Change markdown to escape html by default

packages/rocketchat-markdown/markdown.coffee

@@ -3,16 +3,11 @@
 # @param {Object} message - The message object
 ###
 
-class Markdown
-	constructor: (message) ->
-		msg = message
-
-		if not _.isString message
-			if _.trim message?.html
-				msg = message.html
-			else
-				return message
+Markdown = new class MarkdownClass
+	parse: (text) ->
+		@parseNotEscaped(_.escapeHTML(text))
 
+	parseNotEscaped: (msg) ->
 		schemes = RocketChat.settings.get('Markdown_SupportSchemesForLink').split(',').join('|')
 
 		# Support ![alt text](http://image url)
@@ -68,19 +63,22 @@ class Markdown
 		# Remove new-line between blockquotes.
 		msg = msg.replace(/<\/blockquote>\n<blockquote/gm, '</blockquote><blockquote')
 
-		if not _.isString message
-			message.html = msg
-		else
-			message = msg
-
-		console.log 'Markdown', message if window?.rocketDebug
+		console.log 'Markdown', msg if window?.rocketDebug
 
-		return message
+		return msg
 
 
 RocketChat.Markdown = Markdown
-RocketChat.callbacks.add 'renderMessage', Markdown, RocketChat.callbacks.priority.HIGH, 'markdown'
+
+# renderMessage already did html escape
+MarkdownMessage = (message) ->
+	if _.trim message?.html
+		message.html = Markdown.parseNotEscaped(message.html)
+
+	return message
+
+RocketChat.callbacks.add 'renderMessage', MarkdownMessage, RocketChat.callbacks.priority.HIGH, 'markdown'
 
 if Meteor.isClient
 	Blaze.registerHelper 'RocketChatMarkdown', (text) ->
-		return RocketChat.Markdown _.escapeHTML text
+		return Markdown.parse text

packages/rocketchat-ui-message/client/message.coffee

@@ -192,9 +192,9 @@ Template.message.onCreated ->
 				msg = renderMessageBody msg
 
 		if isSystemMessage
-			return RocketChat.Markdown msg
-		else
-			return msg
+			msg.html = RocketChat.Markdown.parse msg.html
+
+		return msg
 
 Template.message.onViewRendered = (context) ->
 	view = this