Resolves OSQA-674, be sure that we remove all anchors that trigger JavaScript code.

[osqa.git] / forum / skins / default / media / js / wmd / showdown.js

diff --git a/forum/skins/default/media/js/wmd/showdown.js b/forum/skins/default/media/js/wmd/showdown.js
index d223f45dca49891b16280e4e44f1871d68c6c364..b890fa8d3735803dcba6e55cc5cc167bb8bbf082 100644 (file)
--- a/forum/skins/default/media/js/wmd/showdown.js
+++ b/forum/skins/default/media/js/wmd/showdown.js
@@ -498,6 +498,11 @@ var _DoAnchors = function(text) {
        */
        text = text.replace(/(\[([^\[\]]+)\])()()()()()/g, writeAnchorTag);
 
+    // Prevent executing JavaScript from the Anchor href.
+    text = text.replace(/(<a.*href=[\"|\']javascript\:([^"]+)[\"|\'].*>([^<]+)<\/a>)/g, function() {
+        return arguments[3];
+    });
+
        return text;
 }