
avoid-unrestricted-javascript

effort: 5m
pro+

Warns when JavaScript execution is enabled for WebViews.

A mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted content is rendered with JavaScript enabled. In the context of a WebView, injected JavaScript can exfiltrate local files that might be sensitive or, even worse, call functions the application exposes to the WebView, which can lead to more severe vulnerabilities such as code injection.

Example

❌ Bad:

import 'package:webview_flutter/webview_flutter.dart';
import 'package:flutter_inappwebview/flutter_inappwebview.dart';

void fn() {
  WebViewController()
    // LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
    // Consider disabling JavaScript for WebViews.
    ..setJavaScriptMode(JavaScriptMode.unrestricted);

  // LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
  // Consider disabling JavaScript for WebViews.
  // javaScriptEnabled defaults to true, so the default settings are flagged as well.
  InAppWebViewSettings();

  // LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
  // Consider disabling JavaScript for WebViews.
  InAppWebViewSettings(javaScriptEnabled: true);

  // LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
  // Consider disabling JavaScript for WebViews.
  HeadlessInAppWebView(
    initialSettings: InAppWebViewSettings(javaScriptEnabled: true),
  );
}

✅ Good:

import 'package:webview_flutter/webview_flutter.dart';
import 'package:flutter_inappwebview/flutter_inappwebview.dart';

void fn() {
  // JavaScript is explicitly disabled for each WebView implementation.
  WebViewController()
    ..setJavaScriptMode(JavaScriptMode.disabled);

  InAppWebViewSettings(javaScriptEnabled: false);

  HeadlessInAppWebView(
    initialSettings: InAppWebViewSettings(javaScriptEnabled: false),
  );
}
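An added example, not part of the rule documentation or either package: it keeps JavaScript disabled as the rule requires and additionally refuses to render anything outside one trusted origin, so untrusted content never reaches the WebView. It assumes webview_flutter 4.x; the helper name and trustedHost value are placeholders.

```dart
import 'package:webview_flutter/webview_flutter.dart';

/// Builds a WebViewController that never executes JavaScript and only
/// renders HTTPS pages served from [trustedHost] (placeholder value).
WebViewController buildRestrictedController(String trustedHost) {
  return WebViewController()
    // The setting this lint checks: JavaScript stays disabled.
    ..setJavaScriptMode(JavaScriptMode.disabled)
    ..setNavigationDelegate(
      NavigationDelegate(
        onNavigationRequest: (NavigationRequest request) {
          // Allow a navigation only when it stays on the trusted HTTPS origin;
          // everything else (other hosts, plain http, unparsable URLs) is blocked.
          final uri = Uri.tryParse(request.url);
          final isTrusted =
              uri != null && uri.scheme == 'https' && uri.host == trustedHost;
          return isTrusted
              ? NavigationDecision.navigate
              : NavigationDecision.prevent;
        },
      ),
    );
}

/// Usage from a Flutter widget: load the help page of the trusted host.
void loadHelpPage() {
  final controller = buildRestrictedController('help.example.com');
  controller.loadRequest(Uri.https('help.example.com', '/help'));
}
```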

Additional Resources