diff --git a/lib/markdown2.py b/lib/markdown2.py
index dc698970..4ba78a4f 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -1537,8 +1537,10 @@ def _safe_href(self):
         safe = r'-\w'
         # omitted ['"<>] for XSS reasons
         less_safe = r'#/\.!#$%&\(\)\+,/:;=\?@\[\]^`\{\}\|~'
+        # html encoded colon in a URL still functions as a normal colon, so need to detect those
+        protocol_seperators = [':', '&#x3a;', '&#58;', '&colon;']
         # dot seperated hostname, optional port number, not followed by protocol seperator
-        domain = r'(?:[{}]+(?:\.[{}]+)*)(?:(?<!tel):\d+/?)?(?![^:/]*:/*)'.format(safe, safe)
+        domain = r'(?:[{}]+(?:\.[{}]+)*)(?:(?<!tel)(?<!javascript):\d+/?)?(?![^:/]*(?:{})/*)'.format(safe, safe, '|'.join(protocol_seperators))
         fragment = r'[%s]*' % (safe + less_safe)
 
         return re.compile(r'^(?:({})?({})({})|(#|\.{{,2}}/)({}))$'.format(self._safe_protocols, domain, fragment, fragment), re.I)
@@ -3269,6 +3271,8 @@ def run(self, text: str):
                     .replace('*', self.md._escape_table['*'])
                     .replace('_', self.md._escape_table['_'])
                 )
+                if self.md.safe_mode:
+                    title = self.md._hash_span(title)
                 title_str = f' title="{title}"'
             else:
                 title_str = ''
diff --git a/test/tm-cases/xss_smuggling_spans_in_image_attrs.html b/test/tm-cases/xss_smuggling_spans_in_image_attrs.html
index 37cd276e..ccd398e7 100644
--- a/test/tm-cases/xss_smuggling_spans_in_image_attrs.html
+++ b/test/tm-cases/xss_smuggling_spans_in_image_attrs.html
@@ -3,3 +3,14 @@
 <p><img src="" alt="&lt;code&gt;&quot; onerror=&quot;alert(1)//&lt;/code&gt;" /></p>
 
 <p><img src="B" alt="A" title="&lt;C D=&quot;E&quot; onerror=alert(origin) &gt;" /></p>
+
+<p><a href="#">x</a></p>
+
+<p><a href="#">x</a></p>
+
+<ul>
+<li>
+<ul>
+<li><img src="x" alt="" title="&lt;code&gt;![](&lt;/code&gt;" /> onerror=alert(origin) )</li>
+</ul></li>
+</ul>
diff --git a/test/tm-cases/xss_smuggling_spans_in_image_attrs.text b/test/tm-cases/xss_smuggling_spans_in_image_attrs.text
index 4a5c25a8..3f025a00 100644
--- a/test/tm-cases/xss_smuggling_spans_in_image_attrs.text
+++ b/test/tm-cases/xss_smuggling_spans_in_image_attrs.text
@@ -2,4 +2,11 @@
 
 ![`" onerror="alert(1)//`]()
 
-![A](B "<C D="E" onerror=alert(origin) >")
\ No newline at end of file
+![A](B "<C D="E" onerror=alert(origin) >")
+
+[x](javascript&#58;alert(origin))
+
+[x](javascript:1/alert(origin))
+
+- 
+- ![](x '`![](`') onerror=alert(origin) )
\ No newline at end of file