From ba683bc611371b54c19356730225581cd4cceb8b Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Mon, 28 Apr 2014 14:43:49 -0400
Subject: [PATCH] FIX: XSS in markdown converter.

---
 app/assets/javascripts/discourse/dialects/dialect.js | 5 ++---
 test/javascripts/lib/markdown_test.js                | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/assets/javascripts/discourse/dialects/dialect.js b/app/assets/javascripts/discourse/dialects/dialect.js
index 6dfe71cfb..c3071ae35 100644
--- a/app/assets/javascripts/discourse/dialects/dialect.js
+++ b/app/assets/javascripts/discourse/dialects/dialect.js
@@ -42,7 +42,6 @@ function processTextNodes(node, event, emitter) {
   for (var j=1; j<node.length; j++) {
     var textContent = node[j];
     if (typeof textContent === "string") {
-
       if (dialect.options.sanitize && !skipSanitize[textContent]) {
         textContent = Discourse.Markdown.sanitize(textContent);
       }
@@ -63,9 +62,9 @@ function processTextNodes(node, event, emitter) {
 
     }
   }
-
 }
 
+
 /**
   Parse a JSON ML tree, using registered handlers to adjust it if necessary.
 
@@ -96,7 +95,7 @@ function parseTree(tree, path, insideCounts) {
 
       insideCounts[tagName] = (insideCounts[tagName] || 0) + 1;
 
-      if (n && n.length === 2 && n[0] === "p" && /^<!--([\s\S]*)-->$/m.exec(n[1])) {
+      if (n && n.length === 2 && n[0] === "p" && /^<!--([\s\S]*)-->$/.exec(n[1])) {
         // Remove paragraphs around comment-only nodes.
         tree[i] = n[1];
       } else {
diff --git a/test/javascripts/lib/markdown_test.js b/test/javascripts/lib/markdown_test.js
index e46ebc946..87d891ae2 100644
--- a/test/javascripts/lib/markdown_test.js
+++ b/test/javascripts/lib/markdown_test.js
@@ -354,6 +354,8 @@ test("sanitize", function() {
   equal(sanitize("<canvas>draw me!</canvas>"), "draw me!");
 
   cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS");
+
+  cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i><br/>&lt;!-- --&gt;</p>", "it doesn't circumvent XSS with comments");
 });
 
 test("URLs in BBCode tags", function() {