From 80c3f6d4d84f822d1c3f41e6cb55fc05130e2b17 Mon Sep 17 00:00:00 2001 From: Tsung-Mao Fang Date: Tue, 13 Apr 2021 16:26:12 +0800 Subject: [PATCH] Prevent HTML Injection on the Device Admin request screen The root issue is that CharSequence is an interface. String implements that interface, however, Spanned class too which is a rich text format that can store HTML code. The solution is enforce to use String type which won't include any HTML function. Test: Rebuilt apk and see the string without HTML style. Bug: 179042963 Change-Id: I53b460b12da918e022d2f2934f114d205dbaadb0 Merged-In: I53b460b12da918e022d2f2934f114d205dbaadb0 --- src/com/android/settings/DeviceAdminAdd.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/com/android/settings/DeviceAdminAdd.java b/src/com/android/settings/DeviceAdminAdd.java index 2fd769b42a2..ebad4115318 100644 --- a/src/com/android/settings/DeviceAdminAdd.java +++ b/src/com/android/settings/DeviceAdminAdd.java @@ -95,7 +95,7 @@ public class DeviceAdminAdd extends Activity { DevicePolicyManager mDPM; AppOpsManager mAppOps; DeviceAdminInfo mDeviceAdmin; - CharSequence mAddMsgText; + String mAddMsgText; String mProfileOwnerName; ImageView mAdminIcon; @@ -278,7 +278,11 @@ public class DeviceAdminAdd extends Activity { return; } - mAddMsgText = getIntent().getCharSequenceExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION); + final CharSequence addMsgCharSequence = getIntent().getCharSequenceExtra( + DevicePolicyManager.EXTRA_ADD_EXPLANATION); + if (addMsgCharSequence != null) { + mAddMsgText = addMsgCharSequence.toString(); + } setContentView(R.layout.device_admin_add); @@ -558,7 +562,7 @@ public class DeviceAdminAdd extends Activity { if (mAddingProfileOwner) { mProfileOwnerWarning.setVisibility(View.VISIBLE); } - if (mAddMsgText != null) { + if (!TextUtils.isEmpty(mAddMsgText)) { mAddMsg.setText(mAddMsgText); mAddMsg.setVisibility(View.VISIBLE); } else {