From 7d14065baa6c51346e0ec0253c06ac822f082278 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Fri, 6 May 2016 08:28:15 +0200
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)

Conflicts: CHANGELOG
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_washtml.php | 2 +-
 tests/Framework/Washtml.php | 17 +++++++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 4d7719a14..7420e7c4e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail
 - Fix message list multi-select/deselect issue (#5219)
 - Fix bug where contact search menu fields where always unchecked in Larry skin
+- Fix XSS issue in href attribute on area tag (#5240)
 RELEASE 1.1.5
 -------------
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 54c1cd88d..6535e3b4a 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -370,7 +370,7 @@ class rcube_washtml
 */
 private function is_link_attribute($tag, $attr)
 {
- return $tag == 'a' && $attr == 'href';
+ return ($tag == 'a' || $tag == 'area') && $attr == 'href';
 }
 /**
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 9515f0d7a..2e681791c 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -37,6 +37,23 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
 $this->assertRegExp('|href="http://test.com">|', $washed, "Link href with newlines (#1488940)");
 }
+ /**
+ * Test XSS in area's href (#5240)
+ */
+ function test_href_area()
+ {
+ $html = '

'
+ . 'Internet Explorer

'
+ . '';
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
+ $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
+ $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
+ }
+
 /**
 * Test handling HTML comments
 */
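Review bot: `is_link_attribute()` in rcube_washtml.php still decides by enumerating tag names, so `area` was only covered after it was reported, and any other element the washer lets through with an `href` would skip the link-URI check in the same way. Since the attribute is what carries the URI, consider keying on it alone, `return $attr == 'href';`, or confirm that the washer's tag allowlist admits no other `href`-bearing element; which tags are allowed is not visible in this hunk. The comparison is also case-sensitive, so it is worth confirming in the caller that `$tag` and `$attr` are lowercased before they reach this method. The method's docblock begins above the hunk.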
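Review bot: The three `assertNotRegExp` checks in `test_href_area()` are case-sensitive, so they would still pass if the washed output kept one of these schemes written in different letter case. Adding the `i` modifier, e.g. `$this->assertNotRegExp('/javascript:/i', $washed, "javascript: in area href");`, makes the regression test match how URI schemes are interpreted. The test also has no positive assertion that an ordinary `http:` href on `area` survives washing, so it cannot distinguish a correct filter from one that strips every `area` href. The `$html` fixture is not fully visible on this page, so the inputs themselves are not reviewed here.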