Merge pull request #602 from Crozzers/fix-xss-601

Fix XSS issue in safe mode (#601)

Author: nicholasserra

CHANGES.md

@@ -5,6 +5,7 @@
 - [pull #590] Fix underscores within bold text getting emphasized (#589)
 - [pull #591] Add Alerts extra
 - [pull #595] Fix img alt text being processed as markdown (#594)
+- [pull #602] Fix XSS issue in safe mode (#601)
 - [pull #604] Fix XSS injection in image URLs (#603)
 
 

lib/markdown2.py

@@ -1260,8 +1260,13 @@ def _run_span_gamut(self, text: str) -> str:
             (?:
                 # tag
                 </?
-                (?:\w+)                                     # tag name
-                (?:\s+(?:[\w-]+:)?[\w-]+=(?:".*?"|'.*?'))*  # attributes
+                (?:\w+)         # tag name
+                (?:             # attributes
+                    \s+                           # whitespace after tag
+                    (?:[^\t<>"'=/]+:)?
+                    [^<>"'=/]+=                   # attr name
+                    (?:".*?"|'.*?'|[^<>"'=/\s]+)  # value, quoted or unquoted. If unquoted, no spaces allowed
+                )*
                 \s*/?>
                 |
                 # auto-link (e.g., <http://www.activestate.com/>)

test/tm-cases/issue601_xss.html

@@ -0,0 +1 @@
+<p>&lt;img src=# onerror="alert()"&gt;&lt;/p&gt;</p>

test/tm-cases/issue601_xss.opts

@@ -0,0 +1 @@
+{"safe_mode": "escape"}

test/tm-cases/issue601_xss.text

@@ -0,0 +1 @@
+<img src=# onerror="alert()"></p>