XSS in WKWebView iOS: Risks, Exploits, and Fixes

WKWebView is one of those APIs that looks harmless until you ship a hybrid app, load a little untrusted HTML, and accidentally hand JavaScript access to native code. That’s where XSS in iOS apps gets ugly. Browser XSS is already bad. XSS inside WKWebView can be worse because the payload may not stop at stealing cookies or rewriting the DOM. If your app exposes native functionality through WKScriptMessageHandler, custom URL schemes, or sloppy navigation delegates, injected JavaScript can start poking at app internals. ...
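The bridge pattern the paragraph describes, in Swift, as an added example that is not code from the original page: an unguarded WKScriptMessageHandler that dispatches whatever action the page names, beside a hardened version that escapes untrusted text before it reaches the DOM, checks the sender's origin and frame, allowlists the exported actions, and uses the navigation delegate to refuse non-https and third-party loads. The type names, the handler name "bridge", the action names and the host trusted.example.com are assumptions for illustration; NativeActions stands in for whatever native functionality the app actually exposes.

```swift
import WebKit

// Stand-in for the app's native functionality (assumed; not from the page).
enum NativeActions {
    static func perform(_ action: String, args: [String: Any]) {
        print("native action \(action) with \(args)")
    }
}

// VULNERABLE: any script running in the web view, including one injected
// through unescaped HTML, can call
//   window.webkit.messageHandlers.bridge.postMessage({action: "..."})
// and this handler performs whatever the page asked for.
final class UnsafeBridge: NSObject, WKScriptMessageHandler {
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard let body = message.body as? [String: Any],
              let action = body["action"] as? String else { return }
        NativeActions.perform(action, args: body)   // no origin check, no allowlist
    }
}

func makeUnsafeWebView(untrustedText: String) -> WKWebView {
    let config = WKWebViewConfiguration()
    config.userContentController.add(UnsafeBridge(), name: "bridge")
    let webView = WKWebView(frame: .zero, configuration: config)
    // Untrusted text is interpolated straight into markup; a <script> in it
    // runs with access to the bridge above.
    webView.loadHTMLString("<html><body>\(untrustedText)</body></html>", baseURL: nil)
    return webView
}

// HARDENED: escape before rendering, gate the bridge, restrict navigation.
func htmlEscape(_ s: String) -> String {
    var out = ""
    for c in s {
        switch c {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(c)
        }
    }
    return out
}

let trustedHosts: Set<String> = ["trusted.example.com"]   // assumed first-party host

final class GuardedBridge: NSObject, WKScriptMessageHandler {
    // Only explicitly exported actions, never an arbitrary name from the page.
    private let allowedActions: Set<String> = ["openSettings", "shareReport"]

    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        let frame = message.frameInfo
        let origin = frame.securityOrigin
        // Drop messages from subframes and from any non-https or third-party origin.
        guard frame.isMainFrame,
              origin.`protocol` == "https",
              trustedHosts.contains(origin.host) else { return }
        guard let body = message.body as? [String: Any],
              let action = body["action"] as? String,
              allowedActions.contains(action) else { return }
        NativeActions.perform(action, args: body)
    }
}

final class GuardedNavigation: NSObject, WKNavigationDelegate {
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              url.scheme == "https",
              let host = url.host,
              trustedHosts.contains(host) else {
            decisionHandler(.cancel)   // javascript:, file:, custom schemes, other hosts
            return
        }
        decisionHandler(.allow)
    }
}

let guardedNavigation = GuardedNavigation()   // navigationDelegate is weak; keep a strong ref

func makeGuardedWebView(untrustedText: String) -> WKWebView {
    let config = WKWebViewConfiguration()
    config.userContentController.add(GuardedBridge(), name: "bridge")
    let webView = WKWebView(frame: .zero, configuration: config)
    webView.navigationDelegate = guardedNavigation
    // The baseURL gives the document a first-party origin; with baseURL nil the
    // origin is opaque and the origin check above would reject every message.
    let html = "<html><body>\(htmlEscape(untrustedText))</body></html>"
    webView.loadHTMLString(html, baseURL: URL(string: "https://trusted.example.com/"))
    return webView
}
```

Feeding both builders the same constructed input, for example `"<script>window.webkit.messageHandlers.bridge.postMessage({action:'shareReport'})</script>"`, shows the difference: the unsafe view executes the script and the bridge performs the action, while the guarded view renders the text literally. The origin and frame checks still matter on the hardened side because a later navigation or an iframe could otherwise reach the same handler; the navigation delegate and the allowlist are there so that a single missed escape does not become native code execution.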

May 18, 2026 · 7 min · headertest.com