Package: python-markdown2 / 2.3.7-2+deb10u1

Metadata

Package           Version          Patches format
python-markdown2  2.3.7-2+deb10u1  3.0 (quilt)

Patch series

Patch: 0001 Incomplete tags with punctuation after as part of th.patch

File delta:
 lib/markdown2.py                            | 9  6 + 3 - 0 !
 test/tm-cases/issue348_incomplete_tag.html  | 1  1 + 0 - 0 !
 test/tm-cases/issue348_incomplete_tag.opts  | 1  1 + 0 - 0 !
 test/tm-cases/issue348_incomplete_tag.text  | 1  1 + 0 - 0 !
 4 files changed, 9 insertions(+), 3 deletions(-)

Description: Incomplete tags with punctuation after as part of the tag name are a source of XSS
Bug: https://github.com/trentm/python-markdown2/issues/348

Fixes CVE-2020-11888.

python-markdown2 through 2.3.8 allows XSS because element names are
mishandled unless a \w+ match succeeds. For example, an attack might use
elementname@ or elementname- with an onclick attribute.