Bug 488910

Summary: html rendering on information panel.
Product: [Applications] dolphin Reporter: Sheikh Ali Akbar <akberbadsha05>
Component: panels: informationAssignee: Dolphin Bug Assignee <dolphin-bugs-null>
Status: RESOLVED FIXED    
Severity: normal CC: kde, kfm-devel, nate
Priority: HI    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: https://invent.kde.org/frameworks/kio/-/commit/d422bd4a3dceffb98b271758837ce412977ed7f6 Version Fixed In: 6.13
Sentry Crash Report:
Attachments: poc

Description Sheikh Ali Akbar 2024-06-21 17:34:42 UTC 
Created attachment 170765 [details]
poc

***
If you're not sure this is actually a bug, instead post about it at https://discuss.kde.org

If you're reporting a crash, attach a backtrace with debug symbols; see https://community.kde.org/Guidelines_and_HOWTOs/Debugging/How_to_create_useful_crash_reports
***

SUMMARY
information panel treat text/informations like html. which leads to html injection through file name.

STEPS TO REPRODUCE
1. take one exFat formated usb/drive
2. create a file on your linux machine with name `<h1>test` and copy this file
3. now go to exfat formated drive and paste the file. 
4. it will give warning about special charecter on filename will be replaced with underscore. but it will also treat the file name as html and render it with given html tag

OBSERVED RESULT
Html rendered filename which means html injection

EXPECTED RESULT
escaped file name like other panels

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Debian gnu/linux 12
(available in About System)
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8

ADDITIONAL INFORMATION
Comment 1 David Edmundson 2024-11-01 14:42:10 UTC 
>Html rendered filename which means html injection

It's not too bad in this case.

You're limited within the label and can only do a tiny bit of markup. It's not like on a website when you can redirect the login button or anything. 

Still worth fixing.
Comment 2 xust 2025-03-19 14:17:58 UTC 
Git commit d422bd4a3dceffb98b271758837ce412977ed7f6 by Shitong Xu.
Committed on 19/03/2025 at 05:55.
Pushed by ngraham into branch 'master'.

SkipDialog: show msg with plaintext

label might show richtext and cause html injection.

M  +1    -0    src/widgets/skipdialog.cpp

https://invent.kde.org/frameworks/kio/-/commit/d422bd4a3dceffb98b271758837ce412977ed7f6