CODEBROWSER

KDAB|Training

Expertise

Trusted Software Excellence across Desktop and Embedded

Take a glance at the areas of expertise where KDAB excels ranging from swift troubleshooting, ongoing consulting and training to multi-year, large-scale software development projects.

Find out why customers from innovative industries rely on our extensive expertise, including Medical, Biotech, Science, Renewable Energy, Transportation, Mobility, Aviation, Automation, Electronics, Agriculture and Defense.

Embedded Devices Embedded Devices

High-quality Embedded Engineering across the Stack

To successfully develop an embedded device that meets your expectations regarding quality, budget and time to market, all parts of the project need to fit perfectly together.

Learn more about KDAB's expertise in embedded software development.

Read More

Cross-platform Desktop Cross-platform Desktop

Create complex Applications for the Desktop

Where the capabilities of modern mobile devices or web browsers fall short, KDAB engineers help you expertly architect and build high-functioning desktop and workstation applications.

Read More

Medical Medical

Extensible, Safety-compliant Software for the Medical Sector

Create intelligent, patient-focused medical software and devices and stay ahead with technology that adapts to your needs.

KDAB offers you expertise in developing a broad spectrum of clinical and home-healthcare devices, including but not limited to, internal imaging systems, robotic surgery devices, ventilators and non-invasive monitoring systems.

Read More

Vehicle Dashboards Vehicle Dashboards

Fluid animations and gesture-controlled UIs

Building digital dashboards and cockpits with fluid animations and gesture-controlled touchscreens is a big challenge.

In over two decades of developing intricate UI solutions for cars, trucks, tractors, scooters, ships, airplanes and more, the KDAB team has gained market leading expertise in this realm.

Read More

Custom Industrial HMI Custom Industrial HMI

Build on Advanced Expertise when creating Modern UIs

KDAB assists you in the creation of user-friendly interfaces designed specifically for industrial process control, manufacturing, and fabrication.

Our specialties encompass the custom design and development of HMIs, enabling product accessibility from embedded systems, remote desktops, and mobile devices on the move.

Read More

Modernizing Legacy Software Modernizing Legacy Software

Reduce Technical Debt

Legacy software is a growing but often ignored problem across all industries. KDAB helps you elevate your aging code base to meet the dynamic needs of the future.

Whether you want to migrate from an old to a modern GUI toolkit, update to a more recent version, or modernize your code base, you can rely on over 25 years of modernization experience.

Read More

Services

Software Consulting, Development and Training

KDAB offers a wide range of services to address your software needs including consulting, development, workshops and training tailored to your requirements.

Our expertise spans cross-platform desktop, embedded and 3D application development, using the proven technologies for the job.

Software Consulting Software Consulting

Guidance for your Software Project across the Stack

Get expert advice on any phase of your project's journey, from inception to execution, across multiple platforms and hardware.

KDAB provides guidance on architectural approach, UI strategy, development tooling, test infrastructure, deployment model, runtime execution and more.

Read More

Code Modernization

UI Modernization

CI/CD

Performance optimization

Software Architecture

Migration from legacy frameworks

Qt Services Qt Services

Expert Qt Solutions for Your Needs

When working with KDAB, the first-ever Qt consultancy, you benefit from a deep understanding of Qt internals, that allows us to provide effective solutions, irrespective of the depth or scale of your Qt project.

Qt Services include developing applications, building runtimes, mixing native and web technologies, solving performance issues, and porting problems.

Read More

Qt 5 to Qt 6 Migration Services

Embedded Development Embedded Development

Build rich embedded applications for your embedded UI

Turn your vision into reality and unleash the potential of your embedded development projects.

KDAB helps you navigate the complex landscape of embedded development, ensuring your software performs optimally on your chosen hardware.

Read More

Cross-platform Development Cross-platform Development

Get help with all Aspects of Desktop Applications

KDAB helps create commercial, scientific or industrial desktop applications from scratch, or update its code or framework to benefit from modern features.

Discover clean, efficient solutions that precisely meet your requirements.

Read More

3D Software 3D Software

Simplify the complexity of 3D

Creating 3D applications can be overwhelming due to terminology, visual concepts, and advanced math.

KDAB simplifies this task, providing you with the best solution for your 3D project, easing complexities and maximizing efficiency.

