Properly HTML-escape strings with user-defined contents in message boxes (#247)

* Properly HTML-escape strings with user-defined contents in message boxes, resolves #236 * Also escape group names in EditWidget title
2017-02-06 20:23:51 +01:00
parent 7e4592c1e7
commit 75eb0c6951
4 changed files with 11 additions and 9 deletions
--- a/src/http/Service.cpp
+++ b/src/http/Service.cpp
@@ -480,7 +480,8 @@ void Service::updateEntry(const QString &, const QString &uuid, const QString &l
                    //ShowNotification(QString("%0: You have an entry change prompt waiting, click to activate").arg(requestId));
                    if (   HttpSettings::alwaysAllowUpdate()
                        || QMessageBox::warning(0, tr("KeePassXC: Update Entry"),
-                                                tr("Do you want to update the information in %1 - %2?").arg(QUrl(url).host()).arg(u),
+                                                tr("Do you want to update the information in %1 - %2?")
+                                                .arg(QUrl(url).host().toHtmlEscaped()).arg(u.toHtmlEscaped()),
                                                QMessageBox::Yes|QMessageBox::No) == QMessageBox::Yes ) {
                        entry->beginUpdate();
                        entry->setUsername(login);