All posts by Dylan Schiemann

About Dylan Schiemann

Known for things called Dojo, SitePen, and Comet.

JSON Schema and SVG to GFX Articles

David Walsh of SitePen has authored a pair of articles this week about various Dojo-related topics:

Large Scale Apps, New Examples, API Viewer

A few quick updates in case you don’t obsessively follow @dojo on Twitter.

Large Scale Apps

There are a pair of recent posts about using Dojo for building large scale apps:

  • Kris Zyp of SitePen, Dojo, and Persevere talks about how to go from jQuery to large applications, showing how to sprinkle Dojo features on top of jQuery applications.
  • Mike Woloszynowicz, a developer currently using Dojo in a large-scale project, writes an informative article about his Dojo lessons from the trenches

Both are worth reading for regular Dojo users, and for anyone considering Dojo for their project.

Some Simple Examples

Unless you like watching paint dry, you probably didn’t notice a few of the subtle changes made to the Dojo web site. On the home page, a pair of the items on the left side now link to simple live examples that show off the power of Dojo: Grids and Charts, and Rich UI Widgets. Thanks to David Walsh, Tom Trenka, Torrey Rice, Dustin Machi, and Chris Anderson from SitePen for helping implement these updates, as well as many other refinements throughout the site.

API Viewer Updates

The Dojo Toolkit API Viewer has received some much needed love, and has significant improvement in navigation, contains docs for Dojo versions 1.5, 1.4, and 1.3, and just looks so much better. Yes, the docs themselves have been improving as well. Check it out, and help us make the docs even better. Thanks to many in the Dojo community for helping with this effort, including Tom Trenka and Peter Higgins.

Joining Forces

Over the past several months we here at Dojo have been contemplating how much of what we do is duplicated effort. When we started this whole project years ago it was because we wanted to do things our own way, but as Dojo and JavaScript in general have progressed, we find ourselves facing the tedium of all the low-lying code that has to be written to get browsers to play nice, not to mention the richer things like our build system and other utilities like dojo.fx, dojo.ready, etc.

At FOSDEM we ended up hanging out with the MooTools crew. We like them; they are always doing interesting things and their framework is one that we’ve always looked at and said to ourselves, "If we ever needed feature X we’d probably just ask for a CLA and patch from them." Anyway, at FOSDEM a group of their developers and ours got together and started brainstorming about closer ways to work together. Since then the discussion has gotten closer and closer to where we are now.

Dojools

Starting today the Dojo and MooTools projects will begin merging and joining forces. Part of this is to share resources – more hands coding makes more code, right? But part of it is, well, we’ll be frank, we’re kind of tired of reinventing the wheel. We love the solutions in Dojo, but at the end of the day, the API is all that matters. It doesn’t matter how you detect that the DOM is ready, so long as when it is your code runs. The same could be said for selector engines, XMLHttpRequest, and a whole host of other things. What this means in practical terms is that we just don’t have to do as much work and, to be frank, after 6 years of working on Dojo, we’re happy to cede some of the more tedious tasks to MooTools. Sure, their architecture isn’t quite the same (or maybe even as good) as ours, but it works. This will free our development team’s time to work on their own projects and maybe start getting paid for it, which brings us to the second point.

Making Dojools Profitable

For the past six years we’ve been writing code and releasing it for free. In our talks with the MooTools team we all agreed that all this free time donated to anyone who happened to want our work just wasn’t quite worth the hassle. Don’t get us wrong, writing the code is fun, but it’s all the other stuff. The bug reports, the hand-holding in the mailing list and on IRC, the constant demand to "compete" with other toolkits (whatever that means). It just sucks the pleasure right out of it. We find ourselves burning nights and weekends to write code for strangers to use and it gets old.

