From 2b2eb972ddbfdc9419d05c1c93b39e85923376f7 Mon Sep 17 00:00:00 2001
From: Warren Konkel
Date: Tue, 21 Apr 2015 23:53:33 -0700
Subject: [PATCH] Use angular's $sanitize to prevent XSS

Addresses https://github.com/showdownjs/showdown/issues/70 at least within angular.
---
 src/ng-showdown.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/ng-showdown.js b/src/ng-showdown.js
index 9e9e617..3358b23 100644
--- a/src/ng-showdown.js
+++ b/src/ng-showdown.js
@@ -10,7 +10,7 @@ if (typeof angular !== 'undefined' && typeof Showdown !== 'undefined') {
 module
 .provider('$Showdown', provider)
- .directive('sdModelToHtml', ['$Showdown', markdownToHtmlDirective])
+ .directive('sdModelToHtml', ['$Showdown', '$sanitize', markdownToHtmlDirective])
 .filter('sdStripHtml', stripHtmlFilter);
 /**
@@ -106,13 +106,13 @@ if (typeof angular !== 'undefined' && typeof Showdown !== 'undefined') {
 * @param $Showdown
 * @returns {*}
 */
- function markdownToHtmlDirective($Showdown) {
+ function markdownToHtmlDirective($Showdown, $sanitize) {
 var link = function (scope, element) {
 scope.$watch('model', function (newValue) {
 var val;
 if (typeof newValue === 'string') {
- val = $Showdown.makeHtml(newValue);
+ val = $sanitize($Showdown.makeHtml(newValue));
 } else {
 val = typeof newValue;
 }
@@ -140,7 +140,7 @@ if (typeof angular !== 'undefined' && typeof Showdown !== 'undefined') {
 };
 }
- })(angular.module('Showdown', []), Showdown);
+ })(angular.module('Showdown', ['ngSanitize']), Showdown);
 } else {
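Review bot: The JSDoc above `markdownToHtmlDirective` still lists only `@param $Showdown`, so the new `$sanitize` parameter goes undocumented; add ` * @param $sanitize - ngSanitize service that strips unsafe markup from the rendered HTML before it reaches the DOM`. The call `val = $sanitize($Showdown.makeHtml(newValue));` runs inside the `$watch` listener with no error handling; AngularJS releases of this period throw `$sanitize:badparse` on markup their parser cannot handle, so a model string that Showdown renders into such markup would presumably surface as an uncaught error during the digest rather than as a sanitized or empty value — worth confirming against the targeted AngularJS version and, if it applies, catching that error and falling back to `''`. Sanitizing here covers only this directive; callers that use the `$Showdown` provider's `makeHtml` directly presumably still receive unsanitized HTML, which matches the "at least within angular" scope in the description but deserves a sentence in the project documentation alongside the new `ngSanitize` module requirement. The `link` function and the rest of the directive body continue past the end of the hunk.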