avoid-unrestricted-javascript
Warns when JavaScript execution is enabled for WebViews.
Mobile applications using WebViews face severe risks if they render untrusted code, making them highly vulnerable to Cross-Site Scripting (XSS). Within a WebView context, malicious JavaScript can exfiltrate sensitive local files from the device. Even more critically, it can interact with exposed native application functions, potentially leading to catastrophic flaws like remote code execution.
Example
❌ Bad:
void fn() {
WebViewController()
// LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
// Consider disabling JavaScript for WebViews.
..setJavaScriptMode(JavaScriptMode.unrestricted);
// LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
// Consider disabling JavaScript for WebViews.
InAppWebViewSettings();
// LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
// Consider disabling JavaScript for WebViews.
InAppWebViewSettings(javaScriptEnabled: true);
// LINT: Avoid unrestricted JavaScript as it expands the attack surface to cross-site scripting (XSS) vulnerabilities.
// Consider disabling JavaScript for WebViews.
HeadlessInAppWebView(InAppWebViewSettings(javaScriptEnabled: true));
}
✅ Good:
void fn() {
WebViewController()
..setJavaScriptMode(JavaScriptMode.disabled);
InAppWebViewSettings(javaScriptEnabled: false);
HeadlessInAppWebView(InAppWebViewSettings(javaScriptEnabled: false));
}