Going forward, the code base will continue to be free, but access to the documentation will require a small "donation" (we’ll probably set a really small minimum, like, say $.25) – frankly, the documentation has gotten too good to be free (we contemplated printing it and just selling it as a book, but micropayments is much more "Web 2.0"). Filing bugs will still be free of course. But we’re working on a system that lets our users put money towards the bugs they care about the most. The bug with the most money donated gets our time and gets in the next release. We think this will cut down on both the number of bugs we get but also help manage expectations. If you have a bug that you think is important, you either need a lot of people to agree with you (which they will if the bug is really broad) or you need to pay a lot (in which case it’s like you’re hiring us as freelancers).

What will we do with the money raised? We’ll probably start sponsoring more meet-ups and sending out t-shirts with the new Dojools logo, but we’ll also be able to compensate the developers who bring you all this great stuff. Certainly no one can argue with that.

Compatibility

As we begin merging functionality we’ll likely retire large portions of both frameworks. MooTools has a great effects library while Dojo has a lot of solid widgets. MooTools ART will likely get shelved in favor of dojo.gfx, dojo.fx will likely be dropped in favor of MooTools’ effects which are really nice, much of MooTools More will either be retired (in favor of existing Dijits) or turned into Dojo widgets themselves, etc.

For backwards compatibility we’ll be implementing the "donation" system as well. For the portions of the MooTools and Dojo cores that are deprecated we’ll allow the users to prioritize which parts we offer compatibility for. Same goes for effects, plugins, etc. We hope this new model will encourage businesses that use our awesome frameworks to recognize the value we bring and to compensate us for our time.

If you have any questions, post them in the comments below. Comments are still free – we haven’t implemented the "donation" system for them yet, either.

Dojo Week in Review #4

First Dojo security advisory in 2+ years, a number of great Dojo articles and tutorials, and many improvements.

Dojo 1.4.2

Dojo 1.4.2 is live. Regardless of the version of Dojo you are using, please read the full Dojo Security Advisory and upgrade your version of Dojo now. We have new versions of Dojo for 0.4, 1.0, 1.1, 1.2, and 1.3 as well. The AOL and Google CDNs are also updated to resolve this security concern. If you have any issues with upgrading, please contact us.

New Community Tutorials and Demos

David Walsh has authored a nice News Scroller demo. Dojo: The Definitive Guide author Matthew Russell has a tutorial on charting, USAID Data Charted with Dojo. Tom Elliott, whom we met at Dojo Beer in London, has created a great new explanation of using the Dojo build system.

Cody Lindley (SitePen) has authored a Learning Dojo blog post outlining the best resources available for someone new to learning Dojo. Kris Zyp (SitePen) has a number of interesting new blog posts:

eWeek has a nice write-up about Dojo user Coyote Point Systems.

A new XForms and Dojo-based rapid application development tool is available from BetterForm. “betterFORM allows easy creation of highly dynamic Web 2.0 user interfaces with attractive controls and layout. You can add validations, calculations, actions and events to build complete web applications in a declarative way.” A demo is available.

Improvements to Dojo in trunk

Significant improvements were made from March 3rd to March 12th.

Nicola Rizzo has been improving DojoX’s effects using CSS3 animations; be sure to check out the demos.

James Burke (Mozilla Messaging), Mike Wilcox, Bill Keese (IBM), and Adam Peller (IBM) addressed the Dojo Security Advisory with fixes and new releases for Dojo 0.4, 1.0, 1.1, 1.2, 1.3, and 1.4. Please upgrade now.

A number of other improvements throughout Dojo, Dijit, and DojoX were made by Bill Keese, Nicola Rizzo, Jared Jurkiewicz (IBM), and Doug Hays (IBM).

Recent Events

QCon London occurred this week (March 10-12). On the evening of March 11th there was a Dojo Beer event with Nikolai Onken, Tobias von Klipstein, Sam Foster, and me. On March 12th, Nikolai, Torrey, and I gave talks on the Browser as a Platform track along with Joe Walker (Mozilla) and Simon Oxley (Aware Monitoring). Conference slides and video will be available on the QCon web site in the near future.

Upcoming Events

SWDC 2010 is coming up in June and is hosted by Dojo contributor Peter Svensson. It features a great line-up of speakers including a number of Dojo committers or contributors (Nikolai Onken, Wolfram Kriesing, Mark Wubben, and me). And Stockholm in early June is amazing.

