
XperienCentral R33

Release date: July 30, 2021


Note

Minimum Version Required for Upgrading to XperienCentral R33

Upgrading to XperienCentral R33 requires a minimum version of R26. If you are upgrading from XperienCentral R25 or lower, you must first upgrade to R26 and then upgrade to XperienCentral R33.



Check Configuration Files

See Check Configuration Files.

Google Sitemap Automatic Upload

In XperienCentral R33, a new setting for controlling whether XperienCentral automatically uploads generated sitemaps to Google has been introduced. The setting google_sitemap_automatic_upload can be found in the application_settings section of the General tab of the Setup Tool. When enabled, if a Google sitemap is generated, it is automatically uploaded according to the schedule configured in the setting google_sitemap_generator_schedule. When disabled, the latest generated sitemap is not uploaded.

Because it is disabled by default, when upgrading from R32, the option must be enabled manually if XperienCentral should continue to automatically submit the sitemap to Google.

New Channel for the Interactive Forms Panel

Beginning in XperienCentral version R33, the Interactive Forms panel uses the "iafpanel" channel to render forms. This mechanism makes it possible to decouple the IAF visual representations from the website presentation. New presentations should use it for all standard fragment types unless the representation inside the IAF panel must resemble the website's presentation. When upgrading, there are 3 possible options for handling this situation:

  1. Add "iafpanel" (without quotes) to the channels_using_fallback setting in the application_settings section of the General tab of the Setup Tool. This will make all presentations without an explicit "iafpanel" channel declaration behave as described in option 3 below. This is the quickest fix. The notes in option 3 below also apply to this option.
  2. Add the "iafpanel" channel to all custom formStep, FormSectionVersion and form fragment presentation descriptors. This will deliver the best Edit side presentation and will prevent the custom presentations from being cluttered with Edit-side logic. For a text input fragment, the channel declaration looks like this:

    <channel>
       <name>iafpanel</name>
       <presentation>FormFragmentTextInput</presentation> <!-- Name of IAF's own presentation -->
    </channel>


    As a result, any code in the presentation JSPs that is specific to the preview mode can be removed.

  3. Add the "iafpanel" channel to all custom formStep, FormSectionVersion and form fragment presentation descriptors and have it refer to itself. The Interactive Forms panel will then continue to use the custom presentations, making it possible to have the same HTML output in the panel as on the website.

    Notes
    • Option 1 has the same effect as Option 3 but it is easier to implement. The disadvantage of using Option 1 is that it might not be obvious that an "iafpanel" channel that you want to point to the IAF's own presentation (Option 2) is missing from a presentation descriptor.
    • The IAF panel presentation(s) may look different than the pre-R33 version(s) because of changes to the CSS.
    • Option 2 or 3 can be used separately for each presentation.


fragmentDiv tag

When the fragmentDiv tag is overruled in a custom presentation plugin, the data-jcr-uuid attribute must now be added in Edit mode by the custom fragmentDiv tag. The logic for adding this attribute has been added to IAF's fragmentDiv tag; an example of how this can be implemented can be found in the standard IAF fragmentDiv tag inside the wmformelement plugin.


CSRF Settings

To better protect websites hosted by XperienCentral against CSRF attacks, a new mechanism has been introduced that uses a CSRF token stored in a cookie. All non-GET requests to the server must include, as a header or form field, an SHA-256 hash of this token plus a random 16-character nonce, postfixed with the nonce that was used. This change could affect custom functionality in the following ways:

  • If a custom version of the Interactive Form file formvalidationbindings.js is used, it must be updated with the anti-CSRF changes which can be found by searching for "csrf" in the upgraded formvalidationbindings.js.
  • If the Interactive Form formsHeadTag presentation is not called from a custom presentation plugin, then the page presentations of this plugin must include the /<context path>/js/form/csrfprotection.js script.
  • If XHR form posts are performed in custom panels, elements or widgets, the X-CSRF-Token header must be added to these posts.
  • The secure_rest_against_csrf configuration setting and the mandatory use of the X-Session-Verify header when it is enabled are now only relevant for GET requests to XperienCentral's REST API. All other types of requests to the REST API are now always checked, irrespective of the secure_rest_against_csrf configuration setting, and they must contain the X-CSRF-Token header. See the application_settings section of the General tab of the Setup Tool for complete information on the secure_rest_against_csrf setting.
  • If custom voting presentations are used, the X-CSRF-Token must be added to the form posts they execute. See voting.jspf in the Community Edition presentation for an example.
  • External requests to /services/oembed must add an X-CSRF-Token header to the request. It can be retrieved from the X-CSRF-Token response header when the steps in Security Guidelines for Developers have been followed.
  • It is not possible to submit forms to XperienCentral from other domains, even when that domain is another channel of the same XperienCentral installation, because browsers do not allow reading cookies from another domain.

See also Security Guidelines for Developers for more information.
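
The token scheme described in this section, sketched for both the client and the server side as an added example (not XperienCentral code). The concatenation order, the hex encoding, the cookie name `csrfCookie` and the form field name `csrfToken` are assumptions; the product's own csrfprotection.js defines the real ones.

```javascript
// Added illustration, not XperienCentral source. Assumed: hex SHA-256 over
// token + nonce; cookie "csrfCookie" and field "csrfToken" are hypothetical names.
const crypto = require("node:crypto");

const NONCE_LEN = 16;  // nonce length stated in the release note
const DIGEST_LEN = 64; // hex characters in a SHA-256 digest (assumed encoding)

function sha256Hex(text) {
  return crypto.createHash("sha256").update(text, "utf8").digest("hex");
}

// Client side: derive a fresh per-request value from the cookie token.
function buildCsrfValue(cookieToken, nonce) {
  nonce = nonce ?? crypto.randomBytes(NONCE_LEN / 2).toString("hex");
  if (nonce.length !== NONCE_LEN) throw new RangeError("nonce must be 16 characters");
  return sha256Hex(cookieToken + nonce) + nonce;
}

// Server side: split off the nonce suffix, recompute the hash from the cookie
// token, and compare in constant time. Malformed input is rejected, not thrown.
function verifyCsrfValue(cookieToken, submitted) {
  if (typeof cookieToken !== "string" || cookieToken.length === 0) return false;
  if (typeof submitted !== "string" || submitted.length !== DIGEST_LEN + NONCE_LEN) return false;
  const digest = submitted.slice(0, DIGEST_LEN);
  if (!/^[0-9a-f]{64}$/.test(digest)) return false; // keeps buffer lengths equal below
  const expected = sha256Hex(cookieToken + submitted.slice(DIGEST_LEN));
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(digest));
}

// Request gate: GET is exempt, every other method needs a valid value in the
// X-CSRF-Token header or in a form field.
function checkRequest(req) {
  if (req.method === "GET") return true;
  const submitted = req.headers?.["x-csrf-token"] ?? req.form?.csrfToken;
  return verifyCsrfValue(req.cookies?.csrfCookie, submitted);
}
```

The value can only be computed by code that can read the cookie, which is why a page on another domain cannot produce it and why cross-domain form posts are rejected.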

formvalidationbindings.js

The following changes have been made to the formvalidationbindings.js file:

  • A new initCSFW function has been added that is called in the $(document).ready for all forms and from the IAF_FormLoaded event listener.
  • initCSFW calls the new loadScript function which adds a script tag to load the client-side framework.
  • The IAF_ShowFormFragment and IAF_HideFormFragment event listeners have been updated to prevent event propagation.
  • The IAF_SubmitForm event listener has been updated to add the anti-CSRF header when submitting the form using Ajax and to support form fields that have "submit" as their identifier.
  • The IAF_AjaxShowFormStep event listener now checks whether the response contains the X-CSRF-Token header. If it does, then it creates a hidden input with its value. This is done to support IAF forms on external domains.
  • The formObj.submit function defined in the init function has been updated to add the anti-CSRF input field when submitting the form.
  • A new showGeneralErrorMessage function has been defined that shows a general error message at the top of a form when a communication error occurs.

Interactive Forms Upload Element

The Upload element in Interactive Forms has been modified to allow multiple file uploads. You can also set a minimum and maximum number of allowed files in an Upload element. See Creating Forms for complete information.

Modular Content Tag Property change (v2.0.13)

Properties of type tag are now referenced using an ID instead of by name. For example, suppose you have the following tag property:

TemplateProperty tagProperty = modularVersion.getModularTemplateInstance().getPropertyByIdentifier("mypropertyoftypetag");

Previously, the tag name would be retrieved using tagProperty.getStringValue(). Now the (Siteworks) ID of the property must first be retrieved using getIntegerValue() and, given that, the corresponding MediaTerm can be retrieved using getWrapper. For example:

Previously in Java

TemplateProperty property = modularVersion.getModularTemplateInstance().getPropertyByIdentifier("mypropertyoftypetag");
String tagName = property.getStringValue();

Now in Java

TemplateProperty property = modularVersion.getModularTemplateInstance().getPropertyByIdentifier("mypropertyoftypetag");
Long tagId = property.getIntegerValue();
Session session = getSessionManager().getActiveSession();
MediaTerm categoryTag = (MediaTerm) session.getWrapper(tagId.intValue(), MediaTerm.class);
String tagName = categoryTag.getName();

Previously in JSP Code

<c:set var="mediaItem" value="${presentationcontext.mediaItem}" />
<c:set var="currentMV" value="${mediaItem.current}" />
<c:if test="${wmfn:instanceOf(currentMV, 'nl.gx.product.wmamodularcontent.api.ModularMediaItemArticleVersion')}">
   <c:set var="mti" value="${current.modularTemplateInstance}" />
   <c:set var="supportedContenttype" value="${mti.type.identifier eq 'examplecontenttype'}" />
</c:if>
<c:choose>
   <c:when test="${supportedContenttype && not empty mti.getPropertyByIdentifier('mypropertyoftypetag').getStringValue()}">
      <c:set var="tagName" value="${mti.getPropertyByIdentifier('mypropertyoftypetag').getStringValue()}" />
   </c:when>
   ....
</c:choose>

Now in JSP Code

<c:set var="mediaItem" value="${presentationcontext.mediaItem}" />
<c:set var="currentMV" value="${mediaItem.current}" />
<c:if test="${wmfn:instanceOf(currentMV, 'nl.gx.product.wmamodularcontent.api.ModularMediaItemArticleVersion')}">
   <c:set var="mti" value="${current.modularTemplateInstance}" />
   <c:set var="supportedContenttype" value="${mti.type.identifier eq 'examplecontenttype'}" />
</c:if>
<c:choose>
   <c:when test="${supportedContenttype && not empty mti.getPropertyByIdentifier('mypropertyoftypetag').getIntegerValue()}">
      <c:set var="tagId" value="${mti.getPropertyByIdentifier('mypropertyoftypetag').getIntegerValue()}" />
      <wm:object var="tagObject" objectId="${tagId}" objectType="nl.gx.webmanager.cms.mediarepository.mediaTerm" hideError="true" />
      <c:set var="tagName" value="${tagObject.name}" />
   </c:when>
   ....
</c:choose>

Interactive Forms Deprecated Methods

In XperienCentral versions R33 and higher, the following form methods have been deprecated.

FormScope

The following method has been deprecated:


void setUploadFragmentValue(String fragment, UploadedFile file);


Use the following method instead:


void setUploadFragmentValues(String fragment, List<UploadedFile> files);


FormValuesMap

The following method has been deprecated:


public UploadedFile getUploadedFile(String key)


Use the following method instead:


public List<UploadedFile> getUploadedFiles(String key)


UploadFragmentScope

All methods have been deprecated. Use the following method instead:


List<Object> files = scope.getValues();
if (files != null) {
   for (Object fileObj : files) {
      if (fileObj instanceof UploadedFile) {
         // Each value is expected to be an UploadedFile; anything else is skipped
         UploadedFile uploadedFile = (UploadedFile) fileObj;

         // Now read the attributes
         File file = uploadedFile.getFile();
         long size = uploadedFile.getSize();
         String contentType = uploadedFile.getContentType();
         ...
      }
   }
}









