From 2d016751399ed0f4159e72a6cbcd63694a84dabf Mon Sep 17 00:00:00 2001
From: Ilia Ross <ilia@ross.gdn>
Date: Sun, 17 May 2026 14:32:10 +0200
Subject: [PATCH] Fix reflected XSS in Webmin status messages

* Note: Escape the /webmin/ message parameter, strip restart redirect HTML to plain text, and harden filter_javascript().
---
 t/web-lib-funcs-filter_javascript.t | 39 +++++++++++++++++++++++++++++
 web-lib-funcs.pl                    |  9 +++++--
 webmin/index.cgi                    |  2 +-
 webmin/webmin-lib.pl                | 10 +++++++-
 4 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 t/web-lib-funcs-filter_javascript.t

diff --git a/t/web-lib-funcs-filter_javascript.t b/t/web-lib-funcs-filter_javascript.t
new file mode 100644
index 000000000..aa87e936c
--- /dev/null
+++ b/t/web-lib-funcs-filter_javascript.t
@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+# Tests for web-lib-funcs.pl filter_javascript.
+
+use strict;
+use warnings;
+use Test::More;
+use File::Basename qw(dirname);
+use File::Spec;
+
+my $script = File::Spec->rel2abs(
+	File::Spec->catfile(dirname(__FILE__), '..', 'web-lib-funcs.pl'));
+require $script;
+
+is(
+	main::filter_javascript('<video/onloadstart=alert(1) src=1>'),
+	'<video/xonloadstart=alert(1) src=1>',
+	'slash-separated HTML5 event handler is disabled',
+);
+
+is(
+	main::filter_javascript('<img src=x onload=alert(1)>'),
+	'<img src=x xonload=alert(1)>',
+	'classic event handler is disabled',
+);
+
+is(
+	main::filter_javascript('<div onwheel = alert(1) onpointerdown=alert(2)>'),
+	'<div xonwheel = alert(1) xonpointerdown=alert(2)>',
+	'multiple modern event handlers are disabled',
+);
+
+is(
+	main::filter_javascript(
+		'<a data-onload="safe" href="javascript:alert(1)">link</a>'),
+	'<a data-onload="safe" href="xjavascript:alert(1)">link</a>',
+	'non-handler attributes are preserved while script URIs are disabled',
+);
+
+done_testing();
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 138847899..920949c74 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -10179,10 +10179,15 @@ sub filter_javascript
 my ($rv, $type) = @_;
 if (!$type || $type eq 'html') {
 	$rv =~ s/<\s*script[^>]*>([\000-\377]*?)<\s*\/script\s*>//gi;
-	$rv =~ s/(on(Abort|BeforeUnload|Blur|Change|Click|ContextMenu|Copy|Cut|DblClick|Drag|DragEnd|DragEnter|DragLeave|DragOver|DragStart|DragDrop|Drop|Error|Focus|FocusIn|FocusOut|HashChange|Input|Invalid|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseEnter|MouseLeave|MouseMove|MouseOut|MouseOver|MouseUp|Move|Paste|PageShow|PageHide|Reset|Resize|Scroll|Search|Select|Submit|Toggle|Unload)=)/x$1/gi;
 	$rv =~ s/(javascript(:|&colon;|&#58;|&#x3A;))/x$1/gi;
 	$rv =~ s/(vbscript(:|&colon;|&#58;|&#x3A;))/x$1/gi;
-	$rv =~ s/<([^>]*\s|)(on\S+=)(.*)>/<$1x$2$3>/gi;
+	my $event_attr = qr/on[a-z][a-z0-9_:-]*\s*=/i;
+	my $event_attrs;
+	do {
+		$event_attrs = 0;
+		$event_attrs += $rv =~ s{(<[^>]*?)([\s/]+)($event_attr)}{$1$2x$3}g;
+		$event_attrs += $rv =~ s{(<)($event_attr)}{$1x$2}g;
+		} while ($event_attrs);
 	}
 if ($type eq 'pdf') {
 	$rv =~ s/([\n]*)<<[\n((?:.*?|\n)*?)][\w\s\/]+[\n((?:.*?|\n)*?)][\w\s\/]+JavaScript[\w\s\/]*[\n((?:.*?|\n)*?)][\w\s\/]+\s.*?>>[\n]*/$1/gmsi;
diff --git a/webmin/index.cgi b/webmin/index.cgi
index 6db8c571d..213f9bc54 100755
--- a/webmin/index.cgi
+++ b/webmin/index.cgi
@@ -83,7 +83,7 @@ for(my $i=0; $i<@wlinks; $i++) {
 		}
 	}
 
-print &ui_alert_box(&filter_javascript($in{'message'}), 'success', undef, 1,
+print &ui_alert_box(&html_escape($in{'message'}), 'success', undef, 1,
 		    &html_escape($in{'title'})) if ($in{'message'});
 
 &icons_table(\@wlinks, \@wtitles, \@wicons);
diff --git a/webmin/webmin-lib.pl b/webmin/webmin-lib.pl
index 0e74543a7..86c3c1f64 100755
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -1962,7 +1962,15 @@ my ($title, $msg) = @_;
 if (!$gconfig{'restart_async'}) {
 	&restart_miniserv();
 	my $msg_redir = "";
-	$msg_redir = "?title=".&urlize($title)."&message=".&urlize($msg) if $msg;
+	if ($msg) {
+		$title = defined($title) ? &html_strip($title, " ") : "";
+		$msg = &html_strip($msg, " ");
+		$title =~ s/\s+/ /g;
+		$title =~ s/^\s+|\s+$//g;
+		$msg =~ s/\s+/ /g;
+		$msg =~ s/^\s+|\s+$//g;
+		$msg_redir = "?title=".&urlize($title)."&message=".&urlize($msg);
+		}
 	&redirect($msg_redir);
 	return;
 	}