Fix XSS issue in href attribute on area tag (#5240, #5241)

Conflicts:

	CHANGELOG
pull/5330/head
Aleksander Machniak 9 years ago
parent 877b911dc4
commit 7d14065baa

@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail
- Fix message list multi-select/deselect issue (#5219) - Fix message list multi-select/deselect issue (#5219)
- Fix bug where contact search menu fields where always unchecked in Larry skin - Fix bug where contact search menu fields where always unchecked in Larry skin
- Fix XSS issue in href attribute on area tag (#5240)
RELEASE 1.1.5 RELEASE 1.1.5
------------- -------------

@ -370,7 +370,7 @@ class rcube_washtml
*/ */
private function is_link_attribute($tag, $attr) private function is_link_attribute($tag, $attr)
{ {
return $tag == 'a' && $attr == 'href'; return ($tag == 'a' || $tag == 'area') && $attr == 'href';
} }
/** /**

@ -37,6 +37,23 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
$this->assertRegExp('|href="http://test.com">|', $washed, "Link href with newlines (#1488940)"); $this->assertRegExp('|href="http://test.com">|', $washed, "Link href with newlines (#1488940)");
} }
/**
* Test XSS in area's href (#5240)
*/
function test_href_area()
{
$html = '<p><area href="data:text/html,&lt;script&gt;alert(document.cookie)&lt;/script&gt;">'
. '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>'
. '<area href="javascript:alert(document.domain)" shape=default>';
$washer = new rcube_washtml;
$washed = $washer->wash($html);
$this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
$this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
$this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
}
/** /**
* Test handling HTML comments * Test handling HTML comments
*/ */

Loading…
Cancel
Save