From c92db391379cc19738de8bb5008ed619cb049ebe Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 27 Jul 2012 13:22:20 -0700
Subject: [PATCH] ClipData: html attribute values should always be escaped
Failure to properly escape HTML attribute values can lead to XSS attacks. Technically, HTML of the form blah is malformed (but widely accepted). Such links should be written as blah
See: http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2
Change-Id: I188ded00b4cac44acb38884d4728c4cf9500f3b6
---
core/java/android/content/ClipData.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/java/android/content/ClipData.java b/core/java/android/content/ClipData.java
index 186683091817c..88f1a3d5b4fdd 100644
--- a/core/java/android/content/ClipData.java
+++ b/core/java/android/content/ClipData.java
@@ -563,7 +563,7 @@ public class ClipData implements Parcelable {
private String uriToHtml(String uri) { StringBuilder builder = new StringBuilder(256); builder.append(""); builder.append(Html.escapeHtml(uri)); builder.append("");
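Review bot: `Html.escapeHtml(uri)` is an element-text escaper, and if it leaves `"` unescaped (worth confirming, since its implementation is not part of this patch) a URI containing a double quote can still close the quoted href value that uriToHtml builds. The attribute write should escape quotes as well, for example `builder.append(Html.escapeHtml(uri).replace("\"", "&quot;"));`. Entity escaping also says nothing about the URI scheme, so a short comment on the method such as `// escaping only; consumers must still validate the URI scheme before following the link` would make the remaining contract explicit. The string literals in this copy of the hunk have lost their markup, the changed line itself is not shown, and the method body continues past the hunk, so this rests on the commit message and the visible `Html.escapeHtml(uri)` call.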