Loading...

XML

Word

Printable

Details

Type: Suggestion
Resolution: Done
Priority: P2: Important
Fix Version/s: 5.0.0
Affects Version/s: 4.7.1
Component/s: QML: Declarative and Javascript Engine
Labels:
None

Description

The QML Text element has a textFormat property that determines whether the text value is interpreted as plain text, rich text, styled text or automatic. The default is automatic, which means the text value is checked using Qt::mightBeRichText() and then interpreted based on this.

This means that text values that are actually plain text strings but include either HTML tags or otherwise HTML-looking text causes the element to switch to rch text mode. Since text values often come from untrusted sources this means that applications either have to each time specifically set Text elements to use the Text.PlainText format or alternatively escape the text so that it works correctly when rich text formated. Failure to do so makes applications prone to HTML injection into their UI, which has security implications.

The common case is no doubt that text is actually plain text and thus having the default be automatic and thus imposing this risk and/or extra work on the application and developer seem like a bad enough thing that it can be called a bug.

The suggested fix is to change the default text format to plain text.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Yann Bodson (Inactive)

Reporter:: Petrus Lundqvist (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24 Nov '10 12:18

Updated:: 23 Mar '12 08:55

Resolved:: 03 Oct '11 01:31

Gerrit Reviews

There are no open Gerrit changes