clarifying for #525 that none is a string, as PHP might evaluate it to NULL instead

created

.styleci.yml

@@ -19,6 +19,7 @@ disabled:
   - heredoc_to_nowdoc
   - method_argument_space
   - new_with_braces
+  - no_alternative_syntax
   - phpdoc_align
   - phpdoc_no_access
   - phpdoc_separation

.travis.yml

@@ -16,6 +16,7 @@ install:
   - source ~/.nvm/nvm.sh && nvm install --lts
 
 before_script:
+  - rm composer.lock
   - composer install -n
   - npm install -g mocha
   - cd js && npm install

CHANGELOG.md

@@ -1,6 +1,16 @@
 # PrivateBin version history
 
   * **1.4 (not yet released)**
+  * **1.3.2 (2020-01-11)**
+    * ADDED: Translation for Ukrainian (#533)
+    * ADDED: Option to send a mail with the link, when creating a paste (#398)
+    * ADDED: Add support for CONFIG_PATH environment variable (#552)
+    * CHANGED: Upgrading libraries to: base-x 3.0.7, DOMpurify 2.0.7 & Showdown 1.9.1
+    * FIXED: HTML injection via unescaped attachment filename (#554)
+    * FIXED: Password disabling option (#527)
+  * **1.2.2 (2020-01-11)**
+    * CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
+    * FIXED: HTML injection via unescaped attachment filename (#554)
   * **1.3.1 (2019-09-22)**
     * ADDED: Translation for Bulgarian (#455)
     * CHANGED: Improved mobile UI - obscured send button and hard to click shortener button (#477)

CREDITS.md

@@ -26,6 +26,7 @@ Sébastien Sauvage - original idea and main developer
 * thororm - Display of video, audio & PDF, drag & drop, preview of attachments
 * Harald Leithner - base58 encoding of key
 * Haocen - lots of bugfixes and UI improvements
+* Lucas Savva - configurable config file location, NixOS packaging
 
 ## Translations
 * Hexalyse - French
@@ -43,4 +44,5 @@ Sébastien Sauvage - original idea and main developer
 * Michael van Schaik - Dutch
 * Péter Tabajdi - Hungarian
 * info-path - Czech
-* BigWax - Bulgarian
+* BigWax - Bulgarian
+* AndriiZ - Ukrainian

INSTALL.md

@@ -18,7 +18,7 @@ options](#configuration) to adjust as you see fit.
   - open_basedir access to `/dev/urandom`
   - mcrypt extension
   - com_dotnet extension
-  
+
   Mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file.
 - GD extension
 - some disk space or (optionally) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php)
@@ -43,13 +43,34 @@ process (see also
 >
 > The full path of PrivateBin on your webserver is:
 > /home/example.com/htdocs/paste
-> 
+>
 > When setting the path like this:
 > define('PATH', '../../secret/privatebin/');
 >
 > PrivateBin will look for your includes / data here:
 > /home/example.com/secret/privatebin
 
+### Changing the config path only
+
+In situations where you want to keep the PrivateBin static files separate from the
+rest of your data, or you want to reuse the installation files on multiple vhosts,
+you may only want to change the `conf.php`. In this instance, you can set the
+`CONFIG_PATH` environment variable to the absolute path to the `conf.php` file.
+This can be done in your web server's virtual host config, the PHP config, or in
+the index.php if you choose to customize it.
+
+Note that your PHP process will need read access to the config wherever it may be.
+
+> #### CONFIG_PATH example
+> Setting the value in an Apache Vhost:
+> SetEnv CONFIG_PATH /var/lib/privatebin/conf.php
+>
+> In a php-fpm pool config:
+> env[CONFIG_PATH] = /var/lib/privatebin/conf.php
+>
+> In the index.php, near the top:
+> putenv('CONFIG_PATH=/var/lib/privatebin/conf.php');
+
 ### Transport security
 
 When setting up PrivateBin, also set up HTTPS, if you haven't already. Without HTTPS
@@ -66,8 +87,9 @@ See [this FAQ item](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-t
 
 In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php`
 is provided containing all options and default values. You can copy it to
-`cfg/conf.php` and adapt it as needed. The config file is divided into multiple
-sections, which are enclosed in square brackets.
+`cfg/conf.php` and adapt it as needed. Alternatively you can copy it anywhere and
+set the `CONFIG_PATH` environment variable (see above notes). The config file is
+divided into multiple sections, which are enclosed in square brackets.
 
