
Commit 8894fdd

committed
Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
1 parent ddd6789 commit 8894fdd


3 files changed

+6
-1
lines changed


Diff for: CHANGELOG.md

+1
@@ -14,6 +14,7 @@
1414
- Fix some PHP8 compatibility issues (#8363)
1515
- Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
1616
- Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
17+
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
1718

1819
## Release 1.5.1
1920

Diff for: program/lib/Roundcube/rcube_washtml.php

+1-1
@@ -347,7 +347,7 @@ private function wash_attribs($node)
347347
if ($url = $this->wash_uri($match[2])) {
348348
$result .= ' ' . $attr->nodeName . '="' . $match[1]
349349
. '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
350-
. substr($value, strlen($match[0])) . '"';
350+
. htmlspecialchars(substr($value, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
351351
continue;
352352
}
353353
}
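Review bot: the escaping added on line 350 covers only the tail of the attribute value after the `url(...)` token, while `$match[1]` on line 348 is still concatenated into the double-quoted attribute without `htmlspecialchars()`. Whether that prefix can contain a `"` depends on the regular expression that produced `$match`, which is outside this hunk; either escape `$match[1]` with the same `htmlspecialchars(..., ENT_QUOTES, $this->config['charset'])` call for consistency, or leave a short comment stating why the capture cannot carry a quote. As the three fragments of one attribute value are now escaped in three different places, a comment explaining the invariant ("every piece written between the surrounding quotes is entity-encoded") would keep the next edit from reintroducing the same gap.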

Diff for: tests/Framework/Washtml.php

+4
@@ -463,6 +463,10 @@ function data_wash_xss_tests()
463463
'<html><body background="javascript:alert(1)">',
464464
'<body x-washed="background"></body>'
465465
],
466+
[
467+
'<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
468+
'<body><img fill="asd:url(#asd)&quot; src=&quot;x&quot; onerror=&quot;alert(1)" /></body>'
469+
],
466470
[
467471
'<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
468472
'<body><math x-washed="href"><mi>clickme</mi></math></body>',
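Review bot: the new fixture at lines 466-469 documents the fix only by example; the mix of `\'`-escaped single quotes inside a single-quoted PHP string and literal double quotes is hard to read, and nothing states that the point of the case is the `"` after `url(#asd)` closing the attribute value early before the change. A one-line comment above the case naming that scenario would make the intent clear. The expected output confirms that the quotes in the tail are now emitted as `&quot;`, but only the tail after `url(` is exercised; a second case placing a quote in the part before the `url(` token would cover the `$match[1]` path that the `rcube_washtml.php` hunk leaves unescaped.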
