FIX: Change the approach to sanitization. Includes a more detailed API

for allowing classes and attributes for only certain tag names.

test/javascripts/lib/markdown_test.js

@@ -6,6 +6,8 @@ module("Discourse.Markdown", {
 
 var cooked = function(input, expected, text) {
   var result = Discourse.Markdown.cook(input, {sanitize: true});
+  expected = expected.replace(/\/>/g, ">");
+  // result = result.replace("/>", ">");
   equal(result, expected, text);
 };
 
@@ -138,6 +140,8 @@ test("Links", function() {
   cooked("User [MOD]: Hello!",
          "<p>User [MOD]: Hello!</p>",
          "It does not consider references that are obviously not URLs");
+
+  cooked("<small>http://eviltrout.com</small>", "<p><small><a href=\"http://eviltrout.com\">http://eviltrout.com</a></small></p>", "Links within HTML tags");
 });
 
 test("simple quotes", function() {
@@ -240,6 +244,9 @@ test("Mentions", function() {
                 "<p><a class=\"mention\" href=\"/users/eviltrout\">@eviltrout</a></p>",
                 "it doesn't onebox mentions");
 
+  cookedOptions("<small>a @sam c</small>", alwaysTrue,
+                "<p><small>a <a class=\"mention\" href=\"/users/sam\">@sam</a> c</small></p>",
+                "it allows mentions within HTML tags");
 });
 
 
@@ -370,7 +377,7 @@ test("sanitize", function() {
 
   cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS");
 
-  cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i><br/>&lt;!-- --&gt;</p>", "it doesn't circumvent XSS with comments");
+  cooked("<i class=\"fa fa-bug fa-spin\" style=\"font-size:600%\"></i>\n<!-- -->", "<p><i></i><br/></p>", "it doesn't circumvent XSS with comments");
 });
 
 test("URLs in BBCode tags", function() {

test/javascripts/mdtest/fixtures/Images.xhtml

@@ -12,7 +12,7 @@
 
 <p><img src="/url/" alt="alt text" title="with a title" />.</p>
 
-<p><img src="" alt="Empty" /></p>
+<p><img alt="Empty" /></p>
 
 <p><img src="http://example.com/(parens).jpg" alt="this is a stupid URL" /></p>
 

test/javascripts/mdtest/fixtures/Links, inline style.xhtml

@@ -10,9 +10,9 @@
 
 <p><a href="/url/">URL wrapped in angle brackets</a>.</p>
 
-<p><a href="/url/" title="Here&#39;s the title">URL w/ angle brackets + title</a>.</p>
+<p><a href="/url/" title="Here's the title">URL w/ angle brackets + title</a>.</p>
 
-<p><a href="">Empty</a>.</p>
+<p><a>Empty</a>.</p>
 
 <p><a href="http://en.wikipedia.org/wiki/WIMP_(computing)">With parens in the URL</a></p>
 

test/javascripts/mdtest/mdtest.js.erb

@@ -8,13 +8,42 @@ module("MDTest", {
 // do not affect formatting. 
 function normalize(str) {
   return str.replace(/\n\s*/g, '').
-             replace(/ \/\>/g, '/>').
+             replace(/ \/\>/g, '>').
              replace(/    ?/g, "\t").
              replace(/"/g, '"');
 }
 
+// We use a custom sanitizer for MD test that hoists out comments. In Discourse
+// they are stripped, but to be compliant with the spec they should not be.
+function hoistingSanitizer(result) {
+  var hoisted,
+      m = result.match(/<!--[\s\S]*?-->/g);
+  if (m && m.length) {
+    hoisted = [];
+    for (var i=0; i<m.length; i++) {
+      var c = m[i],
+          id = "discourse:hoisted-comment:" + i;
+      result = result.replace(c, id);
+      hoisted.push([c, id]);
+    }
+  }
+
+  result = Discourse.Markdown.sanitize(result);
+
+  if (hoisted) {
+    hoisted.forEach(function(tuple) {
+      result = result.replace(tuple[1], tuple[0]);
+    });
+  }
+
+  return result;
+}
+
 var md = function(input, expected, text) {
-  var result = Discourse.Markdown.cook(input, {sanitize: true, traditional_markdown_linebreaks: true}),
+  var result = Discourse.Markdown.cook(input, {
+        sanitizerFunction: hoistingSanitizer,
+        traditional_markdown_linebreaks: true
+      }),
       resultNorm = normalize(result),
       expectedNorm = normalize(expected),
       same = (result === expected) || (resultNorm === expectedNorm);