Verify that all strings are properly escaped (#5558)

- I checked every occurence of a '%2' and make correct use of the
QString::arg overload that takes several argument instead of chaining
them, because the first argument can contains a '%1'

 - I tried to look for every label that they either use plain text or richtext
and escape the user provided strings in there.

Author: ogoffart

src/gui/accountsettings.cpp

@@ -552,10 +552,12 @@ void AccountSettings::slotAccountStateChanged(int state)
             _model->slotUpdateFolderState(folder);
         }
 
-        QString server = QString::fromLatin1("<a href=\"%1\">%2</a>").arg(account->url().toString(), safeUrl.toString());
+        QString server = QString::fromLatin1("<a href=\"%1\">%2</a>")
+                             .arg(Utility::escape(account->url().toString()),
+                                  Utility::escape(safeUrl.toString()));
         QString serverWithUser = server;
         if (AbstractCredentials *cred = account->credentials()) {
-           serverWithUser = tr("%1 as <i>%2</i>").arg(server, cred->user());
+            serverWithUser = tr("%1 as <i>%2</i>").arg(server, Utility::escape(cred->user()));
         }
 
         if (state == AccountState::Connected) {
@@ -569,13 +571,14 @@ void AccountSettings::slotAccountStateChanged(int state)
         } else if (state == AccountState::SignedOut) {
             showConnectionLabel( tr("Signed out from %1.").arg(serverWithUser) );
         } else {
-            showConnectionLabel( tr("No connection to %1 at %2.")
-                                 .arg(Theme::instance()->appNameGUI(),
-                                      server), _accountState->connectionErrors() );
+            showConnectionLabel(tr("No connection to %1 at %2.")
+                                    .arg(Utility::escape(Theme::instance()->appNameGUI()), server),
+                                _accountState->connectionErrors());
         }
     } else {
         // ownCloud is not yet configured.
-        showConnectionLabel( tr("No %1 connection configured.").arg(Theme::instance()->appNameGUI()) );
+        showConnectionLabel(tr("No %1 connection configured.")
+                                .arg(Utility::escape(Theme::instance()->appNameGUI())));
     }
 
     /* Allow to expand the item if the account is connected. */
@@ -664,7 +667,8 @@ void AccountSettings::refreshSelectiveSyncStatus()
             }
             QModelIndex theIndx = _model->indexForPath(folder, myFolder);
             if(theIndx.isValid()) {
-                msg += QString::fromLatin1("<a href=\"%1?folder=%2\">%1</a>").arg(myFolder).arg(folder->alias());
+                msg += QString::fromLatin1("<a href=\"%1?folder=%2\">%1</a>")
+                           .arg(Utility::escape(myFolder), Utility::escape(folder->alias()));
             } else {
                 msg += myFolder; // no link because we do not know the index yet.
             }

src/gui/accountsettings.ui

@@ -41,6 +41,9 @@
         <property name="text">
          <string>Connected with &lt;server&gt; as &lt;user&gt;</string>
         </property>
+        <property name="textFormat">
+         <enum>Qt::RichText</enum>
+        </property>
         <property name="wordWrap">
          <bool>true</bool>
         </property>
@@ -75,6 +78,9 @@
        <property name="text">
         <string>Storage space: ...</string>
        </property>
+       <property name="textFormat">
+        <enum>Qt::PlainText</enum>
+       </property>
        <property name="wordWrap">
         <bool>false</bool>
        </property>
@@ -145,6 +151,9 @@
           <property name="text">
            <string>Unchecked folders will be &lt;b&gt;removed&lt;/b&gt; from your local file system and will not be synchronized to this computer anymore</string>
           </property>
+          <property name="textFormat">
+           <enum>Qt::RichText</enum>
+          </property>
           <property name="wordWrap">
            <bool>true</bool>
           </property>

src/gui/activityitemdelegate.cpp

@@ -142,9 +142,9 @@ void ActivityItemDelegate::paint(QPainter *painter, const QStyleOptionViewItem &
 
