packages/apps/Settings
修訂 | c182674de735dba1d99e7d5eddefe72cbfdc74dc (tree) |
---|---|
時間 | 2021-07-01 20:01:16 |
作者 | Tsung-Mao Fang <tmfang@goog...> |
Commiter | Android Build Coastguard Worker |
Prevent HTML Injection on the Device Admin request screen
The root issue is that CharSequence is an interface.
String implements that interface, however, Spanned class
too which is a rich text format that can store HTML code.
The solution is enforce to use String type which won't include
any HTML function.
Test: Rebuilt apk and see the string without HTML style.
Bug: 179042963
Change-Id: I53b460b12da918e022d2f2934f114d205dbaadb0
Merged-In: I53b460b12da918e022d2f2934f114d205dbaadb0
(cherry picked from commit 0bf3c98b2f325f70d5492a7c7ade16951a802600)
(cherry picked from commit 52f9039d5cc775a02dab90492cca98850a82872a)
@@ -102,7 +102,7 @@ public class DeviceAdminAdd extends Activity { | ||
102 | 102 | DevicePolicyManager mDPM; |
103 | 103 | AppOpsManager mAppOps; |
104 | 104 | DeviceAdminInfo mDeviceAdmin; |
105 | - CharSequence mAddMsgText; | |
105 | + String mAddMsgText; | |
106 | 106 | String mProfileOwnerName; |
107 | 107 | |
108 | 108 | ImageView mAdminIcon; |
@@ -274,7 +274,11 @@ public class DeviceAdminAdd extends Activity { | ||
274 | 274 | } |
275 | 275 | } |
276 | 276 | |
277 | - mAddMsgText = getIntent().getCharSequenceExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION); | |
277 | + final CharSequence addMsgCharSequence = getIntent().getCharSequenceExtra( | |
278 | + DevicePolicyManager.EXTRA_ADD_EXPLANATION); | |
279 | + if (addMsgCharSequence != null) { | |
280 | + mAddMsgText = addMsgCharSequence.toString(); | |
281 | + } | |
278 | 282 | |
279 | 283 | if (mAddingProfileOwner) { |
280 | 284 | // If we're trying to add a profile owner and user setup hasn't completed yet, no |
@@ -628,7 +632,7 @@ public class DeviceAdminAdd extends Activity { | ||
628 | 632 | } catch (Resources.NotFoundException e) { |
629 | 633 | mAdminDescription.setVisibility(View.GONE); |
630 | 634 | } |
631 | - if (mAddMsgText != null) { | |
635 | + if (!TextUtils.isEmpty(mAddMsgText)) { | |
632 | 636 | mAddMsg.setText(mAddMsgText); |
633 | 637 | mAddMsg.setVisibility(View.VISIBLE); |
634 | 638 | } else { |