OmarHawk
diff --git a/‎CHANGELOG.txt
+2 b/‎CHANGELOG.txt
+2
diff --git a/‎minified/jquery.sceditor.bbcode.min.js
+3-3 b/‎minified/jquery.sceditor.bbcode.min.js
+3-3
diff --git a/‎minified/jquery.sceditor.min.js
+2-2 b/‎minified/jquery.sceditor.min.js
+2-2
diff --git a/‎minified/jquery.sceditor.xhtml.min.js
+2-2 b/‎minified/jquery.sceditor.xhtml.min.js
+2-2
diff --git a/‎minified/plugins/bbcode.js
+1-1 b/‎minified/plugins/bbcode.js
+1-1
diff --git a/‎src/jquery.sceditor.js
+53-4 b/‎src/jquery.sceditor.js
+53-4
diff --git a/‎src/plugins/bbcode.js
+76-27 b/‎src/plugins/bbcode.js
+76-27
@@ -26,6 +26,8 @@ Version 1.4.5:
 		- Thanks to @gan068 for translating.
 	Updated Polish translation.
 		- Thanks to @gnysek for updating.
+	Fix possible XSS if editing loading BBCode that someone else has written.
+		- Thanks to for Sergiu reporting.
 
 Version 1.4.4:
 	Fixed height auto expanding when resized.
 
@@ -2446,13 +2446,14 @@
 		 * @memberOf jQuery.sceditor.prototype
 		 */
 		base._ = function() {
-			var args = arguments;
+			var	undef,
+				args = arguments;
 
 			if(locale && locale[args[0]])
 				args[0] = locale[args[0]];
 
 			return args[0].replace(/\{(\d+)\}/g, function(str, p1) {
-				return typeof args[p1-0+1] !== 'undefined' ?
+				return args[p1-0+1] !== undef ?
 					args[p1-0+1] :
 					'{' + p1 + '}';
 			});
@@ -3389,22 +3390,70 @@
 	/**
 	 * Escapes all HTML entities in a string
 	 *
+	 * If quote is set to true, single and double quotes will also be escaped
+	 *
 	 * @param {String} str
+	 * @param {Boolean} [quote=false]
 	 * @return {String}
 	 * @name escapeEntities
 	 * @memberOf jQuery.sceditor
 	 * @since 1.4.1
 	 */
-	$.sceditor.escapeEntities = function(str) {
+	$.sceditor.escapeEntities = function(str, quote) {
 		if(!str)
 			return str;
 
-		return str.replace(/&/g, '&amp;')
+		str = str.replace(/&/g, '&amp;')
 			.replace(/</g, '&lt;')
 			.replace(/>/g, '&gt;')
 			.replace(/ {2}/g, ' &nbsp;')
 			.replace(/\r\n|\r/g, '\n')
 			.replace(/\n/g, '<br />');
+
+		if (quote)
+			str = str.replace(/"/g, '&#34;').replace(/'/g, '&#39;');
+
+		return str;
+	};
+
+	/**
+	 * Escape URI scheme.
+	 *
+	 * Appends the current URL to a url if it has a scheme that is not:
+	 *
+	 * http
+	 * https
+	 * sftp
+	 * ftp
+	 * mailto
+	 * spotify
+	 * skype
+	 * ssh
+	 * teamspeak
+	 * tel
+	 * //
+	 *
+	 * @param  {String} url
+	 * @return {String}
+	 * @name escapeUriScheme
+	 * @memberOf jQuery.sceditor
+	 * @since 1.4.5
+	 */
+	$.sceditor.escapeUriScheme = function(url) {
+		var	path,
+			validSchemes = /^(?:https?|s?ftp|mailto|spotify|skype|ssh|teamspeak|tel):|(?:\/\/)/i,
+			// If there is a : before a / then it has a scheme
+			hasScheme = /^[^\/]*:/i,
+			location = window.location;
+
+		// Has no scheme or a valid scheme
+		if ((!url || !hasScheme.test(url)) || validSchemes.test(url))
+			return url;
+
+		path = location.pathname.split('/');
+		path.pop();
+
+		return location.protocol + '://' + location.host + path.join('/') + '/' + url;
 	};
 
