From 4da20eb1d113d9d9bd9c98229be2cebb9dce5446 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 19 May 2024 10:20:09 +0200 Subject: [PATCH] Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes Reported by Valentin T. and Lutz Wolf of CrowdStrike. --- CHANGELOG.md | 1 + program/lib/Roundcube/rcube_washtml.php | 2 +- tests/Framework/Washtml.php | 4 ++++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a73bc1b3e60..59e55406677 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ - Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313) - Fix command injection via crafted im_convert_path/im_identify_path on Windows - Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences +- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes ## Release 1.5.6 diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index e531628cd47..27562c7359f 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php @@ -538,7 +538,7 @@ private static function attribute_value($node, $attr_name, $attr_value) foreach ($node->attributes as $name => $attr) { if (strtolower($name) === $attr_name) { - if (strtolower($attr_value) === strtolower($attr->nodeValue)) { + if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) { return true; } } diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index 855e84653d9..351a3c5fe88 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -453,6 +453,10 @@ function data_wash_svg_tests() . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x">', '' ], + [ + '', + '', + ], ]; }