Dojo 2 beta 4
Dojo 2 beta 4 was recently released! Read more about the release on the Dojo 2 beta 4 blog post! The new website for Dojo 2+ also has a number of tutorials and examples to help you get started with Dojo 2.
Also note that Dojo 1.13 and point releases to 1.12, 1.11, and 1.10 were also recently released and are now also available on the Google CDN.
There are a number of Dojo events this winter and spring. Some of these events are still tentative, so we’ll add links once they are confirmed. We hope to meet you at one of these events. Let us know if there’s an event you would like to host in your area.
Dojo Community Day
A Dojo community day is planned, but the details are not yet available.
Conferences we’re planning to attend and/or deliver talks.
- Esri DevSummit, Palm Springs, CA, March 10-13
- JSConf, Amelia Island, May 27-29
- Esri UK Developer conference, London, May 19
- FullStack, London, June 25-26
- EdgeConf, London, June 27
- Hong Kong, March 31st
- Atlanta, TBD
- Stockholm, May 21st
- Stuttgart, TBD
- Copenhagen, TBD
- Dublin, TBD
- London, May 18th
- Ottawa, June 3rd
- Dojo core and Dojo widgets: The essentials. SitePen. March 9-13, 2015. Online. Paid registration required.
- Dojo 101 and 201. SitePen. March 16-18. Salt Lake City, UT. Paid registration required.
- Dojo 101, 201, and 202. SitePen. April 20-24. Chicago, IL. Paid registration required.
- Dojo 101, 201, and 202. SitePen. April 27 – May 1, 2015. Boston, MA. Paid registration required.
- Dojo 101, 201, and 202. SitePen. May 18-22, 2015. Amsterdam, NL. Paid registration required.
- Dojo 101, 201, and 202. SitePen. June 1-5, 2015. Ottawa, ON. Paid registration required.
- Dojo 101, 201, and 202. SitePen. June 29 – July 3, 2015. London, UK. Paid registration required.
Let us know if you’re speaking at an event, and we’ll add you to our listings!
The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. Eight months ago, we conducted a case study about the TELL ME project with Stefano Bianchi from Softeco Sismat, an ICT Italian company. Here we have followed with up Stefano to get an update on their progression from desktop web app to mobile with Dojo.
Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.
Masato Kinugawa discovered a security flaw in the SWF component of the
dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.
After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including
dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in
Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.
Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier
New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:
Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.
1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.
CVSS Severity (2.0)
CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2
CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to
ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through
ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through
dojo.publish, introducing a cross-site scripting vulnerability.
dojox/embed/Flash performs string building of HTML for injection to the page without ensuring special characters are properly encoded. This allowed arbitrary HTML to be injected onto a page that uses
dojox/embed/Flash if unsanitised user input were passed to it.
2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.
What can I do to prevent this from happening in the future?
There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.
There are a number of Dojo events this autumn. We hope to meet you at one of these events:
Dojo Community Day
- Dojo Community Day. October 26, Amsterdam. Free registration required.
- Intern 2. October 9, Nick Nisi, SitePen. London, UK. Free registration required.
- Intern 2. October 16, Dylan Schiemann, SitePen. Boston, MA. Free registration required
- EdgeConf. September 20, Dylan Schiemann, SitePen. San Francisco. Paid registration required.
- FullStack. October 23-24, Dylan Schiemann, SitePen. London, UK. Paid registration required
- Dojo 101, 201, and 202. SitePen. September 22-26, 2014. Ottawa, ON. Paid registration required.
- Dojo 101, 201, and 202. SitePen. October 6-10, 2014. London, UK. Paid registration required.
- Dojo 101, 201, and 202. SitePen. October 6-10, 2014. Atlanta, GA. Paid registration required.
- Dojo 101, 201, and 202. SitePen. January 12-16, 2015. Chandler, AZ. Paid registration required.
- Dojo 101, 201, and 202. SitePen. February 23-27, 2015. Washington, DC. Paid registration required.
- Dojo 101, 201, and 202. SitePen. March 2-6, 2015. Amsterdam, NL. Paid registration required.
Let us know if you’re speaking at an event, and we’ll add you to our listings!
We recently hosted a Dojo Community Day in Brugg, Switzerland on the Saturday following a week of Dojo workshops. We had about 25 Dojo users and committers join us from England, France, Netherlands, Germany, Romania, Austria, and Switzerland for a fun day of hacking and discussions about current and future directions of Dojo.
The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. This time, we interview Gordon Smith from HPCC Systems, a subsidiary of LexisNexis RISK Solutions.
Q: How did you first learn about Dojo?
