We don't want this pattern for Android because it is also more bug prone.

On May 28, 2014 8:28 AM, "Erik Jan de Wit" <ede...@redhat.com> wrote:
>
> So this security issue is only a problem if you are able to inject some
> arbitrary js code. If your app ships with its own html and js this is very
> hard to do.

No, it's not. Any trusted input could have the potential to inject JS.
We're not even touching on the third-party ad networks code, frameworks or
other code that developers add on a regular basis.
