Don't double HTML escape JavaScript messages

See https://bugreports.qt.io/browse/QTBUG-66104

3 files changed, 19 insertions, 9 deletions

diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc
index 26294d7ca..5bb2a3818 100644
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@@ -116,6 +116,7 @@ Fixed
   * Fixed hangs/segfaults on exit with Qt 5.10.1.
   * Fixed favicons sometimes getting cleared with Qt 5.10.
   * Qt download objects are now cleaned up properly when a download is removed.
+  * JavaScript messages are now not double-HTML escaped anymore on Qt < 5.11
 - QtWebKit bugfixes:
   * Fixed GreaseMonkey-related crashes.
   * `:view-source` now displays a valid URL.
diff --git a/qutebrowser/browser/shared.py b/qutebrowser/browser/shared.py
index d82b741e5..238fdc1cc 100644
--- a/qutebrowser/browser/shared.py
+++ b/qutebrowser/browser/shared.py
@@ -74,14 +74,15 @@ def authentication_required(url, authenticator, abort_on):
     return answer
 
 
-def javascript_confirm(url, js_msg, abort_on):
+def javascript_confirm(url, js_msg, abort_on, *, escape_msg=True):
     """Display a javascript confirm prompt."""
     log.js.debug("confirm: {}".format(js_msg))
     if config.val.content.javascript.modal_dialog:
         raise CallSuper
 
+    js_msg = html.escape(js_msg) if escape_msg else js_msg
     msg = 'From <b>{}</b>:<br/>{}'.format(html.escape(url.toDisplayString()),
-                                          html.escape(js_msg))
+                                          js_msg)
     urlstr = url.toString(QUrl.RemovePassword | QUrl.FullyEncoded)
     ans = message.ask('Javascript confirm', msg,
                       mode=usertypes.PromptMode.yesno,
@@ -89,7 +90,7 @@ def javascript_confirm(url, js_msg, abort_on):
     return bool(ans)
 
 
-def javascript_prompt(url, js_msg, default, abort_on):
+def javascript_prompt(url, js_msg, default, abort_on, *, escape_msg=True):
     """Display a javascript prompt."""
     log.js.debug("prompt: {}".format(js_msg))
     if config.val.content.javascript.modal_dialog:
@@ -97,8 +98,9 @@ def javascript_prompt(url, js_msg, default, abort_on):
     if not config.val.content.javascript.prompt:
         return (False, "")
 
+    js_msg = html.escape(js_msg) if escape_msg else js_msg
     msg = '<b>{}</b> asks:<br/>{}'.format(html.escape(url.toDisplayString()),
-                                          html.escape(js_msg))
+                                          js_msg)
     urlstr = url.toString(QUrl.RemovePassword | QUrl.FullyEncoded)
     answer = message.ask('Javascript prompt', msg,
                          mode=usertypes.PromptMode.text,
@@ -111,7 +113,7 @@ def javascript_prompt(url, js_msg, default, abort_on):
         return (True, answer)
 
 
-def javascript_alert(url, js_msg, abort_on):
+def javascript_alert(url, js_msg, abort_on, *, escape_msg=True):
     """Display a javascript alert."""
     log.js.debug("alert: {}".format(js_msg))
     if config.val.content.javascript.modal_dialog:
@@ -120,8 +122,9 @@ def javascript_alert(url, js_msg, abort_on):
     if not config.val.content.javascript.alert:
         return
 
+    js_msg = html.escape(js_msg) if escape_msg else js_msg
     msg = 'From <b>{}</b>:<br/>{}'.format(html.escape(url.toDisplayString()),
-                                          html.escape(js_msg))
+                                          js_msg)
     urlstr = url.toString(QUrl.RemovePassword | QUrl.FullyEncoded)
     message.ask('Javascript alert', msg, mode=usertypes.PromptMode.alert,
                 abort_on=abort_on, url=urlstr)
diff --git a/qutebrowser/browser/webengine/webview.py b/qutebrowser/browser/webengine/webview.py
index 91c5bfab6..1e8c442fc 100644
--- a/qutebrowser/browser/webengine/webview.py
+++ b/qutebrowser/browser/webengine/webview.py
@@ -243,10 +243,12 @@ class WebEnginePage(QWebEnginePage):
         """Override javaScriptConfirm to use qutebrowser prompts."""
         if self._is_shutting_down:
             return False
+        escape_msg = qtutils.version_check('5.11')  # QTBUG-66104
         try:
             return shared.javascript_confirm(url, js_msg,
                                              abort_on=[self.loadStarted,
-                                                       self.shutting_down])
+                                                       self.shutting_down],
+                                             escape_msg=escape_msg)
         except shared.CallSuper:
             return super().javaScriptConfirm(url, js_msg)
 
@@ -256,12 +258,14 @@ class WebEnginePage(QWebEnginePage):
         # https://www.riverbankcomputing.com/pipermail/pyqt/2016-November/038293.html
         def javaScriptPrompt(self, url, js_msg, default):
             """Override javaScriptPrompt to use qutebrowser prompts."""
+            escape_msg = qtutils.version_check('5.11')  # QTBUG-66104
             if self._is_shutting_down:
                 return (False, "")
             try:
                 return shared.javascript_prompt(url, js_msg, default,
                                                 abort_on=[self.loadStarted,
-                                                          self.shutting_down])
+                                                          self.shutting_down],
+                                                escape_msg=escape_msg)
             except shared.CallSuper:
                 return super().javaScriptPrompt(url, js_msg, default)
 
@@ -269,10 +273,12 @@ class WebEnginePage(QWebEnginePage):
         """Override javaScriptAlert to use qutebrowser prompts."""
         if self._is_shutting_down:
             return
+        escape_msg = qtutils.version_check('5.11')  # QTBUG-66104
         try:
             shared.javascript_alert(url, js_msg,
                                     abort_on=[self.loadStarted,
-                                              self.shutting_down])
+                                              self.shutting_down],
+                                    escape_msg=escape_msg)
         except shared.CallSuper:
             super().javaScriptAlert(url, js_msg)