On 28 May,2014, at 19:06 , Joe Bowser <[email protected]> wrote: > We don't want this pattern for Android because it is also more bug prone.
Doesn’t the same hold true for iOS? > > On May 28, 2014 8:28 AM, "Erik Jan de Wit" <[email protected]> wrote: >> >> So this security issue is only a problem if you are able to inject some > arbitrary js code. If your app ships with it’s own html and js this is very > hard to do. > > No, it's not. Any trusted input could have the potential to inject JS. > We're not even touching on the third-party ad networks code, frameworks or > other code that developers add on a regular basis. Still in the example android permits any method to be executed (getClass) there could be checks. For instance only public methods that have a JSONArray and a CallbackContext as parameters and have the name of the action. That way you can’t inject any arbitrary code. If a user implements the wrong method the error logging can be in a way that one can easily correct the issue, because of these checks.
