author | Olivier Goffart <olivier@woboq.com> | 2017-02-23 16:54:17 +0300 |
---|---|---|
committer | Markus Goetz <markus@woboq.com> | 2017-02-23 16:54:17 +0300 |
commit | 7bfe0613827aa7cee93a77ccbedab9b07ea9ca78 (patch) | |
tree | 585a4921dcf43b67495e14525905a662a4fb38ae /src/gui/owncloudsetupwizard.cpp | |
parent | 13332529022b0e1f6f02ec3a62d2233fce3f8d9c (diff) |
Verify that all strings are properly escaped (#5558)
- I checked every occurrence of a '%2' and made correct use of the
QString::arg overload that takes several arguments instead of chaining
them, because the first argument can contain a '%1'
- I tried to check, for every label, whether it uses plain text or rich text,
and to escape the user-provided strings in there.
Diffstat (limited to 'src/gui/owncloudsetupwizard.cpp')
-rw-r--r-- | src/gui/owncloudsetupwizard.cpp | 42 |
1 files changed, 23 insertions, 19 deletions
diff --git a/src/gui/owncloudsetupwizard.cpp b/src/gui/owncloudsetupwizard.cpp
index bf67c9acf..53e360e41 100644
--- a/src/gui/owncloudsetupwizard.cpp
+++ b/src/gui/owncloudsetupwizard.cpp
@@ -178,10 +178,10 @@ void OwncloudSetupWizard::slotOwnCloudFoundAuth(const QUrl& url, const QVariantM
 auto serverVersion = CheckServerJob::version(info);
 _ocWizard->appendToConfigurationLog(tr("<font color=\"green\">Successfully connected to %1: %2 version %3 (%4)</font><br/><br/>")
- .arg(url.toString())
- .arg(Theme::instance()->appNameGUI())
- .arg(CheckServerJob::versionString(info))
- .arg(serverVersion));
+ .arg(Utility::escape(url.toString()),
+ Utility::escape(Theme::instance()->appNameGUI()),
+ Utility::escape(CheckServerJob::versionString(info)),
+ Utility::escape(serverVersion)));
 _ocWizard->account()->setServerVersion(serverVersion);
@@ -212,9 +212,9 @@ void OwncloudSetupWizard::slotNoOwnCloudFoundAuth(QNetworkReply *reply)
 msg = tr("Invalid URL");
 } else {
 msg = tr("Failed to connect to %1 at %2:<br/>%3")
- .arg(Theme::instance()->appNameGUI(),
- reply->url().toString(),
- reply->errorString());
+ .arg(Utility::escape(Theme::instance()->appNameGUI()),
+ Utility::escape(reply->url().toString()),
+ Utility::escape(reply->errorString()));
 }
 bool isDowngradeAdvised = checkDowngradeAdvised(reply);
@@ -244,9 +244,10 @@ void OwncloudSetupWizard::slotNoOwnCloudFoundAuth(QNetworkReply *reply)
 void OwncloudSetupWizard::slotNoOwnCloudFoundAuthTimeout(const QUrl&url)
 {
- _ocWizard->displayError(tr("Timeout while trying to connect to %1 at %2.")
- .arg(Theme::instance()->appNameGUI(),
- url.toString()), false);
+ _ocWizard->displayError(
+ tr("Timeout while trying to connect to %1 at %2.")
+ .arg(Utility::escape(Theme::instance()->appNameGUI()), Utility::escape(url.toString())),
+ false);
 }
 void OwncloudSetupWizard::slotConnectToOCUrl( const QString& url )
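Review bot: The user-visible strings in the @@ -178 hunk (slotOwnCloudFoundAuth) are built from `url.toString()`, which by default keeps a password embedded in the URL's user-info part, so a URL entered as `https://user:secret@host/` would be echoed into the configuration log. Escaping fixes the markup problem but not that disclosure; for text that is only displayed, `Utility::escape(url.toString(QUrl::RemovePassword))` drops the password. The same applies to `reply->url().toString()` in the @@ -212 hunk and `url.toString()` in the @@ -244 hunk. slotOwnCloudFoundAuth and slotNoOwnCloudFoundAuth extend outside the hunks shown.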
@@ -307,7 +308,7 @@ void OwncloudSetupWizard::slotAuthError()
 }
 errorMsg = tr("The authenticated request to the server was redirected to "
 "'%1'. The URL is bad, the server is misconfigured.")
- .arg(redirectUrl.toString());
+ .arg(Utility::escape(redirectUrl.toString()));
 // A 404 is actually a success: we were authorized to know that the folder does
 // not exist. It will be created later...
@@ -320,7 +321,7 @@ void OwncloudSetupWizard::slotAuthError()
 if (!_ocWizard->account()->credentials()->stillValid(reply)) {
 errorMsg = tr("Access forbidden by server. To verify that you have proper access, "
 "<a href=\"%1\">click here</a> to access the service with your browser.")
- .arg(_ocWizard->account()->url().toString());
+ .arg(Utility::escape(_ocWizard->account()->url().toString()));
 } else {
 errorMsg = errorMessage(reply->errorString(), reply->readAll());
 }
@@ -369,7 +370,9 @@ void OwncloudSetupWizard::slotCreateLocalAndRemoteFolders(const QString& localFo
 if( fi.exists() ) {
 // there is an existing local folder. If its non empty, it can only be synced if the
 // ownCloud is newly created.
- _ocWizard->appendToConfigurationLog( tr("Local sync folder %1 already exists, setting it up for sync.<br/><br/>").arg(localFolder));
+ _ocWizard->appendToConfigurationLog(
+ tr("Local sync folder %1 already exists, setting it up for sync.<br/><br/>")
+ .arg(Utility::escape(localFolder)));
 } else {
 QString res = tr("Creating local sync folder %1...").arg(localFolder);
 if( fi.mkpath( localFolder ) ) {
@@ -379,7 +382,7 @@ void OwncloudSetupWizard::slotCreateLocalAndRemoteFolders(const QString& localFo
 } else {
 res += tr("failed.");
 qDebug() << "Failed to create " << fi.path();
- _ocWizard->displayError(tr("Could not create local folder %1").arg(localFolder), false);
+ _ocWizard->displayError(tr("Could not create local folder %1").arg(Utility::escape(localFolder)), false);
 nextStep = false;
 }
 _ocWizard->appendToConfigurationLog( res );
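Review bot: In the @@ -320 hunk of slotAuthError, the `else` branch still assigns `errorMsg = errorMessage(reply->errorString(), reply->readAll());`, so text taken from the server's reply body ends up in the same message that the other branch fills with `<a href=...>` markup. Whether errorMessage() escapes its result is not visible here; if it returns plain text, wrap it: `errorMsg = Utility::escape(errorMessage(reply->errorString(), reply->readAll()));`. The function starts and ends outside the hunk, so the place where errorMsg is finally displayed should be checked as well.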
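Review bot: The `else` branch in the @@ -369 hunk of slotCreateLocalAndRemoteFolders still builds `QString res = tr("Creating local sync folder %1...").arg(localFolder);` without escaping, and the @@ -379 hunk shows `res` being passed to `_ocWizard->appendToConfigurationLog( res )`, the same sink the now-escaped `if` branch writes to. A folder name containing `<` or `&` would be interpreted as markup there. Suggested: `QString res = tr("Creating local sync folder %1...").arg(Utility::escape(localFolder));`. The function body continues beyond both hunks.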
@@ -415,7 +418,7 @@ void OwncloudSetupWizard::slotRemoteFolderExists(QNetworkReply *reply)
 }
 if( !ok ) {
- _ocWizard->displayError(error, false);
+ _ocWizard->displayError(Utility::escape(error), false);
 }
 finalizeSetup( ok );
@@ -455,8 +458,8 @@ void OwncloudSetupWizard::slotCreateRemoteFolderFinished( QNetworkReply::Network
 _remoteFolder.clear();
 success = false;
 } else {
- _ocWizard->appendToConfigurationLog( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(_remoteFolder).arg(error));
- _ocWizard->displayError( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(_remoteFolder).arg(error), false );
+ _ocWizard->appendToConfigurationLog( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(Utility::escape(_remoteFolder)).arg(error));
+ _ocWizard->displayError( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(Utility::escape(_remoteFolder)).arg(error), false );
 _remoteFolder.clear();
 success = false;
 }
@@ -472,8 +475,9 @@ void OwncloudSetupWizard::finalizeSetup( bool success )
 const QString localFolder = _ocWizard->property("localFolder").toString();
 if( success ) {
 if( !(localFolder.isEmpty() || _remoteFolder.isEmpty() )) {
- _ocWizard->appendToConfigurationLog( tr("A sync connection from %1 to remote directory %2 was set up.")
- .arg(localFolder).arg(_remoteFolder));
+ _ocWizard->appendToConfigurationLog(
+ tr("A sync connection from %1 to remote directory %2 was set up.")
+ .arg(localFolder, _remoteFolder));
 }
 _ocWizard->appendToConfigurationLog( QLatin1String(" "));
 _ocWizard->appendToConfigurationLog( QLatin1String("<p><font color=\"green\"><b>") |
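Review bot: Both new lines in the @@ -455 hunk keep the chained form `.arg(Utility::escape(_remoteFolder)).arg(error)`, which is the pattern the commit message sets out to remove. HTML-escaping does not touch `%`, so a folder name containing `%1` or `%2` is still picked up by the second `.arg()`. The type of `error` is cut off in the hunk header; if it is the QNetworkReply error enum, converting it first allows the multi-argument overload: `.arg(Utility::escape(_remoteFolder), QString::number(error))`. The enclosing slot starts and ends outside the hunk.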
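Review bot: `.arg(localFolder, _remoteFolder)` in the @@ -472 hunk of finalizeSetup fixes the chaining but passes both names unescaped to `appendToConfigurationLog`, which the following context lines feed with markup (`<p><font color=\"green\"><b>`). The other hunks escape these same two values before they reach this sink, so this looks like an omission: `.arg(Utility::escape(localFolder), Utility::escape(_remoteFolder))`. finalizeSetup continues past the end of the hunk.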