[MOB-8537] updates action runner logic to check allowed protocols (#769)

evantk91 · Evan Greer · joaodordio · web-flow · commit d5b9e7dd634a · 2025-07-01T17:55:57.000+01:00
Co-authored-by: Evan Greer &lt;evan.greer@evan.greer&gt;
Co-authored-by: Joao Dordio &lt;joaodordio@icloud.com&gt;
diff --git a/swift-sdk/Internal/ActionRunner.swift b/swift-sdk/Internal/ActionRunner.swift
@@ -29,23 +29,28 @@ struct ActionRunner {
                         customActionHandler: CustomActionHandler? = nil,
                         urlOpener: UrlOpenerProtocol? = nil,
                         allowedProtocols: [String] = []) -> Bool {
-        let handled = callExternalHandlers(action: action,
-                                           from: context.source,
-                                           urlHandler: urlHandler,
-                                           customActionHandler: customActionHandler)
         
-        if handled {
-            return true
-        } else {
-            if case let .openUrl(url) = detectActionType(fromAction: action),
-               shouldOpenUrl(url: url, from: context.source, withAllowedProtocols: allowedProtocols),
-               let urlOpener = urlOpener {
-                urlOpener.open(url: url)
-                return true
-            } else {
+        // For URL actions, validate protocol before proceeding
+        if case let .openUrl(url) = detectActionType(fromAction: action) {
+            guard shouldOpenUrl(url: url, from: context.source, withAllowedProtocols: allowedProtocols) else {
                 return false
             }
         }
+        
+        if case let handled = callExternalHandlers(action: action,
+                                              from: context.source,
+                                              urlHandler: urlHandler,
+                                              customActionHandler: customActionHandler), handled {
+            return true
+        }
+        
+        if case let .openUrl(url) = detectActionType(fromAction: action),
+           let urlOpener = urlOpener {
+            urlOpener.open(url: url)
+            return true
+        }
+        
+        return false
     }
     
     // MARK: - Private
diff --git a/tests/hosting-apps/ui-tests-app/ViewController.swift b/tests/hosting-apps/ui-tests-app/ViewController.swift
@@ -31,7 +31,7 @@ class ViewController: UIViewController {
         ITBInfo()
         
         let html = """
-            <a href="http://website/resource#something">Click Me</a>
+            <a href="https://website/resource#something">Click Me</a>
             <meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no'>
         """
         InAppDisplayer.showIterableHtmlMessage(html) { url in
@@ -104,7 +104,7 @@ class ViewController: UIViewController {
         
         let messageId = "zeeMessageId"
         let html = """
-            <a href="http://website/resource#something">Click Me</a>
+            <a href="https://website/resource#something">Click Me</a>
         """
         let content = IterableHtmlInAppContent(edgeInsets: .zero, html: html)
         let message = IterableInAppMessage(messageId: messageId, campaignId: 1234, content: content)
@@ -170,7 +170,7 @@ class ViewController: UIViewController {
         
         let messageId = "zeeMessageId"
         let html = """
-            <a href="http://website/resource#something">Click Me</a>
+            <a href="https://website/resource#something">Click Me</a>
         """
         let padding = Padding(top: .autoExpand,
                               left: 10,
diff --git a/tests/notification-extension-tests/NotificationExtensionTests.swift b/tests/notification-extension-tests/NotificationExtensionTests.swift
@@ -171,7 +171,7 @@ class NotificationExtensionTests: XCTestCase {
                         "openApp": true,
                         "action": [
                             "type": "openUrl",
-                            "data": "http://maps.apple.com/?ll=37.7828,-122.3984"
+                            "data": "https://maps.apple.com/?ll=37.7828,-122.3984"
                         ]
                     ],
                     [
@@ -383,7 +383,7 @@ class NotificationExtensionTests: XCTestCase {
                     "title": "Open App",
                     "action": [
                         "type": "openUrl",
-                        "data": "http://maps.apple.com/?ll=37.7828,-122.3984"
+                        "data": "https://maps.apple.com/?ll=37.7828,-122.3984"
                     ],
                 ] as [String : Any]],
             ] as [String : Any],
@@ -422,7 +422,7 @@ class NotificationExtensionTests: XCTestCase {
                     "title": "Open App",
                     "action": [
                         "type": "openUrl",
-                        "data": "http://maps.apple.com/?ll=37.7828,-122.3984"
+                        "data": "https://maps.apple.com/?ll=37.7828,-122.3984"
                     ],
                     "actionIcon": [
                         "iconType": "systemImage",
@@ -466,7 +466,7 @@ class NotificationExtensionTests: XCTestCase {
                     "title": "Open App",
                     "action": [
                         "type": "openUrl",
-                        "data": "http://maps.apple.com/?ll=37.7828,-122.3984"
+                        "data": "https://maps.apple.com/?ll=37.7828,-122.3984"
                     ],
                     "actionIcon": [
                         "iconType": "templateImage",
diff --git a/tests/ui-tests/UITests.swift b/tests/ui-tests/UITests.swift
@@ -105,7 +105,7 @@ class UITests: XCTestCase {
 //    }
 //    
 //    func testShowInApp1() {
-//        inAppTest(buttonName: "Show InApp#1", linkName: "Click Me", expectedCallbackUrl: "http://website/resource#something")
+//        inAppTest(buttonName: "Show InApp#1", linkName: "Click Me", expectedCallbackUrl: "https://website/resource#something")
 //    }
 //    
 //    // Full Screen
@@ -120,7 +120,7 @@ class UITests: XCTestCase {
 //    
 //    // Full Screen
 //    func testShowInApp4() {
-//        inAppTest(buttonName: "Show InApp#4", linkName: "Click Me", expectedCallbackUrl: "http://website/resource#something")
+//        inAppTest(buttonName: "Show InApp#4", linkName: "Click Me", expectedCallbackUrl: "https://website/resource#something")
 //    }
 //    
 //    // Full Screen
diff --git a/tests/unit-tests/DeepLinkTests.swift b/tests/unit-tests/DeepLinkTests.swift
@@ -15,11 +15,11 @@ class DeepLinkTests: XCTestCase {
         super.tearDown()
     }
     
