From d54c28adc18cb7252eaece3b7718113dfd1394d4 Mon Sep 17 00:00:00 2001 From: Sam Date: Thu, 10 Jul 2014 09:59:54 +1000 Subject: [PATCH] FIX: better whitelisting --- app/assets/javascripts/discourse/lib/markdown.js | 2 +- spec/components/pretty_text_spec.rb | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js index a3068fb148d..0fab3033289 100644 --- a/app/assets/javascripts/discourse/lib/markdown.js +++ b/app/assets/javascripts/discourse/lib/markdown.js @@ -258,6 +258,6 @@ Discourse.Markdown.whiteListTag('span', 'bbcode-i'); Discourse.Markdown.whiteListTag('span', 'bbcode-u'); Discourse.Markdown.whiteListTag('span', 'bbcode-s'); -Discourse.Markdown.whiteListTag('span', 'class', /bbcode-size-\d+$/); +Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/); Discourse.Markdown.whiteListIframe(/^(https?:)?\/\/www\.google\.com\/maps\/embed\?.+/i); diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb index c418a45b760..19b242de442 100644 --- a/spec/components/pretty_text_spec.rb +++ b/spec/components/pretty_text_spec.rb @@ -244,6 +244,8 @@ describe PrettyText do it "sanitizes spans" do PrettyText.cook("a").should match_html "
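Review bot: The changed `whiteListTag('span', 'class', /^bbcode-size-\d+$/)` line has no comment explaining why both anchors are needed, and the subject line does not say what the unanchored pattern let through. A comment above it such as `// Both anchors matter: the whole class value must be exactly bbcode-size-<digits>; any other class name alongside it is rejected.` would keep a later edit from loosening it again; this assumes the helper tests the pattern against the full attribute value, which this hunk does not show. The three context lines above pass `'bbcode-i'`, `'bbcode-u'` and `'bbcode-s'` in the position where this line passes `'class'`, so if the second parameter is the attribute name, those entries may be whitelisting attributes rather than class values and are worth checking against the helper's signature. `\d+` also accepts any number of digits; if the stylesheet defines only a fixed range of sizes, a bounded quantifier would be tighter.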

a

" + PrettyText.cook("a").should match_html "

a

" + PrettyText.cook("a").should match_html "

a

" end it "bolds stuff in parens" do