CommonSpot 10.6.1

Release Notes

Copyright 1998-2020 PaperThin, Inc. All rights reserved.

About this Document 3

Platform Support Updates 3

Enhancements 4 ADF 2.5 4 Hooks 4 Images 4 Security / Custom Authentication 5 See Also Reference 5

Notable Bug Fixes 5 Accessibility 5 API 5 Approval 6 Base Templates 6 Bookmarks and Anchors 6 Breadcrumb 6 Cache 6 Chrome Browser 6 CKEditor 6 ColdFusion 7 Container 7 Content Categories 7 Custom Element 7 Custom Script 7 Database Migration Tool 7 Datasheet 7 Elements 8 Facebook Integration 8 Formatted Text Block 8 Freshness Reminders 8 Images 8 Left Pane (L-View) 8 Link Management 9 Multimedia 9 My CommonSpot 9 Page Properties 9 Page Rename 9 Page Sets 9 Permissions 10

1 Pop-up Menu 10 Referring Pages 10 Render Handlers 10 Replication 10 Saved Search 11 Security 11 Search 11 SEO 11 Shared Database 11 Short Cuts 11 Simple Forms 12 Site Administration 12 Social Media 12 Subsite Administration 12 Tabular Layout Element 12 Upgrade 12 Uploaded Documents 12 User Administration 13 Utilities 13 Work Requests 13

Important Notes 13 Removal of Cookie Login option 13 Developers Guide Update 13 Upgrading with MySQL 14 Lucee Only Settings 14 Multimedia 15 Run Upgrade & Other Utilities 15 Full-Text Search 15 Style Sheet Considerations 16 Other Notes 17

Special Upgrade Offer 17

2 About this Document

This document summarizes the following for the CommonSpot 10.6.1 release: ● E nhancements ● N otable Bug Fixes ● I mportant Notes (required reading) ● Special Upgrade Offer

For detailed instructions about installing CommonSpot, see the current release of the CommonSpot Installation Guide.

For detailed instructions about upgrading from a previous version of CommonSpot, see the current release of the C ommonSpot Upgrade Guide. Review carefully all Pre-Upgrade instructions.

NOTE: Before installing or upgrading to this release, review all other Release Notes documents from your current version of CommonSpot to this version. For example if you are upgrading from version 9.0, please refer to all CommonSpot 10.0.x and 10.5.x Release notes, as well as the 10.6.0 Release Notes.

Platform Support Updates

Release 10.6.1 of CommonSpot now includes support for the following: ● Adobe ColdFusion 2018 with updater 7 and above ● Adobe ColdFusion 2016 with updater 13 and above ● Lucee ColdFusion version 5.3.3.62 ● Microsoft SQL Server 2017 (with Adobe ColdFusion 2018 and Lucee) ● Oracle 19c & 18c (with Adobe ColdFusion 2018 and Lucee) ● MySQL 5.7 and 8.0 ● JDK 11 ● Java providers other than Oracle ● Solr 8.2.0 ● Windows Server 2019 (with Adobe 2018 and Lucee)

The following platforms are no longer supported: ● Adobe ColdFusion 11 ● Lucee 5.2.9 and 5.3.2.77 ● Windows Server 2008 ● SQL Server 2014 (for Lucee) ● MySQL 5.6.x ● Solr 5.x and 6.x ● Java JDK 8, 9 and 10 ● 'Native' Full Text Search (using the search engines provided with ColdFusion and Lucee)

3 Be sure to see the current T ech-Specs page for the most up-to-date information.

Enhancements

Release 10.6.1 of CommonSpot includes the following e nhancements.

ADF 2.5

● To complement the robust security enhancements that have been added to CommonSpot 10.5.2 and 10.6.1, we are proud to release version 2.5 of the CommonSpot ADF (Application Development Framework). This ADF release includes notable enhancements, bug fixes and security protections, as well as updates to the ADF applications.

Additional security protections have been added specifically to mitigate XSS and CSRF attacks. However, due to the flexibility and customizability of the ADF and ADF Applications, not all security features are enabled by default. Parts of the CSRF attack prevention validation must be enabled for AjaxProxy requests once all customizations have been enhanced to take advantage of this security feature. Please review the ADF 2.5 release notes, install and upgrade guide for more information regarding these enhancements at https://community.paperthin.com/projects/ADF/docs/release-notes/Release-Notes-v2-5.c fm

Hooks

● Two new hook files are now supported for Uploaded Documents. pre-doccreate.cfm is called after the document has been uploaded but prior to processing the file and creating the appropriate CommonSpot records. post-doccreate.cfm is called after the document has been fully processed. Place either of the hooks files in the root subsite for global application or in a specific subsite or subsites, for more selective application. More details are available in the Developers Guide section 3.4.

