Security: Fix cross-site scripting (XSS) via HTML messages with malic…

…ious CSS content

CHANGELOG.md

@@ -68,6 +68,7 @@
 - Fix some PHP8 compatibility issues (#8363)
 - Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
 - Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
 
 ## Release 1.5.1
 

program/lib/Roundcube/rcube_washtml.php

@@ -347,7 +347,7 @@ private function wash_attribs($node)
                             if ($url = $this->wash_uri($match[2])) {
                                 $result .= ' ' . $attr->nodeName . '="' . $match[1]
                                     . '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
-                                    . substr($value, strlen($match[0])) . '"';
+                                    . htmlspecialchars(substr($value, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
                                 continue;
                             }
                         }

tests/Framework/Washtml.php

@@ -470,6 +470,10 @@ function data_wash_xss_tests()
                 '<html><body background="javascript:alert(1)">',
                 '<body x-washed="background"></body>'
             ],
+            [
+                '<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
+                '<body><img fill="asd:url(#asd)&quot; src=&quot;x&quot; onerror=&quot;alert(1)" /></body>'
+            ],
             [
                 '<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
                 '<body><math x-washed="href"><mi>clickme</mi></math></body>',