FIX: Change the approach to sanitization. Includes a more detailed API

for allowing classes and attributes for only certain tag names.

test/javascripts/mdtest/fixtures/Images.xhtml

@@ -12,7 +12,7 @@
 
 <p><img src="/url/" alt="alt text" title="with a title" />.</p>
 
-<p><img src="" alt="Empty" /></p>
+<p><img alt="Empty" /></p>
 
 <p><img src="http://example.com/(parens).jpg" alt="this is a stupid URL" /></p>
 

test/javascripts/mdtest/fixtures/Links, inline style.xhtml

@@ -10,9 +10,9 @@
 
 <p><a href="/url/">URL wrapped in angle brackets</a>.</p>
 
-<p><a href="/url/" title="Here&#39;s the title">URL w/ angle brackets + title</a>.</p>
+<p><a href="/url/" title="Here's the title">URL w/ angle brackets + title</a>.</p>
 
-<p><a href="">Empty</a>.</p>
+<p><a>Empty</a>.</p>
 
 <p><a href="http://en.wikipedia.org/wiki/WIMP_(computing)">With parens in the URL</a></p>
 

test/javascripts/mdtest/mdtest.js.erb

@@ -8,13 +8,42 @@ module("MDTest", {
 // do not affect formatting. 
 function normalize(str) {
   return str.replace(/\n\s*/g, '').
-             replace(/ \/\>/g, '/>').
+             replace(/ \/\>/g, '>').
              replace(/    ?/g, "\t").
              replace(/"/g, '"');
 }
 
+// We use a custom sanitizer for MD test that hoists out comments. In Discourse
+// they are stripped, but to be compliant with the spec they should not be.
+function hoistingSanitizer(result) {
+  var hoisted,
+      m = result.match(/<!--[\s\S]*?-->/g);
+  if (m && m.length) {
+    hoisted = [];
+    for (var i=0; i<m.length; i++) {
+      var c = m[i],
+          id = "discourse:hoisted-comment:" + i;
+      result = result.replace(c, id);
+      hoisted.push([c, id]);
+    }
+  }
+
+  result = Discourse.Markdown.sanitize(result);
+
+  if (hoisted) {
+    hoisted.forEach(function(tuple) {
+      result = result.replace(tuple[1], tuple[0]);
+    });
+  }
+
+  return result;
+}
+
 var md = function(input, expected, text) {
-  var result = Discourse.Markdown.cook(input, {sanitize: true, traditional_markdown_linebreaks: true}),
+  var result = Discourse.Markdown.cook(input, {
+        sanitizerFunction: hoistingSanitizer,
+        traditional_markdown_linebreaks: true
+      }),
       resultNorm = normalize(result),
       expectedNorm = normalize(expected),
       same = (result === expected) || (resultNorm === expectedNorm);