Category Archives: Announcements

The Road to Dojo 2

“When will Dojo 2 be released?” That’s pretty much the number one question we’ve been asked about Dojo since Dojo 1.0 was released in 2007. Over the past seven plus years, we have made numerous updates and improvements, while preserving a high level of stability for our users.

What’s in a number?

Our shift to AMD in Dojo 1.7 was a massive change that could have been called Dojo 2.0, but because we kept backwards compatibility to help developers transition to AMD syntax, it felt right to call it 1.7. We continued building on that groundwork, releasing 1.8, 1.9 and 1.10!

What should Dojo 2 do?

We have spent many months collecting thoughts and ideas from our users as well as reviewing the current and near future state of the web, to decide what Dojo 2 should and should not do.

Moving to the next major version number is an opportunity for us to assess our strengths and weaknesses, and to formulate a vision for 2.0.

The Roadmap

We’ve added a new section to our (brand new!) site, the Dojo 2 Roadmap. On the roadmap you will find a proposal for each of the planned Dojo 2 core packages. We will continue to update the Roadmap as we progress through the various phases of development for Dojo 2.

Get Involved!

We are very interested in community feedback on the package proposals. Some of the proposals are very polished, and others are less complete and noted as such. If you are interested, now is the time to take a deep look at these proposals!

We plan to discuss packages at each of the upcoming Dojo weekly meetings, held on IRC (irc.freenode.net, #dojo-meeting) at 9am Pacific time on Tuesdays. For April 21st, we will start with the loader and platform packages. If you cannot make the meeting, or have feedback you want to provide prior to then about a specific package, please leave comments within each package proposal document found in the roadmap. We don’t want to lose your feedback, so the best place to offer that feedback is within the proposal documents.

On Widgets…

The roadmap currently excludes Dijit and other user interface elements, as we’re aiming to get core planning finalized and development underway, and then determine the path forward for user interfaces and widgets. The team at IBM has been working in parallel on an effort called Delite and Deliteful, and we hope that we will be able to efficiently align efforts in the near future.

Thanks!

We look forward to working together to release Dojo 2 in the near future. Thank you for your ongoing support and interest!

Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, the Dojo Toolkit security team discovered similar XSS vulnerabilities in other dojox components, including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//

http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B

http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue: backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime, so a backslash in the data can defeat the escaping of a quote that follows it. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, JavaScript code in dojox/embed/Flash builds HTML by string concatenation and injects it into the page without ensuring special characters are properly encoded. If unsanitised user input was passed to it, this allowed arbitrary HTML to be injected into any page that uses dojox/embed/Flash.
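Both bugs described above, and the second workaround (HTML-escaping everything passed to dojox/embed/Flash), come down to encoding a value for the context it is inserted into. The JavaScript below is an added example, not code from the Dojo Toolkit or from the advisory: it pairs a naive JavaScript string-literal encoder that escapes quotes but not backslashes (the behaviour the advisory attributes to ExternalInterface) with a correct one, and runs a string-concatenating markup builder once without and once with attribute encoding. The option names `id` and `path` on `buildObjectMarkup`, the helper names, and every sample string are constructed for this example; they are not dojox/embed/Flash's API.

```javascript
// Added example (not Dojo Toolkit code): output encoding for two contexts,
// JavaScript source text and HTML attribute values.

// Naive JavaScript string-literal encoder: escapes '"' but not '\'. A backslash
// in the input neutralises the escape on the quote after it, so the literal
// ends early and the rest of the input is parsed as code. DO NOT USE.
function naiveJsLiteral(value) {
  return '"' + String(value).replace(/"/g, '\\"') + '"';
}

// Correct encoder: JSON.stringify escapes backslashes, quotes, control
// characters and line terminators, so the output is always one literal.
function safeJsLiteral(value) {
  return JSON.stringify(String(value));
}

// Round-trip check: parse the literal as JavaScript and compare with the input.
// A SyntaxError (literal ended early) or a changed value both count as failure.
function literalRoundTrips(encode, value) {
  try {
    return new Function('return ' + encode(value) + ';')() === value;
  } catch (e) {
    return false;
  }
}

// HTML attribute encoder: the five characters that can alter attribute or
// element structure. Sufficient for values placed inside quoted attributes.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Markup builder in the style of a concatenating Flash embedder. The option
// names `id` and `path` are hypothetical, not dojox/embed/Flash's API. Passing
// the identity function as `encode` reproduces the vulnerable pattern.
function buildObjectMarkup(opts, encode) {
  return '<object id="' + encode(opts.id) + '" type="application/x-shockwave-flash">' +
    '<param name="movie" value="' + encode(opts.path) + '">' +
    '</object>';
}

// Count start tags of one element name; anything other than the one the
// builder emits means the input changed the document structure.
function countTags(markup, tagName) {
  const re = new RegExp('<' + tagName + '\\b', 'g');
  return (markup.match(re) || []).length;
}

// Constructed sample inputs (not from the advisory): a plain string, a string
// with a backslash before a quote, and one that closes the id attribute and
// starts a second element.
const SAMPLE_PLAIN = 'player1';
const SAMPLE_BACKSLASH = 'a\\"b';
const SAMPLE_BREAKOUT = 'x"><object id="injected';

function demo() {
  const identity = function (s) { return s; };
  const opts = { id: SAMPLE_BREAKOUT, path: 'video.swf' };
  return {
    naivePlain: literalRoundTrips(naiveJsLiteral, SAMPLE_PLAIN),          // true
    naiveBackslash: literalRoundTrips(naiveJsLiteral, SAMPLE_BACKSLASH),  // false
    safeBackslash: literalRoundTrips(safeJsLiteral, SAMPLE_BACKSLASH),    // true
    unsafeObjects: countTags(buildObjectMarkup(opts, identity), 'object'),      // 2
    safeObjects: countTags(buildObjectMarkup(opts, escapeHtmlAttr), 'object'),  // 1
  };
}

console.log(demo());
```

The round-trip check is the test a maintainer would add to any serializer that emits source text: an encoder is only correct if every input parses back to itself. The same "count the structure you emitted" check on the generated markup catches attribute breakouts regardless of which characters the input uses.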

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Dojo turns (1.)10

Ten years ago, we humbly started a project to create a “next generation DHTML toolkit”, based on an initial email, Selling the future of DHTML. Today, we are pleased to announce the immediate release of Dojo 1.10, our 16th major release of the toolkit!

Release Notes and Documentation

Dojo 1.10 is primarily a stability and bug fix release, with over 275 issues resolved. Read the Dojo 1.10 release notes for the complete list of what’s new and improved in 1.10. API features and enhancements primarily occurred within the following areas:

  • Core (DOM, events, request, WebWorkers, etc.)
  • Dijit
  • dojox/charting and dojox/gfx
  • dojox/app
  • dojox/calendar
  • dojox/mobile (including an iOS 7 theme)
  • dojox/store (offline store with WebSQL and IndexedDB support)
  • Uglify 2 support for Dojo builder

The tutorials, reference guide, and API viewer have also been updated for the 1.10 release.

Use Direct from the CDN, or Download

Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.


dstore

The new dstore project is being worked on as the eventual successor to dojo/store. It works with Dojo 1.8+, but is intended to also define the object store APIs for Dojo 2. Tutorials and documentation will accompany the dstore 1.0 release that is expected in a few weeks. Read the Looking ahead with stores blog post for more details on the direction of this module.

Grids

As a reminder, while the source code is still available for DataGrid and EnhancedGrid, these modules are formally deprecated. We instead recommend that you use dgrid or gridx.

dgrid 0.4 is currently under development, and will be the first component to leverage the new dstore API.

Intern

Intern is the replacement for DOH. Work is currently underway to update all DOH tests in Dojo core and Dijit to use Intern, to make it easier to prevent regressions with Dojo 1.x releases. You can learn more about Intern via the Intro to Intern webcast, and also read What’s next for Intern and the 2.0 release that is expected soon.

What’s Next? 1.10.1, 1.11, and 2.0

We continue working on Dojo 2.0. We continue to issue periodic maintenance releases on 1.4+, primarily to fix issues when new browsers are released. We will likely have a 1.11 release for anything that might change or enhance an API, or backport key improvements made for 2.0.

Thanks!

This release would not have been possible without significant contributions from the Dojo team. Special thanks to everyone who helped make this release possible, including:

  • Adrian Rakovsky
  • Adrian Vasiliu
  • Akira Sudoh
  • Alexander Kaidalov
  • Allen Shiels
  • Avraham Rozenzweig
  • Ben Hockey
  • Benjamin Santalucia
  • Bill Keese
  • Brandon Payton
  • Bryan Forbes
  • Christophe Jolif
  • Chuck Dumont
  • Clement Mathieu
  • Colin Snover
  • Damien Garbarino
  • Damien Mandrioli
  • Dasa Paddock
  • Douglas Hays
  • Dylan Schiemann
  • Ed Chatelain
  • Ed Hager
  • Eduardo Matos
  • Eric Durocher
  • Erwin Verdonk
  • Gabriel Aszalos
  • Gaurav Ramanan
  • Heng Liu
  • Hugh Winkler
  • James Morrin
  • Jochen Schäfer
  • Joerg Sonnenberger
  • Julien Mathevet
  • Justin Bumpus-Barnett
  • Kitson Kelly
  • Kris Zyp
  • Lajos Veres
  • Lamiaa Said
  • Lee Bodzak
  • Lorenzo Solano
  • Mangala Sadhu Sangeet Singh Khalsa
  • Mark Hays
  • Mark Szymanski
  • Matthew Maxwell
  • Mustafa Celik
  • Nick Nisi
  • Pascale Dardailler
  • Patrick Ruzand
  • Peter Kokot
  • Philip Jägenstedt
  • Rawld Gill
  • Scott Davis
  • Sebastien Brunot
  • Sebastien Pereira
  • Semion Chichelnitsky
  • Simon Speich
  • Stephen Davis
  • Stephen Simpson
  • Steve Hearnden
  • Terence Kent
  • Tim Roediger
  • Virgil Ciobanu
  • Vitaly Trushkov
  • Wouter Hager
  • Youngho Cho

We also thank AltoViso, IBM, SitePen, and TimeTrade for their generous contributions of development time and financial support.

Dojo community day!

We’re hosting a free Dojo community day in Switzerland on July 5th, and plan to host similar events in other locations later this year. If you cannot make it to Switzerland, we still encourage you to join us on the #dojo IRC channel (irc.freenode.net) for an afternoon of hacking. We’ll be online from approximately 9am – 6pm in Switzerland. Or join us at another Dojo event this summer.

Thanks!

We hope you’ll find Dojo 1.10 to be exceptionally stable and reliable. Please let us know if you run into any issues by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. We also encourage you to get involved, to help improve Dojo and to work on Dojo 2.0. We hope you find value in using Dojo 1.10!

Dojo 1.10 release schedule, beta 1 now available

In preparation for the release of Dojo 1.10, trunk is now in feature freeze, which means this code is considered feature complete for Dojo 1.10. The release schedule is currently as follows:

  • May 13: Dojo 1.10.0-beta1
  • May 29: Release candidate 1 (note: if additional beta releases are necessary, each release will push this out by 1 week)
  • June 12: Final release (note: if additional rc releases are necessary, each release will push this out by 1 week)

We encourage you to grab the beta and help us find any bugs or regressions with your code base and report any issues you find by following our contributor workflow.

The documentation for 1.10 has not yet been built, though the API changes from 1.9 are minimal. Work in progress release notes are available to see a highlight of the additions we have made.

Thank you to everyone that has helped make this release a success, including the 61 contributors that have had code land in this release!

Dojo 1.9.2 and more

We have a number of December announcements.

Dojo 1.9.2

Dojo version 1.9.2 is now available for immediate use. The most prominent changes are:

  • Support for IE11
  • Support for W3C Pointer Events API in touch-enabled components (necessary for IE11 support)
  • Fixes for modern Firefox and Chrome
  • Fixes to star-mapping and aliases when using built layers
  • Fixes to sorting Date objects in dojo/store/Memory and other stores that use SimpleQueryEngine
  • Fixes to Dijit pop-up scrolling when using the scrollbar

Full details of the Dojo 1.9.2 release are available on the mailing list. We expect to have backported IE11 support available for Dojo 1.8 within a few weeks.

Help wanted: Migrating DOH tests to Intern

As many of you know, Intern is our replacement for DOH for Dojo 2.0. In order to make it easier for us to test and maintain multiple versions of Dojo, we are starting the process of replacing all existing DOH tests with Intern tests in the 1.x codebase. If you would like to get involved, please volunteer to assist in migrating tests. We will post additional instructions shortly on how to get involved.

Dojo training workshops

SitePen is running a December promotion with a free Dojo 101 workshop when registering for any of their Dojo 201 or 202 workshops in 2014. They are also offering both free 101 and 201 to the first person to register for all 3 workshops in each city on their calendar. Read the full details on this Dojo workshop promotion. The full Dojo workshop schedule for 2014 is also available.

The road to Dojo 2

The road to Dojo 2 is underway, and we have a substantial amount of work to complete to achieve our goals. Many early efforts have started towards building the best possible JavaScript toolkit. If you are interested in helping with Dojo 2, we encourage you to get involved by contacting us via the mailing list or on IRC.

Needs More Dojo plugin for JetBrains’ IDEs

The following is a guest post from Christopher Folger, creator of a Dojo plugin for the JetBrains IDE. Thanks Christopher for sharing information about your plugin.

Needs More Dojo is a plugin that provides awareness of Dojo’s AMD system and object model to the IDE. Its main purpose is to simplify the management of the imported modules array (and corresponding function parameters) in a define block.

For example, instead of typing “dijit/layout/ContentPane” and adding a “ContentPane” parameter, Needs More Dojo lets you type “ContentPane” then inserts the correct module path and parameter for you into the existing list of imports. As you are writing code, when you reference an AMD module, you can use a hot-key to import the module instead of adding it manually. It will also flag unused modules with a strike-through and allows you to remove all unused modules at once.

Apart from this, it has several other features:

  • Allows you to organize, remove duplicates, or move items in a module’s list of imports via hot-keys or menu items
  • Highlights mismatches between an imported module and its parameter
  • Scans your sources and updates module references in define blocks when using the move/rename refactoring actions
  • Detects and optionally highlights cyclic dependencies
  • Allows navigation to attach points in modules that use _TemplatedWidget and i18n resource keys when using dojo/i18n!
  • The upcoming release provides support for require blocks in addition to better navigation to modules, methods, and this.inherited references

Needs More Dojo is listed under the JavaScript category of the JetBrains plugin repository, which you can access in the IDE. Alternatively, you can visit the Needs More Dojo plugin directly.

It is open-source and is currently under development. Any feedback or feature requests are always welcome and can be made on GitHub.

Chrome 29 and Dojo 1.4-1.6

If you’re using Dojo 1.4, 1.5, or 1.6, you’ll need to update to the latest patch to fix a regression with the release of Chrome version 29.

Ticket 17400 has the details on the fix.

You can get the patch from GitHub for your particular version of Dojo, and this fix will be included in the next release for each of Dojo 1.4.x, 1.5.x, and 1.6.x.

If you are already using Dojo 1.7 or newer, this fix already exists within your code base.

Dojo is now hosted on GitHub

I’m pleased to announce that after a prolonged period of incomplete mirroring, we’ve now fully migrated Dojo’s source code to GitHub. Future development will be performed there instead of the Subversion repository, which is now read-only and effectively dead. We will continue to use bugs.dojotoolkit.org for issue tracking, but patches should now be submitted directly as pull requests. The CONTRIBUTING.md guidelines in each repository provide guidelines on sending patches.

As an unavoidable part of this update, the old repositories on GitHub have had their histories rewritten. This means that any Git projects with submodules pointing to those old repositories will be broken. If you have such a project, please make sure you update your submodules. The old mirror repositories have been temporarily renamed with an `-oldmirror` suffix so you can find the correct commit ID for your project. These old mirror repositories will be going away in the near future.

Dojo 1.9 Released!

The Dojo team is very excited to announce the immediate release of Dojo 1.9!

This release would not have been possible without significant contributions from the Dojo team. Special thanks to Adam Peller, Adrian Vasiliu, Ben Hockey, Bill Keese, Brandon Payton, Brian Arnold, Bryan Forbes, Christophe Jolif, Colin Snover, Damien Mandrioli, Doug Hays, Dylan Schiemann, Ed Chatelain, Eric Durocher, Evan Huang, Ken Franqueiro, Kitson Kelly, Kris Zyp, Mangala Sadhu Sangeet Singh Khalsa, Patrick Ruzand, Paul Bouchon, Rawld Gill, Sergey Grebnov, Yoshiroh Kamiyama, and dozens of others, and to IBM, SitePen, AltoViso, and BlackBerry for their generous contributions of development time and financial support.

Use Direct from the CDN, or Download

Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.


Release Notes and Documentation

Dojo 1.9 is primarily a stability and bug fix release, with over 700 issues resolved. Read the Dojo 1.9 release notes for the complete list of what’s new and improved in 1.9. API features and enhancements primarily occurred within the following areas:

  • Mobile and touch events
  • Dijit support for mobile
  • Dijit enhancements and additions
  • BlackBerry 10
  • IE 10/Windows Phone 8, Windows Surface/RT
  • iOS and Android theme refinements
  • dojox/charting and dojox/gfx
  • dojox/app
  • dojox/calendar
  • Source maps

The tutorials, reference guide, and API viewer have also been updated for the 1.9 release.

Grids

While the source code is still available for DataGrid and EnhancedGrid, these modules are formally deprecated. We instead recommend that you use dgrid or gridx.

What’s Next? 1.9.1, 1.10, and 2.0

We continue working on Dojo 2.0 core. We continue to issue periodic maintenance releases on 1.4+, primarily to fix issues when new browsers are released. We will likely have a 1.10 release for anything that might change or enhance an API, or backport key improvements made for 2.0.

We’ve also just released 1.8.4, which is now available for download, as well as via the CDN.

Thanks!

We hope you’ll find Dojo 1.9 to be exceptionally stable and reliable. Please let us know if you run into any issues by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. We also encourage you to get involved, to help improve Dojo and to work on Dojo 2.0. We hope you find value in using Dojo 1.9!

Dojo 1.8 Released!

The Dojo team is very excited to announce the immediate release of Dojo 1.8, our last major release before the big 2.0!

This release would not have been possible without significant contributions from the Dojo team. Special thanks to Colin Snover, Bill Keese, Dylan Schiemann, Rawld Gill, Ken Franqueiro, Bryan Forbes, Kitson Kelly, Brian Arnold, Doug Hays, Christophe Jolif, Mark Wubben, Doug Hays, Yoshiroh Kamiyama, Kris Zyp, Patrick Ruzand, Adam Peller, Evan Huang, and dozens of others, and to IBM, SitePen, AltoViso, and Research in Motion for their generous contributions of development time and financial support.

With that out of the way, let’s talk about what’s new in Dojo 1.8!

Better Documentation

The top goal of Dojo 1.8 was to significantly improve the quality of our documentation. In order to achieve this, in this release, we’ve:

  • made more than 500 fixes to our documentation based on community feedback (thank you!)
  • re-organized and committed over 1500 changes to our reference guide
  • developed a brand new, extensible JavaScript-based documentation parser, which we use to generate output for the API viewer
  • significantly enhanced the API viewer with full AMD support, module cross-linking, property source information (useful for modules that are augmented by other modules, like dojo/NodeList), and other improvements

We’re still in the process of updating the Dojo tutorial series to bring you the latest and greatest advice, but over 70% of our existing tutorial series have already been updated, with the remainder to be completed in the coming weeks. We’re also adding ten brand new tutorials to teach you about the new features added to Dojo 1.8. We’ll be announcing the remaining tutorials as they are released on our Twitter account (@dojo), so keep an eye out there.

New Features

Dojo 1.8 isn’t all documentation, of course! We’ve also been hard at work adding several major new features to the toolkit that we think you’ll enjoy. These new components include:

dojo/request: A cross-platform AJAX component, designed to be more flexible and extensible than the existing dojo/_base/xhr component (which it deprecates). Notable new features of this component include the ability to perform AJAX calls from Node.js, XHR2 support, and a mechanism for registering handlers to convert arbitrary response payloads into usable objects.

dojo/node: A new loader plugin that enables server-side code to load Node.js/CommonJS modules from within the AMD loader.

dojo/router: A component that enables client-side applications to register and navigate between discrete “pages” that change based on the current browser URL, like the navigation of a “traditional” server-side application.

dojo/promise: A redesigned, Promises/A-compliant deferreds/promises implementation which deprecates dojo/_base/Deferred. Notable new features include improved instrumentation and error handling, an easier-to-use API, and a reduced footprint for applications that only need a subset of its features.

dijit/Destroyable: A new base widget class that makes it easier to ensure event handlers, topic subscribers, and other connections are properly cleaned up when their owner objects are destroyed.

dojox/Calendar: A new, feature-rich calendaring widget that enables you to quickly and easily create event calendars. View a demo.

dojox/dgauges: A new framework for creating graphically rich gauges used to represent and manipulate data. View a demo.

dojox/treemap: A component for creating treemap data visualizations. View a demo.

In addition to these all-new features, we’ve also significantly enhanced several other components from earlier versions of the toolkit. Some of the more notable improvements include:

  • dojox/mobile includes 28 new mobile widgets including audio, video, grid layout, and tree view. (View a demo.)
  • dojo/dnd and dojox/gfx are both now fully functional on mobile devices.
  • dojo/parser now accepts AMD module IDs in the data-dojo-type attribute. It also includes a new asynchronous mode that allows modules to be automatically required based on the data-dojo-type attribute if they haven’t been explicitly required yet.
  • dojo/Stateful now allows the use of getter and setter functions; previously, only dijit/_WidgetBase enabled getter/setter functions.
  • Dijit’s Claro theme now uses CSS3 gradients instead of images in browsers that support it.
  • DOH Robot now works with the loader set to asynchronous mode.

A more exhaustive list of new features and enhancements can be found in the Dojo 1.8 release notes, along with some migration instructions for any changes that are known to be incompatible with code written for Dojo 1.7 and earlier. The complete list of 971 new features, enhancements, and bug fixes can be found at the bug tracker.

What’s Next? 1.8.1 and 2.0

Now that we’ve released our “final” version of the Dojo 1.x series, we’re moving full speed ahead into planning for Dojo 2.0! In the meantime, we’ll continue to issue maintenance releases for all major Dojo versions 1.4 and later as necessary to ensure your apps continue to work well into the future. We’ll also be releasing a Dojo 1.8.1 release in the next 2–6 weeks to address any bugs that were introduced in Dojo 1.8.

We’ll be providing more information on the blog shortly about our vision for Dojo 2.0 and how you can help to make it the best version of Dojo ever.

Thanks!

We hope you’ll find Dojo 1.8 to be exceptionally stable and reliable. However, if you do run into any issues, please let us know by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. Otherwise, enjoy the release!