From 58f53be96b67b0e06072b03f39d08fede21f8503 Mon Sep 17 00:00:00 2001
From: Michael M Slusarz <slusarz@curecanti.org>
Date: Mon, 23 Nov 2009 22:15:43 -0700
Subject: [PATCH 2/2] Bug #8715: Fix XSS vulnerability

---
 .../Text_Filter/lib/Horde/Text/Filter/Xss.php      |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
index ad26f4e..4d0b598 100644
--- a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
+++ b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
@@ -196,6 +196,15 @@ class Horde_Text_Filter_Xss extends Horde_Text_Filter
             $patterns[$pattern] = '<$1' . $this->_params['replace'] . '_tag';
         }
 
+        /* Strip out html data living within an A HREF element (Bug #8715). */
+        $malicious = '/<((?:a|&#0*65;?|&#0*41;?|&#0*97;?|&#0*61;?)\b[^>]+?)' .
+            '(?:h|&#0*72;?|&#0*48;?|&#0*104;?|&#0*68;?)\s*' .
+            '(?:r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
+            '(?:e|&#0*69;?|&#0*45;?|&#0*101;?|&#0*65;?)\s*' .
+            '(?:f|&#0*70;?|&#0*46;?|&#0*102;?|&#0*66;?)\s*=' .
+            '("|\')?data:text\/html;(?(2)[^"\')>]*|[^\s)>]*)(?(2)\\2)/is';
+        $patterns[$malicious] = '<$1';
+
         /* Comment out style/link tags. */
         if ($this->_params['strip_styles']) {
             if ($this->_params['strip_style_attributes']) {
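Review bot: The hex-entity alternatives in the new `$malicious` pattern are inconsistent: only the `r` group (third line) spells them as `&#x0*52;`/`&#x0*72;`, while the `a`, `h`, `e` and `f` groups write `&#0*41;`, `&#0*48;`, `&#0*45;`, `&#0*46;` etc. without the `x`, which makes them decimal references for `)`, `0`, `-`, `.` and similar rather than for the intended letters, so an `href` spelled with hex entities (e.g. `&#x68;ref=`) is still not caught in four of the five positions. Grouping the decimal and hex code points per letter makes the intent obvious and closes that gap; the `/i` flag already covers `&#X`. Separately, the tail only matches a literal `data:text/html;`, so a URI written as `data:text/html,...` (no parameters) appears to pass through untouched — worth confirming against the bug report. The enclosing method begins and ends outside this hunk.
```php
/* Strip out html data living within an A HREF element (Bug #8715).
 * Each letter accepts its literal, decimal (&#NN;) and hex (&#xNN;) forms. */
$malicious = '/<((?:a|&#0*(?:65|97);?|&#x0*(?:41|61);?)\b[^>]+?)' .
    '(?:h|&#0*(?:72|104);?|&#x0*(?:48|68);?)\s*' .
    '(?:r|&#0*(?:82|114);?|&#x0*(?:52|72);?)\s*' .
    '(?:e|&#0*(?:69|101);?|&#x0*(?:45|65);?)\s*' .
    '(?:f|&#0*(?:70|102);?|&#x0*(?:46|66);?)\s*=' .
    '("|\')?data:text\/html;(?(2)[^"\')>]*|[^\s)>]*)(?(2)\\2)/is';
// … unchanged: $patterns[$malicious] = '<$1'; …
```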
-- 
1.6.5.3