Category Archives: Announcements

Dojo Web Builder Source on GitHub

Last month we launched the Dojo Web Builder, an online solution to generate customised versions of The Dojo Toolkit using just your web browser. We are pleased to announce that the technology behind the Dojo Web Builder is now available on Github as an official Dojo Foundation project.

Users can now run the tool locally, which provides access to two really important features:

  • Generate custom Dojo builds for older versions of the Dojo Toolkit. The Web Builder can be easily configured to work with older versions of the toolkit, whereas the hosted version only provides access to the latest version of Dojo. This allows users who aren’t using the latest version of Dojo within their application to generate customised builds with the tool.
  • Expose custom application modules through the Web Builder. Plug your local Dojo modules into the Web Builder and the tool will automatically allow users to build optimised application layers from all modules it has discovered.

Follow the simple instructions in the project’s README file for full details on both of these modes.

Visit the Dojo Web Builder GitHub project and start using it today!

Dojo 1.6.1, 1.7 Beta, Tutorials, Dojo Beer, DojoConf, and more…

If you haven’t been following us on Twitter, it’s been a very busy month in our community, with many exciting announcements and upcoming events.

Recent News

  • Dojo 1.6.1 released. Many minor enhancements and fixes were made, along with official support for Internet Explorer 9 and Firefox 4.
  • Dojo 1.7 beta released. Please start testing your applications now and report issues. A draft of the 1.7 release notes is in progress. 1.7 final is slated for release in the next 3-6 weeks.
  • Dojo Tutorials. In case you missed it, we now have 28 new tutorials, all updated for Dojo 1.6, covering a variety of areas of Dojo and Dojo Mobile, as well as a new section of Dojo Recipes, for solving complex real-world problems.

Upcoming Events

  • Dojo Workshops in your area. SitePen has been offering a number of workshops, with the next Dojo Workshop in Washington DC. Register now for one of the last few slots.
  • Dojo Beer DC. Even if you cannot make the workshop, join us for free Dojo Beer in DC, or any upcoming Dojo Beer event.
  • The first ever DojoConf is coming. Run by the same great team that brings us JSConf, DojoConf will be an amazing event. Stay tuned for tickets, which go on sale in a few weeks. Or submit a talk idea by this Friday, June 10th.
  • The London Ajax Mobile Event will feature a number of great talks on mobile, including Dojo Mobile, EmbedJS, WinkToolkit, and more on July 2nd in London. A few tickets remain, register before it sells out.

We hope to see you at one of these, or many other upcoming Dojo events.

Introducing the New Dojo Web Builder

Background

Dojo’s build system has long been considered as one of the toolkit’s most important features. Using the build system will dramatically improve the performance of your Dojo application by optimising the JavaScript modules and CSS files. This reduces the download size and number of HTTP connections needed to load your application.

Today, The Dojo Toolkit’s build tools are about to improve even further with the launching of a brand new solution, The Dojo Web Builder!

The Web Builder is an online solution providing an intuitive web interface to the existing build tools, allowing you to create customised Dojo builds using just your web browser and much more. This new tool will dramatically lower the barrier to entry for the build system, easing new users into the process of using a build tool and improving the performance of unoptimised Dojo applications everywhere!

To start, use the Dojo Web Builder tool, or continue reading for more details. We have produced a number of screencasts showing off the tool’s features and walking you through the steps required for some common example builds:

Dojo Web Builder – Custom Builds from Dojo Toolkit on Vimeo.

Dojo Web Builder – Auto Analysis from Dojo Toolkit on Vimeo.

Dojo Web Builder – Advanced Mode from Dojo Toolkit on Vimeo.

Features

  • Browse a catalogue of every module in Dojo, Dijit and DojoX, using text search to quickly filter the results. Simply select the desired modules to include them in a custom build. Currently serving over eight hundred modules for the 1.6 release.
  • Automatically generate custom Dojo builds using our remote service, no need to open terminals and run the intensive build system locally. When the build is complete, it will automatically start the download of the result. Progress indicator keeps you informed of status during a custom build.
  • Auto-analyse existing Dojo applications to discover module dependencies. Provide the Web Builder with a remote URL, upload a HTML page, zip archive or an existing build profile to have the tool show you any Dojo Toolkit or custom module dependencies uncovered. Custom builds using the results will automatically include your custom modules.
  • Customise builds even further in “Advanced Mode”. Want to include a Dijit theme with compressed CSS? Want to use Google’s Closure compiler for aggressive compression? Want to build multiple application layers? Want to generate builds for the WebKit platform? Need to generate a cross-domain build? Switch to using the Web Builder in “Advanced Mode” to unleash the ability to heavily customise build parameters.

Open source

The Dojo Web Builder project consists of two new components that were developed:

  • Dojo-based web application providing the interface to the build system through a web browser.
  • Backend service, allowing existing build system to be controlled through a RESTful interface.

The entire project will shortly be open-sourced, living on the Dojo Foundation’s Github repository, allowing anyone to contribute to its continuing development. More importantly, other users will be able to run local versions of the tool pointing at their own modules. For example, an organisation might provide an internal version allowing teams to easily generate new custom builds of a project’s modules, without having to distribute the entire project source. In addition, the tool can be configured to generate custom builds for older versions of The Dojo Toolkit, such as 1.5 and 1.4.3. Future plans for the project include native support for the AMD module and CommonJS package formats. This will allow the Dojo Web Builder to be used with a broad variety of JavaScript modules and packages external to Dojo. A full announcement will follow when the project’s source code is available.

Conclusion

Start using the Dojo Web Builder today. The hosted version is configured to provide access to the custom builds using the latest version of The Dojo Toolkit, 1.6.

Dojo 1.6 Released!

Now available, and ready for your web app!

The Dojo 1.6 release was a substantial undertaking and involved efforts from the largest Dojo team ever. We’re reinventing Dojo for the present and the future, and this release is the first major step towards our plans for Dojo 2.0. The tremendous efforts and work of the Dojo community have made this release possible, with significant improvements in a short amount of time.

Get Dojo

What’s New in 1.6?

Dojo 1.6 contains a number of great additions and refinements. Key highlights include:

We’ve also made substantial progress on Dojo Mobile, available now for your mobile web apps!

Visit the new Dojo Features section to watch interviews with key Dojo committers and users and learn more about this release, as well as the thousands of outstanding features that have been in Dojo for several years.

Learn More

Testing and Compatibility

In total, we’ve resolved more than 600 issues since Dojo 1.5. The DOH test suite of tens of thousands of tests passes in all officially supported browsers:

  • Chrome: 8.x and newer
  • Firefox: 3.5.x and 3.6.x
  • Internet Explorer: 6, 7, and 8
  • Opera: 11.x
  • Safari: 4.1.x and 5.0.x

The code was completed before Internet Explorer 9 and Firefox 4 were released. That said, we’ve fixed all known issues with these browsers as well (testing was done with IE9 RC and Firefox 4 RC1).

Dojo is also tested with popular mobile browsers including iOS 4.x, Android 2.x and 3.x, and passes for all supported features in Dojo Mobile, and most features throughout Dojo. Work is also near completion for support with Blackberry 6 on mobile phones and the PlayBook.

Use Direct from the CDN, or Download

Get the Dojo release that’s right for you. Choose from CDN, optimized builds, or source versions with full demos and utilities.

Documentation

Many improvements have been made to the Dojo documentation. Most notable is a collection of new tutorials on using Dojo 1.6, in addition to the reference guide and API documentation.

Roadmap

Work on Dojo 1.7 is already underway. We’re anticipating releases every 3 months in 2011 as we make progress towards Dojo 2.0! A full roadmap will be available shortly so you’re aware of the latest changes, and to know how to get involved.

Release Notes

Read the complete Dojo 1.6 release notes for full details on everything that has changed with Dojo since 1.5.

Thanks!

And as always, we appreciate your interest and usage. If you find an issue with Dojo, have a suggestion, or see anything on the site or within the documentation that you think should be better, please register for a Dojo Foundation account and open a ticket.

Dojo 1.6 Beta 1

We’re pleased to announce the first Dojo 1.6 beta.

When Dojo 1.6 final is released in February, it will be our first release that includes a number of retrofitted, backwards-compatible, significant changes towards Dojo 2.0.

Because there are a number of changes in progress, we will also soon release Dojo 1.5.1 which includes just the most important fixes for what has been our most stable and popular release ever.

Please check out the draft Dojo 1.6 beta release notes and the list of resolved issues for more details. Try it out, and as usual file tickets at http://bugs.dojotoolkit.org/. And if you’re interested in Dojo Mobile, many significant additions and improvements have landed in trunk, with many more planned for 1.7 and 2.0.

Stay tuned in February for the Dojo 1.6 release.

More improvements to the API documentation

We’ve fixed some small nits with the new API documentation tools:

The last example will be the final structure of any URL for deep-linking into the new documentation tools.

We hope these and continuing improvements to the documentation are useful to the community at large, and don’t forget: you can download and use these documentation tools for your own custom projects!

Joining Forces

Over the past several months we here at Dojo have been contemplating how much of what we do is duplicated effort. When we started this whole project years ago it was because we wanted to do things our own way, but as Dojo and JavaScript in general have progressed, we find ourselves facing the tedium of all the low lying code that has to be written to get Browsers to play nice, not to mention the richer things like our build system and other utilities like dojo.fx, dojo.ready, etc. etc.

At FOSDEM we ended up hanging out with the MooTools crew. We like them; they are always doing interesting things and their framework is one that we’ve always looked at and said to ourselves, "If we ever needed feature X we’d probably just ask for a CLA and patch from them." Anyway, at FOSDEM a group of their developers and ours got together and started brainstorming about closer ways to work together. Since then the discussion has gotten closer and closer to where we are now.

Dojools

Starting today the Dojo and MooTools projects will begin merging and joining forces. Part of this is to share resources – more hands coding makes more code, right? But part of it is, well, we’ll be frank, we’re kind of tired of reinventing the wheel. We love the solutions in Dojo, but at the end of the day, the API is all that matters. It doesn’t matter how you detect that the DOM is ready, so long as when it is your code runs. The same could be said for selector engines, XMLHttpRequest, and a whole host of other things. What this means in practical terms is that we just don’t have to do as much work and, to be frank, after 6 years of working on Dojo, we’re happy to cede some of the more tedious tasks to MooTools. Sure, their architecture isn’t quite the same (or maybe even as good) as ours, but it works. This will free our development team’s time to work on their own projects and maybe start getting paid for it, which brings us to the second point.

Making Dojools Profitable

For the past six years we’ve been writing code and releasing it for free. In our talks with the MooTools team we all agreed that all this free time donated to anyone who happened to want our work just wasn’t quite worth the hassle. Don’t get us wrong, writing the code is fun, but it’s all the other stuff. The bug reports, the hand-holding in the mailing list and on IRC, the constant demand to "compete" with other toolkits (whatever that means). It just sucks the pleasure right out of it. We find ourselves burning nights and weekends to write code for strangers to use and it gets old.

Going forward, the code base will continue to be free, but access to the documentation will require a small "donation" (we’ll probably set a really small minimum, like, say $.25) – frankly, the documentation has gotten too good to be free (we contemplated printing it and just selling it as a book, but micropayments are much more "Web 2.0"). Filing bugs will still be free of course. But we’re working on a system that lets our users put money towards the bugs they care about the most. The bug with the most money donated gets our time and gets in the next release. We think this will both cut down on the number of bugs we get and help manage expectations. If you have a bug that you think is important, you either need a lot of people to agree with you (which they will if the bug is really broad) or you need to pay a lot (in which case it’s like you’re hiring us as freelancers).

What will we do with the money raised? We’ll probably start sponsoring more meet-ups and sending out t-shirts with the new Dojools logo, but we’ll also be able to compensate the developers who bring you all this great stuff. Certainly no one can argue with that.

Compatibility

As we begin merging functionality we’ll likely retire large portions of both frameworks. MooTools has a great effects library while Dojo has a lot of solid widgets. MooTools ART will likely get shelved in favor of dojo.gfx, dojo.fx will likely be dropped in favor of MooTools’ effects which are really nice, much of MooTools More will either be retired (in favor of existing Dijits) or turned into Dojo widgets themselves, etc.

For backwards compatibility we’ll be implementing the "donation" system as well. For the portions of the MooTools and Dojo cores that are deprecated we’ll allow the users to prioritize which parts we offer compatibility for. Same goes for effects, plugins, etc. We hope this new model will encourage businesses that use our awesome frameworks to recognize the value we bring and to compensate us for our time.

If you have any questions, post them in the comments below. Comments are still free – we haven’t implemented the "donation" system for them yet, either.

Dojo Security Advisory

If you have Dojo 0.4 through Dojo 1.4 installed on your site, you are strongly encouraged to read all of this message and take immediate action.

We recently had a security review done on the Dojo codebase, and some issues were discovered. Most of the issues were in test files or related PHP files, but there were some issues discovered with a few files used by modules. You are strongly encouraged to remove some files immediately to give yourself the best protection. While we are not aware of any specific exploits, we take security issues very seriously and we encourage you to take quick preventative action.

Quick instructions

Some of the files listed below may not be in your version or build of Dojo. These instructions are listed to be comprehensive across all the Dojo versions.

  1. If you use Dojo from the AOL or Google CDN, the issue is already fixed.
  2. If you have PHP enabled on your site, turn off PHP for the directories that contain dojo/dijit/dojox. Dojo only used PHP files in some tests and demos, but PHP is not required to use Dojo.
  3. Remove the following files:
       • util/doh/runner.html – a file used for tests, should not affect production/deployed code.
       • dojo/resources/iframe_history.html – in 0.4 it is just iframe_history.html in the dojo directory. This file is used by dojo.back. In Dojo 0.4, it was used by dojo.undo.browser and dojo.io.IframeIO.
       • dojox/av/resources/video.swf – used by dojox.av.FLVideo
       • dojox/av/resources/audio.swf – used by dojox.av.FLAudio

If you use one of the modules listed above, instead of deleting the files you can do one of the following:

  1. Get an updated release with the security fixes.
  2. Pull the specific files from one of the updated builds.

If you do your own custom builds, you are encouraged to also get an updated release or pull the correct files; both options are described below.

Updated Releases

New releases of the 0.4, 1.0, 1.1, 1.2, 1.3 and 1.4 branches have been done that contain all the security fixes. These builds only have the security fixes applied, and have some new defaults for some build commands.

Here are the updated builds:

To avoid accidentally copying test files during custom builds, the build option “copyTests” now defaults to false, and “mini” defaults to true. The “mini” option removes the demos directories and now removes all PHP files regardless of location. These new defaults should reduce the attack surface in the future. If you need the tests or demos in your builds, then pass “copyTests=true mini=false” as part of the build command.

Pull Specific Files

If you have your own custom, modified Dojo source and cannot update to the new builds, you can go to the directories listed in the “Updated Releases” section, grab the files you need from the version that most closely matches yours, and copy them over to your distribution.

Some branches do not have all of these files; just replace the files that exist in your distribution:

Dojo 1.0+

  • dojo/resources/iframe_history.html
  • dojox/av/FLAudio.js
  • dojox/av/FLVideo.js
  • dojox/av/resources/audio.swf
  • dojox/av/resources/video.swf
  • util/buildscripts/jslib/build.js
  • util/buildscripts/jslib/buildUtil.js
  • util/doh/runner.html

Dojo 0.4:

  • iframe_history.html

In addition to grabbing the files listed above, be sure to delete any .php files in the dojo/dijit/dojox directories, if PHP is enabled on your server.
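The removal and replacement steps above can be checked with a read-only audit of the deployed tree. The script below is an added example, not part of the advisory or of the Dojo project; it assumes a deployment root that holds dojo/, dijit/, dojox/ and util/ side by side, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a deployed Dojo tree against the advisory's file list.
# Assumption: ROOT holds dojo/, dijit/, dojox/ and util/ side by side.

# Files the advisory says to remove or replace, relative to ROOT.
# The third entry is the Dojo 0.4 location of iframe_history.html.
ADVISORY_FILES="util/doh/runner.html
dojo/resources/iframe_history.html
dojo/iframe_history.html
dojox/av/resources/video.swf
dojox/av/resources/audio.swf"

# Print each advisory-listed file that is present under ROOT.
audit_listed_files() {
    printf '%s\n' "$ADVISORY_FILES" | while IFS= read -r rel; do
        if [ -f "$1/$rel" ]; then printf '%s\n' "$rel"; fi
    done
}

# Run find inside whichever of dojo/, dijit/, dojox/ exist under ROOT.
# Usage: find_in_toolkit ROOT <find expression...>
find_in_toolkit() {
    root=$1; shift
    for dir in dojo dijit dojox; do
        if [ -d "$root/$dir" ]; then
            (cd "$root" && find "$dir" "$@") | sort
        fi
    done
}

# .php files: the advisory says to delete these if PHP is enabled on the server.
audit_php_files() {
    find_in_toolkit "$1" -type f -name '*.[pP][hH][pP]'
}

# tests/ and demos/ directories: what copyTests=false and mini=true leave out.
audit_test_dirs() {
    find_in_toolkit "$1" -type d \( -name tests -o -name demos \) -prune -print
}

# Full report. Returns 1 if any advisory-listed file or .php file is present.
audit_dojo_tree() {
    listed=$(audit_listed_files "$1")
    php=$(audit_php_files "$1")
    extra=$(audit_test_dirs "$1")
    if [ -n "$listed" ]; then printf 'REMOVE OR REPLACE:\n%s\n' "$listed"; fi
    if [ -n "$php" ]; then printf 'PHP FILES:\n%s\n' "$php"; fi
    if [ -n "$extra" ]; then printf 'TESTS/DEMOS (review):\n%s\n' "$extra"; fi
    if [ -n "$listed$php" ]; then return 1; fi
    return 0
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_dojo_tree "$1"
fi
```

The script only reports; a listed file that is still needed by a module in use should be replaced from an updated build rather than deleted, as described above.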

Description of Issues

The main issues that are being fixed in this update:

  • Some PHP files did not properly escape input.
  • Some files could operate like “open redirects”. A bad actor could form a URL that looks like it came from a trusted site, but the user would be redirected to, or load content from, the bad actor’s site.
  • A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.
  • The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.

Actions to Prevent Further Issues

We take security issues very seriously. We are fortunate that the issues above were brought to us via a security review by community members, and we have addressed the issues as quickly as we can while making sure we have comprehensive, safe fixes.

We changed the build defaults so that the area with the most issues, tests and demos, is not copied automatically in builds, reducing the attack surface.

The non-test-related issues were in a very old file that did not get enough attention, or in newer flash modules. We do not expect to have the same issues again for those kinds of files now that we know better how to review them.

However, security requires continued vigilance. To that end we have set up a new dojo-sec mailing list to handle any further security-related inquiries; see the next section.

Summary

Please take immediate action to make sure your site does not contain one of the files listed in the “Quick instructions” section. In most cases the files can just be safely removed, since the modules affected are usually not heavily used. However, there are new builds of all the branches with the security fixes that can be used.

If you have any questions, please feel free to ask our community.

If the concern is something you want to keep private, you can contact our newly created security list: dojo-sec at mail dot dojotoolkit dot org.