From f4856e3f910ae57eb35e5d3ffbfe864e47a9b7f4 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sun, 14 Dec 2025 09:01:26 +0100
Subject: [PATCH] Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike
---
 CHANGELOG.md | 4 ++++
 program/lib/Roundcube/rcube_washtml.php | 12 ++++++++----
 tests/Framework/Washtml.php | 10 +++++++++-
 3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 101aca918..9b1733aa9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 ## Unreleased
+- Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+
+## Release 1.5.11
+
 - Makefile: Make sure to use proper composer version (for PHP 5.5 support)
 ## Release 1.5.10
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index fb8bce651..b02b8c05c 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -303,7 +303,8 @@ class rcube_washtml
 // in SVG to/from attribs may contain anything, including URIs
 if ($key == 'to' || $key == 'from') {
- $key = strtolower($node->getAttribute('attributeName'));
+ $key = strtolower((string) $node->getAttribute('attributeName'));
+ $key = trim(preg_replace('/^.*:/', '', $key));
 if ($key && !isset($this->_html_attribs[$key])) {
 $key = null;
 }
@@ -509,10 +510,14 @@ class rcube_washtml
 private static function attribute_value($node, $attr_name, $attr_value)
 {
 $attr_name = strtolower($attr_name);
+ $attr_value = strtolower($attr_value);
 foreach ($node->attributes as $name => $attr) {
 if (strtolower($name) === $attr_name) {
- if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) {
+ // Read the attribute name, remove the namespace (e.g. xlink:href => href)
+ $val = strtolower(trim($attr->nodeValue));
+ $val = trim(preg_replace('/^.*:/', '', $val));
+ if ($attr_value === $val) {
 return true;
 }
 }
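Review bot: In the `@@ -509,10 +510,14` hunk the namespace stripping is applied to `$attr->nodeValue` for every caller of the generic `attribute_value()` helper, not only when `$attr_name` is `attributeName`, and the new comment says "Read the attribute name" although the code reads the attribute value; the callers are outside the hunk, so whether any of them compares a value that legitimately contains a colon cannot be checked here. The same strtolower → `preg_replace('/^.*:/', '', …)` → trim sequence is duplicated in the `@@ -303,7 +303,8` hunk, and `preg_replace()` returns null on a PCRE error (the greedy `.*` backtracks across the whole value), which `trim()` folds into `''` — in the first hunk that leaves `$key` empty and, as far as the hunk shows, skips the whitelist branch; `.` also does not match a newline, so a prefix that contains one is left in place. A private helper built on `strrpos()`/`substr()` removes the duplication and both regex edge cases, and the comment should read `// Strip the namespace prefix from the attribute value (e.g. xlink:href => href)`. Both enclosing methods start or end outside their hunks.

```php
    /**
     * Return an attribute name without its XML namespace prefix
     * (e.g. "xlink:href" => "href"), lower-cased and trimmed.
     *
     * @param string $name Raw attribute name (or attributeName value)
     *
     * @return string
     */
    private static function local_attr_name($name)
    {
        $name = strtolower(trim((string) $name));

        // strrpos() has no error return and is not stopped by a newline,
        // unlike preg_replace('/^.*:/', ...)
        if (($pos = strrpos($name, ':')) !== false) {
            $name = trim(substr($name, $pos + 1));
        }

        return $name;
    }

    // … unchanged: rest of the class …

            // in SVG to/from attribs may contain anything, including URIs
            if ($key == 'to' || $key == 'from') {
                $key = self::local_attr_name($node->getAttribute('attributeName'));
                // … unchanged: whitelist check on $key …

    // … unchanged: attribute_value() up to the name comparison …
                // Strip the namespace prefix from the attribute value (e.g. xlink:href => href)
                if ($attr_value === self::local_attr_name($attr->nodeValue)) {
```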
@@ -740,8 +745,7 @@ class rcube_washtml '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', // washtml/DOMDocument cannot handle xml namespaces '/]+>/i', - // washtml/DOMDocument cannot handle xml namespaces - // HTML5 parser cannot handler ]*>/i', ]; diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index b4a0daa48..a23532b01 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -341,7 +341,7 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase - + '; $washer = new rcube_washtml; @@ -411,6 +411,14 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase . 'XSS', 'XSS', ], + [ + '', + '', + ], + [ + '<html><head><meta><body>', + '', + ], [ '' . 'XSS',