From 9019025222470462ea075560c287af4f260cdd8f Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 4 Dec 2012 09:17:08 +0100
Subject: - Fix XSS vulnerability in vbscript: and data:text links handling
 (#1488850)

Conflicts:

	CHANGELOG
	tests/MailFunc.php
---
 CHANGELOG               | 1 +
 program/lib/washtml.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 981031c58..bc8b902e5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
 - Fix absolute positioning in HTML messages (#1488819)
 - Fix keybord events on messages list in opera browser (#1488823)
 - Fix cache (in)validation after setting \Deleted flag
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index 0d4ffdb4b..d13d66404 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -214,7 +214,7 @@ class washtml
       $key = strtolower($key);
       $value = $node->getAttribute($key);
       if (isset($this->_html_attribs[$key]) ||
-         ($key == 'href' && !preg_match('!^javascript!i', $value)
+         ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value)
            && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
       ) {
         $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
-- 
cgit v1.2.3