A: Through Google / Stack Overflow. I suspect my “discovery” of Dojo was a bit different to the norm, as prior to 2013 I had never really done any Web Development. Up until then I was predominantly a C++ Developer, some Java and a smattering of C#. Initially I wanted to knock together a single page proof of concept, consisting of a code editor (CodeMirror), a result view (HTML Table) and an “activity graph” (ActiveX Control) and wanted something that would handle the layout, resizing and ideally something with splitters – after a few searches online I found the Border Container Docs and away I went! Shortly after, I added a Tab Container and switched to using the basic Grid.
Ten years ago, we humbly started a project to create a “next generation DHTML toolkit”, based on an initial email, Selling the future of DHTML. Today, we are pleased to announce the immediate release of Dojo 1.10, our 16th major release of the toolkit!
Release Notes and Documentation
Dojo 1.10 is primarily a stability and bug fix release, with over 275 issues resolved. Read the Dojo 1.10 release notes for the complete list of what’s new and improved in 1.10. API features and enhancements primarily occurred within the following areas:
- Core (DOM, events, request, WebWorkers, etc.)
- dojox/charting and dojox/gfx
- dojox/mobile (including an iOS 7 theme)
- dojox/store (offline store supporting WebSQL and IndexedDB support)
- Uglify 2 support for Dojo builder
Use Direct from the CDN, or Download
Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.
The new dstore project is being worked on as the eventual successor to dojo/store. It works with Dojo 1.8+, but is intended to also define the object store APIs for Dojo 2. Tutorials and documentation will accompany the dstore 1.0 release that is expected in a few weeks. Read the Looking ahead with stores blog post for more details on the direction of this module.
dgrid 0.4 is currently under development, and will be the first component to leverage the new dstore API.
Intern is the replacement for DOH. Work is currently underway to update all DOH tests in Dojo core and Dijit to use Intern, to make it easier to prevent regressions with Dojo 1.x releases. You can learn more about Intern via the Intro to Intern webcast, and also read What’s next for Intern and the 2.0 release that is expected soon.
What’s Next? 1.10.1, 1.11, and 2.0
We continue working on Dojo 2.0. We continue to issue periodic maintenance releases on 1.4+, primarily to fix issues when new browsers are released. We will likely will have a 1.11 release for anything that might change or enhance an API, or backport key improvements made for 2.0.
This release would not have been possible without significant contributions from the Dojo team. Special thanks to everyone who helped make this release possible, including:
- Adrian Rakovsky
- Adrian Vasiliu
- Akira Sudoh
- Alexander Kaidalov
- Allen Shiels
- Avraham Rozenzweig
- Ben Hockey
- Benjamin Santalucia
- Bill Keese
- Brandon Payton
- Bryan Forbes
- Christophe Jolif
- Chuck Dumont
- Clement Mathieu
- Colin Snover
- Damien Garbarino
- Damien Mandrioli
- Dasa Paddock
- Douglas Hays
- Dylan Schiemann
- Ed Chatelain
- Ed Hager
- Eduardo Matos
- Eric Durocher
- Erwin Verdonk
- Gabriel Aszalos
- Gaurav Ramanan
- Heng Liu
- Hugh Winkler
- James Morrin
- Jochen Schäfer
- Joerg Sonnenberger
- Julien Mathevet
- Justin Bumpus-Barnett
- Kitson Kelly
- Kris Zyp
- Lajos Veres
- Lamiaa Said
- Lee Bodzak
- Lorenzo Solano
- Mangala Sadhu Sangeet Singh Khalsa
- Mark Hays
- Mark Szymanski
- Matthew Maxwell
- Mustafa Celik
- Nick Nisi
- Pascale Dardailler
- Patrick Ruzand
- Peter Kokot
- Philip Jägenstedt
- Rawld Gill
- Scott Davis
- Sebastien Brunot
- Sebastien Pereira
- Semion Chichelnitsky
- Simon Speich
- Stephen Davis
- Stephen Simpson
- Steve Hearnden
- Terence Kent
- Tim Roediger
- Virgil Ciobanu
- Vitaly Trushkov
- Wouter Hager
- Youngho Cho
Dojo community day!
We’re hosting a free Dojo community day in Switzerland on July 5th, and plan to host similar events in other locations later this year. If you cannot make it to Switzerland, we still encourage you to join us on the #dojo IRC channel (irc.freenode.net) for an afternoon of hacking. We’ll be online from approximately 9am – 6pm in Switzerland. Or join us at another Dojo event this summer.
We hope you’ll find Dojo 1.10 to be exceptionally stable and reliable. Please let us know if you run into any issues by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. We also encourage you to get involved, to help improve Dojo and to work on Dojo 2.0. We hope you find value in using Dojo 1.10!