 In the `[main]` section you can enable or disable the discussion feature, set
 the limit of stored pastes and comments in bytes. The `[traffic]` section lets
@@ -165,7 +187,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
 CREATE TABLE prefix_config (
     id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
 );
-INSERT INTO prefix_config VALUES('VERSION', '1.3.1');
+INSERT INTO prefix_config VALUES('VERSION', '1.3.2');
 ```
 
 In **PostgreSQL**, the data, attachment, nickname and vizhash columns needs to be TEXT and not BLOB or MEDIUMBLOB.

README.md

@@ -1,6 +1,6 @@
 # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
 
-*Current version: 1.3.1*
+*Current version: 1.3.2*
 
 **PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin)
 where the server has zero knowledge of pasted data.

SECURITY.md

@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.3.1   | :heavy_check_mark: |
-| < 1.3.1 | :x:                |
+| 1.3.2   | :heavy_check_mark: |
+| < 1.3.2 | :x:                |
 
 ## Reporting a Vulnerability
 

cfg/conf.sample.php

@@ -60,8 +60,8 @@ languageselection = false
 ; a different user when the same username was used in a comment. It might be
 ; used to get the IP of a non anonymous comment poster if the server salt is
 ; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
-; Can be set to one these values: none / vizhash / identicon (default).
-; icon = none
+; Can be set to one these values: "none" / "vizhash" / "identicon" (default).
+; icon = "none"
 
 ; Content Security Policy headers allow a website to restrict what sources are
 ; allowed to be accessed in its context. You need to change this if you added
@@ -95,8 +95,8 @@ languageselection = false
 
 ; Pick compression algorithm or disable it. Only applies to pastes/comments
 ; created after changing the setting.
-; Can be set to one these values: none / zlib (default).
-; compression = zlib
+; Can be set to one these values: "none" / "zlib" (default).
+; compression = "zlib"
 
 [expire]
 ; expire value that is selected per default

css/bootstrap/privatebin.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 body {
@@ -180,3 +180,28 @@ li.L0, li.L1, li.L2, li.L3, li.L5, li.L6, li.L7, li.L8 {
 		padding-right: 4ch;
 	}
 }
+
+.modal-dialog {
+	margin: auto !important;
+}
+
+/* makeup for the original margin on modal-dialog */
+@media (min-width: 768px) {
+	.modal-content {
+		margin: 30px 0;
+	}
+}
+
+.modal-content {
+	margin: 10px;
+}
+
+.modal-body {
+	display: flex;
+	justify-content: center;
+	align-items: center;
+}
+
+.modal .modal-content button {
+	margin: 0.5em 0;
+}

css/noscript.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 /* When there is no script at all other */

css/privatebin.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 /*  CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.

i18n/bg.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Браузъра ви може да се нуждае от HTTPS връзка за да използва WebCrypto API. Пробвай <a href=\"%s\">да минеш на HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/cs.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/de.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Dein Browser benötigt möglicherweise eine HTTPS Verbindung um das WebCrypto API nutzen zu können. Versuche <a href=\"%s\">auf HTTPS zu wechseln</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Dein Browser unterstützt WebAssembly nicht, welches für zlib Komprimierung benötigt wird. Du kannst unkomprimierte Dokumente erzeugen, aber keine komprimierten lesen."
+        "Dein Browser unterstützt WebAssembly nicht, welches für zlib Komprimierung benötigt wird. Du kannst unkomprimierte Dokumente erzeugen, aber keine komprimierten lesen.",
+    "waiting on user to provide a password":
+        "warte auf Passworteingabe durch Benutzer",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Konnte Daten nicht entschlüsseln. Hast Du das falsche Passwort eingegeben? Wiederhole den Vorgang mit dem oben stehenden Knopf.",
+    "Retry":
+        "Wiederholen",
+    "Showing raw text…":
+        "Zeige reinen Text an…"
 }

i18n/es.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/fr.json

@@ -169,5 +169,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Votre navigateur peut nécessiter une connexion HTTPS pour prendre en charge l’API WebCrypto. Essayez <a href=\"%s\">de passer en HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/hu.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/it.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/nl.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/no.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Din nettleser har behov for HTTPS tilkobling for å støtte WebCrypto biblioteket. Prøv å <a href=\"%s\">bytt til HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/oc.json

@@ -169,5 +169,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Se pòt que vòstre navigator faga besonh d’una connexion HTTPS per èsser compatible amb l’API WebCrypto. Ensajatz de <a href=\"%s\">passar al HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/pl.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/pt.json

@@ -160,5 +160,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/ru.json

@@ -170,5 +170,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Ваш браузер требует использования HTTPS подключения для поддержки WebCrypto API. Попробуйте <a href=\"%s\">переключиться на HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/sl.json

@@ -169,5 +169,13 @@
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
         "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
 }

i18n/uk.json

@@ -0,0 +1,182 @@
+{
+    "PrivateBin": "PrivateBin",
+    "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted <i>in the browser</i> using 256 bits AES. More information on the <a href=\"https://privatebin.info/\">project page</a>.":
+        "%s це мінімалістичний Open Source проєкт для створення нотаток, де сервер не знає нічого про дані, що зберігаються. Дані шифруються/розшифровуються <i>у переглядачі</i> з використанням 256-бітного шифрувания AES. Подробиці можна дізнатися на <a href=\"https://privatebin.info/\">сайті проєкту</a>.",
+    "Because ignorance is bliss":
+        "Бо незнання - благо",
+    "en": "uk",
+    "Paste does not exist, has expired or has been deleted.":
+        "Допис не існує, протермінований чи був видалений.",
+    "%s requires php %s or above to work. Sorry.":
+        "Для роботи %s потрібен php %s и вище. Вибачте.",
+    "%s requires configuration section [%s] to be present in configuration file.":
+        "%s потрібна секція [%s] в конфігураційному файлі.",
+    "Please wait %d seconds between each post.":
+        ["Будь ласка, зачекайте %d секунду між дописами.", "Будь ласка, зачекайте %d секунди між дописами.", "Будь ласка, зачекайте %d секунд між дописами."],
+    "Paste is limited to %s of encrypted data.":
+        "Розмір допису обмежений %s зашифрованих даних.",
+    "Invalid data.":
+        "Неправильні дані.",
+    "You are unlucky. Try again.":
+        "Вам не пощастило. Спробуйте ще раз.",
+    "Error saving comment. Sorry.":
+        "Помилка при збереженні коментаря. Вибачте.",
+    "Error saving paste. Sorry.":
+        "Помилка при збереженні допису. Вибачте.",
+    "Invalid paste ID.":
+        "Неправильний ID допису.",
+    "Paste is not of burn-after-reading type.":
+        "Тип допису не \"Знищити після прочитання\".",
+    "Wrong deletion token. Paste was not deleted.":
+        "Неправильний ключ вилучення допису. Допис не вилучено.",
+    "Paste was properly deleted.":
+        "Допис був вилучений повністю.",
+    "JavaScript is required for %s to work.<br />Sorry for the inconvenience.":
+        "Для роботи %s потрібен увімкнутий JavaScript.<br />Вибачте.",
+    "%s requires a modern browser to work.":
+        "Для роботи %s потрібен більш сучасний переглядач.",
+    "New":
+        "Новий допис",
+    "Send":
+        "Відправити",
+    "Clone":
+        "Дублювати",
+    "Raw text":
+        "Початковий текст",
+    "Expires":
+        "Вилучити через",
+    "Burn after reading":
+        "Знищити після прочитання",
+    "Open discussion":
+        "Відкрити обговорення",
+    "Password (recommended)":
+        "Пароль (рекомендується)",
+    "Discussion":
+        "Обговорення",
+    "Toggle navigation":
+        "Перемкнути навігацію",
+    "%d seconds": ["%d секунду", "%d секунди", "%d секунд"],
+    "%d minutes": ["%d хвилину", "%d хвилини", "%d хвилин"],
+    "%d hours": ["%d годину", "%d години", "%d годин"],
+    "%d days": ["%d день", "%d дні", "%d днів"],
+    "%d weeks": ["%d тиждень", "%d тижні", "%d тижнів"],
+    "%d months": ["%d місяць", "%d місяці", "%d місяців"],
+    "%d years": ["%d рік", "%d роки", "%d років"],
+    "Never":
+        "Ніколи",
+    "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.":
+        "Примітка: Це тестовий сервіс: Дані можуть бути вилучені в будь який момент. Кошенята помруть, якщо ви будете зловживати сервісом.",
+    "This document will expire in %d seconds.":
+        ["Документ буде вилучений через %d секунду.", "Документ буде вилучений через %d секунди.", "Документ буде вилучений через %d секунд."],
+    "This document will expire in %d minutes.":
+        ["Документ буде вилучений через %d хвилину.", "Документ буде вилучений через %d хвилини.", "Документ буде вилучений через %d хвилин."],
+    "This document will expire in %d hours.":
+        ["Документ буде вилучений через %d годину.", "Документ буде вилучений через %d години.", "Документ буде вилучений через %d годин."],
+    "This document will expire in %d days.":
+        ["Документ буде вилучений через %d день.", "Документ буде вилучений через %d дні.", "Документ буде вилучений через %d днів."],
+    "This document will expire in %d months.":
+        ["Документ буде вилучений через %d місяць.", "Документ буде вилучений через %d місяці.", "Документ буде вилучений через %d місяців."],
+    "Please enter the password for this paste:":
+        "Будь ласка, введіть пароль від допису:",
+    "Could not decrypt data (Wrong key?)":
+        "Неможливо розшифрувати дані (Неправильний  ключ?)",
+    "Could not delete the paste, it was not stored in burn after reading mode.":
+        "Неможливо вилучити допис, він не був збережений в режимі знищити після прочитання.",
+    "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.":
+        "ЛИШЕ ДЛЯ ВАШИХ ОЧЕЙ. Не закривайте це вікно, це повідомлення не може бути показано знову.",
+    "Could not decrypt comment; Wrong key?":
+        "Неможливо розшифрувати коментар; Неправильний ключ?",
+    "Reply":
+        "Відповісти",
+    "Anonymous":
+        "Анонім",
+    "Avatar generated from IP address":
+        "Аватар зґенерований з IP-адреси",
+    "Add comment":
+        "Додати коментар",
+    "Optional nickname…":
+        "Необов’язкове прізвисько…",
+    "Post comment":
+        "Відправити коментар",
+    "Sending comment…":
+        "Відправка коментаря…",
