Fix bug where comment notation within style tag would cause the whole…

… style to be ignored (#5747)
roundcube · May 5, 2017 · dade481 · dade481
1 parent 5b741ab
commit dade481
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail
 - Fix bug where invalid recipients could be silently discarded (#5739)
 - Fix conflict with _gid cookie of Google Analytics (#5748)
 - Print error from CLI scripts when system/exec function is disabled (#5744)
+- Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
 
 RELEASE 1.3-rc
 --------------

diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
@@ -489,6 +489,7 @@ public static function xss_entity_decode($content)
         $callback = function($matches) { return chr(hexdec($matches[1])); };
 
         $out = html_entity_decode(html_entity_decode($content));
+        $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
         $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $callback, $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);
         $out = strip_tags($out);

diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
@@ -227,6 +227,10 @@ function test_xss_entity_decode()
 
         $mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
         $this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
+
+        // #5747
+        $mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
+        $this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
     }
 
     /**