gui: Show messages as text not html #12617

1. 
   laanwj commented at 5:36 pm on March 6, 2018: member

   Currently, error messages (such as InitError) are displayed as-is, which means Qt does auto detection on the format.

   This means that it’s possible to inject HTML from the command line though e.g. specifying a wallet name with HTML in it. This isn’t a direct security risk because fetching content from internet is disabled (and as far as I know we never report strings received from the network this way). However, it can be confusing.

   So explicitly force the format as text.

2. gui: Show messages as text not html

   Currently, error messages (such as InitError) are displayed as-is, which
   means Qt does auto detection on the format.
   
   This means that it's possible to inject HTML from the command line
   though e.g. specifying a wallet name with HTML in it. This isn't
   a direct security risk because fetching content from internet is
   disabled (and as far as I know we never report strings received
   from the network this way). However, it can be confusing.
   
   So explicitly force the format as text.

   6fbc0986fa
3. laanwj added the label GUI on Mar 6, 2018
4. laanwj requested review from practicalswift on Mar 6, 2018
5. laanwj requested review from jonasschnelli on Mar 6, 2018
6. randolf approved
7. 
   randolf commented at 5:51 pm on March 6, 2018: contributor

   This is a good practice none-the-less as a preventive measure just in case something were to change in a future Qt version with regard to how it detects and interprets HTML or some other not-yet-invented format.
8. in src/qt/bitcoingui.cpp:925 in 6fbc0986fa

   922@@ -923,6 +923,7 @@ void BitcoinGUI::message(const QString &title, const QString &message, unsigned
   923 
   924         showNormalIfMinimized();
   925         QMessageBox mBox(static_cast<QMessageBox::Icon>(nMBoxIcon), strTitle, message, buttons, this);
   

   ---

   ---

   

   promag commented at 5:52 pm on March 6, 2018:

   Nit, since it’s not possible to specify the format in the constructor, change everything to setters:

   0QMessageBox mBox(this);
   1mBox.setIcon(static_cast<QMessageBox::Icon>(nMBoxIcon));
   2mBox.setWindowTitle(strTitle);
   3mBox.setTextFormat(Qt::PlainText);
   4mBox.setText(message);
   5mBox.setStandardButtons(buttons);
   

   ---

   

   laanwj commented at 5:55 pm on March 6, 2018:

   Meh… let’s not add more work here than is necessary. It works so it’s ok, imo.
9. 
   promag commented at 5:53 pm on March 6, 2018: member

   utACK.
10. 
    fanquake commented at 5:55 pm on March 6, 2018: member

    tACK 6fbc098

    No more cats:

11. 
    sipa commented at 6:05 pm on March 6, 2018: member

    No more cats? What is this? Dogecoin?
12. fanquake referenced this in commit 20e3b9a485 on Mar 6, 2018
13. laanwj merged this on Mar 6, 2018
14. laanwj closed this on Mar 6, 2018

    ---

15. MarcoFalke referenced this in commit 21dd5127a4 on Jul 13, 2018
16. HashUnlimited referenced this in commit 502eefc33f on Jan 11, 2019
17. jasonbcox referenced this in commit 3a6fe21792 on Dec 20, 2019
18. PastaPastaPasta referenced this in commit 8a3e4a4a2c on Apr 12, 2020
19. PastaPastaPasta referenced this in commit 8a2c5c1693 on Apr 16, 2020
20. PastaPastaPasta referenced this in commit 5aee3ef4e9 on Apr 16, 2020
21. jonspock referenced this in commit 4a68c0fd9f on Oct 2, 2020
22. jonspock referenced this in commit cba88ca372 on Oct 5, 2020
23. jonspock referenced this in commit 001c0ba3b4 on Oct 10, 2020
24. ckti referenced this in commit c033fafb6f on Mar 28, 2021
25. MarcoFalke locked this on Sep 8, 2021

Contributors
laanwj randolf promag fanquake sipa

Review Requested
jonasschnelli practicalswift

Labels
GUI