Bug 343301

Summary: Klipper's tooltip renders HTML including remote images
Product: [Unmaintained] klipper
Component: plasma-widget
Reporter: Martin Klapetek <mklapetek>
Assignee: Martin Flöser <mgraesslin>
Status: RESOLVED FIXED
Severity: critical
CC: notmart
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
URL: https://git.reviewboard.kde.org/r/122289/
Version Fixed In: 5.3.0
Attachments: Screenshot

Description Martin Klapetek 2015-01-26 00:27:41 UTC
Created attachment 90659
Screenshot

For example copy this line:

<p>Hello! <img src="https://community.kde.org/images.community/5/5f/Kde-in-progress.png" /></p>

The popup will show the image. This looks vulnerable to cross-site scripting and other malicious stuff. It should probably escape the content before setting it to the tooltip.
Comment 1 Martin Klapetek 2015-01-26 00:28:36 UTC
I may have used the wrong word - it's the applet's tooltip which appears on mouse hover, not the popup. The popup is correct.
Comment 2 Martin Flöser 2015-01-26 06:37:31 UTC
The tooltip content is just assigned to Plasmoid.toolTipSubText. I do not know whether it's possible to add textFormat for it. Adding Marco for more insight.
Comment 3 Martin Klapetek 2015-01-26 11:08:31 UTC
I don't think the textFormat should change, maybe, but the tooltip should/could still escape the string properly, no?
Comment 4 Martin Flöser 2015-01-26 11:41:24 UTC
(In reply to Martin Klapetek from comment #3)
> I don't think the textFormat should change, maybe, but the tooltip
> should/could still escape the string properly, no?

I think escaping is wrong as it would turn every "<" into &lt; - this is comparably stupid if you have for example copied something like "1 < 2".
Comment 5 Martin Klapetek 2015-01-26 11:54:36 UTC
What I was thinking is that if that tooltip renders html correctly, it would render those escaped sequences correctly too.
Comment 6 Martin Klapetek 2015-01-26 11:55:29 UTC
Oh and fwiw, it actually does. So copying "&lt;" actually puts "<" into the tooltip.

So escaping the tooltip text would easily solve it.
Comment 7 Martin Flöser 2015-01-26 12:19:08 UTC
>  So escaping the tooltip text would easily solve it.

but only if it might be rich text. Try copying a line break first, it would encode it as PlainText. E.g. copy this section: "
&lt;p&gt;Test&lt;/p&gt;"

once with and once without the line break.
Comment 8 Martin Klapetek 2015-01-26 12:29:28 UTC
Both cases work correctly for me. Maybe the tooltip is set to always-rich text or the detection improved in qt5.4, dunno.
Comment 9 Martin Flöser 2015-01-29 08:07:10 UTC
Git commit 97b71c3f72f7669b7966ea4a433486756844b5a2 by Martin Gräßlin.
Committed on 28/01/2015 at 13:24.
Pushed by graesslin into branch 'master'.

[applets/clipboard] Force tooltips to be PlainText

Prevents cross-site scripting attempts.
This requires 8044e15 of plasma-framework.
FIXED-IN: 5.3.0
REVIEW: 122289

M  +1    -0    applets/clipboard/contents/ui/clipboard.qml

http://commits.kde.org/plasma-workspace/97b71c3f72f7669b7966ea4a433486756844b5a2
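
The trade-off argued in comments 4 to 7 and settled by the commit above, as an added example that is not part of the bug report or KDE's code: it runs the clipboard strings from the thread through a toy tooltip model under three strategies and lists the cases where the tooltip misrepresents the clipboard or requests a remote image. `RichTooltip`, `render`, `failures` and the strategy names are hypothetical, the rich mode is a simplified stand-in for a rich-text renderer (not Qt's), and the model assumes auto-detection may pick either format.

```python
import html
from html.parser import HTMLParser

class RichTooltip(HTMLParser):
    """Toy rich-text renderer: drops tags, decodes entities, notes <img> sources."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.fetched = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.fetched.append(src)  # a real renderer would load this URL

    def handle_data(self, data):
        self.visible.append(data)

def render(text, mode):
    """Return (visible text, image URLs requested) for mode 'rich' or 'plain'."""
    if mode == "plain":
        return text, []
    r = RichTooltip()
    r.feed(text)
    r.close()
    return "".join(r.visible), r.fetched

# Clipboard contents taken from the report and from comments 4 and 6.
SAMPLES = [
    '<p>Hello! <img src="https://community.kde.org/images.community/5/5f/Kde-in-progress.png" /></p>',
    "1 < 2",
    "&lt;",
]

# strategy -> (transform applied to the text, formats the tooltip may end up in)
STRATEGIES = {
    "raw": (lambda s: s, ("rich", "plain")),     # format auto-detected (assumed)
    "escape": (html.escape, ("rich", "plain")),  # escaped, format still auto-detected
    "force_plain": (lambda s: s, ("plain",)),    # format pinned, as in the fix
}

def failures(strategy):
    """Cases where the tooltip differs from the clipboard or requests an image."""
    transform, modes = STRATEGIES[strategy]
    out = []
    for mode in modes:
        for clip in SAMPLES:
            visible, fetched = render(transform(clip), mode)
            if visible != clip or fetched:
                out.append((mode, clip, visible, fetched))
    return out
```
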