Merge pull request #586 from Crozzers/xss-fix

Fix #583 by tweaking incomplete tag regex
trentm · Jul 5, 2024 · 768c820 · 768c820
2 parents adfc3fc + f507607
commit 768c820
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 2 deletions.
diff --git a/lib/markdown2.py b/lib/markdown2.py
@@ -2342,7 +2342,7 @@ def _encode_amps_and_angles(self, text: str) -> str:
         text = self._naked_gt_re.sub('&gt;', text)
         return text
 
-    _incomplete_tags_re = re.compile(r"<(!--|/?\w+?(?!\w)\s*?.+?[\s/]+?)")
+    _incomplete_tags_re = re.compile(r"<(!--|/?\w+?(?!\w)\s*?.+?(?:[\s/]+?|$))")
 
     def _encode_incomplete_tags(self, text: str) -> str:
         if self.safe_mode not in ("replace", "escape"):

diff --git a/test/tm-cases/issue341_xss.html b/test/tm-cases/issue341_xss.html
@@ -1,5 +1,5 @@
 <p>Example 1:
-<ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;<ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
+&lt;ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;&lt;ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
 
 <p>Example 2:
 &lt;http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/\*</a>->a>&lt;http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>
diff --git a/test/tm-cases/issue583_xss.html b/test/tm-cases/issue583_xss.html
@@ -0,0 +1 @@
+<p>&lt;img onerror=alert("hi")[HTML_REMOVED] src=a</p>
diff --git a/test/tm-cases/issue583_xss.opts b/test/tm-cases/issue583_xss.opts
@@ -0,0 +1 @@
+{'safe_mode': 'replace'}
diff --git a/test/tm-cases/issue583_xss.text b/test/tm-cases/issue583_xss.text
@@ -0,0 +1 @@
+<img onerror=alert("hi")<a> src=a