Prevent HTML injection in labels from unchecked sources

Authored by bruns on Nov 10 2019, 4:31 PM.

Description

Prevent HTML injection in labels from unchecked sources

Summary:
Properties from arbitrary sources may contain any character, including
valid Qt richtext (HTML subset) sequences. In the best case, this only
causes parsing and display issues, but it may also inject malicious links:
<a href="http://malicous.domain/">inconspicuous</a>.

The originUrl value is not affected, as QUrl percent-encodes '<' and '>'
and thus cannot contain any HTML tags. Explicitly cast the originUrl
QVariant to QUrl, which is always valid for values coming from KFileMetadata.

This affects all versions prior to 19.08.00. D21470 accidentally disabled
interactive links in the labels, thus malicious links are disabled.

Depends on D25239

Test Plan:

  1. Create a document with e.g. a title resembling HTML tags
  2. Text should be rendered verbatim

Reviewers: Baloo, ngraham, astippich

Reviewed By: Baloo, ngraham

Tags: Baloo

Differential Revision: https://phabricator.kde.org/D25240
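The two halves of the fix described above, as an added example that is not code from the Baloo commit or from Qt. It is plain C++ so it builds without Qt: htmlEscape() mirrors what QString::toHtmlEscaped() does to '&', '<', '>' and '"', and percentEncodeUrl() models the commit's statement that QUrl percent-encodes '<' and '>' (both are assumptions about Qt behaviour, implemented here by hand). labelUnsafe() is the pre-fix pattern of pasting a property value straight into a rich-text label; labelSafe() is the escaped form. The title string is constructed test input.

```cpp
#include <iostream>
#include <string>

// Constructed input: a document title that is really a rich-text link.
const std::string kConstructedTitle =
    "<a href=\"http://malicous.domain/\">unconspicious</a>";

// Escape the characters that are significant in a Qt rich-text (HTML subset)
// context. Assumption: this is the same set QString::toHtmlEscaped() handles.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '"': out += "&quot;"; break;
        default:  out += c;
        }
    }
    return out;
}

// Model of why the originUrl path is safe once the value is typed as a URL:
// '<', '>', '"' and space are percent-encoded, so no tag can survive in the
// string that reaches the label. Assumption: QUrl behaves this way for '<'/'>'.
std::string percentEncodeUrl(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        if (c == '<' || c == '>' || c == '"' || c == ' ') {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Before the fix: the property value is concatenated into the rich-text label
// unchanged, so a value containing markup becomes live markup.
std::string labelUnsafe(const std::string &name, const std::string &value) {
    return "<b>" + name + ":</b> " + value;
}

// After the fix: only the widget's own markup is interpreted; the value is
// escaped and therefore rendered verbatim, as the test plan requires.
std::string labelSafe(const std::string &name, const std::string &value) {
    return "<b>" + name + ":</b> " + htmlEscape(value);
}

// Detection helper for the check: does the label text still carry an anchor
// tag that the widget itself did not emit?
bool containsAnchorTag(const std::string &html) {
    return html.find("<a ") != std::string::npos;
}

int main() {
    std::cout << "unsafe: " << labelUnsafe("Title", kConstructedTitle) << "\n";
    std::cout << "safe:   " << labelSafe("Title", kConstructedTitle) << "\n";
    std::cout << "url:    " << percentEncodeUrl("http://host/" + kConstructedTitle) << "\n";
    return 0;
}
```

Note that the escaping belongs at the point where the value enters the rich-text string, not earlier: escaping a value that will later be shown through a plain-text widget would display literal `&lt;` sequences instead.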

Details

Committed
bruns, Nov 11 2019, 1:26 AM
Reviewer
Baloo
Differential Revision
D25240: Prevent HTML injection in labels from unchecked sources
Parents
R824:84a0d9b23297: Do not mangle angle brackets in value widgets