From 9806f75920e01f85c2119865577e59842f45cc86 Mon Sep 17 00:00:00 2001
From: Crozzers
Date: Wed, 29 Apr 2026 23:08:20 +0100
Subject: [PATCH] Fix #699
---
 CHANGES.md | 1 +
 lib/markdown2.py | 4 ++++
 test/tm-cases/xss_issue699.html | 1 +
 test/tm-cases/xss_issue699.opts | 1 +
 test/tm-cases/xss_issue699.text | 1 +
 5 files changed, 8 insertions(+)
 create mode 100644 test/tm-cases/xss_issue699.html
 create mode 100644 test/tm-cases/xss_issue699.opts
 create mode 100644 test/tm-cases/xss_issue699.text
diff --git a/CHANGES.md b/CHANGES.md
index cacf36fb..900bdbbe 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@
 - [pull #687] Fix AssertionError hashing HTML blocks spread over multiple lines (#686)
 - [pull #692] Fix XSS from code spans in link titles (#691)
 - [pull #695] Fix XSS issue from incomplete tags with no attributes (#694)
+- [pull #700] Fix XSS from code spans in image alt text (#699)
 
 ## python-markdown2 2.5.5
 
diff --git a/lib/markdown2.py b/lib/markdown2.py
index d3787250..e50a2d9b 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -3279,6 +3279,10 @@ def run(self, text: str):
 curr_pos = start_idx + 1
 continue
 
+if link_text and self.md.safe_mode:
+# expose code span contents for escaping - fix #699
+link_text = self.md._unhash_html_spans(link_text, spans=False, code=True)
+
 start_idx -= 1
 result, skip = self.process_image(url, title_str, link_text)
 elif start_idx >= anchor_allowed_pos:
diff --git a/test/tm-cases/xss_issue699.html b/test/tm-cases/xss_issue699.html
new file mode 100644
index 00000000..cc3c2bd7
--- /dev/null
+++ b/test/tm-cases/xss_issue699.html
@@ -0,0 +1 @@
+
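Review bot: The new comment inside `if link_text and self.md.safe_mode:` names the issue but not the mechanism, so a later reader cannot tell why image alt text needs this unhashing step while the surrounding code does not; I would replace it with `# Code spans in the alt text are still hashed placeholders at this point, so a quote inside one bypasses the attribute escaping in process_image and is restored verbatim when spans are unhashed later (#699); unhash them first so safe_mode escaping sees the raw text.` That wording assumes process_image escapes link_text and that the remaining placeholders are unhashed after it, both of which happen outside this hunk, so it should be confirmed against those call sites before landing. The earlier fix for code spans in link titles (#691, listed in the CHANGES.md hunk) presumably does the same for title_str; if so, the two sites could share one small helper so the next attribute added to images or links cannot miss the step. The added fixture pins only safe_mode "escape"; if "replace" takes a different path in process_image, a second .opts variant would be worth adding. The enclosing run() method begins and ends outside the hunk.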

<code>" onerror="alert(1)//</code>

diff --git a/test/tm-cases/xss_issue699.opts b/test/tm-cases/xss_issue699.opts
new file mode 100644
index 00000000..54de31a8
--- /dev/null
+++ b/test/tm-cases/xss_issue699.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
\ No newline at end of file
diff --git a/test/tm-cases/xss_issue699.text b/test/tm-cases/xss_issue699.text
new file mode 100644
index 00000000..d2e88285
--- /dev/null
+++ b/test/tm-cases/xss_issue699.text
@@ -0,0 +1 @@
+![`" onerror="alert(1)//`]()
\ No newline at end of file