Dojo 1.14 released

While most of our attention recently has gone into the new modern Dojo framework releases, we are still maintaining and updating versions of Dojo 1.x as we receive pull requests and updates.

Today we are pleased to announce version 1.14 of the Dojo Toolkit, as well as backported releases 1.13.1, 1.12.4, 1.11.6, and 1.10.10. Note that we will no longer be shipping updated releases prior to 1.10, though you may of course still build your own version from source. Patches are still backported, but the time to push a release for each version is non-trivial.

As these releases are smaller in nature, it is fairly easy to look at the commit history to see what has changed. For example, the commit history of the dojo package lists the changes made to that package.

We did receive two small security-related reports. These issues are unlikely to impact most of our users in production, but are worth reviewing:

Updated releases on the Google CDN are forthcoming.

Thanks for your help in making this release possible. Please let us know if you have any issues. Note that all bug reports should now be filed on GitHub.

Dojo 2 beta 4, 1.13, and Discourse

Dojo 2 beta 4

Dojo 2 beta 4 was recently released! Read more about the release on the Dojo 2 beta 4 blog post! The new website for Dojo 2+ also has a number of tutorials and examples to help you get started with Dojo 2.

Dojo 1.13

Note that Dojo 1.13, along with point releases for 1.12, 1.11, and 1.10, was also recently released and is now available on the Google CDN.

Dojo Discourse

Finally, the Dojo mailing list has been retired. Questions may be asked on our new Dojo Discourse forum, Dojo 1.x Gitter channel, or Stack Overflow.

Dojo Winter and Spring 2015 events

There are a number of Dojo events this winter and spring. Some of these events are still tentative, so we’ll add links once they are confirmed. We hope to meet you at one of these events. Let us know if there’s an event you would like to host in your area.

Dojo Community Day

A Dojo community day is planned, but the details are not yet available.

Conferences

Conferences we’re planning to attend and/or deliver talks at.

Meetups

  • Hong Kong, March 31st
  • Atlanta, TBD
  • Stockholm, May 21st
  • Stuttgart, TBD
  • Copenhagen, TBD
  • Dublin, TBD
  • London, May 18th
  • Ottawa, June 3rd

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!

Case study: Softeco Sismat (TELL ME Project, #2)

The large companies that use Dojo are widely known. This series features lesser-known users of Dojo, and their stories. Eight months ago, we conducted a case study about the TELL ME project with Stefano Bianchi from Softeco Sismat, an Italian ICT company. Here we have followed up with Stefano to get an update on their progression from desktop web app to mobile with Dojo.

[Image: TELL ME Mobile UI – login]


Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B
http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, JavaScript code in dojox/embed/Flash builds HTML strings that are injected into the page without encoding special characters. This allowed arbitrary HTML to be injected into a page that uses dojox/embed/Flash if unsanitised user input was passed to it.
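As an added illustration of the second workaround above (HTML-escaping user input before it reaches dojox/embed/Flash), the following is example code written for this page, not Dojo's own: it builds Flash embed markup with every interpolated value escaped, and the function names are this example's own, not the dojox/embed/Flash API.

```javascript
// Added example (not Dojo's own code): HTML-escape every user-controlled
// value before it is concatenated into <object> markup, so that quotes or
// angle brackets in an id, path or flashvar cannot break out of the attribute.

// Escape the five characters that can terminate an attribute value or open
// a tag. Ampersand is replaced first so the entities added by the later
// steps are not double-escaped.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build a flashvars query string; each key and value is URL-encoded so that
// '&' or '=' inside a value cannot smuggle in an extra variable.
function buildFlashVars(vars) {
  return Object.keys(vars)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(vars[k]))
    .join("&");
}

// Build <object> markup for a SWF. Every interpolated value passes through
// htmlEscape, so the only raw '<' and '>' in the result are the tags the
// function itself writes.
function buildFlashMarkup(opts) {
  const path = htmlEscape(opts.path);
  const id = htmlEscape(opts.id);
  const width = htmlEscape(opts.width || 320);
  const height = htmlEscape(opts.height || 240);
  const flashvars = htmlEscape(buildFlashVars(opts.vars || {}));
  return (
    '<object id="' + id + '" type="application/x-shockwave-flash"' +
    ' data="' + path + '" width="' + width + '" height="' + height + '">' +
    '<param name="movie" value="' + path + '">' +
    '<param name="flashvars" value="' + flashvars + '">' +
    '</object>'
  );
}

// Constructed input: an id and a flashvar containing characters that would
// otherwise escape the attribute value or add a second variable.
const markup = buildFlashMarkup({
  path: "/dojox/av/resources/video.swf",
  id: 'player"<>&',
  vars: { videoUrl: "intro.flv&id=other" }
});
```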

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Autumn 2014 Dojo events

There are a number of Dojo events this autumn. We hope to meet you at one of these events:

Dojo Community Day

Meetups

  • Intern 2. October 9, Nick Nisi, SitePen. London, UK. Free registration required.
  • Intern 2. October 16, Dylan Schiemann, SitePen. Boston, MA. Free registration required.

Conferences

  • EdgeConf. September 20, Dylan Schiemann, SitePen. San Francisco. Paid registration required.
  • FullStack. October 23-24, Dylan Schiemann, SitePen. London, UK. Paid registration required.

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!

Case study: HPCC Systems

The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. This time, we interview Gordon Smith from HPCC Systems, a subsidiary of LexisNexis RISK Solutions.

Q: How did you first learn about Dojo?

A: Through Google / Stack Overflow. I suspect my “discovery” of Dojo was a bit different to the norm, as prior to 2013 I had never really done any Web Development. Up until then I was predominantly a C++ Developer, some Java and a smattering of C#. Initially I wanted to knock together a single page proof of concept, consisting of a code editor (CodeMirror), a result view (HTML Table) and an “activity graph” (ActiveX Control) and wanted something that would handle the layout, resizing and ideally something with splitters – after a few searches online I found the Border Container Docs and away I went! Shortly after, I added a Tab Container and switched to using the basic Grid.

[Image: ECL Playground – how the original POC looks today]
