From 58f53be96b67b0e06072b03f39d08fede21f8503 Mon Sep 17 00:00:00 2001
From: Michael M Slusarz <slusarz@curecanti.org>
Date: Mon, 23 Nov 2009 22:15:43 -0700
Subject: [PATCH 2/2] Bug #8715: Fix XSS vulnerability
---
.../Text_Filter/lib/Horde/Text/Filter/Xss.php | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
index ad26f4e..4d0b598 100644
--- a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
+++ b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
@@ -196,6 +196,15 @@ class Horde_Text_Filter_Xss extends Horde_Text_Filter
$patterns[$pattern] = '<$1' . $this->_params['replace'] . '_tag';
}
+ /* Strip out html data living within an A HREF element (Bug #8715). */
+ $malicious = '/<((?:a|�*65;?|�*41;?|�*97;?|�*61;?)\b[^>]+?)' .
+ '(?:h|�*72;?|�*48;?|�*104;?|�*68;?)\s*' .
+ '(?:r|�*82;?|�*52;?|�*114;?|�*72;?)\s*' .
+ '(?:e|�*69;?|�*45;?|�*101;?|�*65;?)\s*' .
+ '(?:f|�*70;?|�*46;?|�*102;?|�*66;?)\s*=' .
+ '("|\')?data:text\/html;(?(2)[^"\')>]*|[^\s)>]*)(?(2)\\2)/is';
+ $patterns[$malicious] = '<$1';
+
/* Comment out style/link tags. */
if ($this->_params['strip_styles']) {
if ($this->_params['strip_style_attributes']) {
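Review bot: The attribute matcher on the line ending `\s*=' .` allows whitespace before the `=` but none after it, so an anchor written with legal HTML spacing such as `href= "data:text/html;..."` is not rewritten; change `\s*=' .` to `\s*=\s*' .` so both sides of the separator are tolerated. The last pattern line also requires a `;` immediately after `data:text\/html`, while the data-URI grammar lets the payload follow the media type directly after `,`, so the separator should accept either form, e.g. `data:text\/html[;,]`. The numeric-entity alternatives (`�*65;?` and so on) appear mis-encoded in this rendering and seem to cover only decimal `&#…;` spellings; whether hexadecimal entity forms are normalised elsewhere in this filter should be confirmed before relying on this pattern alone. The enclosing method begins before and ends after this hunk.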
--
1.6.5.3