
Commit c92db391 authored by Nick Kralevich

ClipData: html attribute values should always be escaped

Failure to properly escape HTML attribute values can lead to
XSS attacks. Technically, HTML of the form

<a href="http://www.google.com/search?x=a&y=b">blah</a>

is malformed (but widely accepted). Such links should be written as

<a href="http://www.google.com/search?x=a&amp;y=b">blah</a>

See: http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2

Change-Id: I188ded00b4cac44acb38884d4728c4cf9500f3b6
parent 527d14dc
+1 −1
@@ -563,7 +563,7 @@ public class ClipData implements Parcelable {
        private String uriToHtml(String uri) {
            StringBuilder builder = new StringBuilder(256);
            builder.append("<a href=\"");
            builder.append(uri);
            builder.append(Html.escapeHtml(uri));
            builder.append("\">");
            builder.append(Html.escapeHtml(uri));
            builder.append("</a>");
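Review bot: the replacement line `builder.append(Html.escapeHtml(uri));` closes the unescaped `&` case described in the commit message, but the value sits inside a double-quoted attribute (`builder.append("<a href=\"");`), so the fix is only complete if Html.escapeHtml also turns `"` into `&quot;`; if it only handles `&`, `<` and `>`, a quote character in the URI would still terminate the attribute early. Worth confirming against the escaper's behaviour, or applying an attribute-specific escape (covering `"` and `'` as well) for the href value while keeping Html.escapeHtml for the link text two lines below.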