Escape textarea contents in Washtml

7 years ago · fb43d2e608
parent f9151f6830
commit fb43d2e608
2 changed files with 14 additions and 0 deletions
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@ -449,6 +449,9 @@ class rcube_washtml
                            }
                        }
                    }
+                    else if ($tagName == 'textarea' && strpos($content, '<') !== false) {
+                        $content = htmlspecialchars($content, ENT_QUOTES);
+                    }

                    $dump .= $this->wash_attribs($node);

--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@ -305,4 +305,15 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
        $this->assertTrue($washer->extlinks);
        $this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");
    }
+
+    function test_textarea_content_escaping()
+    {
+        $html = '<textarea><p style="x:</textarea><img src=x onerror=alert(1)>">';
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertNotContains('onerror=alert(1)>', $washed);
+        $this->assertContains('&lt;p style=&quot;x:', $washed);
+    }
 }