Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iOS: Escape singlequotes or messages containing ' will fail #138

Merged
merged 1 commit into from
Jun 25, 2018
Merged

iOS: Escape singlequotes or messages containing ' will fail #138

merged 1 commit into from
Jun 25, 2018

Conversation

benvium
Copy link
Contributor

@benvium benvium commented Aug 16, 2016

RCTWebViewBridge.m has a classic 'SQL Injection Attack' issue.

The use of "'%@'" - intending to wrap the string in single quotes, will fail if the string itself contains a single quote.

We discovered this when we noted that JSON payloads containing strings with ' characters were not appearing in the WebView as expected.

This PR simply escapes ' characters before formatting into the JavaScript string.

@chansuke chansuke self-requested a review June 25, 2018 14:01
chansuke
chansuke reviewed Jun 25, 2018
View reviewed changes
ios/RCTWebViewBridge.m
@@ -97,8 +97,11 @@ - (void)sendToBridge:(NSString *)message
}
}());
);

// Escape singlequotes or messages containing ' will fail
NSString *quotedMessage = [message stringByReplacingOccurrencesOfString:@"'" withString:@"\\'"];
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

chansuke
chansuke approved these changes Jun 25, 2018
View reviewed changes
Copy link
Collaborator

@chansuke chansuke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chansuke chansuke merged commit e070577 into alinz:master Jun 25, 2018
fungilation added a commit to fungilation/react-native-webview-bridge that referenced this pull request Jun 25, 2018
@fungilation
merged alinz#138
ce3a399 
- fixes single quote escaping in json payload
@snyk-bot snyk-bot mentioned this pull request Oct 1, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chansuke chansuke chansuke approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@benvium @chansuke