diff --git a/app/assets/javascripts/discourse/dialects/github_code_dialect.js b/app/assets/javascripts/discourse/dialects/github_code_dialect.js
index 725b14a572..31fc8d97bf 100644
--- a/app/assets/javascripts/discourse/dialects/github_code_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/github_code_dialect.js
@@ -5,11 +5,25 @@
@event register
@namespace Discourse.Dialect
**/
+
+var acceptableCodeClasses =
+ ["lang-auto", "1c", "actionscript", "apache", "applescript", "avrasm", "axapta", "bash", "brainfuck",
+ "clojure", "cmake", "coffeescript", "cpp", "cs", "css", "d", "delphi", "diff", "xml", "django", "dos",
+ "erlang-repl", "erlang", "glsl", "go", "handlebars", "haskell", "http", "ini", "java", "javascript",
+ "json", "lisp", "lua", "markdown", "matlab", "mel", "nginx", "objectivec", "parser3", "perl", "php",
+ "profile", "python", "r", "rib", "rsl", "ruby", "rust", "scala", "smalltalk", "sql", "tex", "text",
+ "vala", "vbscript", "vhdl"];
+
Discourse.Dialect.replaceBlock({
start: /^`{3}([^\n\[\]]+)?\n?([\s\S]*)?/gm,
stop: '```',
emitter: function(blockContents, matches) {
- return ['p', ['pre', ['code', {'class': matches[1] || 'lang-auto'}, blockContents.join("\n") ]]];
+
+ var klass = 'lang-auto';
+ if (matches[1] && acceptableCodeClasses.indexOf(matches[1]) !== -1) {
+ klass = matches[1];
+ }
+ return ['p', ['pre', ['code', {'class': klass}, blockContents.join("\n") ]]];
}
});
diff --git a/test/javascripts/components/markdown_test.js b/test/javascripts/components/markdown_test.js
index 239748467f..ad6d5edd15 100644
--- a/test/javascripts/components/markdown_test.js
+++ b/test/javascripts/components/markdown_test.js
@@ -300,6 +300,9 @@ test("Code Blocks", function() {
"hello `eviltrout`
",
"it allows code with backticks in it");
+ cooked("```eviltrout\nhello\n```",
+ "hello
",
+ "it doesn't not whitelist all classes");
cooked("```[quote=\"sam, post:1, topic:9441, full:true\"]This is `` a bug.[/quote]```",
"[quote="sam, post:1, topic:9441, full:true"]This is `<not>` a bug.[/quote]
",