author | Aleksander Machniak <alec@alec.pl> | 2019-08-27 16:57:47 +0300 |
committer | Aleksander Machniak <alec@alec.pl> | 2019-08-27 16:57:47 +0300 |
commit | 21ebf3ff5a1f014fef6ad0b9d684ea625b0fae94 (patch) | |
tree | 6af34331b506ae7d998442f2b1f187b946819da3 /program/lib | |
parent | 63730cf84229cede81792c6dbeb84c169bafd193 (diff) |
Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
Diffstat (limited to 'program/lib')
-rw-r--r-- | program/lib/Roundcube/rcube_washtml.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 468491fb0..516a12471 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -320,7 +320,7 @@ class rcube_washtml
 $out = $this->wash_uri($value, true);
 }
 else if ($this->is_link_attribute($node->nodeName, $key)) {
- if (!preg_match('!^(javascript|vbscript|data:text)!i', $value)
+ if (!preg_match('!^(javascript|vbscript|data:)!i', $value)
 && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)
 ) {
 $out = $value; |
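Review bot: The widened prefix denylist on the `+` line is not explained in the code, so the next maintainer has no way to know that `data:` is deliberately matched for every MIME type and may narrow it back; add a comment above the condition: `// Deny every data: URI in link attributes, whatever the MIME type (#6896): the second check only validates the scheme's shape, it is not an allowlist.` The check remains a denylist of three prefixes in front of a shape test, so any scheme not on that list passes as long as it looks like `scheme:...`; if the set of schemes links are meant to carry is known, an explicit allowlist of schemes would be the more robust form, though that is a design change beyond this fix. The enclosing method, and the initialisation of `$out` it relies on, start and end outside the hunk.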