Images

● Image rendering was updated to remove non-style attributes, such as width, height, border etc. ● Added the copy-down functionality for upload image dialog. This reduces the amount of typing when most of these fields usually contain the same text.

4 Security / Custom Authentication

● CommonSpot has been enhanced to prevent CSRF (Cross-Site Request Forgery) vulnerabilities. All forms now include a private CSRF token. If you have custom code that submits to loader.cfm it must call it with a ‘CSRF_Token’ url parameter or form field. You can access the CSRF token by calling Server.CommonSpot.UDF.Security.getCSRF_Token(). ● The ability to set Persistent Cookies for Auto Login has been removed. See Removal of Cookie Login in the Important Notes section below. ● Updated XML processing to protect against XML External Entity Injection. ● Updated command API and public components argument validation. Improved database error handling to prevent database errors showing on rendered pages. ● Closed security issues with XML processing. ● The Custom Authentication hook module has been updated to provide more flexibility when creating new users. You can now optional specify the contributor type (none, dedicated, shared or default), company, organization and email address of the user. ● An error in a custom script may expose sensitive data via JavaScript. ● In replication configurations, custom element data may be different between the authoring and read-only servers (particularly for fields such as checkboxes which may be empty). ● Security was enhanced by rotating CFID/CFToken and CSRF tokens after login.

See Also Reference

● It is now possible to define See Also References via the Advanced Search interface.

Notable Bug Fixes

Accessibility

● Eliminated non lowercase values for input controls of type hidden. This complies with the WCAG 2.0 and 508 Accessibility standards. ● The submit control for Simple Form elements was updated for Accessibility standards. It is now of type=submit.

API

● Error messages for the API method Users.delete were incorrect and confusing.

5 Approval

● An error may occur when rendering the "Changes Pending My Groups' Approval" section of "My CommonSpot", particularly if the site is using SQL Server.

Base Templates

● Corrected an error seen in the New Base Template dialog below the Dependencies box. ● Base Templates may not be rendered from within CommonSpot. Removed the hover link to open a base template in a new window, as it was not applicable.

Bookmarks and Anchors

● Bookmarks and Anchors to the current page remained pointed to the current page when the page was copied. The links are now page relative.

Breadcrumb

● The Breadcrumb element Display option 2 was updated from 'Site Name' to 'Subsite Name' for clarity. ‘Site Name’ was incorrect. ● It may appear that the Breadcrumb element is rendering incorrectly if the Subsite Display Name field is chosen to render in the Breadcrumb and the” Display Name field is empty. This field is optional and may be left blank in Subsite Administration > Properties > Subsite Name.

Cache

● When using the 'memCacheName' attribute with ct-render-named-element, the resulting cache was not cleared as expected when the specified element was updated. ● In some configurations, a new element added by a contributor in 'Edit' mode is not visible until published (or until the user switches to 'Author' mode).

Chrome Browser

● Creating a new Registered URL did not refresh the dialog. The new item was not rendered until a manual refresh was performed.

CKEditor

● Upon upgrading to CommonSpot 10.5.0,10.5.1 or 10.6.0 any customized Toolbar settings in Custom Element Formatted Textblock fields was set back to default settings upon ColdFusion or Lucee restart.

6 ColdFusion

● Rendering large pages may result in 'Failed to add HTML header' errors, particularly for Adobe ColdFusion installations.

Container

● Fixed an issue where trying to edit a grid Row or grid-row-Column properties for a newly added grid row in the Container layout properties dialog was returning 'Row Index is Incorrect' error.

Content Categories

● The factory description of some of the content categories was larger than was allowed to save. Adjusted maximum size of the description field so the content can be saved.

Custom Element

● Custom Elements would sort numbers in some circumstances, as if they were text. ● A Custom Element cloned in Site Administration did not offer any Component Styles to customize. ● Errors may occur in element management if a custom field type name contains one or more spaces. ● Viewing custom element data in Author mode did not honor the sort of a Number column when using Adobe ColdFusion. Lucee was not affected. ● Custom Element in Reuse mode was sorting the Taxonomy field by the TaxonomyID instead of the Term name. ● Submitting a Custom Metadata form with an RTE field freezes on "Cleaning HTML..."

Custom Script

● Custom script error output is now encoded to prevent any code in the custom script from running.

Database Migration Tool

● Migration of data to a new database, under certain circumstances would fail to create all required tables.

