Bug 382243

Summary: Does not sanitize HTML in device names
Product: [Applications] kdeconnect
Reporter: Fabian Vogt <fabian>
Component: common
Assignee: Albert Vaca Cintora <albertvaka>
Status: RESOLVED FIXED
Severity: major
Priority: NOR
Version First Reported In: 1.5
Target Milestone: ---
Platform: openSUSE
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Fabian Vogt 2017-07-11 14:44:33 UTC
By calling my device "<h1>BIG FONT</h1>" and sending unauthorized pings to other devices, they parse and display it as HTML. Works with img, a, etc. as well.

This affects every place where the label is displayed (notification, label in the kcm, plasmoid), except the list of available devices in the kcm.
Comment 1 Fabian Vogt 2017-07-12 09:00:28 UTC
Made a patch: https://phabricator.kde.org/D6640
Comment 2 Fabian Vogt 2017-07-12 09:35:13 UTC
Git commit 5641d818dc6875edf82b1b4e91d861997c3ecfc1 by Fabian Vogt.
Committed on 12/07/2017 at 09:33.
Pushed by fvogt into branch '1.x'.

Treat device names as plaintext, not rich text

Summary:
Notifications, QML Text and QLabel accept a HTML subset,
which does not make sense for device names.

Test Plan:
Sent a pair request and accepted it, device name
now shown as plain text everywhere.

Reviewers: #kde_connect, albertvaka

Reviewed By: #kde_connect, albertvaka

Subscribers: #kde_connect

Differential Revision: https://phabricator.kde.org/D6640

M  +1    -1    daemon/kdeconnectd.cpp
M  +3    -0    kcm/kcm.ui
M  +1    -0    plasmoid/package/contents/ui/DeviceDelegate.qml

https://commits.kde.org/kdeconnect-kde/5641d818dc6875edf82b1b4e91d861997c3ecfc1
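As an added example (not KDE Connect's own code, and written without any Qt dependency so it compiles stand-alone), the following plain C++ models the two ways a remote-supplied device name can stop being interpreted as markup: escaping it before it reaches a rich-text sink, or switching the sink to plain text, which is what the commit above does for QLabel, QML Text and notifications. `richTextVisible` is a deliberately small stand-in for Qt's HTML-subset parser, and `TextFormat`, `displayed` and `looksLikeMarkup` are assumed names for illustration, not Qt or KDE Connect APIs.

```cpp
// Added example, not KDE Connect code. Models how a device name chosen by a
// remote (possibly unpaired) peer is rendered by a rich-text sink versus a
// plain-text sink, and how escaping restores the intended display.
#include <iostream>
#include <string>

// Escape the characters an HTML-subset renderer interprets. Same idea as
// QString::toHtmlEscaped(), reimplemented here so the example needs no Qt.
std::string escapeForRichText(const std::string& name) {
    std::string out;
    out.reserve(name.size());
    for (char c : name) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Toy model of what a rich-text sink actually shows: tags are interpreted
// (here simply dropped, as a visible-text approximation) and the four basic
// entities are decoded. This is a stand-in for Qt's parser, not Qt's code.
std::string richTextVisible(const std::string& markup) {
    std::string out;
    for (size_t i = 0; i < markup.size(); ++i) {
        char c = markup[i];
        if (c == '<') {
            size_t close = markup.find('>', i);
            if (close == std::string::npos) { out += markup.substr(i); break; }
            i = close;  // skip the whole tag
            continue;
        }
        if (c == '&') {
            size_t semi = markup.find(';', i);
            if (semi != std::string::npos) {
                std::string ent = markup.substr(i, semi - i + 1);
                if (ent == "&lt;")   { out += '<'; i = semi; continue; }
                if (ent == "&gt;")   { out += '>'; i = semi; continue; }
                if (ent == "&amp;")  { out += '&'; i = semi; continue; }
                if (ent == "&quot;") { out += '"'; i = semi; continue; }
            }
        }
        out += c;
    }
    return out;
}

// Assumed enum mirroring the two Qt text formats relevant here.
enum class TextFormat { RichText, PlainText };

// What the user sees for a given sink. A plain-text sink (Qt::PlainText /
// Text.PlainText, the commit's fix) shows the bytes verbatim; a rich-text sink
// must receive an escaped string or it parses the name as HTML.
std::string displayed(const std::string& name, TextFormat fmt, bool escaped) {
    if (fmt == TextFormat::PlainText) return name;
    return richTextVisible(escaped ? escapeForRichText(name) : name);
}

// Cheap detection heuristic for logging incoming identity packets: does the
// name carry something a rich-text sink would interpret (a tag or an entity)?
bool looksLikeMarkup(const std::string& name) {
    size_t lt = name.find('<');
    if (lt != std::string::npos && name.find('>', lt) != std::string::npos) return true;
    size_t amp = name.find('&');
    return amp != std::string::npos && name.find(';', amp) != std::string::npos;
}

int main() {
    // Constructed sample: the device name from the bug report.
    const std::string name = "<h1>BIG FONT</h1>";
    std::cout << "rich sink, raw:      " << displayed(name, TextFormat::RichText, false) << '\n';
    std::cout << "rich sink, escaped:  " << displayed(name, TextFormat::RichText, true)  << '\n';
    std::cout << "plain-text sink:     " << displayed(name, TextFormat::PlainText, false) << '\n';
    std::cout << "looks like markup:   " << (looksLikeMarkup(name) ? "yes" : "no") << '\n';
    return 0;
}
```

The first line of output shows the bug (the tag is consumed and the name renders as a heading); the other two show the two fixes, of which switching the sink to plain text is the simpler one because it needs no escaping at every display site and cannot be forgotten at a newly added one.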