However, if someone got my application and will try to invoke content showing in Html.fromHtml, it might be very risky
Why? Are you deathly allergic to italics? :-)
is it safe to use Html.fromHtml()?
It is as safe as just about any other method in any other class in Android. You are welcome to inspect the source code for it, write your own replacement for it, etc. if you so choose.
Penetration test
What do you think a "penetration test" has to do with displaying simple HTML in a TextView?
and invoking the content with any scripts
TextView (and Html.fromHtml()) does not process JavaScript, or CSS, or <iframe>, or most HTML tags for that matter. It handles a few basic tags, and that's it.
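
As an added illustration (not part of the original answer), the sketch below shows what Html.fromHtml() hands back for untrusted markup: a Spanned holding text and style spans, with nothing in it that executes. It also keeps link spans only when they point at http or https, which matters if the TextView has a LinkMovementMethod set. The class name SafeHtmlText, the method names and the sample string are constructed for the example; Html.fromHtml(String, int) assumes API level 24 or later.

```java
import android.net.Uri;
import android.text.Html;
import android.text.SpannableStringBuilder;
import android.text.Spanned;
import android.text.style.URLSpan;
import android.widget.TextView;

/** Hypothetical helper: render untrusted HTML in a TextView. */
public final class SafeHtmlText {

    // Constructed sample input: a style tag, a script tag and two links.
    static final String SAMPLE =
            "<b>Hello</b> <script>alert(1)</script> "
            + "<a href=\"javascript:alert(1)\">bad</a> "
            + "<a href=\"https://example.com/\">good</a>";

    private SafeHtmlText() {}

    /** Parses the markup and drops link spans whose scheme is not http(s). */
    public static CharSequence render(String untrustedHtml) {
        // The result is text plus span objects; no script engine is involved.
        Spanned parsed = Html.fromHtml(untrustedHtml, Html.FROM_HTML_MODE_LEGACY);
        SpannableStringBuilder out = new SpannableStringBuilder(parsed);

        for (URLSpan span : out.getSpans(0, out.length(), URLSpan.class)) {
            if (!isWebLink(span.getURL())) {
                // The link text stays visible, only the click target is removed.
                out.removeSpan(span);
            }
        }
        return out;
    }

    private static boolean isWebLink(String url) {
        if (url == null) {
            return false;
        }
        String scheme = Uri.parse(url).getScheme();
        return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
    }

    /** Usage: SafeHtmlText.show(textView, SafeHtmlText.SAMPLE); */
    public static void show(TextView view, String untrustedHtml) {
        view.setText(render(untrustedHtml));
    }
}
```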