Add test for nested incomplete tag sanitization #473
Conversation
I think this can be fixed relatively easily without breaking too much. Safe mode calls upon
The regex will match the substring of 'img <img '. Currently the function returns like so: python-markdown2/lib/markdown2.py Line 2359 in af5407d
Which only replaces the initial `<`.

```python
def incomplete_tags_sub(match):
    return match.group().replace('<', '&lt;')

return self._incomplete_tags_re.sub(incomplete_tags_sub, text)
```

Then this would fix the problem. From the tests I've done, this does seem to work as intended, with the output of the above line being: `&lt;img &lt;img src="" onerror=alert(/XSS/)`
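The difference between the two substitutions described above, as an added example that is not markdown2's own code: `INCOMPLETE_TAG_RE` is an assumed, simplified stand-in for the project's regex, and the nested payload is the constructed sample from this thread.

```python
import re

# Constructed sample input from the thread: a nested incomplete tag. The outer
# '<img ' is incomplete, but the inner '<img ...' survives as live markup if
# only the first '<' of the match is escaped.
NESTED_PAYLOAD = '<img <img src="" onerror=alert(/XSS/)'

# Simplified stand-in for markdown2's incomplete-tag regex (an assumption,
# not the project's exact pattern): a '<', an optional '/', a tag name, then
# anything up to the end of the chunk that never closes with '>'.
INCOMPLETE_TAG_RE = re.compile(r"<(/?\w+[^>]*)$")


def encode_incomplete_tags_before(text):
    """Behaviour the thread describes as the original: a replacement
    template that escapes only the leading '<' of the match, so a '<'
    nested inside the captured group is left untouched."""
    return INCOMPLETE_TAG_RE.sub(r"&lt;\1", text)


def encode_incomplete_tags_after(text):
    """The suggested fix: a callable replacement that escapes every '<'
    inside the whole matched span, not just the first one."""
    def incomplete_tags_sub(match):
        return match.group().replace("<", "&lt;")

    return INCOMPLETE_TAG_RE.sub(incomplete_tags_sub, text)


def leaves_raw_tag(html):
    """Check used to judge an output: True if a '<' that could still open
    an element (a '<' or '</' followed by a letter) remains in it."""
    return re.search(r"</?[A-Za-z]", html) is not None


if __name__ == "__main__":
    for name, fn in (("before", encode_incomplete_tags_before),
                     ("after", encode_incomplete_tags_after)):
        out = fn(NESTED_PAYLOAD)
        print(f"{name}: {out!r}  raw tag left: {leaves_raw_tag(out)}")
```

Complete tags such as `<p>text</p>` are not matched by the regex and pass through both versions unchanged; only the dangling, never-closed span is escaped.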
Another example Vin emailed to me, might as well put it in here:
I think it's fine we keep chasing these assuming they don't take too much time. Maybe we add a warning for users to use bleach if they want better XSS handling.
Just tested this:
And my suggested fix does cover this with no breakages of the test suite.
Nice. I was planning on doing a release this week. If you wanna try to sneak that in let me know. Then going to probably cut another release after that with your setup.py changes PR.
Remove trailing whitespaces in `nested_incomplete_tags_xss.html` to make tests pass
…ation Fix sanitization for nested incomplete tags (see trentm#473)
Thanks!
Hi, this is just a test demonstrating nested incomplete tags resulting in XSS. As there have been multiple bypasses since I reported #285, I still think introducing Bleach might be worthwhile. Perhaps in a major version as it might involve breaking changes for rendering. Bleach is a bit more aggressive than the current implementation for escaping and replacing in markdown2.