
List:       kde-commits
Subject:    [kdepimlibs] akonadi/contact: Fix XSS issue in the contact viewer
From:       Tobias Koenig <tokoe () kde ! org>
Date:       2012-10-13 9:58:14
Message-ID: 20121013095814.3B6B3A6078 () git ! kde ! org

Git commit d5bb7c20544170e06ecaaeb21c747c3b8905fc63 by Tobias Koenig.
Committed on 13/10/2012 at 11:56.
Pushed by tokoe into branch 'master'.

Fix XSS issue in the contact viewer

This was not really a security risk, since the QTextBrowser in use has no way to
access the network automatically, but fixing it right now makes it future-proof.

BUGS: 305169

M  +13   -12   akonadi/contact/standardcontactformatter.cpp

http://commits.kde.org/kdepimlibs/d5bb7c20544170e06ecaaeb21c747c3b8905fc63

diff --git a/akonadi/contact/standardcontactformatter.cpp b/akonadi/contact/standardcontactformatter.cpp
index 1437f6b..683352c 100644
--- a/akonadi/contact/standardcontactformatter.cpp
+++ b/akonadi/contact/standardcontactformatter.cpp
@@ -30,6 +30,7 @@
 #include <kstringhandler.h>
 
 #include <QtCore/QSet>
+#include <QtGui/QTextDocument>
 
 using namespace Akonadi;
 
@@ -109,9 +110,9 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
 
       QString url;
       if ( number.type() & KABC::PhoneNumber::Cell ) {
-        url = QString::fromLatin1( "<a href=\"phone:?index=%1\">%2</a> (<a href=\"sms:?index=%1\">SMS</a>)" ).arg( counter ).arg( number.number() );
+        url = QString::fromLatin1( "<a href=\"phone:?index=%1\">%2</a> (<a href=\"sms:?index=%1\">SMS</a>)" ).arg( counter ).arg( Qt::escape( number.number() ) );
 } else {
-        url = QString::fromLatin1( "<a href=\"phone:?index=%1\">%2</a>" ).arg( counter ).arg( number.number() );
+        url = QString::fromLatin1( "<a href=\"phone:?index=%1\">%2</a>" ).arg( counter ).arg( Qt::escape( number.number() ) );
 }
 
       counter++;
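Review bot: `Qt::escape( number.number() )` is now evaluated separately in each branch of the `if`, so a later edit to one of the two format strings can silently drop the escaping from the other. Hoisting it above the branch, `const QString escapedNumber = Qt::escape( number.number() );`, and passing `escapedNumber` to both `.arg()` calls keeps the escaping in one place. The enclosing loop over the phone numbers starts before this hunk.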
@@ -123,7 +124,7 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
 
   // EMails
   foreach ( const QString &email, rawContact.emails() ) {
-    QString type = i18nc( "a contact's email address", "Email" );
+    const QString type = i18nc( "a contact's email address", "Email" );
 
     const QString fullEmail = QString::fromLatin1( KUrl::toPercentEncoding( rawContact.fullEmail( email ) ) );
 
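Review bot: The only substantive change in this hunk is `const` on `type`; the lines that render `email` itself as visible link text lie outside the hunk, so this diff alone does not show whether the displayed address gets the same Qt::escape treatment the other fields receive in this commit. `KUrl::toPercentEncoding` on `fullEmail` covers the href value, but a `<` or `"` in the displayed `email` would still need escaping if it is interpolated directly into the row. Worth confirming on the lines that follow.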
@@ -139,14 +140,14 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
       url = QLatin1String( "http://" ) + url;
     }
 
-    url = KStringHandler::tagUrls( url );
+    url = KStringHandler::tagUrls( Qt::escape( url ) );
     dynamicPart += rowFmtStr.arg( i18n( "Homepage" ) ).arg( url );
   }
 
   // Blog Feed
   const QString blog = rawContact.custom( QLatin1String( "KADDRESSBOOK" ), QLatin1String( "BlogFeed" ) );
 if ( !blog.isEmpty() ) {
-    dynamicPart += rowFmtStr.arg( i18n( "Blog Feed" ) ).arg( KStringHandler::tagUrls( blog ) );
+    dynamicPart += rowFmtStr.arg( i18n( "Blog Feed" ) ).arg( KStringHandler::tagUrls( Qt::escape( blog ) ) );
 }
 
   // Addresses
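Review bot: The call order `KStringHandler::tagUrls( Qt::escape( url ) )` is deliberate — escaping after tagUrls() would turn the generated `<a>` markup back into text — but nothing in the code says so. The same ordering constraint holds for the Blog Feed line in this hunk and for the `Qt::escape( ... ).replace( QLatin1Char( '\n' ), QLatin1String( "<br>" ) )` chains in the address and note hunks further down. A one-line comment at the first site, `// escape first: tagUrls() emits markup that must stay unescaped`, would keep a future change from swapping the calls.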
@@ -155,9 +156,9 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
     QString formattedAddress;
 
     if ( address.label().isEmpty() ) {
-      formattedAddress = address.formattedAddress().trimmed();
+      formattedAddress = Qt::escape( address.formattedAddress().trimmed() );
     } else {
-      formattedAddress = address.label();
+      formattedAddress = Qt::escape( address.label() );
     }
 
     formattedAddress = formattedAddress.replace( QLatin1Char( '\n' ), QLatin1String( "<br>" ) );
@@ -176,7 +177,7 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
 // Note
   QString notes;
   if ( !rawContact.note().isEmpty() ) {
-    notes = rowFmtStr.arg( i18n( "Notes" ) ).arg( rawContact.note().replace( QLatin1Char( '\n' ), QLatin1String( "<br>" ) ) ) ;
+    notes = rowFmtStr.arg( i18n( "Notes" ) ).arg( Qt::escape( rawContact.note() ).replace( QLatin1Char( '\n' ), QLatin1String( "<br>" ) ) ) ;
 }
 
   // Custom Data
@@ -256,7 +257,7 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
           }
         }
 
-        customData += rowFmtStr.arg( key ).arg( value ) ;
+        customData += rowFmtStr.arg( key ).arg( Qt::escape( value ) ) ;
       }
     }
   }
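Review bot: `key` is still passed to `rowFmtStr.arg()` unescaped on the same line that now escapes `value`. The loop that produces `key` starts before this hunk, so I cannot tell from here whether it is always an i18n title or can fall back to the raw custom-field name stored in the contact; if the latter, it needs the same treatment, `customData += rowFmtStr.arg( Qt::escape( key ) ).arg( Qt::escape( value ) ) ;`.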
@@ -286,9 +287,9 @@ QString StandardContactFormatter::toHtml( HtmlForm form ) const
     "<td align=\"left\" width=\"70%\">%4</td>"  // organization
     "</tr>")
       .arg( QLatin1String( "contact_photo" ) )
-      .arg( rawContact.realName() )
-      .arg( role )
-      .arg( rawContact.organization() );
+      .arg( Qt::escape( rawContact.realName() ) )
+      .arg( Qt::escape( role ) )
+      .arg( Qt::escape( rawContact.organization() ) );
 
   strAddr.append( dynamicPart );
   strAddr.append( notes );
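Review bot: The chained `.arg()` calls substitute `%1`..`%4` one at a time, so a `%3` or `%4` sequence inside `rawContact.realName()` is itself expanded by the following `.arg( role )` and `.arg( organization )` calls — Qt::escape() does not touch `%`. Because the substituted values are already escaped the effect is garbled output rather than markup injection, but it is still data-dependent rendering. The multi-argument overload, `.arg( QLatin1String( "contact_photo" ), Qt::escape( rawContact.realName() ), Qt::escape( role ), Qt::escape( rawContact.organization() ) );`, does a single pass and avoids this; the `rowFmtStr.arg( ... ).arg( ... )` chains elsewhere in the diff have the same shape. The statement begins before this hunk.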


