Fix cross-site scripting (XSS) vulnerability in handling SVG animate …

…attributes Reported by Valentin T. and Lutz Wolf of CrowdStrike.
roundcube · May 19, 2024 · 43aaaa5 · 43aaaa5
1 parent cde4522
commit 43aaaa5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
 - Fix missing field labels in CSV import, for some locales (#9393)
 - Fix command injection via crafted im_convert_path/im_identify_path on Windows
 - Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
+- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
 
 ## Release 1.6.6
 

diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
@@ -541,7 +541,7 @@ private static function attribute_value($node, $attr_name, $attr_value)
 
         foreach ($node->attributes as $name => $attr) {
             if (strtolower($name) === $attr_name) {
-                if (strtolower($attr_value) === strtolower($attr->nodeValue)) {
+                if (strtolower($attr_value) === strtolower(trim($attr->nodeValue))) {
                     return true;
                 }
             }

diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
@@ -473,6 +473,10 @@ function data_wash_svg_tests()
                     . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
                 '<svg><use x-washed="href"></use></svg>'
             ],
+            [
+                '<html><svg><animate attributeName="href " values="javascript:alert(\'XSS\')" href="#link" /></animate></svg></html>',
+                '<svg><!-- animate blocked --></svg>',
+            ],
         ];
     }