Issue 341 - XSS in link text

lib/markdown2.py

@@ -200,7 +200,8 @@ class Markdown(object):
     titles = None
     html_blocks = None
     html_spans = None
-    html_removed_text = "[HTML_REMOVED]"  # for compat with markdown.py
+    html_removed_text = "{(#HTML#)}"  # placeholder removed text that does not trigger bold
+    html_removed_text_compat = "[HTML_REMOVED]"  # for compat with markdown.py
 
     _toc = None
 
@@ -388,6 +389,8 @@ def convert(self, text):
 
         if self.safe_mode:
             text = self._unhash_html_spans(text)
+            # return the removed text warning to its markdown.py compatible form
+            text = text.replace(self.html_removed_text, self.html_removed_text_compat)
 
         if "nofollow" in self.extras:
             text = self._a_nofollow.sub(r'<\1 rel="nofollow"\2', text)
@@ -1375,6 +1378,11 @@ def _do_links(self, text):
                 continue
             link_text = text[start_idx+1:p]
 
+            # Fix for issue 341 - Injecting XSS into link text
+            if self.safe_mode:
+                link_text = self._hash_html_spans(link_text)
+                link_text = self._unhash_html_spans(link_text)
+
             # Possibly a footnote ref?
             if "footnotes" in self.extras and link_text.startswith("^"):
                 normed_id = re.sub(r'\W', '-', link_text[1:])

test/tm-cases/issue341_xss.html

@@ -0,0 +1,5 @@
+<p>Example 1:
+<ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;<ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
+
+<p>Example 2:
+<http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/*</a>->a><http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>

test/tm-cases/issue341_xss.opts

@@ -0,0 +1 @@
+{"safe_mode": "replace"}

test/tm-cases/issue341_xss.text

@@ -0,0 +1,5 @@
+Example 1:
+<ftp:[<script>alert(1);//]()><ftp:[</script>]()>
+
+Example 2:
+<http://g<!s://q?<!-<[<script>alert(1);/\*](http://g)->a><http://g<!s://g.c?<!-<[a\\*/</script>alert(1);/*](http://g)->a>