diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js
index b7c37b85633..a2bdfde351e 100644
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@@ -154,6 +154,7 @@ Discourse.Markdown = {
 **/
 sanitize: function(text) {
 if (!window.html_sanitize) return "";
+ text = text.replace(/<([^A-Za-z\/]|$)/g, "<$1");
 return window.html_sanitize(text, Discourse.Markdown.urlAllowed, Discourse.Markdown.nameIdClassAllowed);
 },
diff --git a/test/javascripts/lib/markdown_test.js b/test/javascripts/lib/markdown_test.js
index 62821659b7c..a36f0f37547 100644
--- a/test/javascripts/lib/markdown_test.js
+++ b/test/javascripts/lib/markdown_test.js
@@ -332,6 +332,8 @@ test("sanitize", function() {
 equal(sanitize("bug"), "bug");
 equal(sanitize("
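Review bot: The added pre-escape in `sanitize` carries no comment, and because it rewrites untrusted markup before `html_sanitize` sees it a reader needs the reason it cannot weaken the sanitizer: an HTML tokenizer only opens a tag when `<` is followed by an ASCII letter, `/`, `!` or `?`, so entity-encoding every other `<` can never turn text into markup, it only stops the sanitizer from dropping a stray `<` such as `<3`. I would put that above the replace: `// Encode a "<" that cannot start a tag (not followed by a letter or "/") so the sanitizer keeps it as text instead of dropping it.` Note that the class also catches `<!` and `<?`, so an HTML comment or processing instruction in the input now survives as literal text rather than being removed by `html_sanitize`; that is the safer outcome, but it is a behaviour change worth pinning with a test alongside the `<3` cases. As rendered here the replacement reads `"<$1"`, which would be a no-op; presumably the source holds the entity-encoded form and this page decoded it, which would also explain the `<3` expectations in the test hunk. The enclosing `Discourse.Markdown` object literal starts and ends outside the hunk.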
"), "
"); equal(sanitize("

hello

"), "

hello

"); + equal(sanitize("<3 <3"), "<3 <3"); + equal(sanitize("<_<"), "<_<"); cooked("hello", "

hello

", "it sanitizes while cooking"); cooked("disney reddit",