From 8d823e294709ae5ea3e6414aa80fa9e006a2d5d7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sat, 14 Oct 2023 18:16:22 +0200 Subject: [PATCH] Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) --- CHANGELOG.md | 4 ++++ program/lib/Roundcube/rcube_washtml.php | 15 ++++++++++----- tests/Framework/Washtml.php | 18 ++++++++++++++++++ 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51e90cef8..b6a355227 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## Unreleased +- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) + +## Release 1.5.4 + - Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages - Fix so output of log_date_format with microseconds contains time in server time zone, not UTC - Fix so N property always exists in a vCard export (#8771) diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index 525d32bcd..ef4469cd5 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php 
@@ -424,17 +424,22 @@ class rcube_washtml return $this->config['blocked_src']; } } +<<<<<<< HEAD else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/i', $uri, $matches)) { // RFC2397 +======= + else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397 + $type = preg_replace('/\s/', '', $matches[1]); + +>>>>>>> 6ee6e7ae3... Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) // svg images can be insecure, we'll sanitize them - if (stripos($matches[1], 'svg') !== false) { + if (stripos($type, 'svg') !== false) { $svg = $matches[2]; - if (stripos($matches[1], ';base64') !== false) { - $svg = base64_decode($svg); - $type = $matches[1]; + if (stripos($type, ';base64') !== false) { + $svg = base64_decode($svg); } else { - $type = $matches[1] . ';base64'; + $type .= ';base64'; } $washer = new self($this->config); diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index 4497cbddc..ff0768e36 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -435,6 +435,24 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase 'XSS', 'XSS' ], + [ + '', + '' + ], + [ + '', + '' + ], + [ + '', + '' + ], ]; }
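Review bot: The new side of the rcube_washtml.php hunk adds unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 6ee6e7ae3...`) and keeps both the old `/i` `else if` line (as context) and the new `/is` one, so the patch as shown would leave the file unparsable and the data:image sanitizing branch never reached. The resolved new side should carry only `else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397` followed by `$type = preg_replace('/\s/', '', $matches[1]);`, with the old `/i` line dropped. The whitespace stripping deserves a why-comment because it is the security-relevant step and nothing nearby says so; something like `// strip whitespace from the media type first: a browser still treats "image/svg\n+xml" as SVG, so the svg check below must see the normalized type` (the bypass mechanism is inferred from the commit title and the `\s` removal, not stated in the hunk). The enclosing method starts before and continues after this hunk, so how `$type` is consumed for non-SVG types is not visible here.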