How to avoid script injection from QLineEdit object?



  • Hi!
    I am trying to protect a desktop form from any malicious attack. As the form data is posted to a database, I want to be careful about every field I have to process.

    I am using several QLineEdit objects as part of my form. So I started to simulate a cracker action by putting some JavaScript code as part of my input. The funny thing is that I am checking the input from a control function, but when I try to clear the malicious lines from the form, the QLineEdit items keep showing me the JavaScript text but without the "<" and ">" characters. That's weird for me.

    If you want to reproduce this issue, just create a QLineEdit item and then fill it using something like "<script></script>". Use a method to detect special characters and try to clear the line, if I am right, you won't be able to do it from the code.

    Any comment/suggestion is very welcome!


  • Lifetime Qt Champion

    Hi,

    How are you doing the cleanup?



  • This is part of the method I use to check the value of a field:

    // Test pattern: "<script></script>"
    QString value = input->text();
    if ((value.contains("<")) && (value.contains(">"))) {
         // None of these methods are working. Part of the string is removed but the words "script" remain 
         input = new QLineEdit;
         input->clear();
         input->setText("");
    }
    

  • Lifetime Qt Champion

    Why are you creating a new QLineEdit? Like it is right now, it's never shown, so you still have the content of the original on display.

    Calling input->clear() directly should be enough.



  • What kind of database do you use? If there already exists an official Qt interface for it, as there is for e.g. SQLite, you will not have to worry about that if you use QSqlRecord and QSqlField. As far as I know they are already escaping strings properly.


  • Qt Champions 2016

    @raspe88 said in How to avoid script injection from QLineEdit object?:

    What kind of database do you use?

    Unimportant in this case. The database driver will escape (provided you bind the values, not just insert them in the query string) with the SQL syntax in mind. It will not escape JS.
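An added example (not from this thread or from Qt) of the two points made above: bound parameters let the driver handle SQL quoting, but they leave "<script></script>" in the stored value untouched, so the value must be HTML-encoded at the point where it is rendered. Python's sqlite3 placeholder binding stands in here for QSqlQuery::bindValue(); the table, column and input string are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample input: the thread's test pattern plus an apostrophe,
# which is enough to break a statement built by string concatenation.
FORM_INPUT = "O'Brien <script></script>"


def store_with_binding(conn, value):
    # Placeholder binding: the driver quotes the value, so the apostrophe
    # cannot end the string literal and the text is stored verbatim.
    conn.execute("INSERT INTO people (name) VALUES (?)", (value,))
    conn.commit()


def store_by_concatenation(conn, value):
    # The pattern to avoid: the form value becomes part of the SQL syntax.
    conn.execute("INSERT INTO people (name) VALUES ('" + value + "')")
    conn.commit()


def fetch_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM people")]


def render_for_html(value):
    # Binding never touches "<" or ">"; encode when the value reaches an
    # HTML view (Qt offers QString::toHtmlEscaped() for the same purpose).
    return html.escape(value, quote=True)


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    store_with_binding(conn, FORM_INPUT)
    stored = fetch_names(conn)[0]          # unchanged, tags still present
    try:
        store_by_concatenation(conn, FORM_INPUT)
        concatenation_succeeded = True
    except sqlite3.OperationalError:
        concatenation_succeeded = False    # apostrophe broke the statement
    return stored, concatenation_succeeded, render_for_html(stored)


if __name__ == "__main__":
    stored, concat_ok, rendered = demo()
    print("stored via binding:", stored)
    print("concatenated insert succeeded:", concat_ok)
    print("safe for an HTML view:", rendered)
```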

