From 38e0c6645e403ffadb2836653fffef4e13570b8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Tue, 28 Oct 2014 22:58:22 +0100
Subject: [PATCH] FIX: prevent iframe in expended quote
---
 app/assets/javascripts/discourse/views/post_view.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/discourse/views/post_view.js b/app/assets/javascripts/discourse/views/post_view.js
index 62cd2aa1a3..95cffdf64e 100644
--- a/app/assets/javascripts/discourse/views/post_view.js
+++ b/app/assets/javascripts/discourse/views/post_view.js
@@ -126,7 +126,9 @@ Discourse.PostView = Discourse.GroupedView.extend(Ember.Evented, {
 topicId = parseInt(topicId, 10);
 Discourse.ajax("/posts/by_number/" + topicId + "/" + postId).then(function (result) {
- var parsed = $(result.cooked);
+ // slightly double escape the cooked html to prevent jQuery from unescaping it
+ var escaped = result.cooked.replace("&", "&");
+ var parsed = $(escaped);
 parsed.replaceText(originalText, "" + originalText + "");
 $blockQuote.showHtml(parsed);
 });
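Review bot: The added `result.cooked.replace("&", "&")` uses a string pattern, which rewrites only the first `&` in the cooked HTML, so entity-encoded markup later in the quoted post would still be decoded and the iframe case named in the subject line stays open. As the line is rendered here the pattern and the replacement are identical, which would make the call a no-op; presumably the replacement entity was lost when the page was extracted, so check it against the repository. If the double-escape is kept it needs a global regex (`/&/g`) and a regression test with more than one entity in the post. Escaping at the step that turns decoded text back into markup (presumably `replaceText`, whose implementation is not visible in this hunk) would be less fragile than pre-escaping everything handed to `$()`. The enclosing function starts and ends outside the hunk.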