Fix XSS issue with href="javascript:" not being removed (#1488613)

CHANGELOG

@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue with href="javascript:" not being removed (#1488613)
 - Fix impossible to create message with empty plain text part (#1488610)
 - Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
 - Fix inactive Save search option after advanced search (#1488607)

program/lib/washtml.php

@@ -214,8 +214,11 @@ class washtml
       $key = strtolower($key);
       $value = $node->getAttribute($key);
       if (isset($this->_html_attribs[$key]) ||
-         ($key == 'href' && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)))
+         ($key == 'href' && !preg_match('!^javascript!i', $value)
+           && preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
+      ) {
         $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+      }
       else if ($key == 'style' && ($style = $this->wash_style($value))) {
         $quot = strpos($style, '"') !== false ? "'" : '"';
         $t .= ' style=' . $quot . $style . $quot;
@@ -237,7 +240,8 @@ class washtml
         else if (preg_match('/^data:.+/i', $value)) { // RFC2397
           $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
         }
-      } else
+      }
+      else
         $washed .= ($washed?' ':'') . $key;
     }
     return $t . ($washed && $this->config['show_washed']?' x-washed="'.$washed.'"':'');