
Links are now filtered by scheme. Links whose scheme is not allowed are removed. Allowed link schemes can be configured using the Setup Tool (property valid_link_schemes in the website settings). The following schemes are accepted by default: http, https and mailto. In addition, relative URLs and anchors are accepted by default. We advise you to customize the accepted schemes so that only the bare minimum is allowed.
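The following Python sketch is an added illustration of the kind of check a scheme allowlist performs; it is not XperienCentral's own code. It accepts the default schemes http, https and mailto, accepts relative URLs and anchors, and drops everything else. The function names, the stripping of tab/newline characters before reading the scheme, and the decision to treat protocol-relative URLs ("//host/path") as relative are assumptions made here, not behaviour documented for the product.

```python
from urllib.parse import urlsplit

# Default allowlist named in the release note (valid_link_schemes): http, https, mailto.
DEFAULT_VALID_LINK_SCHEMES = ("http", "https", "mailto")

# Browsers ignore tab, CR and LF inside a URL before reading its scheme, so an
# allowlist has to strip them first or "java\tscript:" would slip past the check.
_IGNORED_CHARS = {ord(c): None for c in "\t\n\r"}


def is_allowed_link(href, valid_schemes=DEFAULT_VALID_LINK_SCHEMES):
    """Return True when href may be kept: allowed scheme, relative URL or anchor."""
    if href is None:
        return False
    cleaned = href.translate(_IGNORED_CHARS).strip()
    if not cleaned:
        return False
    # urlsplit lower-cases the scheme and returns '' when there is none.
    scheme = urlsplit(cleaned).scheme
    if scheme == "":
        # Relative URL ("page.html", "/path", "//host/path") or anchor ("#top");
        # this mirrors the note's default of accepting relative URLs and anchors.
        return True
    allowed = {s.lower() for s in valid_schemes}
    return scheme in allowed


def filter_links(hrefs, valid_schemes=DEFAULT_VALID_LINK_SCHEMES):
    """Keep only links that pass is_allowed_link; disallowed links are removed."""
    return [h for h in hrefs if is_allowed_link(h, valid_schemes)]


if __name__ == "__main__":
    # Constructed sample links, not taken from any real site.
    sample = [
        "https://example.com/page",
        "/relative/path?x=1",
        "#section",
        "mailto:info@example.com",
        "javascript:alert(1)",
        "JavaScript:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,x",
        "ftp://example.com/file",
    ]
    for href in sample:
        print("keep" if is_allowed_link(href) else "drop", repr(href))
```

Passing a narrower tuple as `valid_schemes` (for example only `("https",)`) is the equivalent of tightening `valid_link_schemes` in the Setup Tool: the check is case-insensitive on the scheme and fails closed for anything it does not recognise.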


XperienCentral 10.10.0


  • For security reasons it is recommended to disable the following permissions for the Main Editor role when it is used: "Maintain design templates", "Maintain application servers", "Maintain application proxy servers", "Maintain application replacements", "Maintain Layouts", "Maintain XSLT expressions", "Maintain language labels", "Maintain users", "Maintain roles" and "Import users".

  • For security reasons, it is no longer permitted to use the Interactive Forms "Copy File Handler" to copy files to an arbitrary location. The only directories (including their subdirectories) to which the copy file handler is allowed to copy files are those specified in the configuration (the property "website_settings.file_upload_valid_directories" in the Setup Tool). By default, no directories are specified, which means that by default any attempt to copy files will fail. When upgrading, please configure the allowed directories in the Setup Tool. It is recommended that you only use directories that are not part of GX Webmanager 10 XperienCentral itself. The new setting should also be used in custom code where files can be uploaded to a user-defined location.
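As an added example of the check that custom upload code should make against such a directory allowlist, the Python below is not XperienCentral's code and does not read the "website_settings.file_upload_valid_directories" property; it takes the allowed directories as a plain list. The function names are assumptions. It shows the two points the note makes: an empty allowlist rejects every copy, and only destinations inside an allowed directory or one of its subdirectories are accepted, with ".." segments and symlinks resolved before the comparison.

```python
import os
import shutil
import tempfile


def is_allowed_destination(destination, valid_directories):
    """True only if destination lies inside one of valid_directories (or a subdirectory).

    An empty allowlist rejects every destination, mirroring the default in the
    release note (no directories configured means copies fail).
    """
    if not valid_directories:
        return False
    # realpath collapses ".." segments and follows symlinks, so a destination
    # such as <allowed>/../../etc/passwd is judged by where it really ends up.
    real_dest = os.path.realpath(destination)
    for allowed in valid_directories:
        real_allowed = os.path.realpath(allowed)
        try:
            # commonpath compares whole path components, so "/srv/uploads-other"
            # is not mistaken for a child of "/srv/uploads" the way a plain
            # string-prefix test would.
            if os.path.commonpath([real_allowed, real_dest]) == real_allowed:
                return True
        except ValueError:
            # Different drives (Windows) or a mix of absolute and relative paths.
            continue
    return False


def copy_upload(source, destination, valid_directories):
    """Copy source to destination only when destination passes the allowlist check.

    Returns the resolved destination path; raises PermissionError otherwise.
    """
    if not is_allowed_destination(destination, valid_directories):
        raise PermissionError(
            "destination %r is outside the configured upload directories" % destination
        )
    real_dest = os.path.realpath(destination)
    os.makedirs(os.path.dirname(real_dest), exist_ok=True)
    shutil.copyfile(source, real_dest)
    return real_dest


def run_demo():
    """Exercise copy_upload in a throw-away directory; returns (copied_ok, escape_rejected)."""
    base = tempfile.mkdtemp()
    try:
        allowed = os.path.join(base, "uploads")
        os.makedirs(allowed)
        # Constructed sample upload, written here purely for the demonstration.
        source = os.path.join(base, "form-upload.txt")
        with open(source, "w") as fh:
            fh.write("constructed sample upload\n")
        # A subdirectory of the allowed directory: permitted.
        inside = os.path.join(allowed, "2024", "report.txt")
        copied = copy_upload(source, inside, [allowed])
        with open(copied) as fh:
            copied_ok = fh.read() == "constructed sample upload\n"
        # A path that climbs out of the allowed directory: rejected before any write.
        outside = os.path.join(allowed, "..", "escape.txt")
        try:
            copy_upload(source, outside, [allowed])
            escape_rejected = False
        except PermissionError:
            escape_rejected = not os.path.exists(os.path.realpath(outside))
        return copied_ok, escape_rejected
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("copy inside allowed dir ok, escape rejected:", run_demo())
```

The check is deliberately done on the resolved path rather than the string the form handler received, and the allowlist is consulted before anything touches the file system, so a rejected request leaves no partial file behind.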

  • The following functionality has also been removed because of security considerations:
  - Design Templates (panel), Design Template Folders (tab). Similar functionality is provided by the System Utilities - File Browser, which should be used instead.
  - Server Configuration (panel) - Host (tab). The configuration of Maintainable Folders has been moved to the Setup Tool.

  • Error messages from Spring Framework Validators are now escaped. This means HTML markup can no longer be used in these error messages. Typically you need to remove styling such as <font color="red"> from your message files. CSS styling is possible using the "span.error" selector.

  • Labels for the wmedit:radioButton, wmedit:select and wmedit:selectItem JSP tags are now escaped to HTML by default. If HTML is used in such labels, it needs to be replaced.

  • More robust HTML escaping JSP functions have been introduced as a replacement for fn:escapeXml. These are wmfn:escapeToHTML for generic use in HTML and wmfn:escapeToHTMLAttribute for escaping HTML attributes. Unlike fn:escapeXml, these functions do not escape L CODE tags that are used for links and personalization tags. It is recommended that you replace all instances of fn:escapeXml in frontend presentations with these functions. In specific cases this is required for L CODE tags and personalization to work correctly.
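The Python below is an added illustration of why the release notes distinguish a text-context escaper from an attribute-context escaper, and of the escaped validator error message described above. It is not the wmfn implementation: the function names are assumptions, and the L CODE tag exemption is not reproduced because the notes do not show that tag syntax.

```python
import html


def escape_to_html(text):
    """Escape a value for HTML text content: &, < and > become entities."""
    return html.escape(str(text), quote=False)


def escape_to_html_attribute(text):
    """Escape a value for a quoted attribute value.

    In addition to &, < and >, the quote characters " and ' become entities,
    so a value can never close the attribute it sits in and start another.
    """
    return html.escape(str(text), quote=True)


def render_error(message):
    """Render a validator error the way the note describes: content escaped,
    styling left to CSS via the span.error selector rather than inline markup."""
    return '<span class="error">%s</span>' % escape_to_html(message)


def render_option(value, label):
    """Render a select item: the attribute and the visible label use different escapers."""
    return '<option value="%s">%s</option>' % (
        escape_to_html_attribute(value),
        escape_to_html(label),
    )


if __name__ == "__main__":
    # Constructed sample values, illustrating what a message file or label might contain.
    print(render_error('<font color="red">Name is required</font>'))
    print(render_option('a"b', "Tom & Jerry"))
```

The text-context function is enough for the error message case, because once `<` and `>` are entities the `<font>` styling is shown literally instead of rendered; the attribute-context function is the one to use wherever a value lands inside `href`, `value` or `title`.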