From bffdb2ad09e1bcae63e8b19172ec961961181886 Mon Sep 17 00:00:00 2001 From: Eskil Abrahamsen Blomfeldt Date: Tue, 09 Dec 2025 07:39:32 +0100 Subject: [PATCH] VectorImage: Sanitize source string used in output Source string is used as object name in output, so we sanitize it to make sure it does not contain illegal characters. SVG already mandates a limited character set here, but rather than trust the parser we sanitize before passing to the generator like the Lottie visitor does. Fixes: QTBUG-142556 Change-Id: I0684e726ab69a0735dcb5f91369b090d58a90b7b Reviewed-by: Eirik Aavitsland (cherry picked from commit cfc3e783fed4e876c2c29d008b5ef43c547b16b7) Reviewed-by: Qt Cherry-pick Bot (cherry picked from commit ce82a78b0d10703f9b172f9afeb3d5e832e05074) (cherry picked from commit 1f35339b03fcb8787028e1301012a559328815fb) --- diff --git a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp index 1e09be0..ec3bb82 100644 --- a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp +++ b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp @@ -1043,9 +1043,27 @@ m_generator->generateRootNode(info); } +static QString scrub(const QString &raw) +{ + QString res(raw.left(80)); + + if (!res.isEmpty()) { + constexpr QLatin1StringView legalSymbols("_-.:"); // Only valid SVG id characters + qsizetype i = 0; + do { + if (res.at(i).isLetterOrNumber() || legalSymbols.contains(res.at(i))) + i++; + else + res.remove(i, 1); + } while (i < res.size()); + } + + return res; +} + void QSvgVisitorImpl::fillCommonNodeInfo(const QSvgNode *node, NodeInfo &info) { - info.nodeId = node->nodeId(); + info.nodeId = scrub(node->nodeId()); info.typeName = node->typeName(); info.isDefaultTransform = node->style().transform.isDefault(); info.transform = !info.isDefaultTransform ? node->style().transform->qtransform() : QTransform();