From 12fc6b80e2df85afcf12ecb115fcd36207e793ab Mon Sep 17 00:00:00 2001
From: Denio
Date: Wed, 27 Nov 2019 19:52:44 +0100
Subject: [PATCH] Fix a phishing vulnerability related to HTML in memo fields

Original report by @s-rah here: ZcashFoundation#205
---
 src/mainwindow.cpp | 2 ++
 src/txtablemodel.cpp | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mainwindow.cpp b/src/mainwindow.cpp
index 6353bf0..1ed095b 100644
--- a/src/mainwindow.cpp
+++ b/src/mainwindow.cpp
@@ -886,6 +886,7 @@ void MainWindow::setupTransactionsTab() {
 if (!memo.isEmpty()) {
 QMessageBox mb(QMessageBox::Information, tr("Memo"), memo, QMessageBox::Ok, this);
+ mb.setTextFormat(Qt::PlainText);
 mb.setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
 mb.exec();
 }
@@ -934,6 +935,7 @@ void MainWindow::setupTransactionsTab() {
 if (!memo.isEmpty()) {
 menu.addAction(tr("View Memo"), [=] () {
 QMessageBox mb(QMessageBox::Information, tr("Memo"), memo, QMessageBox::Ok, this);
+ mb.setTextFormat(Qt::PlainText);
 mb.setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
 mb.exec();
 });
diff --git a/src/txtablemodel.cpp b/src/txtablemodel.cpp
index 7d21e12..d4119ad 100644
--- a/src/txtablemodel.cpp
+++ b/src/txtablemodel.cpp
@@ -137,7 +137,7 @@ QVariant TxTableModel::data(const QModelIndex &index, int role) const {
 return Settings::paymentURIPretty(Settings::parseURI(memo));
 } else {
 return modeldata->at(index.row()).type +
- (memo.isEmpty() ? "" : " tx memo: \"" + memo + "\"");
+ (memo.isEmpty() ? "" : " tx memo: \"" + memo.toHtmlEscaped() + "\"");
 }
 } else {
 return concatMultipleMemos(dat);
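Review bot: The memo dialog is built twice with the same lines, in this hunk and in the "View Memo" action of the hunk at -934, and each copy must remember `mb.setTextFormat(Qt::PlainText);` on its own. QMessageBox defaults to Qt::AutoText, so any later copy of the dialog that omits the call would again render a sender-supplied memo as rich text. I would move the construction into one private helper taking the memo string and call it from both places. Above the format call I would add `// memo is sender-controlled: never let QMessageBox auto-detect rich text`. Both sites sit inside setupTransactionsTab(), whose body starts and ends outside these hunks.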
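Review bot: Only the `type + " tx memo: ..."` return is escaped, while the two neighbouring returns in the context lines, `Settings::paymentURIPretty(Settings::parseURI(memo))` and `concatMultipleMemos(dat)`, still pass memo-derived text to the view. Whether those helpers escape their output is not visible in this hunk; if they do not, the same markup reaches the same display path and they need `.toHtmlEscaped()` as well. Escaping in the model also assumes the consumer renders rich text. Where the view decides the string is plain text, which seems possible for a memo containing `&` or `"` but no `<`, the user would see literal entities such as `&amp;`. A comment on the changed line would record the assumption: `// memo is sender-controlled; this role's text may be auto-detected as rich text`. The role check and the rest of TxTableModel::data() lie outside the hunk.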