
Security implications of loading user style file

  • I'm thinking about adding the ability for my users to load a custom style sheet into my app. Are there any security implications with doing that? Like could they type anything into the style sheet that would allow for some sort of attack? Or does Qt validate the style sheet well enough to prevent this?

    Right now I'm just loading the file as a QString and then calling setStyleSheet on the main dialog. All sub dialogs are loaded with a parent pointer so the style sheet propagates out.

  • Lifetime Qt Champion


    AFAIR, if the stylesheet contains invalid syntax, it will simply not be applied.

  • @SGaist OK thanks. Just wanted to be sure before I exposed it.

    I really don't want to have to proxy custom styles for the handful of users who actually care about this. We had a system in our old version which was XML based and applied colors and a few other settings to custom drawn MFC controls, but we had maybe a dozen users who actually used it beyond the included styles that I personally wrote. Allowing those people to just edit the CSS would be so much easier.

  • Lifetime Qt Champion

    Since the file is being parsed on load, it's hard to imagine how it can be used for an attack, considering it is hard to instrument a buffer overflow or anything that would allow code execution.

  • @mrjj still risky. What if the file size is gigantic? Better to create a pop up for the user to add.

  • @JoeCFD Thanks for the input. I'll have to consider how I can limit that. I really want to avoid creating a whole UI for the user to modify the control looks. I did that before and no one ever used it. I want to offer the option to customize without any real effort on my part because very few people are going to actually use it.
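
One way to bound the file size raised above before the text ever reaches setStyleSheet, as an added example that is not code from any poster in this thread. It is plain C++17 with no Qt dependency; the function name `loadUserStyleSheet` and the 256 KiB cap are assumptions chosen for illustration.

```cpp
#include <cstddef>
#include <filesystem>
#include <fstream>
#include <optional>
#include <string>
#include <system_error>

// Hypothetical cap: pick a value that comfortably fits your largest real theme.
constexpr std::size_t kMaxStyleSheetBytes = 256 * 1024;

// Returns the file contents, or std::nullopt if the file should not be applied.
std::optional<std::string> loadUserStyleSheet(
    const std::filesystem::path& path,
    std::size_t maxBytes = kMaxStyleSheetBytes)
{
    std::error_code ec;
    // Regular files only: rejects directories, devices and FIFOs,
    // which could block or never reach end-of-file.
    if (!std::filesystem::is_regular_file(path, ec) || ec)
        return std::nullopt;

    // Cheap early rejection based on the size the file system reports.
    const auto reported = std::filesystem::file_size(path, ec);
    if (ec || reported > maxBytes)
        return std::nullopt;

    std::ifstream in(path, std::ios::binary);
    if (!in)
        return std::nullopt;

    // The file can grow between the size check and the read, so bound the
    // read itself: request one byte more than the cap and reject if it arrives.
    std::string data(maxBytes + 1, '\0');
    in.read(data.data(), static_cast<std::streamsize>(data.size()));
    const auto got = static_cast<std::size_t>(in.gcount());
    if (in.bad() || got > maxBytes)
        return std::nullopt;
    data.resize(got);

    // A style sheet is text; an embedded NUL byte means this is not one.
    if (data.find('\0') != std::string::npos)
        return std::nullopt;

    return data;
}
```

In the Qt application the returned string would be converted with `QString::fromUtf8` and passed to `setStyleSheet`; on `std::nullopt` the built-in style stays in place.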
