Project: Qt
Issue: QTBUG-19925

URL encoding - XSS with XmlListModel


Details

    • Change-Id: I6173f4df67a4bc1676ac32be6072763fc16f9720

    Description

      Hello Trolls

      It is easily possible to do cross-site-scripting (XSS) with XmlListModel.

      As a simple example, you can take the QML Flickr sample application provided with Qt and in the search box enter the single character '#'. The application no longer displays images. In fact, the # character commented out half of the HTTP request sent to flickr.

      This problem is due to the fact it is not (yet?) possible to properly escape characters in the query part of the URL given to the "XmlListModel.source" property.

      I think it should be simple to escape elements in the query part of an HTTP request (http://en.wikipedia.org/wiki/URI_scheme#Generic_syntax).

      Best regards,
      Eric
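The escaping the report asks for, shown as an added example that is not part of the original report and not Qt's own XmlListModel code: every query parameter is percent-encoded separately before the URL is assembled, so a search term such as '#' travels as `%23` instead of starting a fragment that the HTTP client never sends. The endpoint `https://api.example.invalid/search` and the parameter names `text` and `per_page` are constructed placeholders, not the Flickr API. The code is plain ES5-style JavaScript so it can also be pasted into a QML file's JavaScript block, where `encodeURIComponent` is likewise available.

```javascript
// Added example (not from QTBUG-19925 or from Qt): building a query string
// for XmlListModel.source so that user input cannot change the URL's structure.
// The endpoint and parameter names below are constructed placeholders.

// Percent-encode each key and value, then join them. encodeURIComponent
// escapes '#', '&', '=', '?', '%', '+' and non-ASCII characters, so a search
// term can never add a parameter, cut the query short, or start a fragment.
function buildQueryUrl(base, params) {
    var parts = [];
    for (var key in params) {
        if (!Object.prototype.hasOwnProperty.call(params, key)) continue;
        parts.push(encodeURIComponent(key) + "=" + encodeURIComponent(String(params[key])));
    }
    return parts.length ? base + "?" + parts.join("&") : base;
}

// The naive concatenation the report describes: the raw search term is
// dropped into the query string unescaped. Kept only to show the difference.
function buildQueryUrlUnescaped(base, params) {
    var parts = [];
    for (var key in params) {
        if (!Object.prototype.hasOwnProperty.call(params, key)) continue;
        parts.push(key + "=" + String(params[key]));
    }
    return parts.length ? base + "?" + parts.join("&") : base;
}

// What actually goes on the wire: per RFC 3986 the fragment (everything from
// the first '#') is client-side only and is never sent to the server.
function requestTarget(url) {
    var hash = url.indexOf("#");
    return hash === -1 ? url : url.slice(0, hash);
}

// Decode the query back into a map, the way the server would see it.
function parseQuery(url) {
    var target = requestTarget(url);
    var q = target.indexOf("?");
    var result = {};
    if (q === -1) return result;
    var pairs = target.slice(q + 1).split("&");
    for (var i = 0; i < pairs.length; i++) {
        var pair = pairs[i];
        if (!pair) continue;
        var eq = pair.indexOf("=");
        var key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
        var value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
        result[key] = value;
    }
    return result;
}

// Constructed sample input: the single '#' search term from the report,
// followed by a second parameter so the truncation is visible.
var BASE = "https://api.example.invalid/search";  // placeholder endpoint
var PARAMS = { text: "#", per_page: 20 };

var unescaped = buildQueryUrlUnescaped(BASE, PARAMS);
var escaped = buildQueryUrl(BASE, PARAMS);

console.log(requestTarget(unescaped)); // https://api.example.invalid/search?text=
console.log(requestTarget(escaped));   // https://api.example.invalid/search?text=%23&per_page=20
```

In a QML file the same `buildQueryUrl` can sit in a `function` inside the component and feed `source: buildQueryUrl(base, { text: searchField.text })`. The order matters: encode each value first and only then join with `?`, `=` and `&`; encoding the finished URL as a whole would also escape those separators and break the request.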

            People

              mvogt Matthew Vogt (closed Nokia identity) (Inactive)
              ericbout Eric Bouteillon