+    "Comment posted.":
+        "Коментар опублікований.",
+    "Could not refresh display: %s":
+        "Не вдалося оновити екран: %s",
+    "unknown status":
+        "невідома причина",
+    "server error or not responding":
+        "помилка на сервері чи немає відповіді",
+    "Could not post comment: %s":
+        "Не вдалося опублікувати коментар: %s",
+    "Sending paste…":
+        "Відправка допису…",
+    "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>":
+        "Посилання на допис <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Тисніть [Ctrl]+[c], щоб скопіювати посилання)</span>",
+    "Delete data":
+        "Видалити допис",
+    "Could not create paste: %s":
+        "Не вдалося опублікувати допис: %s",
+    "Cannot decrypt paste: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)":
+        "Неможливо розшифрувати запис: Ключ дешифрування відсутній в посиланні (Можливо, ви використовуєте скорочувач посилань, що видаляє частину посилання?)",
+    "B": "байт",
+    "KiB": "Кбайт",
+    "MiB": "Мбайт",
+    "GiB": "Гбайт",
+    "TiB": "Тбайт",
+    "PiB": "Пбайт",
+    "EiB": "Ебайт",
+    "ZiB": "Збайт",
+    "YiB": "Йбайт",
+    "Format": "Формат",
+    "Plain Text": "Звичайний текст",
+    "Source Code": "Джерельний код",
+    "Markdown": "Мова розмітки",
+    "Download attachment": "Звантажити прикріплений файл",
+    "Cloned: '%s'": "Дубльовано: '%s'",
+    "The cloned file '%s' was attached to this paste.":
+        "Дублікат файлу '%s' був прикріплений до цього запису.",
+    "Attach a file": "Прикріпити файл",
+    "alternatively drag & drop a file or paste an image from the clipboard": "також можна перенести файл у вікно переглядача чи вставити зображення з буфера",
+    "File too large, to display a preview. Please download the attachment.": "Файл завеликий для відображення передогляду. Будь ласка, звантажте прикріплений файл.",
+    "Remove attachment": "Видалити вкладення",
+    "Your browser does not support uploading encrypted files. Please use a newer browser.":
+        "Ваш переглядач не підтримує відправлення зашифрованих файлів. Використовуйте сучасніший переглядач.",
+    "Invalid attachment.": "Невідоме вкладення.",
+    "Options": "Опції",
+    "Shorten URL": "Коротке посилання",
+    "Editor": "Редактор",
+    "Preview": "Передогляд",
+    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.":
+        "Змінна PATH необхідна %s в конці \"%s\". Будь ласка, оновіть змінну PATH у вашому index.php.",
+    "Decrypt":
+        "Розшифрувати",
+    "Enter password":
+        "Введіть пароль",
+    "Loading…": "Завантаження…",
+    "Decrypting paste…": "Розшифровування допису…",
+    "Preparing new paste…": "Приготування нового допису…",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.":
+        "Якщо це повідомлення не зникатиме тривалий час, подивіться <a href=\"%s\">цей FAQ з інформацією про можливе вирішення проблеми</a>.",
+    "+++ no paste text +++": "+++ у дописі немає тексту +++",
+    "Could not get paste data: %s":
+        "Не вдалося отримати дані допису: %s",
+    "QR code": "QR код",
+    "This website is using an insecure HTTP connection! Please use it only for testing.":
+        "Цей сайт використовує незахищене HTTP підключення! Будь ласка, використовуйте його лише для тестування.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.":
+        "Для подробиць <a href=\"%s\">дивіться інформацію в FAQ</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
+        "Ваш переглядач вимагає підключення HTTPS для підтримки  WebCrypto API. Спробуйте <a href=\"%s\">перемкнутися на HTTPS</a>.",
+    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
+        "Ваш переглядач не підтримує WebAssembly, що використовується для стиснення zlib. Ви можете створювати нестиснені документи, але не зможете читати стиснені.",
+    "waiting on user to provide a password":
+        "waiting on user to provide a password",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Retry":
+        "Retry",
+    "Showing raw text…":
+        "Showing raw text…"
+}

i18n/zh.json

@@ -154,11 +154,19 @@
         "无法获取粘贴数据：%s",
     "QR code": "二维码",
     "This website is using an insecure HTTP connection! Please use it only for testing.":
-        "This website is using an insecure HTTP connection! Please use it only for testing.",
+        "该网站使用了不安全的HTTP连接！ 请仅将其用于测试。",
     "For more information <a href=\"%s\">see this FAQ entry</a>.":
-        "For more information <a href=\"%s\">see this FAQ entry</a>.",
+        "有关更多信息，<a href=\"%s\">请参阅此常见问题解答</a>。",
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.":
-        "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
+        "您的浏览器可能需要HTTPS连接才能支持WebCrypto API。 尝试<a href=\"%s\">切换到HTTPS </a>。",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.":
-        "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones."
+        "您的浏览器不支持用于zlib压缩的WebAssembly。 您可以创建未压缩的文档，但不能读取压缩的文档。",
+    "waiting on user to provide a password":
+        "请输入密码",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.":
+        "无法解密数据。 您输入了错误的密码吗？ 点顶部的按钮重试。",
+    "Retry":
+        "重试",
+    "Showing raw text…":
+        "显示原始文字…"
 }

index.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3
+ * @version   1.3.2
  */
 
 // change this, if your php files and data is outside of your webservers document root

js/base-x-3.0.5.1.js

@@ -1,151 +0,0 @@
-// base-x encoding / decoding
-// based on https://github.com/cryptocoinjs/base-x 3.0.5
-// modification: removed Buffer dependency and node.modules entry
-// Copyright (c) 2018 base-x contributors
-// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
-// Distributed under the MIT software license, see the accompanying
-// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
-
-(function(){
-'use strict';
-this.baseX = function base (ALPHABET) {
-  if (ALPHABET.length >= 255) throw new TypeError('Alphabet too long')
-
-  const BASE_MAP = new Uint8Array(256)
-  BASE_MAP.fill(255)
-
-  for (let i = 0; i < ALPHABET.length; i++) {
-    const x = ALPHABET.charAt(i)
-    const xc = x.charCodeAt(0)
-
-    if (BASE_MAP[xc] !== 255) throw new TypeError(x + ' is ambiguous')
-    BASE_MAP[xc] = i
-  }
-
-  const BASE = ALPHABET.length
-  const LEADER = ALPHABET.charAt(0)
-  const FACTOR = Math.log(BASE) / Math.log(256) // log(BASE) / log(256), rounded up
-  const iFACTOR = Math.log(256) / Math.log(BASE) // log(256) / log(BASE), rounded up
-
-  function encode (source) {
-    if (source.length === 0) return ''
-
-    // Skip & count leading zeroes.
-    let zeroes = 0
-    let length = 0
-    let pbegin = 0
-    const pend = source.length
-
-    while (pbegin !== pend && source[pbegin] === 0) {
-      pbegin++
-      zeroes++
-    }
-
-    // Allocate enough space in big-endian base58 representation.
-    const size = ((pend - pbegin) * iFACTOR + 1) >>> 0
-    const b58 = new Uint8Array(size)
-
-    // Process the bytes.
-    while (pbegin !== pend) {
-      let carry = source[pbegin]
-
-      // Apply "b58 = b58 * 256 + ch".
-      let i = 0
-      for (let it = size - 1; (carry !== 0 || i < length) && (it !== -1); it--, i++) {
-        carry += (256 * b58[it]) >>> 0
-        b58[it] = (carry % BASE) >>> 0
-        carry = (carry / BASE) >>> 0
-      }
-
-      if (carry !== 0) throw new Error('Non-zero carry')
-      length = i
-      pbegin++
-    }
-
-    // Skip leading zeroes in base58 result.
-    let it = size - length
-    while (it !== size && b58[it] === 0) {
-      it++
-    }
-
-    // Translate the result into a string.
-    let str = LEADER.repeat(zeroes)
-    for (; it < size; ++it) str += ALPHABET.charAt(b58[it])
-
-    return str
-  }
-
-  function decodeUnsafe (source) {
-    if (typeof source !== 'string') throw new TypeError('Expected String')
-    if (source.length === 0) return ''
-
-    let psz = 0
-
-    // Skip leading spaces.
-    if (source[psz] === ' ') return
-
-    // Skip and count leading '1's.
-    let zeroes = 0
-    let length = 0
-    while (source[psz] === LEADER) {
-      zeroes++
-      psz++
-    }
-
-    // Allocate enough space in big-endian base256 representation.
-    const size = (((source.length - psz) * FACTOR) + 1) >>> 0 // log(58) / log(256), rounded up.
-    const b256 = new Uint8Array(size)
-
-    // Process the characters.
-    while (source[psz]) {
-      // Decode character
-      let carry = BASE_MAP[source.charCodeAt(psz)]
-
-      // Invalid character
-      if (carry === 255) return
-
-      let i = 0
-      for (let it = size - 1; (carry !== 0 || i < length) && (it !== -1); it--, i++) {
-        carry += (BASE * b256[it]) >>> 0
-        b256[it] = (carry % 256) >>> 0
-        carry = (carry / 256) >>> 0
-      }
-
-      if (carry !== 0) throw new Error('Non-zero carry')
-      length = i
-      psz++
-    }
-
-    // Skip trailing spaces.
-    if (source[psz] === ' ') return
-
-    // Skip leading zeroes in b256.
-    let it = size - length
-    while (it !== size && b256[it] === 0) {
-      it++
-    }
-
-    var vch = [];
-
-    let j = zeroes
-    while (it !== size) {
-      vch[j++] = b256[it++]
-    }
-
-    return vch
-  }
-
-  function decode (string) {
-    const buffer = decodeUnsafe(string)
-    if (buffer) return buffer
-
-    throw new Error('Non-base' + BASE + ' character')
-  }
-
-  return {
-    encode: encode,
-    decodeUnsafe: decodeUnsafe,
-    decode: decode
-  }
-}
-}).call(this);

js/base-x-3.0.7.js

@@ -0,0 +1,120 @@
+'use strict';
+// base-x encoding / decoding
+// based on https://github.com/cryptocoinjs/base-x 3.0.7
+// modification: removed Buffer dependency and node.modules entry
+// Copyright (c) 2018 base-x contributors
+// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
+// Distributed under the MIT software license, see the accompanying
+// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
+
+(function(){
+this.baseX = function base (ALPHABET) {
+  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
+  var BASE_MAP = new Uint8Array(256)
+  BASE_MAP.fill(255)
+  for (var i = 0; i < ALPHABET.length; i++) {
+    var x = ALPHABET.charAt(i)
+    var xc = x.charCodeAt(0)
+    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
+    BASE_MAP[xc] = i
+  }
+  var BASE = ALPHABET.length
+  var LEADER = ALPHABET.charAt(0)
+  var FACTOR = Math.log(BASE) / Math.log(256) // log(BASE) / log(256), rounded up
+  var iFACTOR = Math.log(256) / Math.log(BASE) // log(256) / log(BASE), rounded up
+  function encode (source) {
+    if (source.length === 0) { return '' }
+        // Skip & count leading zeroes.
+    var zeroes = 0
+    var length = 0
+    var pbegin = 0
+    var pend = source.length
+    while (pbegin !== pend && source[pbegin] === 0) {
+      pbegin++
+      zeroes++
+    }
+        // Allocate enough space in big-endian base58 representation.
+    var size = ((pend - pbegin) * iFACTOR + 1) >>> 0
+    var b58 = new Uint8Array(size)
+        // Process the bytes.
+    while (pbegin !== pend) {
+      var carry = source[pbegin]
