From 14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Mon, 23 Nov 2009 22:15:43 -0700
Subject: [PATCH] Bug #8715: Fix XSS vulnerability.

---
 framework/Text_Filter/lib/Horde/Text/Filter/Xss.php | 9 +++++++++
 framework/Text_Filter/package.xml | 3 ++-
 framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html | 1 +
 framework/Text_Filter/test/Horde/Text/Filter/xss.phpt | 2 ++
 4 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html

diff --git a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
index ad26f4ee1..1498c75bd 100644
--- a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
+++ b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
@@ -196,6 +196,15 @@ class Horde_Text_Filter_Xss extends Horde_Text_Filter
 $patterns[$pattern] = '<$1' . $this->_params['replace'] . '_tag';
 }

+ /* Strip out data URLs living in an A HREF element (Bug #8715). */
+ $malicious = '/<((?:a|�*65;?|�*41;?|�*97;?|�*61;?)\b[^>]+?)' .
+ '(?:h|�*72;?|�*48;?|�*104;?|�*68;?)\s*' .
+ '(?:r|�*82;?|�*52;?|�*114;?|�*72;?)\s*' .
+ '(?:e|�*69;?|�*45;?|�*101;?|�*65;?)\s*' .
+ '(?:f|�*70;?|�*46;?|�*102;?|�*66;?)\s*=' .
+ '("|\')?\s*data:(?(2)[^"\')>]*|[^\s)>]*)(?(2)\\2)/is';
+ $patterns[$malicious] = '<$1';
+
 /* Comment out style/link tags. */
 if ($this->_params['strip_styles']) {
 if ($this->_params['strip_style_attributes']) {
diff --git a/framework/Text_Filter/package.xml b/framework/Text_Filter/package.xml
index 8a9a69bcb..47594442b 100644
--- a/framework/Text_Filter/package.xml
+++ b/framework/Text_Filter/package.xml
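Review bot: A `data:` URL inside a quoted href still gets past the new `$malicious` pattern whenever the value contains `)` or `>`: the quoted branch `(?(2)[^"\')>]*|…)` stops at that character, `(?(2)\\2)` then cannot find the closing quote, the whole match fails and the tag is left intact — e.g. `<a href="data:text/html,…alert(1)…">` keeps its href, unless some other pattern outside this hunk handles `data:` first. The `)` exclusion looks carried over from a CSS `url()` pattern; for an attribute value the quoted branch should run to the matching quote only, e.g. `'("|\')?\s*data:(?(2)(?:(?!\\2)[^>])*|[^\s>]*)(?(2)\\2)/is';` (the unquoted branch is fine as is, since its partial match still removes the `data:` prefix). Separately, the attribute name tolerates entity-encoded letters but the scheme must be the literal `data:`, so `d&#97;ta:` in the value slips through if entities are not decoded before this filter runs, and the `\b` after `a` means `<area href="data:…">` is not covered at all. The new xss96.html fixture should gain a quoted variant containing `)` so the fix is pinned by the phpt run; the enclosing method continues outside this hunk.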
@@ -37,7 +37,8 @@ http://pear.php.net/dtd/package-2.0.xsd">
 beta
 LGPL
- * Add support for Google Closure Compiler in javascript minfiy filter.
+ * Add XSS filtering for data URLs in A HREF parameters (Bug #8715).
+ * Add support for Google Closure Compiler in javascript minfiy filter.
 * Fix dimming signatures when mixed with quoted text (Bug #4299).
 * Added javscript minify filter.
 * Add support for using the tidy extension when filtering HTML data.
diff --git a/framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html b/framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html
new file mode 100644
index 000000000..74e5d2e78
--- /dev/null
+++ b/framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html
@@ -0,0 +1 @@
+Click me
diff --git a/framework/Text_Filter/test/Horde/Text/Filter/xss.phpt b/framework/Text_Filter/test/Horde/Text/Filter/xss.phpt
index f6fdd5066..84c8fade3 100644
--- a/framework/Text_Filter/test/Horde/Text/Filter/xss.phpt
+++ b/framework/Text_Filter/test/Horde/Text/Filter/xss.phpt
@@ -221,6 +221,8 @@ xss84.html
 xss85.html
 PT SRC="http://ha.ckers.org/a.js">
+xss96.html
+Click me
 xss97.html
 xss98.html
-- 
2.11.0