Details
-
Bug
-
Resolution: Done
-
P3: Somewhat important
-
5.14.2
-
None
-
9136c16ae640aec8ab393237ce1a1c7f89c8bb1d (qt/qtwebengine/5.14), 3fcf62c0c (dev), b9c8cfba0 (6.7), 3484a9bb1 (6.6)
Description
When e.g. running alert("<h1>foo</h1>") (and same with confirm() and prompt()) in the simplebrowser devtools, the message window shows formatted text.
Compare this with Chromium, where the text is output as-is, as JavaScript dialogs shouldn't be able to show HTML as part of the browser UI.
It could be argued that this is a (small) security vulnerability, since it could be used for phishing purposes with some elaborate text (think faking an "update available" dialog from a web browser with a link to some malware).
This happens because in src/webenginewidgets/api/qwebenginepage.cpp, QWebEnginePage::javaScriptAlert uses QMessageBox::information() which uses Qt::RichText as text format by default (and javaScriptConfirm / javaScriptPrompt do something similar).
Attachments
| For Gerrit Dashboard: QTBUG-83338 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 296431,3 | Avoid HTML encodings in default JS QMessageBox'es | 5.14 | qt/qtwebengine | Status: MERGED | +2 | 0 |
| 520243,6 | Fix text formatting in JS Dialogs | dev | qt/qtwebengine | Status: MERGED | +2 | 0 |
| 529568,2 | Fix text formatting in JS Dialogs | 6.7 | qt/qtwebengine | Status: MERGED | +2 | 0 |
| 530303,2 | Fix text formatting in JS Dialogs | 6.6 | qt/qtwebengine | Status: MERGED | +2 | 0 |