Join GitHub today
renderer link not escaped #80
@nitely found out that the same problem appears in images, too. This could be moved to an own issue or be collected in here, but that's your call.
>>> mistune.markdown('![text]("><script>alert`1`</script>)') '<p><img src=""><script>alert`1`</script>" alt="text"></p>\n'