[ktp-text-ui] Html post-processing in chat styles is wrong!

Martin Klapetek martin.klapetek at gmail.com
Tue Feb 3 11:53:00 UTC 2015


On Wed, Jan 28, 2015 at 7:13 PM, ChALkeR <chalkerx at gmail.com> wrote:

> Atm, the core of ktp-text-ui is trying hard to escape things, parse links
> and auto-convert them, embed videos and bugzilla info, etc.
>
> And the new default style breaks it all with careless innerHTML unescaping
> and post-processing.
> For example, line
> ./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:24:
>  messageNode.innerHTML = rawMessage.replace(/(@"*[\d\w]*)/, '<span class="atTag">$1</span>');
> Breaks messages with @ in links, try «http://foo@example.org».
>
> Html unescaping in line
> ./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:22:
>  rawMessage = scrubHTML(rawMessage);
> makes things like «<div
> style="position:absolute;left:0;right:0;top:0;bottom:0"
> onmouseover="window.location='http://' + 'kde.org'"></div>» possible
> (replace kde.org with some random site). Btw, that makes it easy to crash
> the chat.
>
> Aside from the fact that the abovementioned behaviour is bad by itself,
> that in-style-postprocessing behaviour is inconsistent between styles,
> which could be unexpected by users, and is inconsistent with built-in
> message filters.
>

I don't think we can easily fix it for every single style that's out in the
world. If users download some 3rd party style that's breaking things, we can
do only so much.

However, our default styles should all be fixed and correct.


> IMO, all the innerHTML post-processing should be stripped of all bundled
> styles, and no such «features» should be bundled inside styles. Can anyone
> comment on this, please?
>

Yes.


> (And in the long-term, Adium themes support is evil. Along with html-based
> styles).
>

It's not ideal, yes. There is an almost finished QML port. I'm not sure
what's the status but ideally that should replace the Adium view. And should
have QML styles too.

Cheers
-- 
Martin Klapetek | KDE Developer
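
The link breakage reported in the quoted message, next to a tag-aware alternative, as an added example that is not part of the original thread or of ktp-text-ui. The `<a>` markup shape, the helper names `naiveAtTag`, `escapeHtml` and `highlightAtTags`, and the `(^|\s)(@\w+)` pattern are assumptions made for illustration; only the first regex is quoted from the message.

```javascript
// Added example. Inputs are constructed; the <a> markup is an assumed shape
// for what the core emits after escaping and link conversion.
const AT_TAG = /(@"*[\d\w]*)/; // regex quoted from Footer.html:24

// The style's approach: run the regex over the whole HTML string.
function naiveAtTag(html) {
  return html.replace(AT_TAG, '<span class="atTag">$1</span>');
}

// Escape untrusted text before it is concatenated into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Tag-aware variant (hypothetical helper): split already-escaped HTML into
// tags and text runs, and highlight only text outside tags and outside <a>.
// Assumes attribute values never contain a raw ">" (the core escapes them).
function highlightAtTags(html) {
  let anchorDepth = 0;
  return html.split(/(<[^>]*>)/).map((token) => {
    if (token.startsWith('<')) {
      if (/^<a[\s>]/i.test(token)) anchorDepth++;
      else if (/^<\/a>/i.test(token)) anchorDepth = Math.max(0, anchorDepth - 1);
      return token; // markup passes through untouched
    }
    if (anchorDepth > 0) return token; // link text stays as the core wrote it
    return token.replace(/(^|\s)(@\w+)/g, '$1<span class="atTag">$2</span>');
  }).join('');
}

const linked = 'see <a href="http://foo@example.org">http://foo@example.org</a> @alice';
console.log(naiveAtTag(linked));      // span lands inside the href attribute
console.log(highlightAtTags(linked)); // only the trailing @alice is wrapped
console.log(highlightAtTags(escapeHtml('<div onmouseover="x()">hi @bob</div>')));
```

Keeping the message escaped and touching only text runs means the highlight can never rewrite an attribute or revive markup that the core already neutralised.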