From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
CHANGELOG | 2 ++
program/lib/Roundcube/rcube_washtml.php | 2 +-
tests/Framework/Washtml.php | 17 +++++++++++++++++
3 files changed, 20 insertions(+), 1 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 054de01..1f755a0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix XSS issue in href attribute on area tag (#5240)
+
RELEASE 1.0.9
-------------
- Fix a regression where some contact data was missing in export and PHP warnings were logged (Kolab #4522)
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 2b31033..f5a48e8 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -366,7 +366,7 @@
*/
private function is_link_attribute($tag, $attr)
{
- return $tag == 'a' && $attr == 'href';
+ return ($tag == 'a' || $tag == 'area') && $attr == 'href';
}
/**
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 0c84094..fc7a61e 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -38,6 +38,23 @@
}
/**
+ * Test XSS in area's href (#5240)
+ */
+ function test_href_area()
+ {
+ $html = '<p><area href="data:text/html,<script>alert(document.cookie)</script>">'
+ . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>'
+ . '<area href="javascript:alert(document.domain)" shape=default>';
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
+ $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
+ $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
+ }
+
+ /**
* Test handling HTML comments
*/
function test_comments()
--
Gitblit v1.9.1