Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Dart static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your DART code

Tags

Impact

Clean code attribute

Parameter names should match base declaration
Code Smell
Exposing native code through JavaScript interfaces is security-sensitive
Security Hotspot
"child" properties should be placed last in widget instantiation
Code Smell
Literal constructors parameters of @immutable classes should be const
Code Smell
Unnecessary widget containers should be removed
Code Smell
Widget constructors should have a key parameter
Code Smell
"SizedBox" should be used to add a whitespace to a layout
Code Smell
"mounted" should be checked before using a "BuildContext " after an async operation
Bug
Flutter widget "createState" should only return a new "State"
Code Smell
@immutable classes should only have const constructors
Code Smell
Const constructors should be invoked with const
Code Smell
"part of" directives should be used with strings
Code Smell
Unnecessary getters and setters should be removed
Code Smell
Web-only libraries should only be used in Flutter web plugins
Code Smell
"void" variables should not be assigned a value
Bug
Super parameters should be preferred to forwarding parameters to super
Code Smell
If-null operator shouldn't be used with "null"
Code Smell
Generic function type syntax should be preferred for parameters
Code Smell
Unnecessary nullable in final declaration should be removed
Code Smell
Null-aware assignments should make sense
Code Smell
"new" keyword shouldn't be used
Code Smell
Unnecessary use of "toList" with spread operator
Code Smell
Unnecessary string interpolations
Code Smell
"late" modifier should be necessary
Code Smell
Unnamed constructor should be used instead of `.new`
Code Smell
Initialization formals shouldn't be unnecessarily type annotated
Code Smell
Unnecessary braces in string interpolation should be removed
Code Smell
Constant patterns should not be used with type literals
Bug
Triple slash should be used for documentation comments
Code Smell
Initializing formals should be used
Code Smell
Spread collections should be preferred to chaining list insertions
Code Smell
Inline list literals should be preferred to chains of insertions
Code Smell
Pubspec urls should be secure
Vulnerability
Referenced packages should be listed as dependencies
Code Smell
Dependencies should be sorted
Code Smell
For elements should be preferred to Map.fromIterable
Code Smell
Adjacent string concatenation should be preferred
Code Smell
Fields should not be overridden
Code Smell
Non-constant names should comply with a naming convention
Code Smell
Library prefixes shouldn't start with underscore
Code Smell
Private types shouldn't be exposed in public API
Code Smell
Library prefixes should comply with naming conventions
Code Smell
Library annotations should be attached to library directive
Code Smell
Library doc comments should be attached to library directive
Code Smell
Implementation imports shouldn't be used
Code Smell
Implicit tearoff of "call" shouldn't be used
Code Smell
Single cascade shouldn't be used
Code Smell
Function literals shouldn't be used in foreach calls
Code Smell
Wildcard variable shouldn't be used
Code Smell
"is!" should be used instead of "!is"
Bug
Relative lib imports should not be used
Code Smell
Uninitialized variables and fields should be explicitly typed
Code Smell
Types should not be used as parameter names
Code Smell
Void functions should not return null
Code Smell
Getters should not be recursive
Bug
Function declarations should be preferred over variables
Code Smell
Nullable type parameter values should not be null checked with `!`
Bug
Extension identifiers should comply with a naming convention
Code Smell
Local identifiers should not start with underscore
Code Smell
Null checks in equality operators should be avoided
Code Smell
If-null operator should be preferred
Code Smell
Null-aware operators should be preferred
Code Smell
Unnecessary character escapes should be removed
Code Smell
Redundant type casts should be removed
Code Smell
Enabling JavaScript support for WebViews is security-sensitive
Security Hotspot
Empty constructor bodies should be replaced with a semicolon
Code Smell
Regular expressions should be syntactically valid
Bug
Generic function type aliases should be preferred
Code Smell
Accessing Android external storage is security-sensitive
Security Hotspot
Type parameters should not shadow other type parameters
Code Smell
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Color definitions should be valid
Bug
"await" should only be used with futures
Code Smell
"static final" declarations should be "const" instead
Code Smell
Cognitive Complexity of functions should not be too high
Code Smell
"const" modifier should not be redundant
Bug
"switch" statements should cover all cases
Code Smell
Interpolation should be used instead of String concatenation
Code Smell
Ternary operators should not be nested
Code Smell
Collection literals should be preferred
Code Smell
Conditional assignment should be preferred
Code Smell
Iterable "whereType" should be used to filter by type
Code Smell
"this" should only be used when required
Code Smell
Fields that are only assigned in the constructor should be "readonly"
Code Smell
Exceptions should not be ignored
Code Smell
Variables should not be initialized with "null"
Code Smell
Setters should not declare return types
Bug
"is!" should be used instead of "!(. is .)"
Code Smell
Dart build, compiler, or analyzer configuration errors
Code Smell
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Inappropriate collection calls should not be made
Bug
Unnecessary equality checks should not be made
Bug
Code annotated as deprecated should not be used
Code Smell
Unused assignments should be removed
Code Smell
The original exception object should be rethrown
Bug
File names should comply with a naming convention
Code Smell
Cyclomatic Complexity of functions should not be too high
Code Smell
Unused local variables should be removed
Code Smell
Control structures should use curly braces
Code Smell
"==" operator and "hashCode()" should be overridden in pairs
Bug
Package names should comply with a naming convention
Code Smell
String literals should not be duplicated
Code Smell
Overriding methods should do more than simply call the same method in the super class
Code Smell
"@override" should be used on overriding members
Code Smell
"isEmpty" or "isNotEmpty" should be used to test for emptiness
Code Smell
Constant names should comply with a naming convention
Code Smell
Jump statements should not occur in "finally" blocks
Bug
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
Deprecated code should be removed
Code Smell
Files should end with a newline
Code Smell
Unnecessary imports should be removed
Code Smell
Deprecated elements should include explanation
Code Smell
Utility classes should not have public constructors
Code Smell
Empty statements should be removed
Code Smell
Functions should not have too many parameters
Code Smell
Unused "private" fields should be removed
Code Smell
Unused labels should be removed
Code Smell
Standard outputs should not be used directly to log anything
Code Smell
Class names should comply with a naming convention
Code Smell

