diff options
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | program/lib/washtml.php | 2 | ||||
| -rw-r--r-- | tests/MailFunc.php | 14 |
3 files changed, 16 insertions, 1 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850) - Fix broken message/part bodies when FETCH response contains more untagged lines (#1488836) - Fix empty email on identities list after identity update (#1488834) - Add new identities_level: (4) one identity with possibility to edit only signature diff --git a/program/lib/washtml.php b/program/lib/washtml.php index 0d4ffdb4b..d13d66404 100644 --- a/program/lib/washtml.php +++ b/program/lib/washtml.php @@ -214,7 +214,7 @@ class washtml $key = strtolower($key); $value = $node->getAttribute($key); if (isset($this->_html_attribs[$key]) || - ($key == 'href' && !preg_match('!^javascript!i', $value) + ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value) && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)) ) { $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; diff --git a/tests/MailFunc.php b/tests/MailFunc.php index 967277c2a..4d4250c22 100644 --- a/tests/MailFunc.php +++ b/tests/MailFunc.php @@ -97,6 +97,20 @@ class MailFunc extends PHPUnit_Framework_TestCase } /** + * Test the elimination of some XSS vulnerabilities + */ + function test_html_xss3() + { + // #1488850 + $html = '<p><a href="data:text/html,<script>alert(document.cookie)</script>">Firefox</a>' + .'<a href="vbscript:alert(document.cookie)">Internet Explorer</a></p>'; + $washed = rcmail_wash_html($html, array('safe' => true), array()); + + $this->assertNotRegExp('/data:text/', $washed, "Remove data:text/html links"); + $this->assertNotRegExp('/vbscript:/', $washed, "Remove vbscript: links"); + } + + /** * Test washtml class on non-unicode characters (#1487813) */ function test_washtml_utf8() |