Dart Webview Html Injection
Description
This detector identifies HTML injection vulnerabilities in Dart WebView components where untrusted user input is directly embedded into HTML content without proper sanitization. When malicious HTML or JavaScript is injected through WebView, it can lead to cross-site scripting (XSS) attacks, allowing attackers to execute arbitrary code in the WebView context.
Detection Strategy
• The code must import WebView libraries (webview_flutter, flutter_webview_plugin, or webview_flutter_plus)
• A WebView method that accepts HTML content must be called (such as loadHtmlString, loadUrl with data URI, or evaluateJavascript)
• The HTML argument passed to the WebView method must contain tainted data from untrusted sources
• The tainted data must flow to the HTML parameter without going through proper sanitization functions
• The vulnerability is reported on the WebView method call that receives the unsanitized user input
Vulnerable code example
import 'dart:io';
import 'package:shelf/shelf.dart';
import 'package:path_provider/path_provider.dart';
import 'package:webview_flutter/webview_flutter.dart';
import 'package:flutter_inappwebview/flutter_inappwebview.dart';
// VULNERABLE: User-controlled HTML loaded into WebView
Future<Response> handleRequest(Request req, WebViewController controller) async {...
Secure code example
import 'dart:io';
import 'dart:convert';
import 'package:shelf/shelf.dart';
import 'package:path_provider/path_provider.dart';
import 'package:webview_flutter/webview_flutter.dart';
import 'package:flutter_inappwebview/flutter_inappwebview.dart';
// SAFE: Input sanitized before WebView loading...
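The contrast the detector looks for, as an added example that is not part of the original page or Fluid Attacks' code. It is pure Dart so it runs without Flutter: the returned strings are what an app would pass to loadHtmlString or evaluateJavascript. It also covers the JavaScript sink, which needs a different encoder than the HTML one. The function names and sample inputs are hypothetical.

```dart
import 'dart:convert';

/// VULNERABLE: untrusted text is interpolated straight into markup, so any
/// tags or event-handler attributes it contains are parsed by the WebView.
String buildPageUnsafe(String displayName) =>
    '<html><body><h1>Hello, $displayName</h1></body></html>';

/// SAFE (HTML sink): htmlEscape encodes & < > " ' / so the input can only be
/// rendered as text, never parsed as elements or attributes.
String buildPageSafe(String displayName) =>
    '<html><body><h1>Hello, ${htmlEscape.convert(displayName)}</h1></body></html>';

/// SAFE (JavaScript sink): jsonEncode emits a quoted, escaped string literal,
/// so the input cannot close the string and append statements. HTML escaping
/// would be the wrong encoder in this context.
String buildScriptSafe(String displayName) =>
    'document.title = ${jsonEncode(displayName)};';

void main() {
  // Constructed sample inputs standing in for a tainted request parameter.
  const htmlInput = '<img src=x onerror="alert(1)">';
  const jsInput = '"; alert(1); //';

  final unsafe = buildPageUnsafe(htmlInput);
  final safe = buildPageSafe(htmlInput);
  final script = buildScriptSafe(jsInput);

  print('unsafe page: $unsafe');
  print('safe page:   $safe');
  print('safe script: $script');

  // The unsafe page carries a live element; the safe page carries only text.
  if (!unsafe.contains('<img')) {
    throw StateError('expected raw markup in the unsafe page');
  }
  if (safe.contains('<img') || !safe.contains('&lt;img')) {
    throw StateError('expected escaped markup in the safe page');
  }
  // The quote in the JS input is escaped, so the literal stays closed.
  if (!script.contains(r'\"')) {
    throw StateError('expected an escaped quote in the script');
  }
}
```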