Commit b5a4ec86 authored by Laurent Montel's avatar Laurent Montel 😁

Don't allow to use div in head

(cherry picked from commit 4f0a7a4c)
parent 9f79dc6e
......@@ -39,6 +39,7 @@ void MessageViewerUtilsTest::shouldExcludeHeader_data()
QTest::newRow("REFRESH5") << QStringLiteral("<meta content=\"0;URL=http://www.kde.org\" http-equiv=\'&#82;EFRESH\'></head>") << true;
QTest::newRow("REFRESH6") << QStringLiteral("<meta content=\"0;URL=http://www.kde.org\" http-equiv= \"REFRESH\"></head>") << true;
#endif
QTest::newRow("div1") << QStringLiteral("<div><p>ff</p></div></head>") << true;
}
void MessageViewerUtilsTest::shouldExcludeHeader()
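Review bot: The added `div1` row covers only a lowercase, well-formed `<div>…</div>` pair, although `divRef` is compiled with `QRegularExpression::CaseInsensitiveOption`. A second row such as `QTest::newRow("div2") << QStringLiteral("<DIV><p>ff</p></DIV></head>") << true;` would pin the case-insensitive match. A row with ordinary head content (for example a lone `<style>` element) expecting `false` would guard against over-blocking, unless one already exists above the hunk. `shouldExcludeHeader_data()` starts outside the hunk, so the existing rows are not all visible here.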
......
......@@ -664,11 +664,15 @@ bool Util::excludeExtraHeader(const QString &s)
#if QTWEBENGINEWIDGETS_VERSION < QT_VERSION_CHECK(5, 14, 0)
//Remove this hack with https://codereview.qt-project.org/#/c/256100/2 is merged
//Don't authorize to refresh content.
QRegularExpression ref(QStringLiteral("http-equiv=\\s*(\'|\")(&#82;|R)EFRESH(\'|\")"), QRegularExpression::CaseInsensitiveOption);
static QRegularExpression ref(QStringLiteral("http-equiv=\\s*(\'|\")(&#82;|R)EFRESH(\'|\")"), QRegularExpression::CaseInsensitiveOption);
if (s.contains(ref)) {
return true;
}
#endif
static QRegularExpression divRef(QStringLiteral("</div>"), QRegularExpression::CaseInsensitiveOption);
if (s.contains(divRef)) {
return true;
}
return false;
}
......@@ -727,7 +731,7 @@ Util::HtmlMessageInfo Util::processHtml(const QString &htmlSource)
}
const int index = startIndex + 6;
messageInfo.extraHead = s.mid(index, endIndex - index);
if (MessageViewer::Util::excludeExtraHeader(s)) {
if (MessageViewer::Util::excludeExtraHeader(messageInfo.extraHead)) {
messageInfo.extraHead.clear();
}
s = s.remove(startIndex, endIndex - startIndex + 7).trimmed();
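Review bot: The new `divRef` check in `excludeExtraHeader` matches only the literal closing tag `</div>`, so head content with an opening `<div` and no closing tag, or a closing tag written as `</div >`, passes the check and `extraHead` is kept. Matching the tag name on either side is stricter at no extra cost: `static const QRegularExpression divRef(QStringLiteral("</?div\\b"), QRegularExpression::CaseInsensitiveOption);`. `div` is also only one of the body-level elements that do not belong in `<head>`; if the goal is to keep only benign head content, an allowlist of accepted elements would hold up better than extending a denylist one tag at a time, though how `extraHead` is consumed is not visible here, so treat that as a design suggestion. Both function-local statics (`ref` and `divRef`) can be declared `const`. The body of `excludeExtraHeader` starts outside the hunk.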
......