Fix WebView JavaScript string escaping for backslashes and quotes #33726
Merged
jfversluis merged 2 commits into inflight/current from Jan 29, 2026
Pull request overview
Fixes JavaScript escaping used when wrapping WebView.EvaluateJavaScriptAsync scripts in eval('...'), ensuring backslashes are escaped (and in the correct order) alongside single quotes to avoid mis-parsing and potential script injection/breakout.
Changes:
- Updated `WebViewHelper.EscapeJsString` to escape backslashes before single quotes and removed the regex-based approach.
- Expanded unit tests to cover backslash-only and mixed backslash/quote scenarios, including the reported attack vector.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Core/src/Handlers/WebView/WebViewHelper.cs | Updates JS escaping logic (backslashes + single quotes) for safe embedding into eval('...'). |
| src/Controls/tests/Core.UnitTests/WebViewHelperTests.cs | Adds/updates unit tests to validate backslash and mixed escaping behavior. |
Member
/azp run maui-pr-uitests, maui-pr-devicetests
Azure Pipelines successfully started running 2 pipeline(s).
PureWeen
previously approved these changes
Jan 27, 2026
3e5bb92 to
83d1a37
Compare
83d1a37 to
0890a12
Compare
Member
/azp run maui-pr-uitests, maui-pr-devicetests
Azure Pipelines successfully started running 2 pipeline(s).
This was referenced Jan 27, 2026
Open
PureWeen
approved these changes
Jan 28, 2026
jfversluis
approved these changes
Jan 29, 2026
PureWeen
added a commit
that referenced
this pull request
Jan 29, 2026
…3726)

> [!NOTE]
> Are you waiting for the changes in this PR to be merged?
> It would be very helpful if you could [test the resulting artifacts](https://github.com/dotnet/maui/wiki/Testing-PR-Builds) from this PR and let us know in a comment if this change resolves your issue. Thank you!

## Description
Fixes JavaScript string escaping in `WebViewHelper.EscapeJsString` to properly handle both backslashes and single quotes.

### Changes
- Escape backslashes **before** single quotes (order matters for `eval()`)
- Prevents potential injection issues when passing strings to JavaScript
- Updated unit tests to cover backslash escaping scenarios

## Testing
- Unit tests added/updated in `WebViewHelperTests.cs`

---------

Co-authored-by: Shane Neuville <shane94@hotmail.com>
PureWeen
added a commit
that referenced
this pull request
Feb 2, 2026
github-actions bot
pushed a commit
that referenced
this pull request
Feb 4, 2026
github-actions bot
pushed a commit
that referenced
this pull request
Feb 8, 2026
PureWeen
added a commit
that referenced
this pull request
Feb 9, 2026
github-actions bot
pushed a commit
that referenced
this pull request
Feb 9, 2026
PureWeen
added a commit
that referenced
this pull request
Feb 10, 2026
.NET MAUI inflight/candidate introduces significant improvements across all platforms with focus on quality, performance, and developer experience. This release includes 20 commits with various improvements, bug fixes, and enhancements.

## Blazor
- Fix for BlazorWebView Back Navigation Issues on Android 13+ After Predictive Back Gesture Changes by @SuthiYuvaraj in #33213
  <details>
  <summary>🔧 Fixes</summary>

  - [Back navigation different between .net 9 and .net 10 blazor hybrid](#32767)
  </details>

## CollectionView
- [Android] Fix for CollectionView.EmptyView does not remeasure its height when the parent layout changes dynamically, causing incorrect sizing. by @BagavathiPerumal in #33559
  <details>
  <summary>🔧 Fixes</summary>

  - [`CollectionView.EmptyView` does not remeasure its height when the parent layout changes dynamically, causing incorrect sizing.](#33324)
  </details>
- [Android] Fixed CollectionView reordering last item by @vitalii-vov in #17825
  <details>
  <summary>🔧 Fixes</summary>

  - [Android app crashes when dragging into CollectionView](#17823)
  </details>

## DateTimePicker
- [iOS] Fix VoiceOver focus not shifting to Picker/DatePicker/TimePicker popups by @kubaflo in #33152
  <details>
  <summary>🔧 Fixes</summary>

  - [Voiceover does not automatically shift focus to the "Category" popup when it opens.: A11y_Developer balance version .NET 10_Project_ScreenReader](#30746)
  </details>

## Dialogalert
- [iOS 26] Fix DisplayPromptAsync maxLength not enforced due to new multi-range delegate by @Shalini-Ashokan in #33616
  <details>
  <summary>🔧 Fixes</summary>

  - [[iOS 26.1] DisplayPromptAsync ignores maxLength and does not respect RTL FlowDirection](#33549)
  </details>

## Flyout
- [iOS] Shell: Account for SafeArea when positioning flyout footer by @kubaflo in #32891
  <details>
  <summary>🔧 Fixes</summary>

  - [[IOS] Footer not displaying in iOS when StackOrientation.Horizontal is set on FlyoutFooter](#26395)
  </details>

## Fonts
- Hide obsolete FontSize values from IDE autocomplete by @noiseonwires in #33694

## Gestures
- Android pan fixes by @BurningLights in #21547
  <details>
  <summary>🔧 Fixes</summary>

  - [Flickering occurs while updating the width of ContentView through PanGestureRecognizer.](#20772)
  </details>

## Navigation
- Shell: Add duplicate route validation for sibling elements by @SubhikshaSf4851 in #32296
  <details>
  <summary>🔧 Fixes</summary>

  - [OnNavigatedTo is not called when navigating from a specific page](#14000)
  </details>

## Picker
- Improved Unfocus support for Picker on Mac Catalyst by @kubaflo in #33127
  <details>
  <summary>🔧 Fixes</summary>

  - [When using voiceover unable to access expanded list of project combo box: A11y_.NET maui_user can creat a tak_Screen reader](#30897)
  - [Task and Project controls are not accessible with keyboard:A11y_.NET maui_User can create a new task_Keyboard](#30891)
  </details>

## SafeArea
- [iOS] SafeArea: Return Empty for non-ISafeAreaView views (opt-in model) by @praveenkumarkarunanithi in #33526
  <details>
  <summary>🔧 Fixes</summary>

  - [[iOS] SafeArea is not applied when a ContentPage uses a ControlTemplate](#33458)
  </details>

## Shell
- [iOS] Fix ObjectDisposedException in TraitCollectionDidChange on window disposal by @jeremy-visionaid in #33353
  <details>
  <summary>🔧 Fixes</summary>

  - [Intermittent crash on exit on MacCatalyst - ObjectDisposedException](#33352)
  </details>
- [Issue-Resolver] Explicit fallback for BackButtonBehavior lookup by @kubaflo in #33204
  <details>
  <summary>🔧 Fixes</summary>

  - [Setting BackButtonBehavior to not visible or not enabled does not work](#28570)
  - [BackButtonBehavior not bound](#33139)
  </details>

## Templates
- [Templates] Remove redundant SemanticProperties.Description attribute by @kubaflo in #33621
  <details>
  <summary>🔧 Fixes</summary>

  - [Task and Project controls are not accessible with keyboard:A11y_.NET maui_User can create a new task_Keyboard](#30891)
  - [Unable to select "Tags" when Voiceover is turned on.: A11y_Developer balance version .NET 10_Project_ScreenReader](#30749)
  </details>

## Theme
- [Windows] Fix runtime theme update for controls and TitleBar by @Tamilarasan-Paranthaman in #31714
  <details>
  <summary>🔧 Fixes</summary>

  - [[Windows][MacOS?] Change title bar color when switching light/dark theme at runtime](#12507)
  - [OS system components ignore app theme](#22058)
  - [[Mac Catalyst][Windows] TitleBar not reacting on UserAppTheme changes](#30518)
  - [In dark theme "Back" and "hamburger" button icon color contrast with background color is less than 3:1: A11y_.NET maui_User can get all the insights of Dashboard_Non text Contrast](#30807)
  - [`Switch` is invisible on `PointOver` when theme has changed](#31819)
  </details>

## Theming
- [XSG] Fix Style Setters referencing source-generated bindable properties by @simonrozsival in #33562

## Titlebar
- [Windows] Fix TitleBar.IsVisible = false the caption buttons become unresponsive by @devanathan-vaithiyanathan in #33256
  <details>
  <summary>🔧 Fixes</summary>

  - [When TitleBar.IsVisible = false the caption buttons become unresponsive on Windows](#33171)
  </details>

## WebView
- Fix WebView JavaScript string escaping for backslashes and quotes by @StephaneDelcroix in #33726

## Xaml
- [XSG] Fix NaN value in XAML generating invalid code by @StephaneDelcroix in #33533
  <details>
  <summary>🔧 Fixes</summary>

  - [[XSG] NaN value in XAML generates invalid code](#33532)
  </details>

<details>
<summary>📦 Other (1)</summary>

- Remove InternalsVisibleTo attributes for .NET MAUI Community Toolkit by @jfversluis via @Copilot in #33442
</details>

**Full Changelog**: main...inflight/candidate
Note
Are you waiting for the changes in this PR to be merged?
It would be very helpful if you could test the resulting artifacts from this PR and let us know in a comment if this change resolves your issue. Thank you!
Description
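Fixes JavaScript string escaping in `WebViewHelper.EscapeJsString` to properly handle both backslashes and single quotes.

Changes
- Escape backslashes before single quotes (order matters for `eval()`)
- Prevents potential injection issues when passing strings to JavaScript
- Updated unit tests to cover backslash escaping scenarios

Testing
- Unit tests added/updated in `WebViewHelperTests.cs`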
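The ordering rule from this PR ("escape backslashes before single quotes"), shown as an added example that is not part of the pull request or the MAUI code base. The three escaper functions and the sample inputs are hypothetical and constructed here; `roundTrips` checks whether the JavaScript parser recovers the original text from `'<escaped>'`, which is the property an `eval('...')` wrapper depends on.

```javascript
// Added example, not MAUI source. All function names are hypothetical.

// Escapes only single quotes: a backslash already present in the input
// combines with the backslash added here and changes what the parser reads.
function escapeQuotesOnly(s) {
  return s.replace(/'/g, "\\'");
}

// Escapes both characters in the wrong order: the backslash added for each
// quote in step 1 is doubled in step 2, which leaves the quote unescaped.
function escapeQuotesThenBackslashes(s) {
  return s.replace(/'/g, "\\'").replace(/\\/g, "\\\\");
}

// Order described in the PR: backslashes first, then single quotes.
function escapeBackslashesThenQuotes(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Parse '<escaped>' as a JavaScript string literal and report whether the
// parser yields exactly the original text.
function roundTrips(escape, input) {
  try {
    return new Function("return '" + escape(input) + "';")() === input;
  } catch (e) {
    return false; // the literal ended early and the remainder did not parse
  }
}

// Constructed, benign samples: quote only, backslash only, and two mixes.
const samples = ["it's", "C:\\temp", "\\'", "a\\\\'b"];

function report() {
  return samples.map((s) => ({
    input: s,
    quotesOnly: roundTrips(escapeQuotesOnly, s),
    quotesThenBackslashes: roundTrips(escapeQuotesThenBackslashes, s),
    backslashesThenQuotes: roundTrips(escapeBackslashesThenQuotes, s),
  }));
}

console.table(report());
```

Only the backslashes-first escaper round-trips all four samples; the other two either change the decoded value or terminate the literal early. The example covers only the two characters this PR addresses.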