ADHOC/replicant-packages_apps_Email
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Sanitize HTML email bodies in Android Email

Browse Source 
b/14567151

Sanitizes HTML email bodies on demand as they are requested from
EmailMessageCursor. Also alters Account settings to indicate that emails can be
assumed to be sanitized and transform scripts can be applied to the email
bodies.

Change-Id: I789e6de3569ae8c7d2c21f0b5aa590d7638a1467
This commit is contained in:
James Lemieux 2014-05-20 14:15:12 -07:00
parent c0ab393308
commit 837aba39d5
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/com/android/email/provider/EmailMessageCursor.java
View File

@ -25,6 +25,7 @@ import android.provider.BaseColumns;
import android.util.SparseArray;
import com.android.emailcommon.provider.EmailContent.Body;
import com.android.mail.utils.HtmlSanitizer;
import com.android.mail.utils.LogUtils;
import org.apache.commons.io.IOUtils;
@ -70,7 +71,8 @@ public class EmailMessageCursor extends CursorWrapper {
final Uri htmlUri = Body.getBodyHtmlUriForMessageWithId(messageId);
final InputStream in = cr.openInputStream(htmlUri);
final String underlyingHtmlString = IOUtils.toString(in);
mHtmlParts.put(position, underlyingHtmlString);
final String sanitizedHtml = HtmlSanitizer.sanitizeHtml(underlyingHtmlString);
mHtmlParts.put(position, sanitizedHtml);
}
} catch (final IOException e) {
LogUtils.v(LogUtils.TAG, e, "Did not find html body for message %d", messageId);

7
src/com/android/email/provider/EmailProvider.java
View File

@ -3383,6 +3383,9 @@ public class EmailProvider extends ContentProvider {
// TODO: Should this be stored per-account, or some other mechanism?
capabilities |= AccountCapabilities.NESTED_FOLDERS;
// sanitization happens lazily in the EmailMessageCursor as HTML email bodies are requested
capabilities |= UIProvider.AccountCapabilities.SANITIZED_HTML;
return capabilities;
}
@ -3486,6 +3489,10 @@ public class EmailProvider extends ContentProvider {
UIProvider.SyncStatus.INITIAL_SYNC_NEEDED);
}
}
if (projectionColumns.contains(UIProvider.AccountColumns.ENABLE_MESSAGE_TRANSFORMS)) {
// Email is now sanitized, which grants the ability to inject beautifying javascript.
values.put(UIProvider.AccountColumns.ENABLE_MESSAGE_TRANSFORMS, 1);
}
if (projectionColumns.contains(
UIProvider.AccountColumns.SettingsColumns.IMPORTANCE_MARKERS_ENABLED)) {
// Email doesn't support priority inbox, so always state importance markers disabled.