Joren/qobuz-qt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: security hardening and code quality improvements

Browse Source 
Build hardening:
- Add -fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE, full RELRO
- Enable overflow-checks in Rust release profile

Rust backend:
- Return null (not panic) if Tokio runtime or QobuzClient init fails
- Strip null bytes in FFI JSON callback to prevent CString panics
- Document MD5 and password-in-query as Qobuz API constraints

C++ frontend:
- Validate JSON document before accessing fields in onEvent()
- Handle null backend pointer from failed init
- Set biography label to PlainText and decode HTML entities to prevent
  rendering injected content from API responses
- Clamp slider position and guard negative durations
- Use qint64 for duration formatting to avoid int truncation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
joren
2026-03-24 23:19:04 +01:00
parent eb5c151d3a
commit 5bda2396d1
8 changed files with 51 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/view/artistview.cpp
View File

@@ -133,15 +133,22 @@ void ArtistView::setArtist(const QJsonObject &artist)
// artist/page: name is {"display": "..."}
m_nameLabel->setText(artist["name"].toObject()["display"].toString());
// biography.content is HTML — strip tags for the summary label
// biography.content is HTML — strip tags for safe plain-text display
const QString bioHtml = artist["biography"].toObject()["content"].toString();
if (!bioHtml.isEmpty()) {
// Remove HTML tags for plain-text display
QString plain = bioHtml;
// Strip HTML entities and tags to prevent rendering injected content
plain.remove(QRegularExpression(QStringLiteral("<[^>]*>")));
plain.replace(QStringLiteral("&amp;"), QStringLiteral("&"));
plain.replace(QStringLiteral("&lt;"), QStringLiteral("<"));
plain.replace(QStringLiteral("&gt;"), QStringLiteral(">"));
plain.replace(QStringLiteral("&quot;"), QStringLiteral("\""));
plain.replace(QStringLiteral("&#39;"), QStringLiteral("'"));
plain.replace(QStringLiteral("&nbsp;"), QStringLiteral(" "));
plain = plain.trimmed();
m_bioLabel->setTextFormat(Qt::PlainText);
m_bioLabel->setText(plain);
m_bioLabel->setVisible(true);
m_bioLabel->setVisible(!plain.isEmpty());
} else {
m_bioLabel->setVisible(false);
}