Resolves OSQA-674, be sure that we remove all anchors that trigger JavaScript code.

author jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>

Sun, 8 May 2011 14:02:03 +0000 (14:02 +0000)

committer jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>

Sun, 8 May 2011 14:02:03 +0000 (14:02 +0000)
author jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Sun, 8 May 2011 14:02:03 +0000 (14:02 +0000)
committer jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Sun, 8 May 2011 14:02:03 +0000 (14:02 +0000)
diff --git a/forum/skins/default/media/js/wmd/showdown.js b/forum/skins/default/media/js/wmd/showdown.js

index d223f45dca49891b16280e4e44f1871d68c6c364..b890fa8d3735803dcba6e55cc5cc167bb8bbf082 100644 (file)
--- a/forum/skins/default/media/js/wmd/showdown.js
+++ b/forum/skins/default/media/js/wmd/showdown.js
@@ -498,6 +498,11 @@ var _DoAnchors = function(text) {
         */
         text = text.replace(/(\[([^\[\]]+)\])()()()()()/g, writeAnchorTag);
  
+    // Prevent executing JavaScript from the Anchor href.
+    text = text.replace(/(<a.*href=[\"|\']javascript\:([^"]+)[\"|\'].*>([^<]+)<\/a>)/g, function() {
+        return arguments[3];
+    });
+
         return text;
  }
author	jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
	Sun, 8 May 2011 14:02:03 +0000 (14:02 +0000)
committer	jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
	Sun, 8 May 2011 14:02:03 +0000 (14:02 +0000)