From 8a95911c1ca5ab52f69e02653bc36f9d4dd94ca1 Mon Sep 17 00:00:00 2001 From: Kai Uwe Broulik Date: Thu, 11 May 2017 12:12:38 +0200 Subject: [PATCH] [Notification Jobs] Enforce plain text and escape HTML QtQuick Text auto-interprets HTML tags when it finds them, this can lead to unexpected results if a file is named e.g. `

foo

`. Since notifications do interpret HTML tags by design, we manually escape them there. Differential Revision: https://phabricator.kde.org/D5706 --- .../notifications/package/contents/ui/JobDelegate.qml | 2 ++ .../package/contents/ui/JobDetailsItem.qml | 5 +++++ applets/notifications/package/contents/ui/Jobs.qml | 11 ++++++++++- 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/applets/notifications/package/contents/ui/JobDelegate.qml b/applets/notifications/package/contents/ui/JobDelegate.qml index 2f803ef55..157214be0 100644 --- a/applets/notifications/package/contents/ui/JobDelegate.qml +++ b/applets/notifications/package/contents/ui/JobDelegate.qml @@ -52,6 +52,7 @@ Column { opacity: 0.6 level: 3 text: jobItem.isSuspended ? i18nc("Placeholder is job name, eg. 'Copying'", "%1 (Paused)", infoMessage) : infoMessage + textFormat: Text.PlainText } RowLayout { @@ -65,6 +66,7 @@ Column { var labelSplit = label0.split("/") return labelSplit[labelSplit.length-1] } + textFormat: Text.PlainText } PlasmaComponents.ToolButton { diff --git a/applets/notifications/package/contents/ui/JobDetailsItem.qml b/applets/notifications/package/contents/ui/JobDetailsItem.qml index 9e25acb43..f278c8f4d 100644 --- a/applets/notifications/package/contents/ui/JobDetailsItem.qml +++ b/applets/notifications/package/contents/ui/JobDetailsItem.qml @@ -92,6 +92,7 @@ Column { font: theme.smallestFont text: jobItem["labelName" + index] ? i18nc("placeholder is row description, such as Source or Destination", "%1:", jobItem["labelName" + index]) : "" horizontalAlignment: Text.AlignRight + textFormat: Text.PlainText } PlasmaComponents.Label { @@ -101,11 +102,13 @@ Column { font: theme.smallestFont text: jobItem["label" + index] || "" + textFormat: Text.PlainText elide: Text.ElideMiddle PlasmaCore.ToolTipArea { anchors.fill: parent subText: labelText.truncated ? labelText.text : "" + textFormat: Text.PlainText } } } 
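Review bot: None of the added `textFormat: Text.PlainText` lines says why the format is forced, so a later cleanup could remove one as redundant and bring back rich-text rendering of job-supplied names; this applies to both hunks in JobDelegate.qml and all four in JobDetailsItem.qml. A short comment at each site, or once per file, would keep the intent visible, for example `// job strings (file names, labels) are untrusted: never let Text auto-detect markup`. The fix is also applied element by element, so any other Label or ToolTipArea in these two files that shows job-supplied text and sits outside the visible hunks would still auto-detect HTML. It is worth checking the rest of both files for that. The enclosing Column blocks start and end outside the hunks.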
@@ -125,6 +128,7 @@ Column { height: paintedHeight text: localizeProcessedAmount(index) + textFormat: Text.PlainText font: theme.smallestFont visible: text !== "" } @@ -141,6 +145,7 @@ Column { font: theme.smallestFont text: eta > 0 ? i18nc("Speed and estimated time to completion", "%1 (%2 remaining)", speed, KCoreAddons.Format.formatSpelloutDuration(eta)) : speed + textFormat: Text.PlainText visible: eta > 0 || parseInt(speed) > 0 } diff --git a/applets/notifications/package/contents/ui/Jobs.qml b/applets/notifications/package/contents/ui/Jobs.qml index 6a5386e54..0fba93e38 100644 --- a/applets/notifications/package/contents/ui/Jobs.qml +++ b/applets/notifications/package/contents/ui/Jobs.qml @@ -80,11 +80,20 @@ Column { summary = infoMessage ? i18nc("the job, which can be anything, failed to complete", "%1: Failed", infoMessage) : i18n("Job Failed") } + // notification body interprets HTML, so we need to manually escape the name + var body = (errorText || message || "").replace(/[&<>]/g, function (tag) { + return { + '&': '&', + '<': '<', + '>': '>' + }[tag] || tag + }); + var op = { appIcon: runningJobs[source].appIconName, appName: runningJobs[source].appName, summary: summary, - body: errorText || message, + body: body, isPersistent: !!error, // we'll assume success to be the note-unworthy default, only be persistent in error case urgency: 0, configurable: false,
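Review bot: In the Jobs.qml hunk, `summary` is still built from the raw `infoMessage` (`"%1: Failed", infoMessage`) and passed to `op` unescaped, while only `body` gets the new escaping. Whether the notification summary is rendered as plain text is not visible here, so either confirm that or escape `infoMessage` the same way, ideally through a small named helper shared by both fields. As printed on this page the map reads `'&': '&'`, `'<': '<'`, `'>': '>'`, which would make the replace a no-op; that is presumably the page decoding the entities, and the committed file should map to `&amp;`, `&lt;` and `&gt;`. The `|| tag` fallback can never be taken because the regex matches only those three keys. The enclosing function starts and ends outside the hunk.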