Technic: Prevent potential HTML injection

This commit is contained in:
Jamie Mansfield 2021-12-24 15:20:34 +00:00
parent d44fa416ca
commit f267375ac2
No known key found for this signature in database
GPG Key ID: 36F61598F39F67B0

View File

@ -202,14 +202,12 @@ void TechnicPage::metadataLoaded()
QString name = current.name;
if (current.websiteUrl.isEmpty())
// This allows injecting HTML here.
text = name;
text = name.toHtmlEscaped();
else
// URL not properly escaped for inclusion in HTML. The name allows for injecting HTML.
text = "<a href=\"" + current.websiteUrl + "\">" + name + "</a>";
text = "<a href=\"" + current.websiteUrl.toHtmlEscaped() + "\">" + name.toHtmlEscaped() + "</a>";
if (!current.author.isEmpty()) {
// This allows injecting HTML here
text += tr(" by ") + current.author;
text += tr(" by ") + current.author.toHtmlEscaped();
}
ui->frame->setModText(text);