SUMMARY Using wifi name with xss vectors result in wifi not rendering STEPS TO REPRODUCE 1. set wifi SSID to something like <svg/onload=alert('XSS')> 2. open the connect menu in panel. OBSERVED RESULT SSID will not be displayed. EXPECTED RESULT SSID will be displayed/ SOFTWARE/OS VERSIONS Linux/KDE Plasma: openSUSE tumbleweed/Arch linux KDE Plasma Version: 5.19 KDE Frameworks Version: 5.79.0 Qt Version: 5.15 ADDITIONAL INFORMATION his is similar to XSS attacks in web-browsers where the dom parser misses XSS vectors. the issue was not present in the previous version of plasma.
Created attachment 129389 [details] example missing SSID
Can confirm, this was my fault. Will fix it.
Previously we allowed styled text for the subtitle, but not the title. However when I ported the plasma-nm applet to the new ExpandableListItem component, I failed to handle this use case and made it impossible to turn on styled text for only one of them, just both. Fixing this properly will require adding new properties to the component in Frameworks, and then using them in the plasma-nm applet. I'll handle it. Sorry about the mess.
Alternatively, we could remove styled text for both of them in the Plasma 5.19.2 timeframe, which could work since the colorized arrows don't even work anyway now that we shipped the Emoji picker which resulted in distros shipping proper emoji font support, which has the side effect that the colorized unicode arrows used here are getting replaced with color-hardcoded Emojis.
Let's do that for now. I'll submit a merge request.
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/5
(In reply to Nate Graham from comment #5) > Let's do that for now. I'll submit a merge request. anything is fine, honestly right now its a bit of a inconvenience not any major problem. i highly doubt you could pull of any exploit with it
Git commit 3c660d8e20bdea80b3613c02320d1688b677ad98 by Nate Graham. Committed on 19/06/2020 at 01:15. Pushed by ngraham into branch 'Plasma/5.19'. [applet] Remove styled text support from list items This fixes a security regression introduced with the ExpandableListItem port which allowed styled text for the networ name. Unfortunately Qt's styled text allows network access, and people could put malicious text in SSID names. The ExpandableListItem component has no way to allow styled text for the subtitle but not the title, which is what the previous version did. However styled text in the subtitle is only being used for colorizing the arrows, which doesn't even work anymore because the colored arrows get replaced with Emojis for most people now that distros are shipping Emoji font support to make the Emoji Picker introduces in Plasma 5.18 work. Because of this, we can fix the issue by turning off styled text support entirely, and removing the arrow colorization. There won't even be any visual changes for most people. FIXED-IN: 5.19.2 M +1 -8 applet/contents/ui/ConnectionItem.qml https://invent.kde.org/plasma/plasma-nm/commit/3c660d8e20bdea80b3613c02320d1688b677ad98