Fix XSS issue in handling of CDATA in HTML messages

CHANGELOG

@@ -25,6 +25,7 @@ CHANGELOG Roundcube Webmail
 - Make install-jsdeps.sh script working without the 'file' program installed (#7325)
 - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
 - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
+- Security: Fix XSS issue in handling of CDATA in HTML messages
 
 RELEASE 1.4.3
 -------------

program/lib/Roundcube/rcube_washtml.php

@@ -548,9 +548,6 @@ class rcube_washtml
                 break;
 
             case XML_CDATA_SECTION_NODE:
-                $dump .= $node->nodeValue;
-                break;
-
             case XML_TEXT_NODE:
                 $dump .= htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->config['charset']);
                 break;

tests/Framework/Washtml.php

@@ -506,4 +506,17 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
 
         $this->assertContains('First line', $washed);
     }
+
+    /**
+     * Test CDATA cleanup
+     */
+    function test_cdata()
+    {
+        $html = '<p><![CDATA[<script>alert(document.cookie)</script>]]></p>';
+
+        $washer = new rcube_washtml;
+        $washed = $washer->wash($html);
+
+        $this->assertTrue(strpos($washed, '<script>') === false, "CDATA content");
+    }
 }