Properly escape JavaScript code on Android (#20366)

Summary: These changes will fix executing javascript with any special characters, by making use of the `evaluateJavascript` function on Android 4.4+, and by properly escaping the URI on Android <4.4. Fixes #19611 • Fixes #20365 • Fixes #9749 • Closes #19655 • Closes #12321 This PR supersedes #19655 by patching the same problem in all the places, and fixing it for Android <4.4 as well. Pull Request resolved: #20366 Differential Revision: D9242968 Pulled By: hramos fbshipit-source-id: f2e1abc786ba333dbd8aaa8922e716fd99ec26e0
facebook · Aug 9, 2018 · e6b305b · e6b305b · fungilation · Aug 26, 2018
1 parent 8ee9002
commit e6b305b
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/ReactAndroid/src/main/java/com/facebook/react/views/webview/ReactWebViewManager.java b/ReactAndroid/src/main/java/com/facebook/react/views/webview/ReactWebViewManager.java
@@ -16,6 +16,7 @@
 import javax.annotation.Nullable;
 
 import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Locale;
@@ -325,11 +326,25 @@ public void setMessagingEnabled(boolean enabled) {
       }
     }
 
+    protected void evaluateJavascriptWithFallback(String script) {
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
+        evaluateJavascript(script, null);
+        return;
+      }
+
+      try {
+        loadUrl("javascript:" + URLEncoder.encode(script, "UTF-8"));
+      } catch (UnsupportedEncodingException e) {
+        // UTF-8 should always be supported
+        throw new RuntimeException(e);
+      }
+    }
+
     public void callInjectedJavaScript() {
       if (getSettings().getJavaScriptEnabled() &&
           injectedJS != null &&
           !TextUtils.isEmpty(injectedJS)) {
-        loadUrl("javascript:(function() {\n" + injectedJS + ";\n})();");
+        evaluateJavascriptWithFallback("(function() {\n" + injectedJS + ";\n})();");
       }
     }
 
@@ -348,7 +363,7 @@ public void onReceiveValue(String value) {
           });
         }
 
-        loadUrl("javascript:(" +
+        evaluateJavascriptWithFallback("(" +
           "window.originalPostMessage = window.postMessage," +
           "window.postMessage = function(data) {" +
             BRIDGE_NAME + ".postMessage(String(data));" +
@@ -637,9 +652,10 @@ public void receiveCommand(WebView root, int commandId, @Nullable ReadableArray
         break;
       case COMMAND_POST_MESSAGE:
         try {
+          ReactWebView reactWebView = (ReactWebView) root;
           JSONObject eventInitDict = new JSONObject();
           eventInitDict.put("data", args.getString(0));
-          root.loadUrl("javascript:(function () {" +
+          reactWebView.evaluateJavascriptWithFallback("(function () {" +
             "var event;" +
             "var data = " + eventInitDict.toString() + ";" +
             "try {" +
@@ -655,7 +671,8 @@ public void receiveCommand(WebView root, int commandId, @Nullable ReadableArray
         }
         break;
       case COMMAND_INJECT_JAVASCRIPT:
-        root.loadUrl("javascript:" + args.getString(0));
+        ReactWebView reactWebView = (ReactWebView) root;
+        reactWebView.evaluateJavascriptWithFallback(args.getString(0));
         break;
     }
   }