+            // Apply "b58 = b58 * 256 + ch".
+      var i = 0
+      for (var it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
+        carry += (256 * b58[it1]) >>> 0
+        b58[it1] = (carry % BASE) >>> 0
+        carry = (carry / BASE) >>> 0
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i
+      pbegin++
+    }
+        // Skip leading zeroes in base58 result.
+    var it2 = size - length
+    while (it2 !== size && b58[it2] === 0) {
+      it2++
+    }
+        // Translate the result into a string.
+    var str = LEADER.repeat(zeroes)
+    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]) }
+    return str
+  }
+  function decodeUnsafe (source) {
+    if (typeof source !== 'string') { throw new TypeError('Expected String') }
+    if (source.length === 0) { return '' }
+    var psz = 0
+        // Skip leading spaces.
+    if (source[psz] === ' ') { return }
+        // Skip and count leading '1's.
+    var zeroes = 0
+    var length = 0
+    while (source[psz] === LEADER) {
+      zeroes++
+      psz++
+    }
+        // Allocate enough space in big-endian base256 representation.
+    var size = (((source.length - psz) * FACTOR) + 1) >>> 0 // log(58) / log(256), rounded up.
+    var b256 = new Uint8Array(size)
+        // Process the characters.
+    while (source[psz]) {
+            // Decode character
+      var carry = BASE_MAP[source.charCodeAt(psz)]
+            // Invalid character
+      if (carry === 255) { return }
+      var i = 0
+      for (var it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
+        carry += (BASE * b256[it3]) >>> 0
+        b256[it3] = (carry % 256) >>> 0
+        carry = (carry / 256) >>> 0
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i
+      psz++
+    }
+        // Skip trailing spaces.
+    if (source[psz] === ' ') { return }
+        // Skip leading zeroes in b256.
+    var it4 = size - length
+    while (it4 !== size && b256[it4] === 0) {
+      it4++
+    }
+    var vch = []
+    var j = zeroes
+    while (it4 !== size) {
+      vch[j++] = b256[it4++]
+    }
+    return vch
+  }
+  function decode (string) {
+    var buffer = decodeUnsafe(string)
+    if (buffer) { return buffer }
+    throw new Error('Non-base' + BASE + ' character')
+  }
+  return {
+    encode: encode,
+    decodeUnsafe: decodeUnsafe,
+    decode: decode
+  }
+}
+}).call(this);

js/common.js

@@ -17,8 +17,8 @@ require('./prettify');
 global.prettyPrint = window.PR.prettyPrint;
 global.prettyPrintOne = window.PR.prettyPrintOne;
 global.showdown = require('./showdown-1.9.1');
-global.DOMPurify = require('./purify-2.0.1');
-global.baseX = require('./base-x-3.0.5.1').baseX;
+global.DOMPurify = require('./purify-2.0.7');
+global.baseX = require('./base-x-3.0.7').baseX;
 global.Legacy = require('./legacy').Legacy;
 require('./bootstrap-3.3.7');
 require('./privatebin');
@@ -40,21 +40,6 @@ var a2zString    = ['a','b','c','d','e','f','g','h','i','j','k','l','m',
     supportedLanguages = ['de', 'es', 'fr', 'it', 'no', 'pl', 'pt', 'oc', 'ru', 'sl', 'zh'],
     mimeTypes = ['image/png', 'application/octet-stream'],
     formats = ['plaintext', 'markdown', 'syntaxhighlighting'],
-    /**
-     * character to HTML entity lookup table
-     *
-     * @see    {@link https://github.com/janl/mustache.js/blob/master/mustache.js#L60}
-     */
-    entityMap = {
-        '&': '&',
-        '<': '&lt;',
-        '>': '&gt;',
-        '"': '&quot;',
-        "'": '&#39;',
-        '/': '&#x2F;',
-        '`': '&#x60;',
-        '=': '&#x3D;'
-    },
     mimeFile = fs.createReadStream('/etc/mime.types'),
     mimeLine = '';
 
@@ -97,22 +82,6 @@ function parseMime(line) {
 exports.atob = atob;
 exports.btoa = btoa;
 
-/**
- * convert all applicable characters to HTML entities
- *
- * @see    {@link https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content}
- * @name   htmlEntities
- * @function
- * @param  {string} str
- * @return {string} escaped HTML
- */
-exports.htmlEntities = function(str) {
-    return String(str).replace(
-        /[&<>"'`=\/]/g, function(s) {
-            return entityMap[s];
-        });
-};
-
 // provides random lowercase characters from a to z
 exports.jscA2zString = function() {
     return jsc.elements(a2zString);

js/privatebin.js

@@ -6,7 +6,7 @@
  * @see       {@link https://github.com/PrivateBin/PrivateBin}
  * @copyright 2012 Sébastien SAUVAGE ({@link http://sebsauvage.net})
  * @license   {@link https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License}
- * @version   1.3.1
+ * @version   1.3.2
  * @name      PrivateBin
  * @namespace
  */
@@ -403,6 +403,71 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             baseUri = null;
         };
 
+        /**
+         * calculate expiration date given initial date and expiration period
+         * 
+         * @name   Helper.calculateExpirationDate
+         * @function
+         * @param  {Date} initialDate - may not be empty
+         * @param  {string|number} expirationDisplayStringOrSecondsToExpire - may not be empty
+         * @return {Date}
+         */
+        me.calculateExpirationDate = function(initialDate, expirationDisplayStringOrSecondsToExpire) {
+            let expirationDate = new Date(initialDate);
+
+            const expirationDisplayStringToSecondsDict = {
+                '5min': 300,
+                '10min': 600,
+                '1hour': 3500,
+                '1day': 86400,
+                '1week': 604800,
+                '1month': 2592000,
+                '1year': 31536000,
+                'never': 0
+            };
+
+            let secondsToExpiration = expirationDisplayStringOrSecondsToExpire;
+            if (typeof expirationDisplayStringOrSecondsToExpire === 'string') {
+                secondsToExpiration = expirationDisplayStringToSecondsDict[expirationDisplayStringOrSecondsToExpire];
+            }
+            
+            if (typeof secondsToExpiration !== 'number') {
+                throw new Error('Cannot calculate expiration date.');
+            }
+            if (secondsToExpiration === 0) {
+                return null;
+            }
+
+            expirationDate = expirationDate.setUTCSeconds(expirationDate.getUTCSeconds() + secondsToExpiration);
+            return expirationDate;
+        };
+
+        /**
+         * encode all applicable characters to HTML entities
+         *
+         * @see    {@link https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html}
+         *
+         * @name   Helper.htmlEntities
+         * @function
+         * @param  string str
+         * @return string escaped HTML
+         */
+        me.htmlEntities = function(str) {
+            // using textarea, since other tags may allow and execute scripts, even when detached from DOM
+            let holder = document.createElement('textarea');
+            holder.textContent = str;
+            // as per OWASP recommendation, also encoding quotes and slash
+            return holder.innerHTML.replace(
+                /["'\/]/g,
+                function(s) {
+                    return {
+                        '"': '"',
+                        "'": ''',
+                        '/': '/'
+                    }[s];
+                });
+        };
+
         return me;
     })();
 
@@ -433,7 +498,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          * @prop   {string[]}
          * @readonly
          */
-        const supportedLanguages = ['bg', 'cs', 'de', 'es', 'fr', 'it', 'hu', 'no', 'nl', 'pl', 'pt', 'oc', 'ru', 'sl', 'zh'];
+        const supportedLanguages = ['bg', 'cs', 'de', 'es', 'fr', 'it', 'hu', 'no', 'nl', 'pl', 'pt', 'oc', 'ru', 'sl', 'uk', 'zh'];
 
         /**
          * built in language
@@ -553,16 +618,31 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 args[0] = translations[messageId];
             }
 
+            // messageID may contain links, but should be from a trusted source (code or translation JSON files)
+            let containsNoLinks = args[0].indexOf('<a') === -1;
+            for (let i = 0; i < args.length; ++i) {
+                // parameters (i > 0) may never contain HTML as they may come from untrusted parties
+                if (i > 0 || containsNoLinks) {
+                    args[i] = Helper.htmlEntities(args[i]);
+                }
+            }
+
             // format string
             let output = Helper.sprintf.apply(this, args);
 
             // if $element is given, apply text to element
             if ($element !== null) {
-                // avoid HTML entity encoding if translation contains link
-                if (output.indexOf('<a') === -1) {
+                if (containsNoLinks) {
+                    // avoid HTML entity encoding if translation contains links
                     $element.text(output);
                 } else {
-                    $element.html(output);
+                    // only allow tags/attributes we actually use in our translations
+                    $element.html(
+                        DOMPurify.sanitize(output, {
+                            ALLOWED_TAGS: ['a', 'br', 'i', 'span'],
+                            ALLOWED_ATTR: ['href', 'id']
+                        })
+                    );
                 }
             }
 
@@ -590,6 +670,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 case 'pl':
                     return n === 1 ? 0 : (n % 10 >= 2 && n %10 <=4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2);
                 case 'ru':
+                case 'uk':
                     return n % 10 === 1 && n % 100 !== 11 ? 0 : (n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2);
                 case 'sl':
                     return n % 100 === 1 ? 1 : (n % 100 === 2 ? 2 : (n % 100 === 3 || n % 100 === 4 ? 3 : 0));
@@ -1822,7 +1903,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                     `${$shortenButton.data('shortener')}${encodeURIComponent($pasteUrl.attr('href'))}`,
                     '_blank',
                     'noopener, noreferrer'
-                )
+                );
             });
         }
 
@@ -2322,7 +2403,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 
             // escape HTML entities, link URLs, sanitize
             const escapedLinkedText = Helper.urls2links(
-                    $('<div />').text(text).html()
+                    Helper.htmlEntities(text)
                   ),
                   sanitizedLinkedText = DOMPurify.sanitize(escapedLinkedText);
             $plainText.html(sanitizedLinkedText);
@@ -2755,7 +2836,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             // move elemement to new place
             $attachmentLink.appendTo($element);
 
-            // update text
+            // update text - ensuring no HTML is inserted into the text node
             I18n._($attachmentLink, label, $attachmentLink.attr('download'));
         };
 
@@ -3007,8 +3088,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $attachment = $('#attachment');
             $dragAndDropFileName = $('#dragAndDropFileName');
