Dojo Recap – Week Ending May 22, 2015

Last week we made even more progress on the Dojo 2 platform. Thanks for your contributions. Let us know if you would like to get involved!

Last week in Dojo 2

Last week we accomplished a number of things with the Dojo 2 platform:

Core

DOM

Basic DOM operations and CSS class manipulation APIs are complete!

Routing

Initial development efforts started.

Loader

We drafted some proposed functional test scenarios.

This week’s Dojo 2 goals

Here are a few of this week's aspirations towards making progress on Dojo 2!

Core

Our goals for Core this week are to finish what we started last week:

  • Finish initial development. (excluding features on hold: Set, WeakSet, and Reflect)
  • This includes: Encoding, Request, Date Features, String shims, Map shim, and Readme updates
  • Finish initial development
  • This includes: Seekable Reader, Canned Streams, Iterable Interface, Readme updates, tutorials
  • Finish documentation and code reviews

DOM

  • Forms
  • Style Manipulation and Stylesheet Injections

Routing

  • Continue development on Router

Crypto

  • Setup repository
  • Begin development

Weekly IRC meeting

As usual, our weekly IRC meeting is on irc.freenode.net #dojo-meeting at 9am Pacific time on Tuesday.

Last week we discussed

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

This week’s agenda

As we are nearly code complete with an initial version of the Core package, we invite further discussion at this week's meeting:

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

Thanks!

Thanks to everyone for their valuable contributions this past week! Please let us know if you plan to work on any features, or would like to get involved!

Dojo Recap – Week Ending May 15, 2015

Last week we completed some issues with Dojo 1.x and made more progress on the Dojo 2 platform. Thanks for your contributions. Let us know if you would like to get involved!

Dojo 1.x

We continue making small updates towards a Dojo 1.11 release, as well as backporting relevant bug fixes. The 1.11 release is planned as soon as work is completed on a modern flat theme. This past week we landed a few fixes to Dojo and Dijit.

Improvements this week

Last week in Dojo 2

Last week we accomplished a number of things with the Dojo 2 platform:

Core

DOM

Initial repository created. Initial work on basic DOM operations; dom.byId and dom.place are pending code review.

Routing

Initial repository created.

Class Declaration Decision

As of May 13, 2015, our original proposal submitted to TypeScript was not accepted so we researched options that would cover Dojo 2’s needs for class declaration.

We have decided to proceed without language-level support of mixins and provide decorators to help accomplish what we need. Given that this solution is the least dependent on third-party interaction, we are choosing to explore it first. With what we know about decorators, we may be able to get exactly what we need from TypeScript. While we do not yet know for sure if this is the final solution, it is promising and something we can start working on today and then explore other options if it fails or if it is a burden to use.

This week’s Dojo 2 goals

Here are a few of this week's aspirations towards making progress on Dojo 2!

Core

  • Finish initial development. (excluding features on hold: Set, WeakSet, and Reflect)
  • This includes: Encoding, Request, Date Features, String shims, Map shim, and Readme updates
  • Finish initial development
  • This includes: Seekable Reader, Canned Streams, Iterable Interface, Readme updates, tutorials
  • Finish documentation and code reviews

DOM

  • Basic DOM access/manipulation APIs functional
  • CSS class manipulation APIs

Routing

  • Begin development on Router

Loader

  • Setup repository
  • Draft functional test scenarios

Weekly IRC meeting

As usual, our weekly IRC meeting is on irc.freenode.net #dojo-meeting at 9am Pacific time on Tuesday.

Last week we discussed

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

This week’s agenda

As we are nearly code complete with an initial version of the Core package, we invite further discussion at this week's meeting:

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

Thanks!

Thanks to everyone for their valuable contributions this past week! Please let us know if you plan to work on any features, or would like to get involved!

Dojo Recap – Week Ending May 8, 2015

Another exciting week is underway in the Dojo camp!

Dojo 1.x

In preparation for the 1.11 release planned for late Spring, we are landing high quality pull requests to fix various bugs and add enhancements to the dojo, dijit, and dojox packages.

Improvements this week

Last week in Dojo 2

Initial Dojo 2 core repository is now public

In the initial core repository, you will find initial efforts for:

  • async
  • Promise
  • has
  • streams
  • WeakMap
  • decorators
  • lang
  • math
  • number
  • object observation
  • string shims
  • task queuing

Class Declaration

We've run into a small roadblock with our proposal for traits or mixins in TypeScript, so we are evaluating our options.

Style Guide

We have an updated and exhaustive Dojo 2 style guide available. Please follow these guidelines when contributing to Dojo 2.

This week’s Dojo 2 goals

Here are a few of this week's aspirations!

  • Verify all code conforms to Dojo 2 style guide
  • Further core development efforts including Encoding, Request, Events, Batch Processing, Date Features and streams (Transformers, Seekable Reader, Canned Streams, Iterable Interface)
  • Begin dom/html and history/routing development efforts
  • Refine proposals and readmes

Weekly IRC meeting

As usual, our weekly IRC meeting is on irc.freenode.net #dojo-meeting at 9am Pacific time on Tuesday.

Last week we discussed

  • General community and contributor feedback to the Dojo 2 roadmap

This week’s agenda

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

Thanks!

Thanks to everyone for their valuable contributions this past week! Please let us know if you’d like to help out too!

Dojo Recap – Week Ending April 30, 2015

Another exciting week is underway in the Dojo camp!

Dojo 1.x

In preparation for the 1.11 release planned for late Spring, we are landing high quality pull requests to fix various bugs and add enhancements to the dojo, dijit, and dojox packages.

Improvements this week

Last week in Dojo 2

This week we have some exciting updates to share with you on the planning and development progress of Dojo 2!

First off, we updated the Dojo 2 Roadmap to reflect the changes that took place this week. These changes include:

Dojo Recap – Week Ending April 24, 2015

Weekly Update

A lot goes on in Dojo each week and in the past we haven’t done a great job of telling the world about it. As we begin this new chapter (working towards Dojo 2), we will be publishing a weekly update that gives some insight into what was accomplished the previous week, our goals for this week (in case you want to get involved), and a brief agenda for the weekly IRC meeting.


The Road to Dojo 2

“When will Dojo 2 be released?” That’s pretty much the number one question we’ve been asked about Dojo since Dojo 1.0 was released in 2007. Over the past seven plus years, we have made numerous updates and improvements, while preserving a high level of stability for our users.

What’s in a number?

Our shift to AMD in Dojo 1.7 was a massive change that could have been called Dojo 2.0, but because we kept backwards compatibility to help developers transition over to AMD syntax, it felt right to call it 1.7. We continued building on that groundwork releasing 1.8, 1.9 and 1.10!

What should Dojo 2 do?

We have spent many months collecting thoughts and ideas from our users as well as reviewing the current and near future state of the web, to decide what Dojo 2 should and should not do.

Moving to the next major version number is an opportunity for us to assess our strengths and weaknesses, and to formulate a vision for 2.0.

The Roadmap

We’ve added a new section to our (brand new!) site, the Dojo 2 Roadmap. On the roadmap you will find a proposal for each of the planned Dojo 2 core packages. We will continue to update the Roadmap as we progress through the various phases of development for Dojo 2.

Get Involved!

We are very interested in community feedback on the package proposals. Some of the proposals are very polished, and others are less complete and noted as such. If you are interested, now is the time to take a deep look at these proposals!

We plan to discuss packages at each of the upcoming Dojo weekly meetings, IRC, 9am Pacific time on Tuesdays, irc.freenode.net, #dojo-meeting. For April 21st, we will start with the loader and platform packages. If you cannot make the meeting, or have feedback you want to provide prior to then about a specific package, please leave comments within each package proposal document found in the roadmap. We don’t want to lose your feedback, so the best place to offer that feedback is within the proposal documents.

On Widgets…

The roadmap currently excludes Dijit and other user interface elements, as we’re aiming to get core planning finalized and development underway, and then determine the path forward for user interfaces and widgets. The team at IBM has been working in parallel on an effort called Delite and Deliteful, and we hope that we will be able to efficiently align efforts in the near future.

Thanks!

We look forward to working together to release Dojo 2 in the near future. Thank you for your ongoing support and interest!

Dojo Winter and Spring 2015 events

There are a number of Dojo events this winter and spring. Some of these events are still tentative, so we’ll add links once they are confirmed. We hope to meet you at one of these events. Let us know if there’s an event you would like to host in your area.

Dojo Community Day

A Dojo community day is planned, but the details are not yet available.

Conferences

Conferences we’re planning to attend and/or at which we’ll deliver talks.

Meetups

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!

Case study: Softeco Sismat (TELL ME Project, #2)

The large companies that use Dojo are widely known. This series features lesser known users of Dojo and their stories. Eight months ago, we conducted a case study about the TELL ME project with Stefano Bianchi from Softeco Sismat, an Italian ICT company. Here we have followed up with Stefano to get an update on their progression from desktop web app to mobile with Dojo.

[Image: TELL ME Mobile UI – login]


Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B
http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, JavaScript code in dojox/embed/Flash performs string building of HTML for injection to the page without ensuring special characters are properly encoded. This allowed arbitrary HTML to be injected onto a page that uses dojox/embed/Flash if unsanitised user input were passed to it.
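The two defects described above are both output-encoding failures: one when a value is placed inside a JavaScript string literal (the ExternalInterface.call case, where backslashes were left unescaped), the other when a value is interpolated into HTML markup (the dojox/embed/Flash case). The following is an added example, not code from the Dojo Toolkit, showing a correct encoder for each context and a check that exposes the backslash bug; `buildFlashMarkup` is a hypothetical helper standing in for an embed routine, not dojox/embed/Flash's API.

```javascript
// Added example (not Dojo's code): encoders for the two contexts named in the advisory.

// Context 1: HTML text and attribute values (workaround 2 in the advisory).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical embed helper: every caller-supplied value is escaped before it is
// concatenated into markup, so a value cannot close the attribute or the element.
function buildFlashMarkup(swfUrl, flashVars) {
  const vars = Object.keys(flashVars)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(flashVars[k]))
    .join('&');
  return '<object type="application/x-shockwave-flash" data="' + htmlEscape(swfUrl) + '">' +
         '<param name="flashvars" value="' + htmlEscape(vars) + '"/></object>';
}

// Context 2: a value embedded in a JavaScript string literal, which is what
// ExternalInterface.call does when it builds the script it hands to the browser.

// The broken pattern: only double quotes are escaped. A value ending in a backslash
// turns the inserted \" into an escaped backslash followed by a live quote.
function naiveQuote(value) {
  return '"' + String(value).replace(/"/g, '\\"') + '"';
}

// The correct pattern: escape backslashes first, then quotes, then line terminators.
function jsStringLiteral(value) {
  return '"' + String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029') + '"';
}

// Check: a quoter is safe for a value only if the literal it produces parses back
// to exactly one string equal to the input. JSON.parse accepts the same escapes a
// JS double-quoted literal does and rejects anything that terminates the string early.
function roundTrips(value, quoter) {
  try { return JSON.parse(quoter(value)) === value; } catch (e) { return false; }
}

// Constructed sample: a backslash immediately before a quote.
const SAMPLE = 'a\\"b';
```

Running `roundTrips(SAMPLE, naiveQuote)` returns false while `roundTrips(SAMPLE, jsStringLiteral)` returns true, which is the whole difference between the vulnerable and the fixed serialisation.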

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Autumn 2014 Dojo events

There are a number of Dojo events this autumn. We hope to meet you at one of these events:

Dojo Community Day

Meetups

  • Intern 2. October 9, Nick Nisi, SitePen. London, UK. Free registration required.
  • Intern 2. October 16, Dylan Schiemann, SitePen. Boston, MA. Free registration required

Conferences

  • EdgeConf. September 20, Dylan Schiemann, SitePen. San Francisco. Paid registration required.
  • FullStack. October 23-24, Dylan Schiemann, SitePen. London, UK. Paid registration required

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!