Skip to content

Fix XSS injection in image URLs (#603) #604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 23, 2024
Merged

Fix XSS injection in image URLs (#603) #604

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b633861
Fix XSS injection in image URLs (#603)
Crozzers Sep 22, 2024
1b3d705
Expand link shortcut tests in XSS issue 604 case
Crozzers Sep 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
- [pull #590] Fix underscores within bold text getting emphasized (#589)
- [pull #591] Add Alerts extra
- [pull #595] Fix img alt text being processed as markdown (#594)
- [pull #604] Fix XSS injection in image URLs (#603)


## python-markdown2 2.5.0
Expand Down
25 changes: 20 additions & 5 deletions lib/markdown2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1354,9 +1354,23 @@ def _is_comment(token):
is_html_markup = not is_html_markup
return ''.join(tokens)

def _unhash_html_spans(self, text: str) -> str:
for key, sanitized in list(self.html_spans.items()):
text = text.replace(key, sanitized)
def _unhash_html_spans(self, text: str, spans=True, code=False) -> str:
'''
Recursively unhash a block of text

Args:
spans: unhash anything from `self.html_spans`
code: unhash code blocks
'''
orig = ''
while text != orig:
if spans:
for key, sanitized in list(self.html_spans.items()):
text = text.replace(key, sanitized)
if code:
for code, key in list(self._code_table.items()):
text = text.replace(key, code)
orig = text
return text

def _sanitize_html(self, s: str) -> str:
Expand Down Expand Up @@ -1582,8 +1596,9 @@ def _do_links(self, text: str) -> str:

# We've got to encode these to avoid conflicting
# with italics/bold.
url = url.replace('*', self._escape_table['*']) \
.replace('_', self._escape_table['_'])
url = self._unhash_html_spans(url, code=True) \
.replace('*', self._escape_table['*']) \
.replace('_', self._escape_table['_'])
if title:
title_str = ' title="%s"' % (
_xml_escape_attr(title)
Expand Down
6 changes: 6 additions & 0 deletions test/tm-cases/issue603_xss.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
<p><img src="code&gt;&quot; onerror=alert()//&lt;/code" alt="" /></p>

<p><img src="&quot; onerror=alert()//" alt="" />
<a href="#"></a>
<img src="`&quot; onerror=alert()//`" alt="" />
<img src="&lt;code&gt;&quot; onerror=alert()//&lt;code&gt;" alt="" /></p>
1 change: 1 addition & 0 deletions test/tm-cases/issue603_xss.opts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
{"safe_mode": "escape"}
12 changes: 12 additions & 0 deletions test/tm-cases/issue603_xss.text
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
![](`" onerror=alert()//`)


![][XSS]
[][XSS]
![][XSS2]
![][XSS3]


[XSS]: " onerror=alert()//
[XSS2]: `" onerror=alert()//`
[XSS3]: <code>" onerror=alert()//<code>
Loading