Issue: Using setJavaScriptEnabled can introduce XSS vulnerabilities


Issue: “Using setJavaScriptEnabled can introduce XSS vulnerabilities into your application, review carefully”.

Android Lint reports the above warning whenever you enable JavaScript by calling the setJavaScriptEnabled(true) method on the WebSettings of a WebView.

setJavaScriptEnabled() lint warning

The warning appears because WebView consumes web content that can include HTML and JavaScript, which may cause security issues if it is not used properly. Here, XSS stands for “cross-site scripting”, which is a form of hacking; by enabling client-side script in a WebView that the user accesses from your application, you open your application up to such attacks.

But Android provides a number of mechanisms to reduce the scope of these potential issues by limiting the capability of WebView to the minimum functionality required by your application.

There are 2 possible solutions we can go with:

  1. If your app really doesn’t require JavaScript within a WebView, then don’t call setJavaScriptEnabled(true).
  2. If you are sure that cross-site scripting is not possible (e.g. you either load web content from an internal resource or don’t actually access web pages on the WWW), then simply suppress the warning by adding the Android annotation SuppressLint above the activity declaration, for example:
import android.annotation.SuppressLint;
import android.app.Activity;

// Suppresses only the SetJavaScriptEnabled lint check, for this class only.
@SuppressLint("SetJavaScriptEnabled")
public class MyActivity extends Activity
{
    // ... activity code that calls setJavaScriptEnabled(true) ...
}

Note: By default, WebView does not execute JavaScript, so cross-site scripting is not possible.
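As an added example (not code from the original post), here is one way to combine the second solution with the "minimum functionality" idea above: JavaScript is enabled only for a page bundled in the app's assets, and every other WebView capability is switched off. The class name LocalHelpActivity and the asset index.html are assumed names, and the shouldOverrideUrlLoading overload used here requires API level 24 or later.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical activity: LocalHelpActivity and index.html are assumed names.
public class LocalHelpActivity extends Activity {
    // Only pages bundled in the APK's assets folder may be shown in this WebView.
    private static final String ASSET_PREFIX = "file:///android_asset/";

    @SuppressLint("SetJavaScriptEnabled") // justified: only bundled content is loaded
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // Switch off everything the bundled page does not need.
        settings.setBlockNetworkLoads(true);    // no resources fetched from the network
        settings.setAllowFileAccess(false);     // android_asset URLs remain reachable
        settings.setAllowContentAccess(false);  // no content:// URLs
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri uri = request.getUrl();
                if (uri.toString().startsWith(ASSET_PREFIX)) {
                    return false; // navigation to a bundled page: load it here
                }
                String scheme = uri.getScheme();
                if ("https".equals(scheme) || "http".equals(scheme)) {
                    // Web links open in the browser, never in the script-enabled WebView.
                    startActivity(new Intent(Intent.ACTION_VIEW, uri));
                }
                return true; // every other navigation is cancelled
            }
        });
        webView.loadUrl(ASSET_PREFIX + "index.html");
    }
}
```

Placing @SuppressLint on the single method that enables JavaScript, rather than on the whole class, keeps the lint check active for any other WebView added to the activity later.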

Paresh Mayani

Paresh Mayani is a lead Android developer from India. Currently, he is a Sr. Software Engineer at InfoStretch Solutions Pvt. Ltd. He has been developing Android apps since the very 1st version, i.e. Android 1.5; he says he has seen the days and nights of Android history. He is the Head/Organizer of Google Developers Group (GDG), Ahmedabad.