Bug 102383 - [icq] raw html not escaped on receipt
Status: RESOLVED FIXED
Alias: None
Product: kopete
Classification: Unmaintained
Component: ICQ and AIM Plugins
Version: unspecified
Platform: Debian testing Linux
: NOR normal
Target Milestone: ---
Assignee: Kopete Developers
Duplicates: 102333 111928
Reported: 2005-03-24 18:57 UTC by Gunter Ohrner
Modified: 2005-09-02 16:36 UTC
Description Gunter Ohrner 2005-03-24 18:57:58 UTC
Version:            (using KDE KDE 3.4.0)
Installed from:    Debian testing/unstable Packages
OS:                Linux

Hi!

Kopete does not seem to HTML-escape incoming chat messages, interpreting arbitrary HTML sent by another client. Tested with another Kopete and LICQ CVS on the "remote end", "<" and ">" brackets sent to me and any text between are swallowed while an HTML entity reference entered in the remote client (e.g. &uuml;) is displayed as the corresponding character by my kopete...

Greetings,

  Gunter
Comment 1 Michel Hermier 2005-03-24 19:14:29 UTC
This problem is protocol dependent. Can you say with which protocol you
observed this behaviour?
Comment 2 Gunter Ohrner 2005-03-24 21:52:42 UTC
Sorry, I didn't know.

It happened with ICQ (Oscar Plugin).

Kopete even shows complete HTML forms in the chat window if HTML-code is entered on the remote side. Looks funky. ;)

I could imagine that this might become a potential security hole if specially crafted HTML-whatever-code is sent to Kopete...

Greetings,

  Gunter
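
The behaviour reported above next to a receive-side escape, as an added example that is not part of the original report and is not Kopete's code. The `IncomingMessage` struct, the function names and the sample message are hypothetical and constructed for illustration; the body is assumed to be plain text.

```cpp
#include <iostream>
#include <string>

// Hypothetical types and helpers for illustration; not Kopete's real API.
struct IncomingMessage {
    std::string sender;  // remote-controlled display name
    std::string body;    // remote-controlled text, assumed to be plain text
};

// Escape text so that an HTML widget displays it literally.
std::string escapeHtml(const std::string& raw) {
    std::string out;
    out.reserve(raw.size());
    for (char c : raw) {
        switch (c) {
            case '&':  out += "&amp;";  break;  // keeps "&uuml;" literal
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Behaviour described in the report: remote text is placed in the markup as-is,
// so tags are interpreted and entity references are decoded by the widget.
std::string renderUnescaped(const IncomingMessage& m) {
    return "<div><b>" + m.sender + "</b>: " + m.body + "</div>";
}

// Receive-side handling: every remote-controlled field is escaped before it
// is placed in the markup, whatever the sending client did.
std::string renderEscaped(const IncomingMessage& m) {
    return "<div><b>" + escapeHtml(m.sender) + "</b>: " +
           escapeHtml(m.body) + "</div>";
}

int main() {
    // Constructed sample input, modelled on the report's description.
    IncomingMessage m{"remote", "<form><input type=\"text\"></form> &uuml;"};
    std::cout << renderUnescaped(m) << "\n" << renderEscaped(m) << "\n";
    return 0;
}
```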
Comment 3 Matt Rogers 2005-03-25 17:46:17 UTC
Sometimes I wish we didn't use an HTML widget to display things...
Comment 4 Matt Rogers 2005-03-25 17:47:01 UTC
CVS commit by mattr: 

Use escaped body all the time. Fixes bug 102383

CCBUG: 102383


  M +1 -4      oscarcontact.cpp   1.171


--- kdenetwork/kopete/protocols/oscar/oscarcontact.cpp  #1.170:1.171
@@ -183,7 +183,4 @@ void OscarContact::slotSendMsg( Kopete::
         Oscar::Message message;
         
-        if ( account()->engine()->isIcq() )
-                message.setText( msg.plainBody() );
-        else
                 message.setText( msg.escapedBody() );
         
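Review bot: The edit is in `OscarContact::slotSendMsg`, the outgoing path, while the bug is titled "raw html not escaped on receipt". Sending `msg.escapedBody()` for ICQ changes what this Kopete puts on the wire, but text arriving from a client that does not escape before sending (the report also names LICQ) is not touched by these lines. Please confirm that the incoming ICQ handler escapes message text before it reaches the HTML chat view, or add that escaping there and reference it in this commit.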
Comment 5 Matt Rogers 2005-03-25 17:47:46 UTC
CVS commit by mattr: 

Use the escaped body of the message all the time. Fixes #102383.
The fix will be in KDE 3.4.1
BUG: 102383


  M +1 -4      oscarcontact.cpp   1.166.4.4


--- kdenetwork/kopete/protocols/oscar/oscarcontact.cpp  #1.166.4.3:1.166.4.4
@@ -183,7 +183,4 @@ void OscarContact::slotSendMsg( Kopete::
         Oscar::Message message;
         
-        if ( account()->engine()->isIcq() )
-                message.setText( msg.plainBody() );
-        else
                 message.setText( msg.escapedBody() );
         
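Review bot: Dropping the `isIcq()` special case leaves no record of why ICQ used `msg.plainBody()` or why `msg.escapedBody()` is now the right wire format for it. A recipient that displays ICQ text as plain text could show entity references such as `&lt;` literally after this change. A short comment above `message.setText( msg.escapedBody() );` stating the expected format, and a check against a non-Kopete ICQ client before this ships in 3.4.1, would cover that.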
Comment 6 Matt Rogers 2005-03-25 18:21:15 UTC
*** Bug 102333 has been marked as a duplicate of this bug. ***
Comment 7 Jan Ritzerfeld 2005-09-02 16:36:22 UTC
*** Bug 111928 has been marked as a duplicate of this bug. ***