
Commit 87e4cd0

committed
Fix XSS issue in handling of CDATA in HTML messages
1 parent 6b5fc8d commit 87e4cd0


3 files changed

+14
-3
lines changed


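--- a/CHANGELOG
+++ b/CHANGELOG
@@ -41,6 +41,7 @@ CHANGELOG Roundcube Webmail
 - Make install-jsdeps.sh script working without the 'file' program installed (#7325)
 - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
 - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
+- Security: Fix XSS issue in handling of CDATA in HTML messages
 
 RELEASE 1.4.3
 -------------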

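--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -548,9 +548,6 @@ private function dumpHtml($node, $level = 20)
 break;
 
 case XML_CDATA_SECTION_NODE:
-$dump .= $node->nodeValue;
-break;
-
 case XML_TEXT_NODE:
 $dump .= htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->config['charset']);
 break;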

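--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -506,4 +506,17 @@ function test_missing_tags()
 
 $this->assertContains('First line', $washed);
 }
+
+/**
+* Test CDATA cleanup
+*/
+function test_cdata()
+{
+$html = '<p><![CDATA[<script>alert(document.cookie)</script>]]></p>';
+
+$washer = new rcube_washtml;
+$washed = $washer->wash($html);
+
+$this->assertTrue(strpos($washed, '<script>') === false, "CDATA content");
+}
 }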
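Review bot: The only assertion in `test_cdata()` is that the literal string `<script>` is absent from `$washed`, which would also hold if `wash()` returned an empty string or emitted the tag in another form such as `<SCRIPT>` or `<script type=...>`. A sanitizer regression test is more useful when it also pins what the output should be; assuming the CDATA text now reaches the `htmlspecialchars()` branch changed in rcube_washtml.php, a second check such as `$this->assertTrue(strpos($washed, '&lt;script&gt;') !== false, "CDATA escaped");` would do that, though the exact output should be confirmed against the parser in use. At minimum the negative check could be widened to `stripos($washed, '<script') === false`.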