     QString timeStr;
     if ( accountOnline ) {
-        timeStr = tr("%1 on %2").arg(timeText).arg(accountRole);
+        timeStr = tr("%1 on %2").arg(timeText, accountRole);
     } else {
-        timeStr = tr("%1 on %2 (disconnected)").arg(timeText).arg(accountRole);
+        timeStr = tr("%1 on %2 (disconnected)").arg(timeText, accountRole);
         QPalette p = option.palette;
         painter->setPen(p.color(QPalette::Disabled, QPalette::Text));
     }

src/gui/activitywidget.ui

@@ -25,6 +25,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::PlainText</enum>
+     </property>
     </widget>
    </item>
    <item row="1" column="0">
@@ -64,6 +67,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::RichText</enum>
+     </property>
     </widget>
    </item>
    <item row="3" column="0">
@@ -87,6 +93,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::RichText</enum>
+     </property>
     </widget>
    </item>
    <item row="5" column="0">

src/gui/authenticationdialog.cpp

@@ -30,6 +30,7 @@ AuthenticationDialog::AuthenticationDialog(const QString &realm, const QString &
     setWindowTitle(tr("Authentication Required"));
     QVBoxLayout *lay = new QVBoxLayout(this);
     QLabel *label = new QLabel(tr("Enter username and password for '%1' at %2.").arg(realm, domain));
+    label->setTextFormat(Qt::PlainText);
     lay->addWidget(label);
 
     QFormLayout *form = new QFormLayout;

src/gui/folder.cpp

@@ -383,16 +383,16 @@ void Folder::createGuiLog( const QString& filename, LogStatus status, int count,
             break;
         case LogStatusRename:
             if( count > 1 ) {
-                text = tr("%1 has been renamed to %2 and %n other file(s) have been renamed.", "", count-1).arg(file).arg(renameTarget);
+                text = tr("%1 has been renamed to %2 and %n other file(s) have been renamed.", "", count-1).arg(file, renameTarget);
             } else {
-                text = tr("%1 has been renamed to %2.", "%1 and %2 name files.").arg(file).arg(renameTarget);
+                text = tr("%1 has been renamed to %2.", "%1 and %2 name files.").arg(file, renameTarget);
             }
             break;
         case LogStatusMove:
             if( count > 1 ) {
-                text = tr("%1 has been moved to %2 and %n other file(s) have been moved.", "", count-1).arg(file).arg(renameTarget);
+                text = tr("%1 has been moved to %2 and %n other file(s) have been moved.", "", count-1).arg(file, renameTarget);
             } else {
-                text = tr("%1 has been moved to %2.").arg(file).arg(renameTarget);
+                text = tr("%1 has been moved to %2.").arg(file, renameTarget);
             }
             break;
         case LogStatusConflict:

src/gui/folderstatusmodel.cpp

@@ -164,10 +164,11 @@ QVariant FolderStatusModel::data(const QModelIndex &index, int role) const
     {
         const auto &x = static_cast<SubFolderInfo *>(index.internalPointer())->_subs[index.row()];
         switch (role) {
-        case Qt::ToolTipRole:
         case Qt::DisplayRole:
             //: Example text: "File.txt (23KB)"
             return x._size < 0 ? x._name : tr("%1 (%2)").arg(x._name, Utility::octetsToString(x._size));
+        case Qt::ToolTipRole:
+            return QString(QLatin1String("<qt>") + Utility::escape(x._size < 0 ? x._name : tr("%1 (%2)").arg(x._name, Utility::octetsToString(x._size))) + QLatin1String("</qt>"));
         case Qt::CheckStateRole:
             return x._checked;
         case Qt::DecorationRole:

src/gui/folderwizard.cpp

@@ -65,7 +65,7 @@ FolderWizardLocalPath::FolderWizardLocalPath(const AccountPtr& account)
     connect(_ui.localFolderChooseBtn, SIGNAL(clicked()), this, SLOT(slotChooseLocalFolder()));
     _ui.localFolderChooseBtn->setToolTip(tr("Click to select a local folder to sync."));
 
