Details
Bug
Resolution: Done
P3: Somewhat important
5.14.2
None
9136c16ae640aec8ab393237ce1a1c7f89c8bb1d (qt/qtwebengine/5.14), 3fcf62c0c (dev), b9c8cfba0 (6.7), 3484a9bb1 (6.6)
Description
When e.g. running alert("<h1>foo</h1>") (and same with confirm() and prompt()) in the simplebrowser devtools, the message window shows formatted text.
Compare this with Chromium, where the text is output as-is, as JavaScript dialogs shouldn't be able to show HTML as part of the browser UI.
It could be argued that this is a (small) security vulnerability, since it could be used for phishing purposes with some elaborate text (think faking an "update available" dialog from a web browser with a link to some malware).
This happens because in src/webenginewidgets/api/qwebenginepage.cpp, QWebEnginePage::javaScriptAlert uses QMessageBox::information() which uses Qt::RichText as text format by default (and javaScriptConfirm / javaScriptPrompt do something similar).