diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51e90cef8..b6a355227 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
## Unreleased
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
+
+## Release 1.5.4
+
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
- Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
- Fix so N property always exists in a vCard export (#8771)
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 525d32bcd..ef4469cd5 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -424,17 +424,22 @@ class rcube_washtml
return $this->config['blocked_src'];
}
}
+<<<<<<< HEAD
else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/i', $uri, $matches)) { // RFC2397
+=======
+ else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+ $type = preg_replace('/\s/', '', $matches[1]);
+
+>>>>>>> 6ee6e7ae3... Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
// svg images can be insecure, we'll sanitize them
- if (stripos($matches[1], 'svg') !== false) {
+ if (stripos($type, 'svg') !== false) {
$svg = $matches[2];
- if (stripos($matches[1], ';base64') !== false) {
- $svg = base64_decode($svg);
- $type = $matches[1];
+ if (stripos($type, ';base64') !== false) {
+ $svg = base64_decode($svg);
}
else {
- $type = $matches[1] . ';base64';
+ $type .= ';base64';
}
$washer = new self($this->config);
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 4497cbddc..ff0768e36 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -435,6 +435,24 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
'',
''
],
+ [
+ '',
+ ''
+ ],
+ [
+ '',
+ ''
+ ],
+ [
+ '',
+ ''
+ ],
];
}