Address field not sanitized
Bug #1420851 reported by Víctor R. Ruiz
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu UI Toolkit | New | Undecided | Unassigned | |
address-book-app (Ubuntu) | In Progress | Medium | Renato Araujo Oliveira Filho | |
Bug Description
While testing the fix for #1390110, I did this:
- Open webbrowser
- Go to http://
- Select all content.
- Go to address book.
- Create a new contact
- Fill name ("Tester").
- Add address field.
- Paste content.
- Save contact.
Expected result:
- Address field shows only text content.
Actual result:
- An image from the webpage is displayed (see attached screenshot).
current build number: 233
device name: krillin
channel: ubuntu-
Related branches
lp:~renatofilho/address-book-app/fix-1420851
Ready for review for merging into lp:address-book-app
- system-apps-ci-bot: Needs Fixing (continuous-integration)
- PS Jenkins bot: Needs Fixing (continuous-integration)
- Ubuntu Phablet Team: Pending requested
Diff: 88 lines (+23/-6), 4 files modified
src/imports/Ubuntu/Contacts/BasicFieldView.qml (+1/-0)
src/imports/Ubuntu/Contacts/ContactDelegate.qml (+1/-0)
src/imports/Ubuntu/Contacts/ContactPreviewPage.qml (+18/-3)
tests/qml/tst_ContactPreviewPage.qml (+3/-3)
Changed in address-book-app:
assignee: nobody → Renato Araujo Oliveira Filho (renatofilho)
importance: Undecided → Medium
status: New → In Progress
affects: address-book-app → address-book-app (Ubuntu)
Based on IRC conversation, what is being pasted is an <img> tag, which is how the clipboard is supposed to work. Furthermore, the textfield is showing rich text by default (this should be configurable on a per widget basis), which is why the image is displayed. As such, this is not a security concern so I'll unsubscribe the security team.
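
The rich-text-by-default behaviour described in the comment above, shown as an added example that is not part of the bug report or the linked branch. It assumes plain Qt Quick `Text` elements rather than the app's own components; the `pastedAddress` property and its value are constructed for illustration.

```qml
import QtQuick 2.0

// Displays one constructed "pasted" address twice: once with the default
// text format and once forced to plain text.
Column {
    id: root
    width: 400
    spacing: 8

    // Constructed value standing in for clipboard content copied from a
    // web page. The image file name is a placeholder, not from the bug.
    property string pastedAddress:
        "12 Example Road<br><img src=\"placeholder.png\" width=\"32\" height=\"32\">"

    // Default: textFormat is Text.AutoText, so a string that looks like
    // markup is laid out as styled text and the <img> tag is resolved
    // as an image instead of being shown as characters.
    Text {
        width: root.width
        wrapMode: Text.Wrap
        text: root.pastedAddress
    }

    // Per-widget opt-out: the same string is shown literally, tags
    // included, and no image resource is loaded.
    Text {
        width: root.width
        wrapMode: Text.Wrap
        textFormat: Text.PlainText
        text: root.pastedAddress
    }
}
```

Setting `textFormat` on the view that displays a stored contact field keeps the saved data unchanged while preventing markup in it from being interpreted.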