Skip to content

feature/cp-10963-add-bridge-function-in-mobile-sdk-to-send-subscription #331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gbhrdt-cp merged 3 commits into from
Mar 11, 2026
Merged

feature/cp-10963-add-bridge-function-in-mobile-sdk-to-send-subscription #331

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
28a11c2
feature/cp-10963-add-bridge-function-in-mobile-sdk-to-send-subscription
Feb 24, 2026
8703eea
feature/cp-10963-add-bridge-function-in-mobile-sdk-to-send-subscription
Feb 24, 2026
a75daae
feature/cp-10963-add-bridge-function-in-mobile-sdk-to-send-subscription
Feb 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 75 additions & 8 deletions cleverpush/src/main/java/com/cleverpush/banner/AppBannerCarouselAdapter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
Expand Down Expand Up @@ -667,14 +668,25 @@ public void onPageFinished(WebView view, String url) {
"};\n" +
"CleverPush.trackClick = function(buttonId, customData) {\n" +
" CleverPush.trackClickStringified(buttonId, customData ? JSON.stringify(customData) : null);\n" +
"};\n" +
"CleverPush.getSubscriptionContext = function() {\n" +
" return new Promise(function(resolve) {\n" +
" window.CleverPush._resolveSubscriptionContext = resolve;\n" +
" CleverPush.getSubscriptionContextRequest();\n" +
" });\n" +
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concurrent Promise calls overwrite resolver

Medium Severity

If JavaScript calls CleverPush.getSubscriptionContext() multiple times concurrently, the second call overwrites window.CleverPush._resolveSubscriptionContext, causing the first Promise to never resolve. Only the most recent call's Promise will resolve; all previous Promises hang indefinitely, leaking memory and blocking any code waiting on those Promises.

Additional Locations (1)

Fix in Cursor Fix in Web

"};\n",
null
);
String contextJson = getSubscriptionContextJson();
webView.evaluateJavascript(
"if (typeof CleverPush !== 'undefined') { CleverPush.subscriptionContext = " + contextJson + "; }",
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

XSS vulnerability from unescaped JSON in JavaScript

High Severity

The raw JSON from getSubscriptionContextJson() is directly concatenated into JavaScript code without proper escaping. If subscription IDs or channel IDs contain characters like </script>, <, >, or /, they could break out of the JavaScript context and enable XSS attacks. While Gson.toJson() handles basic JSON escaping, it doesn't prevent script injection when the JSON is embedded directly in JavaScript code.

Additional Locations (2)

Fix in Cursor Fix in Web

null
);
}
});

webView.loadUrl(block.getUrl());
webView.addJavascriptInterface(new CleverpushInterface(), "CleverPush");
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Promise never rejects leading to unhandled hangs

Medium Severity

The CleverPush.getSubscriptionContext Promise only accepts a resolve callback, never a reject. If getSubscriptionContextRequest returns early due to null webView (line 996) or if any other error prevents resolution, the Promise hangs indefinitely. JavaScript callers using await or .then() will never receive a response, blocking execution.

Additional Locations (1)

Fix in Cursor Fix in Web

webView.addJavascriptInterface(new CleverpushInterface(webView), "CleverPush");
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JavaScript interface added after URL load

High Severity

The addJavascriptInterface is called after loadUrl, but according to Android WebView documentation, adding an interface is not reflected on the JavaScript side until the next page load. This means the CleverPush object won't be available when the page loads or in onPageFinished, causing JavaScript errors when code tries to call CleverPush.getSubscriptionContextRequest() and other interface methods.

