4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-24 - Cross-Site Scripting (XSS) via React Native WebView injectJavaScript
**Vulnerability:** The React Native components `HomeScreen.tsx` and `ShiftScreen.tsx` used `webViewRef.current?.injectJavaScript()` with string interpolation of `base64Json` to send data to the OCR WebView. While the data was base64 encoded and therefore slightly obfuscated, dynamic string interpolation in `injectJavaScript` carries a structural risk of code injection if the data source contains executable payloads, particularly considering the data payload originates from external image selection.
**Learning:** React Native developers often use `injectJavaScript` for convenience to execute code in WebViews, but combining it with dynamically stringified inputs creates an evaluation context vulnerability. The safer boundary is to treat the WebView as a separate frame and use structured message passing.
**Prevention:** Strictly enforce the use of `postMessage` alongside structured event listeners (`window.addEventListener("message", ...)`) in the WebView's JavaScript context for bidirectional communication, instead of executing stringified functions directly with `injectJavaScript`. Use a handshake mechanism (e.g., `'READY'`) to ensure the WebView is prepared to receive messages before sending them.
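Review bot: The **Prevention** line stops at the transport and omits receiver-side validation: it mandates `postMessage` with a `window.addEventListener("message", ...)` listener and a `'READY'` handshake, but it does not say the listener must parse the payload as data and check its type and shape before acting on it. Moving from `injectJavaScript` to `postMessage` only removes the evaluation context; if the handler later feeds the message into `eval`, `innerHTML` or similar, the same class of bug returns. Suggest adding a sentence such as "The listener must treat `event.data` as untrusted: parse it, verify the expected message type and fields, and never evaluate it." The same applies to the `'READY'` message on the React Native side. Separately, the **Vulnerability** line describes base64 as "slightly obfuscated" and the risk as "structural", while the heading calls it XSS; the entry would be more useful if it stated how `base64Json` was interpolated (quoted or not) and whether an injection was actually demonstrated, so a reader can tell a confirmed finding from a hardening change.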