Bug 305976 - Plugins should be able to inject code in the <head> section of Template.html
Status: RESOLVED FIXED
Alias: None
Product: telepathy
Classification: Frameworks and Libraries
Component: text-ui-message-filters
Version: git-latest
Platform: unspecified Linux
Importance: NOR normal
Target Milestone: 0.6-next
Assignee: Daniele E. Domenichelli
Reported: 2012-08-29 10:09 UTC by Daniele E. Domenichelli
Modified: 2012-09-22 19:03 UTC
kde: ReviewRequest+


Description Daniele E. Domenichelli 2012-08-29 10:09:33 UTC
In order to include additional scripts, it should be possible for an addon to inject some code (for example some <script> tag) in the <head> section of Template.html.
Comment 1 Martin Klapetek 2012-08-29 10:40:26 UTC
Be super careful with allowing third parties to inject custom JavaScript. I'm not sure about QtWebKit security, but cross-site scripting can be very dangerous. This also allows sending data (like the conversation history) to any server.
Comment 2 David Edmundson 2012-08-29 11:40:17 UTC
I think there's some confusion; this is about the C++ plugins adding some JS to the view.

If a plugin wanted to, it could be doing that in the C++ part anyway; allowing embedding JavaScript would make no difference.

There should be no "3rd party" code here, unless someone compiled and installed a third-party text-ui plugin, at which point that's their own fault.
Comment 3 Martin Klapetek 2012-08-29 11:47:00 UTC
You have a point with the C++ part and the "user's own fault". But that doesn't mean we should be careless ("because it's the user's fault").
Comment 4 Daniele E. Domenichelli 2012-09-22 19:03:52 UTC
Git commit 97f1479c91521faf9da0e4e67b6cf2a9bdc25938 by Daniele E. Domenichelli.
Committed on 22/09/2012 at 20:53.
Pushed by ddomenichelli into branch 'filters'.

Merge branch 'BUG-305976'

Reviewed-by: Lasath Fernando <kde@lasath.org>
REVIEW: 106302


http://commits.kde.org/telepathy-text-ui/97f1479c91521faf9da0e4e67b6cf2a9bdc25938