Bug report #7371
QgsProject.writeEntry() makes it very easy to make a project file unreadable
| Status: | Closed | | |
|---|---|---|---|
| Priority: | Normal | | |
| Assignee: | - | | |
| Category: | Project Loading/Saving | | |
| Affected QGIS version: | master | Regression?: | No |
| Operating System: | | Easy fix?: | No |
| Pull Request or Patch supplied: | Yes | Resolution: | fixed/implemented |
| Crashes QGIS or corrupts data: | No | Copied to github as #: | 16344 |
Description
Hi!
When using QgsProject.instance().writeEntry(scope, key, value), it's really easy to make the whole project file unreadable.
This happens because scope and keys are used as XML element names in the project file.
In case a plugin developer uses user input as the key, he may not notice that he's endangering the user's files.
I'd suggest sanitizing scope and keys to make sure the project's XML remains valid whatever scope/key is used.
I'm providing a patch which is not finished.
Here are the regexps that should be used for sanitization: http://www.w3.org/TR/REC-xml/#NT-NameStartChar
But I didn't manage to make that work, so the patch provides a much simpler regexp which is too restrictive (refuses foreign characters, for instance).
Thanks!
Olivier
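An added illustration of the check this report asks for, written for this page and not taken from the attached patch, the pull request or QGIS itself. It validates a scope or key against the XML 1.0 Name productions linked above; the function names and the simplified `<properties>` document are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 productions [4] NameStartChar and [4a] NameChar, as regex classes.
# Assumption: ":" is left out although the grammar allows it, because a
# namespace-aware parser rejects a name with an undeclared prefix.
_NAME_START = (r"A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
               r"\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF"
               r"\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
_NAME_CHAR = _NAME_START + r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_NAME = re.compile(f"[{_NAME_START}][{_NAME_CHAR}]*")
_START = re.compile(f"[{_NAME_START}]")
_BAD_CHAR = re.compile(f"[^{_NAME_CHAR}]")


def is_valid_entry_name(name: str) -> bool:
    """True if name can be written as an XML element name unchanged."""
    # fullmatch, not match + "$": "$" would accept a trailing newline.
    return _NAME.fullmatch(name) is not None


def sanitize_entry_name(name: str) -> str:
    """Map any string to a valid element name (lossy: distinct inputs may collide)."""
    cleaned = _BAD_CHAR.sub("_", name)
    if not _START.match(cleaned):      # empty, or starts with a digit, "-" or "."
        cleaned = "_" + cleaned
    return cleaned


def project_xml_parses(scope: str, key: str, value: str) -> bool:
    """Simplified model of the project file: scope and key become element names."""
    doc = (f"<properties><{scope}><{key}>{escape(value)}"
           f"</{key}></{scope}></properties>")
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for key in ["my_key", "clé", "user key", "1st", "a<b"]:   # constructed inputs
        safe = sanitize_entry_name(key)
        print(f"{key!r:12} valid={is_valid_entry_name(key)!s:5} "
              f"raw_parses={project_xml_parses('myplugin', key, 'v')!s:5} -> {safe!r}")
```

Because sanitizing is lossy, a plugin that takes keys from user input may prefer to reject invalid names with `is_valid_entry_name` rather than silently rename them.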
History
#1
Updated by Olivier Dalang over 12 years ago
- % Done changed from 50 to 100
OK, I think I found the right regexp!
So I made a pull request: https://github.com/qgis/Quantum-GIS/pull/469
#2
Updated by Jürgen Fischer over 11 years ago
- Category set to Project Loading/Saving
#3
Updated by Nyall Dawson about 9 years ago
- Resolution set to fixed/implemented
- Status changed from Open to Closed
