Commit 4cb94129 authored by Stefan Brüns's avatar Stefan Brüns

Prevent HTML injection in labels from unchecked sources

Summary:
Properties from arbitrary sources may contain any character, also
valid Qt richtext (HTML subset) sequences. In best case, this only
causes parsing and display issues, but may also inject malicious links:
<a href="http://malicous.domain/">unconspicious</a>.

The originUrl value is not affected, as QUrl percent-encodes '<' and '>',
thus can not contain any HTML tags. Explicitly cast the originUrl
QVariant to QUrl, which is always valid for values coming from KFileMetadata.

This affects all versions prior to 19.08.00. D21470 accidentally disabled
interactive links in the labels, thus malicious links are disabled.

Depends on D25239

Test Plan:
# Create a document with e.g. a title resembling HTML tags
# Text should be rendered verbatirm

Reviewers: #baloo, ngraham, astippich

Reviewed By: #baloo, ngraham

Tags: #baloo

Differential Revision: https://phabricator.kde.org/D25240
parent 84a0d9b2
......@@ -120,12 +120,16 @@ QWidget* WidgetFactory::createWidget(const QString& prop, const QVariant& value,
}
else {
QString valueString;
QLabel* valueWidget = createValueWidget(parent);
auto pi = KFileMetaData::PropertyInfo::fromName(prop);
if (pi.name() == QLatin1String("originUrl")) {
valueString = value.toString();
//Shrink link label
auto url = value.toUrl();
valueString = url.toString();
// Shrink link label
auto labelString = KStringHandler::csqueeze(valueString, maxUrlLength);
valueString = QStringLiteral("<a href=\"%1\">%2</a>").arg(valueString, labelString);
valueWidget->setTextFormat(Qt::RichText);
} else if (pi.name() != QLatin1String("empty")) {
if (pi.valueType() == QVariant::DateTime || pi.valueType() == QVariant::Date) {
......@@ -137,7 +141,8 @@ QWidget* WidgetFactory::createWidget(const QString& prop, const QVariant& value,
valueString = toString(value, m_dateFormat);
}
widget = createValueWidget(valueString, parent);
valueWidget->setText(valueString);
widget = valueWidget;
}
widget->setForegroundRole(parent->foregroundRole());
......@@ -218,13 +223,13 @@ QSize ValueWidget::sizeHint() const
return metrics.size(Qt::TextSingleLine, text());
}
QWidget* WidgetFactory::createValueWidget(const QString& value, QWidget* parent)
QLabel* WidgetFactory::createValueWidget(QWidget* parent)
{
ValueWidget* valueWidget = new ValueWidget(parent);
valueWidget->setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
valueWidget->setTextFormat(Qt::PlainText);
valueWidget->setWordWrap(true);
valueWidget->setAlignment(Qt::AlignTop | Qt::AlignLeft);
valueWidget->setText(value);
connect(valueWidget, &ValueWidget::linkActivated, this, &WidgetFactory::slotLinkActivated);
return valueWidget;
......
......@@ -27,6 +27,7 @@
#include <QStringList>
class KJob;
class QLabel;
class QUrl;
class KCommentWidget;
class KRatingWidget;
......@@ -69,7 +70,7 @@ namespace Baloo {
QWidget* createRatingWidget(int rating, QWidget* parent);
QWidget* createTagWidget(const QStringList& tags, QWidget* parent);
QWidget* createCommentWidget(const QString& comment, QWidget* parent);
QWidget* createValueWidget(const QString& value, QWidget* parent);
QLabel* createValueWidget(QWidget* parent);
TagWidget* m_tagWidget;
KRatingWidget* m_ratingWidget;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment