- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)

Conflicts: CHANGELOG tests/MailFunc.php
12 years ago · 9019025222
parent caffe4d317
commit 9019025222
2 changed files with 2 additions and 1 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
 - Fix absolute positioning in HTML messages (#1488819)
 - Fix keybord events on messages list in opera browser (#1488823)
 - Fix cache (in)validation after setting \Deleted flag
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@ -214,7 +214,7 @@ class washtml
      $key = strtolower($key);
      $value = $node->getAttribute($key);
      if (isset($this->_html_attribs[$key]) ||
-         ($key == 'href' && !preg_match('!^javascript!i', $value)
+         ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value)
           && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
      ) {
        $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';