Merge pull request #303 from thombashi/fix_cve-2018-5773

Fix CVE-2018-5773: #285

Author: nicholasserra

lib/markdown2.py

@@ -1203,7 +1203,7 @@ def _is_auto_link(s):
                 self.html_spans[key] = sanitized
                 tokens.append(key)
             else:
-                tokens.append(token)
+                tokens.append(self._encode_incomplete_tags(token))
             is_html_markup = not is_html_markup
         return ''.join(tokens)
 
@@ -2140,6 +2140,14 @@ def _encode_amps_and_angles(self, text):
         text = self._naked_gt_re.sub('>', text)
         return text
 
+    _incomplete_tags_re = re.compile("<(/?\w+\s+)")
+
+    def _encode_incomplete_tags(self, text):
+        if self.safe_mode not in ("replace", "escape"):
+            return text
+            
+        return self._incomplete_tags_re.sub("&lt;\\1", text)
+
     def _encode_backslash_escapes(self, text):
         for ch, escape in list(self._escape_table.items()):
             text = text.replace("\\"+ch, escape)

test/tm-cases/CVE-2018-5773.html

@@ -0,0 +1,3 @@
+<p>&lt;img src="" onerror=alert(/XSS/) </p>
+
+<p>&lt;/img src="" onerror=alert(/XSS/) </p>

test/tm-cases/CVE-2018-5773.opts

@@ -0,0 +1 @@
+{"safe_mode": "replace"}

test/tm-cases/CVE-2018-5773.text

@@ -0,0 +1,3 @@
+<img src="" onerror=alert(/XSS/) 
+
+</img src="" onerror=alert(/XSS/) 

test/tm-cases/basic_safe_mode.html

@@ -28,7 +28,7 @@
 
 <p><img src="http://example.com&gt;[HTML_REMOVED]alert(1)[HTML_REMOVED]" alt="img3" /></p>
 
-<p><img src="javascript:alert(1)"</p>
+<p>&lt;img src="javascript:alert(1)"</p>
 
 <p><img src="http://example.com/image.gif?h=200&amp;w=500" alt="ok img" /></p>