Dojo Beer events are also coming soon in Washington DC (JSConf), Israel, Austin Texas (for SXSW) and more. Let us know if you want to schedule an event in your area.

Dojo Security Advisory

If you have Dojo 0.4 through Dojo 1.4 installed on your site, you are strongly encouraged to read all of this message and take immediate action.

We recently had a security review done on the Dojo codebase, and some issues were discovered. Most of the issues were in test files or related PHP files, but there were some issues discovered with a few files used by modules. You are strongly encouraged to remove some files immediately to give yourself the best protection. While we are not aware of any specific exploits, we take security issues very seriously and we encourage you to take quick preventative action.

Quick instructions

Some of the files listed below may not be in your version or build of Dojo. These instructions are listed to be comprehensive across all the Dojo versions.

  1. If you use Dojo from the AOL or Google CDN, the issue is already fixed.
  2. If you have PHP enabled on your site, turn off PHP for the directories that contain dojo/dijit/dojox. Dojo only uses PHP files in some tests and demos; PHP is not required to use Dojo.
  3. Remove the following files:
  • util/doh/runner.html – the DOH test runner; removing it should not affect production/deployed code.
  • dojo/resources/iframe_history.html – in 0.4 it is just iframe_history.html in the dojo directory. This file is used by dojo.back. In Dojo 0.4, it was used by dojo.undo.browser and dojo.io.IframeIO.
  • dojox/av/resources/video.swf – used by dojox.av.FLVideo
  • dojox/av/resources/audio.swf – used by dojox.av.FLAudio

If you use one of the modules listed above, instead of deleting the files you can do one of the following:

  1. Get an updated release with the security fixes.
  2. Pull the specific files from one of the updated builds.

If you do your own custom builds, you are encouraged to also get an updated release or pull the correct files, both options listed below.

Updated Releases

New releases of the 0.4, 1.0, 1.1, 1.2, 1.3 and 1.4 branches have been published that contain all the security fixes. These builds only have the security fixes applied, plus new defaults for some build options (described below).

Here are the updated builds:

To avoid accidentally copying test files during custom builds, the build option “copyTests” now defaults to false, and “mini” defaults to true. The “mini” option removes the demos directories and now removes all PHP files regardless of location. These new defaults reduce the attack surface of future builds. If you need the tests or demos in your builds, pass “copyTests=true mini=false” as part of the build command.

Pull Specific Files

If you have your own custom, modified Dojo source and cannot update to the new builds, you can go to the directories listed in the “Updated Releases” section and grab the files you need from the version that most closely matches your version, then copy them over to your distribution.

Some branches do not have all of these files; just replace the files that exist in your distribution:

Dojo 1.0+

  • dojo/resources/iframe_history.html
  • dojox/av/FLAudio.js
  • dojox/av/FLVideo.js
  • dojox/av/resources/audio.swf
  • dojox/av/resources/video.swf
  • util/buildscripts/jslib/build.js
  • util/buildscripts/jslib/buildUtil.js
  • util/doh/runner.html

Dojo 0.4

  • iframe_history.html

In addition to grabbing the files listed above, be sure to delete any .php files in the dojo/dijit/dojox directories, if PHP is enabled on your server.

Description of Issues

The main issues that are being fixed in this update:

  • Some PHP files did not properly escape input.
  • Some files could operate like “open redirects”. A bad actor could form a URL that looks like it came from a trusted site, but the user would be redirected to, or load content from, the bad actor’s site.
  • One file exposed a more serious cross-site scripting vulnerability, allowing attacker-controlled script to execute in the origin of the site hosting the file.
  • The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.

Actions to Prevent Further Issues

We take security issues very seriously. We are fortunate that the issues above were brought to us via a security review by community members, and we have addressed them as quickly as we could while making sure the fixes are comprehensive and safe.

We changed the build defaults so that the area with the most issues, tests and demos, is not copied automatically in builds, reducing the attack surface.

