Fix bug in remote content blocking on HTML image and style tags (#6178)

CHANGELOG

@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix security issue in remote content blocking on HTML image and style tags (#6178)
+
 RELEASE 1.0.12
 --------------
 - Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)

program/lib/Roundcube/rcube_utils.php

@@ -552,7 +552,7 @@ class rcube_utils
     {
         $out = html_entity_decode(html_entity_decode($content));
         $out = strip_tags($out);
-        $out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
+        $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i',
             array(self, 'xss_entity_decode_callback'), $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);
         $out = strip_tags($out);

program/lib/Roundcube/rcube_washtml.php

@@ -382,7 +382,7 @@ class rcube_washtml
         return $attr == 'background'
             || $attr == 'color-profile' // SVG
             || ($attr == 'poster' && $tag == 'video')
-            || ($attr == 'src' && preg_match('/^(img|source)$/i', $tag))
+            || ($attr == 'src' && preg_match('/^(img|image|source)$/i', $tag))
             || ($tag == 'image' && $attr == 'href'); // SVG
     }
 

tests/Framework/Utils.php

@@ -200,6 +200,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
         $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
 
+        $mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
+
         // position: fixed (#5264)
         $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
         $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");