From 4dc20e6855aac3f139f456efb61c623c2508fd62 Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Mon, 21 Apr 2014 09:20:39 -0400
Subject: [PATCH] FIX: Sanitize custom quote attributes

---
 app/assets/javascripts/discourse/dialects/quote_dialect.js | 5 ++++-
 test/javascripts/lib/bbcode_test.js                        | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/dialects/quote_dialect.js b/app/assets/javascripts/discourse/dialects/quote_dialect.js
index dfccfd013db..f2d2a052b06 100644
--- a/app/assets/javascripts/discourse/dialects/quote_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/quote_dialect.js
@@ -1,6 +1,9 @@
 /**
   Support for quoting other users.
 **/
+
+var esc = Handlebars.Utils.escapeExpression;
+
 Discourse.Dialect.replaceBlock({
   start: new RegExp("\\[quote=?([^\\[\\]]+)?\\]([\\s\\S]*)", "igm"),
   stop: '[/quote]',
@@ -19,7 +22,7 @@ Discourse.Dialect.replaceBlock({
         if (i > 0) {
           var assignment = p.split(':');
           if (assignment[0] && assignment[1]) {
-            params['data-' + assignment[0]] = assignment[1].trim();
+            params['data-' + esc(assignment[0])] = esc(assignment[1].trim());
           }
         }
       });
diff --git a/test/javascripts/lib/bbcode_test.js b/test/javascripts/lib/bbcode_test.js
index 6eddd0a6642..3d335b2aa38 100644
--- a/test/javascripts/lib/bbcode_test.js
+++ b/test/javascripts/lib/bbcode_test.js
@@ -99,6 +99,9 @@ test("quotes", function() {
          "<aside class=\"quote\"><blockquote><p><em>test</em></p></blockquote></aside>",
          "it doesn't insert a new line for italics");
 
+  format("[quote,script='a'><script>alert('test');//':a][/quote]",
+         "<aside class=\"quote\" data-script=&#x27;a&#x27;&gt;&lt;script&gt;alert(&#x27;test&#x27;);//&#x27;=\"a\"><blockquote></blockquote></aside>",
+         "It will not create a script tag within an attribute");
 });
 
 test("quote formatting", function() {