How to set the default XmlReader or SvgReader in a Qt application
-
Hi!
My application displays HTML text in all sorts of widgets. I would like to be able to disable some of the features
that come up with HTML, including SVG and XML, to protect against e.g. lol bombs. My questions:
- how can I get/modify the default XmlReader that Qt uses for parsing XML? I want to set an entityResolver that does nothing, by doing something like:
QApplication::getDefaultXmlReader()->setEntityResolver(NULL);
.. but there's no such method as getDefaultXmlReader()
- how can I disable SVG at compilation time? Apparently setting QT_NO_SVG has no effect except if recompiling Qt.
Thanks a lot for your help!
-
-
Hi,
How are you currently parsing XML documents? There is no "default XML reader". You need to explicitly instantiate a "QXmlStreamReader":http://qt-project.org/doc/qt-5/QXmlStreamReader.html, or explicitly use the classes from the older "Qt XML module":http://qt-project.org/doc/qt-5/qtxml-module.html.
SVG support is provided through a separate "Qt SVG module":http://qt-project.org/doc/qt-5/qtsvg-index.html. Simply omit the module from your project, and don't deploy the SVG-related shared libraries with your app. Your app won't read SVG files then.
-
Thanks for the reply.
I'm parsing XML documents implicitly when I do:
myRTextBrowser->setHtml( string_in_html ) ;
or
myLabel->setText( string_in_html ) ;
When doing that, Qt parses the HTML in the string and interprets all content, including embedded images, some of which are SVG => calls an XML parser.
So there must be somewhere in Qt, a default XmlParser object on which I can call setDefaultEntityResolver(NULL).
-
QTextBrowser and QLabel use a rich text engine which supports a subset of HTML and CSS, but doesn't understand XML entities (see http://qt-project.org/doc/qt-5/richtext-html-subset.html ). Unrecognized tags are simply ignored; any textual content within the unrecognized tags is displayed as plain text.
Inputting an HTML document with embedded SVG (e.g. http://www.w3schools.com/svg/svg_inhtml.asp ) displays the text, but not the image.
Inputting a lol bomb is harmless, as it won't get expanded.
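
For input that does reach a real XML parser rather than the rich text engine, nested entity declarations can be sized before anything is expanded. This is an added example, not code from the thread or from Qt: plain standard C++ with hypothetical helper names, an assumed 1 MiB budget, and support for double-quoted internal entities only.

```cpp
#include <cstdint>
#include <map>
#include <regex>
#include <set>
#include <string>
// Hypothetical helpers, not Qt APIs. Assumed budget: 1 MiB of expanded text.
constexpr std::uint64_t kCap = 1u << 20;
using Decls = std::map<std::string, std::string>;
using Memo = std::map<std::string, std::uint64_t>;

// Collect <!ENTITY name "value"> declarations (double-quoted values only).
Decls parseEntityDecls(const std::string& doc) {
    static const std::regex decl(R"rx(<!ENTITY\s+([A-Za-z_][A-Za-z0-9_.-]*)\s+"([^"]*)"\s*>)rx");
    Decls out;
    for (std::sregex_iterator it(doc.begin(), doc.end(), decl), end; it != end; ++it)
        out.emplace((*it)[1].str(), (*it)[2].str());  // first declaration wins
    return out;
}

// Length `text` would have after entity expansion, saturating at kCap.
std::uint64_t expandedSize(const std::string& text, const Decls& decls,
                           Memo& memo, std::set<std::string>& active) {
    static const std::regex ref(R"(&([A-Za-z_][A-Za-z0-9_.-]*);)");
    std::uint64_t total = text.size();  // start from the unexpanded length
    for (std::sregex_iterator it(text.begin(), text.end(), ref), end; it != end; ++it) {
        const std::string name = (*it)[1].str();
        auto d = decls.find(name);
        if (d == decls.end()) continue;       // undeclared reference stays literal
        if (active.count(name)) return kCap;  // entity refers back to itself
        auto m = memo.find(name);
        if (m == memo.end()) {
            active.insert(name);
            m = memo.emplace(name, expandedSize(d->second, decls, memo, active)).first;
            active.erase(name);
        }
        total = total - static_cast<std::uint64_t>(it->length()) + m->second;
        if (total >= kCap) return kCap;       // stop as soon as the budget is hit
    }
    return total < kCap ? total : kCap;
}

// True when the body after the DOCTYPE would expand to the budget or beyond.
bool exceedsExpansionBudget(const std::string& doc) {
    const std::size_t end = doc.find("]>");  // end of the DTD internal subset
    Memo memo;
    std::set<std::string> active;
    return expandedSize(end == std::string::npos ? doc : doc.substr(end + 2),
                        parseEntityDecls(doc), memo, active) >= kCap;
}
```

Because each entity's size is computed once and memoized, the check costs time proportional to the declarations, not to the expanded output.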