ClipData: html attribute values should always be escaped

nickkral · nickkral · commit c92db391379c · 2012-07-27T13:27:00.000-07:00
Failure to properly escape HTML attribute values can lead to XSS attacks. Technically, HTML of the form <a href="http://www.google.com/search?x=a&y=b">blah</a> is malformed (but widely accepted). Such links should be written as <a href="http://www.google.com/search?x=a&amp;y=b">blah</a> See: http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2 Change-Id: I188ded00b4cac44acb38884d4728c4cf9500f3b6
diff --git a/core/java/android/content/ClipData.java b/core/java/android/content/ClipData.java
@@ -563,7 +563,7 @@ private CharSequence coerceToHtmlOrStyledText(Context context, boolean styled) {
         private String uriToHtml(String uri) {
             StringBuilder builder = new StringBuilder(256);
             builder.append("<a href=\"");
-            builder.append(uri);
+            builder.append(Html.escapeHtml(uri));
             builder.append("\">");
             builder.append(Html.escapeHtml(uri));
             builder.append("</a>");
