April 15, 2024

OpenXava 7.3 released

In our latest version of OpenXava, we have improved many security aspects of web applications generated by OpenXava and finally they can be OWASP compliant. Also we have done a lot of user experience and user interface improvements, including improvements in the calendar list format. And many other things, read the details below.

OpenXava 7.3 released

To update edit the pom.xml file in your project and change the value of the openxava.version property, in this way:


Then rebuild your project:

  • With OpenXava Studio:
    • Right mouse button in your project > Run As > Maven clean
    • Right mouse button in your project > Run As > Maven install
  • Or with command line: mvn clean package

Look at the migration instructions.

Security enhancements (OWASP)

Since OpenXava 7.3 your applications can comply with OWASP Top Ten, which means having the highest security standards for web applications. In fact, OpenXava passes the OWASP ZAP web security test 100%, without any critical, medium or low level alerts.

These are the security enhancements for this version:

  • ZAP web security scanner from OWASP passed at 100%.
  • New section in documentation to configure your application to be OWASP compliant.
  • Removed the use of eval() and equivalents completely from OpenXava JavaScript code.
  • Content Security Policy does not allow the use of eval() in JavaScript code by default.
  • New property unsafeEvalInScripts in to enable the use of eval() in JavaScript.
  • Archetypes for creating new projects have error pages and cookies configuration compatible with OWASP.
  • DWR engine tuned to remove the use of eval() in its JavaScript code.
  • Fixed 1 critical security vulnerability in dependencies, now we have 0 vulnerabilities.
  • Fixed 2 critical security vulnerabilities in third party JavaScript libraries.
Look at the documentation about OWASP support in OpenXava.

UX/UI improvements

We have done a lot of the improvements in the user interface and user experience for this version:

  • A X button in each tab to close the latest visited modules on top.
  • Navigation in collections with buttons to see the next or previous record from the dialog.
  • Dialogs fit in the screen, so dialog bottom buttons are always visible without scrolling.
  • Single number typed in a date editor is assumed as day, with current month/year auto-completed.
  • @Email and @EmailList editors use a mask to ensure in real time that the emails are correctly typed.
  • New and modern Dark theme.

Calendar improvements

Calendar list format finally has all the details finished, ready to be useful in your applications:

  • The width of the calendar in list mode dynamically adjusts to occupy the entire available space.
  • Year navigation buttons added to calendar list format for fast year navigation to distant dates.
  • When several dates in an entity the user can choose which to use in calendar list format with a combo.
  • Drag & drop support for calendar list format.

Other improvements

We have done some improvements in other areas:

  • Support for java.time.LocalTime as a type for properties, with a special editor for time.
  • Improved editor for the time part of DateTimeSeparatedCalendar including a popup to change the time.
  • has-type/has-annotation/has-stereotype in for-tabs of editors.xml to discriminate list formats by entity.
  • Archetypes for creating new projects include the welcome.jsp page and a sample custom editor.
  • New method createWebClient() in ModuleTestBase.

Upgraded libraries

We have upgraded the following third party libraries:

  • DWR upgraded to 3.0.2.
  • Commons Logging upgraded to 1.3.1.
  • Commons Validator upgraded to 1.8.0.
  • Groovy upgraded to 4.0.20.
  • JSoup upgraded to 1.17.2.
  • Lombok upgraded to 1.18.32.
  • Embedded Tomcat used in development upgraded to 9.0.87.
  • Jersey upgraded to 2.42.
  • Log4j upgraded to 2.23.1.
  • Json upgraded to 20240303.
  • Commons IO upgraded to 2.16.0.
  • JasperReports and font upgraded to 6.21.2.
  • HtmlUnit upgraded to 4.0.0.
  • PdfBox upgraded to 2.0.31.
  • TinyMCE JavaScript library upgraded to 6.8.3.
  • Driver version in doc and new projects upgraded for PostgreSQL, AS/400, Microsoft SQL Server, Firebird.


We have been working to improve documentation:

  • MySQL and MS SQL Server configuration documentation includes video.
  • Reverse engineering documentation includes video.
  • AS/400 connection documentation improved to cover performance problems in Windows Server.
  • Customization documentation adapted to no script inclusion in HTML editor code.  
  • Documentation for database configuration improved to include schema/database creation.

We release new docs and videos constantly, not waiting for the official release of the code. So you have been already using some of the above material, although all the above docs are in the GitHub under the 7.3 tag.

Bug fixes

Though this is not a maintenance version we have done some fixes:

  • Fix: Error page in browser when some problem destroys a servlet request.
  • Fix: Inoffensive string "null" in the HTML code for editors.

blog comments powered by Disqus