Loading core/java/android/webkit/WebView.java +29 −24 Original line number Original line Diff line number Diff line Loading @@ -198,10 +198,10 @@ import java.util.regex.Pattern; * <li>Modifying the {@link android.webkit.WebSettings}, such as * <li>Modifying the {@link android.webkit.WebSettings}, such as * enabling JavaScript with {@link android.webkit.WebSettings#setJavaScriptEnabled(boolean) * enabling JavaScript with {@link android.webkit.WebSettings#setJavaScriptEnabled(boolean) * setJavaScriptEnabled()}. </li> * setJavaScriptEnabled()}. </li> * <li>Adding JavaScript-to-Java interfaces with the {@link * <li>Injecting Java objects into the WebView using the * android.webkit.WebView#addJavascriptInterface} method. * {@link android.webkit.WebView#addJavascriptInterface} method. This * This lets you bind Java objects into the WebView so they can be * method allows you to inject Java objects into a page's JavaScript * controlled from the web pages JavaScript.</li> * context, so that they can be accessed by JavaScript in the page.</li> * </ul> * </ul> * * * <p>Here's a more complicated example, showing error handling, * <p>Here's a more complicated example, showing error handling, Loading Loading 
@@ -4002,34 +4002,39 @@ public class WebView extends AbsoluteLayout } } /** /** * Use this function to bind an object to JavaScript so that the * This method injects the supplied Java object into the WebView. The * methods can be accessed from JavaScript. * object is injected into the JavaScript context of the main frame, using * the supplied name. This allows the Java object to be accessed from * JavaScript. Note that that injected objects will not appear in * JavaScript until the page is next (re)loaded. For example: * <pre> webView.addJavascriptInterface(new Object(), "injectedObject"); * webView.loadData("<!DOCTYPE html><title></title>", "text/html", null); * webView.loadUrl("javascript:alert(injectedObject.toString())");</pre> * <p><strong>IMPORTANT:</strong> * <p><strong>IMPORTANT:</strong> * <ul> * <ul> * <li> Using addJavascriptInterface() allows JavaScript to control your * <li> addJavascriptInterface() can be used to allow JavaScript to control * application. This can be a very useful feature or a dangerous security * the host application. This is a powerful feature, but also presents a * issue. When the HTML in the WebView is untrustworthy (for example, part * security risk. Use of this method in a WebView containing untrusted * or all of the HTML is provided by some person or process), then an * content could allow an attacker to manipulate the host application in * attacker could inject HTML that will execute your code and possibly any * unintended ways, executing Java code with the permissions of the host * code of the attacker's choosing.<br> * application. Use extreme care when using this method in a WebView which * Do not use addJavascriptInterface() unless all of the HTML in this * could contain untrusted content. * WebView was written by you.</li> * <li> JavaScript interacts with Java object on a private, background * <li> The Java object that is bound runs in another thread and not in * thread of the WebView. 
Care is therefore required to maintain thread * the thread that it was constructed in.</li> * safety.</li> * </ul></p> * </ul></p> * @param obj The class instance to bind to JavaScript, null instances are * @param object The Java object to inject into the WebView's JavaScript * ignored. * context. Null values are ignored. * @param interfaceName The name to used to expose the instance in * @param name The name used to expose the instance in JavaScript. * JavaScript. */ */ public void addJavascriptInterface(Object obj, String interfaceName) { public void addJavascriptInterface(Object object, String name) { checkThread(); checkThread(); if (obj == null) { if (object == null) { return; return; } } WebViewCore.JSInterfaceData arg = new WebViewCore.JSInterfaceData(); WebViewCore.JSInterfaceData arg = new WebViewCore.JSInterfaceData(); arg.mObject = obj; arg.mObject = object; arg.mInterfaceName = interfaceName; arg.mInterfaceName = name; mWebViewCore.sendMessage(EventHub.ADD_JS_INTERFACE, arg); mWebViewCore.sendMessage(EventHub.ADD_JS_INTERFACE, arg); } } Loading Loading
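Review bot: In the class-level list item at @@ -198, the rewritten bullet states the same thing twice ("Injecting Java objects into the WebView ..." followed by "This method allows you to inject Java objects ...") and gives no hint that the method carries a security warning. Suggest collapsing it to one sentence and adding a pointer to the IMPORTANT section of the addJavascriptInterface() Javadoc, so that readers of the class overview see the risk before they reach the method.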
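Review bot: In the IMPORTANT list of the addJavascriptInterface() Javadoc (@@ -4002), the rewrite removes the one concrete rule the old text gave, "Do not use addJavascriptInterface() unless all of the HTML in this WebView was written by you", and replaces it with "Use extreme care", which gives an app developer nothing actionable. Suggest keeping an explicit rule alongside the new wording about Java code executing with the permissions of the host application. Smaller points in the same comment block: "Note that that injected objects" has a doubled word; "interacts with Java object" should read "with the Java object"; the HTML string inside the <pre> example contains raw angle brackets, which need escaping to render correctly in Javadoc; and the example would set a better precedent by injecting a purpose-built class with a minimal method surface rather than a bare new Object().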