trentm/python-markdown2

XSS in escape safe mode

sebastianosrt opened this issue · 1 comments

Describe the bug
The parser inserts code blocks into the image src attribute and does not escape quotes in <code> blocks. This can lead to XSS vulnerabilities.

To Reproduce
Execute poc.py

import markdown2
malicious = """![](`" onerror=alert()//`)"""
print(markdown2.markdown(malicious, safe_mode="escape"))

Result:

<img src="code&gt;" onerror=alert()//&lt;/code" alt="" />

Expected behavior
The resulting HTML should look like this:

<img src="code&gt;&quot; onerror=alert()//&lt;/code" alt="" />

Debug info
Version of library being used: 2.5.0

Thank you!
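A regression check for this class of bug, added here as an example and not part of the issue or of markdown2's own code: it parses rendered HTML with the standard library and flags any event-handler attribute, or any attribute on <img> outside an allowlist, so a test suite can assert that "safe" mode never lets input extend a tag's attribute list. The two inputs are the HTML lines quoted above; the allowlist IMG_ALLOWED_ATTRS is an assumption, not something markdown2 defines.

```python
from html.parser import HTMLParser

# Assumed allowlist: attributes a sanitizing renderer is expected to emit on <img>.
# Anything else on the tag means the input managed to extend the attribute list,
# which is exactly what the quoted output shows (onerror= escaping from src).
IMG_ALLOWED_ATTRS = {"src", "alt", "title", "width", "height"}


class AttrAuditor(HTMLParser):
    """Records every suspicious attribute on every start tag it sees."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attr_name, attr_value) triples

    def handle_starttag(self, tag, attrs):
        # html.parser also routes self-closing tags (<img ... />) through here.
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                # Any on* attribute is script execution; never acceptable in
                # output of a "safe" mode, whatever the tag.
                self.findings.append((tag, name, value or ""))
            elif tag == "img" and name not in IMG_ALLOWED_ATTRS:
                self.findings.append((tag, name, value or ""))


def audit_rendered_html(html: str):
    """Return suspicious (tag, attr, value) triples found in rendered HTML."""
    auditor = AttrAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Output quoted from this issue (markdown2 2.5.0, safe_mode="escape"):
BUGGY_OUTPUT = '<img src="code&gt;" onerror=alert()//&lt;/code" alt="" />'
# The output the reporter expects, with the quote kept inside the src value:
EXPECTED_OUTPUT = '<img src="code&gt;&quot; onerror=alert()//&lt;/code" alt="" />'

if __name__ == "__main__":
    print(audit_rendered_html(BUGGY_OUTPUT))     # one finding: onerror on <img>
    print(audit_rendered_html(EXPECTED_OUTPUT))  # []
```

In a test for the renderer itself, feed `markdown2.markdown(src, safe_mode="escape")` into `audit_rendered_html` and assert the result is empty for a corpus of hostile inputs such as the one in this report.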