Fix XSS issue in href attribute on area tag (#5240, #5241)

9 years ago · 12b7d5f1b5
parent 311c207d0a
commit 12b7d5f1b5
3 changed files with 19 additions and 1 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ CHANGELOG Roundcube Webmail
 - Fix bug where contact search menu fields where always unchecked in Larry skin
 - Fix autoloading of 'html' class
 - Fix bug where Encrypt button appears when switching editor to HTML (#5235)
+- Fix XSS issue in href attribute on area tag (#5240)

 RELEASE 1.2-rc
 --------------
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@ -370,7 +370,7 @@ class rcube_washtml
     */
    private function is_link_attribute($tag, $attr)
    {
-        return $tag == 'a' && $attr == 'href';
+        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
    }

    /**
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@ -37,6 +37,23 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
        $this->assertRegExp('|href="http://test.com">|', $washed, "Link href with newlines (#1488940)");
    }

+    /**
+     * Test XSS in area's href (#5240)
+     */
+    function test_href_area()
+    {
+        $html = '<p><area href="data:text/html,&lt;script&gt;alert(document.cookie)&lt;/script&gt;">'
+            . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>'
+            . '<area href="javascript:alert(document.domain)" shape=default>';
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
+        $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
+        $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
+    }
+
    /**
     * Test handling HTML comments
     */