From 91cd4f2d666687e3ffcd062424ffd4e90464432b Mon Sep 17 00:00:00 2001
From: Sam <sam.saffron@gmail.com>
Date: Thu, 17 Jul 2014 16:09:35 +1000
Subject: [PATCH] SECURITY: improve escaping protection

---
 app/assets/javascripts/discourse/dialects/quote_dialect.js | 6 +++++-
 app/assets/javascripts/discourse/lib/markdown.js           | 3 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/assets/javascripts/discourse/dialects/quote_dialect.js b/app/assets/javascripts/discourse/dialects/quote_dialect.js
index 6640e24bc..69ac28dcb 100644
--- a/app/assets/javascripts/discourse/dialects/quote_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/quote_dialect.js
@@ -22,7 +22,11 @@ Discourse.Dialect.replaceBlock({
         if (i > 0) {
           var assignment = p.split(':');
           if (assignment[0] && assignment[1]) {
-            params['data-' + esc(assignment[0])] = esc(assignment[1].trim());
+            var escaped = esc(assignment[0]);
+            // don't escape attributes, makes no sense
+            if(escaped === assignment[0]) {
+              params['data-' + assignment[0]] = esc(assignment[1].trim());
+            }
           }
         }
       });
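Review bot: The new guard `if(escaped === assignment[0])` only rejects attribute names that `esc` rewrites, so any character an HTML-entity escaper leaves untouched (whitespace, `=`, `/`) still reaches the key built at `params['data-' + assignment[0]]`, where it can end the attribute name early when the params are rendered; what `esc` actually covers, and whether `p` can contain whitespace at all, is decided outside the hunk, so this is inferred. A positive allowlist on the name is stricter and does not depend on the escaper's table, in the same spirit as the explicit character test this commit introduces in markdown.js: `if (/^[a-zA-Z0-9_-]+$/.test(assignment[0])) {` in place of the comparison, after which the `var escaped` line is no longer needed. The comment `// don't escape attributes, makes no sense` would then read `// attribute names are never escaped; anything outside [a-zA-Z0-9_-] is dropped`. The enclosing callback and the replaceBlock definition both start and end outside the hunk.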
diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js
index 7229b49c2..66b2a7ea9 100644
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@@ -19,8 +19,7 @@ function validateAttribute(tagName, attribName, value) {
   //
   // We are SUPER strict cause nokogiri will sometimes "correct"
   //  this stuff "incorrectly"
-  var escaped = Handlebars.Utils.escapeExpression(value);
-  if(escaped !== value){
+  if(/[<>"'`]/.test(value)){
     return;
   }