Fix Cross-Site-Scripting vulnerability via SVG's animate tag

reported by Valentin T., CrowdStrike
2025-12-27 23:45:58 +00:00 · 2025-12-14 09:01:26 +01:00 · 2025-12-14 09:01:26 +01:00 · f4856e3f91
commit f4856e3f91
parent 56d7b6fdd3
3 changed files with 21 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,10 @@

 ## Unreleased

+- Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+
+## Release 1.5.11
+
 - Makefile: Make sure to use proper composer version (for PHP 5.5 support)

 ## Release 1.5.10
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@ -303,7 +303,8 @@ class rcube_washtml

                // in SVG to/from attribs may contain anything, including URIs
                if ($key == 'to' || $key == 'from') {
-                    $key = strtolower($node->getAttribute('attributeName'));
+                    $key = strtolower((string) $node->getAttribute('attributeName'));
+                    $key = trim(preg_replace('/^.*:/', '', $key));
                    if ($key && !isset($this->_html_attribs[$key])) {
                        $key = null;
                    }
@ -509,10 +510,14 @@ class rcube_washtml
    private static function attribute_value($node, $attr_name, $attr_value)
    {
        $attr_name = strtolower($attr_name);
+        $attr_value = strtolower($attr_value);

        foreach ($node->attributes as $name => $attr) {
            if (strtolower($name) === $attr_name) {
-                if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) {
+                // Read the attribute name, remove the namespace (e.g. xlink:href => href)
+                $val = strtolower(trim($attr->nodeValue));
+                $val = trim(preg_replace('/^.*:/', '', $val));
+                if ($attr_value === $val) {
                    return true;
                }
            }
@ -740,8 +745,7 @@ class rcube_washtml
            '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/',
            // washtml/DOMDocument cannot handle xml namespaces
            '/<html\s[^>]+>/i',
-            // washtml/DOMDocument cannot handle xml namespaces
-            // HTML5 parser cannot handler <?xml
+            // HTML5 parser cannot handle <?xml
            '/<\?xml[^>]*>/i',
        ];

--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@ -341,7 +341,7 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
  <!-- foreignObject ignored -->
  <set attributeName="onmouseover" x-washed="to" />
  <animate attributeName="onunload" x-washed="to" />
-  <animate attributeName="xlink:href" begin="0" x-washed="from" />
+  <!-- animate blocked -->
 </svg>';

        $washer = new rcube_washtml;
@ -411,6 +411,14 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
                    . '<a id="xss"><text x="20" y="20">XSS</text></a></svg>',
                '<svg><!-- set blocked --><a id="xss"><text x="20" y="20">XSS</text></a></svg>',
            ],
+            [
+                '<svg><a class="a"><animate attributeName="xlink:href" values="javascript:alert(1)" /></a></svg>',
+                '<svg><a class="a"><!-- animate blocked --></a></svg>',
+            ],
+            [
+                '<title><html><head><meta><body></title><svg><a class="a"><animate attributeName="xlink:href" values="javascript:alert(1)" /></a></svg>',
+                '<svg><a class="a"><!-- animate blocked --></a></svg>',
+            ],
            [
                '<svg><animate xlink:href="#xss" attributename="href" dur="5s" repeatCount="indefinite" keytimes="0;0;1" values="https://portswigger.net?;javascript:alert(1);0" />'
                    . '<a id="xss"><text x="20" y="20">XSS</text></a></svg>',