From b086f51e71d2e329a6ba68de044fffa36078a5e4 Mon Sep 17 00:00:00 2001
From: Vidhun K <29324367+V1dhun@users.noreply.github.com>
Date: Fri, 1 May 2020 18:56:07 +0530
Subject: [PATCH 1/5] FIX: Filter bypass leading to XSS
---
 lib/markdown2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 3a5d5d9b..4910622d 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2164,7 +2164,7 @@ def _encode_amps_and_angles(self, text):
 text = self._naked_gt_re.sub('>', text)
 return text
- _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
+ _incomplete_tags_re = re.compile("(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script")
 def _encode_incomplete_tags(self, text):
 if self.safe_mode not in ("replace", "escape"):
From b30ddb833928f51705b28a962324cf9e29f77f30 Mon Sep 17 00:00:00 2001
From: Vidhun K <29324367+V1dhun@users.noreply.github.com>
Date: Fri, 1 May 2020 20:32:15 +0530
Subject: [PATCH 2/5] Update markdown2.py
---
 lib/markdown2.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 4910622d..c9bf3988 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2164,12 +2164,12 @@ def _encode_amps_and_angles(self, text):
 text = self._naked_gt_re.sub('>', text)
 return text
- _incomplete_tags_re = re.compile("(\b)(on\S+)(\s*)=|javascript|(<\s*)(\/*)script")
+ _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
 def _encode_incomplete_tags(self, text):
 if self.safe_mode not in ("replace", "escape"):
 return text
-
+ self._incomplete_tags_re.re.sub("(\b)(on\S+)=",'', text)
 return self._incomplete_tags_re.sub("<\\1", text)
 def _encode_backslash_escapes(self, text):
From e37351ee8b7a73c8bf89343278de58ff18fa61b1 Mon Sep 17 00:00:00 2001
From: Vidhun K <29324367+V1dhun@users.noreply.github.com>
Date: Fri, 1 May 2020 21:13:52 +0530
Subject: [PATCH 3/5] Update markdown2.py
---
 lib/markdown2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
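Review bot: The replacement pattern breaks `_encode_incomplete_tags`, whose body continues outside this hunk and substitutes `"<\\1"`: group 1 of the new pattern is `(\b)`, and inside a non-raw string `\b` is a backspace character rather than a word boundary, so the `on…=` alternative can only match after a literal backspace, while a hit on `javascript` or `<script` is replaced by a bare `<` plus an empty group. The original job of this regex, escaping an unterminated tag so it renders as text, is dropped entirely, and a keyword denylist is a weaker control than escaping: it corrupts legitimate prose containing those words and does nothing for anything not on the list. Keep the original pattern and address the reported bypass in the escaping path, with a safe-mode regression test for the reported input; patch 2 of this series does restore the pattern. The `'>'` and `"<\\1"` shown here were presumably `&gt;`/`&lt;` entities lost in rendering, so the intended replacement is an escape, not a raw angle bracket.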
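Review bot: The added line `self._incomplete_tags_re.re.sub("(\b)(on\S+)=",'', text)` has no effect on the output: `re.sub` returns a new string and the result is discarded, so `text` reaches the final `sub` unchanged; the same discarded call survives in patches 3, 4 and 5, which leaves the whole series a functional no-op once the pattern is restored. As written it would also raise in safe mode, because a compiled `Pattern` has no `.re` attribute (that lives on `Match` objects), and `\b` in the non-raw string is a backspace rather than a word boundary; patches 4 and 3 respectively fix those two. The minimal correction is `text = re.sub(r'(\b)(on\S+)=', '', text)`, but note that this deletes any `on…=` token in legitimate content, code spans included, and is not a substitute for escaping the unterminated tag.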
diff --git a/lib/markdown2.py b/lib/markdown2.py
index c9bf3988..2ee33f12 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2169,7 +2169,7 @@ def _encode_amps_and_angles(self, text):
 def _encode_incomplete_tags(self, text):
 if self.safe_mode not in ("replace", "escape"):
 return text
- self._incomplete_tags_re.re.sub("(\b)(on\S+)=",'', text)
+ self._incomplete_tags_re.re.sub(r'(\b)(on\S+)=','', text)
 return self._incomplete_tags_re.sub("<\\1", text)
 def _encode_backslash_escapes(self, text):
From 18106ad14ea701bd7d8a9f5a702a88a602f6908c Mon Sep 17 00:00:00 2001
From: Vidhun K <29324367+V1dhun@users.noreply.github.com>
Date: Fri, 1 May 2020 21:18:13 +0530
Subject: [PATCH 4/5] Update markdown2.py
---
 lib/markdown2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 2ee33f12..19aa47d4 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2169,7 +2169,7 @@ def _encode_amps_and_angles(self, text):
 def _encode_incomplete_tags(self, text):
 if self.safe_mode not in ("replace", "escape"):
 return text
- self._incomplete_tags_re.re.sub(r'(\b)(on\S+)=','', text)
+ re.sub(r'(\b)(on\S+)=','', text)
 return self._incomplete_tags_re.sub("<\\1", text)
 def _encode_backslash_escapes(self, text):
From 8c613ba336950955fa21a05f5a6adb09c22e7a4d Mon Sep 17 00:00:00 2001
From: Vidhun K <29324367+V1dhun@users.noreply.github.com>
Date: Sun, 3 May 2020 09:53:44 +0530
Subject: [PATCH 5/5] Update markdown2.py
---
 lib/markdown2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 19aa47d4..471106c4 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2169,7 +2169,7 @@ def _encode_amps_and_angles(self, text):
 def _encode_incomplete_tags(self, text):
 if self.safe_mode not in ("replace", "escape"):
 return text
- re.sub(r'(\b)(on\S+)=','', text)
+ re.sub(r'(\b)(on\S+)=|(on\S+\s*([! ])\s*)=','', text)
 return self._incomplete_tags_re.sub("<\\1", text)
 def _encode_backslash_escapes(self, text):
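Review bot: The new alternative `(on\S+\s*([! ])\s*)=` widens a keyword denylist that runs over the entire document, and even once its return value is assigned it removes any token starting with `on` followed by `=`, which hits ordinary text and code samples as readily as an event-handler attribute; the `[! ]` class is also wrapped in `\s*` on both sides, so its space branch is redundant and the intent of the `!` branch is unclear and deserves a comment. Deleting attribute-like tokens is not a sanitizer: a pattern-based strip only covers the spellings it enumerates, whereas the existing safe-mode control, escaping `<` for any tag `_incomplete_tags_re` does not recognise as complete, neutralises the whole tag. The fix for the reported bypass belongs in that escaping path (adjust `_incomplete_tags_re` rather than adding this `re.sub` line), backed by a regression test in safe mode for the reported input and a test that benign `on…=` text is left intact.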