             $dropzone = $('#dropzone');
+            $attachmentLink = $('#attachment a') || $('<a>');
             if($attachment.length) {
-                $attachmentLink = $('#attachment a');
                 $attachmentPreview = $('#attachmentPreview');
 
                 $fileInput = $('#file');
@@ -3332,9 +3413,10 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $passwordInput,
             $rawTextButton,
             $qrCodeLink,
+            $emailLink,
             $sendButton,
             $retryButton,
-            pasteExpiration = '1week',
+            pasteExpiration = null,
             retryButtonCallback;
 
         /**
@@ -3453,7 +3535,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             for (let i = 0; i < $head.length; ++i) {
                 newDoc.write($head[i].outerHTML);
             }
-            newDoc.write('</head><body><pre>' + DOMPurify.sanitize($('<div />').text(paste).html()) + '</pre></body></html>');
+            newDoc.write('</head><body><pre>' + DOMPurify.sanitize(Helper.htmlEntities(paste)) + '</pre></body></html>');
             newDoc.close();
         }
 
@@ -3542,6 +3624,129 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $('#qrcode-display').html(qrCanvas);
         }
 
+        /**
+         * Template Email body.
+         * 
+         * @name   TopNav.templateEmailBody
+         * @private 
+         * @param {string} expirationDateString 
+         * @param {bool} isBurnafterreading 
+         */
+        function templateEmailBody(expirationDateString, isBurnafterreading)
+        {
+            const EOL = '\n';
+            const BULLET = '  - ';
+            let emailBody = '';
+            if (expirationDateString !== null || isBurnafterreading) {
+                emailBody += I18n._('Notice:');
+                emailBody += EOL;
+
+                if (expirationDateString !== null) {
+                    emailBody += EOL;
+                    emailBody += BULLET;
+                    emailBody += I18n._(
+                        'This link will expire after %s.',
+                        expirationDateString
+                    );
+                }
+                if (isBurnafterreading) {
+                    emailBody += EOL;
+                    emailBody += BULLET;
+                    emailBody += I18n._(
+                        'This link can only be accessed once, do not use back or refresh button in your browser.'
+                    );
+                }
+
+                emailBody += EOL;
+                emailBody += EOL;
+            }
+            emailBody += I18n._('Link:');
+            emailBody += EOL;
+            emailBody += `${window.location.href}`;
+            return emailBody;
+        }
+
+        /**
+         * Trigger Email send.
+         * 
+         * @name   TopNav.triggerEmailSend
+         * @private 
+         * @param {string} emailBody 
+         */
+        function triggerEmailSend(emailBody)
+        {
+            window.open(
+                `mailto:?body=${encodeURIComponent(emailBody)}`,
+                '_self',
+                'noopener, noreferrer'
+            );
+        }
+
+        /**
+         * Send Email with current paste (URL).
+         *
+         * @name   TopNav.sendEmail
+         * @private
+         * @function
+         * @param  {Date|null} expirationDate date of expiration
+         * @param  {bool} isBurnafterreading whether it is burn after reading
+         */
+        function sendEmail(expirationDate, isBurnafterreading)
+        {
+            const expirationDateRoundedToSecond = new Date(expirationDate);
+
+            // round down at least 30 seconds to make up for the delay of request
+            expirationDateRoundedToSecond.setUTCSeconds(
+                expirationDateRoundedToSecond.getUTCSeconds() - 30
+            );
+            expirationDateRoundedToSecond.setUTCSeconds(0);
+
+            const $emailconfirmmodal = $('#emailconfirmmodal');
+            if ($emailconfirmmodal.length > 0) {
+                if (expirationDate !== null) {
+                    $emailconfirmmodal.find('#emailconfirm-display').text(
+                        I18n._('Recipient may become aware of your timezone, convert time to UTC?')
+                    );
+                    const $emailconfirmTimezoneCurrent = $emailconfirmmodal.find('#emailconfirm-timezone-current');
+                    const $emailconfirmTimezoneUtc = $emailconfirmmodal.find('#emailconfirm-timezone-utc');
+                    $emailconfirmTimezoneCurrent.off('click.sendEmailCurrentTimezone');
+                    $emailconfirmTimezoneCurrent.on('click.sendEmailCurrentTimezone', () => {
+                        const emailBody = templateEmailBody(expirationDateRoundedToSecond.toLocaleString(), isBurnafterreading);
+                        $emailconfirmmodal.modal('hide');
+                        triggerEmailSend(emailBody);
+                    });
+                    $emailconfirmTimezoneUtc.off('click.sendEmailUtcTimezone');
+                    $emailconfirmTimezoneUtc.on('click.sendEmailUtcTimezone', () => {
+                        const emailBody = templateEmailBody(expirationDateRoundedToSecond.toLocaleString(
+                            undefined,
+                            // we don't use Date.prototype.toUTCString() because we would like to avoid GMT
+                            { timeZone: 'UTC', dateStyle: 'long', timeStyle: 'long' }
+                        ), isBurnafterreading);
+                        $emailconfirmmodal.modal('hide');
+                        triggerEmailSend(emailBody);
+                    });
+                    $emailconfirmmodal.modal('show');
+                } else {
+                    triggerEmailSend(templateEmailBody(null, isBurnafterreading));
+                }
+            } else {
+                let emailBody = '';
+                if (expirationDate !== null) {
+                    const expirationDateString = window.confirm(
+                        I18n._('Recipient may become aware of your timezone, convert time to UTC?')
+                    ) ? expirationDateRoundedToSecond.toLocaleString(
+                        undefined,
+                        // we don't use Date.prototype.toUTCString() because we would like to avoid GMT
+                        { timeZone: 'UTC', dateStyle: 'long', timeStyle: 'long' }
+                    ) : expirationDateRoundedToSecond.toLocaleString();
+                    emailBody = templateEmailBody(expirationDateString, isBurnafterreading);
+                } else {
+                    emailBody = templateEmailBody(null, isBurnafterreading);
+                }
+                triggerEmailSend(emailBody);
+            }
+        }
+
         /**
          * Shows all navigation elements for viewing an existing paste
          *
@@ -3578,6 +3783,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $newButton.addClass('hidden');
             $rawTextButton.addClass('hidden');
             $qrCodeLink.addClass('hidden');
+            me.hideEmailButton();
 
             viewButtonsDisplayed = false;
         };
@@ -3675,6 +3881,48 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $retryButton.addClass('hidden');
         }
 
+        /**
+         * show the "email" button
+         * 
+         * @name   TopNav.showEmailbutton
+         * @function
+         * @param {int|undefined} optionalRemainingTimeInSeconds
+         */
+        me.showEmailButton = function(optionalRemainingTimeInSeconds)
+        {
+            try {
+                // we cache expiration date in closure to avoid inaccurate expiration datetime
+                const expirationDate = Helper.calculateExpirationDate(
+                    new Date(),
+                    typeof optionalRemainingTimeInSeconds === 'number' ? optionalRemainingTimeInSeconds : TopNav.getExpiration()
+                );
+                const isBurnafterreading = TopNav.getBurnAfterReading();
+
+                $emailLink.removeClass('hidden');
+                $emailLink.off('click.sendEmail');
+                $emailLink.on('click.sendEmail', () => {
+                    sendEmail(expirationDate, isBurnafterreading);
+                });
+            } catch (error) {
+                console.error(error);
+                Alert.showError(
+                    I18n._('Cannot calculate expiration date.')
+                );
+            }
+        }
+
+        /**
+         * hide the "email" button
+         * 
+         * @name   TopNav.hideEmailButton
+         * @function
+         */
+        me.hideEmailButton = function()
+        {
+            $emailLink.addClass('hidden');
+            $emailLink.off('click.sendEmail');
+        }
+
         /**
          * only hides the clone button
          *
@@ -3697,6 +3945,30 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $rawTextButton.addClass('hidden');
         };
 
+        /**
+         * only hides the qr code button
+         * 
+         * @name   TopNav.hideQrCodeButton
+         * @function
+         */
+        me.hideQrCodeButton = function()
+        {
+            $qrCodeLink.addClass('hidden');
+        }
+
+        /**
+         * hide all irrelevant buttons when viewing burn after reading paste
+         * 
+         * @name   TopNav.hideBurnAfterReadingButtons
+         * @function
+         */
+        me.hideBurnAfterReadingButtons = function()
+        {
+            me.hideCloneButton();
+            me.hideQrCodeButton();
+            me.hideEmailButton();
+        }
+
         /**
          * hides the file selector in attachment
          *
@@ -3784,7 +4056,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         /**
          * returns the state of the burn after reading checkbox
          *
-         * @name   TopNav.getExpiration
+         * @name   TopNav.getBurnAfterReading
          * @function
          * @return {bool}
          */
@@ -3814,7 +4086,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.getPassword = function()
         {
-            return $passwordInput.val();
+            // when password is disabled $passwordInput.val() will return undefined
+            return $passwordInput.val() || '';
         };
 
         /**
@@ -3913,6 +4186,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $retryButton = $('#retrybutton');
             $sendButton = $('#sendbutton');
             $qrCodeLink = $('#qrcodelink');
+            $emailLink = $('#emaillink');
 
             // bootstrap template drop down
             $('#language ul.dropdown-menu li a').click(setLanguage);
@@ -4257,6 +4531,10 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             history.pushState({type: 'newpaste'}, document.title, url);
 
             TopNav.showViewButtons();
+
+            // this cannot be grouped with showViewButtons due to remaining time calculation
+            TopNav.showEmailButton();
+
             TopNav.hideRawButton();
             Editor.hide();
 
