diff --git a/lib/markdown2.py b/lib/markdown2.py index f55d84f0..2a3f364f 100755 --- a/lib/markdown2.py +++ b/lib/markdown2.py @@ -124,6 +124,7 @@ hr_tag_re_from_tab_width, xml_escape_attr, xml_encode_email_char_at_random, + html_escape_url, ) # ---- globals @@ -1511,7 +1512,7 @@ def _do_links(self, text): if is_img: img_class_str = self._html_class_str_from_tag("img") result = '%s', '>')) - if safe_mode: - escaped = escaped.replace('+', ' ') - escaped = escaped.replace("'", "'") - return escaped - # ---- mainline diff --git a/lib/utils.py b/lib/utils.py index 18293824..ce0087db 100644 --- a/lib/utils.py +++ b/lib/utils.py @@ -307,3 +307,15 @@ def xml_encode_email_char_at_random(ch): return "&#%s;" % hex(ord(ch))[1:] else: return "&#%s;" % ord(ch) + + +def html_escape_url(attr, safe_mode=False): + """Replace special characters that are potentially malicious in url string.""" + escaped = (attr + .replace('"', '"') + .replace('<', '<') + .replace('>', '>')) + if safe_mode: + escaped = escaped.replace('+', ' ') + escaped = escaped.replace("'", "'") + return escaped \ No newline at end of file
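Review bot: Each `.replace` in the added `html_escape_url` body replaces a character with itself as shown here (`.replace('"', '"')`, `.replace('<', '<')`, `.replace('>', '>')` and, under safe_mode, `.replace("'", "'")`), so apart from the `+`→space substitution the function returns its input unchanged; this is most likely the entity references being decoded when the page was rendered, but the committed text should be checked to confirm the replacement targets are the entity forms `&quot;`, `&lt;`, `&gt;` and `&#39;`, otherwise the attribute can still be terminated by a crafted URL. The docstring also overstates what the function does: it escapes the characters that would break out of a double-quoted HTML attribute and neither validates nor percent-encodes the URL, and since `'` is only escaped when safe_mode is set, the result is only safe inside double quotes — I would reword it to `"""Escape characters that could break out of a double-quoted HTML attribute holding a URL; does not validate or percent-encode the URL itself."""`. The file is left without a trailing newline (`\ No newline at end of file`), which formatters and linters will flag.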