From a754d9edfdeeac0a360575c7ee8933f566c9fba9 Mon Sep 17 00:00:00 2001
From: Rodrigo Nascimento <rodrigoknascimento@gmail.com>
Date: Mon, 10 Apr 2017 15:56:43 -0300
Subject: [PATCH] Change markdown to escape html by default

---
 packages/rocketchat-markdown/markdown.coffee  | 34 +++++++++----------
 .../client/message.coffee                     |  6 ++--
 2 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/packages/rocketchat-markdown/markdown.coffee b/packages/rocketchat-markdown/markdown.coffee
index 2171d846d60..4caaaf6374f 100644
--- a/packages/rocketchat-markdown/markdown.coffee
+++ b/packages/rocketchat-markdown/markdown.coffee
@@ -3,16 +3,11 @@
 # @param {Object} message - The message object
 ###
 
-class Markdown
-	constructor: (message) ->
-		msg = message
-
-		if not _.isString message
-			if _.trim message?.html
-				msg = message.html
-			else
-				return message
+Markdown = new class MarkdownClass
+	parse: (text) ->
+		@parseNotEscaped(_.escapeHTML(text))
 
+	parseNotEscaped: (msg) ->
 		schemes = RocketChat.settings.get('Markdown_SupportSchemesForLink').split(',').join('|')
 
 		# Support ![alt text](http://image url)
@@ -68,19 +63,22 @@ class Markdown
 		# Remove new-line between blockquotes.
 		msg = msg.replace(/<\/blockquote>\n<blockquote/gm, '</blockquote><blockquote')
 
-		if not _.isString message
-			message.html = msg
-		else
-			message = msg
-
-		console.log 'Markdown', message if window?.rocketDebug
+		console.log 'Markdown', msg if window?.rocketDebug
 
-		return message
+		return msg
 
 
 RocketChat.Markdown = Markdown
-RocketChat.callbacks.add 'renderMessage', Markdown, RocketChat.callbacks.priority.HIGH, 'markdown'
+
+# renderMessage already did html escape
+MarkdownMessage = (message) ->
+	if _.trim message?.html
+		message.html = Markdown.parseNotEscaped(message.html)
+
+	return message
+
+RocketChat.callbacks.add 'renderMessage', MarkdownMessage, RocketChat.callbacks.priority.HIGH, 'markdown'
 
 if Meteor.isClient
 	Blaze.registerHelper 'RocketChatMarkdown', (text) ->
-		return RocketChat.Markdown _.escapeHTML text
+		return Markdown.parse text
diff --git a/packages/rocketchat-ui-message/client/message.coffee b/packages/rocketchat-ui-message/client/message.coffee
index 847594ef4f3..b5c01ec21a7 100644
--- a/packages/rocketchat-ui-message/client/message.coffee
+++ b/packages/rocketchat-ui-message/client/message.coffee
@@ -192,9 +192,9 @@ Template.message.onCreated ->
 				msg = renderMessageBody msg
 
 		if isSystemMessage
-			return RocketChat.Markdown msg
-		else
-			return msg
+			msg.html = RocketChat.Markdown.parse msg.html
+
+		return msg
 
 Template.message.onViewRendered = (context) ->
 	view = this