Additional Locations (1)

Fix in Cursor Fix in Web


LinearLayout.LayoutParams params = new LinearLayout.LayoutParams(
LinearLayout.LayoutParams.MATCH_PARENT,
Expand Down Expand Up @@ -725,6 +737,7 @@ private void composeHtmlBanner(LinearLayout body, String htmlContent) {
activity.runOnUiThread(() -> {
String html = VoucherCodeUtils.replaceVoucherCodeString(htmlContent, voucherCode);
String lower = html.toLowerCase(Locale.ROOT);
String contextJson = getSubscriptionContextJson();
String jsToInject = "" +
"<script type=\"text/javascript\">\n" +
"// Below conditions will take care of all ids and classes which contains defined keywords at start and end of string\n"
Expand All @@ -741,6 +754,13 @@ private void composeHtmlBanner(LinearLayout body, String htmlContent) {
"for (var i = 0; i < closeBtns.length; i++) {\n" +
" closeBtns[i].addEventListener('click', onCloseClick);\n" +
"}\n" +
"if (typeof CleverPush !== 'undefined') { CleverPush.subscriptionContext = " + contextJson + "; }\n" +
"CleverPush.getSubscriptionContext = function() {\n" +
" return new Promise(function(resolve) {\n" +
" window.CleverPush._resolveSubscriptionContext = resolve;\n" +
" CleverPush.getSubscriptionContextRequest();\n" +
" });\n" +
"};\n" +
"CleverPush.trackEvent = function(eventId, properties) {\n" +
" CleverPush.trackEventStringified(eventId, properties ? JSON.stringify(properties) : null);\n" +
"};\n" +
Expand Down Expand Up @@ -770,7 +790,7 @@ private void composeHtmlBanner(LinearLayout body, String htmlContent) {
WebView webView = webLayout.findViewById(R.id.webView);
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setLoadsImagesAutomatically(true);
webView.addJavascriptInterface(new CleverpushInterface(), "CleverPush");
webView.addJavascriptInterface(new CleverpushInterface(webView), "CleverPush");
webView.setWebViewClient(new AppBannerWebViewClient());

webView.getViewTreeObserver().addOnGlobalLayoutListener(() -> {
Expand Down Expand Up @@ -813,6 +833,12 @@ public static int pxToDp(int px) {
}

public class CleverpushInterface {
private final WebView webView;

public CleverpushInterface(WebView webView) {
this.webView = webView;
}
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Memory leak from circular WebView reference

Medium Severity

The CleverpushInterface stores a reference to the WebView that it's added to via addJavascriptInterface. This creates a circular reference: WebView holds the interface, and the interface holds the WebView. This prevents garbage collection and causes memory leaks when WebViews are destroyed, particularly in RecyclerView scenarios where views are recycled.

Additional Locations (1)

Fix in Cursor Fix in Web


@JavascriptInterface
public void subscribe() {
CleverPush.getInstance(CleverPush.context).subscribe();
Expand Down Expand Up @@ -959,14 +985,55 @@ public void handleLinkBySystem(String link) {
}
});
}

/**
* Called by JS when getSubscriptionContext() Promise is used. Resolves the Promise with
* subscription context (same behavior as iOS).
*/
@JavascriptInterface
public void getSubscriptionContextRequest() {
activity.runOnUiThread(() -> {
if (webView == null) return;
String contextJson = getSubscriptionContextJson();
String escaped = contextJson.replace("\\", "\\\\").replace("\"", "\\\"")
.replace("\r", "\\r").replace("\n", "\\n");
Copy link

@cursor cursor bot Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incomplete character escaping for JavaScript injection

Medium Severity

The manual escaping only handles backslash, quote, carriage return, and newline characters, but omits tab (\t) and other control characters. If the JSON contains unescaped tabs or control characters, they could cause JavaScript syntax errors when the string is parsed by JSON.parse(), breaking the Promise resolution and preventing subscription context from being delivered.

Additional Locations (1)

Fix in Cursor Fix in Web

String jsCallback = "try { if (window.CleverPush && window.CleverPush._resolveSubscriptionContext) { "
+ "window.CleverPush._resolveSubscriptionContext(JSON.parse(\"" + escaped + "\")); "
+ "window.CleverPush._resolveSubscriptionContext = null; } } catch (e) {}";
webView.evaluateJavascript(jsCallback, null);
});
}

@JavascriptInterface
public void copyToClipboard(String text) {
ClipboardManager clipboard = (ClipboardManager) CleverPush.context.getSystemService(Context.CLIPBOARD_SERVICE);
if (clipboard != null) {
ClipData clip = ClipData.newPlainText("label", text);
clipboard.setPrimaryClip(clip);
}
}
}

