[Notification Jobs] Enforce plain text and escape HTML

QtQuick Text auto-interprets HTML tags when it finds them, this can lead to unexpected results if a file is named e.g. `<h1>foo</h1>`. Since notifications do interpret HTML tags by design, we manually escape them there. Differential Revision: https://phabricator.kde.org/D5706
9 years ago · 8a95911c1c
parent c5dde9da68
commit 8a95911c1c
3 changed files with 17 additions and 1 deletions
--- a/applets/notifications/package/contents/ui/JobDelegate.qml
+++ b/applets/notifications/package/contents/ui/JobDelegate.qml
@ -52,6 +52,7 @@ Column {
        opacity: 0.6
        level: 3
        text: jobItem.isSuspended ? i18nc("Placeholder is job name, eg. 'Copying'", "%1 (Paused)", infoMessage) : infoMessage
+        textFormat: Text.PlainText
    }

    RowLayout {
@ -65,6 +66,7 @@ Column {
                var labelSplit = label0.split("/")
                return labelSplit[labelSplit.length-1]
            }
+            textFormat: Text.PlainText
        }

        PlasmaComponents.ToolButton {
--- a/applets/notifications/package/contents/ui/JobDetailsItem.qml
+++ b/applets/notifications/package/contents/ui/JobDetailsItem.qml
@ -92,6 +92,7 @@ Column {
                font: theme.smallestFont
                text: jobItem["labelName" + index] ? i18nc("placeholder is row description, such as Source or Destination", "%1:", jobItem["labelName" + index]) : ""
                horizontalAlignment: Text.AlignRight
+                textFormat: Text.PlainText
            }

            PlasmaComponents.Label {
@ -101,11 +102,13 @@ Column {

                font: theme.smallestFont
                text: jobItem["label" + index] || ""
+                textFormat: Text.PlainText
                elide: Text.ElideMiddle

                PlasmaCore.ToolTipArea {
                    anchors.fill: parent
                    subText: labelText.truncated ? labelText.text : ""
+                    textFormat: Text.PlainText
                }
            }
        }
@ -125,6 +128,7 @@ Column {
            height: paintedHeight

            text: localizeProcessedAmount(index)
+            textFormat: Text.PlainText
            font: theme.smallestFont
            visible: text !== ""
        }
@ -141,6 +145,7 @@ Column {

        font: theme.smallestFont
        text: eta > 0 ? i18nc("Speed and estimated time to completion", "%1 (%2 remaining)", speed, KCoreAddons.Format.formatSpelloutDuration(eta)) : speed
+        textFormat: Text.PlainText
        visible: eta > 0 || parseInt(speed) > 0
    }

--- a/applets/notifications/package/contents/ui/Jobs.qml
+++ b/applets/notifications/package/contents/ui/Jobs.qml
@ -80,11 +80,20 @@ Column {
                summary = infoMessage ? i18nc("the job, which can be anything, failed to complete", "%1: Failed", infoMessage) : i18n("Job Failed")
            }

+            // notification body interprets HTML, so we need to manually escape the name
+            var body = (errorText || message || "").replace(/[&<>]/g, function (tag) {
+                return {
+                    '&': '&amp;',
+                    '<': '&lt;',
+                    '>': '&gt;'
+                }[tag] || tag
+            });
+
            var op = {
                appIcon: runningJobs[source].appIconName,
                appName: runningJobs[source].appName,
                summary: summary,
-                body: errorText || message,
+                body: body,
                isPersistent: !!error, // we'll assume success to be the note-unworthy default, only be persistent in error case
                urgency: 0,
                configurable: false,