Describe the bug
It's possible to bypass the safe mode (escape only, not replace).
To Reproduce
Run markdown2 with safe_mode="escape" on the following markdown input:
 >")
The output HTML is:
<p><img src="B" alt="A" title="<C D="E" onerror=alert(origin) >" /></p>
The browser sees this as an image with src, alt, title and an onerror attribute. The onerror executes JavaScript, causing XSS.
This was found through fuzzing, so I'm not sure exactly why it happens, but this was the minimal PoC.
Debug info
Version of library being used: c2d73a3
Any extras being used: no
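Added example (not markdown2's own code): a defence-in-depth check that parses rendered HTML and flags any on* event-handler attribute, run against the output quoted above, next to a hypothetical image renderer (img_with_escaped_title, an assumption, not markdown2's implementation) that escapes quotes and angle brackets in attribute values so the title cannot break out of its attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the rendered output quoted in the report above.
UNSAFE_HTML = '<p><img src="B" alt="A" title="<C D="E" onerror=alert(origin) >" /></p>'


class EventHandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* attribute the parser sees.

    A browser tokenises the quoted output the same way: the second double quote
    closes the title, so what follows becomes separate attributes.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name.lower()))

    # Self-closing tags (<img ... />) must be inspected the same way.
    handle_startendtag = handle_starttag


def find_event_handlers(rendered_html):
    """Return [(tag, attr), ...] for event-handler attributes in rendered HTML."""
    parser = EventHandlerFinder()
    parser.feed(rendered_html)
    parser.close()
    return parser.findings


def img_with_escaped_title(src, alt, title):
    """Hypothetical renderer (assumption, not markdown2's code): every attribute
    value goes through html.escape(quote=True), so '"' becomes &quot; and '<'
    becomes &lt; and the value can no longer terminate the attribute."""
    return '<img src="%s" alt="%s" title="%s" />' % (
        html.escape(src, quote=True),
        html.escape(alt, quote=True),
        html.escape(title, quote=True),
    )


if __name__ == "__main__":
    print("unsafe output:", find_event_handlers(UNSAFE_HTML))
    safe = img_with_escaped_title("B", "A", '<C D="E" onerror=alert(origin) >')
    print("escaped output:", safe, find_event_handlers(safe))
```

Running the check over the reported output yields an img/onerror finding, while the escaped rendering yields none.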