This bug disappears if you comment out line 906 (in commit 27):
text = this._unescapeHTML.unescape(text.replace(/&/g,"&"));
I assume the unescape function is causing the content of angle brackets to be treated like HTML tags and removed, but I don't know if this line is necessary, so I'm hesitant to commit the change. Any thoughts?
Someone could easily set up a laconi.ca install to produce evil messages, so you want to do some sort of escaping on the client side.
This is happening in the unescape though, so I wonder if you need the unescape. Once you've treated the potentially problematic tags as html entities, what's to gain by turning them back into tags?
Yeah, that's what I'm thinking -- if the text is coming through unescaped despite this line, I don't know what it's supposed to be doing. Ampersands also seem to appear just fine without the text.replace.
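An added example, not code from the project discussed in this thread: one way to decode entities in a server-supplied message without running it through an HTML parser (so text in angle brackets is kept), then escape it again before it is placed in markup. The function names and sample messages are constructed for illustration.

```javascript
// Hypothetical helpers; nothing here is the project's own API.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode character references in ONE pass, with no HTML parsing.
// One pass means "&amp;lt;" becomes "&lt;" (not "<"), so input is never
// double-decoded, and literal "<...>" text is left exactly as received.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === "#") {
      const code = ref[1].toLowerCase() === "x"
        ? parseInt(ref.slice(2), 16)
        : parseInt(ref.slice(1), 10);
      // Leave NUL and out-of-range references untouched.
      if (!(code > 0 && code <= 0x10ffff)) return match;
      return String.fromCodePoint(code);
    }
    const name = ref.toLowerCase();
    // Unknown names (e.g. &nbsp;) are passed through unchanged.
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape for insertion into HTML markup. When the text goes into a DOM
// text node (textContent) instead, this step is not needed.
function escapeForHTML(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Normalise whatever the server sent to plain text, then escape once.
function renderMessage(serverText) {
  return escapeForHTML(decodeEntities(serverText));
}

// Constructed sample messages from an untrusted server.
const samples = [
  "I &lt;3 this &amp; that",        // entity-encoded by the server
  "a <b>bold</b> claim",            // raw angle brackets
  "&lt;script&gt;x&lt;/script&gt;", // markup hidden behind entities
];
for (const s of samples) console.log(renderMessage(s));
```
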