Release Notes / Version 11.2304
coremedia.preview.js: Added Note About False Positive SAST Report
coremedia.preview.js might be reported by SAST tools such as Checkmarx. This is a false positive: the code injection is a central part of the preview integration and can only be performed by postMessage calls from authorized origins (see https://documentation.coremedia.com/cmcc-11/artifacts/2201/webhelp/studio-developer-en/content/SecurityCSP.html ).
(CMS-21402)
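When triaging a finding like this, the property to confirm is that the message handler compares the sender's origin against an exact allowlist before it acts on the data. The following is an added example of such a check, not CoreMedia's code; the host studio.example.com and all function names are assumptions.

```javascript
// Added example: origin-checked postMessage receiver (hypothetical names,
// not taken from coremedia.preview.js).

// Normalize a configured origin to scheme://host[:port]; throws on bad config.
function normalizeOrigin(value) {
  const url = new URL(value);
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error("unsupported scheme in allowed origin: " + value);
  }
  return url.origin; // drops path, query and default ports
}

// Build a "message" event handler that passes data to applyUpdate only when
// the event comes from an allowed origin. Returns true if accepted.
function createPreviewMessageHandler(allowedOrigins, applyUpdate, onReject) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin));
  return function handleMessage(event) {
    // event.origin is filled in by the browser, not by the sending script.
    // Exact match only: no startsWith/endsWith/includes. The opaque origin
    // "null" (sandboxed frames, data: URLs) is never in the set.
    if (typeof event.origin !== "string" || !allowed.has(event.origin)) {
      if (onReject) onReject(event.origin);
      return false;
    }
    applyUpdate(event.data);
    return true;
  };
}

// Constructed sample events standing in for browser MessageEvent objects.
const SAMPLE_EVENTS = [
  { origin: "https://studio.example.com", data: { type: "refresh" } },
  { origin: "https://studio.example.com.other.example", data: { type: "refresh" } },
  { origin: "http://studio.example.com", data: { type: "refresh" } },
  { origin: "null", data: { type: "refresh" } },
];

function runSample() {
  const applied = [];
  const rejected = [];
  const handler = createPreviewMessageHandler(
    ["https://studio.example.com/"],
    (data) => applied.push(data),
    (origin) => rejected.push(origin)
  );
  const results = SAMPLE_EVENTS.map((e) => handler(e));
  return { results, applied, rejected };
}
// In a browser: window.addEventListener("message", handler);
```
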
Search Query In Download Portal Is Now Escaped
Before the change, the search query could contain HTML, which was added to the search result without being escaped.
(CMS-21393)
Fixed Links to Categories with Apostrophes in IDs
When rendering a Teaser in a fragment that pointed to a category in Salesforce with an apostrophe in its ID, the Velocity interpreter in Salesforce crashed during link building, which affected the whole page. Such apostrophes in link parameters are now "escaped".
(CMS-21346)
Fixed Cache Capacity Handling and Reporting of DataViewFactory
The DataViewFactory did not respect the configured cache capacities and fell back to the capacity of "java.lang.Object" for cache capacities whose keys did not represent the names of classes extending com.coremedia.objectserver.dataviews.AssumesIdentity or com.coremedia.objectserver.dataviews.DataView. This is the case for com.coremedia.blueprint.common.contentbeans.Page, for example. The DataViewFactory no longer maintains its own mapping of cache capacities but uses the capacities which are configured at the Cache bean. The DataViewFactory records the used cache classes and reports the corresponding cache capacities via JMX using the CacheSizes attribute or the getCacheSizes operation.
The cache size definitions from dataviews XML files have lower precedence than those defined at the cache. So if your project contains a cachesize entry for class X with value Y and your application config contains an entry cache.capacities.X=Z then the cache capacity is Z.
(CMS-20774)
Segment Validator Warns of Unfavourable Segment Names
It is not recommended to use a page segment name that ends with a number preceded by a minus sign. The default request mapping can get confused and interpret the number as a content ID. In some rare cases this can lead to a CAE handler error, and such a page is not accessible. The ChannelSegmentValidator warns about such unfavourable segment names.
(CMS-19526)