gui: Show messages as text not html #12617
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text.
randolf
approved these changes
Mar 6, 2018
Contributor
randolf
left a comment
There was a problem hiding this comment.
This is a good practice none-the-less as a preventive measure just in case something were to change in a future Qt version with regard to how it detects and interprets HTML or some other not-yet-invented format.
promag
reviewed
Mar 6, 2018
| buttons = QMessageBox::Ok; | ||
|
|
||
| showNormalIfMinimized(); | ||
| QMessageBox mBox(static_cast<QMessageBox::Icon>(nMBoxIcon), strTitle, message, buttons, this); |
Contributor
There was a problem hiding this comment.
Nit, since it's not possible to specify the format in the constructor, change everything to setters:
QMessageBox mBox(this);
mBox.setIcon(static_cast<QMessageBox::Icon>(nMBoxIcon));
mBox.setWindowTitle(strTitle);
mBox.setTextFormat(Qt::PlainText);
mBox.setText(message);
mBox.setStandardButtons(buttons);
Member
Author
There was a problem hiding this comment.
Meh... let's not add more work here than is necessary. It works so it's ok, imo.
Member
|
tACK 6fbc098 No more cats: |
Member
|
No more cats? What is this? Dogecoin? |
fanquake
pushed a commit
to fanquake/bitcoin
that referenced
this pull request
Mar 6, 2018
6fbc098 gui: Show messages as text not html (Wladimir J. van der Laan) Pull request description: Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. Tree-SHA512: 96c9196f20552544b862071bca61817ef03653019cc3548023d435f3a9c48b6cd501fab3246783cb0be68c8c7bb1b865913d92070a7c4e84e82c6577709f0934
maflcko
pushed a commit
to maflcko/bitcoin-core
that referenced
this pull request
Jul 13, 2018
Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. Github-Pull: bitcoin#12617 Rebased-From: 6fbc098
HashUnlimited
pushed a commit
to chaincoin/chaincoin
that referenced
this pull request
Jan 11, 2019
Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. Github-Pull: bitcoin#12617 Rebased-From: 6fbc098
jasonbcox
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Dec 20, 2019
Summary: 6fbc098 gui: Show messages as text not html (Wladimir J. van der Laan) --- Pull request description: Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. --- This is a backport from Core PR12617 (bitcoin/bitcoin#12617) Test Plan: ninja check Reviewers: O1 Bitcoin ABC, #bitcoin_abc, deadalnix, Fabien Reviewed By: O1 Bitcoin ABC, #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D4761
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Apr 16, 2020
Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text.
jonspock
pushed a commit
to jonspock/devault
that referenced
this pull request
Oct 2, 2020
Summary: 6fbc0986f gui: Show messages as text not html (Wladimir J. van der Laan) --- Pull request description: Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. --- This is a backport from Core PR12617 (bitcoin/bitcoin#12617) Test Plan: ninja check Reviewers: O1 Bitcoin ABC, #bitcoin_abc, deadalnix, Fabien Reviewed By: O1 Bitcoin ABC, #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D4761
jonspock
pushed a commit
to jonspock/devault
that referenced
this pull request
Oct 5, 2020
Summary: 6fbc0986f gui: Show messages as text not html (Wladimir J. van der Laan) --- Pull request description: Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. --- This is a backport from Core PR12617 (bitcoin/bitcoin#12617) Test Plan: ninja check Reviewers: O1 Bitcoin ABC, #bitcoin_abc, deadalnix, Fabien Reviewed By: O1 Bitcoin ABC, #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D4761
jonspock
pushed a commit
to devaultcrypto/devault
that referenced
this pull request
Oct 10, 2020
Summary: 6fbc0986f gui: Show messages as text not html (Wladimir J. van der Laan) --- Pull request description: Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format. This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing. So explicitly force the format as text. --- This is a backport from Core PR12617 (bitcoin/bitcoin#12617) Test Plan: ninja check Reviewers: O1 Bitcoin ABC, #bitcoin_abc, deadalnix, Fabien Reviewed By: O1 Bitcoin ABC, #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D4761
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format.
This means that it's possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn't a direct security risk because fetching content from internet is
disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing.
So explicitly force the format as text.