On 9/5/19 5:00 AM, Alexander Ivash wrote:
Thank you for fast response, but my question is purely about QML. On
C++ side I have a lot of ways for nullifying / erasing sensitive
information*after* it is not needed (let say after particular QML
screen gets' closed). But on QML / JS side I have no any control at
all. Would be great if one of QML guys could step in and comment too.
The correct solution is to never use QML for anything. It's a needless
burden on the processor _and_ it's insecure. Who wouldn't want to write
everything with that???
Thiago tried to point you in the correct direction, but I think you
missed it. All data must be owned by C++. Never use Q_PROPERTY() so you
can control the lifespan and communications.
I'm guessing you prompt for a username &/or password and have one
control enter the entire thing. Upon success you navigate to a new
dialog/screen/whatever and the insecure luggage is left laying around.
You can "solve" this problem architecturally by not doing that.
Cheap hack #1: assign both fields new values once validated, say "*****"
and force screen update before navigating away.
A much better solution would be to have your own entry control which
sends each character back to C++ and displays first a string with that
character, then after 1-3 seconds changes all visible characters to a *
so the string in QML never contains the complete username or password.
Perform all validation logic within C++ and have C++ own the data. Let
QML be no more than a screen surface.
The best solution would be to use Widgets.
--
Roland Hughes, President
Logikal Solutions
(630)-205-1593 (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
