cordova-dev mailing list archives

From Erik Jan de Wit <>
Subject Re: Android Plugin API
Date Wed, 28 May 2014 18:20:56 GMT

On 28 May 2014, at 19:06, Joe Bowser <> wrote:

> We don't want this pattern for Android because it is also more bug prone.

Doesn’t the same hold true for iOS?

> On May 28, 2014 8:28 AM, "Erik Jan de Wit" <> wrote:
>> So this security issue is only a problem if you are able to inject some
>> arbitrary js code. If your app ships with its own html and js this is very
>> hard to do.
> No, it's not. Any trusted input could have the potential to inject JS.
> We're not even touching on the third-party ad networks code, frameworks or
> other code that developers add on a regular basis.

Still, in the example Android permits any method to be executed (getClass); there could be checks.
For instance, only public methods that have a JSONArray and a CallbackContext as parameters
and have the name of the action. That way you can’t inject any arbitrary code. If a user
implements the wrong method, the error logging can be done in a way that one can easily correct
the issue, because of these checks.
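
The checks described in the message above, sketched as an added example (not code from the original message or from Cordova itself). `JSONArray` and `CallbackContext` here are minimal stand-ins for the real classes, and `dispatch` and `EchoPlugin` are hypothetical names.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.List;

public class ActionDispatchDemo {
    // Stand-ins (assumptions) for org.json.JSONArray and Cordova's CallbackContext.
    static class JSONArray { final List<Object> items; JSONArray(Object... i) { items = Arrays.asList(i); } }
    static class CallbackContext {
        String result = "(no result)";
        void success(String msg) { result = "OK: " + msg; }
        void error(String msg) { result = "ERROR: " + msg; }
    }

    // Hypothetical plugin: only echo() has the shape the dispatcher accepts.
    public static class EchoPlugin {
        public void echo(JSONArray args, CallbackContext cb) { cb.success(String.valueOf(args.items.get(0))); }
        public void reset() { }                                                   // public, wrong parameters
        void secret(JSONArray args, CallbackContext cb) { cb.success("secret"); } // right parameters, not public
    }

    // Invokes `action` only if it names a public, non-static, void method taking exactly
    // (JSONArray, CallbackContext); anything else is reported through the callback.
    static boolean dispatch(Object plugin, String action, JSONArray args, CallbackContext cb) {
        try {
            // getMethod() sees public methods only and matches the full parameter list,
            // so getClass(), wait(), toString() and similar never resolve.
            Method m = plugin.getClass().getMethod(action, JSONArray.class, CallbackContext.class);
            if (Modifier.isStatic(m.getModifiers()) || m.getReturnType() != void.class) {
                cb.error("Action '" + action + "' must be a non-static void method");
                return false;
            }
            m.invoke(plugin, args, cb);
            return true;
        } catch (NoSuchMethodException e) {
            // Error text spells out the expected signature so a plugin author can fix it.
            cb.error("No action '" + action + "': expected public void " + action
                    + "(JSONArray, CallbackContext) in " + plugin.getClass().getSimpleName());
        } catch (ReflectiveOperationException e) {
            cb.error("Action '" + action + "' failed: " + e);
        }
        return false;
    }

    public static void main(String[] argv) {
        for (String action : new String[] {"echo", "getClass", "reset", "secret"}) {
            CallbackContext cb = new CallbackContext();
            dispatch(new EchoPlugin(), action, new JSONArray("hello"), cb);
            System.out.println(action + " -> " + cb.result);
        }
    }
}
```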
