Is is possible to have an Android application coded in only JAVA have XSS vulnerabilities (reflect or stored type)?
For Instance, can we call following lines of code written in Android/JAVA :
//input taken from user on EditTextView without any validation
String userAddress = addressInputEditText.getText();
//now just displaying the userAddress on TextView
addressDisplayTextView.setText(userAddress);
has an XSS Vulnerability, if userAddress string object is intercepted and changed to any vulnerable string in between? If so then what can be that string and how can we prevent it?
I myself am not familiar with such an issue. XSS attacks on the web exist because the browser can treat something you think of as a string, as a potential script, for example the string: <script>alert("hello")</script>.
However, in android, the runtime isnt trying to understand whether the input is a string, a script or some other type of data. It treats it as a string. So even if you were trying to type in some malicious code, it would not be executed, and would simply be displayed as any other string would.