Merge pull request #1865 from vikhyat/less-than-sanitization

Fix sanitization of smileys like <_< and <3.
Robin Ward 2014-01-27 12:34:44 -08:00
commit 359a866458
2 changed files with 3 additions and 0 deletions


@ -154,6 +154,7 @@ Discourse.Markdown = {
**/
sanitize: function(text) {
if (!window.html_sanitize) return "";
text = text.replace(/<([^A-Za-z\/]|$)/g, "&lt;$1");
return window.html_sanitize(text, Discourse.Markdown.urlAllowed, Discourse.Markdown.nameIdClassAllowed);
},
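Review bot: The new `text.replace(/<([^A-Za-z\/]|$)/g, "&lt;$1")` line in `sanitize` needs a comment, because read cold the regex looks arbitrary and someone may later "simplify" it: `// Escape "<" that cannot open a tag (not followed by a letter or "/", or at end of input) so html_sanitize keeps it as text instead of dropping it as a malformed tag.` The same pattern also turns `<!--`, `<![CDATA[` and `<?` into literal text before the sanitizer sees them, which appears to be a safe side effect but should be stated explicitly since it changes what reaches `html_sanitize`. The escaping runs on the raw input before sanitization, so correctness depends on the sanitizer preserving `&lt;` in text nodes and attribute values; the tests added in the second file cover `<3` and `<_<` but not a trailing `<` or a `<!--` sequence, e.g. `equal(sanitize("a<"), "a&lt;");`. The enclosing `Discourse.Markdown` object starts and ends outside this hunk.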


@ -332,6 +332,8 @@ test("sanitize", function() {
equal(sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");
equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
equal(sanitize("<3 <3"), "&lt;3 &lt;3");
equal(sanitize("<_<"), "&lt;_&lt;");
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",