[Development] Requesting a break in behavior in QML Text element

[Rutledge Shawn]

On 29 Jan 2015, at 23:46, Olivier Goffart <olivier at woboq.com> wrote:

> On Thursday 29 January 2015 23:24:51 Robin Burchell wrote:
>> tl;dr: I'd like to request a behavior break in QML's Text element. I
>> would like to change the default value of Text::textFormat from
>> Text.AutoText to Text.PlainText.
> 
> Personally, that's what I am doing in the QML project I am working on
> (We had to develop our own set of component (it was started before QtQuick 
> controls), and the text component default to Test.PlainText)
> 
> Given the security implication, I do believe PlainText should be the default.
> 
> However, I think it's too much of a breaking change for anyone who has used 
> html tags on purpose and did not explicitly set the format.
> 
> Is it possible to do the change if we do
> import QtQuick 2.5
> That is, the default of textFormat changes depending on the number in the 
> import statement.

+1 to that.  If you update your import versions, you can expect some minor changes; and if you are editing the QML anyway, it implies that you are ready to take the time to re-test your application and make small fixes and improvements.

On 29 Jan 2015, at 23:24, Robin Burchell <robin+qt at viroteck.net> wrote:
> Seperately, we may want to look at a restriction on the loading of
> remote resources in Text. I can understand allowing remote URIs in
> Image, but Text seems like an unexpected behavior to me.

If we do that, there needs to be a way to override the restriction, maybe by adding a property to control whether loading of anything outside the QML is allowed.  It would IMO be OK to have this property false by default, since the majority of use cases don’t need it.

I can imagine that loading remote resources is a useful feature which some apps are relying on.  In fact, a single Text element is practically a web browser already, for certain limited purposes.  It's kindof cool to forego the need for a real web engine if you need only to display lightweight mid-90’s HTML.

I also think we should add a source URL property like Image has.  It’s unfortunate to need to rely on ugly hacks like this one http://rschroll.github.io/beru/2013/08/12/opening-a-file-in-qml.html just to be able to read a file.  And I/O should be more agnostic about local and remote resources, as long as the fact that you are doing I/O is explicit rather than unintended.

Sometimes you want network access to be really easy.  Other times you want to avoid security problems that come from unintentional network or filesystem access.  So we need to make it easy to go either direction, and enforce it consistently.