| commit | 60f84b7b8616baaaa544e564e09e7d9c254561c2 | |
| author | Jan Kundrát <jkt@kde.org> | |
| Thu, 4 Jun 2015 12:54:04 +0000 (4 14:54 +0200) | ||
| committer | Jan Kundrát <jkt@kde.org> | |
| Thu, 4 Jun 2015 14:54:33 +0000 (4 16:54 +0200) | ||
| tree | 229bd7c3f14d9c432653032ad40ab731d5352e22 | treesnapshot (tar.gz zip) |
| parent | 202a1757db3d5ac9ce2a7e35a395ab1db743d8c1 | commitdiff |
Escape HTML code in tooltips
Qt has always enabled (a subset of) HTML in tooltips. We even make use
of this property in tooltips of the folder view.
Trojita is however feeding potentially untrusted input into them
(message subjects, senders/recipients etc.), so we have to take care of
proper escaping.
As far as I know, this is *not* remotely exploitable because QToolTip
uses a QLabel which in turn uses QTextDocument which ends up calling
QImageReader in the end, and that class apparently does not contain any
code for actual remote access. It still presents some opportunities for
at least confusing the user by embarrassingly interpreting the
accidental or malicious HTML markup.
The wrapper has to use artificial <span> wrapping, otherwise quotes and
other special chars get rendered as their HTML escape sequences, which
is bad of course. Another benefit of using this wrapper is that we don't
have to clutter the code by numerous #ifdefs due to Qt4/Qt5 support.
Change-Id: Ie550f9854aff566f7ef237a3497d7a75ccf1c33f
Qt has always enabled (a subset of) HTML in tooltips. We even make use
of this property in tooltips of the folder view.
Trojita is however feeding potentially untrusted input into them
(message subjects, senders/recipients etc.), so we have to take care of
proper escaping.
As far as I know, this is *not* remotely exploitable because QToolTip
uses a QLabel which in turn uses QTextDocument which ends up calling
QImageReader in the end, and that class apparently does not contain any
code for actual remote access. It still presents some opportunities for
at least confusing the user by embarrassingly interpreting the
accidental or malicious HTML markup.
The wrapper has to use artificial <span> wrapping, otherwise quotes and
other special chars get rendered as their HTML escape sequences, which
is bad of course. Another benefit of using this wrapper is that we don't
have to clutter the code by numerous #ifdefs due to Qt4/Qt5 support.
Change-Id: Ie550f9854aff566f7ef237a3497d7a75ccf1c33f