TargetMisser · TargetMisser · Apr 7, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-05-18 - [Insecure JavaScript Injection via String Interpolation in WebViews]
+**Vulnerability:** Found a pattern in `src/screens/ShiftScreen.tsx` where string interpolation (`'${base64Json}'`) and manual quote replacement (`.replace(/'/g, "\\'")`) were used to pass a JSON payload directly into a `WebView`'s `injectJavaScript` function.
+**Learning:** This approach creates an XSS / JS Injection vulnerability if the payload contains unescaped quotes or malicious executable sequences.
+**Prevention:** To prevent this, always rely on `JSON.stringify()` to safely escape values before interpolating them into JavaScript code (e.g., `window.runTesseract(${JSON.stringify(base64Json)});`) rather than using manual text replacement and raw string interpolation.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/screens/ShiftScreen.tsx b/src/screens/ShiftScreen.tsx
@@ -31,11 +31,11 @@ export default function ShiftScreen() {
         setOcrText('');
 
         const base64List = result.assets.map(a => `data:image/jpeg;base64,${a.base64}`);
-        const base64Json = JSON.stringify(base64List).replace(/'/g, "\\'");
+        const base64Json = JSON.stringify(base64List);
 
         const jsCode = `
           if (window.runTesseract) {
-            window.runTesseract('${base64Json}');
+            window.runTesseract(${JSON.stringify(base64Json)});
           } else {
             window.ReactNativeWebView.postMessage(JSON.stringify({ success: false, error: "Motore OCR non pronto." }));
           }