diff --git a/CHANGES.md b/CHANGES.md index fb590036..718fb9ed 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -7,6 +7,7 @@ - [pull #695] Fix XSS issue from incomplete tags with no attributes (#694) - [pull #700] Fix XSS from code spans in image alt text (#699) - [pull #701] Allow boolean attribute syntax in `markdown-in-html` extra +- [pull #704] Fix XSS from smuggling spans into image attributes (#702, #703) ## python-markdown2 2.5.5 diff --git a/lib/markdown2.py b/lib/markdown2.py index f2368e20..dc698970 100755 --- a/lib/markdown2.py +++ b/lib/markdown2.py @@ -1984,7 +1984,7 @@ def _do_code_blocks(self, text: str) -> str: (? str: c = match.group(2).strip(" \t") @@ -3262,8 +3262,8 @@ def run(self, text: str): ) if title: if self.md.safe_mode: - # expose code span contents for escaping - fix #691 - title = self.md._unhash_html_spans(title, spans=False, code=True) + # expose span contents for escaping - fix #691, #703 + title = self.md._unhash_html_spans(title, spans=True, code=True) title = ( _xml_escape_attr(title) .replace('*', self.md._escape_table['*']) @@ -3282,8 +3282,8 @@ def run(self, text: str): continue if link_text and self.md.safe_mode: - # expose code span contents for escaping - fix #699 - link_text = self.md._unhash_html_spans(link_text, spans=False, code=True) + # expose span contents for escaping - fix #699, #703 + link_text = self.md._unhash_html_spans(link_text, spans=True, code=True) start_idx -= 1 result, skip = self.process_image(url, title_str, link_text) diff --git a/test/tm-cases/image_title_xss_issue691.html b/test/tm-cases/image_title_xss_issue691.html deleted file mode 100644 index 25c81d83..00000000 --- a/test/tm-cases/image_title_xss_issue691.html +++ /dev/null @@ -1 +0,0 @@ -
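Review bot: The two `_unhash_html_spans(..., spans=True, code=True)` calls in the 3262 and 3282 hunks are the same safe-mode pre-escaping step written out twice, and the history in this very commit (#691 fixed only the title, #699 only the alt text, #703 both) shows how easily the two copies drift; a small helper such as `def _expose_spans(self, s): return self.md._unhash_html_spans(s, spans=True, code=True) if self.md.safe_mode else s` called from both sites would keep the attribute-escaping path in one place. Both branches are still gated on `self.md.safe_mode`, which matches the existing design, but the `url` argument handed to `process_image` in the 3282 hunk receives no equivalent treatment in this change; if hashed spans can reach it, confirm it is covered elsewhere. The enclosing `run` method starts and ends outside both hunks, and the 1984 hunk in `_do_code_blocks` is too garbled on this page to review.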

diff --git a/test/tm-cases/image_title_xss_issue691.text b/test/tm-cases/image_title_xss_issue691.text deleted file mode 100644 index ee6625f1..00000000 --- a/test/tm-cases/image_title_xss_issue691.text +++ /dev/null @@ -1 +0,0 @@ -![](x "`" onerror=alert(1)//`"") diff --git a/test/tm-cases/latex.html b/test/tm-cases/latex.html index b91fd4b9..c1ea0ff6 100644 --- a/test/tm-cases/latex.html +++ b/test/tm-cases/latex.html @@ -5,14 +5,14 @@

Simple Test

x=b±b24ac2a -

This code block will not have the math rendered. - -some random code, describing $a and $b will not be rendered, $y=mx$ - -This will not work either $\sqrt{2} or

+

This code block will not have the math rendered.

-

-$$ +

some random code, describing $a and $b will not be rendered, $y=mx$ 
+
+ +

This will not work either $\sqrt{2} or

+ +
$$
 f = 12
 $$
-

+
diff --git a/test/tm-cases/latex.opts b/test/tm-cases/latex.opts index 627b9f1f..a8b97c4b 100644 --- a/test/tm-cases/latex.opts +++ b/test/tm-cases/latex.opts @@ -1 +1 @@ -{"extras": ["latex","latex2mathml"]} \ No newline at end of file +{"extras": ["latex","latex2mathml", "fenced-code-blocks"]} \ No newline at end of file diff --git a/test/tm-cases/xss_code_spans_with_link_defs.html b/test/tm-cases/xss_code_spans_with_link_defs.html new file mode 100644 index 00000000..5eac7a84 --- /dev/null +++ b/test/tm-cases/xss_code_spans_with_link_defs.html @@ -0,0 +1,2 @@ +

` +<img src onerror="alert(origin)">

diff --git a/test/tm-cases/xss_issue699.opts b/test/tm-cases/xss_code_spans_with_link_defs.opts similarity index 100% rename from test/tm-cases/xss_issue699.opts rename to test/tm-cases/xss_code_spans_with_link_defs.opts diff --git a/test/tm-cases/xss_code_spans_with_link_defs.text b/test/tm-cases/xss_code_spans_with_link_defs.text new file mode 100644 index 00000000..52d480cf --- /dev/null +++ b/test/tm-cases/xss_code_spans_with_link_defs.text @@ -0,0 +1,3 @@ +` + +[x]: ` \ No newline at end of file diff --git a/test/tm-cases/xss_issue699.html b/test/tm-cases/xss_issue699.html deleted file mode 100644 index cc3c2bd7..00000000 --- a/test/tm-cases/xss_issue699.html +++ /dev/null @@ -1 +0,0 @@ -

<code>" onerror="alert(1)//</code>

diff --git a/test/tm-cases/xss_issue699.text b/test/tm-cases/xss_issue699.text deleted file mode 100644 index d2e88285..00000000 --- a/test/tm-cases/xss_issue699.text +++ /dev/null @@ -1 +0,0 @@ -![`" onerror="alert(1)//`]() \ No newline at end of file diff --git a/test/tm-cases/xss_smuggling_spans_in_image_attrs.html b/test/tm-cases/xss_smuggling_spans_in_image_attrs.html new file mode 100644 index 00000000..37cd276e --- /dev/null +++ b/test/tm-cases/xss_smuggling_spans_in_image_attrs.html @@ -0,0 +1,5 @@ +

+ +

<code>" onerror="alert(1)//</code>

+ +

A

diff --git a/test/tm-cases/image_title_xss_issue691.opts b/test/tm-cases/xss_smuggling_spans_in_image_attrs.opts similarity index 100% rename from test/tm-cases/image_title_xss_issue691.opts rename to test/tm-cases/xss_smuggling_spans_in_image_attrs.opts diff --git a/test/tm-cases/xss_smuggling_spans_in_image_attrs.text b/test/tm-cases/xss_smuggling_spans_in_image_attrs.text new file mode 100644 index 00000000..4a5c25a8 --- /dev/null +++ b/test/tm-cases/xss_smuggling_spans_in_image_attrs.text @@ -0,0 +1,5 @@ +![](x "`" onerror=alert(1)//`"") + +![`" onerror="alert(1)//`]() + +![A](B "") \ No newline at end of file