SECURITY: improve escaping protection

app/assets/javascripts/discourse/dialects/quote_dialect.js

@@ -22,7 +22,11 @@ Discourse.Dialect.replaceBlock({
         if (i > 0) {
           var assignment = p.split(':');
           if (assignment[0] && assignment[1]) {
-            params['data-' + esc(assignment[0])] = esc(assignment[1].trim());
+            var escaped = esc(assignment[0]);
+            // don't escape attributes, makes no sense
+            if(escaped === assignment[0]) {
+              params['data-' + assignment[0]] = esc(assignment[1].trim());
+            }
           }
         }
       });

app/assets/javascripts/discourse/lib/markdown.js

@@ -19,8 +19,7 @@ function validateAttribute(tagName, attribName, value) {
   //
   // We are SUPER strict cause nokogiri will sometimes "correct"
   //  this stuff "incorrectly"
-  var escaped = Handlebars.Utils.escapeExpression(value);
-  if(escaped !== value){
+  if(/[<>"'`]/.test(value)){
     return;
   }