-    QString defaultPath = QString::fromLatin1( "%1/%2").arg( QDir::homePath() ).arg(Theme::instance()->appName() );
+    QString defaultPath = QDir::homePath() + QLatin1Char('/') + Theme::instance()->appName();
     _ui.localFolderLineEdit->setText( QDir::toNativeSeparators( defaultPath ) );
     _ui.localFolderLineEdit->setToolTip(tr("Enter the path to the local folder."));
 
@@ -441,7 +441,8 @@ bool FolderWizardRemotePath::isComplete() const
         if (QDir::cleanPath(dir) == QDir::cleanPath(curDir)) {
             warnStrings.append(tr("This folder is already being synced."));
         } else if (dir.startsWith(curDir + QLatin1Char('/'))) {
-            warnStrings.append(tr("You are already syncing <i>%1</i>, which is a parent folder of <i>%2</i>.").arg(curDir).arg(dir));
+            warnStrings.append(tr("You are already syncing <i>%1</i>, which is a parent folder of <i>%2</i>.").arg(
+                Utility::escape(curDir), Utility::escape(dir)));
         }
 
         if (curDir == QLatin1String("/")) {

src/gui/folderwizardsourcepage.ui

@@ -126,7 +126,7 @@
       <string/>
      </property>
      <property name="textFormat">
-      <enum>Qt::AutoText</enum>
+      <enum>Qt::RichText</enum>
      </property>
      <property name="margin">
       <number>3</number>

src/gui/folderwizardtargetpage.ui

@@ -110,7 +110,7 @@
            <string>TextLabel</string>
           </property>
           <property name="textFormat">
-           <enum>Qt::AutoText</enum>
+           <enum>Qt::RichText</enum>
           </property>
           <property name="wordWrap">
            <bool>true</bool>

src/gui/owncloudsetuppage.ui

@@ -35,6 +35,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::RichText</enum>
+     </property>
     </widget>
    </item>
    <item row="3" column="0" colspan="2">
@@ -155,6 +158,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::RichText</enum>
+     </property>
     </widget>
    </item>
    <item row="5" column="1">

src/gui/owncloudsetupwizard.cpp

@@ -178,10 +178,10 @@ void OwncloudSetupWizard::slotOwnCloudFoundAuth(const QUrl& url, const QVariantM
     auto serverVersion = CheckServerJob::version(info);
 
     _ocWizard->appendToConfigurationLog(tr("<font color=\"green\">Successfully connected to %1: %2 version %3 (%4)</font><br/><br/>")
-                                        .arg(url.toString())
-                                        .arg(Theme::instance()->appNameGUI())
-                                        .arg(CheckServerJob::versionString(info))
-                                        .arg(serverVersion));
+                                        .arg(Utility::escape(url.toString()),
+                                             Utility::escape(Theme::instance()->appNameGUI()),
+                                             Utility::escape(CheckServerJob::versionString(info)),
+                                             Utility::escape(serverVersion)));
 
     _ocWizard->account()->setServerVersion(serverVersion);
 
@@ -212,9 +212,9 @@ void OwncloudSetupWizard::slotNoOwnCloudFoundAuth(QNetworkReply *reply)
         msg = tr("Invalid URL");
     } else {
         msg = tr("Failed to connect to %1 at %2:<br/>%3")
-            .arg(Theme::instance()->appNameGUI(),
-                 reply->url().toString(),
-                 reply->errorString());
+                  .arg(Utility::escape(Theme::instance()->appNameGUI()),
+                       Utility::escape(reply->url().toString()),
+                       Utility::escape(reply->errorString()));
     }
     bool isDowngradeAdvised = checkDowngradeAdvised(reply);
 
