From b3206b4b2822b8c9d18c4730aa1afdf72a758f8c Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 15 Aug 2012 10:12:18 +0200
Subject: Fix XSS issue with href="javascript:" not being removed (#1488613)
---
 CHANGELOG | 1 +
 program/lib/washtml.php | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 64d39670f..ba1ab48fc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue with href="javascript:" not being removed (#1488613)
 - Fix impossible to create message with empty plain text part (#1488610)
 - Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
 - Fix inactive Save search option after advanced search (#1488607)
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index c12315fec..98ae5ed5a 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -214,8 +214,11 @@ class washtml
 $key = strtolower($key);
 $value = $node->getAttribute($key);
 if (isset($this->_html_attribs[$key]) ||
- ($key == 'href' && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)))
+ ($key == 'href' && !preg_match('!^javascript!i', $value)
+ && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
+ ) {
 $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+ }
 else if ($key == 'style' && ($style = $this->wash_style($value))) {
 $quot = strpos($style, '"') !== false ? "'" : '"';
 $t .= ' style=' . $quot . $style . $quot;
@@ -237,7 +240,8 @@ class washtml
 else if (preg_match('/^data:.+/i', $value)) { // RFC2397
 $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
 }
- } else
+ }
+ else
 $washed .= ($washed?' ':'') . $key;
 }
 return $t . ($washed && $this->config['show_washed']?' x-washed="'.$washed.'"':'');
--
cgit v1.2.3
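Review bot: The new `!preg_match('!^javascript!i', $value)` guard in the `href` branch blocks exactly one scheme, while the retained pattern `[a-z][a-z0-9.+-]+:` still admits any other scheme a mail client or browser might act on, so the denylist closes this report but not the class of issue. An allowlist of the schemes mail links legitimately use would be the sturdier check, for example `($key == 'href' && preg_match('!^(https?:|ftps?:|mailto:|//|#).+!i', $value))`, with the scheme list adjusted to whatever the project intends to keep. The same condition would read more safely with `$key === 'href'`; strict comparison is already the habit elsewhere in the hunk (`strpos($style, '"') !== false`). The enclosing method begins and ends outside this hunk.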