From 5db3e6e92a51ad8a98c73411962ecbe96c9a737e Mon Sep 17 00:00:00 2001
From: Gareth Simpson
Date: Fri, 1 May 2020 14:21:08 +0100
Subject: [PATCH] Issue 341 - XSS in link text
---
 lib/markdown2.py | 10 +++++++++-
 test/tm-cases/issue341_xss.html | 5 +++++
 test/tm-cases/issue341_xss.opts | 1 +
 test/tm-cases/issue341_xss.text | 5 +++++
 4 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 test/tm-cases/issue341_xss.html
 create mode 100644 test/tm-cases/issue341_xss.opts
 create mode 100644 test/tm-cases/issue341_xss.text
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 3a5d5d9b..38b7bea8 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -200,7 +200,8 @@ class Markdown(object):
 titles = None
 html_blocks = None
 html_spans = None
- html_removed_text = "[HTML_REMOVED]" # for compat with markdown.py
+ html_removed_text = "{(#HTML#)}" # placeholder removed text that does not trigger bold
+ html_removed_text_compat = "[HTML_REMOVED]" # for compat with markdown.py
 _toc = None
@@ -388,6 +389,8 @@ def convert(self, text):
 if self.safe_mode:
 text = self._unhash_html_spans(text)
+ # return the removed text warning to its markdown.py compatible form
+ text = text.replace(self.html_removed_text, self.html_removed_text_compat)
 if "nofollow" in self.extras:
 text = self._a_nofollow.sub(r'<\1 rel="nofollow"\2', text)
@@ -1375,6 +1378,11 @@ def _do_links(self, text):
 continue
 link_text = text[start_idx+1:p]
+ # Fix for issue 341 - Injecting XSS into link text
+ if self.safe_mode:
+ link_text = self._hash_html_spans(link_text)
+ link_text = self._unhash_html_spans(link_text)
+
 # Possibly a footnote ref?
 if "footnotes" in self.extras and link_text.startswith("^"):
 normed_id = re.sub(r'\W', '-', link_text[1:])
diff --git a/test/tm-cases/issue341_xss.html b/test/tm-cases/issue341_xss.html
new file mode 100644
index 00000000..48aedff9
--- /dev/null
+++ b/test/tm-cases/issue341_xss.html
@@ -0,0 +1,5 @@
+
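Review bot: Turning `html_removed_text` into an internal sentinel changes what the class attribute means, and the comment on the new `html_removed_text = "{(#HTML#)}"` line does not say so. If any subclass or caller currently overrides `html_removed_text` to customise the user-visible text, that custom string becomes the internal placeholder and, as far as I can read the second hunk, is then rewritten to `[HTML_REMOVED]` by the compat replacement in convert(); such users would need to override `html_removed_text_compat` instead. A comment on the new attribute such as `# internal sentinel only; override html_removed_text_compat to change the visible text` plus a changelog line would make that explicit. The comment "does not trigger bold" would also be clearer if it named which construct in `[HTML_REMOVED]` (the brackets or the underscores) was being misparsed inside link text.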
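Review bot: `text.replace(self.html_removed_text, self.html_removed_text_compat)` is a plain substring replacement over the whole rendered output, so a document that legitimately contains the literal `{(#HTML#)}` is rewritten to `[HTML_REMOVED]` as well; the sentinel is unlikely to occur by accident, so this is probably acceptable, but the comment should state the trade-off, e.g. `# plain str.replace: a literal occurrence of the sentinel in the input is rewritten too`. Indentation is lost in this view, so I cannot confirm the replacement sits inside the `if self.safe_mode:` branch; it should, since only the safe-mode sanitizer produces the sentinel. convert() continues outside the hunk on both sides.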
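Review bot: The back-to-back `_hash_html_spans` / `_unhash_html_spans` calls on `link_text` read as a no-op to anyone who does not know that hashing sanitizes in safe_mode, and the added comment only cites the issue number. Say what the round trip achieves, e.g. `# safe_mode: run the bracketed text through the HTML-span sanitizer (hash, then unhash the sanitized form) so markup that presumably survived the document-level pass cannot land verbatim in the <a> text`. The re-sanitization only runs when `self.safe_mode` is set, which matches the module's existing contract that raw HTML is allowed otherwise, but that scope is worth one clause in the comment. _do_links starts and continues outside the hunk.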

Example 1: +[HTML_REMOVED]alert(1);//>[HTML_REMOVED]>

+ +

Example 2: +[HTML_REMOVED]alert(1);/*->a>a\\*/[HTML_REMOVED]alert(1);/*->a>

diff --git a/test/tm-cases/issue341_xss.opts b/test/tm-cases/issue341_xss.opts
new file mode 100644
index 00000000..fd31b4e3
--- /dev/null
+++ b/test/tm-cases/issue341_xss.opts
@@ -0,0 +1 @@
+{"safe_mode": "replace"}
diff --git a/test/tm-cases/issue341_xss.text b/test/tm-cases/issue341_xss.text
new file mode 100644
index 00000000..8707ce23
--- /dev/null
+++ b/test/tm-cases/issue341_xss.text
@@ -0,0 +1,5 @@
+Example 1:
+alert(1);//]()>]()>
+
+Example 2:
+alert(1);/\*](http://g)->a>alert(1);/*](http://g)->a>
\ No newline at end of file
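Review bot: The new fixture pins only `{"safe_mode": "replace"}`; the `escape` value of safe_mode takes, as far as I recall, a separate branch of the sanitizer and so the link-text fix is not exercised for it, meaning a regression there would pass the suite. A sibling case with `{"safe_mode": "escape"}` and its expected output would close that gap. The expected-output file for this case is not readable in this view, so I could not check it against the text input.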