Details
Suggestion
Resolution: Done
P2: Important
4.7.1
None
Description
The QML Text element has a textFormat property that determines whether the text value is interpreted as plain text, rich text, styled text or automatic. The default is automatic, which means the text value is checked using Qt::mightBeRichText() and then interpreted based on this.
This means that text values that are actually plain text strings but include either HTML tags or otherwise HTML-looking text cause the element to switch to rich text mode. Since text values often come from untrusted sources, this means that applications either have to set each Text element to the Text.PlainText format every time, or alternatively escape the text so that it renders correctly when interpreted as rich text. Failure to do so makes applications prone to HTML injection into their UI, which has security implications.
The common case is no doubt that the text is actually plain text, so having the default be automatic, which imposes this risk and/or extra work on the application and developer, seems bad enough to be called a bug.
The suggested fix is to change the default text format to plain text.
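As an added illustration (not part of the original report or of Qt itself), the following QML shows the weak default beside the two workarounds the description mentions. The `import QtQuick 1.0` line, the `escapeHtml` helper and the sample input are assumptions made here for a Qt 4.7.1-era project.

```qml
import QtQuick 1.0

Rectangle {
    width: 400; height: 160

    // Constructed sample input: a value from an untrusted source (e.g. a user
    // name or message) that happens to look like HTML.
    property string untrustedInput: "<b>looks bold</b> &amp; <i>italic</i>"

    // Minimal HTML escaping for the rich-text path. Assumption: this helper is
    // written here; Qt 4.7 QML offers no built-in escape function.
    function escapeHtml(s) {
        return s.replace(/&/g, "&amp;")
                .replace(/</g, "&lt;")
                .replace(/>/g, "&gt;");
    }

    Column {
        spacing: 8

        // Weak: textFormat defaults to Text.AutoText, so Qt::mightBeRichText()
        // sees the tags and the string is rendered as markup, not shown literally.
        Text { text: untrustedInput }

        // Mitigation 1: force plain text; the tags are displayed as typed.
        Text { text: untrustedInput; textFormat: Text.PlainText }

        // Mitigation 2: keep rich text but escape the untrusted value first,
        // so the element shows the literal characters rather than interpreting them.
        Text { text: escapeHtml(untrustedInput); textFormat: Text.RichText }
    }
}
```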