Category Archives: Announcements

Dojo 1.14 released

While most of our attention recently has gone into the new modern Dojo framework releases, we are still maintaining and updating versions of Dojo 1.x as we receive pull requests and updates.

Today we are pleased to announce version 1.14 of the Dojo Toolkit, as well as backported releases 1.13.1, 1.12.4, 1.11.6, and 1.10.10. Note that we will no longer be shipping updated releases prior to 1.10, though you may of course still build your own version from source. Patches are still backported, but the time to push a release for each version is non-trivial.

As these releases are smaller in nature, it is fairly easy to look at the commit history to see what has changed. For example, the Dojo package commit history has details about the Dojo package.

We did receive two small security related reports. These issues are unlikely to impact most of our users in production, but are worth reviewing:

Updated releases on the Google CDN are forthcoming.

Thanks for your help in making this release possible. Please let us know if you have any issues. Note that all bug reports should now be filed on GitHub.

Dojo 2 beta 4, 1.13, and Discourse

Dojo 2 beta 4

Dojo 2 beta 4 was recently released! Read more about the release on the Dojo 2 beta 4 blog post! The new website for Dojo 2+ also has a number of tutorials and examples to help you get started with Dojo 2.

Dojo 1.13

Also note that Dojo 1.13 and point releases to 1.12, 1.11, and 1.10 were also recently released and are now also available on the Google CDN.

Dojo Discourse

Finally, the Dojo mailing list has been retired. Questions may be asked on our new Dojo Discourse forum, Dojo 1.x Gitter channel, or Stack Overflow.

Dojo Security Advisory 2014-12-08

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B
http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//
http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, JavaScript code in dojox/embed/Flash performs string building of HTML for injection to the page without ensuring special characters are properly encoded. This allowed arbitrary HTML to be injected onto a page that uses dojox/embed/Flash if unsanitised user input were passed to it.

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or undermaintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Dojo turns (1.)10

Ten years ago, we humbly started a project to create a “next generation DHTML toolkit”, based on an initial email, Selling the future of DHTML. Today, we are pleased to announce the immediate release of Dojo 1.10, our 16th major release of the toolkit!

Release Notes and Documentation

Dojo 1.10 is primarily a stability and bug fix release, with over 275 issues resolved. Read the Dojo 1.10 release notes for the complete list of what’s new and improved in 1.10. API features and enhancements primarily occurred within the following areas:

  • Core (DOM, events, request, WebWorkers, etc.)
  • Dijit
  • dojox/charting and dojox/gfx
  • dojox/app
  • dojox/calendar
  • dojox/mobile (including an iOS 7 theme)
  • dojox/store (offline store supporting WebSQL and IndexedDB support)
  • Uglify 2 support for Dojo builder

The tutorials, reference guide, and API viewer have also been updated for the 1.10 release.

Use Direct from the CDN, or Download

Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.

Get Dojo

dstore

The new dstore project is being worked on as the eventual successor to dojo/store. It works with Dojo 1.8+, but is intended to also define the object store APIs for Dojo 2. Tutorials and documentation will accompany the dstore 1.0 release that is expected in a few weeks. Read the Looking ahead with stores blog post for more details on the direction of this module.

Grids

As reminder, while the source code is still available for DataGrid and EnhancedGrid, these modules are formally deprecated. We instead recommend that you use dgrid or gridx.

dgrid 0.4 is currently under development, and will be the first component to leverage the new dstore API.

Intern

Intern is the replacement for DOH. Work is currently underway to update all DOH tests in Dojo core and Dijit to use Intern, to make it easier to prevent regressions with Dojo 1.x releases. You can learn more about Intern via the Intro to Intern webcast, and also read What’s next for Intern and the 2.0 release that is expected soon.

What’s Next? 1.10.1, 1.11, and 2.0

We continue working on Dojo 2.0. We continue to issue periodic maintenance releases on 1.4+, primarily to fix issues when new browsers are released. We will likely will have a 1.11 release for anything that might change or enhance an API, or backport key improvements made for 2.0.

Thanks!

