#2702 closed bug (Fixed)
markup like <br/> in torrent comments -> harmless? error message
Reported by: | Peter Cordes | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | 2.0.0 |
Component: | GTK UI | Version: | develop |
Keywords: | security comments html | Cc: |
Description
deluge 1.4.0.dev366 (git 1e75b7bd1269d9d374652e917e9522749d0e5a56) on Ubuntu 14.04. (libgtk-3-0 version 3.10.8)
With a torrent with a <br/> in its comment field, switching to the details tab (or covering / uncovering the window, so GTK redraws it) leads to a warning about an unknown tag. And the comment field in the details tab shows as empty.
switching to the tab: /usr/local/lib/python2.7/dist-packages/deluge-1.4.0.dev366-py2.7.egg/deluge/ui/gtkui/details_tab.py:100: GtkWarning: Failed to set text from markup due to error parsing markup: Unknown tag 'br' on line 1 char 51
widget[0].set_markup(txt.replace('&', '&'))
When uncovering the window triggered the redraw: /usr/lib/python2.7/dist-packages/twisted/internet/_glibbase.py:309: GtkWarning: Failed to set text from markup due to error parsing markup: Unknown tag 'br' on line 1 char 51
self._run()
There's some caching somewhere, so you don't get the error repeatedly when flipping back and forth.
Better behaviour might to to escape or quote or whatever is needed, so text from the torrent is just displayed literally without being fed to anything that's going to try to parse it as markup. Apparently some torrents are out there with HTML newlines in their comments, so it would be better to display the raw HTML than to throw an error and display nothing.
Also better for security reasons to not feed un-treated data into something that might choke on it, unless set_markup is supposed to be able to handle potentially hostile data without risk.
Change History (4)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Milestone: | Future → 2.0 |
---|
comment:3 by , 10 years ago
Resolution: | → Fixed |
---|---|
Status: | new → closed |
The markup usage was added in #850 but didn't account for stray markup attributes. It's not that serious as all you are seeing is a gtk warning (granted text is not displayed) rather than an error so does not affect the running Deluge.
Fixed in develop: [41f08e4e29]
oops, deluge uses gtk2, not gtk3. Ubuntu 14.04 ships gtk2 v2.24.0-3ubuntu3. In case that matters.