Fix XSS issue in handling of CDATA in HTML messages

4 years ago · 87e4cd0cf2
parent 6b5fc8db95
commit 87e4cd0cf2
3 changed files with 14 additions and 3 deletions
--- a/1
+++ b/1
@ -41,6 +41,7 @@ CHANGELOG Roundcube Webmail
 - Make install-jsdeps.sh script working without the 'file' program installed (#7325)
 - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
 - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
+- Security: Fix XSS issue in handling of CDATA in HTML messages

 RELEASE 1.4.3
 -------------
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@ -548,9 +548,6 @@ class rcube_washtml
                break;

            case XML_CDATA_SECTION_NODE:
-                $dump .= $node->nodeValue;
-                break;
-
            case XML_TEXT_NODE:
                $dump .= htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->config['charset']);
                break;
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@ -506,4 +506,17 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase

        $this->assertContains('First line', $washed);
    }
+
+    /**
+     * Test CDATA cleanup
+     */
+    function test_cdata()
+    {
+        $html = '<p><![CDATA[<script>alert(document.cookie)</script>]]></p>';
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertTrue(strpos($washed, '<script>') === false, "CDATA content");
+    }
 }