You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
_This is a _shadow issue* for Issue 30 on Google Code (from which this project was moved).
Added 2009-09-29T17:29:09.000Z by c2531...@tyldd.com. Closed (Fixed).
Labels: Type-Defect, Priority-Critical.
Please make updates to the bug there.*
Original description
Quotation marks are not filtered from attributes, you can inject javascript
events into elements. Here is an example:
from markdown2 import markdown
test = """
![a][b]
[b]: http://static.reddit.com/reddit.com.header.png"
onload="alert('javascript injected')
"""
print markdown(test, safe_mode=True)
The result is:
<p><img src="http://static.reddit.com/reddit.com.header.png"
onload="alert('javascript injected')" alt="a" /></p>
Expected result is:
<p><img src="http://static.reddit.com/reddit.com.header.png"
onload="alert('javascript injected')" alt="a" /></p>
The text was updated successfully, but these errors were encountered:
_This is a _shadow issue* for Issue 30 on Google Code (from which this project was moved).
Added 2009-09-29T17:29:09.000Z by c2531...@tyldd.com. Closed (Fixed).
Labels: Type-Defect, Priority-Critical.
Please make updates to the bug there.*
Original description
The text was updated successfully, but these errors were encountered: