none
Mobile App executes html scripts RRS feed

  • Question

  • Am testing a mobile app, in one of scenario where there is option to enter text. I have inputted html code say something below and can submit it

    Below codes are executed on my mobile app

    
    <html>
    <body>
    <button type="button" onclick="alert('Hello world!')">Click Me!</button>
    </body>
    </html>

    Result: Shows the input and button controls, however button click doesn't show alert

    OR

    enter code here
    <form action="http://google.com" method="get">
    First name: <input type="text" name="fname"><br>
    <button type="submit">Submit</button><br>
    </form>

    Result: Shows up input and button click opens targeted external page in the app.

    OR

    
    <form action="" method="post">
    <input name="username" value="admin" />
    <input name="password" type="password" value="secret" />
    <input name="injected" value="injected" dirname="password" />
    <input type="submit">
    </form>

    I can even embed a youtube video and play it in app. 1.What kind of security threat is it. 2.To What extent does it harm app security. 3.Does it fall under XSS. Any example scripts to pull app info or alert popup would be helpful


    No Signaturesss!

    Monday, May 8, 2017 10:23 AM

All replies

  • This forum is not for mobile apps. Please identify the technology you're using so we can move this to the correct forums. If this is more of an HTML-related question then please post in the ASP.NET forums.
    Monday, May 8, 2017 1:43 PM
  • I am looking for mobile apps developed on andriod with HTML and other languages. Can you route to appropriate forum

    No Signaturesss!

    Monday, May 8, 2017 4:17 PM
  • I believe you are looking for Xamarin then if you're trying to build via VS. Those forums are not integrated into MSDN Forums. Please post in their dedicated forums.
    Monday, May 8, 2017 4:46 PM