Magnolia 5.4.12 fixes a cross-site scripting (XSS) vulnerability and delivers the following changes and improvements:
Changes for authors
Personalize pages and components at the same time
Page and component personalization are no longer mutually exclusive. You can now personalize a page and its components at the same time to create detailed personalization scenarios. The feature is disabled by default but you can enable it in the personalization-components module configuration. Component personalization is an EE Pro feature.
Visitor trait values are simplified
Values in the Visitor trait are now simplified: New, Returning or Logged in. Previously this trait allowed a combination of multiple values through checkboxes, which led to confusion about the actual status of the visitor. The trait now allows only values that are mutually exclusive via a radio button.
Also, we replaced the Registered visitor value with Returning visitor. Targeting a returning user is a very common use case, much more common than a registered user who has not yet logged in. With this change we hope the visitor trait matches typical personalization scenarios better out of the box. If you rely on the old Registered option (radio button), you can add it back in the UI with configuration. The underlying functionality still exists to process the option.
|Old values||New values|
The maxAge property specifies how long a visitor is considered new before being assigned the status of a returning visitor. You can set the property in /server/filters/visitor/visitorCookies/new/maxAge. The default value is 86400 seconds (24 hours).
Change template in a personalized component variant
It is now easy to change the template in a component variant. This allows you to show a text component to one audience, an image to another audience or a video to a third audience. Select the component variant and change its template to one you think works best for the target audience. A video may work best for visitors who have previously watched videos, for example.
Component variant icon displayed
Magnolia now displays the variant icon on any page variants that contain further component variants in the Pages app. This makes it easier to see where both levels of personalization are used.
Changes for developers
Translation exports can include composite fields
Subfields are included if:
- info.magnolia.ui.form.field.definition.CompositeFieldDefinition is registered as a control type to export.
- The subfields have an i18n property set to
See Registering additional field types for more.
Fixed an exception thrown after downloading a translation file
The PathNotFound exception bound to the downloadTranslationFile command in the Content Translation Support module no longer shows up after downloading a translation file. The correct path is specified by the formPath property of the new contentTransporter node in the module.
Node type change for personalization component variants
The parent node type of component variant nodes was changed from
mgnl:componentVariants. This change fixes a bug where re-publishing the original page deleted all variants from public instances.
An update task migrates content in your website workspace automatically. You must update any existing bootstrap files yourself to be able to publish component variants.
To see an example in the demo, look at the node /travel/main/0/variants in the JCR browser.
Security-related and other changes
- Fixed a cross-site scripting (XSS) vulnerability.
- Restored page editing capabilities and elements of the UI on hybrid devices running Firefox 52/Chrome 57. PAGES-129
- The MVCServlet and related classes were moved to a separate module and unusable legacy apps removed from the App launcher. You can re-enable legacy apps in a secure environment by:
- Setting the given servlet's
- Adding them back to the App launcher.
- Users are warned when deleting a node with modified children. MGNLUI-3242
This release also comes with a number of bug fixes and several security improvements. It is an important and recommended update for all Magnolia 5.4.x users.
An aggregated changelog for 5.4.12 contains all the changes.
This release includes the following new module versions:
- Admininterface Legacy 5.3.4
- Community Edition 5.4.12
- Contacts 1.4.3
- Content Dependencies 1.6.4
- Content Translation Support 2.1.8
- DAM 2.1.9
- Demo Projects 1.0.1
- Enterprise Edition 5.4.12
- Language Bundles 1.0.10
- Magnolia 5.4.12
- Pages 5.4.11
- Personalization 1.3.3
- UI 5.4.12
- Workflow 5.5.4
How to update from earlier versions
- Generally, follow the standard update procedure.
- Please check Changes for Magnolia 5.4.x users.
- Please check Important changes for Magnolia 5.2 and 5.3 users.
- Please check how to update from Magnolia 5.2 and earlier if required.
- Please check how to update from Magnolia 4.5 and earlier if required.
Change for 5.4.x
The following change only applies to users running Magnolia 5.4 (major release) and maintenance releases 5.4.1 to 5.4.3.
Add the following lines:
Important changes for Magnolia 5.2 and 5.3 users
If you had STK installed
If you continue to work with STK, use the new magnolia-enterprise-pro-stk-bundle as a basis for your project. It includes Enterprise Pro, STK and the old demo project. You get all STK functionality out of the box. Exclude the demo-project if it's in your way.
In order to enable getting an HTML excerpt in a query result, you should update the configuration files of your Jackrabbit instances. Add the two
<param/> directives within your
Add the log configuration for org.reflections
How to update from Magnolia 5.2 and earlier
To update your project, follow the standard update procedure, then make the following changes:
- Update your content apps with the content app upgrade task. It automatically takes care of the following:
- Using the content connector.
- Updating configuration of availability rules and default rule classes.
- Updating selected action definitions with node-type based availability.
- If you used the DAM:
- If you have a custom jBPM workflow:
- In the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#completeWorkItem method, checking for present parameters is obsolete and refers to publication related workitems. The method is no longer used for completing a workitem in the new human task context. It is still valid in the context of completing service tasks, however.
- Stop using the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#getWorkItem method. It was used to complete a work item for human tasks. Furthermore, the wrapper we initialize only holds the
- The previously hardcoded mgnlData parameter is now configurable in
- If you have custom widgets or Vaadin add-ons:
- Magnolia's default widgetset was relocated to
- Update your webapp's
- Otherwise Magnolia will automatically fall back to the new widgetset but will issue warnings during upgrade, and whenever a user logs in to Magnolia.
How to update from Magnolia 4.5 and earlier
Allocate more JVM memory
Magnolia 5.4.12 ee-bundle may require you to allocate more memory to the Java Virtual Machine (JVM). If you see a java.lang.OutOfMemoryError in the startup log or the system stops responding during installation, increase the Java heap size. The default maximum heap size is 512M. Try a higher value such as 1024M. We are working on uncovering the root cause for the increased memory need.
See: Java out of memory
Processed Resources app conflict
If you upgrade to Magnolia 5.4.12 from 5.4.2 or earlier, you will experience a UUID conflict if you also try to install the new Processed Resources app during the upgrade.
To work around this issue, complete the upgrade before installing the Processed Resources app.
The Magnolia team would also like to thank everyone who reported issues, contributed patches, or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to: Nils Breunese, Marcus Büttner, Andrea Castelli, Marcus Käppi, Karsten Martin, Tobias Mattsson, Federico Navarro, Sathyaprakash Rao, Frank Sommer, Vivian Steller, Richard Unger, Nickolaus Wing and Fadi Wissa.