Keepassxc: Properly escape HTML in message boxes

Created on 28 Jan 2017  路  2Comments  路  Source: keepassxreboot/keepassxc


When entry titles or other fields are used as part of a message box, the string should be properly escaped to prevent HTML evaluation. Right now, this is not always the case (such as the confirmation before moving an entry to the trash).

Since Qt does not allow

All 2 comments

Related: the "headline" when editing an entry isn't properly sanitized. (See this screenshot.) Seems to use both Groups' names and Entrys' entryTitles, by way of EditEntryWidget::loadEntry's parentName parameter, called from (for example) DatabaseWidget::switchToEntryEdit and DatabaseWidget::switchToHistoryView. QLabels should probably be similarly sanitized.

Throne3d picture Throne3d on 29 Jan 2017
👍2

Fixed by above-mentioned commits.

phoerious picture phoerious on 6 Feb 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mstarke picture mstarke  路  3Comments
shaneknysh picture shaneknysh  路  3Comments
JosephHatfield picture JosephHatfield  路  3Comments
guihkx picture guihkx  路  3Comments
Throne3d picture Throne3d  路  3Comments