Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)

2026-03-24 00:36:59 +01:00 · 2023-10-14 18:16:22 +02:00
parent ef7c00ac2d
commit 8d823e2947
3 changed files with 32 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 ## Unreleased

+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
+
+## Release 1.5.4
+
 - Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
 - Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
 - Fix so N property always exists in a vCard export (#8771)
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -424,17 +424,22 @@ class rcube_washtml
                return $this->config['blocked_src'];
            }
        }
+<<<<<<< HEAD
        else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/i', $uri, $matches)) { // RFC2397
+=======
+        else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+            $type = preg_replace('/\s/', '', $matches[1]);
+
+>>>>>>> 6ee6e7ae3... Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
            // svg images can be insecure, we'll sanitize them
-            if (stripos($matches[1], 'svg') !== false) {
+            if (stripos($type, 'svg') !== false) {
                $svg = $matches[2];

-                if (stripos($matches[1], ';base64') !== false) {
-                    $svg  = base64_decode($svg);
-                    $type = $matches[1];
+                if (stripos($type, ';base64') !== false) {
+                    $svg = base64_decode($svg);
                }
                else {
-                    $type = $matches[1] . ';base64';
+                    $type .= ';base64';
                }

                $washer = new self($this->config);
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -435,6 +435,24 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
                '<svg><script href="data:text/javascript,alert(1)" /><text x="20" y="20">XSS</text></svg>',
                '<svg><text x="20" y="20">XSS</text></svg>'
            ],
+            [
+                '<html><svg><use href="data:image/s vg+xml;base64,' // space
+                    . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+                    . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+                '<svg><use x-washed="href"></use></svg>'
+            ],
+            [
+                '<html><svg><use href="data:image/s' . "\n" . 'vg+xml;base64,' // new-line
+                    . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+                    . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+                '<svg><use x-washed="href"></use></svg>'
+            ],
+            [
+                '<html><svg><use href="data:image/s	vg+xml;base64,' // tab
+                    . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+                    . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+                '<svg><use x-washed="href"></use></svg>'
+            ],
        ];
    }