https://bugs.kde.org/show_bug.cgi?id=506793
postix <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|dbus generated              |dbus generated
                   |notifications render        |notifications display
                   |arbitrary HTML in the body  |images without imposing a
                   |                            |size limit

--- Comment #2 from postix <[email protected]> ---
> Rendering some tags is defined expected behaviour. See
> https://specifications.freedesktop.org/notification-spec/1.3/markup.html
> We escape other tags, we don't allow arbitrary HTML injection.

That's great, I will rephrase the title.

----

> As far as I am aware we are compliant with that spec, please let me know if
> not.

I think GLib maintainer Philip Withnall has posted a qualified answer
https://gitlab.gnome.org/GNOME/glib/-/issues/3720#note_2491853

> Fundamentally I think this is a problem with the xdg notification
> specification:
> * In the top-level ‘Markup’ section it says the notification server should
>   filter out markup tags if it doesn’t support them, which suggests the client
>   should be able to unconditionally send markup.
> * In the capabilities table, however, it says that the client
>   should strip out markup if the server doesn’t advertise the body-markup
>   capability.
> Those two statements are slightly contradictory,
> although it would be possible to get them both to work.
> (...)

I guess body-markup is advertised and therefore clients are free to unconditionally send markup in case of Plasma, correct?

----

> The issue with opening /dev/urandom is indeed valid.

Quoting from the above-mentioned comment:

> If a server implementation reads an image without imposing some kind of size
> limit on what it reads, that’s a server bug.

Yes, this is then hopefully the only real threat here.

-- 
You are receiving this mail because:
You are watching all bug changes.
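The two defensive checks this comment turns on, written out as an added example that is not part of the bug report and not Plasma's, KNotifications' or GLib's code: on the client, send markup only when the server advertises the `body-markup` capability; on the server, keep only the tags the linked markup spec lists (`b`, `i`, `u`, `a href`, `img src/alt`) and escape everything else, and read an image path without trusting it, so a character device such as `/dev/urandom` or an oversized file cannot make the server read without bound. The function names, the 4 MiB cap and the temp-file fixtures are assumptions made for this example.

```python
import os
import re
import stat
import tempfile

# Tags the notification spec's markup section permits in the body
# (b, i, u, a with href, img with src and alt). Everything else is escaped,
# which is the "server filters out unsupported tags" reading of the spec.
ALLOWED_TAGS = {"b": set(), "i": set(), "u": set(), "a": {"href"}, "img": {"src", "alt"}}

_TAG_RE = re.compile(r"<(/?)([A-Za-z]+)([^<>]*)>")
_ATTR_RE = re.compile(r'([A-Za-z]+)\s*=\s*"([^"]*)"')


def _escape_text(text: str) -> str:
    # Only angle brackets: the spec already requires clients to entity-encode '&'.
    return text.replace("<", "&lt;").replace(">", "&gt;")


def _rebuild_tag(closing: bool, name: str, attrs: str) -> str:
    """Re-emit an allowed tag carrying only its allowed attributes."""
    if closing:
        return f"</{name}>"
    parts = [name]
    for key, value in _ATTR_RE.findall(attrs):
        if key.lower() in ALLOWED_TAGS[name]:
            value = value.replace('"', "&quot;")
            parts.append(f'{key.lower()}="{value}"')
    return "<" + " ".join(parts) + ">"


def sanitize_body(body: str) -> str:
    """Server side: keep the spec's tags, neutralise every other tag-like token."""
    out, pos = [], 0
    for m in _TAG_RE.finditer(body):
        out.append(_escape_text(body[pos:m.start()]))
        closing, name, attrs = m.group(1) == "/", m.group(2).lower(), m.group(3)
        out.append(_rebuild_tag(closing, name, attrs) if name in ALLOWED_TAGS
                   else _escape_text(m.group(0)))
        pos = m.end()
    out.append(_escape_text(body[pos:]))
    return "".join(out)


def body_for_server(body: str, capabilities) -> str:
    """Client side: send markup only when the server advertises body-markup."""
    if "body-markup" in capabilities:
        return body
    return _TAG_RE.sub("", body)


MAX_IMAGE_BYTES = 4 * 1024 * 1024  # constructed cap for this example


class ImageTooLarge(ValueError):
    pass


def read_image_bounded(path: str, limit: int = MAX_IMAGE_BYTES) -> bytes:
    """Server side: read an image path named in a notification without trusting it.

    Opens first and inspects the open descriptor (no check-then-open race),
    rejects anything that is not a regular file (/dev/urandom is a character
    device, so it is never read), and never reads past `limit` bytes even if
    the file grows after the size check.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"refusing non-regular file: {path}")
        if st.st_size > limit:
            raise ImageTooLarge(f"{path}: {st.st_size} bytes exceeds limit {limit}")
        chunks, total = [], 0
        while total <= limit:                       # read at most limit+1 bytes in total
            chunk = os.read(fd, limit + 1 - total)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
        if total > limit:
            raise ImageTooLarge(f"{path}: grew past limit {limit} while reading")
        return b"".join(chunks)
    finally:
        os.close(fd)


DEVICE_PATH = os.devnull  # a character device on POSIX, stands in for /dev/urandom


def make_sample_file(n_bytes: int) -> str:
    """Constructed fixture: a temp file of n_bytes filled with 'A'."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"A" * n_bytes)
        return f.name


def bounded_read_outcome(path: str, limit: int) -> str:
    """Classify what read_image_bounded does with a path: ok / too-large / not-regular."""
    try:
        read_image_bounded(path, limit)
        return "ok"
    except ImageTooLarge:
        return "too-large"
    except ValueError:
        return "not-regular"


if __name__ == "__main__":
    print(sanitize_body('<b>Hi</b> <script>x</script> <a href="http://e.x" onclick="y">l</a>'))
    print(body_for_server("<b>x</b>", ["body"]))
    print(bounded_read_outcome(DEVICE_PATH, 16), bounded_read_outcome(make_sample_file(32), 16))
```

`fstat` on the already-open descriptor is what makes the device check meaningful: a `stat` before `open` could be raced by swapping the path. The read loop still enforces the cap independently of `st_size`, which is why a file that grows between the size check and the read is rejected rather than slurped.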
