Releases: vaadin/framework
Vaadin Framework 8.30.0
Vaadin Framework 8.30.0 is an Extended Maintenance release with the following changes:
- Updated the behavior of captions of Actions to remove any HTML from the passed-in caption string by default to guard against unexpected XSS vulnerabilities. This change may require updating your code.
  Rationale: the Action class is used for a lot of things throughout the Framework, including things such as populating custom drop-down menus. An issue was discovered in Spreadsheet where the caption string was being passed as-is into the DOM. This would normally be a benign unintended feature, but in the event that the caption string is populated from an untrusted source (such as from direct user input, which is then shared between sessions, or a translation table that can be edited by a third party) this can allow for the injection of malicious HTML, leading to cross-site scripting vulnerabilities.
  The default behavior is now to use JSoup to strip any and all HTML tags out of the caption string. Since some users may be relying on the caption string being able to contain HTML, overloaded constructors for Action as well as an overloaded setCaption function that take ContentMode as a second parameter were added. This allows specifying ContentMode.HTML to have the caption string be passed through without sanitization, and this also provides an indicator in the code that HTML content is to be expected in the caption string.
- Added ChartElement class to testbench-api for Vaadin Charts support in Testbench.
- Added ARIA handling to VListSelect. This allows screen readers to respond to ListSelect components.
- Changed ComboBox dropdown's ARIA role from List to ListBox to improve screen reader behavior with ComboBox components.
- Included vaadin-testbench artifact as part of vaadin-bom to provide a compatible default version whenever vaadin-bom is used in dependency management.
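A migration sketch for the Action caption change described above, added here as an example and not taken from the Vaadin code base. The class name, the sample strings and the use of jsoup's `Safelist.none()` as a stand-in for the Framework's internal stripping are assumptions; the `ContentMode` overloads are used as the release note describes them.

```java
import com.vaadin.event.Action;
import com.vaadin.shared.ui.ContentMode;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Entities;
import org.jsoup.safety.Safelist;

public class ActionCaptionMigration {

    // Constructed sample: a display name that arrived from untrusted input.
    static final String UNTRUSTED_NAME = "Bob<img src=x onerror=alert(1)>";

    /**
     * Approximates the new default for review purposes: all tags are dropped
     * and only text remains. Assumption: the Framework's own jsoup call is not
     * shown in the release note; Safelist.none() is used here as a stand-in.
     */
    static String stripAllHtml(String caption) {
        return Jsoup.clean(caption, Safelist.none());
    }

    /** Default path: no ContentMode given, so the caption is treated as text. */
    static Action textAction(String untrustedName) {
        return new Action("Assign to " + untrustedName);
    }

    /**
     * Opt-in path: the markup is written by the developer, and the untrusted
     * part is HTML-escaped before it is placed in element text, because
     * ContentMode.HTML passes the caption through unsanitized.
     */
    static Action htmlAction(String untrustedName) {
        String escaped = Entities.escape(untrustedName);
        return new Action("Assign to <b>" + escaped + "</b>", ContentMode.HTML);
    }

    public static void main(String[] args) {
        // What a legacy HTML caption is reduced to under tag stripping.
        System.out.println(stripAllHtml("Assign to <b>" + UNTRUSTED_NAME + "</b>"));

        Action existing = textAction(UNTRUSTED_NAME);
        // Switching an existing action to an HTML caption uses the overload.
        existing.setCaption("<i>Unassigned</i>", ContentMode.HTML);
        System.out.println(htmlAction(UNTRUSTED_NAME).getCaption());
    }
}
```

When auditing an upgrade, every call site that passes `ContentMode.HTML` is a place where escaping of untrusted input has become the application's responsibility.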
Vaadin Framework 8.29.0
Vaadin Framework 8.29.0 is an Extended Maintenance release with the following changes:
- Implemented ARIA caption handling in VNativeSelect, allowing ARIA captions to be used in NativeSelect components.
- Improved the server-side WebBrowser class and the client-side BrowserInfo class' implementation of the .isIOS() call by adding an additional heuristic of checking for a maximum touch points value greater than 2 if an operating system of MacOS X is reported by the user agent.
  Also improved the WebBrowser class by adding null checks for all functions requiring a valid VBrowserDetails instance, so that they adhere to documented behavior, and added the WebBrowser.onInformationAvailable(Runnable) method that can be used to register a callback that fires once as soon as information about the client's browser is available.
  Also improved documentation around these facilities.
- Updated atmosphere version to 2.4.30.vaadin9 to fix a NullPointerException in DefaultAtmosphereResourceSessionFactory when resource is null.
  Atmosphere could experience a race condition, where event.destroy() would be called before notifyEventListeners(), setting the resource to null, triggering the bug.
  Fixes Atmosphere issue #2527.
- Updated commons-io to version 2.20.0 to address CVE-2022-42889.
Vaadin Framework 7.7.49
The Vaadin Framework 7.7.49 is an extended-support release with the following changes:
- Made loading of scripts happen synchronously like in Vaadin 8
- Added support for the usage of multiple @JavaScript and @StyleSheet annotations on a class
- Bumped Atmosphere version to fix a potential NPE issue
- Fixed internal Atmosphere version check to correctly detect MPR/Jakarta version of Push
- Updated license checker invocations to be compatible with upstream technical licensing changes.
Vaadin Framework 8.28.4
Vaadin Framework 8.28.4 is an Extended Maintenance update release with the following changes:
- Fixed critical issue in license checking which became evident with 8.28.3 during the release. While the 8.28.3 release artifacts are available, build announcements were held back due to this issue. This release restores old behavior.
- Fixed a NullPointerException in Push (Atmosphere) where a missing null check in a logging call would create a mystery stack trace on the server when attempting to communicate with an already disconnected client. This is likely the fix to an issue reported in Flow.
- Fixed the Push version check to not complain about vaadin-push-jakarta.
- Fixed an issue where getBeanPropertyDescriptors() could include properties more than once in the returned results list. This is a backport of Flow PR #21836.
- Updated license checker for improved compatibility.
Vaadin Framework 7.7.48
The Vaadin Framework 7.7.48 is an extended-support release with the following changes:
- Updated to Atmosphere 2.4.x, and consequently, Java 8. This bumps the minimum Java requirement from 7 to 8.
- Added changes to make interrupting uploads more reliable, and block a possible security issue in the process.
Vaadin Framework 8.28.2
Vaadin Framework 8.28.2 is an Extended Maintenance hotfix release with the following changes:
- Fixed a bug where scrolling in a UI with a menubar would attempt to close the menubar popup even when the popup didn't exist, resulting in a cascade of JavaScript errors in the console.
- Improved Upload component handling so that the receiveUpload handler will not get triggered if the upload has been interrupted in startListener.
- Updated the JNA and OSHI dependencies for security.
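An added example (not code from the Vaadin project) of the pattern the Upload fix above makes dependable: rejecting an upload in the started listener so the receiver never opens a destination for it. The class name, size limit and MIME allow-list are hypothetical policy choices made for this sketch.

```java
import com.vaadin.ui.Upload;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class GuardedUpload {

    // Hypothetical policy values chosen for this example.
    static final long MAX_BYTES = 5L * 1024 * 1024;
    static final Set<String> ALLOWED_TYPES =
            new HashSet<>(Arrays.asList("image/png", "image/jpeg"));

    /** Pure policy check, kept separate so it can be unit-tested without a UI. */
    static boolean isAcceptable(String mimeType, long declaredLength) {
        return mimeType != null && ALLOWED_TYPES.contains(mimeType)
                && declaredLength >= 0 && declaredLength <= MAX_BYTES;
    }

    static Upload create() {
        // Receiver: opens a server-side temp file as the upload destination.
        Upload upload = new Upload("Avatar", (filename, mimeType) -> {
            try {
                // The client-supplied filename is deliberately not used in the path.
                Path target = Files.createTempFile("upload-", ".tmp");
                return Files.newOutputStream(target);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        });
        // Reject early, based on what the client declares about the file.
        upload.addStartedListener(event -> {
            if (!isAcceptable(event.getMIMEType(), event.getContentLength())) {
                upload.interruptUpload();
            }
        });
        // The declared length and type come from the client, so the real
        // byte count is enforced while the transfer is in progress as well.
        upload.addProgressListener((readBytes, contentLength) -> {
            if (readBytes > MAX_BYTES) {
                upload.interruptUpload();
            }
        });
        return upload;
    }
}
```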
Vaadin Framework 8.28.1
Vaadin Framework 8.28.1 is an Extended Maintenance hotfix release with the following change:
- The Grid fix in 8.28.0 that made sure that DOM contents are not altered unless there is a need to update them was missing the logic for the Vaadin 8 version of Grid's TextRenderer, while it was added for the Vaadin 7 compatibility Grid. This hotfix version adds the TextRenderer logic to the Vaadin 8 Grid.
Vaadin Framework 8.28.0
Vaadin Framework 8.28.0 is an Extended Maintenance release with the following changes:
- Fixed a Grid issue that was affecting at least Firefox where attempts to copy and paste text became difficult or impossible due to how Grid handled cell value updates during a refresh. Cells are refreshed every time a cell is clicked.
- Fixed a MenuBar issue where the popup menu would become detached from the MenuBar and possibly inaccessible if the browser window was resized or scrolled. The popup menu will now be closed if a resize or mousewheel event is detected.
- Improved Grid accessibility regarding navigation.
  A new accessible navigation mode is introduced which changes Grid focus handling and DOM properties such that NVDA and similar screen readers will correctly announce current cell contents, allow proper tab navigation and properly react to header rows; it also adjusts the handling of the focus visuals to match.
  This new functionality can be toggled on and off using the API Grid.setAccessibleNavigation(boolean) and the status checked using Grid.isAccessibleNavigation().
- Fixed Combobox behavior so that the aria-expanded property is correctly handled when the combobox dropdown is opened and closed. This fixes combobox related issues with screen readers.
Vaadin Framework 7.7.47
The Vaadin Framework 7.7.47 is an extended-support release with the following changes:
- Fixed the text selection problems within Grid cells, so copying the contents of a single cell is possible
- Added a Jakarta-compatible Push module
- Fixed root module POM Source Code Management URLs to point to the correct repository
Vaadin Framework 7.7.46
The Vaadin Framework 7.7.46 is an extended-support release with the following changes:
- Updated the Maven plugin to get rid of dependencies with known vulnerabilities
Note: Vaadin 7 projects require Java 8 when doing development builds; production mode builds will still work with Java 7. This is due to updates in the license checker, which internally uses Java 8.