Bug 405593

Summary: Notification content is parsed and rendered as HTML
Product: [Plasma] plasmashell
Reporter: Christian Muehlhaeuser <muesli>
Component: Notifications
Assignee: Kai Uwe Broulik <kde>
Status: RESOLVED FIXED
Severity: normal
CC: kde, plasma-bugs-null
Priority: NOR
Version First Reported In: 5.15.3
Target Milestone: 1.0
Platform: Arch Linux
OS: Linux

Description Christian Muehlhaeuser 2019-03-18 12:52:43 UTC
SUMMARY

Notification content is parsed, interpreted and rendered as HTML. This results in various applications breaking notifications, trying to show a message that contains the character "<", for example:

"Notification Test <gotcha - You can't see this"

This also sounds like a bit of a security risk: essentially I can trigger rendering bugs (just thinking of WebKit's security track record) by sending people direct messages now, which will cause HTML content to be rendered on their systems.

Comment 1 David Edmundson 2019-03-18 13:03:06 UTC
WebKit is not used.

It's QTextDocument's very very limited HTML rendering, and even within that we sanitize the input even more to be a subset.

Can you tell me which app is sending the '<'?

Comment 2 Christian Muehlhaeuser 2019-03-18 13:10:35 UTC
The notifications in this example are triggered by Firefox. I'd expect it not to be able to show links within a notification, change the style or load an image either. Frankly, I'd like to suggest to HTML-sanitize the entire notification and disable HTML rendering altogether, at least for "external" notifications.
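
An added example, not part of the bug report and not Plasma's code: the two handling strategies raised in the comments above, escaping the whole body as plain text versus keeping only an allowlisted subset of tags. The allowlist (`b`, `i`, `u`), the function names and the sample strings are assumptions chosen for illustration.

```python
import html
import re

# Assumption: illustrative allowlist of attribute-free inline tags,
# not the subset Plasma actually permits.
ALLOWED_TAGS = {"b", "i", "u"}

# A complete tag with no attributes, e.g. <b> or </i>. Tags carrying
# attributes (<a href=...>, <img src=...>) never match and get escaped.
_BARE_TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)>")

# Constructed sample taken from the report's description.
SAMPLE = "Notification Test <gotcha - You can't see this"


def escape_plain(body: str) -> str:
    """Plain-text strategy: every markup character is displayed literally."""
    return html.escape(body, quote=False)


def sanitize_markup(body: str) -> str:
    """Allowlist strategy: keep bare allowlisted tags, escape everything else.

    Sender-supplied entities such as '&lt;' are also shown literally,
    because the text between tags is treated as untrusted plain text.
    """
    out = []
    pos = 0
    for match in _BARE_TAG.finditer(body):
        # Text before the tag, including any stray '<', is escaped.
        out.append(html.escape(body[pos:match.start()], quote=False))
        closing, name = match.group(1), match.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{closing}{name}>")
        else:
            out.append(html.escape(match.group(0), quote=False))
        pos = match.end()
    out.append(html.escape(body[pos:], quote=False))
    return "".join(out)


if __name__ == "__main__":
    print(escape_plain(SAMPLE))
    print(sanitize_markup('<B>New message</B> <img src="x.png"> <script>x</script>'))
```

With either function the text after the stray `<` survives, because the renderer receives `&lt;` rather than the start of an unterminated tag.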