From 6fbc0986fa2d49a1cb65b60eca71c25c84842a54 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan" <laanwj@gmail.com>
Date: Tue, 6 Mar 2018 16:39:45 +0100
Subject: gui: Show messages as text not html

Currently, error messages (such as InitError) are displayed as-is, which
means Qt does auto detection on the format.

This means that it's possible to inject HTML from the command line
though e.g. specifying a wallet name with HTML in it. This isn't
a direct security risk because fetching content from internet is
disabled (and as far as I know we never report strings received
from the network this way). However, it can be confusing.

So explicitly force the format as text.
---
 src/qt/bitcoingui.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/qt/bitcoingui.cpp b/src/qt/bitcoingui.cpp
index 4e868b7c17..427eb95a84 100644
--- a/src/qt/bitcoingui.cpp
+++ b/src/qt/bitcoingui.cpp
@@ -923,6 +923,7 @@ void BitcoinGUI::message(const QString &title, const QString &message, unsigned
 
         showNormalIfMinimized();
         QMessageBox mBox(static_cast<QMessageBox::Icon>(nMBoxIcon), strTitle, message, buttons, this);
+        mBox.setTextFormat(Qt::PlainText);
         int r = mBox.exec();
         if (ret != nullptr)
             *ret = r == QMessageBox::Ok;
-- 
cgit v1.2.3