Bug 442077 - Unescaped HTML in metadata
Summary: Unescaped HTML in metadata
Status: RESOLVED FIXED
Alias: None
Product: Elisa
Classification: Applications
Component: general
Version: 21.08.1
Platform: Neon Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Matthieu Gallien
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-09-06 13:47 UTC by Nagy Tibor
Modified: 2021-09-13 07:09 UTC

See Also:
Latest Commit:
Version Fixed In: 21.12
Sentry Crash Report:


Attachments
Repro (805.35 KB, video/mp4)
2021-09-06 13:47 UTC, Nagy Tibor

Description Nagy Tibor 2021-09-06 13:47:02 UTC
Created attachment 141335 [details]
Repro

SUMMARY
Elisa currently doesn't escape HTML tags inside the track metadata. For example this allows injecting <img> tags through these metadata fields onto Elisa's interface where they are never supposed to be, obstructing things and making a mess in general. Doesn't seem to have any security impact due to how limited Qt's HTML subset is.

STEPS TO REPRODUCE
Grab some audio file and set its metadata fields (title, artist, album, etc.) to something like this:
<img src="file:/some/local/path/image.jpg">

SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.22
KDE Plasma Version: 5.22.5
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.3
Comment 1 Nate Graham 2021-09-08 20:27:29 UTC
Git commit 2867b6f77bb2d7e701eec565b99cdf4c5fdf4cf9 by Nate Graham.
Committed on 08/09/2021 at 20:26.
Pushed by ngraham into branch 'master'.

Don't parse HTML in metadata fields

This is user-provided data we can't guarantee; better safe than sorry.
FIXED-IN: 21.12

M  +1    -0    src/qml/ContextView.qml
M  +2    -0    src/qml/LabelWithToolTip.qml
M  +2    -0    src/qml/ListBrowserDelegate.qml
M  +1    -0    src/qml/MediaTrackMetadataDelegate.qml
M  +1    -1    src/qml/PlayListEntry.qml
M  +2    -0    src/qml/mobile/MobileMinimizedPlayerControl.qml
M  +2    -0    src/qml/mobile/MobilePlayListDelegate.qml

https://invent.kde.org/multimedia/elisa/commit/2867b6f77bb2d7e701eec565b99cdf4c5fdf4cf9
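As an added illustration (not the commit's own diff, which is not reproduced here), the weak default beside the hardened form, assuming the metadata fields are shown with QtQuick Controls Labels and that "don't parse HTML" means forcing textFormat to Text.PlainText:

```qml
import QtQuick 2.15
import QtQuick.Controls 2.15

Column {
    // Constructed sample value standing in for a tag read from an audio file.
    readonly property string untrustedTitle: '<img src="http://example.invalid/cover.png"> Song'

    // Weak: textFormat defaults to Text.AutoText, so a string that looks like
    // HTML is rendered as rich text and the <img> is fetched and drawn.
    Label {
        text: untrustedTitle
    }

    // Hardened: force plain text so tags are displayed literally, never parsed.
    Label {
        text: untrustedTitle
        textFormat: Text.PlainText
    }
}
```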
Comment 2 Nagy Tibor 2021-09-13 07:09:27 UTC
This was a privacy issue. I thought this HTML subset was only constrained to local resources, but turns out Qt happily makes HTTP requests straight from GUI markup.

Sorry that I assumed some sanity from Qt.