Fix for [ 545933 ] Cross-site scripting vulnerability.
authorgraf25 <graf25@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Fri, 19 Apr 2002 03:52:36 +0000 (03:52 +0000)
committergraf25 <graf25@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Fri, 19 Apr 2002 03:52:36 +0000 (03:52 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@2750 7612ce4b-ef26-0410-bec9-ea0150e637f0

functions/mime.php

index 4451dbfce8ea27ca42d8cafbb444243ca782a991..14caa71b5a4cb6c447bd5e6fef1bb3287faab272 100644 (file)
@@ -1361,6 +1361,22 @@ function stripEvent( &$i, $j, &$body, $id, $base ) {
 
     while ( $body{$i} <> '>' &&
            $i < $j ) {
+        /**
+         * [ 545933 ] Cross-site scripting vulnerability
+         * <hr>
+         * <img x="<foo>" src=javascript:alert(1) y="</foo>">
+         * <hr>
+         *
+         * This code will ignore anything within the quotes
+         * so they don't mess us up.
+         */
+        if ( $body{$i} == '"' || $body{$i} == "'" ){
+            $quotechar = $body{$i};
+            do {
+                $ret .= $body{$i};
+                $i++;
+            } while ($body{$i} != $quotechar && $i < $j);
+        }
         $etg = strtolower($body{$i}.$body{$i+1}.$body{$i+2});
         switch( $etg ) {
         case 'src':
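Review bot: The inner `do … while` can exit because `$i` reached `$j` (an unterminated quote), and execution then falls through to `$etg = strtolower($body{$i}.$body{$i+1}.$body{$i+2})` without re-checking the bound, so the scan reads at and past `$j`; adding `if ( $i >= $j ) break;` right after the `do … while` would stop it there. The loop condition also reads `$body{$i}` before testing `$i < $j`; `while ( $i < $j && $body{$i} != $quotechar )` puts the index check first. When the loop stops on the closing quote, that character is not appended to `$ret` here and `$i` still points at it, so whether it is emitted exactly once, and not taken as a new opening quote on the next pass, depends on the rest of stripEvent's loop body, which lies outside the hunk. Everything between the quotes is copied to `$ret` without passing through the `switch`, so it is worth confirming that none of the cases below were relied on to inspect quoted attribute values, and saying so in the comment block.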