Skyve 7.1.2 Released
This release of Skyve changes the default escaping and sanitisation throughout the user interface as well as tightening up any XSS possibilities. A new Signature widget has been added in responsive mode to allow digital signatures to be added to views. Internationalisation support has been made pervasive throughout the interface and a default translation for Hindi and Vietnamese has been added.
Signatures
A new type of content has been added in responsive mode to support digitally signing within a Skyve view. These can be included by specifying the widget type as `contentSignature`. For example, declare as a standard content attribute:
```xml
<content name="signature">
    <displayName>Signature</displayName>
</content>
```
and as a `contentSignature` in the view:
```xml
<row>
    <item>
        <contentSignature binding="signature" />
    </item>
</row>
```
Internationalisation
Skyve has supported internationalisation as well as LTR and RTL for several years, but this release makes the usage much more pervasive to include things like validation messages. 7.1.2 also includes translations of the admin module into Hindi and Vietnamese thanks to two of our community members @seema-source and @vanruc.
Framework
- Attempt to instantiate content manager add-in only if there is no content manager class specified in json
- Redo i18n to permeate all functional layers via `CORE.getUser()`
- Add getLocalised...() convenience methods to Skyve metadata
- Enable spring security session fixation defence
- Add autocomplete, spellcheck, autocapitalize & autocorrect attributes to generated password elements in views for SC and PF
- Canonicalise the RouteCriteria based on the given binding before checking if it is unsecured or finding the outcome URL in home.jsp
- Add max width to SC logo img without affecting DynamicImage max sizes
- Introduce JUnit 5
- Update maven plugin NewDocumentMojo to generate a persistent name
- Test and configure (disabled by default) the SAML 2 configuration for Azure AD integration
- Update semantic jquery version from 3.3.1 to 3.6.0
- Protect against reflected XSS from URL parameters inside SC script tags
- Add content type and charset to all jsp and faces pages
- Protect reflected XSS on password reset token
- Add Cache-control no-store headers to faces pages
- Add contentType view attribute and remove http-equiv caching headers from faces pages
- Add UTF-8 char encoding filter to everything served
- Set secure and httpOnly on JSESSIONID and set SameSite on all server cookies
- Add X-Content-Type-Options header
- Add X-XSS-Protection header
- Add CSRF Token management to PF
- Sanitise all SC request parameters
- Add `<s:csrfForm />`
- Ensure resource paths lie within the web root before serving them
- Allow temporal bucket charts on American date formats
- Update Content-Security-Policy header
- Add i18n to `WebContext.message()`, `WebContext.growl()`, `PushMessage.message()` and `PushMessage.growl()`
- Remove Snapshot and Tag menu items from PF
- Guard reflected XSS attacks in upload forms
- Set content type and charset on xml partial redirect in `SkyveFacesFilter`
- Update login.jsp to use input type email when self-registration is enabled
- Refine the `SkyveAuthenticationSuccessHandler` for use behind TLS terminating reverse proxies
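As an added illustration of the "resource paths lie within the web root" check listed above (this is example code, not Skyve's own implementation; the class and method names are assumptions), the guard canonicalises both the root and the requested path before comparing them, so `..` segments, absolute paths and symlinks pointing outside the root are all refused:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Skyve's code: names are assumptions.
public final class WebRootGuard {
    private final Path webRoot;

    public WebRootGuard(Path webRoot) throws IOException {
        // Resolve symlinks and normalise once so every comparison is against the real directory.
        this.webRoot = webRoot.toRealPath();
    }

    /**
     * Returns the real path of the requested resource if it lies inside the web root,
     * or null if the request escapes it (via "..", an absolute path or a symlink).
     */
    public Path resolve(String requested) throws IOException {
        // Servlet-style paths start with "/" but are relative to the web root; strip that.
        String trimmed = requested.startsWith("/") ? requested.substring(1) : requested;
        Path relative = Paths.get(trimmed);
        if (relative.isAbsolute()) {
            return null; // e.g. a Windows drive path smuggled in
        }
        // normalize() collapses "." and ".." so a traversal ends up outside the root prefix.
        Path candidate = webRoot.resolve(relative).normalize();
        // Path.startsWith() compares whole components, so "/webroot2" is not mistaken for "/webroot".
        if (!candidate.startsWith(webRoot) || !Files.exists(candidate)) {
            return null;
        }
        // toRealPath() follows symlinks; re-check so a link that targets a file outside the root is refused too.
        Path real = candidate.toRealPath();
        return real.startsWith(webRoot) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        WebRootGuard guard = new WebRootGuard(Paths.get(args.length > 0 ? args[0] : "."));
        System.out.println(guard.resolve("/images/logo.png"));      // real path or null
        System.out.println(guard.resolve("/../../etc/hostname"));   // null: escapes the root
    }
}
```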
Responsive Renderer
- Upgrade to PrimeFaces 8
- Add ContentSignature widget
- Manage PF menu state cookies. Turn off cookie manipulation for ultima and ecuador menus which do not react well.
- Add sanitise and escape function / metadata to various UI elements
Notes for Upgrading
Make the following changes to your project's `pom.xml`:
- Update Skyve version in the pom to 7.1.2
- Update the skyve-content phase to `clean`:
```xml
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <executions>
        <execution>
            <id>copy-content-addin-dependency</id>
            <phase>clean</phase>
```
- Replace the JUnit 4 dependency with a new dependency for JUnit 5 and a legacy dependency for JUnit 4.
Remove
```xml
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.12</version>
    <scope>test</scope>
</dependency>
```
Add
```xml
<dependencies>
    ...
    <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-engine</artifactId>
        <version>5.7.1</version>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.junit.vintage</groupId>
        <artifactId>junit-vintage-engine</artifactId>
        <version>5.7.1</version>
        <scope>test</scope>
    </dependency>
</dependencies>
```
- Remove the `guava` test dependency:
```xml
<dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>23.0</version>
    <scope>test</scope>
</dependency>
```
- Exclude the `guava` transitive dependency from `selenium`:
```xml
<dependency>
    <groupId>org.seleniumhq.selenium</groupId>
    <artifactId>selenium-support</artifactId>
    <version>3.141.59</version>
    <scope>test</scope>
    <exclusions>
        <exclusion>
            <groupId>net.bytebuddy</groupId>
            <artifactId>byte-buddy</artifactId>
        </exclusion>
        <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```
Make the following changes in your project `.json` configuration file:
- Replace the existing `conversations` stanza within your project json configuration file with the following `state` stanza (keeping any previous customisations to these values you may have had):
```json
// State settings
state: {
    // Conversation cache settings
    conversations: {
        // Max conversations allowed in heap memory before being moved off-heap or to disk
        heapSizeEntries: 1000,
        // Max off-heap memory size - 0 indicates no usage
        offHeapSizeMB: 64,
        // Max disk size - 0 indicates no usage
        diskSizeGB: 10,
        // Number of minutes to wait until expiring a conversation from the cache
        expiryTimeMinutes: 60
    },
    // CSRF Token cache settings
    csrfTokens: {
        // Max session tokens allowed in heap memory before being moved off-heap or to disk
        heapSizeEntries: 1000,
        // Max off-heap memory size - 0 indicates no usage
        offHeapSizeMB: 64,
        // Max disk size - 0 indicates no usage
        diskSizeGB: 10,
        // Number of minutes to wait until expiring session tokens from the cache
        expiryTimeMinutes: 60
    },
    // CRON Expression for Evicting Expired State job - run at 12:37 AM - null indicates no eviction
    evictCron: "0 37 0 1/1 * ? *"
},
```
- docker h2/mysql/postgres
  - make the same change as above to your 3 database-specific docker project configuration files
Perform an assemble (see the complete upgrade instructions on GitHub).
In any custom xhtmls:
- change `p:fileUpload` attribute `fileUploadListener` to `listener`
- use `s:csrfForm` instead of `h:form` to include the hidden csrf token
In any custom UxUi folders (in src/main/webapp):
- security changes were made to the xhtml files, copy these from external and revert any local customisations
In any custom template folders (in src/main/webapp/WEB-INF/pages/templates):
- security changes were made to the xhtml files, copy these from external and revert any local customisations
Generate domain and deploy locally before committing.