Fix filter bypass leading to XSS (#362)

[Crozzers]

As reported by @terjanq:

The new regex _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)") in #351 introduced a more severe bypass on any HTML element by using a new line that does not match to .+.

In [2]: markdown2.markdown('<iframe\nonload=alert()//',safe_mode=True)
Out[2]: '<p><iframe\nonload=alert()//</p>\n'

I was able to reproduce this issue.
The proposed change ignores whitespace between the tag name and the .+ and from my tests this seems to do the trick.

- _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
+ _incomplete_tags_re = re.compile("<(/?\w+?(?!\w)\s*.+?[\s/]+?)")

However, I will admit that I'm not a security guy so it's possible that this change has it's own issues.

Furthermore, I was unable to reproduce the second example given in #362, so that might already have been fixed.

[nicholasserra]

Thanks, will take a close look at this soon.

[nicholasserra]

@terjanq wondering if you'd peek this fix, see if you notice any issues with it

[nicholasserra]

I wasn't able to reproduce the first issue anymore at all. But this looks fine to merge anyway.

[HavayaG]

Hey @nicholasserra,
My name is Havaya, and I’m contacting you on behalf of the Snyk security team.
We tried to reach out to you regarding possible vulnerabilities in the package but we couldn’t get an answer, also, there is no SECURITY.md.
I was wondering how or who should we contact to disclose vulnerabilities privately?
Many thanks!

[SuperSandro2000]

Can you tag a release with this fix? Thanks!

[nicholasserra]

@SuperSandro2000 2.4.4 has been released with this and another xss fix