-    private let iterableRewriteURL = "http://links.iterable.com/a/60402396fbd5433eb35397b47ab2fb83?_e=joneng%40iterable.com&_m=93125f33ba814b13a882358f8e0852e0"
-    private let iterableNoRewriteURL = "http://links.iterable.com/u/60402396fbd5433eb35397b47ab2fb83?_e=joneng%40iterable.com&_m=93125f33ba814b13a882358f8e0852e0"
+    private let iterableRewriteURL = "https://links.iterable.com/a/60402396fbd5433eb35397b47ab2fb83?_e=joneng%40iterable.com&_m=93125f33ba814b13a882358f8e0852e0"
+    private let iterableNoRewriteURL = "https://links.iterable.com/u/60402396fbd5433eb35397b47ab2fb83?_e=joneng%40iterable.com&_m=93125f33ba814b13a882358f8e0852e0"
     
-    private let redirectRequest = "https://httpbin.org/redirect-to?url=http://example.com"
-    private let exampleUrl = "http://example.com"
+    private let redirectRequest = "https://httpbin.org/redirect-to?url=https://example.com"
+    private let exampleUrl = "https://example.com"
     
     func testTrackUniversalDeepLinkRewrite() {
         let expectation1 = expectation(description: #function)
diff --git a/tests/unit-tests/InAppParsingTests.swift b/tests/unit-tests/InAppParsingTests.swift
@@ -309,7 +309,7 @@ class InAppParsingTests: XCTestCase {
                                            saveToInbox: false,
                                            inboxMetadata: nil,
                                            customPayload: nil)
-        let buttonUrl = "http://somewhere.com"
+        let buttonUrl = "https://somewhere.com"
         let expectation1 = expectation(description: "track in app click")
         
         let networkSession = MockNetworkSession(statusCode: 200)
@@ -515,7 +515,7 @@ class InAppParsingTests: XCTestCase {
             "inAppMessages" : [
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId-\(id)",
                     "campaignId" : \(id)
@@ -534,7 +534,7 @@ class InAppParsingTests: XCTestCase {
             "inAppMessages" : [
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId-\(id)",
                     "campaignId" : \(id),
@@ -558,7 +558,7 @@ class InAppParsingTests: XCTestCase {
             "inAppMessages" : [
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId-\(id)",
                     "campaignId" : \(id),
@@ -633,31 +633,31 @@ class InAppParsingTests: XCTestCase {
             "inAppMessages" : [
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId1",
                     "campaignId" : 1,
                     "customPayload" : \(customPayload1.toJsonString())
                 },
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId2",
                     "campaignId" : 2,
                     "customPayload" : \(customPayload2.toJsonString())
                 },
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId3",
                     "campaignId" : 3,
                     "customPayload" : {}
                 },
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId4",
                     "campaignId" : 4,
@@ -716,7 +716,7 @@ class InAppParsingTests: XCTestCase {
                 {
                     "content" : {
                         "type" : "html",
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId1",
                     "campaignId" : 1,
@@ -731,7 +731,7 @@ class InAppParsingTests: XCTestCase {
                     "saveToInbox" : true,
                     "content" : {
                         "type" : "html",
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>",
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>",
                     },
                     "messageId" : "messageId2",
                     "campaignId" : 2,
@@ -748,7 +748,7 @@ class InAppParsingTests: XCTestCase {
                 },
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId3",
                     "campaignId" : 3,
@@ -760,7 +760,7 @@ class InAppParsingTests: XCTestCase {
                 },
                 {
                     "content" : {
-                        "html" : "<a href=\\"http://somewhere.com\\">Click here</a>"
+                        "html" : "<a href=\\"https://somewhere.com\\">Click here</a>"
                     },
                     "messageId" : "messageId4",
                     "campaignId" : 4,
diff --git a/tests/unit-tests/IterableAPITests.swift b/tests/unit-tests/IterableAPITests.swift
@@ -1088,14 +1088,14 @@ class IterableAPITests: XCTestCase {
                 "messageId": "messageId",
                 "defaultAction": [
                     "type": "openUrl",
-                    "data": "http://somewhere.com",
+                    "data": "https://somewhere.com",
                 ],
             ] as [String : Any],
         ]
         let launchOptions: [UIApplication.LaunchOptionsKey: Any] = [UIApplication.LaunchOptionsKey.remoteNotification: userInfo]
         let urlDelegate = MockUrlDelegate(returnValue: true)
         urlDelegate.callback = { url, _ in
-            XCTAssertEqual(url.absoluteString, "http://somewhere.com")
+            XCTAssertEqual(url.absoluteString, "https://somewhere.com")
             expectation1.fulfill()
         }
         let config = IterableConfig()
@@ -1118,7 +1118,7 @@ class IterableAPITests: XCTestCase {
                 "isGhostPush": false,
                 "defaultAction": [
                     "type": "openUrl",
-                    "data": "http://somewhere.com",
+                    "data": "https://somewhere.com",
                 ],
             ] as [String : Any],
         ]
