From 186ce78cb578fc03ffc3b6afd95c873f33119148 Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Mon, 14 Jul 2014 11:24:25 -0400
Subject: [PATCH] FIX: BBCode sanitization and tests

---
 .../javascripts/discourse/dialects/bbcode_dialect.js  |  3 +++
 app/assets/javascripts/discourse/lib/markdown.js      |  2 --
 test/javascripts/lib/bbcode_test.js                   | 11 ++++++-----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/app/assets/javascripts/discourse/dialects/bbcode_dialect.js b/app/assets/javascripts/discourse/dialects/bbcode_dialect.js
index 74f2968b9a1..fe27c9c0a3d 100644
--- a/app/assets/javascripts/discourse/dialects/bbcode_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/bbcode_dialect.js
@@ -73,6 +73,7 @@ replaceBBCode('b', function(contents) { return ['span', {'class': 'bbcode-b'}].c
 replaceBBCode('i', function(contents) { return ['span', {'class': 'bbcode-i'}].concat(contents); });
 replaceBBCode('u', function(contents) { return ['span', {'class': 'bbcode-u'}].concat(contents); });
 replaceBBCode('s', function(contents) { return ['span', {'class': 'bbcode-s'}].concat(contents); });
+Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-[bius]$/);
 
 replaceBBCode('ul', function(contents) { return ['ul'].concat(contents); });
 replaceBBCode('ol', function(contents) { return ['ol'].concat(contents); });
@@ -100,6 +101,7 @@ replaceBBCodeParamsRaw("email", function(param, contents) {
 replaceBBCodeParams("size", function(param, contents) {
   return ['span', {'class': "bbcode-size-" + (parseInt(param, 10) || 1)}].concat(contents);
 });
+Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/);
 
 // Handles `[code] ... [/code]` blocks
 Discourse.Dialect.replaceBlock({
@@ -112,3 +114,4 @@ Discourse.Dialect.replaceBlock({
     return ['p', ['pre', ['code', {'class': Discourse.SiteSettings.default_code_lang}, inner]]];
   }
 });
+
diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js
index 0fab3033289..b8c908538c4 100644
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@@ -258,6 +258,4 @@ Discourse.Markdown.whiteListTag('span', 'bbcode-i');
 Discourse.Markdown.whiteListTag('span', 'bbcode-u');
 Discourse.Markdown.whiteListTag('span', 'bbcode-s');
 
-Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/);
-
 Discourse.Markdown.whiteListIframe(/^(https?:)?\/\/www\.google\.com\/maps\/embed\?.+/i);
diff --git a/test/javascripts/lib/bbcode_test.js b/test/javascripts/lib/bbcode_test.js
index 83fcd65867d..760add102a4 100644
--- a/test/javascripts/lib/bbcode_test.js
+++ b/test/javascripts/lib/bbcode_test.js
@@ -1,12 +1,12 @@
 module("Discourse.BBCode");
 
 var format = function(input, expected, text) {
-  var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false});
+  var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false, sanitize: true});
   equal(cooked, "<p>" + expected + "</p>", text);
 };
 
 var formatQ = function(input, expected, text) {
-  var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false});
+  var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false, sanitize: true});
   equal(cooked, expected, text);
 };
 
@@ -15,7 +15,7 @@ test('basic bbcode', function() {
   format("[i]emphasis[/i]", "<span class=\"bbcode-i\">emphasis</span>", "italics text");
   format("[u]underlined[/u]", "<span class=\"bbcode-u\">underlined</span>", "underlines text");
   format("[s]strikethrough[/s]", "<span class=\"bbcode-s\">strikethrough</span>", "strikes-through text");
-  format("[img]http://eviltrout.com/eviltrout.png[/img]", "<img src=\"http://eviltrout.com/eviltrout.png\"/>", "links images");
+  format("[img]http://eviltrout.com/eviltrout.png[/img]", "<img src=\"http://eviltrout.com/eviltrout.png\">", "links images");
   format("[url]http://bettercallsaul.com[/url]", "<a href=\"http://bettercallsaul.com\">http://bettercallsaul.com</a>", "supports [url] without a title");
   format("[email]eviltrout@mailinator.com[/email]", "<a href=\"mailto:eviltrout@mailinator.com\">eviltrout@mailinator.com</a>", "supports [email] without a title");
   format("[b]evil [i]trout[/i][/b]",
@@ -37,7 +37,8 @@ test('code', function() {
 
 test('spoiler', function() {
   format("[spoiler]it's a sled[/spoiler]", "<span class=\"spoiler\">it's a sled</span>", "supports spoiler tags on text");
-  format("[spoiler]<img src='http://eviltrout.com/eviltrout.png' width='50' height='50'>[/spoiler]", "<div class=\"spoiler\"><img src='http://eviltrout.com/eviltrout.png' width='50' height='50'></div>", "supports spoiler tags on images");
+  format("[spoiler]<img src='http://eviltrout.com/eviltrout.png' width='50' height='50'>[/spoiler]",
+         "<div class=\"spoiler\"><img src=\"http://eviltrout.com/eviltrout.png\" width=\"50\" height=\"50\"></div>", "supports spoiler tags on images");
 });
 
 test('lists', function() {
@@ -105,7 +106,7 @@ test("quotes", function() {
          "it doesn't insert a new line for italics");
 
   format("[quote=,script='a'><script>alert('test');//':a][/quote]",
-         "<aside class=\"quote\" data-script=&#x27;a&#x27;&gt;&lt;script&gt;alert(&#x27;test&#x27;);//&#x27;=\"a\"><blockquote></blockquote></aside>",
+         "<aside class=\"quote\" data-script=\"'a'&gt;&lt;script&gt;alert('test');//'=\"><blockquote></blockquote></aside>",
          "It will not create a script tag within an attribute");
 });