@@ -4648,7 +4926,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                         plaintexts[i][1]
                     );
                 }
-                DiscussionViewer.finishDiscussion();
             });
         }
 
@@ -4697,8 +4974,17 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 
                     // discourage cloning (it cannot really be prevented)
                     if (paste.isBurnAfterReadingEnabled()) {
-                        TopNav.hideCloneButton();
+                        TopNav.hideBurnAfterReadingButtons();
+                    } else {
+                        // we have to pass in remaining_time here
+                        TopNav.showEmailButton(paste.getTimeToLive());
                     }
+
+                    // only offer adding comments, after paste was successfully decrypted
+                    if (paste.isDiscussionEnabled()) {
+                        DiscussionViewer.finishDiscussion();
+                    }
+
                 })
                 .catch((err) => {
                     // wait for the user to type in the password,
@@ -4913,6 +5199,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 
             DOMPurify.setConfig({SAFE_FOR_JQUERY: true});
 
+            // center all modals
+            $('.modal').on('show.bs.modal', function(e) {
+                $(e.target).css({
+                    display: 'flex'
+                });
+            });
+
             // initialize other modules/"classes"
             Alert.init();
             Model.init();

js/test/Alert.js

@@ -67,10 +67,6 @@ describe('Alert', function () {
     });
 
     describe('showWarning', function () {
-        before(function () {
-            cleanup();
-        });
-
         jsc.property(
             'shows a warning message (basic)',
             jsc.array(common.jscAlnumString()),
@@ -136,10 +132,6 @@ describe('Alert', function () {
     });
 
     describe('showError', function () {
-        before(function () {
-            cleanup();
-        });
-
         jsc.property(
             'shows an error message (basic)',
             jsc.array(common.jscAlnumString()),
@@ -205,10 +197,6 @@ describe('Alert', function () {
     });
 
     describe('showRemaining', function () {
-        before(function () {
-            cleanup();
-        });
-
         jsc.property(
             'shows remaining time (basic)',
             jsc.array(common.jscAlnumString()),
@@ -254,10 +242,6 @@ describe('Alert', function () {
     });
 
     describe('showLoading', function () {
-        before(function () {
-            cleanup();
-        });
-
         jsc.property(
             'shows a loading message (basic)',
             jsc.array(common.jscAlnumString()),
@@ -310,10 +294,6 @@ describe('Alert', function () {
     });
 
     describe('hideLoading', function () {
-        before(function () {
-            cleanup();
-        });
-
         it(
             'hides the loading message',
             function() {
@@ -335,10 +315,6 @@ describe('Alert', function () {
     });
 
     describe('hideMessages', function () {
-        before(function () {
-            cleanup();
-        });
-
         it(
             'hides all messages',
             function() {
@@ -361,10 +337,6 @@ describe('Alert', function () {
     });
 
     describe('setCustomHandler', function () {
-        before(function () {
-            cleanup();
-        });
-
         jsc.property(
             'calls a given handler function',
             'nat 3',

js/test/AttachmentViewer.js

@@ -4,9 +4,6 @@ var common = require('../common');
 describe('AttachmentViewer', function () {
     describe('setAttachment, showAttachment, removeAttachment, hideAttachment, hideAttachmentPreview, hasAttachment, getAttachment & moveAttachmentTo', function () {
         this.timeout(30000);
-        before(function () {
-            cleanup();
-        });
 
         jsc.property(
             'displays & hides data as requested',
@@ -16,7 +13,7 @@ describe('AttachmentViewer', function () {
             'string',
             'string',
             function (mimeType, rawdata, filename, prefix, postfix) {
-                var clean = jsdom(),
+                let clean = jsdom(),
                     data = 'data:' + mimeType + ';base64,' + btoa(rawdata),
                     previewSupported = (
                         mimeType.substring(0, 6) === 'image/' ||
@@ -24,8 +21,9 @@ describe('AttachmentViewer', function () {
                         mimeType.substring(0, 6) === 'video/' ||
                         mimeType.match(/\/pdf/i)
                     ),
-                    results = [];
-                prefix = prefix.replace(/%(s|d)/g, '%%');
+                    results = [],
+                    result = '';
+                prefix  = prefix.replace(/%(s|d)/g, '%%');
                 postfix = postfix.replace(/%(s|d)/g, '%%');
                 $('body').html(
                     '<div id="attachment" role="alert" class="hidden alert ' +
@@ -57,7 +55,7 @@ describe('AttachmentViewer', function () {
                 }
                 // beyond this point we will get the blob URL instead of the data
                 data = window.URL.createObjectURL(data);
-                var attachment = $.PrivateBin.AttachmentViewer.getAttachment();
+                const attachment = $.PrivateBin.AttachmentViewer.getAttachment();
                 results.push(
                     $.PrivateBin.AttachmentViewer.hasAttachment() &&
                     $('#attachment').hasClass('hidden') &&
@@ -84,13 +82,19 @@ describe('AttachmentViewer', function () {
                     !$('#attachment').hasClass('hidden') &&
                     (previewSupported ? !$('#attachmentPreview').hasClass('hidden') : $('#attachmentPreview').hasClass('hidden'))
                 );
-                var element = $('<div></div>');
+                let element = $('<div>');
                 $.PrivateBin.AttachmentViewer.moveAttachmentTo(element, prefix + '%s' + postfix);
+                // messageIDs with links get a relaxed treatment
+                if (prefix.indexOf('<a') === -1 && postfix.indexOf('<a') === -1) {
+                    result = $.PrivateBin.Helper.htmlEntities(prefix + filename + postfix);
+                } else {
+                    result = $('<div>').html(prefix + $.PrivateBin.Helper.htmlEntities(filename) + postfix).html();
+                }
                 if (filename.length) {
                     results.push(
                         element.children()[0].href === data &&
                         element.children()[0].getAttribute('download') === filename &&
-                        element.children()[0].text === prefix + filename + postfix
+                        element.children()[0].text === result
                     );
                 } else {
                     results.push(element.children()[0].href === data);

js/test/Check.js

@@ -5,9 +5,6 @@ var common = require('../common');
 describe('Check', function () {
     describe('init', function () {
         this.timeout(30000);
-        before(function () {
-            cleanup();
-        });
 
         it('returns false and shows error, if a bot UA is detected', function () {
             jsc.assert(jsc.forall(

js/test/DiscussionViewer.js

@@ -4,9 +4,6 @@ var common = require('../common');
 describe('DiscussionViewer', function () {
     describe('handleNotification, prepareNewDiscussion, addComment, finishDiscussion, getReplyMessage, getReplyNickname, getReplyCommentId & highlightComment', function () {
         this.timeout(30000);
-        before(function () {
-            cleanup();
-        });
 
         jsc.property(
             'displays & hides comments as requested',

js/test/Editor.js

@@ -4,9 +4,6 @@ require('../common');
 describe('Editor', function () {
     describe('show, hide, getText, setText & isPreview', function () {
         this.timeout(30000);
-        before(function () {
-            cleanup();
-        });
 
         jsc.property(
             'returns text fed into the textarea, handles editor tabs',

js/test/Helper.js

@@ -3,10 +3,6 @@ var common = require('../common');
 
 describe('Helper', function () {
     describe('secondsToHuman', function () {
-        after(function () {
-            cleanup();
-        });
-
         jsc.property('returns an array with a number and a word', 'integer', function (number) {
             var result = $.PrivateBin.Helper.secondsToHuman(number);
             return Array.isArray(result) &&
@@ -57,11 +53,11 @@ describe('Helper', function () {
             'nearray string',
             function (ids, contents) {
                 var html = '',
-                    result = true;
+                    result = true,
+                    clean = jsdom(html);
                 ids.forEach(function(item, i) {
-                    html += '<div id="' + item.join('') + '">' + common.htmlEntities(contents[i] || contents[0]) + '</div>';
+                    html += '<div id="' + item.join('') + '">' + $.PrivateBin.Helper.htmlEntities(contents[i] || contents[0]) + '</div>';
                 });
-                var clean = jsdom(html);
                 // TODO: As per https://github.com/tmpvar/jsdom/issues/321 there is no getSelection in jsdom, yet.
                 // Once there is one, uncomment the block below to actually check the result.
                 /*
@@ -77,8 +73,8 @@ describe('Helper', function () {
     });
 
     describe('urls2links', function () {
-        after(function () {
-            cleanup();
+        before(function () {
+            cleanup = jsdom();
         });
 
         jsc.property(
@@ -97,11 +93,11 @@ describe('Helper', function () {
             jsc.array(common.jscHashString()),
             'string',
             function (prefix, schema, address, query, fragment, postfix) {
-                var query = query.join(''),
+                var query    = query.join(''),
                     fragment = fragment.join(''),
-                    url = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
-                    prefix = common.htmlEntities(prefix),
-                    postfix = ' ' + common.htmlEntities(postfix);
+                    url      = schema + '://' + address.join('') + '/?' + query + '#' + fragment,
+                    prefix   = $.PrivateBin.Helper.htmlEntities(prefix),
+                    postfix  = ' ' + $.PrivateBin.Helper.htmlEntities(postfix);
 
                 // special cases: When the query string and fragment imply the beginning of an HTML entity, eg. &#0 or &#x
                 if (
@@ -122,19 +118,15 @@ describe('Helper', function () {
             jsc.array(common.jscQueryString()),
             'string',
             function (prefix, query, postfix) {
-                var url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
-                    prefix = common.htmlEntities(prefix),
-                    postfix = common.htmlEntities(postfix);
