Fix XSS from smuggling spans into image attributes (#702, #703)

CHANGES.md

@@ -7,6 +7,7 @@
 - [pull #695] Fix XSS issue from incomplete tags with no attributes (#694)
 - [pull #700] Fix XSS from code spans in image alt text (#699)
 - [pull #701] Allow boolean attribute syntax in `markdown-in-html` extra
+- [pull #704] Fix XSS from smuggling spans into image attributes (#702, #703)
 
 
 ## python-markdown2 2.5.5

lib/markdown2.py

@@ -1984,7 +1984,7 @@ def _do_code_blocks(self, text: str) -> str:
             (?<!`)
             \1          # Matching closer
             (?!`)
-        ''', re.X | re.S)
+        ''', re.X)
 
     def _code_span_sub(self, match: re.Match[str]) -> str:
         c = match.group(2).strip(" \t")
@@ -3262,8 +3262,8 @@ def run(self, text: str):
             )
             if title:
                 if self.md.safe_mode:
-                    # expose code span contents for escaping - fix #691
-                    title = self.md._unhash_html_spans(title, spans=False, code=True)
+                    # expose span contents for escaping - fix #691, #703
+                    title = self.md._unhash_html_spans(title, spans=True, code=True)
                 title = (
                     _xml_escape_attr(title)
                     .replace('*', self.md._escape_table['*'])
@@ -3282,8 +3282,8 @@ def run(self, text: str):
                     continue
 
                 if link_text and self.md.safe_mode:
-                    # expose code span contents for escaping - fix #699
-                    link_text = self.md._unhash_html_spans(link_text, spans=False, code=True)
+                    # expose span contents for escaping - fix #699, #703
+                    link_text = self.md._unhash_html_spans(link_text, spans=True, code=True)
 
                 start_idx -= 1
                 result, skip = self.process_image(url, title_str, link_text)

test/tm-cases/latex.html

@@ -5,14 +5,14 @@ <h2>Simple Test</h2>
 
 <math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><mrow><mi>x</mi><mo>&#x0003D;</mo><mfrac><mrow><mo>&#x02212;</mo><mi>b</mi><mi>&#x000B1;</mi><msqrt><mrow><msup><mi>b</mi><mn>2</mn></msup><mo>&#x02212;</mo><mn>4</mn><mi>a</mi><mi>c</mi></mrow></msqrt></mrow><mrow><mn>2</mn><mi>a</mi></mrow></mfrac></mrow></math>
 
-<p>This code block will not have the math rendered.
-<code>
-some random code, describing $a and $b will not be rendered, $y=mx$ 
-</code>
-This will not work either <code>$\sqrt{2}</code> or</p>
+<p>This code block will not have the math rendered.</p>
 
-<p><code>
-$$
+<pre><code>some random code, describing $a and $b will not be rendered, $y=mx$ 
+</code></pre>
+
+<p>This will not work either <code>$\sqrt{2}</code> or</p>
+
+<pre><code>$$
 f = 12
 $$
-</code></p>
+</code></pre>

test/tm-cases/latex.opts

@@ -1 +1 @@
-{"extras": ["latex","latex2mathml"]}
+{"extras": ["latex","latex2mathml", "fenced-code-blocks"]}

test/tm-cases/xss_code_spans_with_link_defs.html

@@ -0,0 +1,2 @@
+<p>`
+&lt;img src onerror="alert(origin)"&gt;</p>

test/tm-cases/xss_code_spans_with_link_defs.text

@@ -0,0 +1,3 @@
+`
+<img src onerror="alert(origin)">
+[x]: `

test/tm-cases/xss_smuggling_spans_in_image_attrs.html

@@ -0,0 +1,5 @@
+<p><img src="x" alt="" title="&lt;code&gt;&quot; onerror=alert(1)//&lt;/code&gt;&quot;" /></p>
+
+<p><img src="" alt="&lt;code&gt;&quot; onerror=&quot;alert(1)//&lt;/code&gt;" /></p>
+
+<p><img src="B" alt="A" title="&lt;C D=&quot;E&quot; onerror=alert(origin) &gt;" /></p>

test/tm-cases/xss_smuggling_spans_in_image_attrs.text

@@ -0,0 +1,5 @@
+![](x "`" onerror=alert(1)//`"")
+
+![`" onerror="alert(1)//`]()
+
+![A](B "<C D="E" onerror=alert(origin) >")