From 4278f3e8f8224e290ba3734f15ea3e022f02dfa3 Mon Sep 17 00:00:00 2001
From: Crozzers
Date: Sun, 22 Sep 2024 16:06:22 +0100
Subject: [PATCH] Fix XSS issue in safe mode (#601)

---
 CHANGES.md | 1 +
 lib/markdown2.py | 9 +++++++--
 test/tm-cases/issue601_xss.html | 1 +
 test/tm-cases/issue601_xss.opts | 1 +
 test/tm-cases/issue601_xss.text | 1 +
 5 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 test/tm-cases/issue601_xss.html
 create mode 100644 test/tm-cases/issue601_xss.opts
 create mode 100644 test/tm-cases/issue601_xss.text

diff --git a/CHANGES.md b/CHANGES.md
index 4283b966..a0625741 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@
 - [pull #590] Fix underscores within bold text getting emphasized (#589)
 - [pull #591] Add Alerts extra
 - [pull #595] Fix img alt text being processed as markdown (#594)
+- [pull #602] Fix XSS issue in safe mode (#601)
 
 ## python-markdown2 2.5.0
 
diff --git a/lib/markdown2.py b/lib/markdown2.py
index d0f10eea..e5356df8 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -1260,8 +1260,13 @@ def _run_span_gamut(self, text: str) -> str: (?: # tag "'=/]+:)? + [^<>"'=/]+= # attr name + (?:".*?"|'.*?'|[^<>"'=/\s]+) # value, quoted or unquoted. If unquoted, no spaces allowed + )* \s*/?> | # auto-link (e.g., )
diff --git a/test/tm-cases/issue601_xss.html b/test/tm-cases/issue601_xss.html
new file mode 100644
index 00000000..e369d54e
--- /dev/null
+++ b/test/tm-cases/issue601_xss.html
@@ -0,0 +1 @@
+
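Review bot: The unquoted-value alternative added in the lib/markdown2.py hunk, `[^<>"'=/\s]+`, excludes `/`, so a tag whose unquoted attribute value contains a slash (a plain path such as `<a href=/docs>`) fails the attribute group and the whole tag drops out of this tokenizer pattern; what the non-tag branch then does with that text lives outside the hunk, so I can't confirm from here whether it is escaped or passed through, and it deserves a test case next to issue601_xss. HTML allows `/` in unquoted attribute values (only whitespace, `"`, `'`, `=`, `<`, `>` and backtick are forbidden), so the class could be widened to `[^<>"'=\s]+` (adding backtick to the exclusions if you want to track the spec), and `\s*/?>` still matches a trailing `/>` after backtracking. The `.text` input and expected `.html` output are truncated in this view, so I can't tell whether the new case exercises a quoted or an unquoted value; pinning both forms would make the regression test stronger. The regex definition this hunk edits starts and ends outside the hunk.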

<img src=# onerror="alert()"></p>

diff --git a/test/tm-cases/issue601_xss.opts b/test/tm-cases/issue601_xss.opts
new file mode 100644
index 00000000..ad487c04
--- /dev/null
+++ b/test/tm-cases/issue601_xss.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
diff --git a/test/tm-cases/issue601_xss.text b/test/tm-cases/issue601_xss.text
new file mode 100644
index 00000000..3d584a21
--- /dev/null
+++ b/test/tm-cases/issue601_xss.text
@@ -0,0 +1 @@
+