Bug 382243 - Does not sanitize HTML in device names
Summary: Does not sanitize HTML in device names
Status: RESOLVED FIXED
Alias: None
Product: kdeconnect
Classification: Applications
Component: common (other bugs)
Version First Reported In: 1.5
Platform: openSUSE Linux
Priority: NOR
Severity: major
Target Milestone: ---
Assignee: Albert Vaca Cintora
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-11 14:44 UTC by Fabian Vogt
Modified: 2017-07-12 09:35 UTC (History)
CC List: 0 users

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Description Fabian Vogt 2017-07-11 14:44:33 UTC
By calling my device "<h1>BIG FONT</h1>" and sending unauthorized pings to other devices, they parse and display it as HTML. Works with img, a, etc. as well.

This affects every place where the label is displayed (notification, label in the kcm, plasmoid), except the list of available devices in the kcm.
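The commit message below describes the fix as treating device names as plain text rather than rich text (in Qt terms, a plain-text format on the widget, such as `Qt::PlainText` on a QLabel or `Text.PlainText` on a QML Text item). For sinks that only accept rich text, the fallback is to escape the name before it is inserted. The following is an added, self-contained illustration of that escaping, not code from the KDE Connect commit; `escapeDeviceName` and `containsMarkup` are hypothetical helper names, and the escaping mirrors the four characters handled by Qt's `QString::toHtmlEscaped()`.

```cpp
#include <iostream>
#include <string>

// Escape the characters that a rich-text sink would otherwise interpret as
// markup (&, <, >, "), so the device name is displayed literally. This is the
// same set of characters QString::toHtmlEscaped() escapes.
std::string escapeDeviceName(const std::string &name) {
    std::string out;
    out.reserve(name.size());
    for (char c : name) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        default:   out += c;        break;
        }
    }
    return out;
}

// True when a remote-supplied name would be parsed as markup by a rich-text
// sink; useful as a log/detection hook for names like the one in this report.
bool containsMarkup(const std::string &name) {
    return name.find('<') != std::string::npos ||
           name.find('&') != std::string::npos;
}

int main() {
    // Constructed input: the payload from the bug description.
    const std::string remoteName = "<h1>BIG FONT</h1>";
    if (containsMarkup(remoteName)) {
        std::cout << "device name contains markup, escaping before display\n";
    }
    std::cout << "raw:     " << remoteName << '\n';
    std::cout << "escaped: " << escapeDeviceName(remoteName) << '\n';
    return 0;
}
```

Setting the plain-text format on the widget is the preferred fix, since it removes the parsing step entirely; escaping is only for APIs that have no plain-text mode.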
Comment 1 Fabian Vogt 2017-07-12 09:00:28 UTC
Made a patch: https://phabricator.kde.org/D6640
Comment 2 Fabian Vogt 2017-07-12 09:35:13 UTC
Git commit 5641d818dc6875edf82b1b4e91d861997c3ecfc1 by Fabian Vogt.
Committed on 12/07/2017 at 09:33.
Pushed by fvogt into branch '1.x'.

Treat device names as plaintext, not rich text

Summary:
Notifications, QML Text and QLabel accept an HTML subset,
which does not make sense for device names.

Test Plan:
Sent a pair request and accepted it, device name
now shown as plain text everywhere.

Reviewers: #kde_connect, albertvaka

Reviewed By: #kde_connect, albertvaka

Subscribers: #kde_connect

Differential Revision: https://phabricator.kde.org/D6640

M  +1    -1    daemon/kdeconnectd.cpp
M  +3    -0    kcm/kcm.ui
M  +1    -0    plasmoid/package/contents/ui/DeviceDelegate.qml

https://commits.kde.org/kdeconnect-kde/5641d818dc6875edf82b1b4e91d861997c3ecfc1