diff options
author | Aleksander Machniak <alec@alec.pl> | 2012-12-04 09:17:08 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2012-12-04 09:21:09 +0100 |
commit | 9019025222470462ea075560c287af4f260cdd8f (patch) | |
tree | 970769d520ba5cb3ad26e6be9ea0ae1138a45d98 | |
parent | caffe4d317b22c61881e48aebe85a9e5b334affd (diff) |
- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
Conflicts:
CHANGELOG
tests/MailFunc.php
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | program/lib/washtml.php | 2 |
2 files changed, 2 insertions, 1 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850) - Fix absolute positioning in HTML messages (#1488819) - Fix keybord events on messages list in opera browser (#1488823) - Fix cache (in)validation after setting \Deleted flag diff --git a/program/lib/washtml.php b/program/lib/washtml.php index 0d4ffdb4b..d13d66404 100644 --- a/program/lib/washtml.php +++ b/program/lib/washtml.php @@ -214,7 +214,7 @@ class washtml $key = strtolower($key); $value = $node->getAttribute($key); if (isset($this->_html_attribs[$key]) || - ($key == 'href' && !preg_match('!^javascript!i', $value) + ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value) && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)) ) { $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; |