coremedia.preview.js: Added Note About False Positive SAST Report

coremedia.preview.js might be reported by SAST tools like checkmarx. This is a false positive, the code injection is a central part of the preview integration and can only be performed by postMessage calls of authorized origins (see https://documentation.coremedia.com/cmcc-11/artifacts/2201/webhelp/studio-developer-en/content/SecurityCSP.html).

(CMS-21402)

Search Query In Download Portal Is Now Escaped

Before the change the search query could contain HTML which was added to the search result without being escaped .

(CMS-21393)

Fixed Links to Categories with Apostrophes in IDs

When rendering a Teaser in a fragment that has pointed to a category in Salesforce with an apostrophe in the ID the Velocity interpreter in Salesforce was crashing during the link building. That was affecting the whole page. Such apostrophes in link parameters will be "escaped".

(CMS-21346)

Fixed Cache Capacity Handling and Reporting of DataViewFactory

The DataViewFactory did not respect the configured cache capacities and fell back to the capacity of "java.lang.Object" for cache capacities whose keys did not represent the names of classes extending com.coremedia.objectserver.dataviews.AssumesIdentity or com.coremedia.objectserver.dataviews.DataView. This is the case for com.coremedia.blueprint.common.contentbeans.Page, for example. The DataViewFactory no longer maintains its own mapping of cache capacities but uses the capacities which are configured at the Cache bean. The DataViewFactory records the used cache classes and reports the corresponding cache capacities via JMX using the CacheSizes attribute or the getCacheSizes operation.

The cache size definitions from dataviews XML files have lower precedence than those defined at the cache. So if your project contains a cachesize entry for class X with value Y and your application config contains an entry cache.capacities.X=Z then the cache capacity is Z.

(CMS-20774)

Segment Validator Warns of Unfavourable Segment Names

It is not recommended to use a segment name in pages ending with a number preceded by a minus sign. The default request mapping can get confused by interpreting the number as content ID. In some rare cases that can lead to CAE handler error and such a page is not accessible. The ChannelSegmentValidator warns about such unfavourable segment names.

(CMS-19526)