From 1568bd9e0492df1d39f006598bc20c1cfddcc52d Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 7 Jan 2017 20:00:18 +0100
Subject: [PATCH] Fix bug where external content in src attribute of input/video tags was not secured (#5583)
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_washtml.php | 2 +-
 tests/Framework/Washtml.php | 22 ++++++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 1abd7af61..00b3eb032 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ CHANGELOG Roundcube Webmail
 - Fix some advanced search issues with multiple addressbooks (#5572)
 - Fix so group/addressbook selection is retained on page refresh
 - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
 RELEASE 1.2.3
 -------------
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 21e28bb59..46b699874 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -386,7 +386,7 @@ class rcube_washtml
 return $attr == 'background'
 || $attr == 'color-profile' // SVG
 || ($attr == 'poster' && $tag == 'video')
-|| ($attr == 'src' && preg_match('/^(img|source)$/i', $tag))
+|| ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
 || ($tag == 'image' && $attr == 'href'); // SVG
 }
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 50454cd4e..dcc8f883e 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
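Review bot: The `poster` branch two lines above the changed line compares `$tag == 'video'` case-sensitively while the new `src` branch matches with `/i`, so unless the caller lowercases tag names before this check, `<VIDEO poster=…>` would not be treated as a remote reference while `<VIDEO src=…>` now is; `|| ($attr == 'poster' && strcasecmp($tag, 'video') === 0)` (or lowercasing `$tag` once before the `return`) makes the two branches agree. The extended regex is still an enumeration by tag name and `track`, which also carries a `src`, is not in it — if the washer's tag allowlist lets `track` through, `'/^(img|source|input|video|audio|track)$/i'` closes that gap too; I cannot see the allowlist from this hunk. A short comment on the `return`, such as `// attributes whose value is a remote reference and must be rewritten/blocked`, would tell the next maintainer why this list exists and that every newly allowed tag with a URL attribute has to be added here. The enclosing method's signature is above the hunk.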
@@ -283,4 +283,26 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
 $this->assertTrue(strpos($washed, $exp) !== false, "Position:fixed (#5264)");
 }
+
+ /**
+ * Test external links in src of input/video elements (#5583)
+ */
+ function test_src_wash()
+ {
+ $html = "";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertTrue($washer->extlinks);
+ $this->assertNotContains('TRACKING', $washed, "Src attribute of tag (#5583)");
+
+ $html = "