Fix mangled non-ASCII characters in links in HTML messages (#6028)

roundcube · Nov 8, 2017 · 46faac4 · 46faac4
1 parent 3b439ec
commit 46faac4
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -4,6 +4,7 @@ CHANGELOG Roundcube Webmail
 - Fix decoding of mailto: links with + character in HTML messages (#6020)
 - Fix false reporting of failed upgrade in installto.sh (#6019)
 - Fix file disclosure vulnerability caused by insuficient input validation in relation to attachment plugins (#6026)
+- Fix mangled non-ASCII characters in links in HTML messages (#6028)
 
 RELEASE 1.3.2
 -------------

diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
@@ -349,7 +349,10 @@ public static function attrib_string($attrib = array(), $allowed = null)
     public static function parse_attrib_string($str)
     {
         $attrib = array();
-        $html   = '<html><body><div ' . rtrim($str, '/ ') . ' /></body></html>';
+        $html   = '<html>'
+            . '<head><meta http-equiv="Content-Type" content="text/html; charset=' . RCUBE_CHARSET . '" /></head>'
+            . '<body><div ' . rtrim($str, '/ ') . ' /></body>'
+            . '</html>';
 
         $document = new DOMDocument('1.0', RCUBE_CHARSET);
         @$document->loadHTML($html);

diff --git a/tests/Framework/Html.php b/tests/Framework/Html.php
@@ -117,6 +117,10 @@ function data_parse_attrib_string()
                 'expression="test == true ? \' test\' : \'\'" ',
                 array('expression' => 'test == true ? \' test\' : \'\''),
             ),
+            array(
+                'href="http://domain.tld/страница"',
+                array('href' => 'http://domain.tld/страница'),
+            ),
         );
     }