SUMMARY

Notification content is parsed, interpreted and rendered as HTML. This results in various applications breaking notifications, trying to show a message that contains the character "<", for example:

"Notification Test <gotcha - You can't see this"

This also sounds like a bit of a security risk: essentially I can trigger rendering bugs (just thinking of WebKit's security track record) by sending people direct messages now, which will cause HTML content to be rendered on their systems.
WebKit is not used. It's QTextDocument's very, very limited HTML rendering, and even within that we sanitize the input even more to be a subset. Can you tell me which app is sending the '<'?
The notifications in this example are triggered by Firefox. I'd expect it not to be able to show links within a notification, change the style or load an image either. Frankly, I'd like to suggest to HTML-sanitize the entire notification and disable HTML rendering altogether, at least for "external" notifications.
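
Added example, not part of the original thread and not Plasma's own code: the two policies discussed above, written in standard C++ without Qt. `escapeAll` treats the body as plain text, as suggested for "external" notifications; `sanitizeSubset` keeps an assumed allowlist of attribute-free `<b>`, `<i>` and `<u>` tags and escapes every other `<`, so the reported string is displayed in full and links or images never reach the renderer. Both function names and the allowlist are hypothetical.

```cpp
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Policy A (the reporter's suggestion): treat the whole body as plain text.
std::string escapeAll(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '"': out += "&quot;"; break;
        default:  out += c;
        }
    }
    return out;
}

// Policy B: keep only attribute-free <b>, <i>, <u> tags (assumed allowlist,
// not Plasma's actual subset); every other '<' is escaped and shown literally.
std::string sanitizeSubset(const std::string &in) {
    static const std::set<std::string> allowed = {"b", "i", "u"};
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '<') {
            std::size_t j = i + 1;
            const bool closing = j < in.size() && in[j] == '/';
            if (closing) ++j;
            std::string name;  // lower-cased tag name candidate
            while (j < in.size() && std::isalpha(static_cast<unsigned char>(in[j])))
                name += static_cast<char>(std::tolower(static_cast<unsigned char>(in[j++])));
            if (j < in.size() && in[j] == '>' && allowed.count(name)) {
                out += (closing ? "</" : "<") + name + ">";
                i = j;  // the loop increment then skips the '>'
                continue;
            }
        }
        out += escapeAll(in.substr(i, 1));  // not an allowed tag: escape this character
    }
    return out;
}

int main() {
    // Constructed sample bodies; the first is the string quoted in the report.
    std::cout << escapeAll("Notification Test <gotcha - You can't see this") << "\n";
    std::cout << sanitizeSubset("<b>Hi</b> <img src=\"x\"> <gotcha") << "\n";
}
```

Under either policy an `&` sent by the application is escaped too, so a sender that already HTML-escapes its text will see entities such as `&amp;` displayed literally.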