summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2012-12-04 09:17:08 +0100
committerAleksander Machniak <alec@alec.pl>2012-12-04 09:21:09 +0100
commit9019025222470462ea075560c287af4f260cdd8f (patch)
tree970769d520ba5cb3ad26e6be9ea0ae1138a45d98
parentcaffe4d317b22c61881e48aebe85a9e5b334affd (diff)
- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
Conflicts: CHANGELOG tests/MailFunc.php
-rw-r--r--CHANGELOG1
-rw-r--r--program/lib/washtml.php2
2 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 981031c58..bc8b902e5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
- Fix absolute positioning in HTML messages (#1488819)
- Fix keybord events on messages list in opera browser (#1488823)
- Fix cache (in)validation after setting \Deleted flag
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index 0d4ffdb4b..d13d66404 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -214,7 +214,7 @@ class washtml
$key = strtolower($key);
$value = $node->getAttribute($key);
if (isset($this->_html_attribs[$key]) ||
- ($key == 'href' && !preg_match('!^javascript!i', $value)
+ ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value)
&& preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
) {
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';