From 1f1f0606f5b6bf14a0db55a28cfd03e1e42e3550 Mon Sep 17 00:00:00 2001
From: Christopher Slowe
Date: Mon, 28 Sep 2009 01:56:46 -0400
Subject: [PATCH] remove markdown onmouseover exploit
---
 r2/r2/lib/contrib/markdown.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/r2/r2/lib/contrib/markdown.py b/r2/r2/lib/contrib/markdown.py
index 559dbaf2d..789515a36 100644
--- a/r2/r2/lib/contrib/markdown.py
+++ b/r2/r2/lib/contrib/markdown.py
@@ -28,9 +28,14 @@ def htmlquote(text):
 text = text.replace('"', """)
 return text
+def mangle_text(text):
+ from pylons import g
+ return md5.new(text + g.SECRET).hexdigest()
+
 def semirandom(seed):
+ from pylons import g
 x = 0
- for c in md5.new(seed).digest(): x += ord(c)
+ for c in md5.new(seed + g.SECRET).digest(): x += ord(c)
 return x / (255*16.)
 class _Markdown:
@@ -40,7 +45,7 @@ class _Markdown:
 escapechars = '\\`*_{}[]()>#+-.!'
 escapetable = {}
 for char in escapechars:
- escapetable[char] = md5.new(char).hexdigest()
+ escapetable[char] = mangle_text(char)
 r_multiline = re.compile("\n{2,}")
 r_stripspace = re.compile(r"^[ \t]+$", re.MULTILINE)
@@ -155,7 +160,7 @@ class _Markdown:
 key = key.encode('utf8')
 except UnicodeDecodeError:
 key = ''.join(k for k in key if ord(k) < 128)
- key = md5.new(key).hexdigest()
+ key = mangle_text(key)
 self.html_blocks[key] = m.group(1)
 return "\n\n%s\n\n" % key
@@ -288,7 +293,7 @@ class _Markdown:
 res += ">%s" % htmlquote(link_text)
 return res
- text = self.r_DoAnchors1.sub(handler1, text)
+ #text = self.r_DoAnchors1.sub(handler1, text)
 text = self.r_DoAnchors2.sub(handler2, text)
 return text
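Review bot: `mangle_text` derives its placeholder digest by bare concatenation, `md5.new(text + g.SECRET)`, which is an ad-hoc keyed construction even though the entire fix rests on users being unable to predict these strings; the standard form is `return hmac.new(g.SECRET, text, md5).hexdigest()` (with `import hmac` added to the file header, outside this hunk), and `semirandom` a few lines below repeats the same concatenation and could use the same helper. The new function also carries no explanation of why it exists, so a later cleanup could plausibly swap it back to a plain digest; a docstring such as `"""Secret-keyed digest for placeholders that must not be forgeable from user-supplied text."""` would record the intent. If `text` can be a unicode object while `g.SECRET` is a byte string, the concatenation presumably relies on the secret being ASCII — worth confirming where the secret is configured.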
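Review bot: `escapetable[char] = mangle_text(char)` now runs inside the `_Markdown` class body, i.e. at module import time, so `from pylons import g` and the `g.SECRET` read happen when this module is first imported rather than during a request; if pylons' `g` is not yet registered at that point the import itself would fail, which is worth confirming against how this module is loaded. The table is also built once per process, so the reason it must be keyed is invisible at this site; a comment like `# keyed so user text cannot contain a placeholder that the unescape pass would turn back into markup` would make the dependency on the secret explicit (the reverse mapping is presumably applied elsewhere in the class, outside this hunk). The class body continues past the end of the hunk.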
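Review bot: The `key` produced here is stored as the lookup for raw HTML in `self.html_blocks` and returned into the text stream, and nothing at this line says why `mangle_text` rather than a plain digest is required; a comment such as `# keyed digest: a user must not be able to write a key that later expands to stored raw HTML` would protect the change from being reverted as a simplification. Note the `except UnicodeDecodeError` branch leaves `key` as a filtered unicode object rather than the utf8 bytes of the `try` branch, so `mangle_text` receives two different string types depending on input — it presumably works because the filtered value is pure ASCII, but a single `key = key.encode('ascii')` after the filter would make both paths hand over bytes. The enclosing handler starts outside the hunk.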
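Review bot: Commenting out `text = self.r_DoAnchors1.sub(handler1, text)` leaves dead code in place of a decision: `handler1` and the `r_DoAnchors1` pattern presumably remain defined but unused, and a reader cannot tell whether the pass was disabled deliberately or left half-finished. Delete the line and record the reason instead, e.g. `# r_DoAnchors1 pass intentionally disabled (see commit: markdown onmouseover exploit); do not re-enable without re-auditing handler1`, and if this pass is the vector named in the subject, say so explicitly rather than leaving it to the commit log. Disabling the pass also silently removes whatever link syntax it handled, which affects users and deserves a note in the commit description. The enclosing method starts outside the hunk.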