
Commit b2400a4

committed
Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
1 parent 786fb18 commit b2400a4

3 files changed

+7
-1
lines changed


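--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
+
 RELEASE 1.4.12
 --------------
 - Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)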

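--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -338,7 +338,7 @@ private function wash_attribs($node)
 if ($url = $this->wash_uri($match[2])) {
 $result .= ' ' . $attr->nodeName . '="' . $match[1]
 . '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
-. substr($val, strlen($match[0])) . '"';
+. htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"';
 continue;
 }
 }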
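Review bot: The tail of the value that line 341 now escapes, `substr($val, strlen($match[0]))`, is made safe for the attribute context but is not itself washed: only `$match[2]` passes through `wash_uri()` on line 338, so whatever follows the first `url(...)` reaches the output with entities encoded but its content otherwise intact, and whether that tail can carry a further `url(...)` depends on the regex that filled `$match`, which is outside the hunk. `$match[1]` on line 339 is still concatenated raw as well, which is only fine if its capture group admits nothing but the bare function name; worth confirming against that regex. A short why-comment on the new line would help the next reader, e.g. `// the remainder of the value is user-controlled too; escape it so it cannot close the attribute`. wash_attribs() starts and ends outside the hunk.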

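--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -447,6 +447,10 @@ function data_wash_xss_tests()
 '<html><body background="javascript:alert(1)">',
 '<!-- html ignored --><body x-washed="background"></body>'
 ],
+[
+'<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />',
+'<body><img fill="asd:url(#asd)&quot; src=&quot;x&quot; onerror=&quot;alert(1)" /></body>'
+],
 [
 '<html><math href="javascript:alert(location);"><mi>clickme</mi></math>',
 '<!-- html ignored --><body><math x-washed="href"><mi>clickme</mi></math></body>',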
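Review bot: The new case at lines 450-453 pins only that quotes in the tail of the `fill` value are entity-encoded; nothing asserts what the washer does with a tail that is well-formed CSS but contains a second `url()` token, so the contract for that part of the value stays undocumented by the suite. A companion dataset entry with such an input, whatever its expected output is, would fix the intended behaviour in place and catch a regression in either direction. data_wash_xss_tests() starts and ends outside the hunk.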
