446376 – Improperly escaped description field may bork documentinfo.xml in .kra files

Bug 446376 - Improperly escaped description field may bork documentinfo.xml in .kra files

Summary: Improperly escaped description field may bork documentinfo.xml in .kra files

Status:	ASSIGNED

Alias:	None

Product:	krita
Classification:	Applications
Component:	File formats (show other bugs)
Version:	4.4.8
Platform:	Neon Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Tiar

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-12-02 14:50 UTC by Nagy Tibor
Modified:	2022-08-04 08:42 UTC (History)
CC List:	2 users (show)

See Also:
Latest Commit:	https://invent.kde.org/graphics/krita/commit/74eb1ffa9cafc529585e7a47bf5c84f0ec4d0bf7
Version Fixed In:

Attachments
Screenshot (166.28 KB, image/png) 2021-12-02 14:50 UTC, Nagy Tibor	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Nagy Tibor 2021-12-02 14:50:32 UTC

Created attachment 144147 [details]
Screenshot

SUMMARY
When saving .kra files the Description metadata field at "File"->"Document Information"->"General" is not properly escaped. This field is written as a CDATA section into documentinfo.xml and the closing CDATA "]]>" delimiters are not escaped as "]]]]><![CDATA[>" inside the field. This may lead to invalid/corrupt metadata XMLs.

STEPS TO REPRODUCE
Put the following string into the description field:

description]]></abstract>
<blink>Hi there! I escaped this CDATA section</blink>
<!--

SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.23
KDE Plasma Version: 5.23.3
KDE Frameworks Version: 5.88.0
Qt Version: 5.15.3
Graphics Platform: X11

Comment 1 Nagy Tibor 2022-05-01 21:55:51 UTC

The name field in the predefinedimage XMLs are also affected by this.

Comment 2 Halla Rempt 2022-05-15 08:11:04 UTC

Git commit 74eb1ffa9cafc529585e7a47bf5c84f0ec4d0bf7 by Halla Rempt.
Committed on 15/05/2022 at 08:10.
Pushed by rempt into branch 'master'.

Escape text strings we put in xml files and sanitize filenames

KoXmlWriter already escaped strings, but QDomDocument doesn't do
that when adding text. This uses xml entities.

We should also sanitize filenames before trying to write them out.
This uses percent endcoding from QUrl.

M  +3    -2    libs/flake/resources/KisSeExprScript.cpp
M  +7    -1    libs/global/KisFileUtils.cpp
M  +6    -1    libs/global/KisFileUtils.h
M  +59   -12   libs/global/kis_dom_utils.cpp
M  +12   -1    libs/global/kis_dom_utils.h
M  +0    -1    libs/global/kis_global.h
M  +13   -8    libs/image/kis_properties_configuration.cc
M  +1    -1    libs/resources/KoResource.cpp
M  +1    -1    libs/ui/KisMainWindow.cpp
M  +22   -20   libs/ui/KoDocumentInfo.cpp
M  +2    -2    libs/ui/animation/KisAnimationRenderingOptions.cpp
M  +8    -2    libs/ui/widgets/kis_custom_image_widget.cc
M  +20   -18   libs/widgets/KoConfigAuthorPage.cpp
M  +2    -2    libs/widgets/kis_file_name_requester.cpp
M  +5    -5    plugins/dockers/tasksetdocker/taskset_resource.cpp
M  +2    -2    plugins/filters/levelfilter/KisLevelsFilterConfiguration.cpp

https://invent.kde.org/graphics/krita/commit/74eb1ffa9cafc529585e7a47bf5c84f0ec4d0bf7

Comment 3 Tiar 2022-07-04 13:32:33 UTC

I had to revert that commit here: https://invent.kde.org/graphics/krita/-/commit/9e12726bf39cf1053755fc7fbf35ba39a32e7ed1 because it caused bug 455541.

The issue mentioned here is not important enough to change the way brush presets are saved. Next time someone tries to fix it, only the user submitted strings should be escaped, and not everything.

I did assign it to myself to not lose it.