diff --git a/lib/markdown2.py b/lib/markdown2.py
index 1652a696..c406865d 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -1203,7 +1203,7 @@ def _is_auto_link(s):
 self.html_spans[key] = sanitized
 tokens.append(key)
 else:
- tokens.append(token)
+ tokens.append(self._encode_incomplete_tags(token))
 is_html_markup = not is_html_markup
 return ''.join(tokens)
@@ -2140,6 +2140,14 @@ def _encode_amps_and_angles(self, text):
 text = self._naked_gt_re.sub('>', text)
 return text
+ _incomplete_tags_re = re.compile("<(/?\w+\s+)")
+
+ def _encode_incomplete_tags(self, text):
+ if self.safe_mode not in ("replace", "escape"):
+ return text
+
+ return self._incomplete_tags_re.sub("<\\1", text)
+
 def _encode_backslash_escapes(self, text):
 for ch, escape in list(self._escape_table.items()):
 text = text.replace("\\"+ch, escape)
diff --git a/test/tm-cases/CVE-2018-5773.html b/test/tm-cases/CVE-2018-5773.html
new file mode 100644
index 00000000..86b6da18
--- /dev/null
+++ b/test/tm-cases/CVE-2018-5773.html
@@ -0,0 +1,3 @@
+
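Review bot: The pattern on the added `_incomplete_tags_re` line is a plain string literal, so `\w` and `\s` are invalid escape sequences that newer Python releases warn about and a future one may reject; write it as a raw string, `_incomplete_tags_re = re.compile(r"<(/?\w+\s+)")`. As displayed, the replacement `"<\\1"` re-emits a literal `<` and would change nothing — presumably the real source carries the entity `&lt;` there and it was decoded when this diff was rendered, which is worth confirming against the file. The pattern also only fires when the tag name is followed by whitespace, so an unterminated tag whose name is followed by another separator still reaches the output unencoded in safe mode; widening the group, e.g. `r"<(/?\w+[\s/]+)"`, covers that without changing the replacement. A one-line docstring would help the next reader, e.g. `"""In safe_mode, entity-encode the '<' of an unterminated tag so it cannot be parsed as markup."""`. The `_hash_html_spans` body that the first hunk's call site belongs to starts outside the hunk.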
<img src="" onerror=alert(/XSS/)
+ +</img src="" onerror=alert(/XSS/)
diff --git a/test/tm-cases/CVE-2018-5773.opts b/test/tm-cases/CVE-2018-5773.opts
new file mode 100644
index 00000000..fd31b4e3
--- /dev/null
+++ b/test/tm-cases/CVE-2018-5773.opts
@@ -0,0 +1 @@
+{"safe_mode": "replace"}
diff --git a/test/tm-cases/CVE-2018-5773.text b/test/tm-cases/CVE-2018-5773.text
new file mode 100644
index 00000000..d8bfcbfe
--- /dev/null
+++ b/test/tm-cases/CVE-2018-5773.text
@@ -0,0 +1,3 @@
+
+
<img src="javascript:alert(1)"