Prevent HTML Injection on the Device Admin request screen
The root issue is that CharSequence is an interface.
String implements that interface, however, Spanned class
too which is a rich text format that can store HTML code.
The solution is enforce to use String type which won't include
any HTML function.
Test: Rebuilt apk and see the string without HTML style.
Bug: 179042963
Change-Id: I53b460b12da918e022d2f2934f114d205dbaadb0
Merged-In: I53b460b12da918e022d2f2934f114d205dbaadb0
(cherry picked from commit 0bf3c98b2f325f70d5492a7c7ade16951a802600)
(cherry picked from commit 52f9039d5cc775a02dab90492cca98850a82872a)
diff --git a/src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java b/src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java
index 9afb2b4..113922e 100644
--- a/src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java
+++ b/src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java
@@ -102,7 +102,7 @@
DevicePolicyManager mDPM;
AppOpsManager mAppOps;
DeviceAdminInfo mDeviceAdmin;
- CharSequence mAddMsgText;
+ String mAddMsgText;
String mProfileOwnerName;
ImageView mAdminIcon;
@@ -274,7 +274,11 @@
}
}
- mAddMsgText = getIntent().getCharSequenceExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION);
+ final CharSequence addMsgCharSequence = getIntent().getCharSequenceExtra(
+ DevicePolicyManager.EXTRA_ADD_EXPLANATION);
+ if (addMsgCharSequence != null) {
+ mAddMsgText = addMsgCharSequence.toString();
+ }
if (mAddingProfileOwner) {
// If we're trying to add a profile owner and user setup hasn't completed yet, no
@@ -628,7 +632,7 @@
} catch (Resources.NotFoundException e) {
mAdminDescription.setVisibility(View.GONE);
}
- if (mAddMsgText != null) {
+ if (!TextUtils.isEmpty(mAddMsgText)) {
mAddMsg.setText(mAddMsgText);
mAddMsg.setVisibility(View.VISIBLE);
} else {
