search

kotelnik / plasma-applet-active-window-control

Plasma 5 applet for controlling currently active window.
GNU General Public License v2.0
120 stars 18 forks source link

Need to escape title #135

Open dim0xff opened 6 years ago

dim0xff commented 6 years ago

Looks like window title is parsed as HTML and should be escaped

Options:

You can go to https://stackoverflow.com/questions/20953888/is-a-href-javascripthistory-go-1go-back-a-safe and check title in the bar

Actual title is php - Is <a href=“javascript:history.go(-1)”>Go back</a> safe? - Stack Overflow But I see it as php - Is Go back safe? - Stack Overflow

dim0xff commented 6 years ago

Sure, I can use "Window title".replace < to &gt; But it doesn't create global Regexp (so I can replace only first match)

dim0xff commented 6 years ago

As quick solution in package/contents/ui/main.qml replace replaceTitle function.

    function replaceTitle(title) {
        if (!plasmoid.configuration.useWindowTitleReplace) {
            var tagsToReplace = {
                '&': '&amp;',
                '<': '&lt;',
                '>': '&gt;'
            };

            function replaceTag(tag) {
                return tagsToReplace[tag] || tag;
            }

            return title.replace(/[&<>]/g, replaceTag);
        }
        return title.replace(new RegExp(plasmoid.configuration.replaceTextRegex), plasmoid.configuration.replaceTextReplacement);
    }

PS: sorry, I don't know how to make pull request to Phabricator

Zren commented 6 years ago

By default, QML Text labels will switch to rich text mode if it discovers a few whitelisted html tags.

http://doc.qt.io/qt-5/qml-qtquick-text.html#textFormat-prop

So we'll need to add textFormat: Text.PlainText to the windowTitleText to prevent this behaviour.

https://github.com/KDE/plasma-active-window-control/blob/master/package/contents/ui/main.qml#L306

If you know how to run git diff > MyPatch.diff, you could follow the "New PR" instructions in #148.