OSDN > Developer > zulieza_adz > Chamber > packages-apps-Settings > Commit

packages-apps-Settings
Fork

Fork origin: android-x86 / packages-apps-Settings

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revisão	c182674de735dba1d99e7d5eddefe72cbfdc74dc (tree)
Hora	2021-07-01 20:01:16
Autor	Tsung-Mao Fang <tmfang@goog...>
Commiter	Android Build Coastguard Worker

Mensagem de Log

Prevent HTML Injection on the Device Admin request screen

The root issue is that CharSequence is an interface.
String implements that interface, however, Spanned class
too which is a rich text format that can store HTML code.

The solution is enforce to use String type which won't include
any HTML function.

Test: Rebuilt apk and see the string without HTML style.
Bug: 179042963
Change-Id: I53b460b12da918e022d2f2934f114d205dbaadb0
Merged-In: I53b460b12da918e022d2f2934f114d205dbaadb0
(cherry picked from commit 0bf3c98b2f325f70d5492a7c7ade16951a802600)
(cherry picked from commit 52f9039d5cc775a02dab90492cca98850a82872a)

Mudança Sumário

modified: src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java (diff)

Diff

--- a/src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java

+++ b/src/com/android/settings/applications/specialaccess/deviceadmin/DeviceAdminAdd.java

		@@ -102,7 +102,7 @@ public class DeviceAdminAdd extends Activity {
102	102	DevicePolicyManager mDPM;
103	103	AppOpsManager mAppOps;
104	104	DeviceAdminInfo mDeviceAdmin;
105		- CharSequence mAddMsgText;
	105	+ String mAddMsgText;
106	106	String mProfileOwnerName;
107	107
108	108	ImageView mAdminIcon;

		@@ -274,7 +274,11 @@ public class DeviceAdminAdd extends Activity {
274	274	}
275	275	}
276	276
277		- mAddMsgText = getIntent().getCharSequenceExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION);
	277	+ final CharSequence addMsgCharSequence = getIntent().getCharSequenceExtra(
	278	+ DevicePolicyManager.EXTRA_ADD_EXPLANATION);
	279	+ if (addMsgCharSequence != null) {
	280	+ mAddMsgText = addMsgCharSequence.toString();
	281	+ }
278	282
279	283	if (mAddingProfileOwner) {
280	284	// If we're trying to add a profile owner and user setup hasn't completed yet, no

		@@ -628,7 +632,7 @@ public class DeviceAdminAdd extends Activity {
628	632	} catch (Resources.NotFoundException e) {
629	633	mAdminDescription.setVisibility(View.GONE);
630	634	}
631		- if (mAddMsgText != null) {
	635	+ if (!TextUtils.isEmpty(mAddMsgText)) {
632	636	mAddMsg.setText(mAddMsgText);
633	637	mAddMsg.setVisibility(View.VISIBLE);
634	638	} else {

packages-apps-Settings Fork