From: jordan Date: Sun, 8 May 2011 14:02:03 +0000 (+0000) Subject: Resolves OSQA-674, be sure that we remove all anchors that trigger JavaScript code. X-Git-Tag: live~283 X-Git-Url: https://git.openstreetmap.org./osqa.git/commitdiff_plain/4447439079a88835d69524ab36ba88ecda384142 Resolves OSQA-674, be sure that we remove all anchors that trigger JavaScript code. git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@1030 0cfe37f9-358a-4d5e-be75-b63607b5c754 --- diff --git a/forum/skins/default/media/js/wmd/showdown.js b/forum/skins/default/media/js/wmd/showdown.js index d223f45..b890fa8 100644 --- a/forum/skins/default/media/js/wmd/showdown.js +++ b/forum/skins/default/media/js/wmd/showdown.js @@ -498,6 +498,11 @@ var _DoAnchors = function(text) { */ text = text.replace(/(\[([^\[\]]+)\])()()()()()/g, writeAnchorTag); + // Prevent executing JavaScript from the Anchor href. + text = text.replace(/(([^<]+)<\/a>)/g, function() { + return arguments[3]; + }); + return text; }
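Review bot: The added `text.replace(...)` filters anchors only after `writeAnchorTag` has emitted them, and its link-text group `([^<]+)` matches only anchors whose text contains no nested tag, so an anchor with emphasised or otherwise marked-up text would presumably keep its href. Checking the URL scheme against an allow-list (for example http, https, mailto) where the href is written would be more robust than pattern-matching the generated HTML for a single scheme. The callback's `arguments[3]` ties the result to the number of capture groups (the pattern as rendered on this page shows only two, so its opening-tag part has probably been lost in extraction); naming the parameters, e.g. `function(match, g1, g2, linkText) { return linkText; }`, would make clear which group is returned. showdown.js runs in the browser, so if the server renders Markdown separately the same scheme check is needed there. `_DoAnchors` begins outside the hunk, so it cannot be confirmed from here that every link form passes through this replace.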