Be more strict on auto linking url

trentm · Oct 16, 2021 · b634a6d · b634a6d
1 parent bd707a8
commit b634a6d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/markdown2.py b/lib/markdown2.py
@@ -1235,7 +1235,7 @@ def _run_span_gamut(self, text):
             \s*/?>
             |
             # auto-link (e.g., <http://www.activestate.com/>)
-            <\w+[^>]*>
+            <[\w~:/?#\[\]@!$&'\(\)*+,;%=\.\\-]+>
             |
             <!--.*?-->      # comment
             |

diff --git a/test/tm-cases/issue341_xss.html b/test/tm-cases/issue341_xss.html
@@ -2,4 +2,4 @@
 <ftp:<a href="#">[HTML_REMOVED]alert(1);//</a>&gt;<ftp:<a href="#">[HTML_REMOVED]</a>&gt;</p>
 
 <p>Example 2:
-<http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/*</a>->a><http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>
+&lt;http://g<!s://q?<!-&lt;<a href="http://g">[HTML_REMOVED]alert(1);/\*</a>->a>&lt;http://g<!s://g.c?<!-&lt;<a href="http://g">a\\*/[HTML_REMOVED]alert(1);/*</a>->a></p>