kotelnik/plasma-applet-active-window-control

Need to escape title

dim0xff opened this issue · 3 comments

Looks like window title is parsed as HTML and should be escaped

Options:

  • Show window title: yes
  • Text type: Window title

You can go to https://stackoverflow.com/questions/20953888/is-a-href-javascripthistory-go-1go-back-a-safe and check title in the bar

Actual title is php - Is <a href=“javascript:history.go(-1)”>Go back</a> safe? - Stack Overflow
But I see it as php - Is Go back safe? - Stack Overflow

Sure, I can use "Window title".replace < to &gt;
But it doesn't create global Regexp (so I can replace only first match)

As a quick solution, replace the replaceTitle function in package/contents/ui/main.qml.

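    function replaceTitle(title) {
        // No user-defined replacement configured: escape the characters
        // that the rich-text renderer would treat as markup.
        if (!plasmoid.configuration.useWindowTitleReplace) {
            var tagsToReplace = {
                '&': '&amp;',
                '<': '&lt;',
                '>': '&gt;'
            };

            function replaceTag(tag) {
                return tagsToReplace[tag] || tag;
            }

            // The global flag replaces every occurrence, not just the first.
            return title.replace(/[&<>]/g, replaceTag);
        }
        // User-defined replacement enabled: apply the configured regex as-is
        // (the result is not escaped in this branch).
        return title.replace(new RegExp(plasmoid.configuration.replaceTextRegex), plasmoid.configuration.replaceTextReplacement);
    }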

PS: sorry, I don't know how to make a pull request to Phabricator

Zren commented

By default, QML Text labels will switch to rich text mode if they discover a few whitelisted HTML tags.

http://doc.qt.io/qt-5/qml-qtquick-text.html#textFormat-prop

So we'll need to add textFormat: Text.PlainText to the windowTitleText to prevent this behaviour.

https://github.com/KDE/plasma-active-window-control/blob/master/package/contents/ui/main.qml#L306

If you know how to run git diff > MyPatch.diff, you could follow the "New PR" instructions in #148.
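
An added example, not code from the applet or from either commenter: plain JavaScript in the ES5 style QML accepts, which escapes the title after the optional user replacement so that both branches of the quick fix above yield markup-free text. The `config` object stands in for `plasmoid.configuration`, and the names `escapeTitle`, `displayTitle` and `firstMatchOnly` are hypothetical.

```javascript
// Added example: hypothetical helpers, not the applet's own code.
// `config` stands in for plasmoid.configuration (assumption).
var ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

// Escape every markup-significant character in a single global pass, so the
// '&' of an entity that was just produced is never escaped a second time.
function escapeTitle(title) {
    return String(title).replace(/[&<>"]/g, function (ch) {
        return ENTITIES[ch];
    });
}

// Apply the optional user replacement first, then escape the result, so
// neither the window title nor the replacement string can inject tags.
function displayTitle(title, config) {
    var text = String(title);
    if (config.useWindowTitleReplace) {
        var re = null;
        try {
            re = new RegExp(config.replaceTextRegex);
        } catch (e) {
            re = null; // invalid user pattern: keep the raw title
        }
        if (re) {
            text = text.replace(re, config.replaceTextReplacement);
        }
    }
    return escapeTitle(text);
}

// The workaround mentioned in the issue: a string pattern (like a non-global
// regex) replaces only the first match, so later tags survive.
function firstMatchOnly(title) {
    return title.replace('<', '&lt;');
}

// Constructed sample input: the title from the issue, with straight quotes.
var SAMPLE = 'php - Is <a href="javascript:history.go(-1)">Go back</a> safe? - Stack Overflow';
```

Escaping like this only makes sense while the label renders rich text; once `textFormat: Text.PlainText` is set as suggested in the comment above, the escaping has to be dropped or the entities will be shown literally.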