343301 – Klipper's tooltip renders HTML inlcuding remote images

Bug 343301 - Klipper's tooltip renders HTML inlcuding remote images

Summary: Klipper's tooltip renders HTML inlcuding remote images

Status:	RESOLVED FIXED

Alias:	None

Product:	klipper
Classification:	Unmaintained
Component:	plasma-widget (show other bugs)
Version:	unspecified
Platform:	Other Linux

Importance:	NOR critical
Target Milestone:	---
Assignee:	Martin Flöser

URL:	https://git.reviewboard.kde.org/r/122...
Keywords:

Depends on:
Blocks:

Reported:	2015-01-26 00:27 UTC by Martin Klapetek
Modified:	2015-01-29 08:07 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:	http://commits.kde.org/plasma-workspace/97b71c3f72f7669b7966ea4a433486756844b5a2
Version Fixed In:	5.3.0
Sentry Crash Report:

Attachments
Screenshot (29.54 KB, image/png) 2015-01-26 00:27 UTC, Martin Klapetek	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Martin Klapetek 2015-01-26 00:27:41 UTC

Created attachment 90659 [details]
Screenshot

For example copy this line:

<p>Hello! <img src="https://community.kde.org/images.community/5/5f/Kde-in-progress.png" /></p>

The popup will show the image. This looks vulnerable to cross-site scripting and other malicious stuff. It should probably escape the content before setting it to tooltip.

Comment 1 Martin Klapetek 2015-01-26 00:28:36 UTC

I may have used to wrong word - it's the applet's tooltip which appears on mouse hover, not the popup. The popup is correct.

Comment 2 Martin Flöser 2015-01-26 06:37:31 UTC

the tooltip content is just assigned to Plasmoid.toolTipSubText. I do not know whether it's possible to add textFormat for it. Adding Marco for more insight.

Comment 3 Martin Klapetek 2015-01-26 11:08:31 UTC

I don't think the textFormat should change, maybe, but the tooltip should/could still escape the string properly, no?

Comment 4 Martin Flöser 2015-01-26 11:41:24 UTC

(In reply to Martin Klapetek from comment #3)
> I don't think the textFormat should change, maybe, but the tooltip
> should/could still escape the string properly, no?

I think escaping is wrong as it would turn every "<" into &lt; - this is comparable stupid if you have for example copied something like "1 < 2".

Comment 5 Martin Klapetek 2015-01-26 11:54:36 UTC

What I was thinking is that if that tooltip renders html correctly, it would render those escaped sequences correctly too.

Comment 6 Martin Klapetek 2015-01-26 11:55:29 UTC

Oh and fwiw, it actually does. So copying "&lt;" actually puts "<" into the tooltip.

So escaping the tooltip text would easily solve it.

Comment 7 Martin Flöser 2015-01-26 12:19:08 UTC

>  So escaping the tooltip text would easily solve it.

but only if it might be rich text. Try copying a line break first, it would encode it as PlainText. E.g. copy this section: "
&lt;p&gt;Test&lt;/p&gt;"

once with and once without the line break.

Comment 8 Martin Klapetek 2015-01-26 12:29:28 UTC

Both cases work correct for me. Maybe the tooltip is set to always-rich text or the detection improved in qt5.4, dunno.

Comment 9 Martin Flöser 2015-01-29 08:07:10 UTC

Git commit 97b71c3f72f7669b7966ea4a433486756844b5a2 by Martin Gräßlin.
Committed on 28/01/2015 at 13:24.
Pushed by graesslin into branch 'master'.

[applets/clipboard] Force tooltips to be PlainText

Prevents cross-side scripting attempts.
This requires 8044e15 of plasma-framework.
FIXED-IN: 5.3.0
REVIEW: 122289

M  +1    -0    applets/clipboard/contents/ui/clipboard.qml

http://commits.kde.org/plasma-workspace/97b71c3f72f7669b7966ea4a433486756844b5a2