Page History

XperienCentral R30.1

Release date: December 10, 2020

<br />

XSS Features

• In XperienCentral R29.3, extended protections against XSS vulnerabilities have been introduced. A number of input fields in XperienCentral are now more rigorously validated against known XSS attacks. If the value of an input field is forbidden, the old value of the input field will remain unchanged and the upgrade is ignored. You can of course still allow this sort of input by adding it to a trusted list, however GX Software strongly recommends against doing so.
• When input fields contain unsafe input before the upgrade, the content of these fields remains unchanged after the upgrade. If the content of one of these input fields is subsequently changed to other content considered unsafe, the updated content is ignored and the old (unsafe) content will remain.

External Application Support

• The External Applications module has been removed from XperienCentral in version R29.3. Because that also removes the xslStyleSheetApplicationInclude.xml presentation, all references to this presentation should be manually removed from your project. For example, in the XperienCentral Community Edition plugin's xslStyleSheet.jspf file, the following line is removed:
  
   <wm:render presentationName="xslStyleSheetApplicationInclude" />

Uploaded File Handling

• A new Apache rule should be added when upgrading to R30.1 in order to prevent uploaded files from being be opened inside the browser. Add the following rule to one of the configuration files included in the Apache httpd.conf file: 

         <Location ~ "(/upload|/upload_mm)">
        Header set Content-Disposition "attachment"
     </Location>

See also Linux Server Installation.

xss_allowlist_siteworks_expressions

The setting xss_allowlist_siteworks_expressions was added in this version in the application_settings section of the General tab of the Setup Tool. To avoid generating error WARNING messages in the log, change the value of this setting to wm_language_search.help,