Read More

OpenGL Expert Services

Vulkan

Developer Training Developer Training

Professional Developer Training Courses

Boost your team's programming skills with in-depth, constantly updated, hands-on training courses delivered by active software engineers who love to teach and share their knowledge.

Our courses cover Modern C++, Qt/QML, Rust, 3D programming, Debugging, Profiling and more.

Read More

Technologies

Make the right Technology Choices

The collective expertise of KDAB's engineering team is at your disposal to help you choose the software stack for your project or master domain-specific challenges.

Our particular focus is on software technologies you use for cross-platform applications or for embedded devices.

Qt / QML Qt / QML

Leading Qt Expertise

Since 1999, KDAB has been the largest independent Qt consultancy worldwide and today is a Qt Platinum partner. Our experts can help you with any aspect of software development with Qt and QML.

Read More

Modern C++ Modern C++

Deep understanding of Modern C++

KDAB specializes in Modern C++ development, with a focus on desktop applications, GUI, embedded software, and operating systems.

Our experts are industry-recognized contributors and trainers, leveraging C++'s power and relevance across these domains to deliver high-quality software solutions.

Read More

Rust Rust

Integrate Rust into your application

KDAB can guide you incorporating Rust into your project, from as overlapping element to your existing C++ codebase to a complete replacement of your legacy code.

Read More

How to build Hybrid Rust and C++ Applications

Memory-Safety Roadmap for Secure Programming

Platforms Platforms

Unique Expertise for Desktop and Embedded Platforms

Whether you are using Linux, Windows, MacOS, Android, iOS or real-time OS, KDAB helps you create performance optimized applications on your preferred platform.

Read More

Windows

MacOS/iOS

QNX

Unix / X11 (Motif)

Android

Web Engines

Linux

Embedded Linux

Slint Slint

A lightweight GUI toolkit

If you are planning to create projects with Slint, a lightweight alternative to standard GUI frameworks especially on low-end hardware, you can rely on the expertise of KDAB being one of the earliest adopters and official service partner of Slint.

Read More

Flutter Flutter

Flutter for Embedded and Desktop

KDAB has deep expertise in embedded systems, which coupled with Flutter proficiency, allows us to provide comprehensive support throughout the software development lifecycle.

Our engineers are constantly contributing to the Flutter ecosystem, for example by developing flutter-pi, one of the most used embedders.

Read More

3D / OpenGL / Vulkan 3D / OpenGL / Vulkan

Cutting-edge 3D / XR

Incorporating 3D into 2D UIs or creating compelling XR experiences can be challenging.

Create visually stunning, ultra-realistic 3D graphics, dynamic 2D user interfaces, or leveraging the power of hardware-accelerated computation.

The 3D experts at KDAB bring incisive know-how for your project.

Read More

Qt 3D

Vulkan – next generation graphics & compute

OpenGL expert services

Developer Tools Developer Tools

Developer Tools from KDAB

The right tools and libraries can skyrocket developers' productivity.

Take advantage of KDAB's popular open source tools for tasks including profiling, debugging and continuous integration (CI).

Read More

GammaRay

KD Reports

KD Chart

Hotspot

KD SOAP

KDDockWidgets

KDAB Labs KDAB Labs

Research & Development at KDAB

KDAB invests significant time in exploring new software technologies to maintain its position as software authority. Benefit from this research and incorporate it eventually into your own project.

Read More

KDGpu

Resources

Start here to browse information on the KDAB website(s) and take advantage of useful developer resources like blogs, publications and videos about Qt, C++, Rust, 3D technologies like OpenGL and Vulkan, the KDAB developer tools and more.

Blogs Blogs

KDAB engineers and designers constantly share cutting-edge technology insights with regard to Qt, QML, C++, Rust, Linux, Vulkan, OpenGL, Qt 3D, scalable UIs and more topics.

Stay up-to-date and be inspired with their blogs.

Read More

Events Events

Get a quick overview of events relevant to the software industry and with involvment of KDAB, be it as speakers, sponsors, exhibitors or organizer.

Take the opportunity to reach out to our experts directly. See you there!

Read More

Publications Publications

KDAB regularly publishes in-depth papers, brochures and other material on topics relevant to software developers and desicion makers.

