Merge pull request #4577

23ec5eb qml: escape untrusted text in RichText views (selsta)
2026-04-21 05:47:27 -04:00 · 2026-04-18 08:09:49 +00:00
parent 081848bab0 23ec5eb6a1
commit bb4bc4a77e
3 changed files with 13 additions and 2 deletions
--- a/components/TxConfirmationDialog.qml
+++ b/components/TxConfirmationDialog.qml
@@ -32,6 +32,7 @@ import QtQuick.Controls 2.2
 import QtQuick.Layouts 1.1

 import "../components" as MoneroComponents
+import "../js/Utils.js" as Utils
 import FontAwesome 1.0

 Rectangle {
@@ -306,7 +307,7 @@ Rectangle {
                            }
                            var title;
                            if (addressBookName) {
-                                title = FontAwesome.addressBook + " " + addressBookName;
+                                title = FontAwesome.addressBook + " " + Utils.htmlEscape(addressBookName);
                            } else {
                                title = qsTr("Monero address") + translationManager.emptyString;
                            }
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -130,3 +130,13 @@ function parseDateStringOrRestoreHeightAsInteger(value) {
    }
    return restoreHeight;
 }
+
+function htmlEscape(s) {
+    if (s === null || s === undefined)
+        return "";
+    return String(s)
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;");
+}
--- a/pages/settings/SettingsLog.qml
+++ b/pages/settings/SettingsLog.qml
@@ -180,7 +180,7 @@ Rectangle {
                        consoleArea.append(msg);
                    }
                    function logMessage(msg){
-                        msg = msg.trim();
+                        msg = Utils.htmlEscape(msg.trim());
                        var color = MoneroComponents.Style.defaultFontColor;
                        if(msg.toLowerCase().indexOf('error') >= 0){
                            color = MoneroComponents.Style.errorColor;