paste.html

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" href="/favicon.ico">
<script src="/cryptojs/core.js"></script>
<script src="/cryptojs/enc-base64.js"></script>
<script src="/cryptojs/evpkdf.js"></script>
<script src="/cryptojs/cipher-core.js"></script>
<script src="/cryptojs/aes.js"></script>
<script src="/cryptojs/x64-core.js"></script>
<script src="/cryptojs/sha512.js"></script>

<title>paste.sh &middot; {{encrypted}} pastebin</title>
<script>

var content = '{{content}}';
var editable = '{{editable}}';
var serverkey = {{serverkey}};

var cmd = false;

var paste = {
  shouldSave: false,
  saveTimer: null,
  text: "",
};

onload = function() {
  var textarea = document.getElementById('x');
  // Ensure the element remains focused (little hacky, but easier than
  // implementing selection blocking, key capture, etc).
  textarea.onblur = function() {
    if(cmd) {
      maybeSave();
    }
  }
  textarea.onfocus = function() {
    cmd = false;
  }

  var clearOnTouch = false;
  textarea.ontouchstart = function() {
    if (clearOnTouch) {
      textarea.value = '';
      clearOnTouch = false;
    }
  }

  if(!serverkey) {
    textarea.select();
    clearOnTouch = true;
  } else {
    try {
      paste.text = textarea.value = decrypt(getKey(), content);
    } catch(e) {
      textarea.value = "Decryption failed (" + e + ")";
      editable = false;
    }
    if(!textarea.value && content) {
      textarea.value = "Decryption failed";
      editable = false;
    }
    textarea.focus();
    // Firefox likes to scroll to the end, tell it not to
    textarea.selectionStart = 0;
    textarea.selectionEnd = 0;
  }

  if(!editable) {
    textarea.setAttribute('readonly', true);
    textarea.setAttribute('spellcheck', false);
    textarea.ondblclick = function() {
      if(confirm("You can't edit this paste, would you like to create a copy? You'll need to share the new URL.")) {
        generate();
        textarea.removeAttribute('readonly');
        textarea.removeAttribute('spellcheck');
        textarea.ondblclick = null;
        editable = true;
      }
    }
  }

  textarea.onmousedown = function(e) {
    if(!editable) return;
    // Middle click paste
    if(e.button == 1 && !serverkey) {
      textarea.value = '';
    }
  }

  // Note the content changed and we should save this.
  textarea.onchange = shouldSave;
  textarea.oninput = shouldSave;

  var seen_esc = false;
  textarea.onkeydown = function(e) {
    if(seen_esc && e.shiftKey && e.keyCode == 186 /* : */) {
      e.preventDefault();
      return;
      // TODO: finish Vim command support.
      // :set spell/nospell; number maybe; 
      // :w[rite], :e[dit], :raw.
      document.getElementById('command').style.display = 'block';
      document.getElementById('cmd').value = ':';
      setTimeout(function() { document.getElementById('cmd').focus() }, 1);
      sene_esc = false;
      cmd = true;
    }
    if(e.keyCode == 27 && !e.altKey && !e.metaKey && !e.ctrlKey && !e.shiftKey) {
      seen_esc = true;
      e.preventDefault();
      return;
    } else if(e.keyCode >= 32) {
      seen_esc = false;
    }

    if(!editable) return;
    if(!e.ctrlKey && !e.altKey && !e.metaKey) {
      // XXX: alt gr, etc handling.
      shouldSave.call(this);
    }
    // Make tab key work, keep shift+tab as a method to get to the URL bar.
    if(e.keyCode == 9 && !seen_esc && !e.shiftKey && !e.ctrlKey) {
      e.preventDefault();
      var s = this.selectionStart;
      this.value = this.value.substring(0, this.selectionStart) + "\t" +
        this.value.substring(this.selectionEnd);
      this.selectionEnd = s + 1; 
    } else if (e.keyCode == 9) {
      cmd = true;
    }
  }
  // Ensure typing and ctrl-a works even if the textarea wasn't focused
  window.onkeydown = function(e) {
    if (e.ctrlKey || e.charCode >= 32)
      textarea.focus();
  }

  // If the document loses focus save right away (the idea being this is likely
  // someone selecting the URL to share).
  window.onblur = maybeSave;
  window.onresize = maybeSave;
  textarea.onmouseout = maybeSave;

  window.onbeforeunload = function() {
    if(paste.shouldSave) {
      maybeSave();
      return "Data is still being saved. You may lose data if you leave the page now.";
    }
    return null;
  }
}

function getKey() {
  var hash = location.hash.substr(1);
  // Allow empty keys on special URLs like /about and public pastes (/p.{8}) but not encrypted ones.
  if(hash.length < 18 && (location.pathname.length == 8 ||
        (location.pathname.length > 8 && location.pathname[1] != 'p'))) {
    throw "Invalid hash, ensure you have the full URL, including the full '#xxxx' part at the end";
  }
  return location.pathname.substr(1) + serverkey + hash + 'https://paste.sh';
}

function maybeSave() {
  if(paste.shouldSave) {
    document.getElementById('status').textContent = 'Saving...';
    try {
      // This keeps the key unique per save
      serverkey = serverkey.substr(0, 8) + randomStr(6);
      serverSave(location.pathname, encrypt(getKey()));
    } catch(e) {
      alert(e);
    }
  }
}

