From 4851ae9776442265f4bb7f16b81d4debefc83521 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 20 Apr 2026 01:41:30 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?= =?UTF-8?q?x=20XSS=20vulnerability=20in=20WebView=20data=20passing?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Migrates data passing in HomeScreen and ShiftScreen WebViews from `injectJavaScript` string interpolation to the native `postMessage` API. This prevents script injection attacks while correctly maintaining the original engine readiness fallbacks. Co-authored-by: TargetMisser <52361977+TargetMisser@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ src/screens/HomeScreen.tsx | 18 +++++++++--------- src/screens/ShiftScreen.tsx | 21 ++++++++++----------- 3 files changed, 23 insertions(+), 20 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..39bab3e --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-04-20 - XSS in WebView injectJavaScript +**Vulnerability:** XSS vulnerability through string interpolation in WebView `injectJavaScript`. +**Learning:** Avoid using `injectJavaScript` with string interpolation for data transfer. It can lead to script injection attacks if the data is not properly sanitized. +**Prevention:** Use `webViewRef.current.postMessage(data)` and set up corresponding `message` event listeners in the WebView's JavaScript context for both `window` and `document` (`window.addEventListener('message', ...)` and `document.addEventListener('message', ...)`) to ensure cross-platform compatibility between iOS and Android. diff --git a/src/screens/HomeScreen.tsx b/src/screens/HomeScreen.tsx index 8475bcb..c2ebd54 100644 --- a/src/screens/HomeScreen.tsx +++ b/src/screens/HomeScreen.tsx @@ -42,7 +42,12 @@ const weatherMap: Record = { const engineHtml = ` `; function PinnedFlightCardComponent({ item, colors }: { item: any; colors: any }) { @@ -288,14 +295,7 @@ export default function HomeScreen() { const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`); const base64Json = JSON.stringify(base64List); // Use postMessage pattern to avoid script-injection risks with injectJavaScript - webViewRef.current?.injectJavaScript(` - if(window.runTesseract){ - window.runTesseract(${JSON.stringify(base64Json)}); - } else { - window.ReactNativeWebView.postMessage(JSON.stringify({success:false,error:'OCR non pronto'})); - } - true; - `); + webViewRef.current?.postMessage(base64Json); } } catch (e) { if (__DEV__) console.error('[imagePicker]', e); setProcessing(false); } }; diff --git a/src/screens/ShiftScreen.tsx b/src/screens/ShiftScreen.tsx index e04f2fb..fba8736 100644 --- a/src/screens/ShiftScreen.tsx +++ b/src/screens/ShiftScreen.tsx @@ -31,17 +31,9 @@ export default function ShiftScreen() { setOcrText(''); const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`); - const base64Json = JSON.stringify(base64List).replace(/'/g, "\\'"); + const base64Json = JSON.stringify(base64List); - const jsCode = ` - if (window.runTesseract) { - window.runTesseract('${base64Json}'); - } else { - window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: "Motore OCR non pronto." })); - } - true; - `; - webViewRef.current?.injectJavaScript(jsCode); + webViewRef.current?.postMessage(base64Json); } } catch (e) { Alert.alert("Errore OCR", "Impossibile elaborare l'immagine."); @@ -216,7 +208,12 @@ export default function ShiftScreen() {