VectorImage: Sanitize source string used in output

Source string is used as object name in output, so we sanitize it to make sure it does not contain illegal characters. SVG already mandates a limited character set here, but rather than trust the parser we sanitize before passing to the generator like the Lottie visitor does. Fixes: QTBUG-142556 Pick-to: 6.8 6.10 6.11 Change-Id: I0684e726ab69a0735dcb5f91369b090d58a90b7b Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
author: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> 2025-12-09 07:39:32 +0100
committer: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io> 2025-12-09 08:40:42 +0000
commit: cfc3e783fed4e876c2c29d008b5ef43c547b16b7 (patch)
tree: 93ed767ab1456e90045fda1db5b8a62d2e8db3d4 /src
parent: f9e25bbbb4e99941e3a4fef0cb2e64c1b6451d12 (diff)
1 files changed, 22 insertions, 3 deletions
diff --git a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
index 32724a6e12..38f8bb4369 100644
--- a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+++ b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
@@ -1490,11 +1490,30 @@ void QSvgVisitorImpl::visitDocumentNodeEnd(const QSvgTinyDocument *node)
     m_generator->generateRootNode(info);
 }
 
+static QString scrub(const QString &raw)
+{
+    QString res(raw.left(80));
+
+    if (!res.isEmpty()) {
+        constexpr QLatin1StringView legalSymbols("_-.:"); // Only valid SVG id characters
+        qsizetype i = 0;
+        do {
+            if (res.at(i).isLetterOrNumber() || legalSymbols.contains(res.at(i)))
+                i++;
+            else
+                res.remove(i, 1);
+        } while (i < res.size());
+    }
+
+    return res;
+}
+
 void QSvgVisitorImpl::fillCommonNodeInfo(const QSvgNode *node, NodeInfo &info, const QString &idSuffix)
 {
-    const QString key = node->nodeId().isEmpty()
+    const QString nodeId = scrub(node->nodeId());
+    const QString key = nodeId.isEmpty()
                             ? QString::number(quintptr(node), 16)
-                            : node->nodeId();
+                            : nodeId;
     info.id = m_idForNodeId.value(key);
     if (info.id.isEmpty()) {
         info.id = nextNodeId();
@@ -1507,7 +1526,7 @@ void QSvgVisitorImpl::fillCommonNodeInfo(const QSvgNode *node, NodeInfo &info, c
     if (!m_linkSuffix.isEmpty())
         info.id += m_linkSuffix;
 
-    info.nodeId = node->nodeId();
+    info.nodeId = nodeId;
     info.typeName = node->typeName();
     info.isDefaultTransform = node->style().transform.isDefault();
author	Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>	2025-12-09 07:39:32 +0100
committer	Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>	2025-12-09 08:40:42 +0000
commit	cfc3e783fed4e876c2c29d008b5ef43c547b16b7 (patch)
tree	93ed767ab1456e90045fda1db5b8a62d2e8db3d4 /src
parent	f9e25bbbb4e99941e3a4fef0cb2e64c1b6451d12 (diff)