cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <>
Subject Re: Android: Deprecate WebView.sendJavascript()?
Date Mon, 26 May 2014 18:04:06 GMT
On Mon, May 26, 2014 at 9:59 AM, Andrew Grieve <> wrote:
> From:
> Given that you can implement sendJavascript via PluginResults by just
> eval()ing the results, maybe we could just deprecate the function?

And this comment just earned this proposal a -1.

Just eval()ing the results is a completely awful idea because it
assumes that we can trust the data being returned from the plugin,
which security researchers have shown many, many times that you can't.
 That reason alone makes me want to keep this, although it's also bad
in it's current form.

View raw message