Bug report #7371
QgsProject.writeEntry() makes it very easy to make a project file unreadable
|Affected QGIS version:|master|Regression?:|No|
|Operating System:||Easy fix?:|No|
|Pull Request or Patch supplied:|Yes|Resolution:|fixed/implemented|
|Crashes QGIS or corrupts data:|No|Copied to github as #:|16344|
With QgsProject.instance().writeEntry(scope, key, value), it's really easy to make the whole project file unreadable.
This happens because scope and keys are used as XML element names in the project file.
In case a plugin developer uses user input as the key, he may not notice that he's endangering the user's files.
I'd suggest to sanitize scope and keys to make sure the project's XML remains valid whatever scope/key is used.
I'm providing a patch which is not finished.
Here are the regexps that should be used for sanitization: http://www.w3.org/TR/REC-xml/#NT-NameStartChar
But I didn't manage to make that work, so the patch provides a much simpler regexp which is too restrictive (refuses foreign characters for instance).