The non-test-related issues were in a very old file that did not get enough attention, or in newer Flash modules. We do not expect to have the same issues again for those kinds of files now that we know better how to review them.

However, security requires continued vigilance. To that end we have set up a new dojo-sec mailing list to handle any further security-related inquiries; see the next section.

Summary

Please take immediate action to make sure your site does not contain any of the files listed in the “Quick instructions” section. In most cases the files can simply be removed, since the affected modules are not heavily used. Alternatively, new builds of all the branches with the security fixes are available.

If you have any questions, please feel free to ask our community.

If the concern is something you want to keep private, you can contact our newly created security list: dojo-sec at mail dot dojotoolkit dot org.

Dojo.beer(“London”), March 11th

As Dylan already wrote in the last “This week in Dojo” there will be a Dojo.beer(“London”) in guess what? … London, March 11th.

Right at the same time as QCon, come join Dylan, Torrey, me and others for drinks, food and as always, lots of Dojo, JavaScript and other cool stuff we web-hackers like.

The event will be located at (and is free):

Location: Two Chairmen, 39 Dartmouth Street, SW1H 9BP London

Date/Time: March 11th – 18:30 – until the end 😉

If you are planning to drop by, make sure you let us know via this form.

Looking forward to this one.

P.S. More dojo.beers are planned in April, including Israel, Washington and maybe NYC – watch the regular sources for more info.

P.S/2 If you want to see Dojo access some hardware and display your heart rate, this event might just be right for you

Dojo Week in Review #3

This week’s highlights include preparations for Dojo 1.4.2 RC, Dojo-inspired CommonJS Utils, and many improvements.

Dojo 1.4.2 RC

A release candidate for Dojo 1.4.2 is being prepared. This release will address this list of issues.

Please give it a try and help us find any potential regressions before it is released. If you find issues, please create an account if you don’t already have one, and log in to bugs.dojotoolkit.org.

CommonJS Utilities

Kris Zyp has announced CommonJS Utils, a collection of tools for making it easier to work with CommonJS-compliant toolkits. Some of these tools are inspired by work in Dojo, including an observe pattern implementation similar to dojo.connect, or assistance for JSON schema which already has great support in Dojo and Persevere.

Documentation Improvements

We continue to make refinements and fixes to the incredible new collection of Dojo documentation. Thanks so much for your tremendous feedback. Just let us know here, on the mailing list, or in a bug ticket. Be sure to let us know the page where you see the documentation issue so we can fix it quickly.

New Community Tutorials and Demos

Charles Spraggs has a nice tutorial on creating fancy drop down menus, while David Walsh, known for his involvement with MooTools, has a couple of quick demos on link nudging and removing images which show how easy it is to do things with Dojo when you’re familiar with MooTools or jQuery.

Thanks for taking the time to write these up!

Improvements to Dojo in trunk

Development efforts from February 21st to March 2nd were focused primarily on stabilization and improvements to Dijit by Bill Keese (IBM), including further refinements to the new themes and to the AccordionContainer and TabContainer. James Burke (Mozilla Messaging) and Bill Keese improved our build process so that certain test files are not added to production environments. Korean translation fixes were contributed by Youngho Cho (Nannet) and by Adam Peller and others at IBM. Adam also added a fix for Norwegian translations. Eugene Lazutkin made minor fixes to DnD. Jared Jurkiewicz (IBM) continued his frantic pace of perfecting the Editor widget and its plug-ins. Finally, Peter Higgins (Joost) added support for a new hover state on the close icon of the Dialog widget.

Upcoming Events

QCon London is next week (March 10-12). On the evening of March 11th there will be a Dojo Beer event with Nikolai Onken, Tobias von Klipstein, Torrey Rice, Sam Foster, and me. On March 12th, Nikolai, Torrey, and I will be speaking on the Browser as a Platform track along with Joe Walker (Mozilla) and Simon Oxley (Aware Monitoring).

SWDC 2010 is coming up in June and is hosted by Dojo contributor Peter Svensson. It features a great line-up of speakers including a number of Dojo committers or contributors (Nikolai Onken, Wolfram Kriesing, Mark Wubben, and me). And Stockholm in early June is amazing.