@@ -244,9 +244,10 @@ void OwncloudSetupWizard::slotNoOwnCloudFoundAuth(QNetworkReply *reply)
 
 void OwncloudSetupWizard::slotNoOwnCloudFoundAuthTimeout(const QUrl&url)
 {
-    _ocWizard->displayError(tr("Timeout while trying to connect to %1 at %2.")
-                            .arg(Theme::instance()->appNameGUI(),
-                                 url.toString()), false);
+    _ocWizard->displayError(
+        tr("Timeout while trying to connect to %1 at %2.")
+            .arg(Utility::escape(Theme::instance()->appNameGUI()), Utility::escape(url.toString())),
+        false);
 }
 
 void OwncloudSetupWizard::slotConnectToOCUrl( const QString& url )
@@ -307,7 +308,7 @@ void OwncloudSetupWizard::slotAuthError()
         }
         errorMsg = tr("The authenticated request to the server was redirected to "
                       "'%1'. The URL is bad, the server is misconfigured.")
-                   .arg(redirectUrl.toString());
+                       .arg(Utility::escape(redirectUrl.toString()));
 
     // A 404 is actually a success: we were authorized to know that the folder does
     // not exist. It will be created later...
@@ -320,7 +321,7 @@ void OwncloudSetupWizard::slotAuthError()
         if (!_ocWizard->account()->credentials()->stillValid(reply)) {
             errorMsg = tr("Access forbidden by server. To verify that you have proper access, "
                           "<a href=\"%1\">click here</a> to access the service with your browser.")
-                       .arg(_ocWizard->account()->url().toString());
+                           .arg(Utility::escape(_ocWizard->account()->url().toString()));
         } else {
             errorMsg = errorMessage(reply->errorString(), reply->readAll());
         }
@@ -369,7 +370,9 @@ void OwncloudSetupWizard::slotCreateLocalAndRemoteFolders(const QString& localFo
     if( fi.exists() ) {
         // there is an existing local folder. If its non empty, it can only be synced if the
         // ownCloud is newly created.
-        _ocWizard->appendToConfigurationLog( tr("Local sync folder %1 already exists, setting it up for sync.<br/><br/>").arg(localFolder));
+        _ocWizard->appendToConfigurationLog(
+            tr("Local sync folder %1 already exists, setting it up for sync.<br/><br/>")
+                .arg(Utility::escape(localFolder)));
     } else {
         QString res = tr("Creating local sync folder %1...").arg(localFolder);
         if( fi.mkpath( localFolder ) ) {
@@ -379,7 +382,7 @@ void OwncloudSetupWizard::slotCreateLocalAndRemoteFolders(const QString& localFo
         } else {
             res += tr("failed.");
             qDebug() << "Failed to create " << fi.path();
-            _ocWizard->displayError(tr("Could not create local folder %1").arg(localFolder), false);
+            _ocWizard->displayError(tr("Could not create local folder %1").arg(Utility::escape(localFolder)), false);
             nextStep = false;
         }
         _ocWizard->appendToConfigurationLog( res );
@@ -415,7 +418,7 @@ void OwncloudSetupWizard::slotRemoteFolderExists(QNetworkReply *reply)
     }
 
     if( !ok ) {
-        _ocWizard->displayError(error, false);
+        _ocWizard->displayError(Utility::escape(error), false);
     }
 
