Bug report #7371
QgsProject.writeEntry() makes it very easy to make a project file unreadable
| Status: | Closed | | |
|---|---|---|---|
| Priority: | Normal | | |
| Assignee: | - | | |
| Category: | Project Loading/Saving | | |
| Affected QGIS version: | master | Regression?: | No |
| Operating System: | | Easy fix?: | No |
| Pull Request or Patch supplied: | Yes | Resolution: | fixed/implemented |
| Crashes QGIS or corrupts data: | No | Copied to github as #: | 16344 |
Description
Hi!
When using QgsProject.instance().writeEntry(scope, key, value), it's really easy to make the whole project file unreadable.
This happens because scope and keys are used as XML element names in the project file.
In case a plugin developer uses user input as the key, he may not notice that he's endangering the user's files.
I'd suggest sanitizing scope and keys to make sure the project's XML remains valid whatever scope/key is used.
I'm providing a patch which is not finished.
Here is the regexp that should be used for sanitization: http://www.w3.org/TR/REC-xml/#NT-NameStartChar
But I didn't manage to make that work, so the patch provides a much simpler regexp which is too restrictive (refuses foreign characters for instance).
Thanks!
Olivier
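The check the report asks for, as an added example (not the supplied patch and not QGIS code): a validator and sanitizer built from the XML 1.0 Name production, plus a demonstration that an unsanitized key yields an unparseable document. The function names and the reduced `<properties>` layout are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Character classes from the XML 1.0 Name production
# (https://www.w3.org/TR/REC-xml/#NT-NameStartChar). ":" is deliberately left
# out: namespace-aware parsers read it as a prefix separator.
_START = (r"A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          r"\u037F-\u1FFF\u200C\u200D\u2070-\u218F\u2C00-\u2FEF"
          r"\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
_REST = _START + r"\-.0-9\u00B7\u0300-\u036F\u203F\u2040"
_NAME = re.compile(f"[{_START}][{_REST}]*")
_BAD_CHAR = re.compile(f"[^{_REST}]")
_GOOD_START = re.compile(f"[{_START}]")


def is_valid_name(name):
    """True if name can be used as an XML element name (no colon)."""
    return _NAME.fullmatch(name) is not None


def sanitize_name(name, repl="_"):
    """Hypothetical sanitizer: replace illegal characters, fix the first one.

    Distinct inputs can collide ("my key" and "my_key"), so a caller that
    needs unique keys must detect that itself.
    """
    if not name:
        raise ValueError("scope/key must not be empty")
    cleaned = _BAD_CHAR.sub(repl, name)
    if not _GOOD_START.match(cleaned):  # e.g. a leading digit, "-" or "."
        cleaned = repl + cleaned
    return cleaned


def naive_project_xml(scope, key, value):
    """Simplified stand-in for a writer that uses scope/key as element names."""
    return (f"<properties><{scope}><{key}>{escape(value)}"
            f"</{key}></{scope}></properties>")


def parses(xml_text):
    """True if xml_text is well-formed XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for key in ("layer_name", "my key", "1st", "clé", "a<b"):  # constructed
        safe = sanitize_name(key)
        print(repr(key), is_valid_name(key), repr(safe),
              parses(naive_project_xml("plugin", key, "v")))
```
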
History
#1 Updated by Olivier Dalang almost 12 years ago
- % Done changed from 50 to 100
OK, I think I found the right regexp!
So I made a pull request: https://github.com/qgis/Quantum-GIS/pull/469
#2 Updated by Jürgen Fischer over 10 years ago
- Category set to Project Loading/Saving
#3 Updated by Nyall Dawson about 8 years ago
- Resolution set to fixed/implemented
- Status changed from Open to Closed