Bug 488910

Summary: html rendering on information panel.
Product: [Applications] dolphin Reporter: Sheikh Ali Akbar <akberbadsha05>
Component: panels: informationAssignee: Dolphin Bug Assignee <dolphin-bugs-null>
Status: CONFIRMED ---    
Severity: normal CC: kde, kfm-devel
Priority: HI    
Version: unspecified   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: poc

Description Sheikh Ali Akbar 2024-06-21 17:34:42 UTC 
Created attachment 170765 [details]
poc

***
If you're not sure this is actually a bug, instead post about it at https://discuss.kde.org

If you're reporting a crash, attach a backtrace with debug symbols; see https://community.kde.org/Guidelines_and_HOWTOs/Debugging/How_to_create_useful_crash_reports
***

SUMMARY
information panel treat text/informations like html. which leads to html injection through file name.

STEPS TO REPRODUCE
1. take one exFat formated usb/drive
2. create a file on your linux machine with name `<h1>test` and copy this file
3. now go to exfat formated drive and paste the file. 
4. it will give warning about special charecter on filename will be replaced with underscore. but it will also treat the file name as html and render it with given html tag

OBSERVED RESULT
Html rendered filename which means html injection

EXPECTED RESULT
escaped file name like other panels

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Debian gnu/linux 12
(available in About System)
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8

ADDITIONAL INFORMATION
Comment 1 David Edmundson 2024-11-01 14:42:10 UTC 
>Html rendered filename which means html injection

It's not too bad in this case.

You're limited within the label and can only do a tiny bit of markup. It's not like on a website when you can redirect the login button or anything. 

Still worth fixing.