Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3590583 by nullcathedral
When allow_remote is set to false, Roundcube's HTML sanitizer rcube_washtml blocks external resources in image-loading attributes by checking their values through wash_uri().
The body callback washtml_callback() in index.php takes the background attribute of the email's <body> element and builds an inline background-image: url(VALUE) style on the output container <div>. VALUE is inserted into url() without quoting. It does pass through wash_uri() first, but wash_uri() accepts data:image/* URIs, and a crafted data: URI containing ) closes the url() function early, so the remainder of the value is parsed as further CSS declarations and arbitrary properties can be injected into the container's inline style.
Because the injected CSS lands in the style attribute of the container <div> rather than in a <style> block, it never goes through the mod_css_styles() URL callback, so an injected background:url(//evil.com) or border-image:url(//evil.com) loads an external resource even when allow_remote=false.
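As an added illustration (not code from the report or from Roundcube), the following Python models the unquoted url() construction described above beside a quoted-and-escaped variant, splits each resulting inline style the way a CSS parser would, and lists which url() targets would be fetched over the network. The payload, the evil.example host, the base64 body and every function name are constructed for this example; the strict data: URI allow-list at the end is an extra defence-in-depth check suggested here, not something the report proposes.

```python
import re

# Constructed sample values (not from the report). The first is a well-formed
# data: image that wash_uri() would reasonably accept; the second embeds ')'
# to close url() early and smuggle a second declaration into the style attribute.
CLEAN_URI = "data:image/gif;base64,R0lGODlhAQABAAAAACw="
PAYLOAD_URI = CLEAN_URI + "); background: url(//evil.example/x"


def vulnerable_body_style(background):
    """Model of the pattern described for the body callback: the attribute value
    is dropped into url() unquoted (illustrative, not Roundcube's own code)."""
    return "background-image: url(%s)" % background


def css_escape_for_string(value):
    """Backslash-hex-escape characters that could terminate a CSS string or a
    url(), plus control characters. The trailing space ends the hex escape so
    the following character is never absorbed into it."""
    out = []
    for ch in value:
        if ch in '"\'\\()' or ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%x " % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def hardened_body_style(background):
    """Same construction, but the value is quoted and escaped so a ')' in the
    attribute cannot break out of url()."""
    return 'background-image: url("%s")' % css_escape_for_string(background)


def split_declarations(style):
    """Split an inline style into (property, value) pairs roughly the way a
    browser does: ';' separates declarations only when it is outside quotes
    and outside parentheses (so the ';' inside an unquoted url(data:...) stays)."""
    decls, buf, depth, quote, i = [], [], 0, None, 0
    while i < len(style):
        ch = style[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(style):   # escaped char inside a string
                i += 1
                buf.append(style[i])
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == "(":
            depth += 1
            buf.append(ch)
        elif ch == ")":
            depth = max(0, depth - 1)
            buf.append(ch)
        elif ch == ";" and depth == 0:
            decls.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        decls.append("".join(buf))
    pairs = []
    for decl in decls:
        if ":" in decl:
            prop, val = decl.split(":", 1)
            if prop.strip():
                pairs.append((prop.strip().lower(), val.strip()))
    return pairs


URL_RE = re.compile(
    r'url\(\s*(?:"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([^)]*?))\s*\)', re.I)


def remote_urls(style):
    """Return every url() target in the style that is not a data: URI, i.e.
    what a browser would fetch over the network despite allow_remote=false."""
    found = []
    for m in URL_RE.finditer(style):
        target = (m.group(1) or m.group(2) or m.group(3) or "").strip()
        if not target.lower().startswith("data:"):
            found.append(target)
    return found


# Defence in depth (suggested here, not by the report): accept only data: images
# whose payload is a plain base64 body, which rules out ')' and whitespace.
DATA_IMAGE_RE = re.compile(r"^data:image/[a-z0-9.+-]+;base64,[A-Za-z0-9+/]+={0,2}$", re.I)


def is_plain_data_image(value):
    return DATA_IMAGE_RE.match(value) is not None


if __name__ == "__main__":
    for label, style in (("vulnerable", vulnerable_body_style(PAYLOAD_URI)),
                         ("hardened", hardened_body_style(PAYLOAD_URI))):
        print(label, "->", style)
        print("  declarations:", [p for p, _ in split_declarations(style)])
        print("  remote fetches:", remote_urls(style))
    print("strict data: check on payload:", is_plain_data_image(PAYLOAD_URI))
```

With the unquoted construction the payload yields two declarations, background-image and an injected background whose url() points at //evil.example/x; with the quoted-and-escaped construction the whole attribute stays one background-image declaration whose (now invalid) data: URI simply fails to decode, and nothing is fetched remotely. The strict allow-list rejects the payload outright while still accepting the clean data: image.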