
List:       kde-panel-devel
Subject:    D10188: Sanitise notification HTML
From:       Kai Uwe Broulik <noreply () phabricator ! kde ! org>
Date:       2018-02-02 16:16:16
Message-ID: 20180202161616.1.C456E271DE88EF5D () phabricator ! kde ! org

broulik added a comment.


  Thanks for taking care of this.

INLINE COMMENTS

> notificationsanitizer.cpp:45
> +
> +    QXmlStreamReader r(QStringLiteral("<html>") + t + QStringLiteral("</html>"));
> +    QString result;
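
Review bot: `QXmlStreamReader` is a strict XML parser, and at `QXmlStreamReader r(QStringLiteral("<html>") + t + QStringLiteral("</html>"))` it is handed sender-controlled notification text `t` that will often not be well-formed XML: a bare `&`, a `<` used as plain text, or an unclosed `<b>` stops the reader with an error partway through. The lines shown here do not say what `result` holds in that case. Please check `r.hasError()` once reading finishes and return the whole body escaped as plain text (for example `t.toHtmlEscaped()`) rather than a truncated or half-sanitised `result`, and add a test with malformed input.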

We need a `QXmlStreamEntityResolver` like `KNotification` has, otherwise HTML entities like `&Auml;` (for `Ä`) will error out.

> notificationsanitizer.cpp:72
> +
> +                out.writeAttribute(QStringLiteral("alt"), alt);
> +            }

Don't write `alt` if it doesn't have one?

> notificationsanitizer.h:2
> +/*
> + *   Copyright (C) 2017 David Edmundson <davidedmundson@kde.org>
> + *

2018

> notificationsengine.cpp:265
> QString bodyFinal = (partOf == 0 ? body : _body);
> -    // First trim whitespace from beginning and end
> -    bodyFinal = bodyFinal.trimmed();
> -    // Now replace all \ns with <br/>
> -    bodyFinal = bodyFinal.replace(QLatin1String("\n"), QLatin1String("<br/>"));
> -    // Now remove all inner whitespace (\ns are already <br/>s
> -    bodyFinal = bodyFinal.simplified();
> -    // Finally, check if we don't have multiple <br/>s following,
> -    // can happen for example when "\n       \n" is sent, this replaces
> -    // all <br/>s in succsession with just one
> -    bodyFinal.replace(QRegularExpression(QStringLiteral("<br/>\\s*<br/>(\\s|<br/>)*")), \
>                 QLatin1String("<br/>"));
> -    // This fancy RegExp escapes every occurence of & since QtQuick Text will \
>                 blatantly cut off
> -    // text where it finds a stray ampersand.
> -    // Only &{apos, quot, gt, lt, amp}; as well as &#123 character references will \
>                 be allowed
> -    bodyFinal.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), \
>                 QLatin1String("&amp;"));
> -    // The Text.StyledText format handles only html3.2 stuff and &apos; is html4 \
>                 stuff
> -    // so we need to replace it here otherwise it will not render at all.
> -    bodyFinal.replace(QLatin1String("&apos;"), QChar('\''));
> +    bodyFinal = NotificationSanitizer::parse(bodyFinal);
> 
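
Review bot: the removed lines each handled a concrete input quirk that the single `NotificationSanitizer::parse(bodyFinal)` call now has to cover, and nothing in this hunk shows that it does. The dropped `&(?!(?:apos|quot|[gl]t|amp);|#)` replacement turned stray ampersands into `&amp;`, the `&apos;` replacement existed because Text.StyledText does not render that entity, and the newline to `<br/>` conversion and the collapsing of repeated `<br/>` are gone as well. Please add unit tests for a body with a stray `&`, one with `&apos;`, and one with "\n       \n" so the sanitiser is shown to keep each behaviour, or keep the ampersand escaping ahead of the parse.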

Won't you end up with piles of `<html>` tags, since `_body` is the body text of the notification it would group to?

  <html>
  <html>
  old notification
  </html>
  new notification
  </html>

Not that it really matters, though.

REPOSITORY
  R120 Plasma Workspace

REVISION DETAIL
  https://phabricator.kde.org/D10188

To: davidedmundson, #plasma, fvogt
Cc: broulik, aacid, fvogt, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart

