Fix XSS on image link

lepture · Dec 30, 2021 · bce17c5 · bce17c5
1 parent 43f1c48
commit bce17c5
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/mistune/inline_parser.py b/mistune/inline_parser.py
@@ -138,7 +138,7 @@ def parse_std_link(self, m, state):
             title = ESCAPE_CHAR.sub(r'\1', title[1:-1])
 
         if line[0] == '!':
-            return 'image', link, text, title
+            return 'image', escape_url(link), text, title
 
         return self.tokenize_link(line, link, text, title, state)
 
@@ -156,7 +156,7 @@ def parse_ref_link(self, m, state):
             title = ESCAPE_CHAR.sub(r'\1', title)
 
         if line[0] == '!':
-            return 'image', link, text, title
+            return 'image', escape_url(link), text, title
 
         return self.tokenize_link(line, link, text, title, state)