github
diff --git a/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.qhelp
Lines changed: 32 additions & 0 deletions b/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.qhelp
Lines changed: 32 additions & 0 deletions
diff --git a/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEvalBad.swift
Lines changed: 6 additions & 0 deletions b/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEvalBad.swift
Lines changed: 6 additions & 0 deletions
diff --git a/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEvalGood.swift
Lines changed: 10 additions & 0 deletions b/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEvalGood.swift
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Evaluating JavaScript that contains a substring from a remote origin may lead to remote code execution. Code under control of an attacker can execute arbitrary unauthorized actions, including exfiltration of local data by sending it to a third party web service.</p>
+
+</overview>
+<recommendation>
+
+<p>When loading JavaScript into a web view, evaluate only known, locally-defined source code. If a part of the input does come from a remote source, instead of injecting it into the JavaScript code to be evaluated, prefer sending it as data to the web view using an API such as <code>WKWebView.callAsyncJavaScript</code> with the <code>arguments</code> dictionary to pass remote data objects.</p>
+
+</recommendation>
+<example>
+
+<p>In the following example, a call to <code>WKWebView.evaluateJavaScript</code> evaluates JavaScript source code that is tainted with remote data, potentially introducing a code injection vulnerability.</p>
+
+<sample src="UnsafeJsEvalBad.swift" />
+
+<p>To fix the problem, we sanitize the remote data by passing it using the <code>arguments</code> dictionary of <code>WKWebView.callAsyncJavaScript</code>. This ensures that untrusted data cannot be evaluated as JavaScript source code.</p>
+
+<sample src="UnsafeJsEvalGood.swift" />
+
+</example>
+<references>
+
+<li>
+  <a href="https://developer.apple.com/documentation/webkit/wkwebview/3824703-callasyncjavascript">Apple Developer Documentation - WKWebView.callAsyncJavaScript(_:arguments:in:contentWorld:)</a>
+</li>
+
+</references>
+</qhelp>
@@ -0,0 +1,6 @@
+let webview: WKWebView
+let remoteData = try String(contentsOf: URL(string: "http://example.com/evil.json")!)
+
+...
+
+_ = try await webview.evaluateJavaScript("alert(" + remoteData + ")") // BAD
@@ -0,0 +1,10 @@
+let webview: WKWebView
+let remoteData = try String(contentsOf: URL(string: "http://example.com/evil.json")!)
+
+...
+
+_ = try await webview.callAsyncJavaScript(
+    "alert(JSON.parse(data))",
+    arguments: ["data": remoteData], // GOOD
+    contentWorld: .page
+)