authorMatthew Vogt <matthew.vogt@nokia.com>2012-01-19 16:39:53 +1000
committerQt by Nokia <qt-info@nokia.com>2012-01-23 07:38:34 +0100
commit69920f4ddeaa5dbdee555e0a607fd21eb42e2bbc (patch)
tree7bf29cf79ae1ba33d92ac7b0e2dd27dd48346bfa /examples
parente6b224aa2872d7d1030fa98bd30603e16f8f9604 (diff)
Encode user input before insertion into URLs
Encode user input strings used to formulate URLs, to ensure they do not cause the structure of the URL to be subverted. Task-number: QTBUG-19925 Change-Id: I6173f4df67a4bc1676ac32be6072763fc16f9720 Reviewed-by: Martin Jones <martin.jones@nokia.com>
Diffstat (limited to 'examples')
-rw-r--r--examples/declarative/flickr/content/RssModel.qml7
-rw-r--r--examples/declarative/particles/itemparticle/content/RssModel.qml4
-rw-r--r--examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml4
-rw-r--r--examples/declarative/twitter/TwitterCore/RssModel.qml5
4 files changed, 12 insertions, 8 deletions
diff --git a/examples/declarative/flickr/content/RssModel.qml b/examples/declarative/flickr/content/RssModel.qml
index 9dfcba513d..ba1cf7e62d 100644
--- a/examples/declarative/flickr/content/RssModel.qml
+++ b/examples/declarative/flickr/content/RssModel.qml
@@ -45,12 +45,9 @@ import QtQuick.XmlListModel 2.0
XmlListModel {
property string tags : ""
- function commasep(x)
- {
- return x.replace(' ',',');
- }
+ function encodeTags(x) { return encodeURIComponent(x.replace(' ',',')); }
- source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+commasep(tags)+"&" : "")+"format=rss2"
+ source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+encodeTags(tags)+"&" : "")+"format=rss2"
query: "/rss/channel/item"
namespaceDeclarations: "declare namespace media=\"http://search.yahoo.com/mrss/\";"
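Review bot: `x.replace(' ',',')` in the added `encodeTags` replaces only the first space, because JavaScript's `replace` with a string pattern matches once. With three or more space-separated tags the remaining spaces are sent as `%20` inside what is presumably treated as a single tag value. This is inherited from the removed `commasep`, but since the helper is rewritten here it could be fixed in the same line: `function encodeTags(x) { return encodeURIComponent(x.replace(/ /g, ',')); }`. The identical helper added in the itemparticle and photoviewer `RssModel.qml` hunks needs the same change. The `XmlListModel` body continues outside this hunk.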
diff --git a/examples/declarative/particles/itemparticle/content/RssModel.qml b/examples/declarative/particles/itemparticle/content/RssModel.qml
index 33b6da38da..f5abf28e1a 100644
--- a/examples/declarative/particles/itemparticle/content/RssModel.qml
+++ b/examples/declarative/particles/itemparticle/content/RssModel.qml
@@ -44,7 +44,9 @@ import QtQuick.XmlListModel 2.0
XmlListModel {
property string tags : ""
- source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+tags+"&" : "")
+ function encodeTags(x) { return encodeURIComponent(x.replace(' ',',')); }
+
+ source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+encodeTags(tags)+"&" : "")
query: "/feed/entry"
namespaceDeclarations: "declare default element namespace 'http://www.w3.org/2005/Atom';"
diff --git a/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml b/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml
index 4126367dff..9438637ebc 100644
--- a/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml
+++ b/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml
@@ -45,7 +45,9 @@ import QtQuick.XmlListModel 2.0
XmlListModel {
property string tags : ""
- source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+tags+"&" : "")
+ function encodeTags(x) { return encodeURIComponent(x.replace(' ',',')); }
+
+ source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+encodeTags(tags)+"&" : "")
query: "/feed/entry"
namespaceDeclarations: "declare default element namespace 'http://www.w3.org/2005/Atom';"
diff --git a/examples/declarative/twitter/TwitterCore/RssModel.qml b/examples/declarative/twitter/TwitterCore/RssModel.qml
index 61145f7efc..4e381f5e0f 100644
--- a/examples/declarative/twitter/TwitterCore/RssModel.qml
+++ b/examples/declarative/twitter/TwitterCore/RssModel.qml
@@ -51,11 +51,14 @@ Item { id: wrapper
property string mode : "everyone"
property int status: xmlModel.status
function reload() { xmlModel.reload(); }
+
XmlListModel {
id: xmlModel
+ function encodePhrase(x) { return encodeURIComponent(x); }
+
source: (from=="" && to=="" && phrase=="") ? "" :
- 'http://search.twitter.com/search.atom?from='+from+"&to="+to+"&phrase="+phrase
+ 'http://search.twitter.com/search.atom?from='+from+"&to="+to+"&phrase="+encodePhrase(phrase)
namespaceDeclarations: "declare default element namespace 'http://www.w3.org/2005/Atom'; " +
"declare namespace twitter=\"http://api.twitter.com/\";";
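Review bot: `from` and `to` are still concatenated into the query string unencoded on the changed `source:` line; only `phrase` goes through `encodePhrase`. If they are user-supplied strings like `phrase` (their declarations are outside this hunk), a value containing `&`, `=` or `#` can still alter the query structure, which is what this commit sets out to prevent. Encode all three, e.g. `'http://search.twitter.com/search.atom?from='+encodeURIComponent(from)+"&to="+encodeURIComponent(to)+"&phrase="+encodePhrase(phrase)`. The `XmlListModel` body continues past the end of the hunk.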