android--WebView使用addJavascriptInterface在sdk 17的问题

2019-07-24 15:54:10 浏览数 (1)

当调用WebView 的addJavascriptInterface时,使用android:targetSdkVersion="10"时是没有问题的,能够触发事件,但是毕竟使用版本时一般都使用最新的,我在开发时为了追求新,然后使用了android:targetSdkVersion="17"的属性,开始使用时并没有什么问题,大多数手机是可以使用的,比如中兴的N986,小米的MIMU4.1的系统是没有问题的,系统为2.3的几个机型也没看出问题,后来三星Note3上出问题啦,调用不了这个事件,我也纠结了半天,后来在网上查找原因,是去年android的漏洞所致,

所以修改方法有两个:

1,修改android:targetSdkVersion="10",这个只能为一时的解决方案,

2. 查找官方文件:说在17以上需要添加一个接口JavascriptInterface才能用,后来仔细看了官方的Demo才找到,就是蓝色加粗部分。如果这个问题您也遇到过,希望能帮助你,谢谢

官方给的说明:

public void addJavascriptInterface (Object object, String name)

Added in API level 1

Injects the supplied Java object into this WebView. The object is injected into the JavaScript context of the main frame, using the supplied name. This allows the Java object's methods to be accessed from JavaScript. For applications targeted to API level JELLY_BEAN_MR1 and above, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. For applications targeted to API level JELLY_BEAN or below, all public methods (including the inherited ones) can be accessed, see the important security note below for implications.

Note that injected objects will not appear in JavaScript until the page is next (re)loaded. For example:

代码语言:javascript复制
 class JsObject {    @JavascriptInterface    public String toString() { return "injectedObject"; } } webView.addJavascriptInterface(new JsObject(), "injectedObject"); webView.loadData("", "text/html", null); webView.loadUrl("javascript:alert(injectedObject.toString())");

IMPORTANT:

  • This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN or below, because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.
  • JavaScript interacts with Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety.
  • The Java object's fields are not accessible.
Parameters

object

the Java object to inject into this WebView's JavaScript context. Null values are ignored.

name

the name used to expose the object in JavaScript

0 人点赞