@JavascriptInterface
public void copyToClipboard(String text) {
ClipboardManager clipboard = (ClipboardManager) CleverPush.context.getSystemService(Context.CLIPBOARD_SERVICE);
if (clipboard != null) {
ClipData clip = ClipData.newPlainText("label", text);
clipboard.setPrimaryClip(clip);
/**
* Returns subscription ID and channel ID as JSON for survey workflow / JS layer (iOS-compatible:
* null for missing values). Used when resolving getSubscriptionContext Promise and when
* injecting subscriptionContext via evaluateJavascript.
*/
private String getSubscriptionContextJson() {
try {
CleverPush cleverPush = CleverPush.getInstance(activity);
String subscriptionId = cleverPush.getSubscriptionId(CleverPush.context);
String channelId = cleverPush.getChannelId(CleverPush.context);
Map<String, Object> context = new LinkedHashMap<>();
context.put("subscriptionId", subscriptionId);
context.put("channelId", channelId);
return new Gson().toJson(context);
} catch (Exception ex) {
Logger.e(TAG, "Error in getSubscriptionContextJson.", ex);
Map<String, Object> empty = new LinkedHashMap<>();
empty.put("subscriptionId", (Object) null);
empty.put("channelId", (Object) null);
return new Gson().toJson(empty);
Copy link

@cursor cursor bot Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gson silently drops null values from subscription context JSON

High Severity

new Gson().toJson(context) silently omits null map entries because Gson's default is serializeNulls = false. When getSubscriptionId or getChannelId returns null, the output becomes {} instead of the intended {"subscriptionId":null,"channelId":null}. The catch block is equally broken — it explicitly puts null values, but Gson strips them. This contradicts the stated goal of matching iOS behavior with null for missing values. Using new GsonBuilder().serializeNulls().create() instead of new Gson() would fix this.

Additional Locations (1)

Fix in Cursor Fix in Web

}
}

Expand Down
83 changes: 81 additions & 2 deletions cleverpush/src/main/java/com/cleverpush/inbox/InboxDetailBannerCarouselAdapter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@

import android.annotation.SuppressLint;
import android.app.Activity;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.content.Intent;
import android.content.res.Resources;
import android.graphics.Bitmap;
Expand Down Expand Up @@ -62,6 +65,7 @@
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
Expand Down Expand Up @@ -405,14 +409,25 @@ public void onPageFinished(WebView view, String url) {
"};\n" +
"CleverPush.trackClick = function(buttonId, customData) {\n" +
" CleverPush.trackClickStringified(buttonId, customData ? JSON.stringify(customData) : null);\n" +
"};\n" +
"CleverPush.getSubscriptionContext = function() {\n" +
" return new Promise(function(resolve) {\n" +
" window.CleverPush._resolveSubscriptionContext = resolve;\n" +
" CleverPush.getSubscriptionContextRequest();\n" +
" });\n" +
"};\n",
null
);
String contextJson = getSubscriptionContextJson();
webView.evaluateJavascript(
"if (typeof CleverPush !== 'undefined') { CleverPush.subscriptionContext = " + contextJson + "; }",
null
);
}
});

webView.loadUrl(block.getUrl());
webView.addJavascriptInterface(new CleverpushInterface(), "CleverPush");
webView.addJavascriptInterface(new CleverpushInterface(webView), "CleverPush");

