
May 15, 2023

OpenXava 7.1 released

This new version of OpenXava comes loaded with exciting updates, with things you have been requesting for a long time, and we have finally had the time to include them, such as a calendar for list mode, an @Mask annotation, editable combo with value, a button to clear references, and much, much more.

In addition, we have made a Herculean effort to enhance the web security of the applications. So, if your applications are accessible on the internet to the general public and various hackers, they will now be much more secure.

To update, edit the pom.xml file in your project and change the value of the openxava.version property, like this:

<properties>
    <openxava.version>7.1</openxava.version>
    ...
</properties>

Then rebuild your project:

  • With OpenXava Studio:
    • Right mouse button in your project > Run As > Maven clean
    • Right mouse button in your project > Run As > Maven install
  • Or with command line: mvn clean package

Look at the migration instructions.

Calendar in list mode

This first version of the calendar is magical and automatic, without you as programmers having to do anything. Simply having a date property in the entity of the module displays a new icon in list mode that lets you choose the calendar format:

The appearance of the calendar is as follows:


You can create a new record by clicking on a day with the mouse, and you can edit existing records by clicking on them.

Web security enhancements

We have made several changes to the web interface generated by OpenXava to make it much more secure and harder to hack. Here is a list of what we have fixed:

  • Fix: Denial of service vulnerability.
  • Fix: Inline JavaScript for events in HTML elements.
  • Fix: XSLT injection vulnerabilities.
  • Fix: X-Content-Type-Options header missing.
  • Fix: Cookie without SameSite attribute.
  • Fix: Application error disclosure.
  • Fix: Session ID in URL rewrite.
  • Fix: Cross-Site Scripting (XSS) vulnerabilities.
  • Fix: Data filtering in .htaccess for some URLs.
  • Fix: Content Security Policy (CSP) header not set.

If your application is public or runs in an environment where security is important, we recommend updating to version 7.1.

@Mask annotation

Now you can annotate any property with @Mask to indicate a data input mask. A mask is a string of characters that defines the valid format for input values. You can use the following validators:

  • 'L': The user must enter an alphabetical letter from A to z.
  • '0': The user must enter a digit.
  • 'A': The user must enter an alphanumeric character.
  • '#': The user must enter a digit, whitespace, '+', or '-'.

You can also add special characters, static whitespace, and even combine validators. For example:

@Mask("L-000000")
private String passport;

@Mask("0000 0000 0000 0000")
private String creditCard;

@Mask("LL 000 AA")
private String carPlate;

@Mask("0.000/0-000")
private String customMask;
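An input mask is applied in the browser, so a request that bypasses the form can still submit any value; the following server-side re-check of the same mask rules is an added example, not OpenXava's own validator. It assumes the value must fill the mask completely and treats any mask character that is not a validator as a literal that must appear at that position.

```java
/** Server-side re-check of an @Mask pattern (added example, not OpenXava's own code). */
public class MaskCheck {

    /** Does a single input character satisfy the mask character at the same position? */
    private static boolean accepts(char maskChar, char c) {
        switch (maskChar) {
            case 'L': return Character.isLetter(c);                         // alphabetical letter
            case '0': return Character.isDigit(c);                          // digit
            case 'A': return Character.isLetterOrDigit(c);                  // alphanumeric
            case '#': return Character.isDigit(c) || Character.isWhitespace(c)
                          || c == '+' || c == '-';                          // digit, space, + or -
            default:  return maskChar == c;                                 // static character, literal match
        }
    }

    /**
     * Returns true when the value has exactly the length of the mask and every
     * position is valid. Assumption: partial (incomplete) input is rejected.
     */
    public static boolean matches(String mask, String value) {
        if (mask == null || value == null || value.length() != mask.length()) return false;
        for (int i = 0; i < mask.length(); i++) {
            if (!accepts(mask.charAt(i), value.charAt(i))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values for the masks shown in the release notes
        System.out.println(matches("L-000000", "X-123456"));                      // true
        System.out.println(matches("L-000000", "1-123456"));                      // false: 'L' needs a letter
        System.out.println(matches("0000 0000 0000 0000", "4111 1111 1111 1111")); // true
        System.out.println(matches("LL 000 AA", "AB 123 C7"));                    // true
        System.out.println(matches("0.000/0-000", "1.234/5-678"));                // true
        System.out.println(matches("0.000/0-000", "1.234/5-67"));                 // false: incomplete
    }
}
```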

Button to clear references

Finally, there is now a button in the user interface to clear the value of a reference:


Also for the @DescriptionsList:

Combos with editable value

We have a new editor called EditableValidValues that you can assign to a String property. This way:

@Editor("EditableValidValues")
@Column(length = 15)
private String color;

If later we add values programmatically to make it a dynamic combo, like this:

getView().addValidValue("color", "wht", "White");
getView().addValidValue("color", "blk", "Black");

Because the editor is EditableValidValues, the field shows a combo with the predefined values but remains editable. In this example, by selecting "White", you can edit it to "White beige" or enter a new value like "Yellow". These new values are not added to the original list of options for use in other records:

New rich text editor

The JavaScript library we were using until now, CKEditor 4, does not support the use of Content Security Policy, which means it cannot be used in a secure environment. Due to licensing issues, we cannot update to CKEditor 5, so we had to opt for TinyMCE. The result is not only a more secure library but also a much more modern rich text editor:

Upgraded libraries

We have upgraded the following third-party libraries:

  • FilePond JavaScript library used by the upload editor upgraded to 4.30.4 for security reasons.
  • Leaflet JavaScript library used for maps upgraded to 1.9.3.
  • HtmlUnit upgraded to 2.70.
  • Embedded Tomcat used in development upgraded to 9.0.73.
  • Log4j-api and core upgraded to 2.20.0.
  • Jersey client, hk2 and media upgraded to 2.39.
  • Lombok upgraded to 1.18.26.
  • Jsoup upgraded to 1.15.4.
  • Groovy upgraded to 4.0.10.
  • Hibernate upgraded to 5.6.15.Final.
  • Commons-fileupload upgraded to 1.5.
  • Driver version in doc and new projects upgraded for PostgreSQL, Oracle and AS/400.

Other improvements

We have done a lot of improvements in other areas:

  • New documentation article on using Kotlin to develop with OpenXava, in English, Spanish and Chinese.
  • New @ZerosFilled annotation equivalent to ZEROS_FILLED/RELLENADO_CON_CEROS stereotype.
  • Automatic translation of English labels improved for qualified properties.
  • defaultDescriptionPropertiesValueForDescriptionsList in xava.properties for @DescriptionsList defaults.
  • New property signInJSP in naviox.properties to define a custom login page.
  • Inline style is no longer allowed in HTML.
  • Inline style removed from all generated HTML code by OpenXava.
  • Many methods removed from org.openxava.web.Style (they were used internally by the UI generator).
  • Date and time for posts in @Discussion use the format of date fields.
  • Attribute cssStyle ignored in <xava:link> and <xava:image> taglibs.
  • New classes in base.css to use as alternative to inline style, like ox-display-none, ox-width-100, etc. 
  • New <xava:nonce/> taglib to generate a nonce for use in inline JavaScript under the Content Security Policy.
  • New getDefaultBrowser() method in HtmlUnitUtils.
  • New getSignInURL() method in ISignInHelperProvider.
  • Return type for init() method in ISignInHelperProvider is now String[] instead of String.
  • New start(String dbName, int port) method with port number in DBServer.
  • New defaultValues property in NewAction to send default values in a string with key/value format.
  • Some new common use labels to be used in applications.

Bug fixes

Though this is not a maintenance version, we have done some fixes:

  • Fix: Broken links in customizing doc of reference guide.
  • Fix: UI with no CSS style at all if the user's preferred theme no longer exists.
  • Fix: Link in the English migration doc (OpenXava 6.6.3 to 7.0) pointing to an incorrect section.
  • Fix: @Editor has no effect when calling View.addValidValue() on the property.
