Phil -- did you remove those entries from you intelxdk.config.additions.xml file? If so, could you provide a complete copy of that file? I'd like to see what is in there, that's not the sort of thing we've recommended people include in that file. If not that file, where did you remove these lines from?

Paul,

We're starting close down and getting ready to update the security settings which means changing them from wide open to restricted and adding the CSP...

Since we have an href="tel:911" link that uses the dialer we added the allow-intent and allow-navigation to the ios side and the allow-intent to Android. Builds stopped with the Build Log I posted (essentially nothing). Took us a bit to figure out what the heck was going on but as soon as we removed those two lines, it went back to building.

Granted, we probably did something wrong but the UI should have caught what we were doing wrong and stopped or warned us and if not that, the build log should have had some information.

Thanks for those details, this is useful information regarding the whitelist settings. I'll inform engineering and, if we can reproduce the issue, will fix the issue in a future release. There's been some significant changes by Cordova to the whitelisting and I think our attempts to preserve compatibility for older CLI builds versus newer CLI builds as well as the old/new whitelist specs for Android may have caused this. It would be very helpful to have a copy of the <project-name>.xdk file for your project that causes this error, as a way to confirm some hunches.

I'll send you a separate private message that you can reply to if you're willing to share that information.

I can confirm that this kills the build.  I'm sending you two files:

1) <project-name>.xdk (this builds)

2)<project-name-with-intent-fails>.xdk (this does not build)

If this keeps up, you should start a bug bounty... ;-)

Sometimes, this just gets funny!

Your upload doesn't accept a file type of .xdk and dragging and dropping a .zip file caused the browser to lock up... after restarting the browser I used the manual method of attaching the file.  You should have it by now.

Phil -- thanks for providing those .xdk files. Sorry about the behavior of this forum, there is a larger ongoing project to update and replace it, the sooner the better. I really dislike the way these forums work. :-(

It's okay... I just spent two weeks tracking down, seeking help for, documenting and finding a workaround for a sqlite bug... there comes a point where hitting another bug is just funny... or, at least, all you can do is laugh! LOL

Phil -- are you putting the following into those whitelist fields in the UI:

<allow-intent href="tel:*" />

or this:

tel:*

I inserted it exactly as in comment #2 in this thread; https://software.intel.com/en-us/forums/intel-xdk/topic/681624#comment-1883131

Those fields are meant for entering just the data part of that XML field, not the entire tag. The appropriate tags will be generated by the XDK. So you should just be entering things like "tel:*" or "geo:*" (without the quotes) into the whitelist UI. I suspect the XML parser on the backend got confused by some XML embedded in XML.

Some examples here > https://software.intel.com/en-us/articles/cordova-whitelisting-with-intel-xdk-for-ajax-and-launching-external-apps < and docs here > https://software.intel.com/en-us/xdk/docs/using-cordova-whitelist-rules-with-intel-xdk <

I've asked for some better input validation on those fields, I'll as that it be enhanced to catch this sort of an issue.

If it's not allowed or will break the system, you have to catch it!

Also, I would suggest looking at the screenshot I provided.... the Labels say Intent (<allow-intent>) and Navigation (<allow-navigation>) both of which would imply that we should enter the entire tag.

Send a private message about some security concerns...

I can understand the confusion, and I have already requested input validation on our whitelist fields, even before this incident. We're waiting for some engineering cycles tho get them implemented. We'd love to have perfect input validation on all fields in the product, but we don't. It's an evolving process.

Yes, if you go down to the bottom of that article... I just realized you wrote it so now I know who to ask when I have questions... you reference using the allow-navigation but none of that says not to use the entire xml tag.

We provided the (<allow-intent>) and similar references in order to make it easier to cross-reference with the Cordova documentation.