From a77116e470e9a702a474d1195ec543c09e480512 Mon Sep 17 00:00:00 2001
From: Crozzers <captaincrozzers@gmail.com>
Date: Fri, 27 Mar 2026 21:02:21 +0000
Subject: [PATCH] Fix #694

---
 CHANGES.md                                     | 1 +
 lib/markdown2.py                               | 2 +-
 test/tm-cases/incomplete_tag_xss_issue694.html | 2 ++
 test/tm-cases/incomplete_tag_xss_issue694.opts | 1 +
 test/tm-cases/incomplete_tag_xss_issue694.text | 2 ++
 5 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 test/tm-cases/incomplete_tag_xss_issue694.html
 create mode 100644 test/tm-cases/incomplete_tag_xss_issue694.opts
 create mode 100644 test/tm-cases/incomplete_tag_xss_issue694.text

diff --git a/CHANGES.md b/CHANGES.md
index 662ee46c..cacf36fb 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,7 @@
 
 - [pull #687] Fix AssertionError hashing HTML blocks spread over multiple lines (#686)
 - [pull #692] Fix XSS from code spans in link titles (#691)
+- [pull #695] Fix XSS issue from incomplete tags with no attributes (#694)
 
 
 ## python-markdown2 2.5.5
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 138e804d..ea08820f 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2215,7 +2215,7 @@ def _encode_amps_and_angles(self, text: str) -> str:
         text = self._naked_gt_re.sub('&gt;', text)
         return text
 
-    _incomplete_tags_re = re.compile(r"\\*<(!--|/?\w+?(?!\w)\s*?.+?(?:[\s/]+?|$))")
+    _incomplete_tags_re = re.compile(r"\\*<(!--|/?\w+?(?!\w)\s*?.*?(?:[\s/]+?|$))")
 
     def _encode_incomplete_tags(self, text: str) -> str:
         if self.safe_mode not in ("replace", "escape"):
diff --git a/test/tm-cases/incomplete_tag_xss_issue694.html b/test/tm-cases/incomplete_tag_xss_issue694.html
new file mode 100644
index 00000000..34fe52ad
--- /dev/null
+++ b/test/tm-cases/incomplete_tag_xss_issue694.html
@@ -0,0 +1,2 @@
+<p>&lt;iframe
+&lt;http:&gt; srcdoc="&lt;script&gt;alert()&lt;/script&gt;" a=</p>
diff --git a/test/tm-cases/incomplete_tag_xss_issue694.opts b/test/tm-cases/incomplete_tag_xss_issue694.opts
new file mode 100644
index 00000000..de64198e
--- /dev/null
+++ b/test/tm-cases/incomplete_tag_xss_issue694.opts
@@ -0,0 +1 @@
+{'safe_mode': 'escape'}
\ No newline at end of file
diff --git a/test/tm-cases/incomplete_tag_xss_issue694.text b/test/tm-cases/incomplete_tag_xss_issue694.text
new file mode 100644
index 00000000..0ed4c984
--- /dev/null
+++ b/test/tm-cases/incomplete_tag_xss_issue694.text
@@ -0,0 +1,2 @@
+<iframe
+<http:> srcdoc="<script>alert()</script>" a=
\ No newline at end of file