flutter-stripe / flutter_stripe

Flutter SDK for Stripe.
https://pub.dev/packages/flutter_stripe

JavaScript execution in WebView #1966

Open prashant-ERA opened 3 days ago

prashant-ERA commented 3 days ago

Describe the bug
A clear and concise description of what the bug is. I am using flutter_stripe in my project. During code review it was found that WebView permits JavaScript execution in its WebView implementation. Whilst this setting can be essential for certain interactive web content, it can also introduce various security weaknesses if the WebView is used to load untrusted or dynamically generated content. Vulnerabilities like Cross-Site Scripting (XSS) have become a significant concern in such scenarios and could expose the application and its users to various security threats. These threats include stealing user data, accessing local resources, or manipulating application behaviour.

To Reproduce Steps to reproduce the behavior:

  1. Entering number 123-456-789 into the cardfield.
  2. Tapping the confirm button.
  3. Observe a failure with exception (including the part of the stack trace, belonging to this package) …

Expected behavior A clear and concise description of what you expected to happen.

Smartphone / tablet

Additional context Add any other context about the problem here.
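Added example (not code from flutter_stripe or from the reporter): what a restricted native Android WebView configuration for a hosted payment page looks like, keeping JavaScript on for that page while removing the file, content-provider and popup access that would turn an XSS on the page into access to the device, and cancelling navigations to hosts outside an allowlist. The allowlist host is a placeholder; an app would fill it with the exact origins its payment flow loads.

```kotlin
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

// Placeholder allowlist: replace with the hosts the payment page actually needs.
val TRUSTED_HOSTS: Set<String> = setOf("payments.example.invalid")

// True only for https navigations to an allowlisted host.
fun isTrustedNavigation(scheme: String?, host: String?): Boolean =
    scheme == "https" && host != null && host.lowercase() in TRUSTED_HOSTS

// JavaScript stays enabled because the hosted page needs it; everything else
// that widens what a script on that page can reach is switched off.
fun hardenPaymentWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = true                       // required by the hosted page
        allowFileAccess = false                        // no file:// reads from page scripts
        allowContentAccess = false                     // no content:// provider access
        setSupportMultipleWindows(false)               // no popups
        javaScriptCanOpenWindowsAutomatically = false
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
        setGeolocationEnabled(false)
    }
    // Do not call addJavascriptInterface on this WebView: any native object exposed
    // there is callable by every script the page runs, injected ones included.
    WebView.setWebContentsDebuggingEnabled(false)

    webView.webViewClient = object : WebViewClient() {
        // Returning true cancels the navigation. This covers top-level navigations
        // only; the initial loadUrl call and subresource loads must be vetted separately.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            val url = request.url
            return !isTrustedNavigation(url.scheme, url.host)
        }
    }
}
```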

remonh87 commented 1 day ago

Can you give me some more information? For example, why are you using a webview for Flutter Stripe? What is the element that you are talking about?

We do not create elements ourselves and host only Stripe Native elements that are tested and verified against the highest security requirements.