How to avoid script injection from QLineEdit object?
-
Hi!
I am trying to protect a desktop form from any malicious attack. As the form data is posted to a database, I want to be careful about every field I have to process. I am using several QLineEdit objects as part of my form. So I started to simulate a cracker action by putting some JavaScript code as part of my input. The funny thing is that I am checking the input from a control function, but when I try to clear the malicious lines from the form, the QLineEdit items keep showing me the JavaScript text but without the "<" ">" characters. That's weird for me.
If you want to reproduce this issue, just create a QLineEdit item and then fill it using something like "<script></script>". Use a method to detect special characters and try to clear the line, if I am right, you won't be able to do it from the code.
Any comment/suggestion is very welcome!
-
Hi,
How are you doing the cleanup ?
-
This is part of the method I use to check the value of a field:
    // Test pattern: "<script></script>"
    QString value = input->text();
    if ((value.contains("<")) && (value.contains(">"))) {
        // None of these methods are working. Part of the string is removed but the word "script" remains
        input = new QLineEdit;
        input->clear();
        input->setText("");
    }
-
Why are you creating a new QLineEdit ? Like it is right now, it's never shown so you still have the content of the original on display.
Calling
input->clear()
directly should be enough.
-
@raspe88 said in How to avoid script injection from QLineEdit object?:
What kind of database do you use?
Unimportant in this case. The database driver will escape (provided you bind the values, not just insert them in the query string) with the SQL syntax in mind. It will not escape JS.
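To make the distinction in the last two posts concrete, here is an added example (not code from the thread or from Qt): it puts the "strip the angle brackets" filter from the first post next to escaping at the output context, which is what protects a browser or HTML widget if the stored text is ever rendered there. It is written in standard C++ so it compiles without Qt; `htmlEscape` mirrors what `QString::toHtmlEscaped()` does (with the single quote added), so in a Qt application you would call that on `input->text()` instead. For the database side, the advice above stands on its own: use `QSqlQuery::prepare()` with `bindValue()` and let the driver handle SQL quoting; escaping for HTML is a separate step that belongs where the text is displayed, not where it is stored. Both helper names are assumptions for this example.

```cpp
#include <iostream>
#include <string>

// Weak approach from the thread: drop '<' and '>' and keep the rest.
// The word "script" survives, and any other context (attributes, URLs,
// SQL) is not handled at all. Assumed helper, not a Qt API.
std::string stripAngleBrackets(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        if (c != '<' && c != '>') out += c;
    }
    return out;
}

// Defender approach: keep the user's text unchanged in storage and escape it
// for the HTML context at the moment it is rendered. Standard-C++ equivalent
// of QString::toHtmlEscaped() plus the single quote; assumed helper.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 16);
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

int main() {
    // Constructed sample input: the test pattern used in the thread.
    const std::string field = "<script></script>";
    std::cout << "stripped: " << stripAngleBrackets(field) << '\n';
    std::cout << "escaped:  " << htmlEscape(field) << '\n';
    return 0;
}
```

The escaped form is safe to place inside an HTML text node and still shows the user exactly what was typed; the stripped form silently alters legitimate input (a user writing "a < b" loses a character) while giving no protection in other contexts.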