FIX: Sanitize custom quote attributes

app/assets/javascripts/discourse/dialects/quote_dialect.js

@@ -1,6 +1,9 @@
 /**
   Support for quoting other users.
 **/
+
+var esc = Handlebars.Utils.escapeExpression;
+
 Discourse.Dialect.replaceBlock({
   start: new RegExp("\\[quote=?([^\\[\\]]+)?\\]([\\s\\S]*)", "igm"),
   stop: '[/quote]',
@@ -19,7 +22,7 @@ Discourse.Dialect.replaceBlock({
         if (i > 0) {
           var assignment = p.split(':');
           if (assignment[0] && assignment[1]) {
-            params['data-' + assignment[0]] = assignment[1].trim();
+            params['data-' + esc(assignment[0])] = esc(assignment[1].trim());
           }
         }
       });

test/javascripts/lib/bbcode_test.js

@@ -99,6 +99,9 @@ test("quotes", function() {
          "<aside class=\"quote\"><blockquote><p><em>test</em></p></blockquote></aside>",
          "it doesn't insert a new line for italics");
 
+  format("[quote,script='a'><script>alert('test');//':a][/quote]",
+         "<aside class=\"quote\" data-script=&#x27;a&#x27;&gt;&lt;script&gt;alert(&#x27;test&#x27;);//&#x27;=\"a\"><blockquote></blockquote></aside>",
+         "It will not create a script tag within an attribute");
 });
 
 test("quote formatting", function() {