Merge pull request #473 from vin01/master

Add test for nested incomplete tag sanitization
trentm · Sep 22, 2022 · 9b6fc0b · 9b6fc0b
2 parents 47d3653 + eb5ff1a
commit 9b6fc0b
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/lib/markdown2.py b/lib/markdown2.py
@@ -2358,7 +2358,10 @@ def _encode_incomplete_tags(self, text):
         if text.endswith(">"):
             return text  # this is not an incomplete tag, this is a link in the form <http://x.y.z>
 
-        return self._incomplete_tags_re.sub("&lt;\\1", text)
+        def incomplete_tags_sub(match):
+            return match.group().replace('<', '&lt;')
+
+        return self._incomplete_tags_re.sub(incomplete_tags_sub, text)
 
     def _encode_backslash_escapes(self, text):
         for ch, escape in list(self._escape_table.items()):

diff --git a/test/tm-cases/nested_incomplete_tags_xss.html b/test/tm-cases/nested_incomplete_tags_xss.html
@@ -0,0 +1,7 @@
+<p>&lt;img &lt;img src="" onerror=alert(/XSS/)</p>
+
+<p>&lt;img&lt;img src="" onerror=alert(/XSS/)</p>
+
+<p>&lt;img&lt;img/src="" onerror=alert(/XSS/)</p>
+
+<p>&lt;img&lt;img&lt;img src="" onerror=alert(/XSS/)</p>
diff --git a/test/tm-cases/nested_incomplete_tags_xss.opts b/test/tm-cases/nested_incomplete_tags_xss.opts
@@ -0,0 +1 @@
+{"safe_mode": "replace"}
diff --git a/test/tm-cases/nested_incomplete_tags_xss.text b/test/tm-cases/nested_incomplete_tags_xss.text
@@ -0,0 +1,7 @@
+<img <img src="" onerror=alert(/XSS/)
+
+<img<img src="" onerror=alert(/XSS/)
+
+<img<img/src="" onerror=alert(/XSS/)
+
+<img<img<img src="" onerror=alert(/XSS/)