From 5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 15 Aug 2012 04:12:18 -0400
Subject: [PATCH] Fix XSS issue with href="javascript:" not being removed (#1488613)

---
 CHANGELOG               |    1 +
 program/lib/washtml.php |    8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 4e2b22a..9326806 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue with href="javascript:" not being removed (#1488613)
 - Fix impossible to create message with empty plain text part (#1488610)
 - Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
 - Fix inactive Save search option after advanced search (#1488607)
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index c12315f..98ae5ed 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -214,8 +214,11 @@
       $key = strtolower($key);
       $value = $node->getAttribute($key);
       if (isset($this->_html_attribs[$key]) ||
-         ($key == 'href' && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)))
+         ($key == 'href' && !preg_match('!^javascript!i', $value)
+           && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
+      ) {
         $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+      }
       else if ($key == 'style' && ($style = $this->wash_style($value))) {
         $quot = strpos($style, '"') !== false ? "'" : '"';
         $t .= ' style=' . $quot . $style . $quot;
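Review bot: The new `!preg_match('!^javascript!i', $value)` guard is a denylist of a single scheme, so any other script-capable scheme that satisfies the existing `^([a-z][a-z0-9.+-]+:|//|#).+` pattern — `vbscript:`, `livescript:`, `mocha:`, or a `data:text/html,...` payload — still survives into the emitted `href`. Since `$value` comes from `$node->getAttribute()` it has presumably been entity-decoded already, so encoding tricks are not the concern here; the gap is the open-ended scheme set. An allowlist is the robust shape, e.g. `($key == 'href' && preg_match('!^((https?|ftps?|mailto|news|tel):|//|#).+!i', $value))`, with the exact scheme list confirmed against what Roundcube intends to render. A short comment on that line, `// href: only navigational schemes; anything else is washed`, would document the intent for the next change. The enclosing function and the attribute loop start outside this hunk.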
@@ -237,7 +240,8 @@
         else if (preg_match('/^data:.+/i', $value)) { // RFC2397
           $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
         }
-      } else
+      }
+      else
         $washed .= ($washed?' ':'') . $key;
     }
     return $t . ($washed && $this->config['show_washed']?' x-washed="'.$washed.'"':'');

--
Gitblit v1.9.1