android-v10.1.2 Updated version and RELEASENOTES.md for release 10.1.2

.npmrc

@@ -0,0 +1,2 @@
+registry=https://registry.npmjs.org
+

RELEASENOTES.md

@@ -20,6 +20,28 @@
 -->
 ## Release Notes for Cordova (Android)
 
+### 10.1.2 (Apr 11, 2022)
+
+**Fixes:**
+
+* [GH-1372](https://github.com/apache/cordova-android/pull/1372) fix(`AndroidManifest`): explicitly define the `activity` attribute `android:exported`
+* [GH-1406](https://github.com/apache/cordova-android/pull/1406) fix: detect `JAVA_HOME` with Java 11
+* [GH-1401](https://github.com/apache/cordova-android/pull/1401) fix(GH-1391): Reword minimum build tools version to make it more clear what is actually required.
+* [GH-1384](https://github.com/apache/cordova-android/pull/1384) fix: escape `strings.xml` app name
+
+**Chores:**
+
+* [GH-1413](https://github.com/apache/cordova-android/pull/1413) chore: update `package-lock` to satisfy `npm audit`
+* [GH-1348](https://github.com/apache/cordova-android/pull/1348) chore: `npmrc`
+
+### 10.1.1 (Sep 13, 2021)
+
+**Fixes:**
+
+* [GH-1349](https://github.com/apache/cordova-android/pull/1349) fix(`PluginManager`): `AllowNavigation` default policy to handle scheme & hostname
+* [GH-1342](https://github.com/apache/cordova-android/pull/1342) fix(`AllowListPlugin`): Safely handle default allow navigation policy in allow request
+* [GH-1332](https://github.com/apache/cordova-android/pull/1332) fix(`PluginManager`): `AllowBridgeAccess` default policy to handle scheme & hostname
+
 ### 10.1.0 (Aug 13, 2021)
 
 **Features:**

framework/cordova.gradle

@@ -64,16 +64,16 @@ String doFindLatestInstalledBuildTools(String minBuildToolsVersionString) {
 
     if (highestBuildToolsVersion == null) {
         throw new RuntimeException("""
-            No installed build tools found. Install the Android build tools
-            version ${minBuildToolsVersionString} or higher.
+            No installed build tools found. Please install the Android build tools
+            version ${minBuildToolsVersionString}.
         """.replaceAll(/\s+/, ' ').trim())
     }
 
     if (highestBuildToolsVersion.isLowerThan(minBuildToolsVersionString)) {
         throw new RuntimeException("""
             No usable Android build tools found. Highest ${minBuildToolsVersion.getMajor()}.x installed version is
-            ${highestBuildToolsVersion.getOriginalString()}; minimum version
-            required is ${minBuildToolsVersionString}.
+            ${highestBuildToolsVersion.getOriginalString()}; Recommended version
+            is ${minBuildToolsVersionString}.
         """.replaceAll(/\s+/, ' ').trim())
     }
 

framework/src/org/apache/cordova/AllowListPlugin.java

@@ -82,11 +82,6 @@ public class AllowListPlugin extends CordovaPlugin {
             if (strNode.equals("content")) {
                 String startPage = xml.getAttributeValue(null, "src");
                 allowedNavigations.addAllowListEntry(startPage, false);
-
-                // Allow origin for WebViewAssetLoader
-                if (!this.prefs.getBoolean("AndroidInsecureFileModeEnabled", false)) {
-                    allowedNavigations.addAllowListEntry("https://" + this.prefs.getString("hostname", "localhost"), false);
-                }
             } else if (strNode.equals("allow-navigation")) {
                 String origin = xml.getAttributeValue(null, "href");
                 if ("*".equals(origin)) {
@@ -127,7 +122,7 @@ public class AllowListPlugin extends CordovaPlugin {
 
     @Override
     public Boolean shouldAllowRequest(String url) {
-        return (this.shouldAllowNavigation(url) || this.allowedRequests.isUrlAllowListed(url))
+        return (Boolean.TRUE.equals(this.shouldAllowNavigation(url)) || this.allowedRequests.isUrlAllowListed(url))
             ? true
             : null; // default policy
     }

framework/src/org/apache/cordova/CordovaWebView.java

@@ -31,7 +31,7 @@ import android.webkit.WebChromeClient.CustomViewCallback;
  * are not expected to implement it.
  */
 public interface CordovaWebView {
-    public static final String CORDOVA_VERSION = "10.1.0";
+    public static final String CORDOVA_VERSION = "10.1.2";
 
     void init(CordovaInterface cordova, List<PluginEntry> pluginEntries, CordovaPreferences preferences);
 

framework/src/org/apache/cordova/PluginManager.java

@@ -41,6 +41,12 @@ import android.os.Build;
  */
 public class PluginManager {
     private static String TAG = "PluginManager";
+
+    // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+    private static String SCHEME_HTTPS = "https";
+    // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+    private static String DEFAULT_HOSTNAME = "localhost";
+
     private static final int SLOW_EXEC_WARNING_THRESHOLD = Debug.isDebuggerConnected() ? 60 : 16;
 
     // List of service entries
@@ -366,6 +372,24 @@ public class PluginManager {
         }
     }
 
