Security issues with the new "open external links" function in the chat window

In the pull request https://github.com/corrados/jamulus/pull/592, the openExternalLinks is set to true for the QTextBrowser. This opens a wide range of security concerns. E.g., you could send something like: `<a href="http://fraudulentsite.com">https://www.google.com/search?q=lyrics+sunshine+of+my+love</a>` (see https://github.com/corrados/jamulus/commit/18b1fcab57e178770bab19fe40bab5b94a6fb509#r42649147).

We already discussed some security concerns in https://github.com/corrados/jamulus/issues/360 and, e.g., https://github.com/corrados/jamulus/pull/380#issuecomment-647042975 and https://github.com/corrados/jamulus/issues/360#issuecomment-652938350.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security issues with the new "open external links" function in the chat window #620

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security issues with the new "open external links" function in the chat window #620

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions