3

I have a string that i'd like to stringify in Kotlin (Android), but it seems that org.json.* doesn't support taking a string and re-stringifying it, instead it always tries to parse it first.

val str = "test=\"123\""
val stringified = JSONObject(str).toString() // JSONException: Value a of type java.lang.String cannot be converted to `JSONObject`

The use case for this ability is passing data to JS inside a Webview in a secure manner.

val json = "test=\"123\""
webview.evaluateJavascript("window.onData(${json})")
// on the JS side it will look like this: window.onData(test="123")
// this is both invalid and insecure since it opens the door for raw JS injection

Any attempt to do it manually will result in an insecure and possibly invalid JS string
This example should NOT be used:
val insecureJSON = "'${str.replace("\\", "\\\\").replace("\"", "\\\"").replace("'", "\'")}'"

The desired behavior:

val json = jsonStringifyString("test=\"123\"")
webview.evaluateJavascript("window.onData(${json})")
// rendered JS: window.onData("test=\"123\"")

Is there an easy method for stringifying a string in Android?

MrBar
  • 950
  • 6
  • 15

1 Answers1

3

Ended up using the JSONArray class and removing the array wrapping to trick the class to stringify a plain string

fun jsonStringifyString(str: String): String {
    val jsonStr = JSONArray().put(str).toString()
    return jsonStr.substring(1, jsonStr.length - 1) // remove first and last char
}

val serializedData = jsonStringifyString("test=\"123\"");

webview.evaluateJavascript("window.onData(${serializedData})")
// rendered JS: window.onData("test=\"123\"")
MrBar
  • 950
  • 6
  • 15