From b634a6dafc20dd39caeaabec16c00bf75f01363a Mon Sep 17 00:00:00 2001
From: Nicholas Serra <nickserra@gmail.com>
Date: Fri, 15 Oct 2021 20:07:34 -0400
Subject: [PATCH] Be more strict on auto linking url

---
 lib/markdown2.py                | 2 +-
 test/tm-cases/issue341_xss.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/markdown2.py b/lib/markdown2.py
index 6d060859..634c0987 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -1235,7 +1235,7 @@ def _run_span_gamut(self, text):
             \s*/?>
             |
             # auto-link (e.g., <http://www.activestate.com/>)
-            <\w+[^>]*>
+            <[\w~:/?#\[\]@!$&'\(\)*+,;%=\.\\-]+>
             |
             <!--.*?-->      # comment
             |
diff --git a/test/tm-cases/issue341_xss.html b/test/tm-cases/issue341_xss.html
index 48aedff9..c51acb3d 100644
--- a/test/tm-cases/issue341_xss.html
+++ b/test/tm-cases/issue341_xss.html
@@ -2,4 +2,4 @@
 <ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;<ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
 
 <p>Example 2:
-<http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/*</a>->a><http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>
+&lt;http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/\*</a>->a>&lt;http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>