cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <>
Subject Re: Android Plugin API
Date Wed, 28 May 2014 18:35:10 GMT
On May 28, 2014 11:21 AM, "Erik Jan de Wit" <> wrote:
> On 28 May,2014, at 19:06 , Joe Bowser <> wrote:
> > We don't want this pattern for Android because it is also more bug
> Doesn’t the same hold true for iOS?

I don't know, it very much could be.  It could be that this makes sense in
Obj-C but not in Java based on how they handle NoSuchMethod.  I'd prefer to
not have to rely on an exception being caught, especially since it could
suppress other exceptions being thrown that I want to know about.

Also, I'm assuming the exception is NoSuchMethod, which isn't a safe
assumption given that each device has their own quirks and this isn't

> >
> > On May 28, 2014 8:28 AM, "Erik Jan de Wit" <> wrote:
> >>
> >> So this security issue is only a problem if you are able to inject some
> > arbitrary js code. If your app ships with it’s own html and js this is
> > hard to do.
> >
> > No, it's not. Any trusted input could have the potential to inject JS.
> > We're not even touching on the third-party ad networks code, frameworks
> > other code that developers add on a regular basis.
> Still in the example android permits any method to be executed (getClass)
there could be checks. For instance only public methods that have a
JSONArray and a CallbackContext as parameters and have the name of the
action. That way you can’t inject any arbitrary code. If a user implements
the wrong method the error logging can be in a way that one can easily
correct the issue, because of these checks.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message