From 9d2b303b516adb685ef93bf64402da56deca6f3e Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 14 Feb 2018 20:19:32 +0100
Subject: [PATCH] Fix bug in remote content blocking on HTML image and style
 tags (#6178)

---
 CHANGELOG                               | 1 +
 program/lib/Roundcube/rcube_utils.php   | 4 ++--
 program/lib/Roundcube/rcube_washtml.php | 2 +-
 tests/Framework/Utils.php               | 3 +++
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5dd6190d6..dd57d7d42 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -73,6 +73,7 @@ CHANGELOG Roundcube Webmail
 - Fix duplicated labels in Test SMTP Config section (#6166)
 - Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
 - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
+- Fix bug in remote content blocking on HTML image and style tags (#6178)
 
 RELEASE 1.3.4
 -------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 28b281afc..dedaae125 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -514,11 +514,11 @@ class rcube_utils
      */
     public static function xss_entity_decode($content)
     {
-        $callback = function($matches) { return chr(hexdec($matches[1])); };
+        $callback = function($matches) { return chr(hexdec(trim($matches[1]))); };
 
         $out = html_entity_decode(html_entity_decode($content));
         $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
-        $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $callback, $out);
+        $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i', $callback, $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);
         $out = strip_tags($out);
 
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 3b17a3d41..7a4876c5d 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -415,7 +415,7 @@ class rcube_washtml
         return $attr == 'background'
             || $attr == 'color-profile' // SVG
             || ($attr == 'poster' && $tag == 'video')
-            || ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
+            || ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag))
             || ($tag == 'image' && $attr == 'href'); // SVG
     }
 
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 5cf5018c1..e4b71044b 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -206,6 +206,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
         $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
 
+        $mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
+
         // position: fixed (#5264)
         $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
         $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");