2 files changed, 12 insertions, 9 deletions

diff --git a/src/static/js/Changeset.js b/src/static/js/Changeset.js
index b1604212..f9270385 100644
--- a/src/static/js/Changeset.js
+++ b/src/static/js/Changeset.js
@@ -2105,7 +2105,9 @@ exports.follow = function (cs1, cs2, reverseInsertOrder, pool) {
       exports.copyOp(op2, opOut);
       op2.opcode = '';
     } else if (!op2.opcode) {
-      exports.copyOp(op1, opOut);
+      // @NOTE: Critical bugfix for EPL issue #1625. We do not copy op1 here
+      // in order to prevent attributes from leaking into result changesets.
+      // exports.copyOp(op1, opOut);
       op1.opcode = '';
     } else {
       // both keeps
diff --git a/src/static/js/changesettracker.js b/src/static/js/changesettracker.js
index 7e95cc75..8c4c1c21 100644
--- a/src/static/js/changesettracker.js
+++ b/src/static/js/changesettracker.js
@@ -174,19 +174,20 @@ function makeChangesetTracker(scheduler, apool, aceCallbacksProvider)
     	  
         // Get my authorID
         var authorId = parent.parent.pad.myUserInfo.userId;
-        // Rewrite apool authors with my author information
 
-        // We need to replace all new author attribs with thisSession.author, in case someone copy/pasted or otherwise inserted other peoples changes
+        // Sanitize authorship
+        // We need to replace all author attribs with thisSession.author, in case they copy/pasted or otherwise inserted other peoples changes
         if(apool.numToAttrib){
           for (var attr in apool.numToAttrib){
-            if (apool.numToAttrib[attr][0] == 'author' && apool.numToAttrib[attr][1] == authorId) authorAttr = attr
+            if (apool.numToAttrib[attr][0] == 'author' && apool.numToAttrib[attr][1] == authorId) authorAttr = Number(attr).toString(36)
           }
-          
+
           // Replace all added 'author' attribs with the value of the current user
           var cs = Changeset.unpack(userChangeset)
             , iterator = Changeset.opIterator(cs.ops)
             , op
             , assem = Changeset.mergingOpAssembler();
+
           while(iterator.hasNext()) {
             op = iterator.next()
             if(op.opcode == '+') {
@@ -194,13 +195,13 @@ function makeChangesetTracker(scheduler, apool, aceCallbacksProvider)
 
               op.attribs.split('*').forEach(function(attrNum) {
                 if(!attrNum) return
-                attr = apool.getAttrib(attrNum)
+                var attr = apool.getAttrib(parseInt(attrNum, 36))
                 if(!attr) return
-                if('author' == attr[0] && !~newAttrs.indexOf(authorAttr))  {
+                if('author' == attr[0])  {
+                  // replace that author with the current one
                   newAttrs += '*'+authorAttr; 
-                  // console.log('replacing author attribute ', attrNum, '(', attr[1], ') with', authorAttr) 
                 }
-                else newAttrs += '*'+attrNum
+                else newAttrs += '*'+attrNum // overtake all other attribs as is
               })
               op.attribs = newAttrs
             }