From dc79d71ae590a77c803a0e41200eaa59d6d04a1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olli=20M=C3=A4ntyl=C3=A4?=
Date: Sun, 26 Apr 2015 22:42:31 +0300
Subject: [PATCH 1/2] Revert "Fix topic exploit"
This reverts commit ef041d6612e20369bf49b17b8162c57b4955a1cc. To show topic again. Commit was just disabling the topic.
---
 client/js/shout.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/client/js/shout.js b/client/js/shout.js
index 9c2dace5..5b02e23d 100644
--- a/client/js/shout.js
+++ b/client/js/shout.js
@@ -314,6 +314,10 @@ $(function() {
 }
 });
 
+ socket.on("topic", function(data) {
+ $("#chan-" + data.chan).find(".header .topic").html(data.topic);
+ });
+
 socket.on("users", function(data) {
 var users = chat.find("#chan-" + data.chan).find(".users").html(render("user", data));
 var nicks = [];
From 4293336f3e728fd349b12f0fab48891eda7c7a7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olli=20M=C3=A4ntyl=C3=A4?=
Date: Mon, 27 Apr 2015 01:20:54 +0300
Subject: [PATCH 2/2] Move escaping of topic and improve UI for long topics
- Data should be handled as is and only do the escaping on the view/template or wherever it is used and escaping is necessary. Keeps things simple and the focus of escaping values in the right place.
- Remove topic capitalization
- For long topics: hide overflow and add a title to topic span
- Also, simplify the code a tiny bit.
---
 client/css/style.css | 4 +---
 client/js/shout.js | 6 +++++-
 src/plugins/irc-events/topic.js | 11 ++++-------
 3 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/client/css/style.css b/client/css/style.css
index 327dce7f..93bf88a3 100644
--- a/client/css/style.css
+++ b/client/css/style.css
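Review bot: The restored handler feeds server-supplied `data.topic` into `.html()`, a sink that parses markup; at this commit that is only safe because `src/plugins/irc-events/topic.js` still emits `_.escape(topic)` (the very line the next patch removes), and nothing on the client side checks that contract. Since this revert ships as its own commit, the safer single line is `$("#chan-" + data.chan).find(".header .topic").text(data.topic);`, which is also where the second patch of the series ends up. The enclosing `$(function() {` block starts and ends outside the hunk.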
@@ -403,16 +403,14 @@ button {
 line-height: 50px !important;
 height: 48px;
 padding: 0 20px;
+ overflow: hidden;
 }
 #windows .header .title {
 font: 14px Lato;
 }
 #windows .header .topic {
- /* Hidden for now */
- display: none;
 color: #777;
 margin-left: 8px;
- text-transform: capitalize;
 }
 #windows .header .right {
 float: right;
diff --git a/client/js/shout.js b/client/js/shout.js
index 5b02e23d..eb80e928 100644
--- a/client/js/shout.js
+++ b/client/js/shout.js
@@ -315,7 +315,11 @@ $(function() {
 });
 
 socket.on("topic", function(data) {
- $("#chan-" + data.chan).find(".header .topic").html(data.topic);
+ // .text() escapes HTML but not quotes. That only matters with text inside attributes.
+ var topic = $("#chan-" + data.chan).find(".header .topic");
+ topic.text(data.topic);
+ // .attr() is safe escape-wise but consider the capabilities of the attribute
+ topic.attr("title", data.topic);
 });
 
 socket.on("users", function(data) {
diff --git a/src/plugins/irc-events/topic.js b/src/plugins/irc-events/topic.js
index 779360bd..1b54c249 100644
--- a/src/plugins/irc-events/topic.js
+++ b/src/plugins/irc-events/topic.js
@@ -9,27 +9,24 @@ module.exports = function(irc, network) {
 return;
 }
 var from = data.nick || chan.name;
- var self = false;
- if (from.toLowerCase() == irc.me.toLowerCase()) {
- self = true;
- }
 var topic = data.topic;
+
 var msg = new Msg({
 type: Msg.Type.TOPIC,
 mode: chan.getMode(from),
 from: from,
 text: topic,
- self: self
+ self: (from.toLowerCase() === irc.me.toLowerCase())
 });
 chan.messages.push(msg);
 client.emit("msg", {
 chan: chan.id,
 msg: msg
 });
- chan.topic = topic
+ chan.topic = topic;
 client.emit("topic", {
 chan: chan.id,
- topic: _.escape(topic)
+ topic: chan.topic
 });
 });
 };
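Review bot: The comment on the first added line of the shout.js hunk overstates what `.text()` does: it does not escape anything, it assigns text content, so `data.topic` is never parsed as markup, quotes or not. Suggest replacing the two added comments with one: `// .text() and .attr() assign content without parsing it, so data.topic is never interpreted as markup.`, so the next reader does not conclude that `.text()` output still needs escaping somewhere. The handler's enclosing `$(function() {` block starts and ends outside the hunk.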
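Review bot: With `_.escape` dropped from the `topic` event and `chan.topic` now holding the raw string, every consumer of `chan.topic` becomes responsible for escaping, but this series only updates the socket `topic` handler in `client/js/shout.js`; any other path that renders `chan.topic` (an initial channel payload or a template, if one exists — not visible in this diff) needs the same treatment, and I cannot tell from the hunk whether one does. A one-line comment above `chan.topic = topic;` such as `// Stored unescaped; escape at the point of rendering (see the "topic" handler in client/js/shout.js).` would record the contract the commit message describes. The handler containing these lines starts outside the hunk.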