acw is now security-vulnerable because of how it shows Tor bootstrap messages. We must make sure acw won't aid in exploitation of the gateway.
If a Tor malfunction caused Tor to emit weird messages as bootstrap status, these would be displayed as-is during bootstrap, and Qt parses them for formatting.
Therefore we shouldn't show Tor bootstrap messages verbatim as Tor reports them. They need to be parsed and sanitized before being shown in the GUI. Only static messages should be shown. (It is possible to include sanitized variables, such as the bootstrap percentage reported by Tor, limited to at most three digits.)
This is a good chance to translate all bootstrap status messages by Tor into user understandable speech.
As a stopgap, do you think you could make it show only the percentage and no bootstrap messages from Tor (until these are properly parsed, sanitized and translated to static strings)?
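The following is an added example of the parsing described above; it is not acw's own code. It assumes acw receives bootstrap status as Tor control-port STATUS_CLIENT event lines of the form `650 STATUS_CLIENT NOTICE BOOTSTRAP PROGRESS=45 TAG=loading_descriptors SUMMARY="..."`. Tor's SUMMARY text is never displayed: the TAG is looked up in an allowlist (a subset of the tags from tor's control-spec) that maps to our own static strings, which is also where translation would hook in, and PROGRESS is accepted only as one to three digits in the range 0..100. Anything else falls back to a fixed message with no Tor-supplied data. The `percent_only` flag implements the stopgap of showing just the percentage.

```python
import re

# Allowlist of Tor bootstrap TAG values (a subset of those in tor's control-spec,
# assumed here) mapped to our own static strings. Tor's free-text SUMMARY is
# deliberately never used for display.
STATIC_MESSAGES = {
    "starting": "Starting Tor",
    "conn": "Connecting to the Tor network",
    "handshake": "Performing handshake with a Tor relay",
    "loading_status": "Loading network status",
    "loading_keys": "Loading authority keys",
    "loading_descriptors": "Loading relay descriptors",
    "enough_dirinfo": "Loaded enough directory info to build circuits",
    "circuit_create": "Establishing a Tor circuit",
    "done": "Connected to the Tor network",
}
FALLBACK_MESSAGE = "Bootstrapping Tor"

# Strict patterns: PROGRESS is 1-3 digits, TAG is a short lowercase identifier.
_PROGRESS_RE = re.compile(r"\bPROGRESS=(\d{1,3})\b")
_TAG_RE = re.compile(r"\bTAG=([a-z_]{1,32})\b")


def parse_bootstrap(line):
    """Parse one control-port STATUS_CLIENT line.

    Returns None if the line is not a BOOTSTRAP status event, otherwise
    (percent, message): percent is an int 0..100, or None if Tor's value was
    not a sane percentage; message is always one of our own static strings.
    """
    fields = line.split()
    if (len(fields) < 4 or fields[0] != "650"
            or fields[1] != "STATUS_CLIENT" or fields[3] != "BOOTSTRAP"):
        return None

    # Only look at the keyword fields that precede SUMMARY, so nothing inside
    # the free-text summary can masquerade as PROGRESS= or TAG=.
    head = line.split(" SUMMARY=", 1)[0]

    percent = None
    m = _PROGRESS_RE.search(head)
    if m:
        value = int(m.group(1))
        if 0 <= value <= 100:
            percent = value

    message = FALLBACK_MESSAGE
    m = _TAG_RE.search(head)
    if m:
        message = STATIC_MESSAGES.get(m.group(1), FALLBACK_MESSAGE)

    return percent, message


def render(parsed, percent_only=False):
    """Build the text shown in the GUI from parse_bootstrap()'s result.

    percent_only=True is the stopgap mode: only the validated percentage is
    shown, with the fixed fallback message if the percentage was unusable.
    """
    if parsed is None:
        return ""
    percent, message = parsed
    pct = f"{percent}%" if percent is not None else ""
    if percent_only:
        return pct or FALLBACK_MESSAGE
    return f"{pct} {message}".strip()


if __name__ == "__main__":
    # Constructed sample events: a normal one, and one with an out-of-range
    # percentage, an unknown tag and markup in the summary.
    samples = [
        '650 STATUS_CLIENT NOTICE BOOTSTRAP PROGRESS=45 TAG=loading_descriptors '
        'SUMMARY="Loading relay descriptors"',
        '650 STATUS_CLIENT WARN BOOTSTRAP PROGRESS=999 TAG=weird_tag '
        'SUMMARY="<b>odd</b>"',
        "650 CIRC 1 LAUNCHED",
    ]
    for s in samples:
        print(repr(render(parse_bootstrap(s))), repr(render(parse_bootstrap(s), percent_only=True)))
```

Because the display string is built only from our own constants plus a validated integer, nothing Tor sends can reach Qt's rich-text parser. As defence in depth, the QLabel that shows it can additionally be set to `setTextFormat(QtCore.Qt.PlainText)` so that Qt never auto-detects rich text in that widget.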