Fixed in Git and Horde 3.3.9.

Git commit:
http://lists.horde.org/archives/commits/2010-May/003766.html

FW_3 CVS commit:
http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/Attic/xss.php?sa=1&r1=1.1.2.19&r2=1.1.2.20

This patch is not working for all cases, but this new version of the 
patch it's working, at least for me.

Hi,

Attached a patch in case the link has two hrefs with data URLs

Changes have been made in CVS for this ticket:

Bug: 8715
Fix XSS vulnerability.
http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/Attic/xss.php?rt=horde&r1=1.1.2.18&r2=1.1.2.19&ty=u
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.583&r2=1.515.2.584&ty=u

Changes have been made in CVS for this ticket:

Bug: 8715
changelog
http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.1288&r2=1.1289&ty=u

Changes have been made in Git for this ticket:

Bug #8715: Fix XSS vulnerability.

  create mode 100644 
framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html
http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php?rt=horde-git&r1=b985abda1822ab9fde68d9e4dc7dcd16b6d6ebbc&r2=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a
http://git.horde.org/diff.php/framework/Text_Filter/package.xml?rt=horde-git&r1=f40aebaffdde11d95282b77c9ca7018cffcb61dd&r2=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a
http://git.horde.org/co.php/framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html?rt=horde-git&r=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a
http://git.horde.org/diff.php/framework/Text_Filter/test/Horde/Text/Filter/xss.phpt?rt=horde-git&r1=8459795203b644a096720099c4f22d4cdc39dc49&r2=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a

Of course attempting to blacklist HTML attributes/elements to fix all 
security issues is dangerous.  That is why we disable HTML inline 
viewing by default.  But a large portion of users want/need this 
inline display and are willing to view these parts even with the 
understanding that the filtering may not be 100% accurate.

That being said, thanks for your examples.  It is clear that we need 
to filter *any* data information contained in the href parameter.

I'm going to go ahead and add this to git and CVS FW_3.  Will leave 
this ticket open for a few days for additional feedback.

Don't forget about other content types. For example, if the data is 
the base64 encoding of:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
      PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <!--a75c305b1c0a6022--><title>Test</title>
   </head>
   <body>
     <script type="text/javascript">alert(document.cookie)</script>
   </body>
</html>

Then, the attacker can also use a link with the following URI:

data:application/xhtml+xml;base64,<encoding of above>

And this is not the only one. If the use the content types text/xml or 
application/xml, the page will be parsed as a xml document. In the 
script, document has now type XMLDocument, and doesn't have the 
property cookie. We can still write something like:

<script type="text/javascript">
if (undefined === document.cookie)
   window.location.replace(window.location.href.replace("text/xml", 
"application/xhtml+xml"))
else
   alert(document.cookie)
</script>
The same for application/xml, or more elaborate code to take care of 
various cases.

I just tested this four cases, text/html, text/xml, application/xml, 
application/xhtml+xml and I don't know if there are others.

I don't have a better suggestion for you, so I just leave the comment 
that blacklisting can be dangerous.

Thank you for your time.

Attachments are not private anyway. :)

Your patch seems to do its job, attached is a test case.

I'm not sure how far Firefox can be tricked to consider a link as a 
data scheme. I'm thinking of variants of "data:text/html".

How about this?

.