
0.4.3 Release Notes

Dojo 0.4.3 is now available to download. This is a security release. Dojo 0.4.1 and 0.4.2 users are strongly recommended to upgrade as soon as possible. 0.4.1 and 0.4.2 have a flaw in two files that could allow cross site scripting (XSS) attacks against your site if you do not upgrade.

If you cannot upgrade right away, you can protect yourself by removing the following two files from your dojo distribution:

  • src/io/xip_client.html
  • src/io/xip_server.html

You can also get a fresh download of 0.4.1 or 0.4.2 that includes the fixes.

Note that if you were using the 0.4.2 AOL CDN build, your site was *not* vulnerable to the flaws. You are only vulnerable if you had the files on your server domain. You can verify you have the up-to-date files by looking for "Security protection: uncomment the script tag to enable" in the file.

0.4.3 also has another security feature: if you use dojo.io.bind() to fetch JSON data via the XMLHttpRequest transport, dojo.io.bind() will now warn you if the server is not enclosing the JSON data in JavaScript comments. This is to help prevent other sites from stealing your data. The server code has the ultimate responsibility to prevent those types of attacks, but Dojo will give you a warning if it thinks your server might be vulnerable.
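The check described above, as an added illustration rather than Dojo's own dojo.io.bind() code: a server that comment-filters its JSON wraps the body as `/* ... */`, so a cross-site `<script src="...">` include of the URL evaluates to an empty comment instead of exposing the data to the including page. The client strips the wrapper before parsing and flags responses that arrive bare. The function name, result shape and sample responses are assumptions for this example.

```javascript
// Added example (not Dojo's own code): unwrap a "comment-filtered" JSON
// response and warn when the server omitted the wrapper. Names and sample
// bodies are assumptions, not Dojo API.

function unwrapCommentFilteredJson(text) {
  const trimmed = text.trim();
  // A wrapped body starts with /* and ends with */; anything else is bare.
  const wrapped = trimmed.startsWith("/*") && trimmed.endsWith("*/");
  const body = wrapped ? trimmed.slice(2, -2) : trimmed;

  let data;
  try {
    data = JSON.parse(body); // JSON.parse tolerates the surrounding whitespace
  } catch (e) {
    return { ok: false, wrapped, data: null, warning: "response is not valid JSON" };
  }

  return {
    ok: true,
    wrapped,
    data,
    // Mirror the spirit of the 0.4.3 warning: the server, not the client,
    // is responsible for the defense, but surface the risk when it is missing.
    warning: wrapped
      ? null
      : "server did not comment-filter the JSON response; another site may be able to read it via a script include",
  };
}

// Constructed sample responses (not captured from any real server).
const SAFE_RESPONSE = '/* {"user":"alice","balance":42} */';
const BARE_RESPONSE = '{"user":"alice","balance":42}';

// Usage: a transport layer would call this on the raw response text and log
// result.warning before handing result.data to the application.
const result = unwrapCommentFilteredJson(BARE_RESPONSE);
if (result.warning) {
  console.warn(result.warning);
}
```

The wrapper defeats the script-include trick because a JavaScript interpreter skips the entire comment; the legitimate XMLHttpRequest caller still has the raw text and can remove the delimiters itself, which a third-party page loading the URL as a script cannot do.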

0.4.3 Bugs

0.4.3 Features

  • Fixes for xip_client.html and xip_server.html
  • Comment-filtered JSON response support
  • Layered build support (no documentation available yet, but see the buildscripts/profiles/layers.profile.js for an example)

The web build tool and CDN build information are available here:
http://build.dojotoolkit.org/0.4.3