
Fix bug where external content in src attribute of input/video tags was not secured (#5583)
1 parent cb58d37 commit e08f22ef28986a9bd8eb0eba4e15c5b5f3c51471 @alecpl alecpl committed Jan 7, 2017
Showing with 24 additions and 1 deletion.
  1. +1 −0 CHANGELOG
  2. +1 −1 program/lib/Roundcube/rcube_washtml.php
  3. +22 −0 tests/Framework/Washtml.php
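--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================
 - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
 RELEASE 1.3-beta
 ----------------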
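--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -408,7 +408,7 @@ private function is_image_attribute($tag, $attr)
 return $attr == 'background'
 || $attr == 'color-profile' // SVG
 || ($attr == 'poster' && $tag == 'video')
-|| ($attr == 'src' && preg_match('/^(img|source)$/i', $tag))
+|| ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
 || ($tag == 'image' && $attr == 'href'); // SVG
 }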
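Review bot: The set of tags whose `src` is treated as remote content is a hard-coded alternation on the changed line, so any other tag the washer permits with a `src` (for example `track` or `embed`, if they are allowed at all) still falls outside this check; this is worth confirming against the washer's allowed-tag list rather than extending the regex one report at a time. The name `is_image_attribute` no longer describes its scope once `audio` is included, so a docblock such as `// attributes whose value fetches remote content (images, video/audio sources, posters): the URL is removed and extlinks is set` would keep the intent readable. The `poster` branch compares `$tag == 'video'` case-sensitively while the regex uses `/i`; unless tag names are normalised before this call, the two branches treat mixed-case tags differently. The function's opening brace is outside the hunk.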
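--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -336,4 +336,26 @@ function test_wash_mathml()
 $this->assertSame(trim($washed), trim($exp), "MathML content");
 }
+
+/**
+* Test external links in src of input/video elements (#5583)
+*/
+function test_src_wash()
+{
+$html = "<input type=\"image\" src=\"http://TRACKING_URL/\">";
+
+$washer = new rcube_washtml;
+$washed = $washer->wash($html);
+
+$this->assertTrue($washer->extlinks);
+$this->assertNotContains('TRACKING', $washed, "Src attribute of <input> tag (#5583)");
+
+$html = "<video src=\"http://TRACKING_URL/\">";
+
+$washer = new rcube_washtml;
+$washed = $washer->wash($html);
+
+$this->assertTrue($washer->extlinks);
+$this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");
+}
 }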
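Review bot: The regex change in rcube_washtml.php also adds `audio`, but `test_src_wash` only exercises `input` and `video`, so the audio branch has no coverage; an `<audio src="http://TRACKING_URL/">` case mirroring the video one would close that gap. The two `$this->assertTrue($washer->extlinks)` calls carry no message, unlike the neighbouring `assertNotContains` calls, so a failure would not say which tag tripped it; `$this->assertTrue($washer->extlinks, "extlinks flag for <video> (#5583)");` makes the report self-explanatory. The added lines below show the audio case appended after the video assertions.
```php
        $this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");

        $html = "<audio src=\"http://TRACKING_URL/\">";

        $washer = new rcube_washtml;
        $washed = $washer->wash($html);

        $this->assertTrue($washer->extlinks, "extlinks flag for <audio> (#5583)");
        $this->assertNotContains('TRACKING', $washed, "Src attribute of <audio> tag (#5583)");
    }
```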
