Fix a phishing vulnerability related to HTML in memo fields

Original report by @s-rah here: https://github.com/ZcashFoundation/zecwallet/issues/205
5 years ago · e264af0155
2 changed files with 3 additions and 1 deletions
--- a/src/mainwindow.cpp
+++ b/src/mainwindow.cpp
@ -926,6 +926,7 @@ void MainWindow::setupTransactionsTab() {

        if (!memo.isEmpty()) {
            QMessageBox mb(QMessageBox::Information, tr("Memo"), memo, QMessageBox::Ok, this);
+            mb.setTextFormat(Qt::PlainText);
            mb.setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
            mb.exec();
        }
@ -981,6 +982,7 @@ void MainWindow::setupTransactionsTab() {
        if (!memo.isEmpty()) {
            menu.addAction(tr("View Memo"), [=] () {
                QMessageBox mb(QMessageBox::Information, tr("Memo"), memo, QMessageBox::Ok, this);
+                mb.setTextFormat(Qt::PlainText);
                mb.setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
                mb.exec();
            });
--- a/src/txtablemodel.cpp
+++ b/src/txtablemodel.cpp
@ -143,7 +143,7 @@ void TxTableModel::updateAllData() {
                        return Settings::paymentURIPretty(Settings::parseURI(dat.memo));
                    } else {
                        return modeldata->at(index.row()).type + 
-                        (dat.memo.isEmpty() ? "" : " tx memo: \"" + dat.memo + "\"");
+                        (dat.memo.isEmpty() ? "" : " tx memo: \"" + dat.memo.toHtmlEscaped() + "\"");
                    }
                }
        case 1: {