How to avoid script injection from QLineEdit object?

6 Posts 4 Posters 1.6k Views 2 Watching
    xtingray
    wrote on 24 Sept 2016, 15:13 last edited by xtingray
    #1

    Hi!
    I am trying to protect a desktop form from any malicious attack. As the form data is posted to a database, I want to be careful about every field I have to process.

    I am using several QLineEdit objects as part of my form. So I started to simulate a cracker's action by putting some JavaScript code in my input. The funny thing is that I am checking the input from a control function, but when I try to clear the malicious lines from the form, the QLineEdit items keep showing me the JavaScript text, but without the "<" and ">" characters. That's weird to me.

    If you want to reproduce this issue, just create a QLineEdit item and then fill it with something like "<script></script>". Use a method to detect special characters and try to clear the line; if I am right, you won't be able to do it from the code.

    Any comment/suggestion is very welcome!


    Qt Developer

      SGaist
      Lifetime Qt Champion
      wrote on 24 Sept 2016, 22:05 last edited by
      #2

      Hi,

      How are you doing the cleanup ?

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

        xtingray
        wrote on 25 Sept 2016, 01:33 last edited by xtingray
        #3

        This is part of the method I use to check the value of a field:

        // Test pattern: "<script></script>"
        QString value = input->text();
        if ((value.contains("<")) && (value.contains(">"))) {
            // None of these methods is working: part of the string is removed, but the words "script" remain
            input = new QLineEdit;
            input->clear();
            input->setText("");
        }

        Qt Developer

          SGaist
          Lifetime Qt Champion
          wrote on 25 Sept 2016, 06:34 last edited by
          #4

          Why are you creating a new QLineEdit? As it is right now, it's never shown, so you still have the content of the original on display.

          Calling input->clear() directly should be enough.

          Interested in AI ? www.idiap.ch
          Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

            raspe88
            wrote on 25 Sept 2016, 08:57 last edited by
            #5

            What kind of database do you use? If there already exists an official Qt interface for it, as for e.g. SQLite, you will not have to worry about that if you use QSqlRecord and QSqlField. As far as I know, they already escape strings properly.

              kshegunov
              Moderators
              wrote on 25 Sept 2016, 09:56 last edited by
              #6

              @raspe88 said in How to avoid script injection from QLineEdit object?:

              What kind of database do you use?

              Unimportant in this case. The database driver will escape (provided you bind the values, not just insert them in the query string) with the SQL syntax in mind. It will not escape JS.

              Read and abide by the Qt Code of Conduct

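The point made in posts #4 and #6 (clear() is the right way to empty the widget, but a bound SQL parameter only protects the SQL parser, not a browser that later renders the value) is easier to see side by side. The block below is an added example, not code from this thread, from Qt or from the poster's project. It deliberately uses only std::string so it builds without Qt and names the Qt equivalents in comments (QString::toHtmlEscaped(), QSqlQuery::prepare()/bindValue()). The two strip_* filters and sql_quote_literal are constructed to illustrate the blocklist approach and what a driver does with a bound value; they are not recommended code. The inputs are made up for the demonstration.

```cpp
#include <iostream>
#include <string>

// 1. Blocklist "sanitizer": drop every '<' and '>'.
//    This reproduces what post #1 observed: the tag is gone but the word
//    "script" is still there. Shown only to demonstrate why character
//    stripping is not a security control.
std::string strip_angle_brackets(const std::string& in) {
    std::string out;
    for (char c : in) {
        if (c != '<' && c != '>') out += c;
    }
    return out;
}

// 2. Slightly smarter blocklist: remove one occurrence of a forbidden tag.
//    A single pass is trivially bypassed by nesting the tag inside itself:
//    the forbidden tag reappears after the filter has run.
std::string strip_tag_once(std::string s, const std::string& tag) {
    std::string::size_type pos = s.find(tag);
    if (pos != std::string::npos) s.erase(pos, tag.size());
    return s;
}

// 3. What a database driver does with a bound string parameter, conceptually:
//    wrap it in quotes and double any embedded quote. The value is now safe
//    for the SQL parser; the HTML and JavaScript inside it are untouched.
//    (With Qt you get this by calling QSqlQuery::prepare() and bindValue(),
//    not by writing this function yourself. It is here only to show the effect.)
std::string sql_quote_literal(const std::string& in) {
    std::string out = "'";
    for (char c : in) {
        if (c == '\'') {
            out += "''";
        } else {
            out += c;
        }
    }
    return out + "'";
}

// 4. Output encoding for an HTML sink: applied when the stored value is
//    rendered into a page, not when it is typed into the QLineEdit.
//    Qt's QString::toHtmlEscaped() does the same for <, >, & and ".
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// True when the string still contains a raw '<' or '>', i.e. it must not be
// inserted into an HTML document as-is.
bool has_raw_angle_brackets(const std::string& s) {
    return s.find('<') != std::string::npos || s.find('>') != std::string::npos;
}

int main() {
    // Constructed inputs: the thread's own test pattern, and a nested variant
    // built to defeat a single-pass tag filter.
    const std::string simple = "<script></script>";
    const std::string nested = "<scr<script>ipt>alert('x')</scr</script>ipt>";

    std::cout << "stripped: " << strip_angle_brackets(simple) << "\n";
    const std::string filtered =
        strip_tag_once(strip_tag_once(nested, "<script>"), "</script>");
    std::cout << "filtered: " << filtered << "\n";
    std::cout << "sql:      " << sql_quote_literal(filtered) << "\n";
    std::cout << "html:     " << html_escape(filtered) << "\n";
    std::cout << "raw <> left after html_escape? "
              << (has_raw_angle_brackets(html_escape(filtered)) ? "yes" : "no")
              << "\n";
    return 0;
}
```

What to look at in the output: strip_angle_brackets leaves `script/script`, exactly the residue described in post #1; the nested input comes out of the one-pass tag filter as a complete `<script>alert('x')</script>`; sql_quote_literal only doubles the quotes inside `alert('x')` and leaves the tags intact, which is what post #6 means by "it will not escape JS"; and html_escape is the only step after which no raw angle brackets remain. The decision about how to encode therefore belongs at each output sink (HTML, SQL, shell), not at the QLineEdit, which only needs input->clear() if you want it emptied.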