From 5898fcc1090ef7cd7783fa1422cc0e53cbca9d1b Mon Sep 17 00:00:00 2001
From: Crozzers
Date: Sun, 10 Apr 2022 21:42:02 +0100
Subject: [PATCH] Fix filter bypass leading to XSS (#362)
---
 lib/markdown2.py | 2 +-
 test/tm-cases/xss_issue_362.html | 2 ++
 test/tm-cases/xss_issue_362.opts | 1 +
 test/tm-cases/xss_issue_362.text | 2 ++
 4 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 test/tm-cases/xss_issue_362.html
 create mode 100644 test/tm-cases/xss_issue_362.opts
 create mode 100644 test/tm-cases/xss_issue_362.text
diff --git a/lib/markdown2.py b/lib/markdown2.py
index aa74ab1b..750a50a0 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2249,7 +2249,7 @@ def _encode_amps_and_angles(self, text):
 text = self._naked_gt_re.sub('>', text)
 return text
- _incomplete_tags_re = re.compile(r"<(/?\w+?(?!\w).+?[\s/]+?)")
+ _incomplete_tags_re = re.compile(r"<(/?\w+?(?!\w)\s*?.+?[\s/]+?)")
 def _encode_incomplete_tags(self, text):
 if self.safe_mode not in ("replace", "escape"):
diff --git a/test/tm-cases/xss_issue_362.html b/test/tm-cases/xss_issue_362.html
new file mode 100644
index 00000000..9d878bd3
--- /dev/null
+++ b/test/tm-cases/xss_issue_362.html
@@ -0,0 +1,2 @@
+
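Review bot: The new `_incomplete_tags_re` on the `+` line has no comment, and the purpose of the added `\s*?` is not obvious: the `re.compile` call passes no flags, so `.` stops at a newline and the old `.+?` could not match a tag name followed directly by a line break. I would put `# \s*? lets the match continue across a line break right after the tag name; "." stops at "\n" (#362)` above the assignment. The expression still matches only when a non-newline character and then whitespace or `/` follow the name, so it is a heuristic filter rather than a full encoder, and callers rendering untrusted Markdown should still sanitize the generated HTML. The new fixture sets only `{"safe_mode": True}`, while the guard below names `"replace"` and `"escape"`; a second case with `"escape"` would cover both modes the function admits. `_encode_incomplete_tags` continues past the end of the hunk, so the substitution itself is not visible here.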

<iframe +onload=alert()//

diff --git a/test/tm-cases/xss_issue_362.opts b/test/tm-cases/xss_issue_362.opts
new file mode 100644
index 00000000..8d202ad0
--- /dev/null
+++ b/test/tm-cases/xss_issue_362.opts
@@ -0,0 +1 @@
+{"safe_mode": True}
\ No newline at end of file
diff --git a/test/tm-cases/xss_issue_362.text b/test/tm-cases/xss_issue_362.text
new file mode 100644
index 00000000..3016199a
--- /dev/null
+++ b/test/tm-cases/xss_issue_362.text
@@ -0,0 +1,2 @@
+