Details
- Bug
- Resolution: Done
- P2: Important
- None
- 4.7.3
- None
- Change-Id: I6173f4df67a4bc1676ac32be6072763fc16f9720
Description
Hello Trolls
It is easily possible to do cross-site scripting (XSS) with XmlListModel.
As a simple example, you can take the QML Flickr sample application provided with Qt and in the search box enter the single character '#'. The application no longer displays images. In fact, the # character commented out half of the HTTP request sent to Flickr.
This problem is due to the fact that it is not (yet?) possible to properly escape characters in the query part of the URL given to the "XmlListModel.source" property.
I think it should be simple to escape elements in the query part of an HTTP request (http://en.wikipedia.org/wiki/URI_scheme#Generic_syntax).
Best regards,
Eric
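The truncation Eric describes, reproduced as an added example (not code from the report or from Qt): a search term containing '#' is spliced verbatim into the query string, so everything after it becomes a URL fragment that is never sent to the server, while percent-encoding each value with encodeURIComponent keeps it inside the parameter. The endpoint and parameter names are hypothetical; no request is made.

```javascript
// Added example, not from the bug report or Qt. Hypothetical endpoint; nothing is fetched.
const BASE = "https://api.example.invalid/services/rest/";

// Naive construction, equivalent to a QML binding such as
//   source: base + "?method=search&tags=" + searchText
// The user-supplied value is inserted without any escaping.
function buildUrlNaive(params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  return `${BASE}?${query}`;
}

// Hardened construction: every key and value is percent-encoded, so '#', '&',
// '=' and '%' typed by the user stay inside their parameter value.
function buildUrlEncoded(params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${BASE}?${query}`;
}

// Parse the URL the way any client or server does: the first '#' starts the
// fragment, which is dropped from the HTTP request, so only the parameters
// before it are visible to the server.
function queryAsSeen(url) {
  const u = new URL(url);
  return Object.fromEntries(u.searchParams.entries());
}

// Constructed input: the single '#' from the report as the search term.
const params = { method: "flickr.photos.search", tags: "#", format: "json" };

console.log(queryAsSeen(buildUrlNaive(params)));   // tags is empty, format is gone
console.log(queryAsSeen(buildUrlEncoded(params))); // all three parameters survive
```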
Attachments
Issue Links
- relates to
  - QTBUG-22756 QML VideoPlayer can not use percent encoded urls containing %2f ( "/" symbol) - Closed
  - QTBUG-19217 QML Image treats source as flawed unencoded URL - Closed