function serverSave(path, content) {
  var xhr = new XMLHttpRequest;
  xhr.open("PUT", path, true);
  xhr.setRequestHeader('X-Server-Key', serverkey);
  xhr.onreadystatechange = function() {
    if(this.readyState == this.DONE) {
      // XXX: check status
      paste.shouldSave = false;
      in_progress = false;
      document.getElementById('status').textContent = this.responseText;
    }
  }
  in_progress = true;
  xhr.send(content);
}

function getServerKey() {
  var xhr = new XMLHttpRequest;
  xhr.open("GET", '/new?id=' + location.pathname.substr(1), true);
  xhr.onreadystatechange = function() {
    if(this.readyState == this.DONE) {
      serverkey = this.responseText;
    }
  }
  xhr.send();
}


// TODO: Not hooked up yet
function updateCursorPos() {
  var lines = this.value.substring(0, this.selectionStart).split("\n");
  var line = lines.length;
  var col = lines[lines.length - 1].length;
  return "" + line + "," + col;
}

var oldwarning = false;

function shouldSave() {
  if(!editable) return;
  if(!('crypto' in window) || !('getRandomValues' in window.crypto)) {
    if(!oldwarning) {
      alert('This browser does not have crypto.getRandomValues. To securely create pastes please upgrade to a recent version of Chrome or Firefox');
      oldwarning = true;
    }
    document.getElementById('x').disabled = true;
    return;
  }
  if(location.pathname == '/') {
    generate();
  }
  if(paste.text != this.value) {
    paste.shouldSave = true;
    paste.text = this.value;
    document.getElementById('status').textContent = 'Unsaved';
    if (paste.saveTimer)
      clearTimeout(paste.saveTimer);
    paste.saveTimer = setTimeout(maybeSave, 4000);
  }
}

function randomStr(n) {
  return  CryptoJS.lib.WordArray.random(n).toString(
      CryptoJS.enc.Base64).replace(/[\+\/]/g, function(x) { return x == '+' ? '-' : '_'});
}

function generate() {
  if(!document.cookie.match(/pasteauth=/)) {
    document.cookie = 'pasteauth=' + randomStr(18);
  }
  var r = randomStr(6);
  var clientkey = randomStr(18);
  history.replaceState(null, '', '/' + r + (clientkey ? '#' + clientkey : ''));
  getServerKey(); // XXX: racy
}

function encrypt(password) {
  message = document.getElementById('x').value;
  // This matches "openssl enc -aes-256-cbc -md sha512"
  var e = CryptoJS.lib.PasswordBasedCipher.encrypt(
      CryptoJS.algo.AES, message, password,
      { hasher: CryptoJS.algo.SHA512 });
  return e.toString();
}

function decrypt(password, message) {
  var e = CryptoJS.lib.PasswordBasedCipher.decrypt(
      CryptoJS.algo.AES, message, password,
      { hasher: CryptoJS.algo.SHA512 });
  return e.toString(CryptoJS.enc.Utf8);
}

function rawme(l) {
  l.href = 'data:text/plain;base64,' + CryptoJS.enc.Utf8.parse(
      document.getElementById('x').value).toString(CryptoJS.enc.Base64);
}
</script>

<style>
  body { margin: 0; padding: 0; }
  #x { position: absolute; top: 0; left: 0; right: 0; width: 100%; border: 0;
    -webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
    margin: 0; padding: 0.5em; height: 97%;
    font-family: Consolas, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace;
  }
  textarea:focus, textarea:active, textarea:disabled { background: white; color: black; border: 0; outline: none; }
  #command { display: none; position: absolute; float: left; bottom:0; left: 0; padding-bottom: 0.25em; }
  #command input { border: 0; outline: none; font-family: Consolas, Monaco, Lucida Console, Liberation Mono, DejaVu
    Sans Mono, Bitstream Vera Sans Mono, Couri  er New, monospace; }
  #controls { position: absolute; clear: both; bottom: 0; padding-bottom: 0.25em; right: 0.5em; color: #aaa; }
  i { color: #aaa; }
</style>
</head>
<body>
<noscript>
  This site requires JavaScript. However there is a command line client:
  <br>
  <pre>
    cd ~/bin
    curl -O https://raw.github.com/dgl/paste.sh/master/paste.sh
    chmod +x paste.sh
  </pre>
  Then use either:
  <pre>
    $ paste.sh some-file
  </pre>
  to upload text, or:
  <pre>
    $ paste.sh https://paste.sh/...
  </pre>
  to view text. See <a href="https://github.com/dgl/paste.sh">github</a> for more.
</noscript>
<textarea id=x>This is an encrypted paste site. Simply type or paste code here and share the URL.</textarea>
<div id="command"><input type="text" id="cmd" value=":"></div>
<div id="controls"><span id="status"></span> &nbsp;&nbsp; <a href="#raw" oncontextmenu='rawme(this)' onclick='alert("This will show the unencrypted data in the location bar (base64 encoded). Only use this for saving locally, do not share the data: URL."); rawme(this)'>raw</a> &bull; <a href="/">new</a> &bull; <a href="/about">about</a></div>
</body>
</html>