Update rule S7409: Clarify rule title and rule text (SONARKT-637) (#4826)

* Update rule title and text according to previous discussion

* Fix typo

* Add references to S6362 and S7409 in both rules' descriptions

rules/S6362/see.adoc

@@ -5,3 +5,6 @@
 * OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
+
+=== Related rules
+* S7409 - Exposing Java objects through JavaScript interfaces is security-sensitive

rules/S7409/kotlin/metadata.json

@@ -1,5 +1,5 @@
 {
-  "title": "Exposing Java interfaces in WebViews is security-sensitive",
+  "title": "Exposing Java objects through JavaScript interfaces is security-sensitive",
   "type": "SECURITY_HOTSPOT",
   "status": "ready",
   "remediation": {

rules/S7409/kotlin/rule.adoc

@@ -1,15 +1,15 @@
-Using Javascript interfaces in WebViews is unsafe as it allows JavaScript to invoke Java methods,
+Using JavaScript interfaces in WebViews to expose Java objects is unsafe. Doing so allows JavaScript
-potentially giving attackers access to data or sensitive app functionality. WebViews might include
+to invoke Java methods, potentially giving attackers access to data or sensitive app functionality.
-untrusted sources such as third-party iframes, making this functionality particularly risky. As
+WebViews might include untrusted sources such as third-party iframes, making this functionality
-Javascript interfaces are passed to every frame in the WebView, those iframes are also able to
+particularly risky. As JavaScript interfaces are passed to every frame in the WebView, those iframes
-access the exposed Java methods.
+are also able to access the exposed Java object.
 
 == Ask Yourself Whether
 
 * The content in the WebView is fully trusted and secure.
 * Potentially untrusted iframes could be loaded in the WebView.
-* The Javascript interface has to be exposed for the entire lifecycle of the WebView.
+* The JavaScript interface has to be exposed for the entire lifecycle of the WebView.
-* The exposed Java methods will accept input from potentially untrusted sources.
+* The exposed Java object might be called by untrusted sources.
 
 There is a risk if you answered yes to any of these questions.
 
@@ -18,9 +18,9 @@ There is a risk if you answered yes to any of these questions.
 === Disable JavaScript
 
 If it is possible to disable JavaScript in the WebView, this is the most secure option. By default,
-JavaScript is disabled in a WebView, so you do not need to explicitly call
+JavaScript is disabled in a WebView, so ``webSettings.setJavaScriptEnabled(false)`` does not need to
-``webSettings.setJavaScriptEnabled(true)`` in your ``WebSettings`` configuration. Of course, sometimes
+be explicitly called. Of course, sometimes it is necessary to enable JavaScript, in which case the
-it is necessary to enable JavaScript, in which case the following recommendations should be considered.
+following recommendations should be considered.
 
 === Remove JavaScript interface when loading untrusted content
 
@@ -63,7 +63,8 @@ class ExampleActivity : AppCompatActivity() {
 
 == Compliant Solution
 
-The most secure option is to disable JavaScript entirely.
+The most secure option is to disable JavaScript entirely. S6362 further explains why it should not be enabled
+unless absolutely necessary.
 
 [source,kotlin]
 ----
@@ -96,7 +97,8 @@ class ExampleActivity : AppCompatActivity() {
 }
 ----
 
-If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict the origins that can send messages to the JavaScript bridge.
+If a JavaScript bridge must be used, consider using ``WebViewCompat.addWebMessageListener`` instead. This allows you to restrict
+the origins that can send messages to the JavaScript bridge.
 
 [source,kotlin]
 ----
@@ -135,3 +137,6 @@ class ExampleActivity : AppCompatActivity() {
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation.html[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
 * OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration.html[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
 * CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation]
+
+=== Related rules
+* S6362 - Enabling JavaScript support for WebViews is security-sensitive