From 87e4cd0cf2c550e77586860b94e5c75d2b7686d0 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sun, 26 Apr 2020 07:59:47 +0200
Subject: [PATCH] Fix XSS issue in handling of CDATA in HTML messages

---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_washtml.php | 3 ---
 tests/Framework/Washtml.php | 13 +++++++++++++
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 3f1242d83..33ca74f19 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -41,6 +41,7 @@ CHANGELOG Roundcube Webmail
 - Make install-jsdeps.sh script working without the 'file' program installed (#7325)
 - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
 - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
+- Security: Fix XSS issue in handling of CDATA in HTML messages
 
 RELEASE 1.4.3
 -------------
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index cb1c5b1d1..f2200e538 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -548,9 +548,6 @@ class rcube_washtml
 break;
 
 case XML_CDATA_SECTION_NODE:
- $dump .= $node->nodeValue;
- break;
-
 case XML_TEXT_NODE:
 $dump .= htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->config['charset']);
 break;
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 84c9af646..d66a3dd1f 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -506,4 +506,17 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
 $this->assertContains('First line', $washed);
 }
+
+ /**
+ * Test CDATA cleanup
+ */
+ function test_cdata()
+ {
+ $html = '
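Review bot: The fall-through from `case XML_CDATA_SECTION_NODE:` into `case XML_TEXT_NODE:` in rcube_washtml.php is the entire fix, yet nothing in the code marks it as intentional, so a later tidy-up that restores a `break;` after the CDATA label would silently bring back the unescaped output. A one-line comment on the CDATA case makes the intent survive review, e.g. `// no break: CDATA content must be escaped exactly like a text node, never emitted raw`. The surrounding switch begins and ends outside the hunk, so the dump target and its output context cannot be confirmed here; the test added in tests/Framework/Washtml.php is the right place to pin the escaped form, and it should assert the exact escaped output rather than only the absence of a tag.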

alert(document.cookie)]]>

'; + + $washer = new rcube_washtml; + $washed = $washer->wash($html); + + $this->assertTrue(strpos($washed, '