authorMatthew Xie <mattx@google.com>2014-02-27 21:46:26 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-02-27 21:46:26 +0000
commit47c5e9c831dcf43b1e874b2485147e7fe58da503 (patch)
tree92fb751ca2774fdfdd2dda2ab7b372d9d2d9494e /src/com/android/settings/bluetooth
parentadda1b0022f12dd15a802ec36e6efee0f9c6bff2 (diff)
parent31df7cdcb31993c4c62bd1995af72fca57946e10 (diff)
am 31df7cdc: am b1140053: am 85fb88ee: Merge "HTML injection fix for bluetooth pairing, issue 65946"
* commit '31df7cdcb31993c4c62bd1995af72fca57946e10': HTML injection fix for bluetooth pairing, issue 65946
Diffstat (limited to 'src/com/android/settings/bluetooth')
-rwxr-xr-xsrc/com/android/settings/bluetooth/BluetoothPairingDialog.java7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/com/android/settings/bluetooth/BluetoothPairingDialog.java b/src/com/android/settings/bluetooth/BluetoothPairingDialog.java
index 9b2a3e898..d6f27efbc 100755
--- a/src/com/android/settings/bluetooth/BluetoothPairingDialog.java
+++ b/src/com/android/settings/bluetooth/BluetoothPairingDialog.java
@@ -207,8 +207,8 @@ public final class BluetoothPairingDialog extends AlertActivity implements
return null;
}
- // Format the message string, then parse HTML style tags
- String messageText = getString(messageId1, deviceName);
+ // HTML escape deviceName, Format the message string, then parse HTML style tags
+ String messageText = getString(messageId1, Html.escapeHtml(deviceName));
messageView.setText(Html.fromHtml(messageText));
messageView2.setText(messageId2);
mPairingView.setInputType(InputType.TYPE_CLASS_NUMBER);
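Review bot: The new `Html.escapeHtml(deviceName)` call dereferences its argument, so a null `deviceName` would now throw on this line, where the old `getString(messageId1, deviceName)` would only have formatted the text "null". Where `deviceName` is assigned is outside the hunk, so either confirm it can never be null or guard the call, for example `Html.escapeHtml(deviceName == null ? "" : deviceName)`. The comment would also read better if it gave the reason rather than the steps, e.g. `// deviceName is supplied by the remote device: escape it before it is formatted into markup that Html.fromHtml() parses`. A regression test that pairs with a name containing markup characters would keep this from being undone later.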
@@ -220,7 +220,8 @@ public final class BluetoothPairingDialog extends AlertActivity implements
private View createView(CachedBluetoothDeviceManager deviceManager) {
View view = getLayoutInflater().inflate(R.layout.bluetooth_pin_confirm, null);
- String name = deviceManager.getName(mDevice);
+ // Escape device name to avoid HTML injection.
+ String name = Html.escapeHtml(deviceManager.getName(mDevice));
TextView messageView = (TextView) view.findViewById(R.id.message);
String messageText; // formatted string containing HTML style tags
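Review bot: Escaping at the declaration makes `name` hold HTML-encoded text for the rest of `createView`, so any later use that does not pass through `Html.fromHtml` (a plain `setText`, a log line, a comparison) would show entities such as `&amp;` instead of the real device name. The first hunk escapes at the format call instead; doing the same here, or renaming to `String escapedName = Html.escapeHtml(deviceManager.getName(mDevice));`, keeps the encoding visible at every use. The rest of `createView` lies outside the hunk, so whether every use of `name` is HTML-parsed cannot be checked from here.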