Swift

Made by DeepSource

Use of unrestricted base URL in web view SW-S1000

Security
Critical
CWE-79 (SANS Top 25), CWE-95, CWE-749

When a web view loads content from a source (a web page or an HTML string), that content can in turn trigger further requests for resources such as images, scripts and stylesheets. The base URL is what relative references in the content resolve against, and it also determines the origin the content runs in. If it is not restricted, an attacker who controls any part of the HTML can reference local files or malicious sites, leading to data leakage or execution of attacker-supplied script.

For example, if the base URL is not restricted, an attacker could use the file:// scheme to reach sensitive local files on the user's device and expose data the app should never make reachable from web content. For the same reason, a file:// URL must never be passed as the base URL when the HTML being loaded is influenced by untrusted input.

Calling loadHTMLString without a deliberately chosen baseURL exposes the app to these risks. With baseURL set to nil, URLs referenced within the loaded content are not confined to a controlled origin, which an attacker can exploit.

The recommendation is to always pass an explicit, controlled baseURL when loading HTML content into a web view. If the content does not need to reference external resources, about:blank is a safe choice: relative references in the content resolve to nothing, and the content cannot reach local files.

Bad Practice

import UIKit

// htmlData stands for the HTML the app wants to render; in the vulnerable case
// it may be partly attacker-influenced.
let htmlData = "<html><body><img src=\"logo.png\"></body></html>"

let webview = UIWebView()

// Loading HTML content without setting a restricted baseURL:
// the content is not confined to a controlled origin.
webview.loadHTMLString(htmlData, baseURL: nil)

Recommended

import UIKit

let htmlData = "<html><body><img src=\"logo.png\"></body></html>"

// Note: UIWebView is deprecated; WKWebView exposes the same
// loadHTMLString(_:baseURL:) method and should be used in new code.
let webview = UIWebView()

// Loading HTML content with a restricted baseURL (about:blank):
// relative references such as "logo.png" resolve to nothing and the
// content cannot reach file:// resources.
webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank"))
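The snippet below is an added example, not part of DeepSource's rule page, showing how a practitioner would apply the recommendation in WKWebView and back it up with a navigation check. The `RestrictedWebView` class, its `allowedHosts` parameter and the sample HTML are assumptions made for the example: the web view loads the HTML against an `about:blank` base, and a navigation delegate refuses any navigation that is not `about:` or `https://` to an allowlisted host, so a `file://` link injected into the content is cancelled rather than followed.

```swift
import UIKit
import WebKit

/// Wraps a WKWebView so that HTML strings are always loaded against a
/// restricted base URL and navigations are checked against an allowlist.
/// (Hypothetical helper written for this example.)
final class RestrictedWebView: NSObject, WKNavigationDelegate {
    let webView: WKWebView
    private let allowedHosts: Set<String>

    init(allowedHosts: Set<String>) {
        self.webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
        self.allowedHosts = allowedHosts
        super.init()
        webView.navigationDelegate = self
    }

    /// Loads an HTML string with about:blank as the base URL, so relative
    /// references in the content do not resolve and file:// is unreachable.
    func load(html: String) {
        webView.loadHTMLString(html, baseURL: URL(string: "about:blank"))
    }

    /// Policy check used by the navigation delegate: only the about: scheme
    /// (the blank base itself) and https to allowlisted hosts are permitted;
    /// everything else, including file://, is refused.
    func isAllowed(_ url: URL) -> Bool {
        if url.scheme == "about" { return true }
        guard url.scheme == "https", let host = url.host else { return false }
        return allowedHosts.contains(host)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url, isAllowed(url) else {
            decisionHandler(.cancel)
            return
        }
        decisionHandler(.allow)
    }
}

// Constructed sample: HTML that an attacker has managed to inject a
// file:// link into. With the restricted base and the policy check the
// page renders, but following the link is cancelled.
let untrustedHTML = """
<html><body>
<p>Hello</p>
<a href="file:///etc/passwd">open</a>
<a href="https://example.com/help">help</a>
</body></html>
"""

let restricted = RestrictedWebView(allowedHosts: ["example.com"])
restricted.load(html: untrustedHTML)

// Spot checks of the policy outside the web view:
restricted.isAllowed(URL(string: "file:///etc/passwd")!)      // false
restricted.isAllowed(URL(string: "https://example.com/help")!) // true
restricted.isAllowed(URL(string: "https://evil.example/")!)    // false
restricted.isAllowed(URL(string: "about:blank")!)              // true
```

The delegate's `decidePolicyFor` is invoked for top-level and frame navigations, not for subresource fetches such as images or scripts, so it complements rather than replaces the restricted base URL; if the HTML genuinely needs no external resources, adding a `Content-Security-Policy` meta tag with `default-src 'none'` to the HTML is a further, standard way to refuse those fetches.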