Fix XSS injection in image URLs (#603)

trentm · Sep 22, 2024 · b633861 · b633861
1 parent 1e0fbf2
commit b633861
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 5 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -5,6 +5,7 @@
 - [pull #590] Fix underscores within bold text getting emphasized (#589)
 - [pull #591] Add Alerts extra
 - [pull #595] Fix img alt text being processed as markdown (#594)
+- [pull #604] Fix XSS injection in image URLs (#603)
 
 
 ## python-markdown2 2.5.0

diff --git a/lib/markdown2.py b/lib/markdown2.py
@@ -1354,9 +1354,23 @@ def _is_comment(token):
             is_html_markup = not is_html_markup
         return ''.join(tokens)
 
-    def _unhash_html_spans(self, text: str) -> str:
-        for key, sanitized in list(self.html_spans.items()):
-            text = text.replace(key, sanitized)
+    def _unhash_html_spans(self, text: str, spans=True, code=False) -> str:
+        '''
+        Recursively unhash a block of text
+
+        Args:
+            spans: unhash anything from `self.html_spans`
+            code: unhash code blocks
+        '''
+        orig = ''
+        while text != orig:
+            if spans:
+                for key, sanitized in list(self.html_spans.items()):
+                    text = text.replace(key, sanitized)
+            if code:
+                for code, key in list(self._code_table.items()):
+                    text = text.replace(key, code)
+            orig = text
         return text
 
     def _sanitize_html(self, s: str) -> str:
@@ -1582,8 +1596,9 @@ def _do_links(self, text: str) -> str:
 
                     # We've got to encode these to avoid conflicting
                     # with italics/bold.
-                    url = url.replace('*', self._escape_table['*']) \
-                             .replace('_', self._escape_table['_'])
+                    url = self._unhash_html_spans(url, code=True) \
+                              .replace('*', self._escape_table['*']) \
+                              .replace('_', self._escape_table['_'])
                     if title:
                         title_str = ' title="%s"' % (
                             _xml_escape_attr(title)

diff --git a/test/tm-cases/issue603_xss.html b/test/tm-cases/issue603_xss.html
@@ -0,0 +1,4 @@
+<p><img src="code&gt;&quot; onerror=alert()//&lt;/code" alt="" /></p>
+
+<p><img src="&quot; onerror=alert()//" alt="" />
+<a href="#"></a></p>
diff --git a/test/tm-cases/issue603_xss.opts b/test/tm-cases/issue603_xss.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
diff --git a/test/tm-cases/issue603_xss.text b/test/tm-cases/issue603_xss.text
@@ -0,0 +1,8 @@
+![](`" onerror=alert()//`)
+
+
+![][XSS]
+[][XSS]
+
+
+[XSS]: " onerror=alert()//