 	/**
 
@@ -23,6 +23,9 @@
 (function($, window, document) {
 	'use strict';
 
+	var escapeEntities = $.sceditor.escapeEntities;
+	var escapeUriScheme = $.sceditor.escapeUriScheme;
+
 	/**
 	 * SCEditor BBCode parser class
 	 *
@@ -874,10 +877,13 @@
 								content += '<br />';
 						}
 
-						if($.isFunction(bbcode.html))
-							html = bbcode.html.call(base, token, token.attrs, content);
+						if(!$.isFunction(bbcode.html))
+						{
+							token.attrs['0'] = content;
+							html = $.sceditor.plugins.bbcode.formatBBCodeString(bbcode.html, token.attrs);
+						}
 						else
-							html = $.sceditor.plugins.bbcode.formatString(bbcode.html, content);
+							html = bbcode.html.call(base, token, token.attrs, content);
 					}
 					else
 						html = token.val + content + (token.closing ? token.closing.val : '');
@@ -926,7 +932,7 @@
 				else // content
 				{
 					needsBlockWrap = isRoot;
-					html           = $.sceditor.escapeEntities(token.val);
+					html           = escapeEntities(token.val, true);
 				}
 
 				if(needsBlockWrap && !blockWrapOpen)
@@ -1760,14 +1766,51 @@
 	 * @since v1.4.0
 	 */
 	$.sceditor.plugins.bbcode.formatString = function() {
-		var args = arguments;
+		var	undef,
+			args = arguments;
+
 		return args[0].replace(/\{(\d+)\}/g, function(str, p1) {
-			return typeof args[p1-0+1] !== 'undefined' ?
+			return args[p1-0+1] !== undef ?
 				args[p1-0+1] :
 				'{' + p1 + '}';
 		});
 	};
 
+	/**
+	 * Formats a string replacing {name} with the values of
+	 * obj.name properties.
+	 *
+	 * If there is no property for the specified {name} then
+	 * it will be left intact.
+	 *
+	 * @param  {String} str
+	 * @param  {Object} obj
+	 * @return {String}
+	 * @since 1.4.5
+	 */
+	$.sceditor.plugins.bbcode.formatBBCodeString = function(str, obj) {
+		return str.replace(/\{(!?[^}]+)\}/g, function(match, group) {
+			var	undef,
+				escape = true;
+
+			if (group[0] === '!')
+			{
+				escape = false;
+				group = group.substring(1);
+			}
+
+			if (group[0] === '0')
+				escape = false;
+
+			if (obj[group] === undef)
+				return match;
+
+			return escape ?
+				escapeEntities(obj[group], true) :
+				obj[group];
+		});
+	};
+
 	/**
 	 * Converts CSS RGB and hex shorthand into hex
 	 *
@@ -1898,9 +1941,7 @@
 
 				return '[font=' + this.stripQuotes(font) + ']' + content + '[/font]';
 			},
-			html: function(token, attrs, content) {
-				return '<font face="' + attrs.defaultattr + '">' + content + '</font>';
-			}
+			html: '<font face="{defaultattr}">{0}</font>'
 		},
 		// END_COMMAND
 
@@ -1944,9 +1985,7 @@
 
 				return '[size=' + size + ']' + content + '[/size]';
 			},
-			html: function(token, attrs, content) {
-				return '<font size="' + attrs.defaultattr + '">' + content + '</font>';
-			}
+			html: '<font size="{defaultattr}">{!0}</font>'
 		},
 		// END_COMMAND
 
