Skyve 7.1.2 Released

This release of Skyve changes the default escaping and sanitisation throughout the user interface as well as tightening up any XSS possibilities. A new Signature widget has been added in responsive mode to allow digital signatures to be added to views. Internationalisation support has been made pervasive throughout the interface and a default translation for Hindi and Vietnamese has been added.

Signatures

Digital signatures now available in Skyve

A new type of content has been added in responsive mode to support digitally signing within a Skyve view. It can be included by specifying the widget type as contentSignature. For example, declare a standard content attribute:

<content name="signature">
    <displayName>Signature</displayName>
</content>

and as a contentSignature in the view:

<row>
    <item>
        <contentSignature binding="signature" />
    </item>
</row>

Internationalisation

Skyve has supported internationalisation as well as LTR and RTL for several years, but this release makes the usage much more pervasive to include things like validation messages. 7.1.2 also includes translations of the admin module into Hindi and Vietnamese thanks to two of our community members @seema-source and @vanruc.

Skyve admin menu in Hindi

Framework

  • Attempt to instantiate content manager add-in only if there is no content manager class specified in json
  • Redo i18n to permeate all functional layers via CORE.getUser()
  • Add getLocalised...() convenience methods to Skyve metadata
  • Enable spring security session fixation defence
  • Add autocomplete, spellcheck, autocapitalize & autocorrect attributes to generated password elements in views for SC and PF
  • Canonicalise the RouteCriteria based on the given binding before checking if it is unsecured or finding the outcome URL in home.jsp
  • Add max width to SC logo img without affecting DynamicImage max sizes
  • Introduce JUnit 5
  • Update maven plugin NewDocumentMojo to generate a persistent name
  • Test and configure (disabled by default) the SAML 2 configuration for Azure AD integration
  • Update semantic jquery version from 3.3.1 to 3.6.0
  • Protect against reflected XSS from URL parameters inside SC script tags
  • Add content type and charset to all jsp and faces pages
  • Protect reflected XSS on password reset token
  • Add Cache-control no-store headers to faces pages
  • Add contentType view attribute and remove http-equiv caching headers from faces pages
  • Add UTF-8 char encoding filter to everything served
  • Set secure and httpOnly on JSESSIONID and set SameSite on all server cookies
  • Add X-Content-Type-Options header
  • Add X-XSS-Protection header
  • Add CSRF Token management to PF
  • Sanitise all SC request parameters
  • Add <s:csrfForm />
  • Ensure resource paths lie within the web root before serving them
  • Allow temporal bucket charts on American date formats
  • Update Content-Security-Policy header
  • Add i18n to WebContext.message(), WebContext.growl(), PushMessage.message() and PushMessage.growl()
  • Remove Snapshot and Tag menu items from PF
  • Guard reflected XSS attacks in upload forms
  • Set content type and charset on xml partial redirect in SkyveFacesFilter
  • Update login.jsp to use input type email when self-registration is enabled
  • Refine the SkyveAuthenticationSuccessHandler for use behind TLS terminating reverse proxies

Responsive Renderer

  • Upgrade to PrimeFaces 8
  • Add ContentSignature widget
  • Manage PF menu state cookies. Turn off cookie manipulation for ultima and ecuador menus which do not react well.
  • Add sanitise and escape function / metadata to various UI elements

Notes for Upgrading

Make the following changes to your projects pom.xml:

  • Update Skyve version in the pom to 7.1.2
  • Update the skyve-content phase to clean:
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <executions>
        <execution>
            <id>copy-content-addin-dependency</id>
            <phase>clean</phase>
  • Replace the JUnit 4 dependency with a new dependency for JUnit 5 and a legacy dependency for JUnit 4.

Remove

<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.12</version>
    <scope>test</scope>
</dependency>

Add

<dependencies>
    ...
    <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-engine</artifactId>
        <version>5.7.1</version>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.junit.vintage</groupId>
        <artifactId>junit-vintage-engine</artifactId>
        <version>5.7.1</version>
        <scope>test</scope>
    </dependency>
</dependencies>
  • Remove the guava test dependency:
<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>23.0</version>
    <scope>test</scope>
</dependency>
  • Exclude the guava transitive dependency from selenium:
<dependency>
    <groupId>org.seleniumhq.selenium</groupId>
    <artifactId>selenium-support</artifactId>
    <version>3.141.59</version>
    <scope>test</scope>
    <exclusions>
        <exclusion>
            <groupId>net.bytebuddy</groupId>
            <artifactId>byte-buddy</artifactId>
        </exclusion>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
        </exclusion>
    </exclusions>
</dependency>
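The pom.xml steps above are easy to half-apply. The following script is an added example (not part of the Skyve project or these notes) that parses a project pom.xml with the standard Maven POM namespace and reports which of the listed changes are still missing; the embedded pom is a constructed sample with the steps already applied, and the Skyve version bump is not checked because the notes do not name the property that holds it.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # standard Maven POM namespace

# Constructed sample pom.xml (not a real project file) that already has the upgrade steps applied.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <artifactId>maven-dependency-plugin</artifactId>
    <executions><execution>
      <id>copy-content-addin-dependency</id><phase>clean</phase>
    </execution></executions>
  </plugin></plugins></build>
  <dependencies>
    <dependency><groupId>org.junit.jupiter</groupId><artifactId>junit-jupiter-engine</artifactId>
      <version>5.7.1</version><scope>test</scope></dependency>
    <dependency><groupId>org.junit.vintage</groupId><artifactId>junit-vintage-engine</artifactId>
      <version>5.7.1</version><scope>test</scope></dependency>
    <dependency><groupId>org.seleniumhq.selenium</groupId><artifactId>selenium-support</artifactId>
      <version>3.141.59</version><scope>test</scope>
      <exclusions><exclusion><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      </exclusion></exclusions></dependency>
  </dependencies>
</project>"""

def _coords(elem):
    # groupId:artifactId pair of a <dependency> or <exclusion> element
    return (elem.findtext("m:groupId", "", NS), elem.findtext("m:artifactId", "", NS))

def check_pom(xml_text):
    """Return the upgrade steps from the notes that are still missing (empty list when done)."""
    root = ET.fromstring(xml_text)
    problems = []
    deps = {_coords(d): d for d in root.findall("m:dependencies/m:dependency", NS)}
    if ("junit", "junit") in deps:
        problems.append("JUnit 4 dependency junit:junit still present")
    for coord in (("org.junit.jupiter", "junit-jupiter-engine"), ("org.junit.vintage", "junit-vintage-engine")):
        if coord not in deps:
            problems.append("missing %s:%s" % coord)
    guava = deps.get(("com.google.guava", "guava"))
    if guava is not None and guava.findtext("m:scope", "", NS) == "test":
        problems.append("guava test dependency still present")
    selenium = deps.get(("org.seleniumhq.selenium", "selenium-support"))
    if selenium is not None:
        excluded = {_coords(e) for e in selenium.findall("m:exclusions/m:exclusion", NS)}
        if ("com.google.guava", "guava") not in excluded:
            problems.append("selenium-support does not exclude com.google.guava:guava")
    for ex in root.iterfind(".//m:plugin/m:executions/m:execution", NS):
        if ex.findtext("m:id", "", NS) == "copy-content-addin-dependency" and ex.findtext("m:phase", "", NS) != "clean":
            problems.append("copy-content-addin-dependency is not bound to the clean phase")
    return problems
```

Run `check_pom(open("pom.xml").read())` against your own project; an empty list means every pom.xml step in this section has been applied.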

Make the following changes in your project .json configuration file:

  • Replace the existing conversations stanza within your project json configuration file with the following state stanza (keeping any previous customisations to these values you may have had):
    // State settings
    state: {
        // Conversation cache settings
        conversations: {
            // Max conversations allowed in heap memory before being moved off-heap or to disk
            heapSizeEntries: 1000,
            // Max off-heap memory size - 0 indicates no usage
            offHeapSizeMB: 64,
            // Max disk size - 0 indicates no usage
            diskSizeGB: 10,
            // Number of minutes to wait until expiring a conversation from the cache
            expiryTimeMinutes: 60
        },
        // CSRF Token cache settings
        csrfTokens: {
            // Max session tokens allowed in heap memory before being moved off-heap or to disk
            heapSizeEntries: 1000,
            // Max off-heap memory size - 0 indicates no usage
            offHeapSizeMB: 64,
            // Max disk size - 0 indicates no usage
            diskSizeGB: 10,
            // Number of minutes to wait until expiring session tokens from the cache
            expiryTimeMinutes: 60
        },
        // CRON Expression for Evicting Expired State job - run at 12:37 AM - null indicates no eviction
        evictCron: "0 37 0 1/1 * ? *"
    },
  • docker h2/mysql/postgres: make the same change as above to your three database-specific docker project configuration files

Perform an assemble (see the complete upgrade instructions on GitHub).

In any custom xhtmls:

  • change p:fileUpload attribute fileUploadListener to listener
  • use s:csrfForm instead of h:form to include the hidden csrf token

In any custom UxUi folders (in src/main/webapp):

  • security changes were made to the xhtml files, copy these from external and revert any local customisations

In any custom template folders (in src/main/webapp/WEB-INF/pages/templates):

  • security changes were made to the xhtml files, copy these from external and revert any local customisations

Generate domain and deploy locally before committing.