Created attachment 144147 [details] Screenshot SUMMARY When saving .kra files the Description metadata field at "File"->"Document Information"->"General" is not properly escaped. This field is written as a CDATA section into documentinfo.xml and the closing CDATA "]]>" delimiters are not escaped as "]]]]><![CDATA[>" inside the field. This may lead to invalid/corrupt metadata XMLs. STEPS TO REPRODUCE Put the following string into the description field: description]]></abstract> <blink>Hi there! I escaped this CDATA section</blink> <!-- SOFTWARE/OS VERSIONS Operating System: KDE neon 5.23 KDE Plasma Version: 5.23.3 KDE Frameworks Version: 5.88.0 Qt Version: 5.15.3 Graphics Platform: X11
The name field in the predefinedimage XMLs are also affected by this.
Git commit 74eb1ffa9cafc529585e7a47bf5c84f0ec4d0bf7 by Halla Rempt. Committed on 15/05/2022 at 08:10. Pushed by rempt into branch 'master'. Escape text strings we put in xml files and sanitize filenames KoXmlWriter already escaped strings, but QDomDocument doesn't do that when adding text. This uses xml entities. We should also sanitize filenames before trying to write them out. This uses percent endcoding from QUrl. M +3 -2 libs/flake/resources/KisSeExprScript.cpp M +7 -1 libs/global/KisFileUtils.cpp M +6 -1 libs/global/KisFileUtils.h M +59 -12 libs/global/kis_dom_utils.cpp M +12 -1 libs/global/kis_dom_utils.h M +0 -1 libs/global/kis_global.h M +13 -8 libs/image/kis_properties_configuration.cc M +1 -1 libs/resources/KoResource.cpp M +1 -1 libs/ui/KisMainWindow.cpp M +22 -20 libs/ui/KoDocumentInfo.cpp M +2 -2 libs/ui/animation/KisAnimationRenderingOptions.cpp M +8 -2 libs/ui/widgets/kis_custom_image_widget.cc M +20 -18 libs/widgets/KoConfigAuthorPage.cpp M +2 -2 libs/widgets/kis_file_name_requester.cpp M +5 -5 plugins/dockers/tasksetdocker/taskset_resource.cpp M +2 -2 plugins/filters/levelfilter/KisLevelsFilterConfiguration.cpp https://invent.kde.org/graphics/krita/commit/74eb1ffa9cafc529585e7a47bf5c84f0ec4d0bf7
I had to revert that commit here: https://invent.kde.org/graphics/krita/-/commit/9e12726bf39cf1053755fc7fbf35ba39a32e7ed1 because it caused bug 455541. The issue mentioned here is not important enough to change the way brush presets are saved. Next time someone tries to fix it, only the user submitted strings should be escaped, and not everything. I did assign it to myself to not lose it.