From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 06 May 2016 02:32:01 -0400 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241) --- CHANGELOG | 2 ++ program/lib/Roundcube/rcube_washtml.php | 2 +- tests/Framework/Washtml.php | 17 +++++++++++++++++ 3 files changed, 20 insertions(+), 1 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 054de01..1f755a0 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,8 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS issue in href attribute on area tag (#5240) + RELEASE 1.0.9 ------------- - Fix a regression where some contact data was missing in export and PHP warnings were logged (Kolab #4522) diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index 2b31033..f5a48e8 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php @@ -366,7 +366,7 @@ */ private function is_link_attribute($tag, $attr) { - return $tag == 'a' && $attr == 'href'; + return ($tag == 'a' || $tag == 'area') && $attr == 'href'; } /** diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index 0c84094..fc7a61e 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -38,6 +38,23 @@ } /** + * Test XSS in area's href (#5240) + */ + function test_href_area() + { + $html = '<p><area href="data:text/html,<script>alert(document.cookie)</script>">' + . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>' + . '<area href="javascript:alert(document.domain)" shape=default>'; + + $washer = new rcube_washtml; + $washed = $washer->wash($html); + + $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href"); + $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href"); + $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href"); + } + + /** * Test handling HTML comments */ function test_comments() -- Gitblit v1.9.1