Merge pull request #586 from Crozzers/xss-fix

nicholasserra · web-flow · commit 768c820d529e · 2024-07-05T13:58:36.000-04:00
Fix #583 by tweaking incomplete tag regex
diff --git a/lib/markdown2.py b/lib/markdown2.py
@@ -2342,7 +2342,7 @@ def _encode_amps_and_angles(self, text: str) -> str:
         text = self._naked_gt_re.sub('&gt;', text)
         return text
 
-    _incomplete_tags_re = re.compile(r"<(!--|/?\w+?(?!\w)\s*?.+?[\s/]+?)")
+    _incomplete_tags_re = re.compile(r"<(!--|/?\w+?(?!\w)\s*?.+?(?:[\s/]+?|$))")
 
     def _encode_incomplete_tags(self, text: str) -> str:
         if self.safe_mode not in ("replace", "escape"):
diff --git a/test/tm-cases/issue341_xss.html b/test/tm-cases/issue341_xss.html
@@ -1,5 +1,5 @@
 <p>Example 1:
-<ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;<ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
+&lt;ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;&lt;ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
 
 <p>Example 2:
 &lt;http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/\*</a>->a>&lt;http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>
diff --git a/test/tm-cases/issue583_xss.html b/test/tm-cases/issue583_xss.html
@@ -0,0 +1 @@
+<p>&lt;img onerror=alert("hi")[HTML_REMOVED] src=a</p>
diff --git a/test/tm-cases/issue583_xss.opts b/test/tm-cases/issue583_xss.opts
@@ -0,0 +1 @@
+{'safe_mode': 'replace'}
diff --git a/test/tm-cases/issue583_xss.text b/test/tm-cases/issue583_xss.text
@@ -0,0 +1 @@
+<img onerror=alert("hi")<a> src=a

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<p><img onerror=alert("hi")[HTML_REMOVED] src=a</p>`