Page History

XperienCentral R30.1

Release date: December 10, 2020

<br />

XSS Features

• In XperienCentral R29.3, extended protections against XSS vulnerabilities have been introduced. A number of input fields in XperienCentral are now more rigorously validated against known XSS attacks. If the value of an input field is forbidden, the old value of the input field will remain unchanged and the upgrade is ignored. You can of course still allow this sort of input by adding it to a trusted list, however GX Software strongly recommends against doing so.
• When input fields contain unsafe input before the upgrade, the content of these fields remains unchanged after the upgrade. If the content of one of these input fields is subsequently changed to other content considered unsafe, the updated content is ignored and the old (unsafe) content will remain.

External Application Support

• The External Applications module has been removed from XperienCentral in version R29.3. Because that also removes the xslStyleSheetApplicationInclude.xml presentation, all references to this presentation should be manually removed from your project. For example, in the XperienCentral Community Edition plugin's xslStyleSheet.jspf file, the following line is removed:
  
   <wm:render presentationName="xslStyleSheetApplicationInclude" />

Uploaded File Handling

• A new Apache rule should be added when upgrading to R29R30.3 1 in order to prevent uploaded files from being be opened inside the browser. Add the following rule to one of the configuration files included in the Apache httpd.conf file: 

         <Location ~ "(/upload|/upload_mm)">
        Header set Content-Disposition "attachment"
     </Location>

See also Linux Server Installation.

XperienCentral R29.3

Release date: December 2, 2020

<br />

XSS Features

• In XperienCentral R29.3, extended protections against XSS vulnerabilities have been introduced. A number of input fields in XperienCentral are now more rigorously validated against known XSS attacks. If the value of an input field is forbidden, the old value of the input field will remain unchanged and the upgrade is ignored. You can of course still allow this sort of input by adding it to a trusted list, however GX Software strongly recommends against doing so.
• When input fields contain unsafe input before the upgrade, the content of these fields remains unchanged after the upgrade. If the content of one of these input fields is subsequently changed to other content considered unsafe, the updated content is ignored and the old (unsafe) content will remain.

External Application Support

• The External Applications module has been removed from XperienCentral in version R29.3. Because that also removes the xslStyleSheetApplicationInclude.xml presentation, all references to this presentation should be manually removed from your project. For example, in the XperienCentral Community Edition plugin's xslStyleSheet.jspf file, the following line is removed:
  
   <wm:render presentationName="xslStyleSheetApplicationInclude" />

Uploaded File Handling

• A new Apache rule should be added when upgrading to R29.3 in order to prevent uploaded files from being be opened inside the browser. Add the following rule to one of the configuration files included in the Apache httpd.conf file: 

         <Location ~ "(/upload|/upload_mm)">
        Header set Content-Disposition "attachment"
     </Location>

See also Linux Server Installation.

XperienCentral R28

Release date: May 13, 2020

Performance Dashboard is Removed

The Performance Dashboard has been removed from XperienCentral in R28. Use the Monitoring Dashboard to view statistics and metrics related to your XperienCentral deployment. See also Administrative Pages.

While the upgrade scripts for XperienCentral should in principle remove all components related to the Performance Dashboard, in some circumstances it may not, therefore you need to manually remove any remnants. Follow these steps:

1. Navigate to Configuration > Plugins.
2. Locate "GX WebManager - Performance Dashboard" in the list and select it.
3. Click [Uninstall].
4. Click [Yes] when you are prompted to remove all data related to this plugin (purge).
5. Repeat the steps above for the "GX WebManager - SystemHealthIndicator tracker" plugin.

See also XperienCentral Plugins Management Console.

Code Changes

The nestedPath attribute has been removed from fragmentValue.tag in the wmpformelement plugin. It has been replaced by the attribute formFragment. The value of this attribute contains an object with a nestedPath property. Wherever you use the <forms:fragmentValue> tag, you have to replace the nestedPath property. For example:

<forms:fragmentValue nestedPath="${formFragment.nestedPath}" />

must be changed to:

<forms:fragmentValue formFragment="${formFragment}" />

JCR Index

Beginning in R28, XperienCentral uses an XperienCentral-optimized indexing solution to support queries on frontend nodes instead of the Apache Jackrabbit JCR. This solution generally improves performance and drastically reduces the amount of time it takes to bring a new frontend node online in cloud deployments when traffic demands increase. The new indexing solution will always be used in XperienCentral even if the old JCR index is not disabled. The old JCR index should be disabled on production environments if possible.

See also the new JCR Index Settings that have been added to the Setup Tool.

JCR Query Replacement

If you use custom JCR queries in your deployment, they should be replaced in order to use the new API. The following shows a typical query replacement:

Queries similar to this:

With the JCR index

should be changed to something like this:

 
Without the JCR index

Disabling the Built-in Apache Jackrabbit JCR Index

To disable the old Apache Jackrabbit JCR index, follow these steps:

1. Remove both occurrences of: <SearchIndex>...</SearchIndex> in <wm-root>/work/jcr/repository.xml.
2. Remove the directory <wm-root>/work/jcr/repository.

Content API User Credentials

In the Connector API, there are two locations in Configuration > Import/Export Configuration where user credentials define which user account executes import/export jobs: one on the Configuration tab and one on the Job tab. The Job tab previously contained the fields "Username", "Password" and "Use application key". The Cofiguration tab contained the same fields with an additional "Website" field. These fields have been replaced by a single "User" drop-down list. In R28 a new System user option has been introduced in the User Authorization panel. Only user accounts designated as system users can be authorized to execute automated export/import jobs.

Re-add Users as System Users

After upgrading to R28, the existing username(s) will still be used by the Connector API. As soon as you open either of the panels, however, the user(s) might not be selectable anymore and if you re-save the configuration, the jobs might stop running. This is the intended behavior. The solution is to navigate to the Authorization panel, designate new system users and then designate them as the user accounts that run jobs on the Configuration and Job tabs in Import/Export Configuration.

XperienCentral R24.1

Release date: July 2, 2019

Startup performance has been significantly improved. Bundles are now updated only if they have been modified. In XperienCentral R24.0 and earlier, all bundles were updated at startup, regardless of whether they had been modified. Beginning in XperienCentral R24.1, bundles are only updated if:

• The version is newer than the one installed.
• The last modified date of the bundle's Bnd-LastModified header in the META-INF/MANIFEST.MF (if present) is more recent than the last modified date of the installed bundle.
• The Bundle-Date in the META-INF/MANIFEST.MF is more recent than the last modified date of the installed bundle.

This means that if you update anything in the bundle but not these two properties, the bundle will not be updated. This applies to updating bundles in the WAR file, bundles copied to the work/deploy directory and to bundles manually uploaded from the Plugins panel.