Have a look at the list of KDAB publictions.

Read More

Videos Videos

The KDAB Youtube channel has become a go-to source for developers looking for high-quality tutorial and information material around software development with Qt/QML, C++, Rust and other technologies.

Click to navigate the all KDAB videos directly on this website.

Read More

Why KDAB

A software supplier you can rely on

In over 25 years KDAB has served hundreds of customers from various industries, many of them having become long-term customers who value our unique expertise and dedication.

Learn more about KDAB as a company, understand why we are considered a trusted partner by many and explore project examples in which we have proven to be the right supplier.

About KDAB About KDAB

Committed, compassionate, trustworthy

The KDAB Group is a globally recognized provider for software consulting, development and training, specializing in embedded devices and complex cross-platform desktop applications.

Read more about the history, the values, the team and the founder of the company.

Read More

Proven Excellence Proven Excellence

Customer Success Stories

When working with KDAB you can expect quality software and the desired business outcomes thanks to decades of experience gathered in hundreds of projects of different sizes in various industries.

Have a look at selected examples where KDAB has helped customers to succeed with their projects.

Read More

Trusted Partner Trusted Partner

Benefit from a strong partner network

Lasting relationships reduce frictions in software development projects and help to guarantee success.

Benefit from the established relationships KDAB has with well-selected hardware suppliers and specialized domain experts.

Read More

Software Excellence for Texas Instruments

Better Software Better Software

Constantly improving Software Quality

KDAB is committed to developing high-quality and high-performance software, and helping other developers deliver to the same high standards.

We create software with pride to improve your engineering and your business, making your products more resilient and maintainable with better performance.

Read More

ISO 9001 ISO 9001

ISO 9001 certified software services

KDAB has been the first certified Qt consulting and software development company in the world, and continues to deliver quality processes that meet or exceed the highest expectations.

Read More

Working at KDAB Working at KDAB

Looking for a new challenge?

In KDAB we value practical software development experience and skills higher than academic degrees. We strive to ensure equal treatment of all our employees regardless of age, ethnicity, gender, sexual orientation, nationality.

Interested? Read more about working at KDAB and how to apply for a job in software engineering or business administration.

Read More

Contact

Search

Better_Software_Header_Mobile Better_Software_Header_Web

Find what you need - explore our website and developer resources

Anchoring Qt Quick Components Instantiated with JSON

Factory Design Techniques - Parts 3 and 4

4 comments

Javier Cordero

20 June 2024

Advanced Search

Tags

qmlqtux/ui

You've reached the third and final entry of the Instantiating arbitrary Qt Quick components with JSON series. Part 1 and Part 2 can be found at their respective links.

The first part focuses on the software design pattern used to dynamically instantiate components. The second one shows how to layout these dynamic components by incorporating QML' s positioning and layout APIs.

Part 3: Anchors and the Dangers of Remote Code Execution

On the last entry I wrote about:

  • Coordinate positioning
  • Item positioners
  • Qt Quick Layouts

Now there's:

  • Anchors

Unfortunately for us, this is were the QML Engine becomes a limiting factor. Items in QML, instantiate QObjects. Every QObject in Qt contains an ID. We can set that ID from QML the moment we instantiate our component, like so:

Item {
    id: myID
}

Nevertheless, id is not a normal QML property. In fact it is no property at all. As a result, we're unable to set an id after instantiation. Since neither Repeater or Instantiator allows us to set individual IDs during object creation, we have no means for naming our instantiated components, and therefore we cannot refer to them from other components. This limits our ability to anchor components to siblings that come from the repeater. We can only anchor to the parent and to siblings defined traditionally from the QML document.

With this in mind, let's see how far can we take the use of anchors in our components factory.

But first, a quick reminder... Qt provides us with two syntaxes for using anchors, an object syntax and a shorthand for its individual properties:

anchors.left: parent.right
anchors: {
    left: parent.right
}

To keep things simple, I make use of the longer syntax in our model:

// This model lays out buttons vertically
property var factoryModel: [
    {
        "component": "RowLayout"
        "anchors": {
            "fill": "parent"
        }
        "children": [
            {
               "component": "Button"
               "text": "Button 1"
            },
            {
               "component": "Button"
               "text": "Button 2"
            }
        ]
    }
]

Let's start by implementing fill: parent. If we were to assign the string from our model, which says "parent", to our instantiator, the assignment would fail because we cannot assign a string where an object id is expected.