@@ -1971,7 +2010,9 @@
 				return '[color=' + normaliseColour(color) + ']' + content + '[/color]';
 			},
 			html: function(token, attrs, content) {
-				return '<font color="' + normaliseColour(attrs.defaultattr) + '">' + content + '</font>';
+				return '<font color="' +
+					escapeEntities(normaliseColour(attrs.defaultattr), true) +
+					'">' + content + '</font>';
 			}
 		},
 		// END_COMMAND
@@ -2068,8 +2109,8 @@
 					'data-sceditor-emoticon': null
 				}
 			},
-			format: function(element, content) {
-				return element.data('sceditor-emoticon') + content;
+			format: function($elm, content) {
+				return $elm.data('sceditor-emoticon') + content;
 			},
 			html: '{0}'
 		},
@@ -2096,6 +2137,7 @@
 					src: null
 				}
 			},
+			allowedChildren: ['#'],
 			quoteType: $.sceditor.BBCodeParser.QuoteType.never,
 			format: function($element, content) {
 				var	w, h,
@@ -2119,24 +2161,29 @@
 				return '[img' + attribs + ']' + $element.attr('src') + '[/img]';
 			},
 			html: function(token, attrs, content) {
-				var	parts,
+				var	undef, w, h, parts,
 					attribs = '';
 
 				// handle [img width=340 height=240]url[/img]
-				if(typeof attrs.width !== 'undefined')
-					attribs += ' width="' + attrs.width + '"';
-				if(typeof attrs.height !== 'undefined')
-					attribs += ' height="' + attrs.height + '"';
+				if(attrs.width !== undef)
+					w = attrs.width;
+				if(attrs.height !== undef)
+					h = attrs.height;
 
 				// handle [img=340x240]url[/img]
 				if(attrs.defaultattr) {
 					parts = attrs.defaultattr.split(/x/i);
 
-					attribs = ' width="' + parts[0] + '"' +
-						' height="' + (parts.length === 2 ? parts[1] : parts[0]) + '"';
+					w = parts[0];
+					h = (parts.length === 2 ? parts[1] : parts[0]);
 				}
 
-				return '<img' + attribs + ' src="' + content + '" />';
+				if (w !== undef)
+					attribs += ' width="' + escapeEntities(w, true) + '"';
+				if (h !== undef)
+					attribs += ' height="' + escapeEntities(h, true) + '"';
+
+				return '<img' + attribs + ' src="' + escapeUriScheme(content) + '" />';
 			}
 		},
 		// END_COMMAND
@@ -2157,10 +2204,12 @@
 				if(url.substr(0, 7) === 'mailto:')
 					return '[email="' + url.substr(7) + '"]' + content + '[/email]';
 
-				return '[url=' + decodeURI(url) + ']' + content + '[/url]';
+				return '[url=' + url + ']' + content + '[/url]';
 			},
 			html: function(token, attrs, content) {
-				return '<a href="' + encodeURI(attrs.defaultattr || content) + '">' + content + '</a>';
+				attrs.defaultattr = escapeEntities(attrs.defaultattr, true) || content;
+
+				return '<a href="' + escapeUriScheme(attrs.defaultattr) + '">' + content + '</a>';
 			}
 		},
 		// END_COMMAND
@@ -2169,7 +2218,7 @@
 		email: {
 			quoteType: $.sceditor.BBCodeParser.QuoteType.never,
 			html: function(token, attrs, content) {
-				return '<a href="mailto:' + (attrs.defaultattr || content) + '">' + content + '</a>';
+				return '<a href="mailto:' + (escapeEntities(attrs.defaultattr, true) || content) + '">' + content + '</a>';
 			}
 		},
 		// END_COMMAND
@@ -2203,7 +2252,7 @@
 			},
 			html: function(token, attrs, content) {
 				if(attrs.defaultattr)
-					content = '<cite>' + attrs.defaultattr + '</cite>' + content;
+					content = '<cite>' + escapeEntities(attrs.defaultattr) + '</cite>' + content;
 
 				return '<blockquote>' + content + '</blockquote>';
 			}