Fix bug where external content in src attribute of input/video tags w…

…as not secured (roundcube#5583)

CHANGELOG

@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
 
 RELEASE 1.3-beta
 ----------------

program/lib/Roundcube/rcube_washtml.php

@@ -408,7 +408,7 @@ private function is_image_attribute($tag, $attr)
         return $attr == 'background'
             || $attr == 'color-profile' // SVG
             || ($attr == 'poster' && $tag == 'video')
-            || ($attr == 'src' && preg_match('/^(img|source)$/i', $tag))
+            || ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
             || ($tag == 'image' && $attr == 'href'); // SVG
     }
 

tests/Framework/Washtml.php

@@ -336,4 +336,26 @@ function test_wash_mathml()
 
         $this->assertSame(trim($washed), trim($exp), "MathML content");
     }
+
+    /**
+     * Test external links in src of input/video elements (#5583)
+     */
+    function test_src_wash()
+    {
+        $html = "<input type=\"image\" src=\"http://TRACKING_URL/\">";
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertTrue($washer->extlinks);
+        $this->assertNotContains('TRACKING', $washed, "Src attribute of <input> tag (#5583)");
+
+        $html = "<video src=\"http://TRACKING_URL/\">";
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertTrue($washer->extlinks);
+        $this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");
+    }
 }