// This would fail...
instantiator.anchors.fill = modelData.anchors.fill;

// because it evaluates to this:
instantiator.anchors.fill = "parent";

Instead, we must parse the value from our model into valid JavaScript, and for that we use Javascript's eval function. Calling eval will return whichever value the JS expression inside the string evaluates to. Here "parent" will point to the parent property relative to the context where eval is run. For the purposes of anchoring, this is fine.

Our code now looks like:

if (typeof(modelData.anchors.fill) === "string")
    instantiator.anchors.fill = eval("instantiator."
                                     + modelData.anchors.fill);

There's a couple of issues:

  • Qt Creator's annotator suggests not to use eval. You may ask: Why is this? Because eval treats the string from our model as a JavaScript expression. Nothing prevents a malicious actor from injecting JS code into that string that could attach a payload to our app to our app to later perform a remote code execution attack. A malicious actor might write something like:
"parent;this.onPressed=function(){/*arbitrary_code_goes_here*/};"  // Note that I don't know if this example really works

This takes care of the parent assignment, then overrides the contents of onPressed with a function that runs arbitrary code for the user to unsuspectingly execute. This is why every respectable linter and static analyzer for JavaScript will warn you not to use eval or any of its equivalent methods; in order to prevent remote code execution.

  • If security is not a big enough concern for you, eval cannot be parsed by the new JavaScript compilers introduced with Qt 6. The compiler will error out saying:

error: The use of eval() or the use of the arguments object in signal handlers is not supported when compiling qml files ahead of time. That is because it's ambiguous if any signal parameter is called "arguments". Similarly the string passed to eval might use "arguments". Unfortunately we cannot distinguish between it being a parameter or the JavaScript arguments object at this point.

Part 4: Defeat Remote Code Execution by Sanitizing Inputs

My preferred way to sanitize inputs is using Regular Expressions. We want to guarantee the strings from our models evaluate to a valid anchor name.

Valid anchor names include:

  • parent
  • idName.top
  • idName.right
  • idName.bottom
  • idName.left
  • idName.baseline
  • idName.verticalCenter
  • idName.horizontalCenter

Here's a RegEx I wrote that covers all anchors:

const anchorsRegex =
/[a-z_][a-zA-Z_0-9]*(\.(top|right|bottom|left|baseline|(vertical|horizontal)Center))?/;

We can use it to sanitize anchor inputs from the model, like so:

anchorsRegex.test(modelData.anchors.fill))

The key is to remove all characters that could be used to execute malicious content. If one of such characters must be present, then we make sure its uses are restricted, as we've seen here.

Here's what my final code for attaching anchors looks like:

Component {
  id: loaderComp
  Loader {
    id: instantiator
    // ...
    onItemChanged: {
  // Anchor properties
  if (typeof(modelData.anchors) === "object") {
    // Regex for validating id and id.validAnchorline
    const anchorsRegex = /[a-z_][a-zA-Z_0-9]*(\.(top|right|bottom|left|baseline|(vertical|horizontal)Center))?/;
    // Before attempting to assign,
    // check that properties are present in object
    // and that model attributes aren't undefined.
    if ((typeof(modelData.anchors.fill) === "string")
      && anchorsRegex.test(modelData.anchors.fill)) {
      instantiator.anchors.fill = eval("instantiator."
                                         + modelData.anchors.fill);
    }
    else if ((typeof(modelData.anchors.centerIn) === "string")
      && anchorsRegex.test(modelData.anchors.centerIn)) {
      instantiator.anchors.centerIn = eval("instantiator."
                                         + modelData.anchors.centerIn);
    }
    else {
      if ((typeof(modelData.anchors.left) === "string")
        && anchorsRegex.test(modelData.anchors.left)) {
        instantiator.anchors.left = eval("instantiator."
                                         + modelData.anchors.left);
        item.anchors.left = item.parent.anchors.left;
      }
      if ((typeof(modelData.anchors.right) === "string")
        && anchorsRegex.test(modelData.anchors.right)) {
        instantiator.anchors.right = eval("instantiator."
                                         + modelData.anchors.right);
        item.anchors.right = item.parent.anchors.right;
      }
      if ((typeof(modelData.anchors.baseline) === "string")
        && anchorsRegex.test(modelData.anchors.baseline)) {
        instantiator.anchors.baseline = eval("instantiator."
                                         + modelData.anchors.baseline);
        item.anchors.top = item.parent.anchors.top;
      }
      else {
        if ((typeof(modelData.anchors.top) === "string")
          && anchorsRegex.test(modelData.anchors.top)) {
          instantiator.anchors.top = eval("instantiator."
                                         + modelData.anchors.top);
          item.anchors.top = item.parent.anchors.top;
        }
        if ((typeof(modelData.anchors.bottom) === "string")
          && anchorsRegex.test(modelData.anchors.bottom)) {
          instantiator.anchors.bottom = eval("instantiator."
                                         + modelData.anchors.bottom);
          item.anchors.bottom = item.parent.anchors.bottom;
        }
      }
    }
    // ...

