File CVE-2016-5103.patch of Package roundcubemail (Revision 4)
From 12b7d5f1b5a8be70a34844685993843456db5f46 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 6 May 2016 08:28:15 +0200 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241) --- CHANGELOG | 1 + program/lib/Roundcube/rcube_washtml.php | 2 +- tests/Framework/Washtml.php | 17 +++++++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 71ac25a..0e41baf 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -14,6 +14,7 @@ - Fix PHP7 warning "session_start(): Session callback expects true/false return value" (#1490624) - Fix XSS issue in SVG images handling (#1490625) - Fix missing language name in "Add to Dictionary" request in HTML mode (#1490634) +- Fix XSS issue in href attribute on area tag (#5240) RELEASE 1.2-beta ---------------- diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index 5938d9b..d03f04a 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php @@ -370,7 +370,7 @@ private function wash_uri($uri, $blocked_source = false) */ private function is_link_attribute($tag, $attr) { - return $tag == 'a' && $attr == 'href'; + return ($tag == 'a' || $tag == 'area') && $attr == 'href'; } /** diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index 9515f0d..2e68179 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php 
@@ -38,6 +38,23 @@ function test_href() } /** + * Test XSS in area's href (#5240) + */ + function test_href_area() + { + $html = '<p><area href="data:text/html,<script>alert(document.cookie)</script>">' + . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>' + . '<area href="javascript:alert(document.domain)" shape=default>'; + + $washer = new rcube_washtml; + $washed = $washer->wash($html); + + $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href"); + $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href"); + $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href"); + } + + /** * Test handling HTML comments */ function test_comments()
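Review bot: in the CHANGELOG hunk the new entry cites only #5240 although the commit subject lists both #5240 and #5241, and it does not carry the CVE-2016-5103 identifier under which this patch file is shipped, so package maintainers cannot match the entry to the advisory by grepping the changelog; suggest `- Fix XSS issue in href attribute on area tag (#5240, #5241, CVE-2016-5103)`. The surrounding entries also use the long seven-digit reference form, so it is worth checking which tracker the short numbers point to before the release notes are cut.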
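Review bot: the one-line change in the rcube_washtml.php hunk closes the reported `area` case but leaves is_link_attribute() as a hard-coded pair of tag names, which is exactly how `area` came to be missed beside `a`; suggest keeping the set of URI-bearing tag/attribute pairs in one static array and checking membership with a strict `in_array($tag, $link_tags, true)`, so the next tag is a data change rather than another boolean edit and the loose `==` comparison is not relied on. Please also confirm that $tag reaches this method already lowercased, since the comparison is case-sensitive and an unnormalised `AREA` would not be treated as a link attribute.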
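Review bot: test_href_area() in the tests/Framework/Washtml.php hunk only asserts that the `data:text`, `vbscript:` and `javascript:` strings are gone from the washed output; nothing asserts that a harmless `<area href="http://example.org/">` keeps its href, so a regression that strips every area href outright would still pass. Suggest adding one positive case to the same fixture, e.g. `$this->assertRegExp('/href="http:\/\/example\.org\/"/', $washed, "http: in area href kept");`, mirroring what test_href() above presumably does for `a`.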