User input in "loadHTMLString" will result in JavaScript Injection.

ID

objectivec.platform.ios_load_html_string

Severity

low

Resource

Platform

Language

Objective-C

Description

User input in "loadHTMLString" will result in JavaScript Injection.

Rationale

User input in "loadHTMLString" will result in JavaScript Injection. The string passed to "loadHTMLString" is rendered as a complete HTML document inside the WKWebView, so any script element or event-handler attribute it contains executes as JavaScript. When that string is built from untrusted input, the attacker decides what runs in the web view.

The following code illustrates a vulnerable pattern detected by this rule:

#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface BadViewController : UIViewController
@property (nonatomic, strong) WKWebView *webView;
@end

@implementation BadViewController

- (void)badLoadUserHTML:(NSString *)userInput {
    // VULNERABLE: User input in "loadHTMLString" will result in JavaScript Injection.
    // userInput is rendered as-is, so markup and scripts inside it are interpreted.
    [self.webView loadHTMLString:userInput baseURL:nil];
}

@end

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
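The following is an added example of the fixed pattern, not code from the rule page or its vendor; the class GoodViewController and the helper EscapeForHTML are assumed names. User-controlled text is HTML-escaped and placed into an app-controlled template, and content JavaScript is switched off for a view that only needs to show text.

```objectivec
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Hypothetical helper (added for this example): HTML-escapes a string so it
// is rendered as text and never parsed as markup or script.
static NSString *EscapeForHTML(NSString *input) {
    NSString *s = input ?: @"";
    s = [s stringByReplacingOccurrencesOfString:@"&" withString:@"&amp;"]; // must run first
    s = [s stringByReplacingOccurrencesOfString:@"<" withString:@"&lt;"];
    s = [s stringByReplacingOccurrencesOfString:@">" withString:@"&gt;"];
    s = [s stringByReplacingOccurrencesOfString:@"\"" withString:@"&quot;"];
    s = [s stringByReplacingOccurrencesOfString:@"'" withString:@"&#39;"];
    return s;
}

@interface GoodViewController : UIViewController
@property (nonatomic, strong) WKWebView *webView;
@end

@implementation GoodViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    // Defence in depth: this view only renders static text, so content
    // JavaScript is disabled for every page it loads (iOS 14+ API).
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.defaultWebpagePreferences.allowsContentJavaScript = NO;
    self.webView = [[WKWebView alloc] initWithFrame:self.view.bounds
                                      configuration:config];
    [self.view addSubview:self.webView];
}

- (void)goodLoadUserHTML:(NSString *)userInput {
    // SAFE: the input is escaped and then inserted as text into a template the
    // app controls; a "<script>" tag in userInput is displayed, not executed.
    NSString *html = [NSString stringWithFormat:
        @"<!DOCTYPE html><html><body><p>%@</p></body></html>",
        EscapeForHTML(userInput)];
    [self.webView loadHTMLString:html baseURL:nil];
}

@end
```

Keeping baseURL nil also denies the loaded document a file or app origin, which limits what any script that did slip through could reach.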

Configuration

This detector does not need any configuration.