Fix XSS issue with href="javascript:" not being removed (#1488613)
alecpl committed Aug 15, 2012
1 parent f326e95 commit 5ef8e4a
Showing 2 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================

- Fix XSS issue with href="javascript:" not being removed (#1488613)
- Fix impossible to create message with empty plain text part (#1488610)
- Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
- Fix inactive Save search option after advanced search (#1488607)
8 changes: 6 additions & 2 deletions program/lib/washtml.php
Expand Up @@ -214,8 +214,11 @@ private function wash_attribs($node)
$key = strtolower($key);
$value = $node->getAttribute($key);
if (isset($this->_html_attribs[$key]) ||
($key == 'href' && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)))
($key == 'href' && !preg_match('!^javascript!i', $value)
&& preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
) {
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
else if ($key == 'style' && ($style = $this->wash_style($value))) {
$quot = strpos($style, '"') !== false ? "'" : '"';
$t .= ' style=' . $quot . $style . $quot;
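Review bot: the added `!preg_match('!^javascript!i', $value)` guard in the `href` condition denies a single scheme by name, while the pattern that follows it, `[a-z][a-z0-9.+-]+:`, still accepts any other scheme, so the filter stays permissive by default. Replace the generic scheme pattern with an allowlist of the schemes a link in a mail message legitimately needs, and add a regression test for #1488613 so the behaviour is pinned. Note also that the guard sits only in the second arm of the `||`: it has no effect on an attribute already accepted by `isset($this->_html_attribs[$key])`, which deserves a comment in the code.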
Expand All @@ -237,7 +240,8 @@ private function wash_attribs($node)
else if (preg_match('/^data:.+/i', $value)) { // RFC2397
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
} else
}
else
$washed .= ($washed?' ':'') . $key;
}
return $t . ($washed && $this->config['show_washed']?' x-washed="'.$washed.'"':'');
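Review bot: the `}` / `else` split near the end of this hunk is a formatting-only change unrelated to the href fix; keeping it out of a security commit makes the fix easier to audit and backport. If it stays, give the branch braces, `else { $washed .= ($washed?' ':'') . $key; }`, because the unbraced single statement directly before a closing `}` is easy to misread.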