From 69920f4ddeaa5dbdee555e0a607fd21eb42e2bbc Mon Sep 17 00:00:00 2001
From: Matthew Vogt
Date: Thu, 19 Jan 2012 16:39:53 +1000
Subject: Encode user input before insertion into URLs

Encode user input strings used to formulate URLs, to ensure they do not cause the structure of the URL to be subverted.

Task-number: QTBUG-19925
Change-Id: I6173f4df67a4bc1676ac32be6072763fc16f9720
Reviewed-by: Martin Jones
---
 examples/declarative/flickr/content/RssModel.qml | 7 ++-----
 examples/declarative/particles/itemparticle/content/RssModel.qml | 4 +++-
 examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml | 4 +++-
 examples/declarative/twitter/TwitterCore/RssModel.qml | 5 ++++-
 4 files changed, 12 insertions(+), 8 deletions(-)

(limited to 'examples')

diff --git a/examples/declarative/flickr/content/RssModel.qml b/examples/declarative/flickr/content/RssModel.qml
index 9dfcba513d..ba1cf7e62d 100644
--- a/examples/declarative/flickr/content/RssModel.qml
+++ b/examples/declarative/flickr/content/RssModel.qml
@@ -45,12 +45,9 @@ import QtQuick.XmlListModel 2.0
 XmlListModel {
 property string tags : ""
- function commasep(x)
- {
- return x.replace(' ',',');
- }
+ function encodeTags(x) { return encodeURIComponent(x.replace(' ',',')); }
- source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+commasep(tags)+"&" : "")+"format=rss2"
+ source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+encodeTags(tags)+"&" : "")+"format=rss2"
 query: "/rss/channel/item"
 namespaceDeclarations: "declare namespace media=\"http://search.yahoo.com/mrss/\";"
diff --git a/examples/declarative/particles/itemparticle/content/RssModel.qml b/examples/declarative/particles/itemparticle/content/RssModel.qml
index 33b6da38da..f5abf28e1a 100644
--- a/examples/declarative/particles/itemparticle/content/RssModel.qml
+++ b/examples/declarative/particles/itemparticle/content/RssModel.qml
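Review bot: The new `encodeTags` helper on the added function line still rewrites only the first space, because `x.replace(' ',',')` uses a string pattern and JavaScript's `String.replace` substitutes a single match for a string pattern; a tags value such as `cat dog bird` is therefore sent as `tags=cat%2Cdog%20bird`, which Flickr will presumably read as two tags with an encoded space inside the second. The percent-encoding is now correct, but the separator rewrite should be global: `function encodeTags(x) { return encodeURIComponent(x.replace(/ /g, ',')); }`. The same helper is copied into two other example files in this commit, so whatever is done here should be mirrored there. The enclosing XmlListModel starts at the top of the hunk and continues past its end.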
@@ -44,7 +44,9 @@ import QtQuick.XmlListModel 2.0
 XmlListModel {
 property string tags : ""
- source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+tags+"&" : "")
+ function encodeTags(x) { return encodeURIComponent(x.replace(' ',',')); }
+
+ source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+encodeTags(tags)+"&" : "")
 query: "/feed/entry"
 namespaceDeclarations: "declare default element namespace 'http://www.w3.org/2005/Atom';"
diff --git a/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml b/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml
index 4126367dff..9438637ebc 100644
--- a/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml
+++ b/examples/declarative/photoviewer/PhotoViewerCore/RssModel.qml
@@ -45,7 +45,9 @@ import QtQuick.XmlListModel 2.0
 XmlListModel {
 property string tags : ""
- source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+tags+"&" : "")
+ function encodeTags(x) { return encodeURIComponent(x.replace(' ',',')); }
+
+ source: "http://api.flickr.com/services/feeds/photos_public.gne?"+(tags ? "tags="+encodeTags(tags)+"&" : "")
 query: "/feed/entry"
 namespaceDeclarations: "declare default element namespace 'http://www.w3.org/2005/Atom';"
diff --git a/examples/declarative/twitter/TwitterCore/RssModel.qml b/examples/declarative/twitter/TwitterCore/RssModel.qml
index 61145f7efc..4e381f5e0f 100644
--- a/examples/declarative/twitter/TwitterCore/RssModel.qml
+++ b/examples/declarative/twitter/TwitterCore/RssModel.qml
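Review bot: The added `encodeTags` line in the itemparticle model does more than the commit message says: the replaced `"tags="+tags` passed the value through untouched, whereas the new helper also turns a space into a comma, and because the pattern is a string only the first space is converted, so `a b c` becomes `a%2Cb%20c`. If the space-to-comma rewrite is intended, it should be global and documented: `// Flickr expects comma-separated tags; encode after joining so commas and other reserved characters cannot alter the query string` above `function encodeTags(x) { return encodeURIComponent(x.replace(/ /g, ',')); }`. The XmlListModel this belongs to continues outside the hunk.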
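Review bot: The photoviewer hunk introduces the same `encodeTags` helper as the other two Flickr examples, with the same first-space-only `x.replace(' ',',')` and the same undocumented change from passing `tags` through verbatim to rewriting it. A reader of this example file alone cannot tell why a space becomes a comma, so the helper should carry a one-line comment and use a global pattern, `function encodeTags(x) { return encodeURIComponent(x.replace(/ /g, ',')); }`, kept identical across the three copies so the examples do not drift. The enclosing XmlListModel starts at the top of the hunk and ends outside it.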
@@ -51,11 +51,14 @@ Item {
 id: wrapper
 property string mode : "everyone"
 property int status: xmlModel.status
 function reload() { xmlModel.reload(); }
+
 XmlListModel {
 id: xmlModel
+ function encodePhrase(x) { return encodeURIComponent(x); }
+
 source: (from=="" && to=="" && phrase=="") ? "" :
- 'http://search.twitter.com/search.atom?from='+from+"&to="+to+"&phrase="+phrase
+ 'http://search.twitter.com/search.atom?from='+from+"&to="+to+"&phrase="+encodePhrase(phrase)
 namespaceDeclarations: "declare default element namespace 'http://www.w3.org/2005/Atom'; "
 + "declare namespace twitter=\"http://api.twitter.com/\";";
-- 
cgit v1.2.3
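Review bot: The rewritten `source` line encodes `phrase` but still concatenates `from` and `to` raw into the same query string, so the fix is incomplete for this URL. Their definitions are above the hunk and I cannot see how they are set, but they are combined with `phrase` in the emptiness check and look like the same kind of user-facing search input; a value containing `&` or `#` in either would still add or truncate query parameters exactly as `phrase` could before this change. Encode all three on that line: `'http://search.twitter.com/search.atom?from='+encodePhrase(from)+"&to="+encodePhrase(to)+"&phrase="+encodePhrase(phrase)`, and since `encodePhrase` is a plain alias of `encodeURIComponent`, a name such as `encodeParam` would make that reuse read naturally. Both the wrapper Item and the XmlListModel begin or end outside this hunk.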