XSS in topics because of bandcamp preview engine vulnerability
High
Discourse
Reported by skavans
Vulnerability Details
Technical details and impact analysis
1. Load http://try.discourse.org
2. Click "New topic"
3. Enter this payload https://89.223.28.48/bandcamp.com/album/index.html?XSSa2 into the field with the placeholder "Type title or paste a link here"
4. Wait for the preview engine to parse the link
5. The XSS will fire
{F151439}
You should sanitize external data in this engine and replace *matches_regexp* from
`^https?:\/\/.*bandcamp\.com\/album\/`
to
`^https?:\/\/.*\.bandcamp\.com\/album\/`
to fix the issue.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Generic
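The two patterns quoted in the report, compared with a check that parses the URL and tests the host, as an added Ruby example that is not part of the original report or Discourse's code. The names `bandcamp_album_url?` and `evaluate` and the two sample URLs marked as constructed are assumptions for illustration.

```ruby
require "uri"

# Patterns as quoted in the report. Both let ".*" run past the first "/",
# so text in the path can satisfy them. (In Ruby, "^" also matches at the
# start of any line; "\A" anchors to the start of the string.)
ORIGINAL = %r{^https?://.*bandcamp\.com/album/}
PROPOSED = %r{^https?://.*\.bandcamp\.com/album/}

# Hypothetical stricter check: decide on the parsed host, never on the
# raw string, so the path and query cannot influence the result.
def bandcamp_album_url?(url)
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)

  host = uri.host.to_s.downcase
  return false unless host == "bandcamp.com" || host.end_with?(".bandcamp.com")

  uri.path.start_with?("/album/")
rescue URI::InvalidURIError
  false
end

SAMPLES = [
  "https://89.223.28.48/bandcamp.com/album/index.html?XSSa2", # URL from the report
  "https://artist.bandcamp.com/album/demo",                   # constructed
  "https://host.example/x.bandcamp.com/album/"                # constructed
].freeze

# Returns which of the three checks accept the given URL.
def evaluate(url)
  {
    original: ORIGINAL.match?(url),
    proposed: PROPOSED.match?(url),
    host_check: bandcamp_album_url?(url)
  }
end

SAMPLES.each { |u| puts "#{u} => #{evaluate(u)}" }
```

The third sample shows why a host comparison is a safer gate than either regex: a pattern that is not anchored to the host component still accepts a URL whose path merely contains the expected domain string.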