
Anonymous committed 85fb88e Merge

Merge "HTML injection fix for bluetooth pairing, issue 65946"

  • Parent commits 7f1c81b, 7b0686a


Files changed (1)

src/com/android/settings/bluetooth/BluetoothPairingDialog.java

                 return null;
         }
 
-        // Format the message string, then parse HTML style tags
-        String messageText = getString(messageId1, deviceName);
+        // HTML escape deviceName, Format the message string, then parse HTML style tags
+        String messageText = getString(messageId1, Html.escapeHtml(deviceName));
         messageView.setText(Html.fromHtml(messageText));
         messageView2.setText(messageId2);
         mPairingView.setInputType(InputType.TYPE_CLASS_NUMBER);
 
     private View createView(CachedBluetoothDeviceManager deviceManager) {
         View view = getLayoutInflater().inflate(R.layout.bluetooth_pin_confirm, null);
-        String name = deviceManager.getName(mDevice);
+	// Escape device name to avoid HTML injection.
+        String name = Html.escapeHtml(deviceManager.getName(mDevice));
         TextView messageView = (TextView) view.findViewById(R.id.message);
 
         String messageText; // formatted string containing HTML style tags
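Review bot: In `createView`, `name` holds the escaped form from its declaration onward, so the fix is only correct if every later use of `name` is formatted into a string that then goes through `Html.fromHtml`. Any plain `setText` or log use would show entities such as `&amp;` literally, and the rest of `createView` lies outside this hunk, so that cannot be confirmed here. Naming the variable for what it holds, `String escapedName = Html.escapeHtml(deviceManager.getName(mDevice));`, or escaping at each `getString(...)` call as the first hunk does, would make the contract visible at the sink. `Html.escapeHtml` dereferences its argument, so it is worth confirming that neither `deviceManager.getName(mDevice)` nor `deviceName` can be null on these paths. The added comment line in `createView` is indented with a tab where the surrounding lines use spaces.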