LinearLayout.LayoutParams params = new LinearLayout.LayoutParams(
LinearLayout.LayoutParams.MATCH_PARENT,
Expand Down Expand Up @@ -452,6 +467,7 @@ private void composeHtmlBanner(LinearLayout body, String htmlContent) {
activity.runOnUiThread(() -> {
String html = VoucherCodeUtils.replaceVoucherCodeString(htmlContent, voucherCode);
String lower = html.toLowerCase(Locale.ROOT);
String contextJson = getSubscriptionContextJson();
String jsToInject = "" +
"<script type=\"text/javascript\">\n" +
"// Below conditions will take care of all ids and classes which contains defined keywords at start and end of string\n"
Expand All @@ -468,6 +484,13 @@ private void composeHtmlBanner(LinearLayout body, String htmlContent) {
"for (var i = 0; i < closeBtns.length; i++) {\n" +
" closeBtns[i].addEventListener('click', onCloseClick);\n" +
"}\n" +
"if (typeof CleverPush !== 'undefined') { CleverPush.subscriptionContext = " + contextJson + "; }\n" +
"CleverPush.getSubscriptionContext = function() {\n" +
" return new Promise(function(resolve) {\n" +
" window.CleverPush._resolveSubscriptionContext = resolve;\n" +
" CleverPush.getSubscriptionContextRequest();\n" +
" });\n" +
"};\n" +
"CleverPush.trackEvent = function(eventId, properties) {\n" +
" CleverPush.trackEventStringified(eventId, properties ? JSON.stringify(properties) : null);\n" +
"};\n" +
Expand Down Expand Up @@ -497,7 +520,7 @@ private void composeHtmlBanner(LinearLayout body, String htmlContent) {
WebView webView = webLayout.findViewById(R.id.webView);
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setLoadsImagesAutomatically(true);
webView.addJavascriptInterface(new CleverpushInterface(), "CleverPush");
webView.addJavascriptInterface(new CleverpushInterface(webView), "CleverPush");
webView.setWebViewClient(new AppBannerWebViewClient());

webView.getViewTreeObserver().addOnGlobalLayoutListener(() -> {
Expand Down Expand Up @@ -541,6 +564,12 @@ public ViewHolder(@NonNull View itemView) {
}

public class CleverpushInterface {
private final WebView webView;

public CleverpushInterface(WebView webView) {
this.webView = webView;
}

@JavascriptInterface
public void subscribe() {
CleverPush.getInstance(CleverPush.context).subscribe();
Expand Down Expand Up @@ -687,5 +716,55 @@ public void handleLinkBySystem(String link) {
}
});
}

/**
* Called by JS when getSubscriptionContext() Promise is used. Resolves the Promise with
* subscription context (same behavior as iOS).
*/
@JavascriptInterface
public void getSubscriptionContextRequest() {
activity.runOnUiThread(() -> {
if (webView == null) return;
String contextJson = getSubscriptionContextJson();
String escaped = contextJson.replace("\\", "\\\\").replace("\"", "\\\"")
.replace("\r", "\\r").replace("\n", "\\n");
String jsCallback = "try { if (window.CleverPush && window.CleverPush._resolveSubscriptionContext) { "
+ "window.CleverPush._resolveSubscriptionContext(JSON.parse(\"" + escaped + "\")); "
+ "window.CleverPush._resolveSubscriptionContext = null; } } catch (e) {}";
webView.evaluateJavascript(jsCallback, null);
});
}

@JavascriptInterface
public void copyToClipboard(String text) {
ClipboardManager clipboard = (ClipboardManager) CleverPush.context.getSystemService(Context.CLIPBOARD_SERVICE);
if (clipboard != null) {
ClipData clip = ClipData.newPlainText("label", text);
clipboard.setPrimaryClip(clip);
}
}
}

/**
* Returns subscription ID and channel ID as JSON for survey workflow / JS layer (iOS-compatible:
* null for missing values). Used when resolving getSubscriptionContext Promise and when
* injecting subscriptionContext via evaluateJavascript.
*/
private String getSubscriptionContextJson() {
try {
CleverPush cleverPush = CleverPush.getInstance(activity);
String subscriptionId = cleverPush.getSubscriptionId(CleverPush.context);
String channelId = cleverPush.getChannelId(CleverPush.context);
Map<String, Object> context = new LinkedHashMap<>();
context.put("subscriptionId", subscriptionId);
context.put("channelId", channelId);
return new Gson().toJson(context);
} catch (Exception ex) {
Logger.e(TAG, "Error in getSubscriptionContextJson.", ex);
Map<String, Object> empty = new LinkedHashMap<>();
empty.put("subscriptionId", (Object) null);
empty.put("channelId", (Object) null);
return new Gson().toJson(empty);
}
}
}
Loading