From 7b0686af2f63f63a1a7b703f7414d5f60ab04449 Mon Sep 17 00:00:00 2001 From: Rob Fletcher Date: Tue, 25 Feb 2014 18:16:12 +0000 Subject: [PATCH] HTML injection fix for bluetooth pairing, issue 65946 During bluetooth pairing, HTML injection is possible via the device name displayed to the user. This escapes the device name, before creating HTML from it, so it will preserve things like < and > but will not affect rendering of HTML Bug: 12976386 Change-Id: I8a02d3be8c1a779dc9ed1c9ef8083a1159ab3f2b
---
 .../android/settings/bluetooth/BluetoothPairingDialog.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/com/android/settings/bluetooth/BluetoothPairingDialog.java b/src/com/android/settings/bluetooth/BluetoothPairingDialog.java
index 9b2a3e89810..d6f27efbc18 100755
--- a/src/com/android/settings/bluetooth/BluetoothPairingDialog.java
+++ b/src/com/android/settings/bluetooth/BluetoothPairingDialog.java
@@ -207,8 +207,8 @@ public final class BluetoothPairingDialog extends AlertActivity implements
 return null;
 }
- // Format the message string, then parse HTML style tags
- String messageText = getString(messageId1, deviceName);
+ // HTML escape deviceName, Format the message string, then parse HTML style tags
+ String messageText = getString(messageId1, Html.escapeHtml(deviceName));
 messageView.setText(Html.fromHtml(messageText));
 messageView2.setText(messageId2);
 mPairingView.setInputType(InputType.TYPE_CLASS_NUMBER);
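Review bot: `Html.escapeHtml(deviceName)` reads the length of its argument, so a null `deviceName` now throws where the old `getString(messageId1, deviceName)` would have formatted it as the text "null". The hunk does not show whether callers guarantee a non-null name, so for a value that comes from a remote device it is worth guarding at this line, for example `String messageText = getString(messageId1, Html.escapeHtml(deviceName == null ? "" : deviceName));`. The same applies to `Html.escapeHtml(deviceManager.getName(mDevice))` in the createView hunk. The enclosing method starts before this hunk and continues after it.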
@@ -220,7 +220,8 @@ public final class BluetoothPairingDialog extends AlertActivity implements
 private View createView(CachedBluetoothDeviceManager deviceManager) {
 View view = getLayoutInflater().inflate(R.layout.bluetooth_pin_confirm, null);
- String name = deviceManager.getName(mDevice);
+ // Escape device name to avoid HTML injection.
+ String name = Html.escapeHtml(deviceManager.getName(mDevice));
 TextView messageView = (TextView) view.findViewById(R.id.message);
 String messageText; // formatted string containing HTML style tags
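Review bot: `name` holds HTML-escaped text from its declaration onward, but nothing in the identifier says so. Any later use in createView that does not pass through `Html.fromHtml` would show entities such as `&lt;` to the user, and a future edit could add such a use without noticing. Making the encoding visible in the name would help, `String escapedName = Html.escapeHtml(deviceManager.getName(mDevice));`, or the escape could sit at each `getString` call as the first hunk does. The rest of createView lies outside the hunk, so whether a plain-text use already exists cannot be confirmed from here.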