mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline or a crafted email address, related to the escape and autolink functions.