Merge pull request #692 from Crozzers/xss-issue691

Fix XSS from code spans in link titles (#691)

Author: nicholasserra

CHANGES.md

@@ -3,6 +3,7 @@
 ## python-markdown2 2.5.6 (not yet released)
 
 - [pull #687] Fix AssertionError hashing HTML blocks spread over multiple lines (#686)
+- [pull #692] Fix XSS from code spans in link titles (#691)
 
 
 ## python-markdown2 2.5.5

lib/markdown2.py

@@ -3270,6 +3270,9 @@ def run(self, text: str):
                 .replace('_', self.md._escape_table['_'])
             )
             if title:
+                if self.md.safe_mode:
+                    # expose code span contents for escaping - fix #691
+                    title = self.md._unhash_html_spans(title, spans=False, code=True)
                 title = (
                     _xml_escape_attr(title)
                     .replace('*', self.md._escape_table['*'])

test/tm-cases/image_title_xss_issue691.html

@@ -0,0 +1 @@
+<p><img src="x" alt="" title="&lt;code&gt;&quot; onerror=alert(1)//&lt;/code&gt;&quot;" /></p>

test/tm-cases/image_title_xss_issue691.opts

@@ -0,0 +1 @@
+{'safe_mode': 'escape'}

test/tm-cases/image_title_xss_issue691.text

@@ -0,0 +1 @@
+![](x "`" onerror=alert(1)//`"")