Enabling JavaScript support for WebViews is security-sensitive

consistency - conventional

security

Security Hotspot

cwe
android

WebViews can be used to display web content as part of a mobile application. A browser engine is used to render and display the content. Like a web application, a mobile application that uses WebViews can be vulnerable to Cross-Site Scripting if untrusted code is rendered. In the context of a WebView, JavaScript code can exfiltrate local files that might be sensitive or even worse, access exposed functions of the application that can result in more severe vulnerabilities such as code injection. Thus JavaScript support should not be enabled for WebViews unless it is absolutely necessary and the authenticity of the web resources can be guaranteed.

Ask Yourself Whether

The WebWiew only renders static web content that does not require JavaScript code to be executed.
The WebView contains untrusted data that could cause harm when rendered.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to disable JavaScript support for WebViews unless it is necessary to execute JavaScript code. Only trusted pages should be rendered.

Sensitive Code Example

Using v4 and above of the webview_flutter package:

import 'package:webview_flutter/webview_flutter.dart';

class _WebViewPageState extends State<WebViewPage> {
  final WebViewController _controller = WebViewController()
    ..setJavaScriptMode(JavaScriptMode.unrestricted) // Sensitive
    ..setBackgroundColor(const Color(0x00000000));

  @override
  Widget build(BuildContext context) => Scaffold();
}

Using v3 and below of the webview_flutter package:

import 'package:webview_flutter/webview_flutter.dart';

class _WebViewPageState extends State<WebViewPage> {
  final WebView _view = WebView(
    initialUrl: 'https://example.com',
    javascriptMode: JavascriptMode.unrestricted, // Sensitive
  );

  @override
  Widget build(BuildContext context) => Scaffold();
}

Using the flutter_inappwebview package:

import 'package:flutter_inappwebview/flutter_inappwebview.dart';

class _WebViewPageState extends State<WebViewPage> {
  final InAppWebViewController _controller = InAppWebViewController("id", _view)
    ..setOptions(InAppWebViewGroupOptions(
      // In flutter_inappwebview, JS is enabled by default
      crossPlatform: InAppWebViewOptions(), // Sensitive
    ));

  @override
  Widget build(BuildContext context) => Scaffold();
}

Compliant Solution

Using v4 and above of the webview_flutter package:

import 'package:webview_flutter/webview_flutter.dart';

class _WebViewPageState extends State<WebViewPage> {
  final WebViewController _controller = WebViewController()
    ..setBackgroundColor(const Color(0x00000000));

  @override
  Widget build(BuildContext context) => Scaffold();

Using v3 and below of the webview_flutter package:

import 'package:webview_flutter/webview_flutter.dart';

class _WebViewPageState extends State<WebViewPage> {
  final WebView _view = WebView(
    initialUrl: 'https://example.com',
  );

  @override
  Widget build(BuildContext context) => Scaffold();
}

Using the flutter_inappwebview package:

import 'package:flutter_inappwebview/flutter_inappwebview.dart';

class _WebViewPageState extends State<WebViewPage> {
  final InAppWebViewController _controller = InAppWebViewController("id", _view)
    ..setOptions(InAppWebViewGroupOptions(
      // In flutter_inappwebview, JS is enabled by default
      crossPlatform: InAppWebViewOptions(
        javaScriptEnabled: false,
      ),
    ));

  @override
  Widget build(BuildContext context) => Scaffold();
}

See

OWASP - Top 10 2021 Category A3 - Injection
OWASP - Top 10 2017 Category A6 - Security Misconfiguration
OWASP - Top 10 2017 Category A7 - Cross-Site Scripting (XSS)
OWASP - Mobile Top 10 2024 Category M8 - Security Misconfiguration
CWE - CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related rules

S7409 - Exposing Java objects through JavaScript interfaces is security-sensitive

Available In:

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted