whitelist acceptable syntax highlighting classes

app/assets/javascripts/discourse/dialects/github_code_dialect.js

@@ -5,11 +5,25 @@
   @event register
   @namespace Discourse.Dialect
 **/
+
+var acceptableCodeClasses =
+  ["lang-auto", "1c", "actionscript", "apache", "applescript", "avrasm", "axapta", "bash", "brainfuck",
+   "clojure", "cmake", "coffeescript", "cpp", "cs", "css", "d", "delphi", "diff", "xml", "django", "dos",
+   "erlang-repl", "erlang", "glsl", "go", "handlebars", "haskell", "http", "ini", "java", "javascript",
+   "json", "lisp", "lua", "markdown", "matlab", "mel", "nginx", "objectivec", "parser3", "perl", "php",
+   "profile", "python", "r", "rib", "rsl", "ruby", "rust", "scala", "smalltalk", "sql", "tex", "text",
+   "vala", "vbscript", "vhdl"];
+
 Discourse.Dialect.replaceBlock({
   start: /^`{3}([^\n\[\]]+)?\n?([\s\S]*)?/gm,
   stop: '```',
   emitter: function(blockContents, matches) {
-    return ['p', ['pre', ['code', {'class': matches[1] || 'lang-auto'}, blockContents.join("\n") ]]];
+
+    var klass = 'lang-auto';
+    if (matches[1] && acceptableCodeClasses.indexOf(matches[1]) !== -1) {
+      klass = matches[1];
+    }
+    return ['p', ['pre', ['code', {'class': klass}, blockContents.join("\n") ]]];
   }
 });
 

test/javascripts/components/markdown_test.js

@@ -300,6 +300,9 @@ test("Code Blocks", function() {
          "<p><pre><code class=\"ruby\">hello &#x60;eviltrout&#x60;</code></pre></p>",
          "it allows code with backticks in it");
 
+  cooked("```eviltrout\nhello\n```",
+          "<p><pre><code class=\"lang-auto\">hello</code></pre></p>",
+          "it doesn't not whitelist all classes");
 
   cooked("```[quote=\"sam, post:1, topic:9441, full:true\"]This is `<not>` a bug.[/quote]```",
          "<p><pre><code class=\"lang-auto\">[quote=&quot;sam, post:1, topic:9441, full:true&quot;]This is &#x60;&lt;not&gt;&#x60; a bug.[/quote]</code></pre></p>",