From e264af0155325c1b04ab95e92ee34c1711cf55f7 Mon Sep 17 00:00:00 2001
From: Duke Leto
Date: Wed, 27 Nov 2019 08:31:08 -0500
Subject: [PATCH] Fix a phishing vulnerability related to HTML in memo fields
Original report by @s-rah here: https://github.com/ZcashFoundation/zecwallet/issues/205
---
 src/mainwindow.cpp | 2 ++
 src/txtablemodel.cpp | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/mainwindow.cpp b/src/mainwindow.cpp
index debd622..12793af 100644
--- a/src/mainwindow.cpp
+++ b/src/mainwindow.cpp
@@ -926,6 +926,7 @@ void MainWindow::setupTransactionsTab() {
 if (!memo.isEmpty()) {
 QMessageBox mb(QMessageBox::Information, tr("Memo"), memo, QMessageBox::Ok, this);
+ mb.setTextFormat(Qt::PlainText);
 mb.setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
 mb.exec();
 }
@@ -981,6 +982,7 @@ void MainWindow::setupTransactionsTab() {
 if (!memo.isEmpty()) {
 menu.addAction(tr("View Memo"), [=] () {
 QMessageBox mb(QMessageBox::Information, tr("Memo"), memo, QMessageBox::Ok, this);
+ mb.setTextFormat(Qt::PlainText);
 mb.setTextInteractionFlags(Qt::TextSelectableByMouse | Qt::TextSelectableByKeyboard);
 mb.exec();
 });
diff --git a/src/txtablemodel.cpp b/src/txtablemodel.cpp
index 0bcb1ed..a13b31e 100644
--- a/src/txtablemodel.cpp
+++ b/src/txtablemodel.cpp
@@ -143,7 +143,7 @@ void TxTableModel::updateAllData() {
 return Settings::paymentURIPretty(Settings::parseURI(dat.memo));
 } else {
 return modeldata->at(index.row()).type +
- (dat.memo.isEmpty() ? "" : " tx memo: \"" + dat.memo + "\"");
+ (dat.memo.isEmpty() ? "" : " tx memo: \"" + dat.memo.toHtmlEscaped() + "\"");
 }
 }
 case 1: {
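Review bot: The plain-text guard is now written out twice, once in this memo dialog and again in the "View Memo" context-menu action in the second hunk of this file, so a memo display added later can easily miss it and fall back to QMessageBox's default auto-detected text format. The memo is chosen by whoever sent the transaction, so both sites would be safer behind one small helper that builds the box, calls `mb.setTextFormat(Qt::PlainText);` and becomes the only place a memo is shown. Until then, a comment above each call such as `// Memo text is sender-controlled: force plain text so embedded HTML is never rendered.` would keep the line from being removed as redundant. Per the hunk headers both sites are in setupTransactionsTab(), whose body extends beyond the hunks.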
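Review bot: The URI branch at the top of this hunk still returns `Settings::paymentURIPretty(Settings::parseURI(dat.memo))` without escaping, while only the `else` branch gained `toHtmlEscaped()`. Neither helper's body is visible here, but if the pretty string carries any field parsed out of the memo, sender-supplied markup could presumably still reach the same view; assuming the call returns a QString, `return Settings::paymentURIPretty(Settings::parseURI(dat.memo)).toHtmlEscaped();` would treat both branches alike. It is also worth confirming that the consuming view actually renders this string as rich text, because otherwise an ordinary memo containing an ampersand or a double quote would be displayed with literal HTML entities in place of those characters. The enclosing function starts and ends outside the hunk.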