Fix fixed position mitigation bypass via use of !important

Reported by nullcathedral

Author: alecpl

CHANGELOG.md

@@ -14,6 +14,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
 - Security: Fix IMAP Injection + CSRF bypass in mail search
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
+- Security: Fix fixed position mitigation bypass via use of !important
 
 ## 1.7-rc4
 

program/lib/Roundcube/rcube_utils.php

@@ -552,7 +552,7 @@ public static function sanitize_css_block($styles, $url_callback = null)
             if ($property == 'page') {
                 // Remove 'page' attributes (#7604)
                 continue;
-            } elseif ($property == 'position' && strcasecmp($value, 'fixed') === 0) {
+            } elseif ($property == 'position' && stripos($value, 'fixed') !== false) {
                 // Convert position:fixed to position:absolute (#5264)
                 $value = 'absolute';
             } elseif (preg_match('/expression|image-set/i', $value)) {

tests/Framework/UtilsTest.php

@@ -341,6 +341,9 @@ public function test_mod_css_styles_xss()
         $mod = \rcube_utils::mod_css_styles('.test { position: fixed; top: 0;', 'rcmbody');
         $this->assertSame('#rcmbody .test { position: absolute; top: 0; }', $mod, 'Replace position:fixed with position:absolute (6)');
 
+        $mod = \rcube_utils::mod_css_styles('.test { position: fixed !important; }', 'rcmbody');
+        $this->assertSame('#rcmbody .test { position: absolute; }', $mod, 'Replace position:fixed with position:absolute (7)');
+
         // allow data URIs with images (#5580)
         $mod = \rcube_utils::mod_css_styles('body { background-image: url(data:image/png;base64,123); }', 'rcmbody');
         $this->assertStringContainsString('#rcmbody { background-image: url(data:image/png;base64,123);', $mod, 'Data URIs in url() allowed [1]');