Fix lint warnings: AddJavascriptInterface, SetJavaScriptEnabled, WrongConstant#43
Open
jim-daf wants to merge 1 commit into
Conversation
…nabled, WrongConstant
- D3SView.java: Add @SuppressLint for SetJavaScriptEnabled and AddJavascriptInterface. JavaScript and the JS bridge are required for 3DS payment flow; only trusted ACS pages are loaded.
- D3SRegexUtils.java: Replace static imports with qualified Pattern.compile(), Pattern.DOTALL, Pattern.CASE_INSENSITIVE so lint can verify the flag constants.

Fixes LivotovLabs#8

3624013 to 857be4d
Pull request overview
This PR addresses Android lint warnings in the 3DS WebView component by suppressing security-related WebView lint checks where JavaScript/JS-bridging is required, and by restructuring regex compilation to avoid a WrongConstant lint false positive.
Changes:
- Suppress `SetJavaScriptEnabled` and `AddJavascriptInterface` lint warnings on `D3SView.initUI()`.
- Replace static-import `compile(...)` usage with `Pattern.compile(...)` and qualify regex flag constants to satisfy `WrongConstant`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| 3DSView/src/main/java/eu/livotov/labs/android/d3s/D3SView.java | Adds @SuppressLint for WebView JavaScript and JS-interface lint warnings. |
| 3DSView/src/main/java/eu/livotov/labs/android/d3s/D3SRegexUtils.java | Qualifies Pattern.compile and flag constants to avoid lint misclassification. |
Comments suppressed due to low confidence (1)
3DSView/src/main/java/eu/livotov/labs/android/d3s/D3SView.java:80
`@SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})` silences a real security issue when `minSdkVersion` is 10: on API < 17, `addJavascriptInterface` exposes all public methods via reflection (CVE-2012-6636), and this WebView also enables JS and injects `javascript:` URLs. Instead of only suppressing lint, please either (a) raise the library `minSdkVersion` to 17+, or (b) gate the `addJavascriptInterface` call behind `Build.VERSION.SDK_INT >= 17` and provide a safer fallback/explicit failure on older devices. If you intentionally keep API < 17 support, add an in-code comment documenting the threat model and why it is acceptable here so consumers understand the risk.

```java
@SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
private void initUI() {
    getSettings().setJavaScriptEnabled(true);
    getSettings().setBuiltInZoomControls(true);
    addJavascriptInterface(new D3SJSInterface(), JavaScriptNS);
```
Fix Lint Warnings (Issue #8)
Resolves #8
Changes
1. D3SView.java -- Add @SuppressLint for SetJavaScriptEnabled and AddJavascriptInterface
2. D3SRegexUtils.java -- Use qualified Pattern.compile() instead of static import
Testing
Note on `minSdkVersion`

The `AddJavascriptInterface` lint warning exists because `minSdkVersion` is currently set to 10. On API < 17, `addJavascriptInterface` exposes all public methods via JavaScript reflection, which is a known security vulnerability (CVE-2012-6636).

This PR suppresses the warning with `@SuppressLint`, which is the least invasive approach. However, raising `minSdkVersion` to 17 would eliminate the vulnerability at its root rather than just silencing the lint check.

That said, changing `minSdkVersion` is a project-wide decision -- it would drop support for Android 2.3–4.1 devices entirely and could affect any app that depends on this library. While those API levels represent effectively 0% of active devices today, it's a change the maintainers should evaluate for their user base.

If raising the minimum SDK is acceptable, the `@SuppressLint("AddJavascriptInterface")` annotation could be removed in favor of that.
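The following is an added example, not code from this PR or from the LivotovLabs library, showing what the reviewer's option (b) and the PR's `minSdkVersion` note look like in one place: the `addJavascriptInterface` call is gated on API 17+, the bridge exposes only `@JavascriptInterface`-annotated methods, older devices get an explicit, queryable failure instead of a silently installed bridge, and the regex helper uses the qualified `Pattern.compile()` with `Pattern.DOTALL | Pattern.CASE_INSENSITIVE` in the same style the PR applies to `D3SRegexUtils`. The class names `SafeThreeDsWebView`, `ThreeDsBridge`, the `BRIDGE_NAMESPACE` value, the regex string and the `example` package are all hypothetical; the library's own `D3SJSInterface` and `JavaScriptNS` are not used.

```java
// Added example (hypothetical names throughout); not the library's code.
package example;

import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

import java.util.regex.Pattern;

public class SafeThreeDsWebView extends WebView {

    // Name under which the bridge object is visible to page script (hypothetical value).
    private static final String BRIDGE_NAMESPACE = "D3SJS";

    // Qualified Pattern.compile() with explicitly referenced flag constants, so the
    // WrongConstant lint check can resolve the flag values. The regex is a constructed
    // placeholder, not the library's real ACS-form pattern.
    static final Pattern ACS_FORM_PATTERN = Pattern.compile(
            "<form[^>]*>.*?</form>", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);

    // Records whether the JS bridge was installed, so the host app can fail explicitly
    // instead of discovering a missing bridge mid-payment.
    private boolean bridgeInstalled;

    public SafeThreeDsWebView(Context context) {
        super(context);
        initUI();
    }

    // SetJavaScriptEnabled remains suppressed: JS is required for the 3DS flow.
    // AddJavascriptInterface no longer needs suppression because the call is gated.
    @SuppressLint("SetJavaScriptEnabled")
    private void initUI() {
        getSettings().setJavaScriptEnabled(true);
        getSettings().setBuiltInZoomControls(true);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { // API 17
            // On API 17+ only @JavascriptInterface-annotated methods are reachable from
            // page script, so the reflection exposure (CVE-2012-6636) does not apply.
            addJavascriptInterface(new ThreeDsBridge(), BRIDGE_NAMESPACE);
            bridgeInstalled = true;
        } else {
            // Pre-17: every public method of the bridge object would be callable from
            // any script the page runs. Do not install the bridge; surface the failure.
            bridgeInstalled = false;
        }
    }

    /** True when the JS bridge is active; callers should abort the flow when false. */
    public boolean isBridgeAvailable() {
        return bridgeInstalled;
    }

    /** Bridge object: only the annotated method is exposed to page script on API 17+. */
    public static class ThreeDsBridge {
        @JavascriptInterface
        public void onPaymentResult(String html) {
            // Hand the ACS result back to the host (hypothetical handling omitted).
        }

        // Not annotated: invisible to page script on API 17+.
        public void internalHelper() {
        }
    }
}
```

The host app checks `isBridgeAvailable()` before starting a payment and reports an unsupported-device error when it returns false; this keeps the `minSdkVersion` decision with the maintainers while ensuring an API < 17 device never runs the flow with an unrestricted bridge.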