authorAleksander Machniak <alec@alec.pl>2012-08-15 10:12:18 +0200
committerAleksander Machniak <alec@alec.pl>2012-08-15 10:13:17 +0200
commitb3206b4b2822b8c9d18c4730aa1afdf72a758f8c (patch)
treeeea04c253cbdcf8129b9e8c982dc3cf0b0cfd4dc
parent5e251574ddac6cb9a25ece27df1599f45f69dda4 (diff)
Fix XSS issue with href="javascript:" not being removed (#1488613)
-rw-r--r--CHANGELOG1
-rw-r--r--program/lib/washtml.php8
2 files changed, 7 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 64d39670f..ba1ab48fc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix XSS issue with href="javascript:" not being removed (#1488613)
- Fix impossible to create message with empty plain text part (#1488610)
- Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
- Fix inactive Save search option after advanced search (#1488607)
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index c12315fec..98ae5ed5a 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -214,8 +214,11 @@ class washtml
$key = strtolower($key);
$value = $node->getAttribute($key);
if (isset($this->_html_attribs[$key]) ||
- ($key == 'href' && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)))
+ ($key == 'href' && !preg_match('!^javascript!i', $value)
+ && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
+ ) {
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+ }
else if ($key == 'style' && ($style = $this->wash_style($value))) {
$quot = strpos($style, '"') !== false ? "'" : '"';
$t .= ' style=' . $quot . $style . $quot;
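Review bot: The new guard on the `href` branch is a deny-list of a single scheme, so other script-capable schemes still pass the second regex and are emitted verbatim — `vbscript:` matches `[a-z][a-z0-9.+-]+:` and is written out, and `data:text/html,...` in an anchor has been a navigation-based XSS vector in some browsers. Consider widening the pattern, e.g. `($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value)`, or better, inverting the check into an allow-list of the schemes the mailer actually needs (`https?`, `ftp`, `mailto`, plus the existing `//` and `#` forms) so a future scheme is safe by default. A comment on the line saying why the scheme is rejected here rather than in `wash_style` would help the next reader, e.g. `// getAttribute() has already decoded entities, so a plain prefix check on the scheme is sufficient here`. The enclosing method starts before and ends after this hunk, so I could not see how `$value` is obtained for `src`/`background`, which use a separate `data:` rule in the next hunk.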
@@ -237,7 +240,8 @@ class washtml
else if (preg_match('/^data:.+/i', $value)) { // RFC2397
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
- } else
+ }
+ else
$washed .= ($washed?' ':'') . $key;
}
return $t . ($washed && $this->config['show_washed']?' x-washed="'.$washed.'"':'');