Fix Information Disclosure vulnerability in the HTML style sanitizer

alecpl · alecpl · commit 08de250fba73 · 2025-12-14T09:10:51.000+01:00
reported by somerandomdev
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
 - Fix parsing of inline styles that aren't well-formatted (#9948)
 - Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+- Fix Information Disclosure vulnerability in the HTML style sanitizer
 
 ## Release 1.6.11
 
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
@@ -559,6 +559,9 @@ public static function sanitize_css_block($styles, $url_callback = null)
                                 $value .= ' url(' . $url . ')';
                             }
                         }
+                    } elseif (preg_match('/;.*/', $val)) {
+                        // Invalid or evil content, ignore
+                        continue;
                     } else {
                         // whitelist ?
                         $value .= ' ' . $val;
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
@@ -291,9 +291,9 @@ function test_mod_css_styles_xss()
         $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
         $this->assertSame("#rcmbody { content: ''; color: red; }", $mod);
 
-        $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }";
+        $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\\'hello\\');\">'; color: red; }";
         $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
-        $this->assertSame("#rcmbody { content: '< page: ;/style>< page: ;img src onerror=\"alert('hello');\">'; color: red; }", $mod);
+        $this->assertSame("#rcmbody { color: red; }", $mod);
 
         // Removing page: property
         $style = "body { page: test; color: red }";
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
@@ -312,6 +312,13 @@ function test_style_wash_xss()
         $washed = $washer->wash($html);
 
         $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)");
+
+        $html = '<div style=\'content: "\0026quot;; background: url(//http.cat/418); content:""; width: 100%; height: 100%;\'>test</div>';
+
+        $washer = new \rcube_washtml();
+        $washed = $washer->wash($html);
+
+        $this->assertTrue(strpos($washed, '<div x-washed="style">test</div>') !== false);
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -559,6 +559,9 @@ public static function sanitize_css_block($styles, $url_callback = null)`
`559`	`559`	`$value .= ' url(' . $url . ')';`
`560`	`560`	`}`
`561`	`561`	`}`
	`562`	`+ } elseif (preg_match('/;.*/', $val)) {`
	`563`	`+ // Invalid or evil content, ignore`
	`564`	`+ continue;`
`562`	`565`	`} else {`
`563`	`566`	`// whitelist ?`
`564`	`567`	`$value .= ' ' . $val;`