On Wed, Jan 28, 2015 at 7:13 PM, ChALkeR <[email protected]> wrote:

> Atm, the core of ktp-text-ui is trying hard to escape things, parse links
> and auto-convert them, embed videos and bugzilla info, etc.
>
> And the new default style breaks it all with careless innerHTML unescaping
> and post-processing.
> For example, line
> ./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:24:
> messageNode.innerHTML = rawMessage.replace(/(@"*[\d\w]*)/, '<span
> class="atTag">$1</span>');
> Breaks messages with @ in links, try «http://[email protected]».
>

Fixed.

> Html unescaping in line
> ./data/styles/WoshiChat.AdiumMessageStyle/Contents/Resources/Footer.html:22:
> rawMessage = scrubHTML(rawMessage);
> makes things like «<div
> style="position:absolute;left:0;right:0;top:0;bottom:0"
> onmouseover="window.location='http://' + 'kde.org'"></div>» possible
> (replace kde.org with some random site). Btw, that makes it easy to crash
> the chat.
>

Also fixed.

> Aside from the fact that the abovementioned behaviour is bad by itself,
> that in-style-postprocessing behaviour is inconsistent between styles,
> which could be unexpected by users, and is inconsistent with built-in
> message filters.
>
> IMO, all the innerHTML post-processing should be stripped of all bundled
> styles, and no such «features» should be bundled inside styles. Can anyone
> comment on this, please?
>

I've removed the whole scrubHTML function of that style.

Cheers
--
Martin Klapetek | KDE Developer
_______________________________________________
KDE-Telepathy mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/kde-telepathy
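The two problems raised in this thread, as an added example (not code from the thread or from ktp-text-ui): wrapping @tags in a way that passes markup and link text through untouched and never unescapes entities. The name `tagMentions`, the sample messages, and the premise that the core delivers entity-escaped HTML whose only tags are ones it generated itself are assumptions.

```javascript
// Assumption: `html` is the core's output. User text is entity-escaped and
// the only real tags are ones the core produced (for example <a href="...">).

// An @tag must start the text or follow a character that cannot be part of
// a URL or e-mail local part, so "user@host" is left alone.
const MENTION = /(^|[^\w@/.])(@\w+)/g;

function tagMentions(html) {
  // split() with a capture group: odd indices are tags, even indices text.
  const parts = html.split(/(<[^>]*>)/);
  let anchorDepth = 0;
  return parts.map((part, i) => {
    if (i % 2 === 1) {
      if (/^<a[\s>]/i.test(part)) anchorDepth++;
      else if (/^<\/a\s*>/i.test(part)) anchorDepth = Math.max(0, anchorDepth - 1);
      return part; // markup is passed through unchanged
    }
    if (anchorDepth > 0) return part; // never rewrite link text
    // Only \w characters are re-emitted inside the span, and entities such
    // as &lt; are never decoded, so escaped user markup stays inert.
    return part.replace(MENTION, '$1<span class="atTag">$2</span>');
  }).join('');
}

// Constructed sample messages (not taken from the thread).
const SAMPLES = [
  'hi @bob',
  '<a href="http://user@example.org">http://user@example.org</a>',
  '&lt;div onmouseover=&quot;x&quot;&gt;@eve',
];

for (const s of SAMPLES) {
  console.log(tagMentions(s));
}
```
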
