Hi guys, I also posted this on github here: https://github.com/Bitcoin-ABC/bitcoin-abc/issues/332
And also alerted core to this here: https://github.com/bitcoin/bitcoin/issues/16154
The issue is this code:
Which ends up generating a user-facing string in a message box in Qt which comes from an untrusted source (read: a server's error response).
This is a potential phishing attack surface.
It's a tiny attack surface and very unlikely due to the way Payment Requests work -- just probably not the best idea to show untrusted strings in the UI.
Thanks so much,
-Calin
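As an added illustration (not code from Bitcoin ABC, Bitcoin Core, or the post's author) of the mitigation the post hints at, the snippet below shows one way to render a server-supplied error string safely instead of passing it straight to a message box. It uses plain std::string so it runs without Qt; in a real Qt build the same steps map onto QString (Qt has QString::toHtmlEscaped for the escaping step, and QMessageBox's default Qt::AutoText format is exactly why unescaped text matters). All function names, the length limit and the sample server string are assumptions made up for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Maximum number of bytes of server-supplied text we are willing to show
// (assumed value for this example).
const std::size_t kMaxServerTextLen = 120;

// Escape the characters that would let a server string be interpreted as rich
// text. Qt widgets in Qt::AutoText mode render anything that looks like HTML
// as markup, so a server could otherwise style or hyperlink its own message.
std::string escapeHtml(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default:  out += c;
        }
    }
    return out;
}

// Replace control characters (newlines, tabs, escape sequences) with a single
// space and collapse whitespace runs, so the server cannot fake multi-line
// dialog layout or smuggle terminal/log escape sequences through the UI.
std::string flattenControlChars(const std::string& in) {
    std::string out;
    bool lastWasSpace = false;
    for (unsigned char c : in) {
        bool isSpace = (c < 0x20) || c == 0x7f || c == ' ';
        if (isSpace) {
            if (!lastWasSpace && !out.empty()) out += ' ';
            lastWasSpace = true;
        } else {
            out += static_cast<char>(c);
            lastWasSpace = false;
        }
    }
    if (!out.empty() && out.back() == ' ') out.pop_back();
    return out;
}

// Truncate to at most maxBytes without splitting a multi-byte UTF-8 sequence.
std::string truncateUtf8(const std::string& in, std::size_t maxBytes) {
    if (in.size() <= maxBytes) return in;
    std::size_t cut = maxBytes;
    while (cut > 0 && (static_cast<unsigned char>(in[cut]) & 0xC0) == 0x80) --cut;
    return in.substr(0, cut) + "...";
}

// Build the text for the dialog. The wrapper sentences are fixed wallet text;
// the server's text is flattened, truncated, escaped and explicitly attributed
// so it cannot masquerade as an instruction from the wallet itself.
std::string buildPaymentErrorMessage(const std::string& untrustedServerText) {
    std::string cleaned = escapeHtml(
        truncateUtf8(flattenControlChars(untrustedServerText), kMaxServerTextLen));
    if (cleaned.empty()) {
        return "Payment request failed. The merchant server returned an error.";
    }
    return "Payment request failed. The merchant server returned the following "
           "error text (this text comes from the server, not from the wallet): \""
           + cleaned + "\"";
}

int main() {
    // Constructed sample of what a hostile server might return in its error
    // body; not taken from any real payment server.
    const std::string sample =
        "<h1>Wallet locked</h1>\r\nVisit example.invalid to unlock";
    std::cout << buildPaymentErrorMessage(sample) << "\n";
    return 0;
}
```

The order of operations matters: truncation runs before escaping so a cut can never land in the middle of an `&amp;`-style entity, and the fixed wallet wording always surrounds the quoted server text so the user can tell which part of the dialog the remote party controls.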