+                var url     = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''),
+                    prefix  = $.PrivateBin.Helper.htmlEntities(prefix),
+                    postfix = $.PrivateBin.Helper.htmlEntities(postfix);
                 return prefix + '<a href="' + url + '" rel="nofollow">' + url + '</a> ' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + ' ' + postfix);
             }
         );
     });
 
     describe('sprintf', function () {
-        after(function () {
-            cleanup();
-        });
-
         jsc.property(
             'replaces %s in strings with first given parameter',
             'string',
@@ -211,7 +203,7 @@ describe('Helper', function () {
 
     describe('getCookie', function () {
         this.timeout(30000);
-        after(function () {
+        before(function () {
             cleanup();
         });
 
@@ -263,16 +255,16 @@ describe('Helper', function () {
     });
 
     describe('htmlEntities', function () {
-        after(function () {
-            cleanup();
+        before(function () {
+            cleanup = jsdom();
         });
 
         jsc.property(
             'removes all HTML entities from any given string',
             'string',
             function (string) {
-                var result = common.htmlEntities(string);
-                return !(/[<>"'`=\/]/.test(result)) && !(string.indexOf('&') > -1 && !(/&amp;/.test(result)));
+                var result = $.PrivateBin.Helper.htmlEntities(string);
+                return !(/[<>]/.test(result)) && !(string.indexOf('&') > -1 && !(/&amp;/.test(result)));
             }
         );
     });

js/test/I18n.js

@@ -32,6 +32,7 @@ describe('I18n', function () {
                 var fakeAlias = $.PrivateBin.I18n._(fake);
                 $.PrivateBin.I18n.reset();
 
+                messageId = $.PrivateBin.Helper.htmlEntities(messageId);
                 return messageId === result && messageId === alias &&
                     messageId === pluralResult && messageId === pluralAlias &&
                     messageId === fakeResult && messageId === fakeAlias;
@@ -46,7 +47,7 @@ describe('I18n', function () {
                 prefix    =    prefix.replace(/%(s|d)/g, '%%');
                 params[0] = params[0].replace(/%(s|d)/g, '%%');
                 postfix   =   postfix.replace(/%(s|d)/g, '%%');
-                var translation = prefix + params[0] + postfix;
+                var translation = $.PrivateBin.Helper.htmlEntities(prefix + params[0] + postfix);
                 params.unshift(prefix + '%s' + postfix);
                 var result = $.PrivateBin.I18n.translate.apply(this, params);
                 $.PrivateBin.I18n.reset();

js/test/Model.js

@@ -5,18 +5,18 @@ describe('Model', function () {
     describe('getExpirationDefault', function () {
         before(function () {
             $.PrivateBin.Model.reset();
-            cleanup();
+            cleanup = jsdom();
         });
 
         jsc.property(
             'returns the contents of the element with id "pasteExpiration"',
-            'array asciinestring',
+            'nearray asciinestring',
             'string',
             'small nat',
             function (keys, value, key) {
-                keys = keys.map(common.htmlEntities);
-                value = common.htmlEntities(value);
-                var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
+                keys = keys.map($.PrivateBin.Helper.htmlEntities);
+                value = $.PrivateBin.Helper.htmlEntities(value);
+                var content = keys.length > key ? keys[key] : keys[0],
                     contents = '<select id="pasteExpiration" name="pasteExpiration">';
                 keys.forEach(function(item) {
                     contents += '<option value="' + item + '"';
@@ -27,7 +27,7 @@ describe('Model', function () {
                 });
                 contents += '</select>';
                 $('body').html(contents);
-                var result = common.htmlEntities(
+                var result = $.PrivateBin.Helper.htmlEntities(
                     $.PrivateBin.Model.getExpirationDefault()
                 );
                 $.PrivateBin.Model.reset();
@@ -39,18 +39,20 @@ describe('Model', function () {
     describe('getFormatDefault', function () {
         before(function () {
             $.PrivateBin.Model.reset();
+        });
+        after(function () {
             cleanup();
         });
 
         jsc.property(
             'returns the contents of the element with id "pasteFormatter"',
-            'array asciinestring',
+            'nearray asciinestring',
             'string',
             'small nat',
             function (keys, value, key) {
-                keys = keys.map(common.htmlEntities);
-                value = common.htmlEntities(value);
-                var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
+                keys = keys.map($.PrivateBin.Helper.htmlEntities);
+                value = $.PrivateBin.Helper.htmlEntities(value);
+                var content = keys.length > key ? keys[key] : keys[0],
                     contents = '<select id="pasteFormatter" name="pasteFormatter">';
                 keys.forEach(function(item) {
                     contents += '<option value="' + item + '"';
@@ -61,7 +63,7 @@ describe('Model', function () {
                 });
                 contents += '</select>';
                 $('body').html(contents);
-                var result = common.htmlEntities(
+                var result = $.PrivateBin.Helper.htmlEntities(
                     $.PrivateBin.Model.getFormatDefault()
                 );
                 $.PrivateBin.Model.reset();
@@ -74,7 +76,6 @@ describe('Model', function () {
         this.timeout(30000);
         beforeEach(function () {
             $.PrivateBin.Model.reset();
-            cleanup();
         });
 
         jsc.property(
@@ -130,7 +131,6 @@ describe('Model', function () {
         this.timeout(30000);
         beforeEach(function () {
             $.PrivateBin.Model.reset();
-            cleanup();
         });
 
         jsc.property(
@@ -238,7 +238,6 @@ describe('Model', function () {
     describe('getTemplate', function () {
         beforeEach(function () {
             $.PrivateBin.Model.reset();
-            cleanup();
         });
 
         jsc.property(

js/test/PasteStatus.js

@@ -36,9 +36,6 @@ describe('PasteStatus', function () {
 
     describe('showRemainingTime', function () {
         this.timeout(30000);
-        before(function () {
-            cleanup();
-        });
 
         jsc.property(
             'shows burn after reading message or remaining time v1',
@@ -121,10 +118,6 @@ describe('PasteStatus', function () {
     });
 
     describe('hideMessages', function () {
-        before(function () {
-            cleanup();
-        });
-
         it(
             'hides all messages',
             function() {

js/test/PasteViewer.js

@@ -4,9 +4,6 @@ var common = require('../common');
 describe('PasteViewer', function () {
     describe('run, hide, getText, setText, getFormat, setFormat & isPrettyPrinted', function () {
         this.timeout(30000);
-        before(function () {
-            cleanup();
-        });
 
         jsc.property(
             'displays text according to format',

js/test/Prompt.js

@@ -6,10 +6,6 @@ describe('Prompt', function () {
     //       in nodejs -> replace the prompt in the "page" template with a modal
     describe('requestPassword & getPassword', function () {
         this.timeout(30000);
-        before(function () {
-            $.PrivateBin.Model.reset();
-            cleanup();
-        });
 
         jsc.property(
             'returns the password fed into the dialog',
@@ -26,6 +22,7 @@ describe('Prompt', function () {
                     'password"></div><button type="submit">Decrypt</button>' +
                     '</form></div></div></div></div>'
                 );
+                $.PrivateBin.Model.reset();
                 $.PrivateBin.Model.init();
                 $.PrivateBin.Prompt.init();
                 $.PrivateBin.Prompt.requestPassword();

js/test/TopNav.js

@@ -326,7 +326,7 @@ describe('TopNav', function () {
             'returns the currently selected expiration date',
             function () {
                 $.PrivateBin.TopNav.init();
-                assert.ok($.PrivateBin.TopNav.getExpiration() === '1week');
+                assert.ok($.PrivateBin.TopNav.getExpiration() === null);
             }
         );
     });

lib/Configuration.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;
@@ -102,8 +102,9 @@ class Configuration
     public function __construct()
     {
         $config     = array();
-        $configFile = PATH . 'cfg' . DIRECTORY_SEPARATOR . 'conf.php';
-        $configIni  = PATH . 'cfg' . DIRECTORY_SEPARATOR . 'conf.ini';
+        $basePath   = (getenv('CONFIG_PATH') !== false ? getenv('CONFIG_PATH') : PATH . 'cfg') . DIRECTORY_SEPARATOR;
+        $configIni  = $basePath . 'conf.ini';
+        $configFile = $basePath . 'conf.php';
 
         // rename INI files to avoid configuration leakage
         if (is_readable($configIni)) {
@@ -112,7 +113,7 @@ class Configuration
             // cleanup sample, too
             $configIniSample = $configIni . '.sample';
             if (is_readable($configIniSample)) {
-                DataStore::prependRename($configIniSample, PATH . 'cfg' . DIRECTORY_SEPARATOR . 'conf.sample.php', ';');
+                DataStore::prependRename($configIniSample, $basePath . 'conf.sample.php', ';');
             }
         }
 

lib/Controller.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;
@@ -28,7 +28,7 @@ class Controller
      *
      * @const string
      */
-    const VERSION = '1.3.1';
+    const VERSION = '1.3.2';
 
     /**
      * minimal required PHP version

lib/Data/AbstractData.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Data;

lib/Data/Database.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Data;
@@ -770,7 +770,7 @@ class Database extends AbstractData
                         " MODIFY COLUMN data $attachmentType;"
                     );
                 }
-                // no break, continue with updates for 1.3.1 and later
+                // no break, continue with updates for all newer versions
             default:
                 self::_exec(
                     'UPDATE ' . self::_sanitizeIdentifier('config') .

lib/Data/Filesystem.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Data;

lib/Filter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;

lib/FormatV2.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;

lib/I18n.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;
@@ -303,6 +303,7 @@ class I18n
             case 'pl':
                 return $n == 1 ? 0 : ($n % 10 >= 2 && $n % 10 <= 4 && ($n % 100 < 10 || $n % 100 >= 20) ? 1 : 2);
             case 'ru':
+            case 'uk':
                 return $n % 10 == 1 && $n % 100 != 11 ? 0 : ($n % 10 >= 2 && $n % 10 <= 4 && ($n % 100 < 10 || $n % 100 >= 20) ? 1 : 2);
