Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 549a39b4 authored by Rob Fletcher's avatar Rob Fletcher Committed by Matthew Xie
Browse files

DO NOT MERGE HTML injection fix for bluetooth pairing, issue 65946 

During bluetooth pairing, HTML injection is possible via the device name displayed to the user. This escapes the device name, before creating HTML from it, so it will preserve things like < and > but will not affect rendering of HTML

Bug: 12976386
Change-Id: I8a02d3be8c1a779dc9ed1c9ef8083a1159ab3f2b
parent d83484db

src/com/android/settings/bluetooth/BluetoothPairingDialog.java

+4 −3
Original line number Diff line number Diff line
@@ -207,8 +207,8 @@ public final class BluetoothPairingDialog extends AlertActivity implements 
                return null;

        }



        // Format the message string, then parse HTML style tags

        String messageText = getString(messageId1, deviceName);

        // HTML escape deviceName, Format the message string, then parse HTML style tags

        String messageText = getString(messageId1, Html.escapeHtml(deviceName));

        messageView.setText(Html.fromHtml(messageText));

        messageView2.setText(messageId2);

        mPairingView.setInputType(InputType.TYPE_CLASS_NUMBER);
@@ -220,7 +220,8 @@ public final class BluetoothPairingDialog extends AlertActivity implements 


    private View createView(CachedBluetoothDeviceManager deviceManager) {

        View view = getLayoutInflater().inflate(R.layout.bluetooth_pin_confirm, null);

        String name = deviceManager.getName(mDevice);

	// Escape device name to avoid HTML injection.

        String name = Html.escapeHtml(deviceManager.getName(mDevice));

        TextView messageView = (TextView) view.findViewById(R.id.message);



        String messageText; // formatted string containing HTML style tags