Category Archives: Announcements

Dojo Recap – Week Ending May 15, 2015

Last week we resolved some issues in Dojo 1.x and made more progress on the Dojo 2 platform. Thanks for your contributions. Let us know if you would like to get involved!

Dojo 1.x

We continue making small updates towards a Dojo 1.11 release, as well as backporting relevant bug fixes. The 1.11 release is planned as soon as work is completed on a modern flat theme. This past week we landed a few fixes to Dojo and Dijit.

Improvements this week

Last week in Dojo 2

Last week we accomplished a number of things with the Dojo 2 platform:

Core

DOM

Initial repository created. Initial work on basic DOM operations. dom.byId and dom.place are pending code review.

Routing

Initial repository created.

Class Declaration Decision

As of May 13, 2015, our original proposal submitted to TypeScript was not accepted so we researched options that would cover Dojo 2’s needs for class declaration.

We have decided to proceed without language-level support of mixins and provide decorators to help accomplish what we need. Given that this solution is the least dependent on third-party interaction, we are choosing to explore it first. With what we know about decorators, we may be able to get exactly what we need from TypeScript. While we do not yet know for sure if this is the final solution, it is promising and something we can start working on today and then explore other options if it fails or if it is a burden to use.

This week’s Dojo 2 goals

Here are a few of this week's aspirations towards making progress on Dojo 2!

Core

  • Finish initial development (excluding features on hold: Set, WeakSet, and Reflect), including Encoding, Request, Date Features, String shims, Map shim, and Readme updates
  • Finish initial development, including Seekable Reader, Canned Streams, Iterable Interface, Readme updates, and tutorials
  • Finish documentation and code reviews

DOM

  • Basic DOM access/manipulation APIs functional
  • CSS class manipulation APIs

Routing

  • Begin development on Router

Loader

  • Setup repository
  • Draft functional test scenarios

Weekly IRC meeting

As usual, our weekly IRC meeting is on irc.freenode.net #dojo-meeting at 9am Pacific time on Tuesday.

Last week we discussed

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

This week’s agenda

As we are nearly code complete with an initial version of the Core package, we invite further discussion at this week's meeting:

  • Discuss code in core repository
  • General community and contributor feedback to the Dojo 2 roadmap

Thanks!

Thanks to everyone for their valuable contributions this past week! Please let us know if you plan to work on any features, or would like to get involved!

Dojo Recap – Week Ending April 30, 2015

Another exciting week is underway in the Dojo camp!

Dojo 1.x

In preparation for the 1.11 release planned for late Spring, we are landing high quality pull requests to fix various bugs and add enhancements to the dojo, dijit, and dojox packages.

Improvements this week

Last week in Dojo 2

This week we have some exciting updates to share with you on the planning and development progress of Dojo 2!

First off, we updated the Dojo 2 Roadmap to reflect the changes that took place this week. These changes include:

The Road to Dojo 2

“When will Dojo 2 be released?” That’s pretty much the number one question we’ve been asked about Dojo since Dojo 1.0 was released in 2007. Over the past seven plus years, we have made numerous updates and improvements, while preserving a high level of stability for our users.

What’s in a number?

Our shift to AMD in Dojo 1.7 was a massive change that could have been called Dojo 2.0, but because we kept backwards compatibility to help developers transition over to AMD syntax, it felt right to call it 1.7. We continued building on that groundwork releasing 1.8, 1.9 and 1.10!

What should Dojo 2 do?

We have spent many months collecting thoughts and ideas from our users as well as reviewing the current and near future state of the web, to decide what Dojo 2 should and should not do.

Moving to the next major version number is an opportunity for us to assess our strengths and weaknesses, and to formulate a vision for 2.0.

The Roadmap

We’ve added a new section to our (brand new!) site, the Dojo 2 Roadmap. On the roadmap you will find a proposal for each of the planned Dojo 2 core packages. We will continue to update the Roadmap as we progress through the various phases of development for Dojo 2.

Get Involved!

We are very interested in community feedback on the package proposals. Some of the proposals are very polished, and others are less complete and noted as such. If you are interested, now is the time to take a deep look at these proposals!

We plan to discuss packages at each of the upcoming Dojo weekly meetings, IRC, 9am Pacific time on Tuesdays, irc.freenode.net, #dojo-meeting. For April 21st, we will start with the loader and platform packages. If you cannot make the meeting, or have feedback you want to provide prior to then about a specific package, please leave comments within each package proposal document found in the roadmap. We don’t want to lose your feedback, so the best place to offer that feedback is within the proposal documents.

On Widgets…

The roadmap currently excludes Dijit and other user interface elements, as we’re aiming to get core planning finalized and development underway, and then determine the path forward for user interfaces and widgets. The team at IBM has been working in parallel on an effort called Delite and Deliteful, and we hope that we will be able to efficiently align efforts in the near future.

Thanks!

We look forward to working together to release Dojo 2 in the near future. Thank you for your ongoing support and interest!

Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B
http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, JavaScript code in dojox/embed/Flash performs string building of HTML for injection to the page without ensuring special characters are properly encoded. This allowed arbitrary HTML to be injected onto a page that uses dojox/embed/Flash if unsanitised user input were passed to it.
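As an added example, not code from the Dojo project or from this advisory, the following JavaScript shows the context-specific encoding that the Workarounds and Background sections call for: HTML escaping for values spliced into embed markup (the dojox/embed/Flash case), and JavaScript string-literal escaping, backslash first, for values placed inside a generated script statement (the step the Flash ExternalInterface bridge omitted). The function names, the attribute layout and the round-trip check are assumptions; the sample payload is the one quoted in the attack-vector list above.

```javascript
// Added example (not Dojo's own code): encode each untrusted value for the
// context it lands in. Function names and the markup layout are hypothetical.

// Escape the characters that can terminate an HTML attribute or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape a value for use inside a double-quoted JavaScript string literal.
// Backslash must be handled first: if it is left alone, a backslash followed
// by a quote lets the quote survive and terminate the generated literal,
// which is the ExternalInterface defect described in the Background section.
function escapeJsString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\x3c')   // keeps "</script>" from ending an inline block
    .replace(/>/g, '\\x3e');
}

// Build embed markup from caller-supplied parameters (hypothetical helper;
// the attribute set is an assumption, not dojox/embed/Flash's real output).
// Every value goes through escapeHtml before it is concatenated.
function buildEmbedMarkup(params) {
  const swfUrl = escapeHtml(params.path);
  const id = escapeHtml(params.id);
  const flashVars = escapeHtml(params.vars || '');
  return '<object id="' + id + '" type="application/x-shockwave-flash"' +
         ' data="' + swfUrl + '">' +
         '<param name="movie" value="' + swfUrl + '">' +
         '<param name="flashvars" value="' + flashVars + '">' +
         '</object>';
}

// Build the statement a SWF-to-page bridge would hand to the browser, with
// the untrusted message wrapped as a properly escaped string literal.
function buildLogCall(message) {
  return 'console.log("' + escapeJsString(message) + '");';
}

// Execute the generated statement against a stub console and return what
// reached console.log. With correct escaping, the original text comes back
// as data instead of being interpreted as code.
function roundTrip(message) {
  let captured = null;
  const run = new Function('console', buildLogCall(message));
  run({ log: function (m) { captured = m; } });
  return captured;
}

// Constructed sample input: the id value quoted in the advisory's attack
// vector list (a backslash, a quote, then JavaScript).
const PAYLOAD = '\\"))-alert(1);}catch(e){}//';

console.log(buildEmbedMarkup({ path: 'audio.swf', id: PAYLOAD }));
console.log(buildLogCall(PAYLOAD));
console.log(roundTrip(PAYLOAD) === PAYLOAD ? 'round trip intact' : 'round trip altered');
```

A quick check a reviewer can apply to any such builder: count the double quotes in the generated markup. With the escaped `id` above the count stays at the fourteen the template itself contains, whichever value is supplied; any extra quote means a value escaped its attribute.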

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Dojo turns (1.)10

Ten years ago, we humbly started a project to create a “next generation DHTML toolkit”, based on an initial email, Selling the future of DHTML. Today, we are pleased to announce the immediate release of Dojo 1.10, our 16th major release of the toolkit!

Release Notes and Documentation

Dojo 1.10 is primarily a stability and bug fix release, with over 275 issues resolved. Read the Dojo 1.10 release notes for the complete list of what’s new and improved in 1.10. API features and enhancements primarily occurred within the following areas:

  • Core (DOM, events, request, WebWorkers, etc.)
  • Dijit
  • dojox/charting and dojox/gfx
  • dojox/app
  • dojox/calendar
  • dojox/mobile (including an iOS 7 theme)
  • dojox/store (offline store with WebSQL and IndexedDB support)
  • Uglify 2 support for Dojo builder

The tutorials, reference guide, and API viewer have also been updated for the 1.10 release.

Use Direct from the CDN, or Download

Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.

Get Dojo

dstore

The new dstore project is being worked on as the eventual successor to dojo/store. It works with Dojo 1.8+, but is intended to also define the object store APIs for Dojo 2. Tutorials and documentation will accompany the dstore 1.0 release that is expected in a few weeks. Read the Looking ahead with stores blog post for more details on the direction of this module.

Grids

As a reminder, while the source code is still available for DataGrid and EnhancedGrid, these modules are formally deprecated. We instead recommend that you use dgrid or gridx.

dgrid 0.4 is currently under development, and will be the first component to leverage the new dstore API.

Intern

Intern is the replacement for DOH. Work is currently underway to update all DOH tests in Dojo core and Dijit to use Intern, to make it easier to prevent regressions with Dojo 1.x releases. You can learn more about Intern via the Intro to Intern webcast, and also read What’s next for Intern and the 2.0 release that is expected soon.

What’s Next? 1.10.1, 1.11, and 2.0

We continue working on Dojo 2.0. We continue to issue periodic maintenance releases on 1.4+, primarily to fix issues when new browsers are released. We will likely have a 1.11 release for anything that might change or enhance an API, or backport key improvements made for 2.0.

Thanks!

This release would not have been possible without significant contributions from the Dojo team. Special thanks to everyone who helped make this release possible, including:

  • Adrian Rakovsky
  • Adrian Vasiliu
  • Akira Sudoh
  • Alexander Kaidalov
  • Allen Shiels
  • Avraham Rozenzweig
  • Ben Hockey
  • Benjamin Santalucia
  • Bill Keese
  • Brandon Payton
  • Bryan Forbes
  • Christophe Jolif
  • Chuck Dumont
  • Clement Mathieu
  • Colin Snover
  • Damien Garbarino
  • Damien Mandrioli
  • Dasa Paddock
  • Douglas Hays
  • Dylan Schiemann
  • Ed Chatelain
  • Ed Hager
  • Eduardo Matos
  • Eric Durocher
  • Erwin Verdonk
  • Gabriel Aszalos
  • Gaurav Ramanan
  • Heng Liu
  • Hugh Winkler
  • James Morrin
  • Jochen Schäfer
  • Joerg Sonnenberger
  • Julien Mathevet
  • Justin Bumpus-Barnett
  • Kitson Kelly
  • Kris Zyp
  • Lajos Veres
  • Lamiaa Said
  • Lee Bodzak
  • Lorenzo Solano
  • Mangala Sadhu Sangeet Singh Khalsa
  • Mark Hays
  • Mark Szymanski
  • Matthew Maxwell
  • Mustafa Celik
  • Nick Nisi
  • Pascale Dardailler
  • Patrick Ruzand
  • Peter Kokot
  • Philip Jägenstedt
  • Rawld Gill
  • Scott Davis
  • Sebastien Brunot
  • Sebastien Pereira
  • Semion Chichelnitsky
  • Simon Speich
  • Stephen Davis
  • Stephen Simpson
  • Steve Hearnden
  • Terence Kent
  • Tim Roediger
  • Virgil Ciobanu
  • Vitaly Trushkov
  • Wouter Hager
  • Youngho Cho

We also thank AltoViso, IBM, SitePen, and TimeTrade for their generous contributions of development time and financial support.

Dojo community day!

We’re hosting a free Dojo community day in Switzerland on July 5th, and plan to host similar events in other locations later this year. If you cannot make it to Switzerland, we still encourage you to join us on the #dojo IRC channel (irc.freenode.net) for an afternoon of hacking. We’ll be online from approximately 9am – 6pm in Switzerland. Or join us at another Dojo event this summer.

Thanks!

We hope you’ll find Dojo 1.10 to be exceptionally stable and reliable. Please let us know if you run into any issues by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. We also encourage you to get involved, to help improve Dojo and to work on Dojo 2.0. We hope you find value in using Dojo 1.10!

Dojo 1.10 release schedule, beta 1 now available

In preparation for the release of Dojo 1.10, trunk is now in feature freeze, which means this code is considered feature complete for Dojo 1.10. The release schedule is currently as follows:

  • May 13: Dojo 1.10.0-beta1
  • May 29: Release candidate 1 (note: if additional beta releases are necessary, each release will push this out by 1 week)
  • June 12: Final release (note: if additional rc releases are necessary, each release will push this out by 1 week)

We encourage you to grab the beta and help us find any bugs or regressions with your code base and report any issues you find by following our contributor workflow.

The documentation for 1.10 has not yet been built, though the API changes from 1.9 are minimal. Work in progress release notes are available to see a highlight of the additions we have made.

Thank you to everyone that has helped make this release a success, including the 61 contributors that have had code land in this release!

Dojo 1.9.2 and more

We have a number of December announcements.

Dojo 1.9.2

Dojo version 1.9.2 is now available for immediate use. The most prominent changes are:

  • Support for IE11
  • Support for W3C Pointer Events API in touch-enabled components (necessary for IE11 support)
  • Fixes for modern Firefox and Chrome
  • Fixes to star-mapping and aliases when using built layers
  • Fixes to sorting Date objects in dojo/store/Memory and other stores that use SimpleQueryEngine
  • Fixes to Dijit pop-up scrolling when using the scrollbar

Full details of the Dojo 1.9.2 release are available on the mailing list. We expect to have backported IE11 support available for Dojo 1.8 within a few weeks.

Help wanted: Migrating DOH tests to Intern

As many of you know, Intern is our replacement for DOH for Dojo 2.0. In order to make it easier for us to test and maintain multiple versions of Dojo, we are starting the process of replacing all existing DOH tests with Intern tests in the 1.x codebase. If you would like to get involved, please volunteer to assist in migrating tests. We will post additional instructions shortly on how to get involved.

Dojo training workshops

SitePen is running a December promotion with a free Dojo 101 workshop when registering for any of their Dojo 201 or 202 workshops in 2014. They are also offering both free 101 and 201 to the first person to register for all 3 workshops in each city on their calendar. Read the full details on this Dojo workshop promotion. The full Dojo workshop schedule for 2014 is also available.

The road to Dojo 2

The road to Dojo 2 is underway, and we have a substantial amount of work to complete to achieve our goals. Many early efforts have started towards building the best possible JavaScript toolkit. If you are interested in helping with Dojo 2, we encourage you to get involved by contacting us via the mailing list or on IRC.

Needs More Dojo plugin for JetBrains’ IDEs

The following is a guest post from Christopher Folger, creator of a Dojo plugin for the JetBrains IDE. Thanks Christopher for sharing information about your plugin.

Needs More Dojo is a plugin that provides awareness of Dojo’s AMD system and object model to the IDE. Its main purpose is to simplify the management of the imported modules array (and corresponding function parameters) in a define block.

For example, instead of typing “dijit/layout/ContentPane” and adding a “ContentPane” parameter, Needs More Dojo lets you type “ContentPane” then inserts the correct module path and parameter for you into the existing list of imports. As you are writing code, when you reference an AMD module, you can use a hot-key to import the module instead of adding it manually. It will also flag unused modules with a strike-through and allows you to remove all unused modules at once.

Apart from this, it has several other features:

  • Allows you to organize, remove duplicates, or move items in a module’s list of imports via hot-keys or menu items
  • Highlights mismatches between an imported module and its parameter
  • Scans your sources and updates module references in define blocks when using the move/rename refactoring actions
  • Detects and optionally highlights cyclic dependencies
  • Allows navigation to attach points in modules that use _TemplatedWidget and i18n resource keys when using dojo/i18n!
  • The upcoming release provides support for require blocks in addition to better navigation to modules, methods, and this.inherited references

Needs More Dojo is listed under the JavaScript category of the JetBrains plugin repository, which you can access in the IDE. Alternatively, you can visit the Needs More Dojo plugin directly.

It is open-source and is currently under development. Any feedback or feature requests are always welcome and can be made on GitHub.

Chrome 29 and Dojo 1.4-1.6

If you’re using Dojo 1.4, 1.5, or 1.6, you’ll need to update to the latest patch to fix a regression with the release of Chrome version 29.

Ticket 17400 has the details on the fix.

You can get the patch from GitHub for your particular version of Dojo, and this fix will be included in the next release for each of Dojo 1.4.x, 1.5.x, and 1.6.x.

If you are already using Dojo 1.7 or newer, this fix already exists within your code base.

Dojo is now hosted on GitHub

I’m pleased to announce that after a prolonged period of incomplete mirroring, we’ve now fully migrated Dojo’s source code to GitHub. Future development will be performed there instead of the Subversion repository, which is now read-only and effectively dead. We will continue to use bugs.dojotoolkit.org for issue tracking, but patches should now be submitted directly as pull requests. The CONTRIBUTING.md guidelines in each repository provide guidelines on sending patches.

As an unavoidable part of this update, the old repositories on GitHub have had their histories rewritten. This means that any Git projects with submodules pointing to those old repositories will be broken. If you have such a project, please make sure you update your submodules. The old mirror repositories have been temporarily renamed with an `-oldmirror` suffix so you can find the correct commit ID for your project. These old mirror repositories will be going away in the near future.