GHSA-8g87-j6q8-g93x MEDIUM pip/mistune

CVE: CVE-2026-44708

Summary

The mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM.

The result is a silent contract violation: a developer who enables escape=True reasonably expects complete XSS protection, but the math plugin operates as an independent render path that ignores the renderer's _escape flag entirely.

Details

File: src/mistune/plugins/math.py

def render_inline_math(renderer, text):
    # `text` is raw user input — no escape() call anywhere
    return r'<span class="math">\(' + text + r"\)</span>"

def render_block_math(renderer, text):
    # same issue for block-level $$...$$
    return '<div class="math">$$\n' + text + "\n$$</div>\n"

Both functions take text directly from the parsed token and concatenate it into the output string. Neither function:

• calls escape(text) from mistune.util
• checks renderer._escape
• calls safe_entity(text) or any other sanitisation helper

The escape=True flag only influences the main HTMLRenderer methods (paragraph, heading, codespan, etc.). Plugin render functions registered via md.renderer.register() receive the renderer instance but have no mechanism that enforces the escape contract - they must opt in manually, and math.py does not.

PoC

Step 1 — Establish the baseline (escape=True works for plain HTML)

The script creates a markdown parser with escape=True and the math plugin enabled, then feeds it a raw <script> tag that is *not* inside math delimiters:

md = create_markdown(escape=True, plugins=["math"])
bl_src = "<script>alert(document.cookie)</script>\n"
bl_out = str(md(bl_src))

Expected and actual output — the script tag is correctly escaped:

📌 来源: GitHub-Advisory | 🆔 CVE-2026-44708 | 📅 2026-05-08