This release would not have been possible without significant contributions from the Dojo team. Special thanks to everyone who helped make this release possible, including:

  • Adrian Rakovsky
  • Adrian Vasiliu
  • Akira Sudoh
  • Alexander Kaidalov
  • Allen Shiels
  • Avraham Rozenzweig
  • Ben Hockey
  • Benjamin Santalucia
  • Bill Keese
  • Brandon Payton
  • Bryan Forbes
  • Christophe Jolif
  • Chuck Dumont
  • Clement Mathieu
  • Colin Snover
  • Damien Garbarino
  • Damien Mandrioli
  • Dasa Paddock
  • Douglas Hays
  • Dylan Schiemann
  • Ed Chatelain
  • Ed Hager
  • Eduardo Matos
  • Eric Durocher
  • Erwin Verdonk
  • Gabriel Aszalos
  • Gaurav Ramanan
  • Heng Liu
  • Hugh Winkler
  • James Morrin
  • Jochen Schäfer
  • Joerg Sonnenberger
  • Julien Mathevet
  • Justin Bumpus-Barnett
  • Kitson Kelly
  • Kris Zyp
  • Lajos Veres
  • Lamiaa Said
  • Lee Bodzak
  • Lorenzo Solano
  • Mangala Sadhu Sangeet Singh Khalsa
  • Mark Hays
  • Mark Szymanski
  • Matthew Maxwell
  • Mustafa Celik
  • Nick Nisi
  • Pascale Dardailler
  • Patrick Ruzand
  • Peter Kokot
  • Philip Jägenstedt
  • Rawld Gill
  • Scott Davis
  • Sebastien Brunot
  • Sebastien Pereira
  • Semion Chichelnitsky
  • Simon Speich
  • Stephen Davis
  • Stephen Simpson
  • Steve Hearnden
  • Terence Kent
  • Tim Roediger
  • Virgil Ciobanu
  • Vitaly Trushkov
  • Wouter Hager
  • Youngho Cho

We also thank AltoViso, IBM, SitePen, and TimeTrade for their generous contributions of development time and financial support.

Dojo community day!

We’re hosting a free Dojo community day in Switzerland on July 5th, and plan to host similar events in other locations later this year. If you cannot make it to Switzerland, we still encourage you to join us on the #dojo IRC channel (irc.freenode.net) for an afternoon of hacking. We’ll be online from approximately 9am – 6pm in Switzerland. Or join us at another Dojo event this summer.

Thanks!

We hope you’ll find Dojo 1.10 to be exceptionally stable and reliable. Please let us know if you run into any issues by opening a ticket. If you find a problem in the documentation, you can also provide feedback via the link at the bottom of every page. We also encourage you to get involved, to help improve Dojo and to work on Dojo 2.0. We hope you find value in using Dojo 1.10!

Dojo 1.10 release schedule, beta 1 now available

In preparation for the release of Dojo 1.10, trunk is now in feature freeze, which means this code is considered feature complete for Dojo 1.10. The release schedule is currently as follows:

  • May 13: Dojo 1.10.0-beta1
  • May 29: Release candidate 1 (note: if additional beta releases are necessary, each release will push this out by 1 week)
  • June 12: Final release (note: if additional rc releases are necessary, each release will push this out by 1 week)

We encourage you to grab the beta and help us find any bugs or regressions with your code base and report any issues you find by following our contributor workflow.

The documentation for 1.10 has not yet been built, though the API changes from 1.9 are minimal. Work in progress release notes are available to see a highlight of the additions we have made.

Thank you to everyone that has helped make this release a success, including the 61 contributors that have had code land in this release!

Dojo 1.9.2 and more

We have a number of December announcements.

Dojo 1.9.2

Dojo version 1.9.2 is now available for immediate use. The most prominent changes are:

  • Support for IE11
  • Support for W3C Pointer Events API in touch-enabled components (necessary for IE11 support)
  • Fixes for modern Firefox and Chrome
  • Fixes to star-mapping and aliases when using built layers
  • Fixes to sorting Date objects in dojo/store/Memory and other stores that use SimpleQueryEngine
  • Fixes to Dijit pop-up scrolling when using the scrollbar

Full details of the Dojo 1.9.2 release are available on the mailing list. We expect to have backsupported IE11 support available for Dojo 1.8 within a few weeks.

