Address field not sanitized

Bug #1420851 reported by Víctor R. Ruiz on 2015-02-11
This bug affects 1 person
Affects                     Status   Importance   Assigned to                     Milestone
Ubuntu UI Toolkit           New      Undecided    Unassigned
address-book-app (Ubuntu)            Medium       Renato Araujo Oliveira Filho

Bug Description

While testing the fix for #1390110, I did this:

- Open webbrowser
- Go to http://m.xataka.com/analisis/asi-es-la-experiencia-ubuntu-en-smartphones-toma-de-contacto-con-el-bq-aquaris-e4-5-ubuntu-edition
- Select all content.
- Go to address book.
- Create a new contact
- Fill name ("Tester").
- Add address field.
- Paste content.
- Save contact.

Expected result:
- Address field shows only text content.

Actual result:
- An image from the webpage is displayed (see attached screenshot).

current build number: 233
device name: krillin
channel: ubuntu-touch/ubuntu-rtm/14.09-proposed

Víctor R. Ruiz (vrruiz) wrote :
Changed in address-book-app:
assignee: nobody → Renato Araujo Oliveira Filho (renatofilho)
importance: Undecided → Medium
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Based on irc conversation, what is being pasted is an <img> tag, which is how the clipboard is supposed to work. Furthermore, the textfield is showing rich text by default (this should be configurable on a per widget basis), which is why the image is displayed. As such, this is not a security concern so I'll unsubscribe the security team.

Fixed on the address-book-app components. But the Page title property used to display the contact name needs to be fixed on the SDK.

Víctor R. Ruiz (vrruiz) wrote :

It also happens in the Name field.

Jamie Strandboge (jdstrand) wrote :

The security team discussed this a bit and we found this:
"Note that the Supported HTML Subset is limited. Also, if the text contains HTML img tags that load remote images, the text is reloaded." - http://qt-project.org/doc/qt-4.8/qml-text.html

This suggests an <img> tag could specify a remote image. While Victor's bug originated from a user-driven interaction, if/when we support vcards, we'll want to be very careful about importing vcard data that will download remote content when displayed. Changing to non-richtext will future-proof us from this down the line.

Jamie Strandboge (jdstrand) wrote :

Also, for completeness, here is the list of tags that richtext will honor: http://qt-project.org/doc/qt-4.8/richtext-html-subset.html

I noticed that on desktop the clipboard does not copy the "img" tags.

Zsombor Egri (zsombi) wrote :

Please note that the text input has text formatting flags you can choose manually to not interpret the entered text as rich text. The default setting is Automatic, meaning it'll try to detect the text type. OTOH, if the rich content is desired, you may need to filter the clipboard content before pasting into the input field.
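
The two mitigations raised in this thread (Jamie's concern about an <img> tag fetching a remote image when rendered, and Zsombor's suggestion of filtering clipboard content before it reaches the field) can be combined in a small paste filter. The following is an added example written for this page, not code from address-book-app or the Ubuntu UI Toolkit; it is plain JavaScript of the kind QML code can call, and the function names, the REMOTE_SCHEMES list and the constructed sample paste are assumptions. It walks the pasted string once, drops every tag, records any <img> whose src points at a remote host, and decodes the common entities so the result can be handed to a PlainText field.

```javascript
// Added example, not from address-book-app or the Ubuntu UI Toolkit.
// Assumption: the app calls sanitizeRichText() on clipboard content before
// assigning it to a field whose textFormat is PlainText.

// Schemes that would make Qt's rich-text renderer fetch content over the
// network when an <img> tag is displayed. Assumed list; extend as needed.
const REMOTE_SCHEMES = /^(https?:|ftp:|\/\/)/i;

// Find the closing '>' of the tag opening at html[start], skipping any '>'
// that sits inside a quoted attribute value. Returns -1 if unterminated.
function findTagEnd(html, start) {
  let quote = null;
  for (let j = start + 1; j < html.length; j++) {
    const c = html[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === ">") return j;
  }
  return -1;
}

// Decode the named and numeric entities most often produced by copy/paste.
// Done after tag stripping, so a decoded "<img>" is literal text, not a tag.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: " " };
  return s
    .replace(/&(amp|lt|gt|quot|apos|nbsp);/g, (m, name) => named[name])
    .replace(/&#(\d+);/g, (m, code) => String.fromCodePoint(Number(code)));
}

// Strip all markup from a pasted rich-text string.
// Returns { text, remoteImages }: the plain text to store, and the list of
// remote image URLs the markup would have loaded if rendered as rich text.
function sanitizeRichText(html) {
  let text = "";
  const remoteImages = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { text += html[i++]; continue; }
    const end = findTagEnd(html, i);
    if (end === -1) { text += html.slice(i); break; } // lone '<': keep as literal text
    const tag = html.slice(i + 1, end);
    const img = /^img\b[\s\S]*?\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    if (img && REMOTE_SCHEMES.test(img[1])) remoteImages.push(img[1]);
    // Block-level tags and <br> become line breaks so addresses keep their lines.
    if (/^(br|p|div|li|tr)\b/i.test(tag) || /^\/(p|div|li|tr)\b/i.test(tag)) text += "\n";
    i = end + 1;
  }
  const cleaned = decodeEntities(text).replace(/[ \t]*\n[ \t]*/g, "\n").trim();
  return { text: cleaned, remoteImages };
}

// Constructed sample resembling a "select all + paste" from a web page.
const SAMPLE_PASTE =
  'Plaza de <b>Madrid</b> 5<br><img src="http://example.invalid/a.png" alt="x"> &amp; more';

if (typeof require !== "undefined" && require.main === module) {
  console.log(sanitizeRichText(SAMPLE_PASTE));
}
```

Stripping alone is not sufficient: if the destination Text or TextEdit is left at its default AutoText format, a decoded literal such as "<img src=...>" in a contact's name will be re-detected as markup the next time it is displayed, including in other apps that show the same string. Set the receiving widget's textFormat to PlainText and use the filter as a second layer; the remoteImages list is what a future vCard importer could log or refuse before any rendering happens.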

Christian Dywan (kalikiana) wrote :

From discussing this just now, it seems to me there are good arguments both ways, some use cases require rich text, others don't. And this includes the header, for example the Wikipedia scope customizes the font. Arguably only a minority is putting untrusted html into text fields, and it's fair for the address book to override the header.

Tim Peeters (tpeeters) wrote :

For textfields and Labels in apps, the allowed input can be configured.

For internal labels that cannot be configured (like the title in the header, or text in a button) please report separate bugs. For those we need to carefully evaluate if we want to change the current behavior, and if we change it, see if it breaks any existing apps and update those.

Víctor R. Ruiz (vrruiz) wrote :

The rich-text name field propagates to other applications, like the indicator. See screenshot.

I do not have control over where this text will appear; probably you will find more places where this happens (Contacts scope, for example).

My suggestion is to make all SDK labels plainText by default, and the programmer can change it if necessary.

affects: address-book-app → address-book-app (Ubuntu)
This report contains Public information.