[ktp-text-ui] Html post-processing in chat styles is wrong!

Martin Klapetek martin.klapetek at gmail.com
Mon Feb 9 14:33:22 UTC 2015


On Wed, Jan 28, 2015 at 7:13 PM, ChALkeR <chalkerx at gmail.com> wrote:

> Atm, the core of ktp-text-ui is trying hard to escape things, parse links
> and auto-convert them, embed videos and bugzilla info, etc.
>
> And the new default style breaks it all with careless innerHTML unescaping
> and post-processing.
> For example, line
> ./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:24:
>  messageNode.innerHTML = rawMessage.replace(/(@"*[\d\w]*)/, '<span class="atTag">$1</span>');
> Breaks messages with @ in links, try «http://foo@example.org».
>

Fixed.


> Html unescaping in line
> ./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:22:
>  rawMessage = scrubHTML(rawMessage);
> makes things like «<div
> style="position:absolute;left:0;right:0;top:0;bottom:0"
> onmouseover="window.location='http://' + 'kde.org'"></div>» possible
> (replace kde.org with some random site). Btw, that makes it easy to crash
> the chat.
>

Also fixed.


> Aside from the fact that the abovementioned behaviour is bad by itself,
> that in-style-postprocessing behaviour is inconsistent between styles,
> which could be unexpected by users, and is inconsistent with built-in
> message filters.
>
> IMO, all the innerHTML post-processing should be stripped of all bundled
> styles, and no such «features» should be bundled inside styles. Can anyone
> comment on this, please?
>

I've removed the whole scrubHTML function of that style.

Cheers
-- 
Martin Klapetek | KDE Developer
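
Added example, not code from this thread or from ktp-text-ui: the first function applies the regex quoted above to a whole HTML string and corrupts the link's href, while the second tags only text outside links and never unescapes anything. The function names and sample messages are hypothetical, and it assumes the core has already escaped the message and converted links to `<a>` elements.

```javascript
// Added example; function names are hypothetical, not ktp-text-ui code.

// The regex quoted in the thread, applied to the whole HTML string.
function tagMentionsNaive(html) {
  return html.replace(/(@"*[\d\w]*)/, '<span class="atTag">$1</span>');
}

// Safer variant: split the core's output into tags and text runs and only
// touch text runs that are not inside an <a> element. Nothing is unescaped,
// so entities such as &lt; stay inert.
// Assumption: the core escaped all user text, so a literal '<' only ever
// starts a tag that the core itself generated.
function tagMentionsSafe(html) {
  let anchorDepth = 0;
  return html
    .split(/(<[^>]*>)/)
    .map((part) => {
      if (part.startsWith('<')) {
        if (/^<a[\s>]/i.test(part)) anchorDepth++;
        else if (/^<\/a\s*>/i.test(part)) anchorDepth = Math.max(0, anchorDepth - 1);
        return part; // tags pass through untouched
      }
      if (anchorDepth > 0) return part; // link text stays as the core produced it
      // Tag @name only when it is not glued to a preceding word (user@host).
      return part.replace(/(^|[^\w@])(@\w+)/g, '$1<span class="atTag">$2</span>');
    })
    .join('');
}

// Constructed samples of what the core could hand to a style.
const linkMsg = '<a href="http://foo@example.org">http://foo@example.org</a>';
const mentionMsg = 'hi @martin, see ' + linkMsg;
const escapedMarkup = '&lt;div onmouseover=&quot;...&quot;&gt;@x&lt;/div&gt;';

console.log(tagMentionsNaive(linkMsg)); // href is split by an injected <span>
console.log(tagMentionsSafe(linkMsg)); // unchanged
console.log(tagMentionsSafe(mentionMsg)); // only @martin is wrapped
console.log(tagMentionsSafe(escapedMarkup)); // entities stay escaped
```
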