Fix XSS issue in href attribute on area tag (#5240, #5241)

Conflicts:

	CHANGELOG

CHANGELOG

@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue in href attribute on area tag (#5240)
+
 RELEASE 1.0.9
 -------------
 - Fix a regression where some contact data was missing in export and PHP warnings were logged (Kolab #4522)

program/lib/Roundcube/rcube_washtml.php

@@ -366,7 +366,7 @@ private function wash_uri($uri, $blocked_source = false)
      */
     private function is_link_attribute($tag, $attr)
     {
-        return $tag == 'a' && $attr == 'href';
+        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
     }
 
     /**

tests/Framework/Washtml.php

@@ -37,6 +37,23 @@ function test_href()
         $this->assertRegExp('|href="http://test.com">|', $washed, "Link href with newlines (#1488940)");
     }
 
+    /**
+     * Test XSS in area's href (#5240)
+     */
+    function test_href_area()
+    {
+        $html = '<p><area href="data:text/html,&lt;script&gt;alert(document.cookie)&lt;/script&gt;">'
+            . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>'
+            . '<area href="javascript:alert(document.domain)" shape=default>';
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
+        $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
+        $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
+    }
+
     /**
      * Test handling HTML comments
      */