Release notes for Magnolia CMS 6.2.14
LTS release • Delivered on December 13, 2021 • Changelog: 20522
Magnolia CMS 6.2.14 is a bug-fixing and security release that also delivers a number of updates and improvements.
Connector Pack and Special Feature updates
-
Live Copy 3.2.7 released on December 13, 2021.
See the Connector Pack and Special Feature changelog for details on that release.
Improvements
i18n easier with Copy blocks
We have released version 2.1-beta2
of the Content Editor module, which adds the Copy blocks
button to the language selector. The button allows you to easily create a new language variant of a story by reusing the blocks from the original language version.
For more details, see Copy blocks button.
External SPA
With the release of SPA front-end helpers 1.2.0
, we are also pleased to announce the general availability of the Magnolia External SPA capability, making it possible for your SPA project to be running or hosted on a remote server.
For more details, see Hosting the SPA: Externally hosted SPA.
New CSRF filter implementation
CsrfTokenSecurityFilter
has been deprecated and replaced with CsrfCookieTokenFilter
and CsrfSessionTokenFilter
. These two classes cover the following functionality:
-
CsrfCookieTokenFilter
implements a stateless technique called Double Submit Cookie to prevent login CSRF attacks. -
CsrfSessionTokenFilter
implements a stateful technique called Synchronizer Token Pattern to prevent CSRF attacks on authenticated users.
Splitting the functionality across two classes simplifies implementation, allowing bypasses to be configured more specifically. Both filters
define a CSRF token strategy that exposes methods for creating, validating and renewing tokens. The default strategy is HmacCsrfToken
.
Fully revamped slider field
The slider field has been modified as follows to address several issues:
-
A tooltip displays the current value on the slider as you drag the handle.
-
The field layout works properly when the
SliderFieldDefinition#min
property is set to a value other than0
. -
A new
SliderFieldDefinition#title
property allows you to set a title for the slider. -
A new
displayStepSize
property inSliderFieldDefinition
replaces the deprecatedgridStepSize
property.
See Slider field for more information.
Rich text field moved to magnolia-ui-framework-jcr
module
RichTextFieldDefinition
has been moved from magnolia-ui-framework
to magnolia-ui-framework-jcr
as it depends heavily on the
JCR API. This binary incompatible change has fixed an issue in
the rich text field where the current link to an item was not preselected in
the chooser dialog when editing that link.
The class and package names remain the same, so you are not affected at runtime. If you have custom code,
you may need to add the |
Editable JCR property types
The new EditPropertyActionDefinition
allows you to edit JCR property types. In the
JCR Browser app,
you can now choose to edit property types inline or via the action bar.
The |
More accessible icons for publication status
The publication status icons have been redesigned to improve accessibility. See Publication status for the new icons.
Notable bug fixes
-
Any default values that you set for fields are now applied to both default and edited locales (MGNLUI-6833, MGNLUI-6906).
-
i18n nodes of complex fields are only created for edited languages (MGNLUI-6905).
-
Role-based access control is no longer bypassed for actions at the root level (MGNLUI-6920).
-
Synchronization now only affects nodes that have been modified (MGNLSYNC-59).
-
When uploading a ZIP file in the Assets app, it is again possible to choose an extraction location (MGNLDAM-896).
Third-party library updates
This release comes with the following third-party library updates to fix some security and compatibility issues:
-
AutoFactory updated to 1.0.1 (BUILD-582).
-
AutoService updated to 1.0.1 (BUILD-591).
-
CKEditor updated to 4.17.1 (MGNLUI-6944).
-
EasyUploads updated to 8.0.1 (BUILD-593).
-
EvoInflector updated to 1.2.2 (BUILD-594).
-
Gson updated to 2.8.9 (BUILD-585).
-
GwtMockito updated to 1.1.9 (BUILD-601).
-
Jackrabbit, Derby and Tika updated to 2.20.4, 10.14.2.0 and 1.27 respectively (BUILD-570).
-
Log4j updated to 2.15.0 (BUILD-603).
We keep the details of security fixes private in line with our security policy. Contact our Support team if you need more information.
Security advisory
To prevent XSS exploits, we have changed how HTTP request content is escaped. For more details, see Security: HTTP requests.
MAGNOLIA-8238 (restricted access)
Others
Known issues
If you are upgrading from an earlier version, read the Upgrading to Magnolia page first and check the Known issues page.
Updated modules
-
Community Edition 6.2.14
-
DAM 3.0.12
-
Demo Projects 1.6.5
-
DX Core 6.2.14
-
Icons 25
-
Imaging 3.5.2
-
Language Bundles 1.1.8
-
Magnolia 6.2.14
-
Multisite 2.1.2
-
Pages 6.2.13
-
Personalization 2.0.13
-
Publishing 1.3.3
-
REST Framework 2.2.10
-
Soft Locking 3.1.1
-
Synchronization 2.0
-
Templating Essentials 2.0.1
-
Third-party library BOM 6.2.14
-
UI 6.2.14
Acknowledgements
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Christopher Chard, Simon Curty, Thomas Duffey, Marvin Kerkhoff, Jens Kolb, Eduard Lehel Reichenberger, Ulrich Scheel, Fabian Schneider, Frank Sommer, Vivian Steller, Sebastian Tauch, Simon Tourville, Jeffrey van der Heide, Jörg Wirsig and Pascal Zingg.