CactiChameleon9/PrismLauncher
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Technic: Prevent potential HTML injection

Browse Source
This commit is contained in:
Jamie Mansfield 2021-12-24 15:20:34 +00:00
parent d44fa416ca
commit f267375ac2
No known key found for this signature in database
GPG Key ID: 36F61598F39F67B0
1 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
launcher/ui/pages/modplatform/technic/TechnicPage.cpp
View File

@ -202,14 +202,12 @@ void TechnicPage::metadataLoaded()
QString name = current.name;
if (current.websiteUrl.isEmpty())
// This allows injecting HTML here.
text = name;
text = name.toHtmlEscaped();
else
// URL not properly escaped for inclusion in HTML. The name allows for injecting HTML.
text = "<a href=\"" + current.websiteUrl + "\">" + name + "</a>";
text = "<a href=\"" + current.websiteUrl.toHtmlEscaped() + "\">" + name.toHtmlEscaped() + "</a>";
if (!current.author.isEmpty()) {
// This allows injecting HTML here
text += tr(" by ") + current.author;
text += tr(" by ") + current.author.toHtmlEscaped();
}
ui->frame->setModText(text);