Created attachment 170765 [details] poc *** If you're not sure this is actually a bug, instead post about it at https://discuss.kde.org If you're reporting a crash, attach a backtrace with debug symbols; see https://community.kde.org/Guidelines_and_HOWTOs/Debugging/How_to_create_useful_crash_reports *** SUMMARY information panel treat text/informations like html. which leads to html injection through file name. STEPS TO REPRODUCE 1. take one exFat formated usb/drive 2. create a file on your linux machine with name `<h1>test` and copy this file 3. now go to exfat formated drive and paste the file. 4. it will give warning about special charecter on filename will be replaced with underscore. but it will also treat the file name as html and render it with given html tag OBSERVED RESULT Html rendered filename which means html injection EXPECTED RESULT escaped file name like other panels SOFTWARE/OS VERSIONS Linux/KDE Plasma: Debian gnu/linux 12 (available in About System) KDE Plasma Version: 5.27.5 KDE Frameworks Version: 5.103.0 Qt Version: 5.15.8 ADDITIONAL INFORMATION
>Html rendered filename which means html injection It's not too bad in this case. You're limited within the label and can only do a tiny bit of markup. It's not like on a website when you can redirect the login button or anything. Still worth fixing.