Release notes for Magnolia CMS 6.2.14

LTS release • Delivered on December 13, 2021 • Changelog: 11770

Magnolia CMS 6.2.14 is a bug-fixing and security release that also delivers a number of updates and improvements.

magnolia-dx-core-webapp-6.2.14.war
magnolia-dx-core-demo-webapp-6.2.14.war
magnolia-community-demo-webapp-6.2.14.war
mtk_2.0.1.zip (as a light module)

Connector Pack and Special Feature updates

Live Copy 3.2.7 released on December 13, 2021.

See the Connector Pack and Special Feature changelog for details on that release.

Improvements

i18n easier with Copy blocks

We have released version 2.1-beta2 of the Content Editor module, which adds the Copy blocks button to the language selector. The button allows you to easily create a new language variant of a story by reusing the blocks from the original language version.

For more details, see Copy blocks button.

External SPA

With the release of SPA front-end helpers 1.2.0, we are also pleased to announce the general availability of the Magnolia External SPA capability, making it possible for your SPA project to be running or hosted on a remote server.

For more details, see Hosting the SPA.

New CSRF filter implementation

CsrfTokenSecurityFilter has been deprecated and replaced with CsrfCookieTokenFilter and CsrfSessionTokenFilter. These two classes cover the following functionality:

CsrfCookieTokenFilter implements a stateless technique called Double Submit Cookie to prevent login CSRF attacks.
CsrfSessionTokenFilter implements a stateful technique called Synchronizer Token Pattern to prevent CSRF attacks on authenticated users.

Splitting the functionality across two classes simplifies implementation, allowing bypasses to be configured more specifically. Both filters define a CSRF token strategy that exposes methods for creating, validating and renewing tokens. The default strategy is HmacCsrfToken.

MAGNOLIA-8210

Fully revamped slider field

The slider field has been modified as follows to address several issues:

A tooltip displays the current value on the slider as you drag the handle.
The field layout works properly when the SliderFieldDefinition#min property is set to a value other than 0.
A new SliderFieldDefinition#title property allows you to set a title for the slider.
A new displayStepSize property in SliderFieldDefinition replaces the deprecated gridStepSize property.

See Slider field for more information.

MGNLUI-6718, MGNLUI-6130, MGNLUI-6719

Rich text field moved to `magnolia-ui-framework-jcr` module

RichTextFieldDefinition has been moved from magnolia-ui-framework to magnolia-ui-framework-jcr as it depends heavily on the JCR API. This binary incompatible change has fixed an issue in the rich text field where the current link to an item was not preselected in the chooser dialog when editing that link.

The class and package names remain the same, so you are not affected at runtime. If you have custom code, you may need to add the magnolia-ui-framework-jcr dependency after upgrading to Magnolia 6.2.14.

MGNLUI-6749

Editable JCR property types

The new EditPropertyActionDefinition allows you to edit JCR property types. In the JCR Browser app, you can now choose to edit property types inline or via the action bar.

The Date property type must follow the ISO 8601 standard.

MGNLUI-6439

More accessible icons for publication status

The publication status icons have been redesigned to improve accessibility. See Publication status for the new icons.

MGNLICONS-25

Notable bug fixes

Any default values that you set for fields are now applied to both default and edited locales (MGNLUI-6833, MGNLUI-6906).
i18n nodes of complex fields are only created for edited languages (MGNLUI-6905).
Role-based access control is no longer bypassed for actions at the root level (MGNLUI-6920).
Synchronization now only affects nodes that have been modified (MGNLSYNC-59).
When uploading a ZIP file in the Assets app, it is again possible to choose an extraction location (MGNLDAM-896).

Third-party library updates

This release comes with the following third-party library updates to fix some security and compatibility issues:

AutoFactory updated to 1.0.1 (BUILD-582).
AutoService updated to 1.0.1 (BUILD-591).
CKEditor updated to 4.17.1 (MGNLUI-6944).
EasyUploads updated to 8.0.1 (BUILD-593).
EvoInflector updated to 1.2.2 (BUILD-594).
Gson updated to 2.8.9 (BUILD-585).
GwtMockito updated to 1.1.9 (BUILD-601).
Jackrabbit, Derby and Tika updated to 2.20.4, 10.14.2.0 and 1.27 respectively (BUILD-570).
Log4j updated to 2.15.0 (BUILD-603).

We keep the details of security fixes private in line with our security policy. Contact our Support team if you need more information.

Security advisory

To prevent XSS exploits, we have changed how HTTP request content is escaped. For more details, see Security: HTTP requests.

MAGNOLIA-8238 (restricted access)

Others

Known issues

If you are upgrading from an earlier version, read the Upgrading to Magnolia page first and check the Known issues page.

Documentation screenshot updates

Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.

Updated modules

Community Edition 6.2.14
DAM 3.0.12
Demo Projects 1.6.5
DX Core 6.2.14
Icons 25
Imaging 3.5.2
Language Bundles 1.1.8
Magnolia 6.2.14
Multisite 2.1.2
Pages 6.2.13
Personalization 2.0.13
Publishing 1.3.3
REST Framework 2.2.10
Soft Locking 3.1.1
Synchronization 2.0
Templating Essentials 2.0.1
Third-party library BOM 6.2.14
UI 6.2.14

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Christopher Chard, Simon Curty, Thomas Duffey, Marvin Kerkhoff, Jens Kolb, Eduard Lehel Reichenberger, Ulrich Scheel, Fabian Schneider, Frank Sommer, Vivian Steller, Sebastian Tauch, Simon Tourville, Jeffrey van der Heide, Jörg Wirsig and Pascal Zingg.

Feedback

DX Core