From d185adfc27487d1972054a324fb18897622726e7 Mon Sep 17 00:00:00 2001
From: Jesse Vincent <jesse@fsck.com>
Date: Sat, 2 May 2009 22:06:42 +0000
Subject: [PATCH] Fix up text/plain message view to escape < and > and & when
 converting plain text to html for display

---
 src/com/android/email/activity/MessageView.java | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/com/android/email/activity/MessageView.java b/src/com/android/email/activity/MessageView.java
index 9c4e8c5b2..a9c2a7908 100644
--- a/src/com/android/email/activity/MessageView.java
+++ b/src/com/android/email/activity/MessageView.java
@@ -1068,6 +1068,15 @@ public class MessageView extends Activity
                     } else {
                         Matcher m = Regex.WEB_URL_PATTERN.matcher(text);
                         StringBuffer sb = new StringBuffer();
+                        /*
+                         * Convert plain text to HTML by replacing
+                         * \r?\n with <br> and adding a html/body wrapper as well as escaping & < >
+                         */
+                        text = text.replaceAll("&", "&amp;");
+                        text = text.replaceAll("<", "&lt;");
+                        text = text.replaceAll(">", "&gt;");
+                        text = text.replaceAll("\r?\n", "<br>");
+
                         while (m.find()) {
                             int start = m.start();
                             if (start == 0 || (start != 0 && text.charAt(start - 1) != '@')) {
@@ -1079,12 +1088,6 @@ public class MessageView extends Activity
                         }
                         m.appendTail(sb);
 
-/*
-                         * Convert plain text to HTML by replacing
-                         * \r?\n with <br> and adding a html/body wrapper.
-                         */
-                        text = sb.toString().replaceAll("\r?\n", "<br>");
-
 
 
                         text = "<html><body>" + text + "</body></html>";