Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3590576 by nullcathedral
When allow_remote is set to false, Roundcube's HTML sanitizer rcube_washtml blocks external resources by validating URI attributes through wash_uri(). For SVG SMIL animation elements (<animate>, <set>, etc.), the "to" and "from" attributes are correctly validated by resolving the attributeName and routing through the appropriate URI check (washtml.php L302-308).
However, the "values" and "by" attributes are both in the allowed attributes list ($html_attribs) and fall through to the generic pass-through at L335-336 with no URI validation whatsoever. Additionally, the element-level animation block at L573-574 only blocks animations targeting attributeName="href" (the CVE-2024-37383 fix), allowing animations targeting mask, cursor, and other resource-loading attributes to pass through.
Combined, these two gaps allow an attacker to use SMIL animations to load arbitrary external URLs, bypassing allow_remote=false.
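An added example, not taken from the report or from Roundcube's code: a Python check that can be run over sanitizer output in a regression test to flag SMIL animation elements whose to, from, by or values attribute still carries an absolute or protocol-relative URL. The function and class names, the sample markup and the tracker.example.invalid host are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# SMIL animation elements (HTMLParser lowercases tag and attribute names).
SMIL_TAGS = {"animate", "set", "animatetransform", "animatemotion"}
# Attributes that carry animated values; per the report only to/from were URI-checked.
VALUE_ATTRS = ("to", "from", "by", "values")
# Absolute or protocol-relative URL at the start of a token, e.g. inside url(...).
EXTERNAL = re.compile(r"(?:^|[\s;,('\"])((?:https?:|ftp:)?//[^\s;,)'\"]+)", re.I)


class SmilAudit(HTMLParser):
    """Collects (tag, attributeName, attribute, url) for external references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via the default handle_startendtag.
        if tag not in SMIL_TAGS:
            return
        attr_map = {name: (value or "") for name, value in attrs}
        target = attr_map.get("attributename", "")
        for name in VALUE_ATTRS:
            for url in EXTERNAL.findall(attr_map.get(name, "")):
                self.findings.append((tag, target, name, url))


def audit_sanitized_html(html):
    """Return external URLs left in SMIL value attributes of sanitized HTML."""
    parser = SmilAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample standing in for sanitizer output with allow_remote=false.
SAMPLE = """
<svg><rect width="10" height="10">
  <animate attributeName="mask" values="url(//tracker.example.invalid/a.svg#m)" dur="1s"/>
  <animate attributeName="cursor" by="url(https://tracker.example.invalid/c.png)"/>
  <animate attributeName="opacity" values="0;1;0" dur="2s"/>
  <animate attributeName="fill" to="url(#localGradient)"/>
</rect></svg>
"""

if __name__ == "__main__":
    for finding in audit_sanitized_html(SAMPLE):
        print("external reference survived sanitization:", finding)
```

Any finding on output produced with allow_remote=false means a remote reference got past the sanitizer; numeric value lists and same-document url(#id) references are not reported.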
mask animation