             case 'sl':
                 return $n % 100 == 1 ? 1 : ($n % 100 == 2 ? 2 : ($n % 100 == 3 || $n % 100 == 4 ? 3 : 0));

lib/Json.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;

lib/Model.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;

lib/Model/AbstractModel.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Model;

lib/Model/Comment.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Model;

lib/Model/Paste.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Model;

lib/Persistence/AbstractPersistence.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/PurgeLimiter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/ServerSalt.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/TrafficLimiter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin\Persistence;

lib/Request.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;

lib/View.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.1
+ * @version   1.3.2
  */
 
 namespace PrivateBin;

lib/Vizhash16x16.php

@@ -8,7 +8,7 @@
  * @link      http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   0.0.5 beta PrivateBin 1.3.1
+ * @version   0.0.5 beta PrivateBin 1.3.2
  */
 
 namespace PrivateBin;

tpl/bootstrap.php

@@ -55,7 +55,7 @@ if ($ZEROBINCOMPATIBILITY):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/base-x-3.0.5.1.js" integrity="sha512-/zL3MWKMtl1IBF0URx3laql2jUw+rWfFFabNlILY/Qm+hUsQR/XULjUyNHkW/FkrV7A0sMQ7tsppH7sj5ht8wA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/base-x-3.0.7.js" integrity="sha512-/Bi1AJIP0TtxEB+Jh6Hk809H1G7vn4iJV80qagslf0+Hm0UjUi1s3qNrn1kZULjzUYuaf6ck0ndLGJ7MxWLmgQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/bootstrap-3.3.7.js" integrity="sha512-iztkobsvnjKfAtTNdHkGVjAYTrrtlC7mGp/54c40wowO7LhURYl3gVzzcEqGl/qKXQltJ2HwMrdLcNUdo+N/RQ==" crossorigin="anonymous"></script>
 <?php
@@ -66,13 +66,13 @@ if ($SYNTAXHIGHLIGHTING):
 endif;
 if ($MARKDOWN):
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/showdown-1.9.1.js" integrity="sha512-VeINC2WUWLyxgeQ56SsYFjQ5+d7RLvLPYOEYDFtEDd3AyVsgIsHYsWZ6WwgALwB6YR6qrVEM3IH4Bck96IfbMw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/showdown-1.9.1.js" integrity="sha512-nRri7kqh3iRLdHbhtjfe8w9eAQPmt+ubH5U88UZyKbz6O9Q0q4haaXF0krOUclKmRJou/kKZYulgBHvHXPqOvg==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.1.js" integrity="sha512-ddI36MdUoXp/o7yhQtr9/qj4G3oFwCRga4jCGaoUYtORg0PPmFKVKG4Ess3fIknYzxwwKMlrIL9o4NwuPTCc1Q==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-iZeao0p5riUgentjlrI2cY7Y8KRLTO42bQ4VGy6ky5FS0UjqXW4UkEJQcvR01SxbUFUz7h5AwzC8CVnUHDwRUg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-wizOnILU1zHsTf7zI5sUykY0+hYrw0b43LaJv16fudk4K7t+nx2u3jRuGdjwhMZVSLQKb0dgiJ/IpXTaOCZslQ==" crossorigin="anonymous"></script>
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
 		<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
@@ -118,13 +118,41 @@ if ($QRCODE):
 					<div class="modal-body">
 						<div class="mx-auto" id="qrcode-display"></div>
 					</div>
-					<button type="button" class="btn btn-primary btn-block" data-dismiss="modal"><?php echo I18n::_('Close') ?></button>
+					<div class="row">
+						<div class="btn-group col-xs-12">
+							<span class="col-xs-12">
+								<button type="button" class="btn btn-primary btn-block" data-dismiss="modal"><?php echo I18n::_('Close') ?></button>
+							</span>
+						</div>
+					</div>
 				</div>
 			</div>
 		</div>
 <?php
 endif;
 ?>
+		<div id="emailconfirmmodal" tabindex="-1" class="modal fade" aria-labelledby="emailconfirmmodalTitle" role="dialog" aria-hidden="true">
+			<div class="modal-dialog" role="document">
+				<div class="modal-content">
+					<div class="modal-body">
+						<div id="emailconfirm-display"></div>
+					</div>
+					<div class="row">
+						<div class="btn-group col-xs-12" data-toggle="buttons">
+							<span class="col-xs-12 col-md-4">
+								<button id="emailconfirm-timezone-current" type="button" class="btn btn-danger btn-block" data-dismiss="modal"><?php echo I18n::_('Use Current Timezone') ?></button>
+							</span>
+							<span class="col-xs-12 col-md-4">
+								<button id="emailconfirm-timezone-utc" type="button" class="btn btn-default btn-block" data-dismiss="modal"><?php echo I18n::_('Convert To UTC') ?></button>
+							</span>
+							<span class="col-xs-12 col-md-4">
+								<button type="button" class="btn btn-primary btn-block" data-dismiss="modal"><?php echo I18n::_('Close') ?></button>
+							</span>
+						</div>
+					</div>
+				</div>
+			</div>
+		</div>
 		<nav class="navbar navbar-<?php echo $isDark ? 'inverse' : 'default'; ?> navbar-<?php echo $isCpct ? 'fixed' : 'static'; ?>-top"><?php
 if ($isCpct):
 ?><div class="container"><?php
@@ -171,6 +199,9 @@ endif;
 						<button id="rawtextbutton" type="button" class="hidden btn btn-<?php echo $isDark ? 'warning' : 'default'; ?> navbar-btn">
 							<span class="glyphicon glyphicon-text-background" aria-hidden="true"></span> <?php echo I18n::_('Raw text'), PHP_EOL; ?>
 						</button>
+						<button id="emaillink" type="button" class="hidden btn btn-<?php echo $isDark ? 'warning' : 'default'; ?> navbar-btn">
+							<span class="glyphicon glyphicon-envelope" aria-hidden="true"></span> <?php echo I18n::_('Email'), PHP_EOL; ?>
+						</button>
 <?php
 if ($QRCODE):
 ?>
@@ -559,4 +590,4 @@ if ($FILEUPLOAD):
 endif;
 ?>
 	</body>
-</html>
+</html>

tpl/page.php

@@ -34,7 +34,7 @@ if ($ZEROBINCOMPATIBILITY):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/base-x-3.0.5.1.js" integrity="sha512-/zL3MWKMtl1IBF0URx3laql2jUw+rWfFFabNlILY/Qm+hUsQR/XULjUyNHkW/FkrV7A0sMQ7tsppH7sj5ht8wA==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/base-x-3.0.7.js" integrity="sha512-/Bi1AJIP0TtxEB+Jh6Hk809H1G7vn4iJV80qagslf0+Hm0UjUi1s3qNrn1kZULjzUYuaf6ck0ndLGJ7MxWLmgQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 <?php
 if ($SYNTAXHIGHLIGHTING):
@@ -44,13 +44,13 @@ if ($SYNTAXHIGHLIGHTING):
 endif;
 if ($MARKDOWN):
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/showdown-1.9.1.js" integrity="sha512-VeINC2WUWLyxgeQ56SsYFjQ5+d7RLvLPYOEYDFtEDd3AyVsgIsHYsWZ6WwgALwB6YR6qrVEM3IH4Bck96IfbMw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/showdown-1.9.1.js" integrity="sha512-nRri7kqh3iRLdHbhtjfe8w9eAQPmt+ubH5U88UZyKbz6O9Q0q4haaXF0krOUclKmRJou/kKZYulgBHvHXPqOvg==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.1.js" integrity="sha512-ddI36MdUoXp/o7yhQtr9/qj4G3oFwCRga4jCGaoUYtORg0PPmFKVKG4Ess3fIknYzxwwKMlrIL9o4NwuPTCc1Q==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-iZeao0p5riUgentjlrI2cY7Y8KRLTO42bQ4VGy6ky5FS0UjqXW4UkEJQcvR01SxbUFUz7h5AwzC8CVnUHDwRUg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-wizOnILU1zHsTf7zI5sUykY0+hYrw0b43LaJv16fudk4K7t+nx2u3jRuGdjwhMZVSLQKb0dgiJ/IpXTaOCZslQ==" crossorigin="anonymous"></script>
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
 		<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
@@ -105,6 +105,7 @@ endif;
 					<button id="sendbutton" class="hidden"><img src="img/icon_send.png" width="18" height="15" alt="" /><?php echo I18n::_('Send'); ?></button>
 					<button id="clonebutton" class="hidden"><img src="img/icon_clone.png" width="15" height="17" alt="" /><?php echo I18n::_('Clone'); ?></button>
 					<button id="rawtextbutton" class="hidden"><img src="img/icon_raw.png" width="15" height="15" alt="" /><?php echo I18n::_('Raw text'); ?></button>
+					<button id="emaillink" class="hidden"><img src="img/icon_email.png" width="15" height="15" alt="" /><?php echo I18n::_('Email'); ?></button>
 <?php
 if ($QRCODE):
 ?>

tst/ConfigurationTest.php

@@ -4,24 +4,31 @@ use PrivateBin\Configuration;
 
 class ConfigurationTest extends PHPUnit_Framework_TestCase
 {
+    private $_minimalConfig;
+
     private $_options;
 
-    private $_minimalConfig;
+    private $_path;
 
     public function setUp()
     {
         /* Setup Routine */
         Helper::confBackup();
+        $this->_minimalConfig                   = '[main]' . PHP_EOL . '[model]' . PHP_EOL . '[model_options]';
         $this->_options                         = Configuration::getDefaults();
         $this->_options['model_options']['dir'] = PATH . $this->_options['model_options']['dir'];
         $this->_options['traffic']['dir']       = PATH . $this->_options['traffic']['dir'];
         $this->_options['purge']['dir']         = PATH . $this->_options['purge']['dir'];
-        $this->_minimalConfig                   = '[main]' . PHP_EOL . '[model]' . PHP_EOL . '[model_options]';
+        $this->_path                            = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'privatebin_cfg';
+        if (!is_dir($this->_path)) {
+            mkdir($this->_path);
+        }
     }
 
     public function tearDown()
     {
         /* Tear Down Routine */
+        Helper::rmDir($this->_path);
         if (is_file(CONF)) {
             unlink(CONF);
         }
@@ -177,4 +184,49 @@ class ConfigurationTest extends PHPUnit_Framework_TestCase
         $this->assertFileExists(CONF, 'old configuration file gets converted');
         $this->assertFileNotExists(PATH . 'cfg' . DIRECTORY_SEPARATOR . 'conf.ini', 'old configuration file gets removed');
     }
+
+    public function testConfigPath()
+    {
+        // setup
+        $configFile              = $this->_path . DIRECTORY_SEPARATOR . 'conf.php';
+        $options                 = $this->_options;
+        $options['main']['name'] = 'OtherBin';
+        Helper::createIniFile($configFile, $options);
+
+        // test
+        putenv('CONFIG_PATH=' . $this->_path);
+        $conf = new Configuration;
+        $this->assertEquals('OtherBin', $conf->getKey('name'), 'changing config path is supported');
+
+        // cleanup environment
+        if (is_file($configFile)) {
+            unlink($configFile);
+        }
+        putenv('CONFIG_PATH');
+    }
+
+    public function testConfigPathIni()
+    {
+        // setup
+        $configFile              = $this->_path . DIRECTORY_SEPARATOR . 'conf.ini';
+        $configMigrated          = $this->_path . DIRECTORY_SEPARATOR . 'conf.php';
+        $options                 = $this->_options;
+        $options['main']['name'] = 'OtherBin';
+        Helper::createIniFile($configFile, $options);
+        $this->assertFileNotExists(CONF, 'configuration in the default location is non existing');
+
+        // test
+        putenv('CONFIG_PATH=' . $this->_path);
+        $conf = new Configuration;
+        $this->assertEquals('OtherBin', $conf->getKey('name'), 'changing config path is supported for ini files as well');
+        $this->assertFileExists($configMigrated, 'old configuration file gets converted');
+        $this->assertFileNotExists($configFile, 'old configuration file gets removed');
+        $this->assertFileNotExists(CONF, 'configuration is not created in the default location');
+
+        // cleanup environment
+        if (is_file($configFile)) {
+            unlink($configFile);
+        }
+        putenv('CONFIG_PATH');
+    }
 }