Vaadin Framework 6.8.8
Vaadin – thinking of U and I
Version 6.8.8
Version 6.8.8 built on 2013-01-29.
Release Notes for Vaadin Framework 6.8.8
- Security fixes in Vaadin 6.8
- Overview of Vaadin 6.8 Release
- Changes in Vaadin 6.8.8
- Enhancements in Vaadin 6.8
- Backwards incompatible changes in Vaadin 6.8
- Package contents
- Vaadin 6.8.8 dependencies
- Upgrading to Vaadin 6.8
- Known problems and limitations in Vaadin 6.8.8
- Supported technologies
- Vaadin on the Web
Vaadin is a Java application development framework for building modern web
applications that look great, perform well and make you and your users
happy. Vaadin is available under the Apache 2 license (see license.html
in the JAR).
Security fixes in Vaadin Framework 6.8.8
Vaadin 6.8.8 fixes a security issue discovered during an internal
review.
Allowing unfiltered user input as the key in a map used for
communication in a Vaadin UI component may enable a cross-site
scripting (XSS) attack on a Vaadin application. Specifically, in
certain cases it is possible to use a specially-crafted debug ID to
inject arbitrary JavaScript to be executed in an end user's browser.
This requires specific actions both from the application developer and
from the end user.
The vulnerability has been classified as moderate: it potentially
allows unauthorized access to server or user data, but it is
significantly limited by factors such as default settings, requires
certain behavior from the application, or is very difficult to
exploit.
Certain Vaadin layout components store metadata about their child
components in maps, keyed by the component ID. The IDs are not
escaped when the maps are sent to the client as JSON objects,
allowing a specially-crafted debug ID assigned to a child component
to inject arbitrary JSON or, in some cases, arbitrary JavaScript to
be executed by the user's browser.
To be used as an attack, this requires an application to accept
malicious user input and assign it, unfiltered, as the debug ID of a
component in another user's application instance. The following Core
Vaadin layouts are vulnerable when containing a component with a
malicious debug ID:
- HorizontalLayout, VerticalLayout, OrderedLayout, ExpandLayout, and
FormLayout when using the setComponentAlignment() and
setExpandRatio() methods;
- CssLayout subclasses that override the protected getCss() method.
Additionally, any third-party components which invoke the
com.vaadin.terminal.PaintTarget#addAttribute(String, Map) method are
vulnerable if unfiltered user input is allowed as the keys of the
Map argument.
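The key-escaping flaw described in this section, reduced to a stand-alone sketch (an added example, not Vaadin's own code): the class, the methods toJson, escape and isSafeDebugId, the allow-list pattern and the sample map are hypothetical names and constructed values. It serializes the same map with and without key escaping, and shows an allow-list check an application can apply before assigning user-derived text as a debug ID.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class MapKeyEscapingDemo {

    // Minimal JSON string escaping: quote, backslash and control characters.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\').append(c);
            } else if (c < 0x20) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Serializes a map as a JSON object. Values are always escaped; keys are
    // escaped only when escapeKeys is true (false reproduces the flawed pattern).
    static String toJson(Map<String, String> map, boolean escapeKeys) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : map.entrySet()) {
            if (sb.length() > 1) sb.append(',');
            String key = escapeKeys ? escape(e.getKey()) : e.getKey();
            sb.append('"').append(key).append("\":\"")
              .append(escape(e.getValue())).append('"');
        }
        return sb.append('}').toString();
    }

    // Application-side allow-list for IDs derived from user input (assumed policy).
    static boolean isSafeDebugId(String id) {
        return id != null && id.matches("[A-Za-z0-9_.-]{1,64}");
    }

    public static void main(String[] args) {
        Map<String, String> alignments = new LinkedHashMap<String, String>();
        alignments.put("saveButton", "5");            // constructed sample entry
        String crafted = "x\":\"0\",\"injected";      // constructed ID containing quotes
        alignments.put(crafted, "5");
        System.out.println("unescaped keys: " + toJson(alignments, false));
        System.out.println("escaped keys:   " + toJson(alignments, true));
        System.out.println("allow-list accepts crafted ID: " + isSafeDebugId(crafted));
    }
}
```

With unescaped keys the two map entries serialize as three JSON properties; with escaped keys the crafted ID stays a single, inert key, and the allow-list rejects it before it reaches a component.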
Overview of Vaadin 6.8.8 Release
Vaadin 6.8.8 is a maintenance release that includes a number of important bug
fixes.
Changes in Vaadin 6.8.8
This release includes the following closed issues:
- #9197: IE 8 Memory Leak with Component Table added to a Window
- #10317: Table scrolling broken on iOS 6 devices
- #10873: Potential XSS vulnerability in JsonPaintTarget
- #8238: Tabsheet fails to render tab content when content is dynamically created
- #10609: Add automated test for #9986
- #10862: SQLContainer FreeformQuery class leaks resources on errors
- #10563: Logging must consider Log Level
- #9548: AbstractCommunicationManager doHandleSimpleMultipartFileUpload does calculate Upload size incorrectly
- #10475: Add support for Chrome for Android
- #10763: DoubleClick on table row failed in IE7
The full list of the closed issues can be found at dev.vaadin.com.
Enhancements in Vaadin 6.8
Below is a list of enhancements in the current minor release branch, first
released in 6.8.0.
- Native scrolling support for Android and iOS (#8763)
  - Non-native scrolling implementation used in iOS 5 because of an iOS bug (see #8792)
- Possibility to fire Button click events on the server-side (#8209)
- Possibility to use HTML inside a Button caption (#8663)
- Possibility to set "alternative text" (alt attribute) for the Embedded component (#6085)
- Possibility to query the browser window width and height on the server-side (#5655)
- Keyboard navigation in TabSheet (#5100)
- Max/min limits for splitter position in SplitPanel (#1744)
- Extended day range in month view to six full weeks in DateField (#6718)
- Non-collapsible Table columns (#7495)
- Selecting a TabSheet tab by its position or a Tab instance (#8203)
- Getting a component by its index or the index of a given component in CssLayout (#7614)
- Removing all Validators of a Field at once (#8307)
- Debug IDs unique to a window, not the whole application (#5109)
- Larger default size for the debug window (#8523)
- Compatibility with Google SuperDevMode (#8924)
- An add-on for handling broken classloaders (#8447)
  - Available in Vaadin Directory: Vaadin-application-server-class-loader-workaround
Backwards incompatible changes in Vaadin 6.8
The following backward incompatible changes have been introduced since Vaadin 6.7:
- Splitter position in SplitPanel is now float instead of int (#4296)
Package Contents
Vaadin Framework is distributed as a single JAR file. Inside the JAR you will
find:
- Vaadin server and client side classes (/com)
- Vaadin server and client side sources (/com)
- The default widget set (/VAADIN/widgetsets)
- Themes: Runo, Reindeer and Chameleon (/VAADIN/themes)
- Release notes (/release-notes.html)
- Licensing information (/license.html)
Vaadin 6.8.8 dependencies
Vaadin uses GWT 2.3.0 for widget set compilation. GWT can be
downloaded from http://code.google.com/webtoolkit/.
GWT can also be automatically downloaded by the Vaadin Plug-in for
Eclipse. Please note that GWT 2.3.0 requires the validation-api-1.0.0.GA.jar
and validation-api-1.0.0.GA-sources.jar files in addition to gwt-dev.jar
and gwt-user.jar for widget set compilation.
Upgrading to Vaadin 6.8
When upgrading from an earlier Vaadin version, you must:
- Recompile your classes using the new Vaadin JAR. Binary
compatibility is only guaranteed for maintenance releases of
Vaadin.
- Recompile any add-ons you have created using the new Vaadin
JAR.
- Recompile your widget set using the new Vaadin JAR and the
newly compiled add-ons.
- If you have extracted a theme from the Vaadin JAR, you need
to update it with the theme provided in the new Vaadin JAR.
Remember also to refresh the project in your IDE to ensure that the new version
of everything is in use.
Using the "?debug" URL parameter you can verify that the
version of the servlet (JAR), the theme and the widgetset all match.
Eclipse users should always check if there is a new version of the Eclipse
Plug-in available. The Eclipse Plug-in can be used to update the Vaadin version in
the project (Project properties » Vaadin).
Maven users should update the Vaadin dependency version in the
pom.xml unless it is defined as LATEST. You must also ensure
that the GWT dependency uses the correct version and recompile your project and
your widget set.
Liferay and other portal users must install the new
vaadin-6.8.8.jar as
ROOT/WEB-INF/lib/vaadin.jar in the portal. Additionally the
contents of the VAADIN folder from the JAR must be extracted
to the ROOT/html/VAADIN directory in the Liferay
installation. If your portal uses custom widgets, install the latest
version of Vaadin
Control Panel for Liferay for easy widget set compilation.
Upgrading from Vaadin 6.5 or earlier
If you are upgrading from 6.5.x or earlier, notice that Vaadin
6.8.8 uses GWT 2.3.0. Upgrade your dependencies as
necessary. See the dependencies section
for more information.
Upgrading from Vaadin 6.1 or earlier
The way widget sets are created was completely changed in Vaadin 6.2. Existing
projects, where custom widgets (a custom widget set) are used, must be migrated
when upgrading to Vaadin 6.2 or later. Projects where the default widget set is
used do not need migration. See Vaadin
6.2.0 release notes for more details.
Notes and Limitations for Google App Engine
The following instructions and limitations apply when you run a Vaadin application
under the Google App Engine.
- Applications must use GAEApplicationServlet instead of
  ApplicationServlet in web.xml.
- Session support must be enabled in appengine-web.xml:
  <sessions-enabled>true</sessions-enabled>
- Avoid using the session for storage; the usual App Engine
  limitations apply (no synchronization, i.e., unreliable).
- Vaadin uses memcache for mutex; the key is of the form
  _vmutex<sessionid>.
- The Vaadin WebApplicationContext class is serialized separately into
  memcache and datastore; the memcache key is _vac<sessionid> and
  the datastore entity kind is _vac with identifiers of the type
  _vac<sessionid>.
- DO NOT update application state when serving an ApplicationResource
  (e.g. ClassResource.getStream()).
- AVOID (or be very careful when) updating application state in a
  TransactionListener or a HttpServletRequestListener - they are
  called even when the application is not locked and won't be serialized (e.g.
  ApplicationResource), and changes can thus go missing (it should be
  safe to update things that can be safely discarded later, i.e. valid only for
  the current request).
- The application remains locked during uploads - a progress bar is not
  possible.
For other known problems, see the open tickets at the developer site dev.vaadin.com.
Supported technologies
Vaadin is based on Java 5 and it is also compatible with most other
operating systems supporting Java 5 or newer. Vaadin is supported on the following
operating systems:
- Windows
- Linux
- Mac OS X
Vaadin requires Java Servlet API 2.3 but also supports later versions and
should work with any Java application server that conforms to the standard. The
following application servers are supported:
- Apache Tomcat, version 4.1-7.0
- Oracle WebLogic® Server, version 9.2-10.3.5(11gR1)
- IBM WebSphere® Application Server, version 6.1-8.0
- JBoss Application Server, 3.2.8-7.0
- Jetty, version 5.0-7.0
- Glassfish, version 2.0-3.1
Vaadin supports JSR-168 and JSR-286 Portlet specifications. All portals that
implement either of the portlet specifications should work. The following
portals are supported:
- Liferay Portal 5.2-6.0
- GateIn Portal 3.1
- eXo Platform 3
- Oracle WebLogic® Portal 10gR3
- WebSphere Portal 6.1-7.0
Vaadin also supports Google App Engine.
Vaadin supports the following browsers:
- Mozilla Firefox 3-14
- Internet Explorer 6-9
- Safari 4-5
- Opera 10-12
- Google Chrome 13-21
Vaadin supports the built-in browsers in the following mobile operating
systems:
- iOS 4-5
- Android 2-4
Vaadin SQL Container supports the following databases:
- HSQLDB
- MySQL
- MSSQL
- Oracle
- PostgreSQL
Vaadin on the Web
- vaadin.com - The developer portal containing
everything you need to know about Vaadin
- demo.vaadin.com - A collection of demos for
Vaadin
- vaadin.com/learn - Getting started with
Vaadin
- vaadin.com/forum - Forums for Vaadin related
discussions
- vaadin.com/book - Book of Vaadin - everything
you need to know about Vaadin
- vaadin.com/api - Online javadocs
- vaadin.com/directory - Add-ons for
Vaadin
- dev.vaadin.com - Bug tracker
- dev.vaadin.com/svn/versions/6.8 - Source code
- vaadin.com/pro-account - Commercial support and tools for Vaadin development
- vaadin.com/services - Expert services for Vaadin
- vaadin.com/company - Information about the company behind Vaadin