Fix bug where external content in src attribute of input/video tags was not secured (#5583)

pull/5585/head
Aleksander Machniak 8 years ago
parent cb58d37bbc
commit e08f22ef28

@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
=========================== ===========================
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580) - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
RELEASE 1.3-beta RELEASE 1.3-beta
---------------- ----------------

@ -408,7 +408,7 @@ class rcube_washtml
return $attr == 'background' return $attr == 'background'
|| $attr == 'color-profile' // SVG || $attr == 'color-profile' // SVG
|| ($attr == 'poster' && $tag == 'video') || ($attr == 'poster' && $tag == 'video')
|| ($attr == 'src' && preg_match('/^(img|source)$/i', $tag)) || ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
|| ($tag == 'image' && $attr == 'href'); // SVG || ($tag == 'image' && $attr == 'href'); // SVG
} }

@ -336,4 +336,26 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
$this->assertSame(trim($washed), trim($exp), "MathML content"); $this->assertSame(trim($washed), trim($exp), "MathML content");
} }
/**
* Test external links in src of input/video elements (#5583)
*/
function test_src_wash()
{
$html = "<input type=\"image\" src=\"http://TRACKING_URL/\">";
$washer = new rcube_washtml;
$washed = $washer->wash($html);
$this->assertTrue($washer->extlinks);
$this->assertNotContains('TRACKING', $washed, "Src attribute of <input> tag (#5583)");
$html = "<video src=\"http://TRACKING_URL/\">";
$washer = new rcube_washtml;
$washed = $washer->wash($html);
$this->assertTrue($washer->extlinks);
$this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");
}
} }

Loading…
Cancel
Save