Security issues with the new "open external links" function in the chat window

[corrados]

In the pull request #592, the openExternalLinks is set to true for the QTextBrowser. This opens a wide range of security concerns. E.g., you could send something like: <a href="http://fraudulentsite.com">https://www.google.com/search?q=lyrics+sunshine+of+my+love</a> (see 18b1fca#r42649147).

We already discussed some security concerns in #360 and, e.g., #380 (comment) and #360 (comment).

[ann0see]

I would consider opening sites automatically without warning as dangerous.

What could be done: BB Code or Markdown support. This is much easier and less dangerous in my opinion.
The implementation would look like follows:

client sends markdown --> server sends markdown to all clients --> all clients use something like htmlspecialchars in php (see here) convert e.g. markdown to html.

For further (security) issues I just found https://www.codacy.com/product
I‘m not sure how it works, but it might be worth a try.

[corrados]

Some of the security issues should be solved now. I do not use the openExternalLinks of the QTextBrowser anymore but have implemented my own code for opening the URL in an external browser. That way I can make sure that only https links are opened and nothing else (e.g. no ftp, file, etc.).

[corrados]

So for the upcoming release I will implement the following:

So, when you click on a link, a message box opens which shows you the actual link and asks you if you really want to open the link.
I know this is not the optimal solution but it is better than nothing.

[ann0see]

Yeah. That’s much better.

[corrados]

Since we now have a dialog asking if the link should really be opened in an external browser and the actual link address is clearly shown, this issue can be closed now.