diff --git a/CHANGES.md b/CHANGES.md
index f07fb095..66a15743 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@
- [pull #590] Fix underscores within bold text getting emphasized (#589)
- [pull #591] Add Alerts extra
- [pull #595] Fix img alt text being processed as markdown (#594)
+- [pull #602] Fix XSS issue in safe mode (#601)
- [pull #604] Fix XSS injection in image URLs (#603)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 26e5b075..5d8106fc 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -1260,8 +1260,13 @@ def _run_span_gamut(self, text: str) -> str:
(?:
# tag
?
- (?:\w+) # tag name
- (?:\s+(?:[\w-]+:)?[\w-]+=(?:".*?"|'.*?'))* # attributes
+ (?:\w+) # tag name
+ (?: # attributes
+ \s+ # whitespace after tag
+ (?:[^\t<>"'=/]+:)?
+ [^<>"'=/]+= # attr name
+ (?:".*?"|'.*?'|[^<>"'=/\s]+) # value, quoted or unquoted. If unquoted, no spaces allowed
+ )*
\s*/?>
|
# auto-link (e.g.,
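Review bot: The added attribute alternative still requires every attribute to carry `=value`, so a tag ending in a valueless attribute — the classic `<input onfocus=alert(1) autofocus>` — matches `onfocus=alert(1)`, then fails on `autofocus` and on the `\s*/?>` tail, and is not tokenised as HTML at all; if, as the fixed issue implies, text this pattern rejects bypasses safe-mode sanitisation, that is the same class of gap #601 closes. I would make the value optional and keep whitespace out of the name class, which `[^<>"'=/]+` currently admits (an attribute name can swallow spaces and newlines, so `open ontoggle=` is read as one name): `[^<>"'=/\s]+ # attr name` followed by `(?:\s*=\s*(?:".*?"|'.*?'|[^<>"'=/\s]+))? # optional value, quoted or unquoted`, and give the namespace prefix on the line above the same `\s` exclusion instead of only `\t`. The new tm-case pins only the unquoted-value payload; a second case with a trailing boolean attribute would keep this from regressing. The `re.compile` holding this pattern opens and closes outside the hunk, and the code that consumes the token split is not visible here, so the bypass claim is inferred from the fixed issue rather than from these lines.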
<img src=# onerror="alert()"></p>
diff --git a/test/tm-cases/issue601_xss.opts b/test/tm-cases/issue601_xss.opts
new file mode 100644
index 00000000..ad487c04
--- /dev/null
+++ b/test/tm-cases/issue601_xss.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
diff --git a/test/tm-cases/issue601_xss.text b/test/tm-cases/issue601_xss.text
new file mode 100644
index 00000000..3d584a21
--- /dev/null
+++ b/test/tm-cases/issue601_xss.text
@@ -0,0 +1 @@
+