Fix bug where external content in src attribute of input/video tags was not secured (#5583)

CHANGELOG

@@ -9,6 +9,7 @@ CHANGELOG Roundcube Webmail
 - Fix some advanced search issues with multiple addressbooks (#5572)
 - Fix so group/addressbook selection is retained on page refresh
 - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
 
 RELEASE 1.2.3
 -------------

program/lib/Roundcube/rcube_washtml.php

@@ -386,7 +386,7 @@ class rcube_washtml
         return $attr == 'background'
             || $attr == 'color-profile' // SVG
             || ($attr == 'poster' && $tag == 'video')
-            || ($attr == 'src' && preg_match('/^(img|source)$/i', $tag))
+            || ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
             || ($tag == 'image' && $attr == 'href'); // SVG
     }
 

tests/Framework/Washtml.php

@@ -283,4 +283,26 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
 
         $this->assertTrue(strpos($washed, $exp) !== false, "Position:fixed (#5264)");
     }
+
+    /**
+     * Test external links in src of input/video elements (#5583)
+     */
+    function test_src_wash()
+    {
+        $html = "<input type=\"image\" src=\"http://TRACKING_URL/\">";
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertTrue($washer->extlinks);
+        $this->assertNotContains('TRACKING', $washed, "Src attribute of <input> tag (#5583)");
+
+        $html = "<video src=\"http://TRACKING_URL/\">";
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertTrue($washer->extlinks);
+        $this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");
+    }
 }