     finalizeSetup( ok );
@@ -455,8 +458,8 @@ void OwncloudSetupWizard::slotCreateRemoteFolderFinished( QNetworkReply::Network
         _remoteFolder.clear();
         success = false;
     } else {
-        _ocWizard->appendToConfigurationLog( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(_remoteFolder).arg(error));
-        _ocWizard->displayError( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(_remoteFolder).arg(error), false );
+        _ocWizard->appendToConfigurationLog( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(Utility::escape(_remoteFolder)).arg(error));
+        _ocWizard->displayError( tr("Remote folder %1 creation failed with error <tt>%2</tt>.").arg(Utility::escape(_remoteFolder)).arg(error), false );
         _remoteFolder.clear();
         success = false;
     }
@@ -472,8 +475,9 @@ void OwncloudSetupWizard::finalizeSetup( bool success )
     const QString localFolder = _ocWizard->property("localFolder").toString();
     if( success ) {
         if( !(localFolder.isEmpty() || _remoteFolder.isEmpty() )) {
-            _ocWizard->appendToConfigurationLog( tr("A sync connection from %1 to remote directory %2 was set up.")
-                                                 .arg(localFolder).arg(_remoteFolder));
+            _ocWizard->appendToConfigurationLog(
+                tr("A sync connection from %1 to remote directory %2 was set up.")
+                    .arg(localFolder, _remoteFolder));
         }
         _ocWizard->appendToConfigurationLog( QLatin1String(" "));
         _ocWizard->appendToConfigurationLog( QLatin1String("<p><font color=\"green\"><b>")

src/gui/protocolwidget.ui

@@ -19,6 +19,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::PlainText</enum>
+     </property>
     </widget>
    </item>
    <item row="1" column="0" colspan="2">

src/gui/proxyauthdialog.ui

@@ -73,6 +73,9 @@
      <property name="text">
       <string>TextLabel</string>
      </property>
+     <property name="textFormat">
+      <enum>Qt::PlainText</enum>
+     </property>
     </widget>
    </item>
   </layout>

src/gui/proxyauthhandler.cpp

@@ -58,8 +58,7 @@ void ProxyAuthHandler::handleProxyAuthenticationRequired(
         return;
     }
 
-    QString key = QString::fromLatin1("%1:%2").arg(
-            proxy.hostName(), QString::number(proxy.port()));
+    QString key = proxy.hostName() + QLatin1Char(':') + QString::number(proxy.port());
 
     // If the proxy server has changed, forget what we know.
     if (key != _proxy) {

src/gui/settingsdialog.cpp

@@ -252,7 +252,7 @@ void SettingsDialog::customizeStyle()
     QString altBase(palette().alternateBase().color().name());
     QString dark(palette().dark().color().name());
     QString background(palette().base().color().name());
-    _toolBar->setStyleSheet(QString::fromAscii(TOOLBAR_CSS).arg(background).arg(dark).arg(highlightColor).arg(altBase));
+    _toolBar->setStyleSheet(QString::fromAscii(TOOLBAR_CSS).arg(background,dark,highlightColor,altBase));
 
     Q_FOREACH(QAction *a, _actionGroup->actions()) {
         QIcon icon = createColorAwareIcon(a->property("iconPath").toString());

src/gui/sharedialog.ui

@@ -27,6 +27,9 @@
        <property name="text">
         <string>share label</string>
        </property>
+       <property name="textFormat">
+        <enum>Qt::PlainText</enum>
+       </property>
       </widget>
      </item>
      <item row="1" column="1">
@@ -46,6 +49,9 @@
        <property name="text">
         <string>ownCloud Path:</string>
        </property>
+       <property name="textFormat">
+        <enum>Qt::PlainText</enum>
+       </property>
       </widget>
      </item>
      <item row="0" column="0" rowspan="2">

src/gui/sharelinkwidget.cpp

@@ -321,7 +321,7 @@ void ShareLinkWidget::redrawElidedUrl()
         const QUrl realUrl(_shareUrl);
         QString elidedUrl = fm.elidedText(_shareUrl, Qt::ElideRight, linkLengthPixel);
 
-        u = QString("<a href=\"%1\">%2</a>").arg(realUrl.toString(QUrl::None)).arg(elidedUrl);
+        u = QString("<a href=\"%1\">%2</a>").arg(Utility::escape(realUrl.toString(QUrl::None)), Utility::escape(elidedUrl));
     }
     _ui->_labelShareLink->setText(u);
 }