Commits

Anonymous committed 7b0686a

HTML injection fix for bluetooth pairing, issue 65946

During Bluetooth pairing, HTML injection is possible via the device name displayed to the user. This escapes the device name before creating HTML from it, so it will preserve things like < and > but will not affect rendering of HTML.

Bug: 12976386
Change-Id: I8a02d3be8c1a779dc9ed1c9ef8083a1159ab3f2b

  • Parent commits 0223f9c

Files changed (1)

src/com/android/settings/bluetooth/BluetoothPairingDialog.java

                 return null;
         }
 
-        // Format the message string, then parse HTML style tags
-        String messageText = getString(messageId1, deviceName);
+        // HTML escape deviceName, Format the message string, then parse HTML style tags
+        String messageText = getString(messageId1, Html.escapeHtml(deviceName));
         messageView.setText(Html.fromHtml(messageText));
         messageView2.setText(messageId2);
         mPairingView.setInputType(InputType.TYPE_CLASS_NUMBER);
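
Review bot: On the `getString(messageId1, Html.escapeHtml(deviceName))` line, `Html.escapeHtml` dereferences its argument, so a null `deviceName` now throws a NullPointerException where the old `getString` call would have formatted it as "null". If a null name can reach this path, guard it or substitute a fallback string before escaping. The new comment would also read more clearly with the steps in consistent case and the reason stated, for example "Escape deviceName (untrusted input), format the message string, then parse HTML style tags".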
 
     private View createView(CachedBluetoothDeviceManager deviceManager) {
         View view = getLayoutInflater().inflate(R.layout.bluetooth_pin_confirm, null);
-        String name = deviceManager.getName(mDevice);
+	// Escape device name to avoid HTML injection.
+        String name = Html.escapeHtml(deviceManager.getName(mDevice));
         TextView messageView = (TextView) view.findViewById(R.id.message);
 
         String messageText; // formatted string containing HTML style tags
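
Review bot: In createView, escaping at the assignment `String name = Html.escapeHtml(deviceManager.getName(mDevice));` means every later use of `name` carries the escaped form, so any use that does not go through `Html.fromHtml` would show literal entities such as `&lt;` to the user. Consider escaping at the point where the name is formatted into `messageText`, as the other hunk does, or renaming the variable (for example `escapedName`) so the invariant is visible to the next editor. The added comment line is also indented with a tab while the surrounding lines use spaces, and the same null concern applies if `getName` can return null.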