diff --git a/CHANGELOG b/CHANGELOG
index 3c278211334..1c1c2c13a4f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
===========================
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
RELEASE 1.3-beta
----------------
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 92c5132ca2c..b45a7474a89 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -408,7 +408,7 @@ private function is_image_attribute($tag, $attr)
return $attr == 'background'
|| $attr == 'color-profile' // SVG
|| ($attr == 'poster' && $tag == 'video')
- || ($attr == 'src' && preg_match('/^(img|source)$/i', $tag))
+ || ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
|| ($tag == 'image' && $attr == 'href'); // SVG
}
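Review bot: The case handling in the new `src` condition is inconsistent with the `poster` condition one line above: `src` matches the tag with a case-insensitive regex (`/i`), while `poster` uses a case-sensitive `$tag == 'video'`, so a `<VIDEO poster="...">` would only be caught if `$tag` is already lower-cased by the caller, which this hunk does not show. If the tag name is not normalized before this call, `poster` on an upper-case `video` would bypass the external-content check this commit is adding for `src`. Making both branches use the same normalized comparison removes the ambiguity, e.g. `$tag = strtolower($tag);` at the top of the method and then `|| ($attr == 'poster' && $tag == 'video')` and `|| ($attr == 'src' && in_array($tag, array('img', 'source', 'input', 'video', 'audio'), true))`. The signature of `is_image_attribute` sits in the hunk header, outside the visible lines, so the return expression is the whole body shown here.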
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 46d6bdb27b1..df831910210 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -336,4 +336,26 @@ function test_wash_mathml()
$this->assertSame(trim($washed), trim($exp), "MathML content");
}
+
+ /**
+ * Test external links in src of input/video elements (#5583)
+ */
+ function test_src_wash()
+ {
+ $html = "";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertTrue($washer->extlinks);
+ $this->assertNotContains('TRACKING', $washed, "Src attribute of tag (#5583)");
+
+ $html = "