authorAleksander Machniak <alec@alec.pl>2019-08-27 16:33:23 +0300
committerAleksander Machniak <alec@alec.pl>2019-08-27 16:33:23 +0300
commit63730cf84229cede81792c6dbeb84c169bafd193 (patch)
tree094cab2dba749edb1ad2a1803e6d34d6697e77a6 /tests
parent057fb69bb9ac93aa069b064aedc3a7fe02ceb873 (diff)
Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
Diffstat (limited to 'tests')
-rw-r--r--tests/Framework/Utils.php5
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 22cf9c581..3df90ffd0 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -256,6 +256,8 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
@media screen and (max-width: 699px) and (min-width: 520px) {
li a.button { padding-left: 30px; }
}
+ :root * { color: red; }
+ :root > * { top: 0; }
';
$mod = rcube_utils::mod_css_styles($css, 'rc', true, 'test');
@@ -268,6 +270,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$this->assertContains('#rc p > i ', $mod);
$this->assertContains('#rc div#testsome', $mod);
$this->assertContains('#rc li a.testbutton', $mod);
+ $this->assertNotContains(':root', $mod);
+ $this->assertContains('#rc * ', $mod);
+ $this->assertContains('#rc > * ', $mod);
}
function test_xss_entity_decode()
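Review bot: The added `:root` fixture lines and the three new assertions carry no comment saying why this pseudo-class matters, so a later maintainer trimming the CSS sample could drop the regression coverage for #6897 without noticing. A one-line comment above the added selectors, `// :root must be rewritten to the container selector, never left pointing at the document root (#6897)`, ties the fixture to the fix. The assertions only pin the two forms `:root *` and `:root > *`; if mod_css_styles also handles the pseudo-class in other selector positions or in a different letter case, a variant with the expected rewritten output would confirm that behaviour rather than leaving it implied. The enclosing test method starts before the first hunk, so its setup is not visible here.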