Like with Layouts, we attach our anchors to the instantiator, and not just the item. The item must attach itself to the instantiator where applicable.

Then take care of the rest of the anchor's properties like so:

// ...
        // Anchor number properties
if (typeof(modelData.anchors.margins) !== "undefined")
  instantiator.anchors.margins = Number(modelData.anchors.margins);
if (typeof(modelData.anchors.leftMargin) !== "undefined")
  instantiator.anchors.leftMargin = Number(modelData.anchors.leftMargin);
if (typeof(modelData.anchors.rightMargin) !== "undefined")
  instantiator.anchors.rightMargin = Number(modelData.anchors.rightMargin);
if (typeof(modelData.anchors.topMargin) !== "undefined")
  instantiator.anchors.topMargin = Number(modelData.anchors.topMargin);
if (typeof(modelData.anchors.bottomMargin) !== "undefined")
  instantiator.anchors.bottomMargin = Number(modelData.anchors.bottomMargin);
if (typeof(modelData.anchors.horizontalCenterOffset) !== "undefined")
  instantiator.anchors.horizontalCenterOffset = Number(modelData.anchors.horizontalCenterOffset);
if (typeof(modelData.anchors.verticalCenterOffset) !== "undefined")
  instantiator.anchors.verticalCenterOffset = Number(modelData.anchors.verticalCenterOffset);
if (typeof(modelData.anchors.baselineOffset) !== "undefined")
  instantiator.anchors.baselineOffset = Number(modelData.anchors.baselineOffset);
      }
    }
  }
}

As you can see, we nullify the dangers of eval by sanitizing our inputs properly. This doesn't fix our inability to anchor to sibling components or our inability to pre-compile the QML, but we can use this tool to refer to other items in the QML tree. The tree itself may come from a document loaded from a remote location, using a Loader.

Running any remote document in our QML code would also open the doors to arbitrary code execution attacks. We may not be able to sanitize an entire QML document like we can sanitize for individual properties, therefore you should only allow QML and JS file downloads from a trusted source, and always use an encrypted connection to prevent a targeted attack. Self-signed certificates are better than no certificate. Without encryption, a malicious actor could intercept the traffic and alter our code while it's on its way.

This has been the last entry in this series. Thanks to Jan Marker for his time reviewing my code. I hope you've learned something from it. I personally enjoyed looking back at Part I the most, because the technique shown there has more real world applications.

Reference

  • Learn how to write Regular Expressions by playing with the editor and cheat sheet at https://regexr.com/
    The more precise you learn to make your definitions, while attempting to keep them small, the better you'll get at writing them.

Tags:

qmlqtux/ui

About KDAB

The KDAB Group is a globally recognized provider for software consulting, development and training, specializing in embedded devices and complex cross-platform desktop applications. In addition to being leading experts in Qt, C++ and 3D technologies for over two decades, KDAB provides deep expertise across the stack, including Linux, Rust and modern UI frameworks. With 100+ employees from 20 countries and offices in Sweden, Germany, USA, France and UK, we serve clients around the world.

4 Comments

20 - Jun - 2024

Grecko

Hello,

Interesting project, is the final code available somewhere? I'd like to play with it.

