authorJamie Mansfield <jmansfield@cadixdev.org>2021-12-24 15:20:34 +0000
committerJamie Mansfield <jmansfield@cadixdev.org>2022-04-02 13:53:43 +0100
commitf267375ac2d0086bf7cde7512b34ab324da375d4 (patch)
treef2f5ae796ddb156d2995458464a950e3d2b4efa8 /launcher/ui/pages
parentd44fa416ca556de678def8d2846349ff190e641e (diff)
Technic: Prevent potential HTML injection
Diffstat (limited to 'launcher/ui/pages')
-rw-r--r--launcher/ui/pages/modplatform/technic/TechnicPage.cpp10
1 files changed, 4 insertions, 6 deletions
diff --git a/launcher/ui/pages/modplatform/technic/TechnicPage.cpp b/launcher/ui/pages/modplatform/technic/TechnicPage.cpp
index c3807269..25b6fd44 100644
--- a/launcher/ui/pages/modplatform/technic/TechnicPage.cpp
+++ b/launcher/ui/pages/modplatform/technic/TechnicPage.cpp
@@ -202,14 +202,12 @@ void TechnicPage::metadataLoaded()
QString name = current.name;
if (current.websiteUrl.isEmpty())
- // This allows injecting HTML here.
- text = name;
+ text = name.toHtmlEscaped();
else
- // URL not properly escaped for inclusion in HTML. The name allows for injecting HTML.
- text = "<a href=\"" + current.websiteUrl + "\">" + name + "</a>";
+ text = "<a href=\"" + current.websiteUrl.toHtmlEscaped() + "\">" + name.toHtmlEscaped() + "</a>";
+
if (!current.author.isEmpty()) {
- // This allows injecting HTML here
- text += tr(" by ") + current.author;
+ text += tr(" by ") + current.author.toHtmlEscaped();
}
ui->frame->setModText(text);
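Review bot: The `href` built in the `else` branch is now HTML-escaped, but the scheme of `current.websiteUrl` is still not checked, so a pack whose metadata carries a non-web URL still ends up as a clickable link. Escaping only stops markup from breaking out of the attribute; it does not constrain where the link points. I would parse it first with `const QUrl url(current.websiteUrl);` and fall back to the plain escaped name when `!url.isValid() || (url.scheme() != "http" && url.scheme() != "https")`. How `setModText` renders and opens links is not visible here, and `metadataLoaded()` starts and continues outside this hunk, so confirm whether the frame opens external links before deciding how strict the allow-list needs to be.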