SECURITY: sanitizer allowing invalid attributes

app/assets/javascripts/discourse/lib/markdown.js

@@ -14,6 +14,16 @@ var _validClasses = {},
 function validateAttribute(tagName, attribName, value) {
   var tag = _validTags[tagName];
 
+  // Handle possible attacks
+  // if you include html in your markdown, it better be valid
+  //
+  // We are SUPER strict cause nokogiri will sometimes "correct"
+  //  this stuff "incorrectly"
+  var escaped = Handlebars.Utils.escapeExpression(value);
+  if(escaped !== value){
+    return;
+  }
+
   // Handle classes
   if (attribName === "class") {
     if (_validClasses[value]) { return value; }

spec/components/pretty_text_spec.rb

@@ -76,6 +76,7 @@ describe PrettyText do
   describe "Excerpt" do
 
     context "images" do
+
       it "should dump images" do
         PrettyText.excerpt("<img src='http://cnn.com/a.gif'>",100).should == "[image]"
       end
@@ -286,6 +287,10 @@ describe PrettyText do
     it "allows bold chinese" do
       PrettyText.cook("**你hello**").should match_html "<p><strong>你hello</strong></p>"
     end
+
+    it "sanitizes attempts to inject invalid attributes" do
+      PrettyText.cook("<a href=\"http://thedailywtf.com/\" data-bbcode=\"' class='fa fa-spin\">WTF</a>").should == "<p><a href=\"http://thedailywtf.com/\" rel=\"nofollow\">WTF</a></p>"
+    end
   end
 
 end