D10188: Sanitise notification HTML
Jason A. Donenfeld
noreply at phabricator.kde.org
Sun Feb 4 23:42:39 UTC 2018
zx2c4 added a comment.
In https://phabricator.kde.org/D10188#201097, @davidedmundson wrote:
> That would break very core functionality of existing clients and goes against the notification spec.
Then the spec itself is vulnerable and needs to change.
Switch people to data: URIs, or come up with some other kind of mechanism. Allowing remote users to load and render local paths is not okay. Full stop.
REPOSITORY
R120 Plasma Workspace
REVISION DETAIL
https://phabricator.kde.org/D10188
To: davidedmundson, #plasma, fvogt
Cc: zx2c4, broulik, aacid, fvogt, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart