Merge pull request #602 from Crozzers/fix-xss-601

Fix XSS issue in safe mode (#601)
trentm · Sep 23, 2024 · cc432bf · cc432bf
2 parents ded5e74 + e266576
commit cc432bf
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -5,6 +5,7 @@
 - [pull #590] Fix underscores within bold text getting emphasized (#589)
 - [pull #591] Add Alerts extra
 - [pull #595] Fix img alt text being processed as markdown (#594)
+- [pull #602] Fix XSS issue in safe mode (#601)
 - [pull #604] Fix XSS injection in image URLs (#603)
 
 

diff --git a/lib/markdown2.py b/lib/markdown2.py
@@ -1260,8 +1260,13 @@ def _run_span_gamut(self, text: str) -> str:
             (?:
                 # tag
                 </?
-                (?:\w+)                                     # tag name
-                (?:\s+(?:[\w-]+:)?[\w-]+=(?:".*?"|'.*?'))*  # attributes
+                (?:\w+)         # tag name
+                (?:             # attributes
+                    \s+                           # whitespace after tag
+                    (?:[^\t<>"'=/]+:)?
+                    [^<>"'=/]+=                   # attr name
+                    (?:".*?"|'.*?'|[^<>"'=/\s]+)  # value, quoted or unquoted. If unquoted, no spaces allowed
+                )*
                 \s*/?>
                 |
                 # auto-link (e.g., <http://www.activestate.com/>)

diff --git a/test/tm-cases/issue601_xss.html b/test/tm-cases/issue601_xss.html
@@ -0,0 +1 @@
+<p>&lt;img src=# onerror="alert()"&gt;&lt;/p&gt;</p>
diff --git a/test/tm-cases/issue601_xss.opts b/test/tm-cases/issue601_xss.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
diff --git a/test/tm-cases/issue601_xss.text b/test/tm-cases/issue601_xss.text
@@ -0,0 +1 @@
+<img src=# onerror="alert()"></p>