zx2c4 reopened this revision. zx2c4 added a comment. This revision is now accepted and ready to land.
+ const QUrl url(src); + if (url.isLocalFile()) { + out.writeAttribute(QStringLiteral("src"), src); + } else { + //image denied for security reasons! Do not copy the image src here! + } This probably isn't a good idea either, since a remote attacker can specify any local path, which could have unintended consequences. It's a nice way, for example, of expanding a remote memory access into a remote file access (loading file into malloc'd buffers), causing traffic on network-mapped file paths, or other mischief. Under no circumstances should a remote user be allowed to supply an arbitrary local file path. I'd recommend entirely denying <img> tags, and instead provide developers with some other API to show photos. I believe this already exists, in fact. If you absolutely must have <img> tags, then at least use an inline data URI, though this of course has its own problems too. REPOSITORY R120 Plasma Workspace REVISION DETAIL https://phabricator.kde.org/D10188 To: davidedmundson, #plasma, fvogt Cc: zx2c4, broulik, aacid, fvogt, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart