From 641aa7c75631084260ae89aecbdb625e918c6689 Mon Sep 17 00:00:00 2001 |
From: Albert Astals Cid <aacid@kde.org> |
Date: Thu, 13 Nov 2014 15:06:01 +0100 |
Subject: [PATCH] Sanitize html |
|
As discussed by the security team |
--- |
src/webpage.cpp | 11 +++++++---- |
1 file changed, 7 insertions(+), 4 deletions(-) |
|
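diff --git a/src/webpage.cpp b/src/webpage.cpp
index df1c41c..3e20b38 100644
--- a/src/webpage.cpp
+++ b/src/webpage.cpp
@@ -226,23 +226,26 @@ QString WebPage::errorPage(int code, const QString& text, const KUrl& reqUrl) co
 doc += QL1S( "<h3>" );
 doc += i18n( "Details of the Request:" );
 doc += QL1S( "</h3><ul><li>" );
- doc += i18n( "URL: %1", reqUrl.url() );
+ // escape URL twice: once for i18n, and once for HTML.
+ doc += i18n( "URL: %1", Qt::escape( Qt::escape( reqUrl.prettyUrl() ) ) );
 doc += QL1S( "</li><li>" );
 
 const QString protocol (reqUrl.protocol());
 if ( !protocol.isNull() ) {
- doc += i18n( "Protocol: %1", protocol );
+ // escape protocol twice: once for i18n, and once for HTML.
+ doc += i18n( "Protocol: %1", Qt::escape( Qt::escape( protocol ) ) );
 doc += QL1S( "</li><li>" );
 }
 
 doc += i18n( "Date and Time: %1",
 KGlobal::locale()->formatDateTime(QDateTime::currentDateTime(), KLocale::LongDate) );
 doc += QL1S( "</li><li>" );
- doc += i18n( "Additional Information: %1" , text );
+ // escape text twice: once for i18n, and once for HTML.
+ doc += i18n( "Additional Information: %1", Qt::escape( Qt::escape( text ) ) );
 doc += QL1S( "</li></ul><h3>" );
 doc += i18n( "Description:" );
 doc += QL1S( "</h3><p>" );
- doc += description;
+ doc += Qt::escape( description );
 doc += QL1S( "</p>" );
 
 if ( causes.count() ) {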
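Review bot: The three `Qt::escape( Qt::escape( … ) )` calls on the URL, protocol and text lines repeat the same pattern and the same one-line rationale; a small file-local helper such as `static QString escapeForI18nHtml( const QString& s ) { return Qt::escape( Qt::escape( s ) ); }`, with the reason written once above it, would keep a later reader from "simplifying" the double escape back to a single one and silently reopening the injection. The rationale itself deserves a sentence more than "once for i18n": presumably i18n() consumes one level of entities when it treats the message as rich text, so the inner escape only reaches the final HTML if that is always the case — if i18n() leaves a plain-text message untouched, these values will render as literal `&amp;amp;`/`&amp;lt;`, which is worth confirming against KLocalizedString's argument handling. The move from `reqUrl.url()` to `reqUrl.prettyUrl()` also changes what the page displays (a decoded, human-readable form), which the commit message does not mention. WebPage::errorPage starts before this hunk and continues past it (the `causes` list is emitted after), so any other interpolated data in that function is outside this review.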
-- |
1.9.3 |
|