Qt / QTBUG-19925

URL encoding - XSS with XmlListModel


    • Change-Id: I6173f4df67a4bc1676ac32be6072763fc16f9720

Hello Trolls,

It is easily possible to do cross-site scripting (XSS) with XmlListModel.

As a simple example, you can take the QML Flickr sample application provided with Qt and, in the search box, enter the single character '#'. The application no longer displays images. In fact, the '#' character commented out half of the HTTP request sent to Flickr.

This problem is due to the fact that it is not (yet?) possible to properly escape characters in the query part of the URL given to the "XmlListModel.source" property.

I think it should be simple to escape elements in the query part of an HTTP request (http://en.wikipedia.org/wiki/URI_scheme#Generic_syntax).

Best regards,
Eric
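The mechanism behind the report is that an unencoded '#' in a query value starts the URL fragment, which the HTTP client never sends, so the rest of the query silently disappears; the mitigation is to percent-encode every query value before it is concatenated into the URL. The following is an added example (not code from the report or from Qt) that puts the unsafe string concatenation beside the encoded form and uses the WHATWG `URL` parser to show what actually reaches the server. The endpoint host, path and parameter names are constructed for illustration and are not claimed to match the Flickr demo; `encodeURIComponent` is standard ECMAScript and is therefore available in QML's JavaScript as well as in Node.

```javascript
// Added example, not from the Qt report. Endpoint and parameter names below are
// constructed placeholders, not the Flickr demo's real URL.
const BASE = "http://example.invalid/services/feeds/photos_public.gne";

// Unsafe: raw concatenation of user input into the query string. A '#' in
// `tags` starts the URL fragment, so everything after it (here "&format=rss2")
// is dropped before the request is sent: the "commented out" request.
function buildUrlUnsafe(tags) {
  return BASE + "?tags=" + tags + "&format=rss2";
}

// Safe: percent-encode every key and value. Reserved characters such as
// '#', '&', '=' and '?' become %XX escapes and can no longer change the URL
// structure, whatever the user typed.
function buildUrlSafe(params) {
  const query = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
  return BASE + "?" + query;
}

// What a URL parser (and hence the HTTP client) does with the string: the
// fragment stays on the client, only path + query go on the wire.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return {
    query: u.search,                    // e.g. "?tags=" when '#' truncated it
    fragment: u.hash,                   // e.g. "#&format=rss2" (never sent)
    sentToServer: u.pathname + u.search
  };
}

// Server-side view of the query: decode it back into key/value pairs so the
// round trip (encode -> parse) can be checked.
function parseQuery(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams.entries());
}

// Side-by-side comparison for the report's input, the single character '#'.
function demo(userInput) {
  const unsafe = buildUrlUnsafe(userInput);
  const safe = buildUrlSafe({ tags: userInput, format: "rss2" });
  return [
    "unsafe URL : " + unsafe,
    "  on wire  : " + requestTarget(unsafe).sentToServer,
    "safe URL   : " + safe,
    "  on wire  : " + requestTarget(safe).sentToServer,
    "  decoded  : " + JSON.stringify(parseQuery(safe))
  ];
}

console.log(demo("#").join("\n"));
```

Running the block shows the unsafe request arriving as `?tags=` with the `format` parameter gone, while the encoded request carries `tags=%23&format=rss2` and decodes back to the original `#` on the server side. The same encoding step also neutralises `&` and `=` in user input, which would otherwise inject or overwrite query parameters rather than truncate them.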

Matthew Vogt (closed Nokia identity) (Inactive)
Eric Bouteillon