Hey Bart,

2008/7/14 bvh <[EMAIL PROTECTED]>:
> I got hit by a recent change in script stripping on WTexts. As a
> background: I have some WText's that must contain some unsafe script
> stuff. Basically a href with an onclick handler. Before (2.1.4) I
> could first set the text and then change the formatting to unsafexhtml.
>
> Since CVS update from today I get a warning that the onclick handler is
> stripped. From looking at the diff it seems the scriptstripping now
> happens right inside the setting of the text instead of being delayed
> until actual use of the widget.
>
> A quick reversal of the setText and setFormatting lines confirmed this:
> no stripping going on anymore (this ain't vegas!). All good and well,
> except one tiny regression: you can't set an unsafe text by passing
> it as an argument of the constructor because it gets stripped right
> away. This used to be possible.

I nearly broke my head thinking of a solution to update WText without
breaking existing code. It needed some work because in its previous
form you had no way to detect and react to XML parse errors in
XHTMLFormatted WText. The reason was that parsing was only done during
rendering. Also, there was no defined behavior when you get an XML
parse error.

This has now been solved by parsing when setting the text, and the
behavior has now been documented (it is now an automatic detection:
when the text is not proper XML, it is assumed to be PlainFormatted
text, and otherwise XHTMLFormatted). WText::setText() and
WText::setFormatting() now return a bool that indicates whether the
text/formatting combination is valid.

Obviously, it fails to be entirely backward compatible, as you point
out, although I believe it is only an issue in the case of
XHTMLUnsafeFormatting.

A way to solve this case with a practical constructor, would be to add
a constructor that accepts the formatting (but Qt does not have
these)?

Regards,
koen

PS the good news is that the XSS safety net really works. Who knows,
the rebranded Vegas-style XSS prevention might become a design
pattern.
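The behaviour Koen describes (parse when the text is set rather than at render time, fall back to plain formatting when the text is not well-formed XML, strip script constructs unless unsafe formatting was explicitly chosen, and return a bool from setText/setFormatting), as an added Python model. This is not Wt's code: the SafeText class, the strip_scripts helper and the Formatting enum are hypothetical names, and the constructor accepts the formatting up front, the option Koen raises for Bart's case.

```python
import html
import xml.etree.ElementTree as ET
from enum import Enum

class Formatting(Enum):
    PLAIN = "PlainFormatted"                 # escaped, never interpreted
    XHTML = "XHTMLFormatted"                 # well-formed XML, scripts stripped
    XHTML_UNSAFE = "XHTMLUnsafeFormatting"   # trusted markup, left untouched

def strip_scripts(elem):
    """Remove <script> children and on*/javascript: attributes; return count."""
    removed = 0
    for child in list(elem):
        if child.tag.lower() == "script":
            elem.remove(child)
            removed += 1
            continue
        for name, value in list(child.attrib.items()):
            if name.lower().startswith("on") or value.strip().lower().startswith("javascript:"):
                del child.attrib[name]
                removed += 1
        removed += strip_scripts(child)
    return removed

class SafeText:
    """Hypothetical text widget that validates and sanitises at set time."""
    def __init__(self, text="", formatting=Formatting.XHTML):
        self.formatting = formatting
        self.text = ""       # markup that would be rendered
        self.stripped = 0    # script constructs removed by the safety net
        self.setText(text)

    def setText(self, text):
        """Parse now, not at render time; False means text/formatting is invalid."""
        self._source = text
        self.stripped = 0
        if self.formatting is Formatting.PLAIN:
            self.text = html.escape(text)
            return True
        try:
            root = ET.fromstring("<r>" + text + "</r>")   # XHTML must be proper XML
        except ET.ParseError:
            self.formatting = Formatting.PLAIN             # automatic fallback
            self.text = html.escape(text)
            return False
        if self.formatting is Formatting.XHTML:
            self.stripped = strip_scripts(root)
        self.text = html.escape(root.text or "", quote=False) + "".join(
            ET.tostring(c, encoding="unicode") for c in root)
        return True

    def setFormatting(self, formatting):
        """Re-validate the original text under the new formatting; return validity."""
        self.formatting = formatting
        return self.setText(self._source)
```

Setting the unsafe text first and switching to XHTML_UNSAFE afterwards restores the handler from the kept source, which is the ordering Bart reversed to avoid stripping.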

witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest