From 7c545537a6cdd229b2e2d33b0500cf615c2dfc2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Wed, 13 May 2015 23:12:53 +0200
Subject: [PATCH] FIX: prevent pollception
---
 plugins/poll/assets/javascripts/poll_dialect.js | 14 +++++++++-----
 .../poll/spec/controllers/posts_controller_spec.rb | 9 +++++++++
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/plugins/poll/assets/javascripts/poll_dialect.js b/plugins/poll/assets/javascripts/poll_dialect.js
index d2e0b4c93c..cc2ed60b91 100644
--- a/plugins/poll/assets/javascripts/poll_dialect.js
+++ b/plugins/poll/assets/javascripts/poll_dialect.js
@@ -67,11 +67,18 @@ } } - // make sure the first child is a list with at least 1 option - if (contents.length === 0 || contents[0].length <= 1 || (contents[0][0] !== "numberlist" && contents[0][0] !== "bulletlist")) { + // make sure there's only 1 child and it's a list with at least 1 option + if (contents.length !== 1 || contents[0].length <= 1 || (contents[0][0] !== "numberlist" && contents[0][0] !== "bulletlist")) { return ["div"].concat(contents); } + // make sure there's only options in the list + for (o = 1; o < contents[0].length; o++) { + if (contents[0][o][0] !== "listitem") { + return ["div"].concat(contents); + } + } + // TODO: remove non whitelisted content // generate
  • styles (if any)
@@ -86,9 +93,6 @@ // add option id (hash) + style for (o = 1; o < contents[0].length; o++) { - // break as soon as the list is done - if (contents[0][o][0] !== "listitem") { break; } - var attr = {}; // apply styles if any if (style.length > 0) { attr["style"] = style; }
diff --git a/plugins/poll/spec/controllers/posts_controller_spec.rb b/plugins/poll/spec/controllers/posts_controller_spec.rb
index ad373624ce..f0f128f3a3 100644
--- a/plugins/poll/spec/controllers/posts_controller_spec.rb
+++ b/plugins/poll/spec/controllers/posts_controller_spec.rb
@@ -65,6 +65,15 @@ describe PostsController do expect(json["polls"]).to be end + it "prevents pollception" do + xhr :post, :create, { title: title, raw: "[poll name=1]\n- A\n[poll name=2]\n- B\n- C\n[/poll]\n- D\n[/poll]" } + expect(response).to be_success + json = ::JSON.parse(response.body) + expect(json["cooked"]).to match("data-poll-") + expect(json["polls"]["1"]).to_not be + expect(json["polls"]["2"]).to be + end + describe "edit window" do describe "within the first 5 minutes" do
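Review bot: The new `for (o = 1; ...)` guard checks only the tag of each direct child of the list, so a poll block indented under an option would still pass it if the dialect folds that block into the `listitem` node; only the sibling layout that the spec exercises is certainly rejected by `contents.length !== 1`, and the `// TODO: remove non whitelisted content` context line below still leaves the contents of each item unfiltered. Rejecting items that carry nested block content would close that path, but what a nested poll looks like in JsonML depends on the node built on the success path, which lies outside this hunk — confirm the tag names before relying on the helper below. The enclosing dialect handler starts before the hunk and continues after it.
```javascript
    // make sure there's only options in the list, and none of them hides nested block content
    for (o = 1; o < contents[0].length; o++) {
      if (contents[0][o][0] !== "listitem" || hasNestedBlock(contents[0][o])) {
        return ["div"].concat(contents);
      }
    }
    // … unchanged: TODO comment and poll generation …

// true when a JsonML node contains a nested list or a div (the shape a rejected poll takes
// on the failure path above; the success-path node is outside this hunk — TODO confirm)
function hasNestedBlock(node) {
  if (!Array.isArray(node)) { return false; }
  var tag = node[0];
  if (tag === "numberlist" || tag === "bulletlist" || tag === "div") { return true; }
  for (var i = 1; i < node.length; i++) {
    if (hasNestedBlock(node[i])) { return true; }
  }
  return false;
}
```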
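Review bot: The new example only nests the inner poll as a sibling of the option list, which is the layout the `contents.length !== 1` check in poll_dialect.js rejects; it does not cover a poll indented under an option, where the result depends on how the dialect parses list-item contents, so the check that every child is a `listitem` is not exercised at all. A second example with `raw: "[poll name=1]\n- A\n\n    [poll name=2]\n    - B\n    - C\n    [/poll]\n- D\n[/poll]"` asserting that only one poll is registered would pin that down. For both examples `expect(json["polls"].keys).to eq(["2"])` states the intent more tightly than the pair of `to_not be` / `to be` assertions. The enclosing `describe PostsController` block starts before the hunk and continues after it.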