Help wanted: Migrating DOH tests to Intern

As many of you know, Intern is our replacement for DOH for Dojo 2.0. In order to make it easier for us to test and maintain multiple versions of Dojo, we are starting the process of replacing all existing DOH tests with Intern tests in the 1.x codebase. If you would like to get involved, please volunteer to assist in migrating tests. We will post additional instructions shortly on how to get involved.

Dojo training workshops

SitePen is running a December promotion with a free Dojo 101 workshop when registering for any of their Dojo 201 or 202 workshops in 2014. They are also offering both free 101 and 201 to the first person to register for all 3 workshops in each city on their calendar. Read the full details on this Dojo workshop promotion. The full Dojo workshop schedule for 2014 is also available.

The road to Dojo 2

The road to Dojo 2 is underway, and we have a substantial amount of work to complete to achieve our goals. Many early efforts have started towards building the best possible JavaScript toolkit. If you are interested in helping with Dojo 2, we encourage you to get involved by contacting us via the mailing list or on IRC.

Needs More Dojo plugin for JetBrains’ IDEs

The following is a guest post from Christopher Folger, creator of a Dojo plugin for the JetBrains IDE. Thanks Christopher for sharing information about your plugin.

Needs More Dojo is a plugin that provides awareness of Dojo’s AMD system and object model to the IDE. Its main purpose is to simplify the management of the imported modules array (and corresponding function parameters) in a define block.

For example, instead of typing “dijit/layout/ContentPane” and adding a “ContentPane” parameter, Needs More Dojo lets you type “ContentPane” then inserts the correct module path and parameter for you into the existing list of imports. As you are writing code, when you reference an AMD module, you can use a hot-key to import the module instead of adding it manually. It will also flag unused modules with a strike-through and allows you to remove all unused modules at once.

Apart from this, it has several other features:

  • Allows you to organize, remove duplicates, or move items in a module’s list of imports via hot-keys or menu items
  • Highlights mismatches between an imported module and its parameter
  • Scans your sources and updates module references in define blocks when using the move/rename refactoring actions
  • Detects and optionally highlights cyclic dependencies
  • Allows navigation to attach points in modules that use _TemplatedWidget and i18n resource keys when using dojo/i18n!
  • The upcoming release provides support for require blocks in addition to better navigation to modules, methods, and this.inherited references

Needs More Dojo is listed under the JavaScript category of the JetBrains plugin repository, which you can access in the IDE. Alternatively, you can visit the Needs More Dojo plugin directly.

It is open-source and is currently under development. Any feedback or feature requests are always welcome and can be made on GitHub

Chrome 29 and Dojo 1.4-1.6

If you’re using Dojo 1.4, 1.5, or 1.6, you’ll need to update to the latest patch to fix a regression with the release of Chrome version 29.

Ticket 17400 has the details on the fix.

You can get the patch from GitHub for your particular version of Dojo, and this fix will be included in the next release for each of Dojo 1.4.x, 1.5.x. and 1.6.x.

If you are already using Dojo 1.7 or newer, this fix already exists within your code base.

Dojo is now hosted on GitHub

I’m pleased to announce that after a prolonged period of incomplete mirroring, we’ve now fully migrated Dojo’s source code to GitHub. Future development will be performed there instead of the Subversion repository, which is now read-only and effectively dead. We will continue to use bugs.dojotoolkit.org for issue tracking, but patches should now be submitted directly as pull requests. The CONTRIBUTING.md guidelines in each repository provide guidelines on sending patches.

As an unavoidable part of this update, the old repositories on GitHub have had their histories rewritten. This means that any Git projects with submodules pointing to those old repositories will be broken. If you have such a project, please make sure you update your submodules. The old mirror repositories have been temporarily renamed with an `-oldmirror` suffix so you can find the correct commit ID for your project. These old mirror repositories will be going away in the near future.