Databases
StackOverflow2013
Postsdbo
POAndroid - Trying to sanitize user input on a preference
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POAndroid - Trying to sanitize user input on a preference
    text
    copied!<p>I am trying to sanitize some user input on my app that will be sent server side. Based on the server settings, the data entered by the user may be used when creating or accessing files and folders. Obviously, sanitation will be also handled on the server but I will not and the app will not be able to control this due to the nature of the app. Therefore I feel it is my responsibility to have end to end sanitation where I or my app have control.</p> <p>The preference I am trying to sanitize is for a photo album name that will be passed to the server.</p> <p>According to the <code>Log.d</code> output this is working correctly. However, when I click the preference field to edit it, it shows the unsanitized input and when the preference is passed to the server it is also showing the unsanitized input.</p> <p><code>FileUtil.sanitize(stringValue)</code> is a simple method that trims leading and trailing spaces and removes <code>../</code> and <code>..\</code> from the string, for now atleast. I know there are others that I need to watch, just not 100% what they are yet.</p> <p>So, the obvious question is, what am I missing? Is there an event that fires after this is complete that overwrites the changes that I am making here? I have a feeling that something is overwriting my changes because when I get the value immediately after the change, it shows the correct, sanitized data.</p> <pre><code> /** * A preference value change listener that updates the preference's summary * to reflect its new value. */ private static Preference.OnPreferenceChangeListener sBindPreferenceSummaryToValueListener = new Preference.OnPreferenceChangeListener() { @Override public boolean onPreferenceChange(Preference preference, Object value) { String stringValue = value.toString(); if (preference instanceof ListPreference) { // For list preferences, look up the correct display value in // the preference's 'entries' list. ListPreference listPreference = (ListPreference) preference; int index = listPreference.findIndexOfValue(stringValue); // Set the summary to reflect the new value. preference.setSummary( index &gt;= 0 ? listPreference.getEntries()[index] : null); } else if (preference.getKey().equals("text_default_album")) { Log.d(TAG, "default pref: "+preference.getKey()+" value: "+stringValue); stringValue = FileUtil.sanitize(stringValue); Log.d(TAG, "default pref: "+preference.getKey()+" value: "+stringValue); preference.setSummary(stringValue); SharedPreferences prefs = preference.getSharedPreferences(); String def = prefs.getString("text_default_album", ""); Boolean updated = prefs.edit().putString("text_default_album", stringValue).commit(); String def2 = prefs.getString("text_default_album", ""); Log.d(TAG, "def: "+def); Log.d(TAG, "def2: "+def2); Log.d(TAG, "updated: "+updated); } else { // For all other preferences, set the summary to the value's // simple string representation. preference.setSummary(stringValue); } return true; } }; </code></pre>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload