diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c943cddb51..4bb5ae3fd7e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
- Fix PHP8 warnings (#9142, #9160)
- Fix default 'mime.types' path on Windows (#9113)
- Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
## Release 1.6.3
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 14464fcd4af..74d455ec99f 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -428,16 +428,17 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
}
}
else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+ $type = preg_replace('/\s/', '', $matches[1]);
+
// svg images can be insecure, we'll sanitize them
- if (stripos($matches[1], 'svg') !== false) {
+ if (stripos($type, 'svg') !== false) {
$svg = $matches[2];
- if (stripos($matches[1], ';base64') !== false) {
- $svg = base64_decode($svg);
- $type = $matches[1];
+ if (stripos($type, ';base64') !== false) {
+ $svg = base64_decode($svg);
}
else {
- $type = $matches[1] . ';base64';
+ $type .= ';base64';
}
$washer = new self($this->config);
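Review bot: The whitespace-stripped `$type` only closes the gap if the sanitised data: URI returned after this hunk is rebuilt from `$type` plus the base64 of the washed `$svg`, never from the original `$uri` or `$matches[2]`; that return lies outside the hunk, so the invariant deserves a why-comment at the new line 19 rather than the bare assignment. Suggested text: `// Browsers tolerate whitespace inside the media type (e.g. around ';base64') when parsing data: URIs, so normalise it before deciding whether to base64-decode; the washed SVG is re-emitted as base64 under this normalised type, so nothing the sender supplied is echoed back verbatim.` Two side effects of the new code are acceptable for the same reason but should be understood: `\s` removes more than the ASCII whitespace a browser strips (which only makes the svg/base64 checks stricter), and non-strict `base64_decode()` silently discards bytes outside the base64 alphabet, which would matter only if the decoded input were reused instead of re-encoded from the washer's output. wash_uri() begins before this hunk and continues past it, so the re-encoding assumption should be confirmed against the lines that follow.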
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index b49007fdebc..f9757f3871c 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -455,6 +455,24 @@ function data_wash_svg_tests()
'',
''
],
+ [
+ '',
+ ''
+ ],
+ [
+ '',
+ ''
+ ],
+ [
+ '',
+ ''
+ ],
];
}