Bug 102383

Summary: [icq] raw html not escaped on receipt
Product: [Unmaintained] kopete Reporter: Gunter Ohrner <kdebugs>
Component: ICQ and AIM PluginsAssignee: Kopete Developers <kopete-bugs-null>
Status: RESOLVED FIXED    
Severity: normal CC: j_schaef, silver
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Gunter Ohrner 2005-03-24 18:57:58 UTC
Version:            (using KDE KDE 3.4.0)
Installed from:    Debian testing/unstable Packages
OS:                Linux

Hi!

Kopete does not seem to HTML-escape incoming chat messages, interpreting arbitrary HTML send by another client. Tested with another Kopete and LICQ CVS on the "remote end", "<" and ">" brackets sent to my and any text between is swallowed while a HTML entity referencre entered in the remote client (eg. &uuml;) is displayed as the corresponding character by my kopete...

Greetings,

  Gunter
Comment 1 Michel Hermier 2005-03-24 19:14:29 UTC
This problem is protocol dependent. Can you say with which protocol you 
observed this beaviour?
Comment 2 Gunter Ohrner 2005-03-24 21:52:42 UTC
Sorry, I didn't know.

It happened with ICQ (Oscar Plugin).

Kopete even shows complete HTML forms in the chat window if HTML-code is entered on the remote side. Looks funky. ;)

I could imagine that this might become a potential security hole if specially crafted HTML-whatever-code is sent to Kopete...

Greetings,

  Gunter
Comment 3 Matt Rogers 2005-03-25 17:46:17 UTC
sometimes i wish we didn't use an HTML widget to display things...
Comment 4 Matt Rogers 2005-03-25 17:47:01 UTC
CVS commit by mattr: 

Use escaped body all the time. Fixes bug 102383

CCBUG: 102383


  M +1 -4      oscarcontact.cpp   1.171


--- kdenetwork/kopete/protocols/oscar/oscarcontact.cpp  #1.170:1.171
@@ -183,7 +183,4 @@ void OscarContact::slotSendMsg( Kopete::
         Oscar::Message message;
         
-        if ( account()->engine()->isIcq() )
-                message.setText( msg.plainBody() );
-        else
                 message.setText( msg.escapedBody() );
         
Comment 5 Matt Rogers 2005-03-25 17:47:46 UTC
CVS commit by mattr: 

Use the escaped body of the message all the time. Fixes #102383.
The fix will be in KDE 3.4.1
BUG: 102383


  M +1 -4      oscarcontact.cpp   1.166.4.4


--- kdenetwork/kopete/protocols/oscar/oscarcontact.cpp  #1.166.4.3:1.166.4.4
@@ -183,7 +183,4 @@ void OscarContact::slotSendMsg( Kopete::
         Oscar::Message message;
         
-        if ( account()->engine()->isIcq() )
-                message.setText( msg.plainBody() );
-        else
                 message.setText( msg.escapedBody() );
         
Comment 6 Matt Rogers 2005-03-25 18:21:15 UTC
*** Bug 102333 has been marked as a duplicate of this bug. ***
Comment 7 Jan Ritzerfeld 2005-09-02 16:36:22 UTC
*** Bug 111928 has been marked as a duplicate of this bug. ***