You wrote that valid anchor names includes idName. but also mention that "we cannot refer to [our instantiated components] from other components". Does your eval logic works with anything other than parent as the id then? I feel like this could be done without eval and adding for loops would simplify the code.

27 - Jun - 2024

Javier Cordero

Hi Grecko,

Interesting project, is the final code available somewhere? I’d like to play with it.

I would rather not host the full code because I worry that would legitimize it. The techniques I focused on during the conclusion of each blog post are good things on their own, but people should steer away from using tree models to instantiate arbitrary Components from QML, as that would produce code that's difficult to maintain and develop on top of. It also goes in a direction contrary to The Qt Company's efforts in making QML compilers.

Having said that, I made sure one could re-create a working project only by copy-pasting code from each of the blog entries. So, you should be able to get a working project by reading carefully and copy-pasting the right snippets.

You wrote that valid anchor names includes idName. but also mention that “we cannot refer to [our instantiated components] from other components”. Does your eval logic works with anything other than parent as the id then?

The eval logic will work with any id that can be accessed from directly inside of the instantiator component, because "instantiator." is a prefix in all of the calls to eval. The prefix is only there because anchors in QML have a limitation: they will only work with components that are adjacent to them or with the parent, but we cannot anchor to the parent's parent, the root element, or to the child of a sibling. Meaning you could forgo the prefix in other uses.

Now, the reason I said “we cannot refer to [our instantiated components] from other components” is unrelated to that. The components from the model are being instantiated via an instantiator. Both instantiators and Repeaters will not allow us to set ids to their components. Defining a property and calling it id won't do because ids are not properties. Since we can't and therefore don't give the components an id, "we cannot refer to [our instantiated components] from other components".

I feel like this could be done without eval and adding for loops would simplify the code.

You're absolutely right about using for loops to simplify or shorten the code. Nevertheless, eval would still be needed for the anchors because ids are different from properties.

1 - Jul - 2024

Grecko

The eval logic will work with any id that can be accessed from directly inside of the instantiator component, because “instantiator.” is a prefix in all of the calls to eval. The prefix is only there because anchors in QML have a limitation: they will only work with components that are adjacent to them or with the parent.

So here we can only anchors to the parent and not the siblings since we can't set an id to the siblings. In pseudo JS it could be done like this:

for (let [key, value] in modelData.anchors) {
     if (key in ["fill", "centerIn"] && value === "parent") 
         instantiator[key] = instantiator.parent;
     const anchorLines = ["left", "right", "top", "bottom", "baseline" ];
     if (key in anchorLines) {
         let [item, line, excess] = value.split('.');
         if (item === "parent" && line in anchorLines && excess === undefined)
             instantiator[key] = instantiator.parent[line];
      }
      if (key in ["margins", "leftMargin", ...] && typeof value === "Number")
          instantiator[key] = value;
}

No need for an eval here because we always anchors to parent. In your code you do : instantiator.anchors.centerIn = eval("instantiator." + modelData.anchors.centerIn) but modelData.anchors.centerIn would always be "parent" unless I'm mistaken.

1 - Jul - 2024

Javier Cordero

Nice strategy. Given the value would always be parent, we could get rid of eval that way. I stand corrected.

I have read and agree to the privacy policy.

KDAB is committed to ensuring that your privacy is protected.

  • Only the above data is collected about you when you fill out this form.
  • The data will be stored securely.
  • If you wish for us to erase it, email us at info@kdab.com.

For more information about our Privacy Policy, please read our privacy policy.
JavierPérez

Javier Cordero

Software Engineer

Javier Cordero is a Software Engineer at KDAB

Related Content

Integrate QML Window's Background with the System's Color Palette

For a Correct Background Color When Resizing

Laying Out Components with Qt Quick and JSON

Factory Design Techniques - Part 2

Recursive Instantiation with Qt Quick and JSON

Factory Design Techniques - Part 1

Join KDAB Training Day 2025 in Munich

Choose between learning advanced QML programming, Modern C++, integrating Rust and Qt or 3d rendering with Vulkan. The KDAB Training Day 2025 will take place in Munich on the 8th of May, right after the Qt World Summit on 6th to 7th of May.

Learn more

Sign up for the KDAB Newsletter

Stay on top of the latest news, publications, events and more.

Go to Sign-up