XperienCentral R33

Release date: July 26, 2021


Note

Minimum Version Required for Upgrading to XperienCentral R33

Upgrading to XperienCentral R33 requires a minimum version of R26. If you are upgrading from XperienCentral R25 or lower, you must first upgrade to R26 and then upgrade to XperienCentral R33.



Check Configuration Files

See Check Configuration Files.

Google Sitemap Automatic Upload

In XperienCentral R33, a new setting for controlling whether XperienCentral automatically uploads generated sitemaps to Google has been introduced. The setting google_sitemap_automatic_upload can be found in the application_settings section of the General tab of the Setup Tool. When enabled, if a Google sitemap is generated, it is automatically uploaded according to the schedule configured in the setting google_sitemap_generator_schedule. When disabled, the latest generated sitemap is not uploaded.

Because it is disabled by default, when upgrading from R32, the option must be enabled manually if XperienCentral should continue to automatically submit the sitemap to Google.

New "iafpanel" channel for the Interactive Forms Panel

The Interactive Forms panel uses a new "iafpanel" channel to render the forms. That way its visual representations can be completely decoupled from the website presentation. New presentations should use it for all standard fragment types unless the representation inside the IAF panel must resemble the website presentation. However, when upgrading there are 3 possible options:

  1. Follow the new standard and add the "iafpanel" channel to all custom formStep, FormSectionVersion and form fragment presentation descriptors. For example, for a FormFragmentTextInput this will look as follows:

    <channel>
        <name>iafpanel</name>
        <presentation>FormFragmentTextInput</presentation> <!-- Name of IAF's own presentation -->
    </channel>

    Subsequently, any code in the presentation JSPs that is specific to the preview mode can be removed.

  2. Add the "iafpanel" channel to all custom formStep, FormSectionVersion and form fragment presentation descriptors and have it refer to itself.
  3. Add "iafpanel" (without quotes) to the channels_using_fallback setting in the application_settings section of the General tab of the Setup Tool. The Interactive Forms Panel will then continue to use the custom presentations. Note however that they will probably look different because of CSS changes in the IAF panel. In addition, when the fragmentDiv tag is overruled in a custom presentation, the new logic for adding the data-jcr-uuid attribute in Edit mode must be copied from the official version in IAF's wmpformelement plugin.

Note that a different option can be chosen for each presentation.

Interactive Forms fragmentDiv.tag File

Due to changes in the way the Interactive Form panel works, an extra attribute is required in the fragmentDiv.tag to make sure the Interactive Form panel keeps functioning. The attribute data-jcr-uuid has been added which is only shown in Edit mode. If you have a custom implementation that modifies fragmentDiv.tag, be sure that you pick up this change to ensure that the Interactive Forms module functions correctly.

CSRF Settings

To better protect websites hosted by XperienCentral against CSRF attacks, a new mechanism has been introduced. A CSRF token is stored in a cookie, and every non-GET request to the server must include, as a header or form field, the SHA-256 hash of this token concatenated with a random 16-character nonce, followed by the nonce itself. This change could affect custom functionality in the following ways:

  • If a custom version of the Interactive Form file formvalidationbindings.js is used, it must be updated with the anti-CSRF changes which can be found by searching for "csrf" in the upgraded formvalidationbindings.js.
  • If the Interactive Form formsHeadTag presentation is not called from a custom presentation plugin, then the page presentations of this plugin must include the /<context path>/js/form/csrfprotection.js script.
  • If XHR form posts are performed in custom panels, elements or widgets, the X-CSRF-Token header must be added to these posts.
  • The secure_rest_against_csrf configuration setting and the mandatory use of the X-Session-Verify header when it is enabled are now only relevant for GET requests to XperienCentral's REST API. All other types of requests to the REST API are now always checked irrespective of the secure_rest_against_csrf configuration setting, and must contain the X-CSRF-Token header. See the application_settings section of the General tab of the Setup Tool for complete information on the secure_rest_against_csrf setting.
  • If custom voting presentations are used, the X-CSRF-Token must be added to the form posts they execute. See voting.jspf in the Community Edition presentation for an example.
  • External requests to /services/oembed must add an X-CSRF-Token header to the request. It can be retrieved from the X-CSRF-Token response header when the steps on Security Guidelines for Developers have been followed.
  • It is not possible to submit forms to XperienCentral from other domains, even when that domain is another channel of the same XperienCentral installation, because browsers do not allow reading cookies from another domain.

See also Security Guidelines for Developers for more information.

formvalidationbindings.js

The following changes have been made to the formvalidationbindings.js file:

  • A new initCSFW function has been added that is called in the $(document).ready for all forms and from the IAF_FormLoaded event listener.
  • initCSFW calls the new loadScript function which adds a script tag to load the client-side framework.
  • The IAF_ShowFormFragment and IAF_HideFormFragment event listeners have been updated to prevent event propagation.
  • The IAF_SubmitForm event listener has been updated to add the anti-CSRF header when submitting the form using Ajax and to support form fields that have "submit" as their identifier.
  • The IAF_AjaxShowFormStep event listener now checks whether the response contains the "X-CSRF-Token" header. If it does, then it creates a hidden input with its value. This is done to support IAF forms on external domains.
  • The formObj.submit function defined in the init function has been updated to add the anti-CSRF input field when submitting the form.
  • A new showGeneralErrorMessage function has been defined that shows a general error message at the top of a form when a communication error occurs.

Interactive Forms Upload Element

The Upload element in Interactive Forms has been modified to allow multiple file uploads. You can also set a minimum and maximum number of allowed files in an Upload element. See Creating Forms for complete information.

Interactive Forms Deprecated Methods

In XperienCentral versions R33 and higher, the following form methods have been deprecated.

FormScope

The following method has been deprecated:


void setUploadFragmentValue(String fragment, UploadedFile file);

Use the following method instead:


void setUploadFragmentValues(String fragment, List<UploadedFile> files);


FormValuesMap

The following method has been deprecated:


public UploadedFile getUploadedFile(String key)

Use the following method instead:


public List<UploadedFile> getUploadedFiles(String key)


UploadFragmentScope

All methods have been deprecated. Read the uploaded files through scope.getValues() instead, as in the following code:


List<Object> files = scope.getValues();
if (files != null) {
   for (Object fileObj : files) {
      if (fileObj instanceof UploadedFile) {
         UploadedFile file = (UploadedFile) fileObj;

         // Now read the attributes (a distinct variable name is used for the
         // underlying java.io.File so it does not shadow the UploadedFile)
         File uploadedFile = file.getFile();
         long size = file.getSize();
         String contentType = file.getContentType();
         ...
      }
   }
}