author | Aleksander Machniak <alec@alec.pl> | 2021-12-29 21:02:43 +0300 |
committer | Aleksander Machniak <alec@alec.pl> | 2021-12-29 21:03:16 +0300 |
commit | 8894fddd59b770399eed4ef8d4da5773913b5bf0 (patch) | |
tree | 47fbff307d6d0b3e5c928fa9137bc27bcfe6c53d | |
parent | ddd67891e4e49f22aef82c209d229425456e76c2 (diff) |
Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | program/lib/Roundcube/rcube_washtml.php | 2 | ||||
-rw-r--r-- | tests/Framework/Washtml.php | 4 |
3 files changed, 6 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc8377493..eeb668fc6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - Fix some PHP8 compatibility issues (#8363)
 - Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
 - Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
 ## Release 1.5.1
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index f42f82894..b828200a8 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -347,7 +347,7 @@ class rcube_washtml
 if ($url = $this->wash_uri($match[2])) {
 $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
- . substr($value, strlen($match[0])) . '"';
+ . htmlspecialchars(substr($value, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
 continue;
 }
 }
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index a4885f8de..9701ab13a 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -464,6 +464,10 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
 '<body x-washed="background"></body>'
 ],
 [
+ '<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
+ '<body><img fill="asd:url(#asd)" src="x" onerror="alert(1)" /></body>'
+ ],
+ [
 '<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
 '<body><math x-washed="href"><mi>clickme</mi></math></body>',
 ],
|
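Review bot: The tail of the attribute value, `substr($value, strlen($match[0]))`, is now HTML-escaped on the added line but is still never passed through wash_uri() or any CSS check, so whatever follows the first `url(...)` token is emitted into the attribute verbatim; the regexp that fills `$match` is outside the hunk, but if it anchors only on the leading `url(`, a value like `url(#ok) url(javascript:...)` in a list-valued property would keep its unwashed tail, which is a CSS-level concern rather than the attribute-breakout this commit closes. Consider rejecting or blanking the remainder when it still carries a URL token, e.g. `$rest = substr($value, strlen($match[0]));` then `if (preg_match('/url\s*\(/i', $rest)) { $rest = ''; }` before the concatenation, or route the remainder through the same washing the style attribute receives. Separately, passing `ENT_QUOTES | ENT_SUBSTITUTE` would keep htmlspecialchars() from returning an empty string on an invalid byte sequence in the configured charset (on PHP versions where ENT_SUBSTITUTE is not implied), which currently truncates the value silently — fail-closed for XSS, but surprising. The enclosing method starts and ends outside the hunk.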
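Review bot: The expected output on the second added line still shows `src="x" onerror="alert(1)"` as separate, unescaped attributes on the `<img>`, which is precisely the injection the code change is meant to neutralize; if that is the literal test string, the assertion can only pass while the washer still emits the payload, so the expected value should be the escaped form, `'<body><img fill="asd:url(#asd)&quot; src=&quot;x&quot; onerror=&quot;alert(1)" /></body>'`. It is possible the `&quot;` entities were decoded when this page was rendered, in which case the data is fine, but that should be confirmed against the raw file since a test that encodes the vulnerable output is worse than no test. A further case whose remainder contains a second `url(...)` token would document what the sanitizer does with list-valued CSS properties. The data-provider array holding these entries starts and ends outside the hunk.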