Dojo Week in Review #2

This week’s highlights include a few new Dojo sites and steady improvements to Dojo.

Joost and Wall Street Journal

Joost, an early pioneer in online broadcast videos, has launched a completely revamped version of their platform with Dojo 1.4 as the basis for their new user experience.

/images/joost_website_screenshot_500.png

The Wall Street Journal, the world’s leading financial news service, has updated their web site to make use of Dojo 1.4 (as well as Prototype and script.aculo.us).

/images/wsj_website_screenshot_500.png

Improvements to Dojo in trunk

This week’s development efforts were focused primarily on stabilization and improvements to Dijit by Bill Keese (IBM). Adam Peller (IBM) made a number of translation resource commits for various Dijits. Mike Wilcox contributed fixes for the UpgradeBar and FileUploader. Jared Jurkiewicz (IBM) further improved the Editor widget and its plug-ins. Finally, Doug Hays (IBM) contributed additional fixes for minor bugs.

A couple of minor changes were made to the API, moving a couple of Dijit APIs to Dojo Core to make them easier to use outside of Dijit:

  • dojo.window.get() // Get window object associated with document doc
  • dojo.window.getBox() // Returns the dimensions and scroll position of the viewable area of a browser window

Dojo Week in Review

This was an exciting week for the Dojo Toolkit project, with the dojo.connect online conference, and the unveiling of the completely redesigned web site.

dojo.connect

Approximately 150 people attended the 3-day dojo.connect online conference. Many talks were delivered by Dojo committers and users on a wide range of topics. A couple of talks that I enjoyed in particular were delivered by Jared Jurkiewicz (IBM) and Nicholas Kolba (Thomson Reuters).

Jared gave an overview of the much improved Dijit Editor. This talk reminded me of Jared’s early talks on Dojo Data, which inspired the community to greatly embrace and contribute improvements to his work. The new editor is amazing and is now competitive with the best rich text editors in the market.

Nick’s presentation focused on performance testing and optimization for their platform in Thomson Reuters’ financial services division. He featured some excellent work done in partnership with SitePen to build better tools for testing performance, and explained how Thomson Reuters greatly improved the performance of Dojo and JavaScript in their application by having a great way to measure performance at an extremely granular level.

New web site

The previous web site was a frustrating experience for our community. After much effort by Torrey Rice (SitePen), with assistance from Nikolai Onken (Uxebu), Tobias von Klipstein (Uxebu), and Tom Trenka (SitePen), the first iteration of the new site was launched, and the initial community feedback has been incredibly positive. The new design is beautiful, the information architecture is easy to follow, and the foundation of the site will make it much easier for the community to contribute and improve the site going forward. The site was built with Dojo, Dojango and Django. It was a tough call on what technology stack to use, with other great options such as the Zend Framework also viable. In the end, we chose Django because the developers working on the site prefer Python and Django to PHP and other options.

The site also integrates features and/or components from Nabble, Echo, Google Search, freenode IRC, Twitter, and others to provide a great experience for our community while leveraging what’s already out there. From here, there’s a lot of work to do to continue improving the site, which will evolve much more rapidly going forward.

Featured here: Your Amazing Dojo-based Application

If you have a great application that you and/or your company have built using Dojo, contact us as we’d love to feature it on the new web site.

Improvements to Dojo and Dijit in trunk

This week’s development efforts were focused primarily on stabilization and improvements to Dijit by Bill Keese (IBM). The Noir theme was removed from trunk, but still exists in SVN if someone wants to revive and complete it, and the Lucid theme is there as well for anyone who wants to check it out. Nicola Rizzo and Mike Wilcox made some improvements to the CSS3-based experimental animation system, and Mike also fixed some IE issues with the UpgradeBar widget. Jared Jurkiewicz (IBM) improved the Editor widget and its plug-ins. Finally, Adam Peller (IBM), Chris Barber (CB1, Inc.) and Doug Hays (IBM) each contributed fixes for minor bugs.