summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2012-12-04 09:17:08 +0100
committerAleksander Machniak <alec@alec.pl>2012-12-04 09:17:08 +0100
commit74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba (patch)
tree005192c324221b18ed83994de18c10b14ec42eff
parent0fa54df638a0b0f514d1bfba3cefb93e38991a35 (diff)
- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
-rw-r--r--CHANGELOG1
-rw-r--r--program/lib/washtml.php2
-rw-r--r--tests/MailFunc.php14
3 files changed, 16 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index a47c95dcf..af7d29c04 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
- Fix broken message/part bodies when FETCH response contains more untagged lines (#1488836)
- Fix empty email on identities list after identity update (#1488834)
- Add new identities_level: (4) one identity with possibility to edit only signature
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index 0d4ffdb4b..d13d66404 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -214,7 +214,7 @@ class washtml
$key = strtolower($key);
$value = $node->getAttribute($key);
if (isset($this->_html_attribs[$key]) ||
- ($key == 'href' && !preg_match('!^javascript!i', $value)
+ ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value)
&& preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
) {
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
diff --git a/tests/MailFunc.php b/tests/MailFunc.php
index 967277c2a..4d4250c22 100644
--- a/tests/MailFunc.php
+++ b/tests/MailFunc.php
@@ -97,6 +97,20 @@ class MailFunc extends PHPUnit_Framework_TestCase
}
/**
+ * Test the elimination of some XSS vulnerabilities
+ */
+ function test_html_xss3()
+ {
+ // #1488850
+ $html = '<p><a href="data:text/html,&lt;script&gt;alert(document.cookie)&lt;/script&gt;">Firefox</a>'
+ .'<a href="vbscript:alert(document.cookie)">Internet Explorer</a></p>';
+ $washed = rcmail_wash_html($html, array('safe' => true), array());
+
+ $this->assertNotRegExp('/data:text/', $washed, "Remove data:text/html links");
+ $this->assertNotRegExp('/vbscript:/', $washed, "Remove vbscript: links");
+ }
+
+ /**
* Test washtml class on non-unicode characters (#1487813)
*/
function test_washtml_utf8()