+    /**
+     * @todo should we move this somewhere public and accessible by all plugins?
+     * For now, it is placed where it is used and kept private so we can decide later and move without causing a breaking change.
+     * An ideal location might be in the "ConfigXmlParser" at the time it generates the "launchUrl".
+     *
+     * @todo should we be restrictive on the "file://" return? e.g. "file:///android_asset/www/"
+     * Would be considered as a breaking change if we apply a more granular check.
+     */
+    private String getLaunchUrlPrefix() {
+        if (!app.getPreferences().getBoolean("AndroidInsecureFileModeEnabled", false)) {
+            String scheme = app.getPreferences().getString("scheme", SCHEME_HTTPS).toLowerCase();
+            String hostname = app.getPreferences().getString("hostname", DEFAULT_HOSTNAME);
+            return scheme + "://" + hostname + '/';
+        }
+
+        return "file://";
+    }
+
     /**
      * Called when the webview is going to request an external resource.
      *
@@ -431,7 +455,7 @@ public class PluginManager {
         }
 
         // Default policy:
-        return url.startsWith("file://") || url.startsWith("about:blank");
+        return url.startsWith(getLaunchUrlPrefix()) || url.startsWith("about:blank");
     }
 
 
@@ -452,7 +476,7 @@ public class PluginManager {
         }
 
         // Default policy:
-        return url.startsWith("file://");
+        return url.startsWith(getLaunchUrlPrefix());
     }
 
     /**

lib/create.js

@@ -255,7 +255,7 @@ exports.create = function (project_path, config, options, events) {
             fs.ensureDirSync(activity_dir);
             fs.copySync(path.join(project_template_dir, 'Activity.java'), activity_path);
             utils.replaceFileContents(activity_path, /__ACTIVITY__/, safe_activity_name);
-            utils.replaceFileContents(path.join(app_path, 'res', 'values', 'strings.xml'), /__NAME__/, project_name);
+            utils.replaceFileContents(path.join(app_path, 'res', 'values', 'strings.xml'), /__NAME__/, utils.escape(project_name));
             utils.replaceFileContents(activity_path, /__ID__/, package_name);
 
             var manifest = new AndroidManifest(path.join(project_template_dir, 'AndroidManifest.xml'));

lib/env/java.js

@@ -99,7 +99,8 @@ const java = {
                 } else {
                     // See if we can derive it from javac's location.
                     var maybeJavaHome = path.dirname(path.dirname(javacPath));
-                    if (fs.existsSync(path.join(maybeJavaHome, 'lib', 'tools.jar'))) {
+                    if (fs.existsSync(path.join(maybeJavaHome, 'bin', 'java')) ||
+                            fs.existsSync(path.join(maybeJavaHome, 'bin', 'java.exe'))) {
                         environment.JAVA_HOME = maybeJavaHome;
                     } else {
                         throw new CordovaError(default_java_error_msg);

lib/utils.js

@@ -66,3 +66,21 @@ exports.forgivingWhichSync = (cmd) => {
 
 exports.isWindows = () => os.platform() === 'win32';
 exports.isDarwin = () => os.platform() === 'darwin';
+
+const UNESCAPED_REGEX = /[&<>"']/g;
+
+const escapes = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#39;'
+};
+
+/**
+ * Converts the characters "&", "<", ">", '"' and "'" in the given string to
+ * their corresponding escaped value
+ * @param {string} str the string to be escaped
+ * @returns the escaped string
+ */
+exports.escape = (str) => UNESCAPED_REGEX.test(str) ? str.replace(UNESCAPED_REGEX, (key) => escapes[key]) : str;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cordova-android",
-  "version": "10.1.0",
+  "version": "10.1.2",
   "description": "cordova-android release",
   "main": "lib/Api.js",
   "repository": "github:apache/cordova-android",

spec/unit/create.spec.js

@@ -275,6 +275,13 @@ describe('create', function () {
                 });
             });
 
+            it('should interpolate the escaped project name into strings.xml', () => {
+                config_mock.name.and.returnValue('<Incredible&App>');
+                return create.create(project_path, config_mock, {}, events_mock).then(() => {
+                    expect(utils.replaceFileContents).toHaveBeenCalledWith(path.join(app_path, 'res', 'values', 'strings.xml'), /__NAME__/, '&lt;Incredible&amp;App&gt;');
+                });
+            });
+
             it('should copy template scripts into generated project', () => {
                 return create.create(project_path, config_mock, {}, events_mock).then(() => {
                     expect(create.copyScripts).toHaveBeenCalledWith(project_path);

templates/project/AndroidManifest.xml

@@ -37,7 +37,8 @@
                 android:launchMode="singleTop"
                 android:theme="@style/Theme.AppCompat.NoActionBar"
                 android:windowSoftInputMode="adjustResize"
-                android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|smallestScreenSize|screenLayout|uiMode">
+                android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|smallestScreenSize|screenLayout|uiMode"
+                android:exported="true">
             <intent-filter android:label="@string/launcher_name">
                 <action android:name="android.intent.action.MAIN" />
                 <category android:name="android.intent.category.LAUNCHER" />