https://bugs.kde.org/show_bug.cgi?id=442077
Bug ID: 442077
Summary: Unescaped HTML in metadata
Product: Elisa
Version: 21.08.1
Platform: Neon Packages
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: matthieu_gall...@yahoo.fr
Reporter: xnagyti...@gmail.com
Target Milestone: ---

Created attachment 141335
  --> https://bugs.kde.org/attachment.cgi?id=141335&action=edit
Repro

SUMMARY
Elisa currently doesn't escape HTML tags inside the track metadata. For example this allows injecting <img> tags through these metadata fields onto Elisa's interface where they are never supposed to be, obstructing things and making a mess in general. Doesn't seem to have any security impact due to how limited Qt's HTML subset is.

STEPS TO REPRODUCE
Grab some audio file and set its metadata fields (title, artist, album, etc.) to something like this:
<img src="file:/some/local/path/image.jpg">

SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.22
KDE Plasma Version: 5.22.5
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.3
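An added example, not part of the original report and not Elisa's code: escaping metadata once at the display boundary so the repro string above is shown as literal text. `TrackMetadata`, `escapeHtml` and `escapedForDisplay` are hypothetical names; `escapeHtml` is a plain-C++ stand-in that escapes the same four characters as Qt's `QString::toHtmlEscaped()`, so the block runs without Qt.

```cpp
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical stand-in for a track's display metadata (not Elisa's own type).
struct TrackMetadata {
    std::string title;
    std::string artist;
    std::string album;
};

// Escapes '<', '>', '&' and '"', the same metacharacters that
// QString::toHtmlEscaped() replaces. Reimplemented here only to avoid a Qt dependency.
std::string escapeHtml(std::string_view in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '&': out += "&amp;"; break;
        case '"': out += "&quot;"; break;
        default:  out += c; break;
        }
    }
    return out;
}

// Returns a copy intended for a rich-text label. Each field is escaped exactly
// once, at the display boundary, so the stored tags themselves stay unmodified.
TrackMetadata escapedForDisplay(const TrackMetadata &t) {
    return {escapeHtml(t.title), escapeHtml(t.artist), escapeHtml(t.album)};
}

int main() {
    // Constructed sample: the title is the repro string from the report.
    TrackMetadata track{"<img src=\"file:/some/local/path/image.jpg\">",
                        "Simon & Garfunkel", "Plain album"};
    TrackMetadata shown = escapedForDisplay(track);
    std::cout << shown.title << '\n' << shown.artist << '\n' << shown.album << '\n';
    return 0;
}
```

In a Qt application the same effect comes from calling `QString::toHtmlEscaped()` on each field, or from setting the label's text format to plain text so that no markup is interpreted at all.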