Skip to content

πŸ›‘οΈ Sentinel: [HIGH] Fix XSS vulnerability in WebView injection #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
TargetMisser wants to merge 1 commit into
base: main
Choose a base branch
from
+37 βˆ’36
Open

πŸ›‘οΈ Sentinel: [HIGH] Fix XSS vulnerability in WebView injection #144

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2024-04-29 - Cross-Site Scripting (XSS) risk via injectJavaScript
**Vulnerability:** React Native WebViews used `injectJavaScript` with dynamically stringified data (e.g. `JSON.stringify(base64List)`) that could be intercepted or manipulated, leading to potential Cross-Site Scripting (XSS) in the WebView context.
**Learning:** Even when the data being injected is ostensibly secure (like base64 image strings), directly injecting it into a JavaScript string for evaluation within `injectJavaScript` carries XSS risks.
**Prevention:** Use `webViewRef.current.postMessage` to pass data safely across the React Native and WebView boundary. Implement `message` event listeners in the WebView to handle the incoming data instead of dynamically constructing script strings.
17 changes: 1 addition & 16 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

25 changes: 16 additions & 9 deletions src/screens/HomeScreen.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,20 @@ window.runTesseract = async function(base64JsonStr) {
window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: e.message || e.toString() }));
}
};
document.addEventListener("message", function(event) {
if (window.runTesseract) {
window.runTesseract(event.data);
} else {
window.ReactNativeWebView.postMessage(JSON.stringify({success:false,error:'OCR non pronto'}));
}
});
window.addEventListener("message", function(event) {
if (window.runTesseract) {
window.runTesseract(event.data);
} else {
window.ReactNativeWebView.postMessage(JSON.stringify({success:false,error:'OCR non pronto'}));
}
});
</script></body></html>`;

function PinnedFlightCardComponent({ item, colors }: { item: any; colors: any }) {
Expand Down Expand Up @@ -283,15 +297,8 @@ export default function HomeScreen({ isFocused }: { isFocused?: boolean }) {
setProcessing(true); setOcrText('');
const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`);
const base64Json = JSON.stringify(base64List);
// Use postMessage pattern to avoid script-injection risks with injectJavaScript
webViewRef.current?.injectJavaScript(`
if(window.runTesseract){
window.runTesseract(${JSON.stringify(base64Json)});
} else {
window.ReactNativeWebView.postMessage(JSON.stringify({success:false,error:'OCR non pronto'}));
}
true;
`);
// Use postMessage to securely send data to WebView
webViewRef.current?.postMessage(base64Json);
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Wait for WebView readiness before posting OCR payload

This postMessage call is now unconditional, but the WebView only registers its message listeners after the inline script runs (which is blocked by loading tesseract.min.js from CDN). If the user picks images before the WebView is ready (cold start/slow network), the payload is dropped, no onMessage reply is emitted, and processing remains stuck true indefinitely. The previous path returned an explicit "OCR non pronto" error when the engine was unavailable, so this introduces a user-visible hang (same pattern is present in ShiftScreen).

Useful? React with πŸ‘Β / πŸ‘Ž.

}
} catch (e) { if (__DEV__) console.error('[imagePicker]', e); setProcessing(false); }
};
Expand Down
27 changes: 16 additions & 11 deletions src/screens/ShiftScreen.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,17 +32,8 @@ export default function ShiftScreen() {
setOcrText('');

const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`);
const base64Json = JSON.stringify(base64List).replace(/'/g, "\\'");

const jsCode = `
if (window.runTesseract) {
window.runTesseract('${base64Json}');
} else {
window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: "Motore OCR non pronto." }));
}
true;
`;
webViewRef.current?.injectJavaScript(jsCode);
const base64Json = JSON.stringify(base64List);
webViewRef.current?.postMessage(base64Json);
}
} catch (e) {
Alert.alert("Errore OCR", "Impossibile elaborare l'immagine.");
Expand Down Expand Up @@ -230,6 +221,20 @@ export default function ShiftScreen() {
window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: e.message || e.toString() }));
}
};
document.addEventListener("message", function(event) {
if (window.runTesseract) {
window.runTesseract(event.data);
} else {
window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: "Motore OCR non pronto." }));
}
});
window.addEventListener("message", function(event) {
if (window.runTesseract) {
window.runTesseract(event.data);
} else {
window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: "Motore OCR non pronto." }));
}
});
</script>
</body>
</html>
Expand Down
Loading