Permanent XSS
In syntax highlighting mode, HTML is not properly escaped, thereby allowing cross-site scripting. To reproduce:
$ echo "<script>alert('XSS');</script>" | curl -s -F 'tpaste=<-' https://tpaste.us/
And append ?hl=true to the resulting URL.
Example paste: https://tpaste.us/jnKq?hl=true
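
An added example, not part of the original report and not tpaste's own code: a hypothetical highlight-mode renderer with and without output escaping, run against the paste body from the report. The page template, function names and header values are assumptions.

```python
import html

# Constructed sample: the paste body used in the report above.
PASTE = "<script>alert('XSS');</script>\n"

# Hypothetical page template for highlight mode.
PAGE = ('<!doctype html><html><body>'
        '<pre><code class="hl">{body}</code></pre></body></html>')


def render_highlight_unsafe(paste: str) -> str:
    """'Before': the paste is placed into the HTML page verbatim."""
    return PAGE.format(body=paste)


def render_highlight_safe(paste: str) -> str:
    """'After': escape &, <, >, " and ' so the paste stays text inside <code>."""
    return PAGE.format(body=html.escape(paste, quote=True))


def response_headers(highlight: bool) -> dict:
    """Headers to send with a paste (defence in depth; values are assumptions)."""
    if not highlight:
        # Raw pastes are plain text and must not be sniffed as HTML.
        return {"Content-Type": "text/plain; charset=utf-8",
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            # Refuses inline scripts even if an escaping bug is reintroduced.
            "Content-Security-Policy":
                "default-src 'none'; script-src 'self'; style-src 'self'"}


def contains_live_markup(page: str, paste: str) -> bool:
    """Regression check: does markup from the paste appear unescaped in the page?"""
    return "<" in paste and paste.strip() in page


if __name__ == "__main__":
    for name, render in (("unsafe", render_highlight_unsafe),
                         ("safe", render_highlight_safe)):
        page = render(PASTE)
        print(name, "live markup:", contains_live_markup(page, PASTE))
```

The `contains_live_markup` check can be kept as a regression test for the highlight view, so the escaping cannot be dropped again unnoticed.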