Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
alecpl committed Dec 29, 2021
1 parent ddd6789 commit 8894fdd
Showing 3 changed files with 6 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,7 @@
- Fix some PHP8 compatibility issues (#8363)
- Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
- Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

## Release 1.5.1

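Review bot: the new Security entry is the only line in this block without a tracker reference, while the neighbouring entries cite their tickets as (#8363), (#8324) and (#8367). Append the issue or advisory identifier for this fix once one is assigned so the changelog entry can be traced back to the original finding.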
2 changes: 1 addition & 1 deletion program/lib/Roundcube/rcube_washtml.php
Expand Up @@ -347,7 +347,7 @@ private function wash_attribs($node)
if ($url = $this->wash_uri($match[2])) {
$result .= ' ' . $attr->nodeName . '="' . $match[1]
. '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
. substr($value, strlen($match[0])) . '"';
. htmlspecialchars(substr($value, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
continue;
}
}
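Review bot: the tail of the attribute value, `substr($value, strlen($match[0]))`, is now run through htmlspecialchars() before being emitted, which stops a `"` in that tail from closing the double-quoted attribute the washer writes, but the tail is still emitted without ever going through wash_uri(); only `$match[2]` is washed. If the pattern that fills `$match` can stop after the first url(...) token with arbitrary text following it, confirm that a second url(...) in that tail cannot reach the output unwashed, either by anchoring the pattern to the end of the value or by dropping the attribute when anything follows the washed URL. `$match[1]` is also concatenated unescaped; that is only safe if the pattern restricts it to a fixed function-name token, so a one-line comment above this block stating that invariant would help the next reader. The same `htmlspecialchars(..., ENT_QUOTES, $this->config['charset'])` call now appears twice in one expression; a small local helper would make the escaping easier to audit.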
4 changes: 4 additions & 0 deletions tests/Framework/Washtml.php
Expand Up @@ -463,6 +463,10 @@ function data_wash_xss_tests()
'<html><body background="javascript:alert(1)">',
'<body x-washed="background"></body>'
],
[
'<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
'<body><img fill="asd:url(#asd)&quot; src=&quot;x&quot; onerror=&quot;alert(1)" /></body>'
],
[
'<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
'<body><math x-washed="href"><mi>clickme</mi></math></body>',
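Review bot: the new case only exercises a `"` in the tail of the attribute value, while ENT_QUOTES escaping also covers `<`, `>`, `&` and `'`. Add a variant whose tail contains `<` and `&` with the expected `&lt;` and `&amp;` in the output, and one where the attribute is double-quoted in the input and the tail carries a `'`, so the test pins down the full escaping rather than the single payload shape. The expected output here is the right assertion to keep: the whole payload stays inside the fill attribute as inert text, and the attacker-supplied `src` and `onerror` must never appear as separate attributes on the `<img>`.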