Skip to content
Browse files

Fix XSS issue with href="javascript:" not being removed (#1488613)

  • Loading branch information...
1 parent f326e95 commit 5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee @alecpl alecpl committed Aug 15, 2012
Showing with 7 additions and 2 deletions.
  1. +1 −0 CHANGELOG
  2. +6 −2 program/lib/washtml.php
View
1 CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix XSS issue with href="javascript:" not being removed (#1488613)
- Fix impossible to create message with empty plain text part (#1488610)
- Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
- Fix inactive Save search option after advanced search (#1488607)
View
8 program/lib/washtml.php
@@ -214,8 +214,11 @@ private function wash_attribs($node)
$key = strtolower($key);
$value = $node->getAttribute($key);
if (isset($this->_html_attribs[$key]) ||
- ($key == 'href' && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)))
+ ($key == 'href' && !preg_match('!^javascript!i', $value)
+ && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
+ ) {
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+ }
else if ($key == 'style' && ($style = $this->wash_style($value))) {
$quot = strpos($style, '"') !== false ? "'" : '"';
$t .= ' style=' . $quot . $style . $quot;
@@ -237,7 +240,8 @@ private function wash_attribs($node)
else if (preg_match('/^data:.+/i', $value)) { // RFC2397
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
- } else
+ }
+ else
$washed .= ($washed?' ':'') . $key;
}
return $t . ($washed && $this->config['show_washed']?' x-washed="'.$washed.'"':'');

0 comments on commit 5ef8e4a

Please sign in to comment.
Something went wrong with that request. Please try again.