Summary: | Plugins should be able to inject code in the <head> section of Template.html | ||
---|---|---|---|
Product: | [Unmaintained] telepathy | Reporter: | Daniele E. Domenichelli <ddomenichelli> |
Component: | text-ui-message-filters | Assignee: | Daniele E. Domenichelli <ddomenichelli> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | kde, kde, mklapetek |
Priority: | NOR | Flags: | kde: ReviewRequest+ |
Version: | git-latest | ||
Target Milestone: | 0.6-next | ||
Platform: | unspecified | ||
OS: | Linux | ||
Latest Commit: | http://commits.kde.org/telepathy-text-ui/97f1479c91521faf9da0e4e67b6cf2a9bdc25938 | Version Fixed In: | |
Sentry Crash Report: |
Description

Daniele E. Domenichelli, 2012-08-29 10:09:33 UTC

Be super careful with allowing third parties to inject custom JavaScript. I'm not sure about QtWebKit security, but cross-site scripting can be very dangerous. This also allows sending data (like the conversation history) to any server.

I think there's some confusion: this is about the C++ plugins adding some JS to the view. If a plugin wanted to, it could be doing that in the C++ part anyway, so allowing embedded JavaScript would make no difference. There should be no "3rd party" code here, unless someone compiled and installed a third-party text-ui plugin, at which point that's their own fault.

You have a point with the C++ part and the "user's own fault". But that doesn't mean we should be careless ("because it's the user's fault").

Git commit 97f1479c91521faf9da0e4e67b6cf2a9bdc25938 by Daniele E. Domenichelli.
Committed on 22/09/2012 at 20:53.
Pushed by ddomenichelli into branch 'filters'.

Merge branch 'BUG-305976'

Reviewed-by: Lasath Fernando <kde@lasath.org>
REVIEW: 106302

http://commits.kde.org/telepathy-text-ui/97f1479c91521faf9da0e4e67b6cf2a9bdc25938