From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/lib/Roundcube/html.php | 33 +++++++++++++++++++++------------
1 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
index ed7eea3..31bacbf 100644
--- a/program/lib/Roundcube/html.php
+++ b/program/lib/Roundcube/html.php
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2005-2011, The Roundcube Dev Team |
+ | Copyright (C) 2005-2013, The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
@@ -32,8 +32,8 @@
public static $doctype = 'xhtml';
public static $lc_tags = true;
- public static $common_attrib = array('id','class','style','title','align');
- public static $containers = array('iframe','div','span','p','h1','h2','h3','form','textarea','table','thead','tbody','tr','th','td','style','script');
+ public static $common_attrib = array('id','class','style','title','align','unselectable');
+ public static $containers = array('iframe','div','span','p','h1','h2','h3','ul','form','textarea','table','thead','tbody','tr','th','td','style','script');
/**
@@ -153,7 +153,7 @@
$attr = array('src' => $attr);
}
return self::tag('img', $attr + array('alt' => ''), null, array_merge(self::$common_attrib,
- array('src','alt','width','height','border','usemap','onclick')));
+ array('src','alt','width','height','border','usemap','onclick','onerror')));
}
/**
@@ -269,17 +269,26 @@
return '';
}
- $allowed_f = array_flip((array)$allowed);
+ $allowed_f = array_flip((array)$allowed);
$attrib_arr = array();
+
foreach ($attrib as $key => $value) {
// skip size if not numeric
if ($key == 'size' && !is_numeric($value)) {
continue;
}
- // ignore "internal" or not allowed attributes
- if ($key == 'nl' || ($allowed && !isset($allowed_f[$key])) || $value === null) {
+ // ignore "internal" or empty attributes
+ if ($key == 'nl' || $value === null) {
continue;
+ }
+
+ // ignore not allowed attributes
+ if (!empty($allowed)) {
+ $is_data_attr = @substr_compare($key, 'data-', 0, 5) === 0;
+ if (!isset($allowed_f[$key]) && (!$is_data_attr || !isset($allowed_f['data-*']))) {
+ continue;
+ }
}
// skip empty eventhandlers
@@ -645,7 +654,7 @@
$option_content = self::quote($option_content);
}
- $this->content .= self::tag('option', $attr + $option, $option_content, array('class','style','title','disabled','selected'));
+ $this->content .= self::tag('option', $attr + $option, $option_content, array('value','label','class','style','title','disabled','selected'));
}
return parent::show();
@@ -677,8 +686,8 @@
*/
public function __construct($attrib = array())
{
- $default_attrib = self::$doctype == 'xhtml' ? array('summary' => '', 'border' => 0) : array();
- $this->attrib = array_merge($attrib, $default_attrib);
+ $default_attrib = self::$doctype == 'xhtml' ? array('summary' => '', 'border' => '0') : array();
+ $this->attrib = array_merge($attrib, $default_attrib);
if (!empty($attrib['tagname']) && $attrib['tagname'] != 'table') {
$this->tagname = $attrib['tagname'];
@@ -880,7 +889,7 @@
private function _row_tagname()
{
static $row_tagnames = array('table' => 'tr', 'ul' => 'li', '*' => 'div');
- return $row_tagnames[$this->tagname] ?: $row_tagnames['*'];
+ return $row_tagnames[$this->tagname] ? $row_tagnames[$this->tagname] : $row_tagnames['*'];
}
/**
@@ -889,7 +898,7 @@
private function _col_tagname()
{
static $col_tagnames = array('table' => 'td', '*' => 'span');
- return $col_tagnames[$this->tagname] ?: $col_tagnames['*'];
+ return $col_tagnames[$this->tagname] ? $col_tagnames[$this->tagname] : $col_tagnames['*'];
}
}
--
Gitblit v1.9.1