Fix XSS issue in handling of a style tag inside of an svg element

pull/6833/head
Aleksander Machniak 7 years ago
parent 11b65a905f
commit 9b5eee2946

@ -6,6 +6,7 @@ CHANGELOG Roundcube Webmail
- Fix so group/addressbook selection is retained on page refresh
- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
- Fix so microseconds macro (u) in log_date_format works (#1490446)
- Fix XSS issue in handling of a style tag inside of an svg element
RELEASE 1.1.7
-------------
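
Review bot: the new entry "Fix XSS issue in handling of a style tag inside of an svg element" carries no issue or ticket reference, while the two entries above it end in (#5628) and (#1490446). If a tracker entry exists for this fix, append its number in the same form so the security change can be traced from the CHANGELOG.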

@ -540,6 +540,7 @@ class rcube_utils
public static function xss_entity_decode($content)
{
$out = html_entity_decode(html_entity_decode($content));
$out = strip_tags($out);
$out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
array(self, 'xss_entity_decode_callback'), $out);
$out = preg_replace('#/\*.*\*/#Ums', '', $out);
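
Review bot: in xss_entity_decode(), the strip_tags($out) call sits before the \XXXX escape decoding and the /* ... */ comment removal, so it only sees tags that already exist after the double html_entity_decode(); anything that only turns into markup once those two later steps have run stays in $out. Either move the call below the comment-stripping preg_replace() or add a comment stating why this order is intended. The visible diff also adds no test for the style-inside-svg input named in the commit message; a regression case would pin the behaviour down. Separately, the unchanged context line array(self, 'xss_entity_decode_callback') uses a bare self rather than the quoted string 'self', which is worth correcting while this function is being touched.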
