Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
alecpl committed Dec 29, 2021
1 parent 786fb18 commit b2400a4
Showing 3 changed files with 7 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG
@@ -1,6 +1,8 @@
CHANGELOG Roundcube Webmail
===========================

- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

RELEASE 1.4.12
--------------
- Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
2 changes: 1 addition & 1 deletion program/lib/Roundcube/rcube_washtml.php
Expand Up @@ -338,7 +338,7 @@ private function wash_attribs($node)
if ($url = $this->wash_uri($match[2])) {
$result .= ' ' . $attr->nodeName . '="' . $match[1]
. '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
. substr($val, strlen($match[0])) . '"';
. htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
continue;
}
}
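Review bot: `$match[1]` on the second line of the hunk is still concatenated into the attribute value raw, while the url and the tail of the value are now both passed through htmlspecialchars(); whether that is sufficient depends entirely on the capturing group that produced `$match[1]`, which lies outside the hunk (the test input suggests it holds a short prefix such as `asd:url`). If that group is not restricted to a conservative character class, the prefix remains the one unescaped fragment of the rebuilt attribute; escaping it the same way costs nothing when the group is already safe, so I would make the line `. htmlspecialchars($match[1], ENT_QUOTES, $this->config['charset'])` for consistency with the other two fragments. Separately, htmlspecialchars() without ENT_SUBSTITUTE returns an empty string when its input is not valid in the configured charset, so a tail with stray bytes is now silently dropped rather than emitted — fail-closed, but worth a one-line comment above the call so the next maintainer does not mistake it for a bug. wash_attribs() starts and ends outside the hunk.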
4 changes: 4 additions & 0 deletions tests/Framework/Washtml.php
Expand Up @@ -447,6 +447,10 @@ function data_wash_xss_tests()
'<html><body background="javascript:alert(1)">',
'<!-- html ignored --><body x-washed="background"></body>'
],
[
'<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
'<body><img fill="asd:url(#asd)&quot; src=&quot;x&quot; onerror=&quot;alert(1)" /></body>'
],
[
'<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
'<!-- html ignored --><body><math x-washed="href"><mi>clickme</mi></math></body>',
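Review bot: The added dataset entry (the `fill='asd:url(#asd)" src="x" onerror="alert(1)'` case) appears to exercise only the branch in rcube_washtml.php where wash_uri() accepts the url and the `continue` path rebuilds the attribute; the path taken when wash_uri() rejects the url is not pinned by this hunk and is where a regression would most likely hide. A companion entry with the same quoted tail but a url that wash_uri() refuses (the file already uses `javascript:alert(1)` for that purpose a few lines up) would confirm the trailing text is neutralised on both paths. data_wash_xss_tests() starts and ends outside the hunk.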
