Fix Information Disclosure vulnerability in the HTML style sanitizer

reported by somerandomdev
2026-02-20 01:21:20 +01:00 · 2025-12-14 09:02:25 +01:00
parent bfa032631c
commit 08de250fba
4 changed files with 13 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
 - Fix parsing of inline styles that aren't well-formatted (#9948)
 - Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+- Fix Information Disclosure vulnerability in the HTML style sanitizer

 ## Release 1.6.11

--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -559,6 +559,9 @@ class rcube_utils
                                $value .= ' url(' . $url . ')';
                            }
                        }
+                    } elseif (preg_match('/;.*/', $val)) {
+                        // Invalid or evil content, ignore
+                        continue;
                    } else {
                        // whitelist ?
                        $value .= ' ' . $val;
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -291,9 +291,9 @@ class Framework_Utils extends PHPUnit\Framework\TestCase
        $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
        $this->assertSame("#rcmbody { content: ''; color: red; }", $mod);

-        $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }";
+        $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\\'hello\\');\">'; color: red; }";
        $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
-        $this->assertSame("#rcmbody { content: '< page: ;/style>< page: ;img src onerror=\"alert('hello');\">'; color: red; }", $mod);
+        $this->assertSame("#rcmbody { color: red; }", $mod);

        // Removing page: property
        $style = "body { page: test; color: red }";
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -312,6 +312,13 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
        $washed = $washer->wash($html);

        $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)");
+
+        $html = '<div style=\'content: "\0026quot;; background: url(//http.cat/418); content:""; width: 100%; height: 100%;\'>test</div>';
+
+        $washer = new \rcube_washtml();
+        $washed = $washer->wash($html);
+
+        $this->assertTrue(strpos($washed, '<div x-washed="style">test</div>') !== false);
    }

    /**