VYPR
Moderate severityNVD Advisory· Published May 4, 2023· Updated Jan 29, 2025

CVE-2023-27075


Description

A cross-site scripting vulnerability (XSS) in the component microbin/src/pasta.rs of Microbin v1.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: microbin (crates.io)
Affected versions: < 1.2.1
Patched versions: 1.2.1

Affected products

2

Patches

Vulnerability mechanics

Root cause

"Missing HTML entity encoding of user-controlled pasta content before embedding it in a JavaScript context allows stored XSS."

Attack vector

An attacker creates a pasta (a text paste) whose body contains a malicious payload, such as HTML tags or JavaScript event handlers. When a victim views that pasta, the content is rendered in the browser without HTML entity encoding [patch_id=1640960]. The `content_escaped()` function in `src/pasta.rs` only escaped backticks and dollar signs, which guards the JavaScript template-literal boundary but leaves `<`, `>`, `&` and quotes intact, so the browser interprets attacker-controlled content as markup. The attacker does not need authentication if the instance allows public paste creation, and the payload executes in the victim's browser session (stored XSS).

Affected code

The vulnerability is in `src/pasta.rs` in the `content_escaped()` method, which only escaped backticks and dollar signs but not HTML-special characters. The template `templates/pasta.html` embeds the pasta content directly into a JavaScript context with no HTML entity encoding in between. The `Cargo.toml` and `Cargo.lock` changes show the addition of the `html-escape` crate as part of the fix [patch_id=1640960].

What the fix does

The patch adds the `html-escape` crate and wraps the output of `content_escaped()` with `html_escape::encode_text()` in `src/pasta.rs` [patch_id=1640960]. This converts HTML-special characters (`<`, `>`, `&`, `"`, `'`) into their corresponding HTML entities, so the browser no longer interprets attacker-controlled content as markup; because the entity encoding is layered on top of the existing backtick and `$` escaping, both the template-literal boundary and HTML markup are covered. Additionally, the JavaScript in `templates/pasta.html` now decodes HTML entities via a `decodeEntity` function before writing content to the clipboard, so the user still receives the original text when copying. The `copyURLBtn` null-check also prevents a JavaScript error on non-URL pastas.
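The escaper behaviour described above, modelled in a short added example (this is not Microbin's code, and `html_entity_encode` is a hand-written stand-in for `html_escape::encode_text` so the block builds without external crates). `content_escaped_old` reproduces the pre-fix backtick/`$` escaping, `content_escaped_fixed` layers entity encoding on top of it the way the patch does, and `decode_entities` mirrors the role of the template's `decodeEntity` helper for the clipboard round-trip. The payload string is constructed for illustration.

```rust
// Added example, not code from the Microbin project. Models the
// pre-fix and post-fix escaping of pasta content as the advisory
// describes it; html_entity_encode stands in for html_escape::encode_text.

/// Pre-fix behaviour: only backticks and `$` are escaped. That keeps a
/// JS template literal from being terminated early but leaves every
/// HTML-special character untouched.
pub fn content_escaped_old(content: &str) -> String {
    content.replace('`', "\\`").replace('$', "\\$")
}

/// Stand-in for `html_escape::encode_text`: encodes the characters that
/// can change how the browser parses surrounding HTML.
pub fn html_entity_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Post-fix pipeline: entity encoding wraps the old escaper, so both the
/// template-literal boundary and HTML markup are neutralised.
pub fn content_escaped_fixed(content: &str) -> String {
    html_entity_encode(&content_escaped_old(content))
}

/// Reverses html_entity_encode, in the role of the template's
/// `decodeEntity` helper: `&amp;` is decoded last so that an encoded
/// `&lt;` (which becomes `&amp;lt;`) is not turned into a raw `<`.
pub fn decode_entities(s: &str) -> String {
    s.replace("&lt;", "<")
        .replace("&gt;", ">")
        .replace("&quot;", "\"")
        .replace("&#39;", "'")
        .replace("&amp;", "&")
}

/// Crude stand-in for the HTML parser: a raw `<` in rendered output means
/// the browser can still see a tag opener.
pub fn contains_raw_tag(rendered: &str) -> bool {
    rendered.contains('<')
}

fn main() {
    // Constructed payload: closes the enclosing script element and injects
    // an element with an event handler. It needs no backtick or `$`, so
    // the pre-fix escaper passes it through unchanged.
    let payload = "</script><img src=x onerror=alert(1)>";
    let old = content_escaped_old(payload);
    let fixed = content_escaped_fixed(payload);
    println!("pre-fix : {}  (raw tag: {})", old, contains_raw_tag(&old));
    println!("post-fix: {}  (raw tag: {})", fixed, contains_raw_tag(&fixed));
    println!(
        "clipboard round-trip intact: {}",
        decode_entities(&html_entity_encode(payload)) == payload
    );
}
```

Running the block prints the payload unchanged for the pre-fix path and fully entity-encoded for the post-fix path; the decode step shows why the template needs `decodeEntity` before copying, since otherwise the user would receive `&lt;` where the pasta said `<`.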

Preconditions

  • Input: the attacker must be able to create a pasta (text paste) containing a malicious XSS payload.
  • Network: the victim must visit the page displaying the attacker's pasta content.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
