[ktp-text-ui] Html post-processing in chat styles is wrong!

ChALkeR chalkerx at gmail.com
Wed Jan 28 18:13:48 UTC 2015


Atm, the core of ktp-text-ui is trying hard to escape things, parse links
and auto-convert them, embed videos and bugzilla info, etc.

And the new default style breaks it all with careless innerHTML unescaping
and post-processing.
For example, line
./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:24:
 messageNode.innerHTML = rawMessage.replace(/(@"*[\d\w]*)/, '<span class="atTag">$1</span>');
Breaks messages with @ in links, try «http://foo@example.org».

HTML unescaping in line
./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:22:
 rawMessage = scrubHTML(rawMessage);
makes things like «<div
style="position:absolute;left:0;right:0;top:0;bottom:0"
onmouseover="window.location='http://' + 'kde.org'"></div>» possible
(replace kde.org with some random site). Btw, that makes it easy to crash
the chat.

Aside from the fact that the above-mentioned behaviour is bad by itself,
that in-style post-processing behaviour is inconsistent between styles,
which could be unexpected by users, and is inconsistent with built-in
message filters.

IMO, all the innerHTML post-processing should be stripped from all bundled
styles, and no such «features» should be bundled inside styles. Can anyone
comment on this, please?

(And in the long term, Adium themes support is evil. Along with HTML-based
styles).
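
The breakage reported for Footer.html:24, next to one way of tagging @-words before any markup exists, as an added example that is not code from ktp-text-ui or the WoshiChat style. The linkified input string is constructed (an assumed shape for what the core's link filter emits), and `escapeHtml` and `renderPlainText` are hypothetical helpers.

```javascript
// Added illustration; not taken from ktp-text-ui or any bundled style.

// The replace call quoted from Footer.html:24, applied to an HTML string.
function styleAtTag(html) {
  return html.replace(/(@"*[\d\w]*)/, '<span class="atTag">$1</span>');
}

// Constructed sample: assumed output of the core after it linkified the
// plain-text message "http://foo@example.org".
const LINKIFIED = '<a href="http://foo@example.org">http://foo@example.org</a>';

// Hypothetical helper: escape every character that is special in HTML text
// or in a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical alternative: classify tokens while the message is still plain
// text, escape each piece exactly once, and never rewrite generated markup.
function renderPlainText(text) {
  return text.split(/(\s+)/).map((tok) => {
    if (/^https?:\/\/\S+$/.test(tok)) {
      // A URL token stays whole, so an "@" inside it is never tagged.
      const safe = escapeHtml(tok);
      return `<a href="${safe}">${safe}</a>`;
    }
    const m = /^@\w+/.exec(tok);
    if (m) {
      // Only a token that starts with "@" is treated as an at-tag.
      return `<span class="atTag">${escapeHtml(m[0])}</span>` +
             escapeHtml(tok.slice(m[0].length));
    }
    return escapeHtml(tok);
  }).join('');
}

// The style's regex matches the first "@" it finds, which sits inside href:
console.log(styleAtTag(LINKIFIED));
// Text-first rendering keeps the link intact and leaves user markup inert:
console.log(renderPlainText('hi @alice, see http://foo@example.org <div onmouseover="x()">'));
```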