Bug 442077

Summary: Unescaped HTML in metadata
Product: [Applications] Elisa Reporter: Nagy Tibor <xnagytibor>
Component: generalAssignee: Matthieu Gallien <matthieu_gallien>
Severity: normal    
Priority: NOR    
Version: 21.08.1   
Target Milestone: ---   
Platform: Neon   
OS: Linux   
Latest Commit: Version Fixed In: 21.12
Attachments: Repro

Description Nagy Tibor 2021-09-06 13:47:02 UTC
Created attachment 141335 [details]

Elisa currently doesn't escape HTML tags inside the track metadata. For example this allows injecting <img> tags through these metadata fields onto Elisa's interface where they are never supposed to be, obstructing things and making a mess in general. Doesn't seem to have any security impact due to how limited Qt's HTML subset is.

Grab some audio file and set its metadata fields (title, artist, album, etc.) to something like this:
<img src="file:/some/local/path/image.jpg">

Operating System: KDE neon 5.22
KDE Plasma Version: 5.22.5
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.3
Comment 1 Nate Graham 2021-09-08 20:27:29 UTC
Git commit 2867b6f77bb2d7e701eec565b99cdf4c5fdf4cf9 by Nate Graham.
Committed on 08/09/2021 at 20:26.
Pushed by ngraham into branch 'master'.

Don't parse HTML in metadata fields

This is user-provided data we can't guarantee; better safe than sorry.
FIXED-IN: 21.12

M  +1    -0    src/qml/ContextView.qml
M  +2    -0    src/qml/LabelWithToolTip.qml
M  +2    -0    src/qml/ListBrowserDelegate.qml
M  +1    -0    src/qml/MediaTrackMetadataDelegate.qml
M  +1    -1    src/qml/PlayListEntry.qml
M  +2    -0    src/qml/mobile/MobileMinimizedPlayerControl.qml
M  +2    -0    src/qml/mobile/MobilePlayListDelegate.qml

Comment 2 Nagy Tibor 2021-09-13 07:09:27 UTC
This was a privacy issue. I though this HTML subset was only constrained to local resources, but turns out Qt happily makes HTTP requests straight from GUI markup.

Sorry that I assumed some sanity from Qt.