Datasheet

● There was an issue with the DataSheet Element > Edit Columns > DataSheet View Columns dialog. Columns added to the view were not displayed.

7 ● A Datasheet view name with an ampersand "&" in it would prevent adding or editing an action column. ● The Alphabet filter characters were in some cases, filtering on the wrong values. This affected columns of type Formatted Text Block and Extended URL.

Elements

● In some circumstances, moving elements with the green Move Element tool might result in a corrupted page. ● Improved the inconsistent styling of the Confirm Delete Element dialog.

Facebook Integration

● Corrected a condition where Facebook integration no longer worked due to changes in the Facebook API and further tightening of their configuration.

Formatted Text Block

● Under certain circumstances, the Rich Text Editor would not properly render when maximized.

Freshness Reminders

● Freshness Reminder emails to Groups were not delivered due to an incorrect email format. ● Freshness Reminder dialog was missing the hover text to open the page in a new window.

Images

● Fixed the Rescan Image Utility to include all visible galleries not just the current user’s favorites. ● Corrected an issue where the "&" character was rendered escaped in the Description field of an Image Gallery. ● An error may occur attempting to upload a new image via the Image field in a Custom Element. ● Under certain circumstances, the Cancel button of the Custom Properties of an Image may not respond. ● The ‘Small Images’ View for Image Galleries had cut off menus. Now the entire gallery is shown.

Left Pane (L-View)

● In the Left Pane > Page Tools > Broken/Verified Links, clicking on the links did not highlight the link on the page as expected.

8 Link Management

● In some situations, an incorrect link usage count is displayed when deleting objects and checking link references. ● Bookmarks and Anchors to the current page remained pointed to the current page when the page was copied. ● Users may encounter problems when validating links on sites backed by an Oracle database. ● Error may occur when running the page level Validate Links tool after having deleted an image from the Image Gallery that is in use on the page.

Multimedia

● Pages set to Expire in the future that were set more than 1 year, did not appear in the My Commonspot > Reminders > Content Scheduled For Expiration dialog. ● Fixed a bug where Multimedia Player Property settings like UserEditable configured at the time of player creation were not honored.

My CommonSpot

● Reminders Reports may not display the counts of Pages with Blocked Approvals correctly.

Page Properties

● Creating a page incorrectly allowed HTML tags to be saved in the page title. The page title now does not allow HTML at all.

Page Rename

● The Rename Page dialog did not always refresh after saving. ● The Rename Page dialog didn't reload after submission if the file was not renamed in addition to one of the other 3 fields. ● Renaming a page momentarily displayed an error dialog, that quickly closed. The Rename operation was successful.

Page Sets

● There was an issue with the Page Set Contents > Select Page Set dialog. Incorrect Page Sets and an incorrect message was displayed. Select list is now ordered alphabetically and now includes hover text with path, CommonSpot title and description.

9 Permissions

● The Manage Replication permission could not actually allow a user or group to manage replication. It is correctly bound to the Replication section of the UI now. ● Restricted Anonymous Users group and Accounts that are not Contributors from being given access to Left Pane Tools. These accounts could not get there anyway since Dashboard access is only for Contributors.

Pop-up Menu

● A crash may occur if submitting the page from within the editing dialog of the Pop-up Menu.

Referring Pages

● Deleting a Page Set and reviewing the referring links in the process, would crash opening the Referring Pages dialog.

Render Handlers

● Changing the settings in Layout Properties for a custom render handler did not present the correct dialog options. ● Attempting to save an XSLT Render Hander did not save it as the correct type.

Replication

● In replication configurations, custom element data may be different between the authoring and read-only servers (particularly for fields such as checkboxes which may be empty). ● In the Replication.replicate() method in the command API, the 'manuallyTransportPacket' argument is interpreted incorrectly. ● The method 'replication.getRecordStatus()' did not return the expected fields. ● On a replication read-only server, attempts to update the CommonSpot server configuration may be denied. ● The checkbox to select Manual Transport was backwards. Checked would NOT transport the packet as expected. ● Repaired a crash in Replication under certain circumstances involving setting permissions. Added validation to ensure we do not pass an empty string in Attributes.Params. ● In replication environments, scheduled jobs could not be managed on read-only servers. With this update, scheduled jobs are now independently managed for all read-only servers.

10 ● In replication environments, scheduled jobs could not be managed on read-only servers. With this update, scheduled jobs are now independently managed for all read-only servers.

Saved Search

● Corrected an issue where a Saved Search that was designated a “Favorite” was not saved as a Favorite. The Favorite checkbox was ignored. ● Using a Saved Search as a means to retrieve a PDF for the PDF element, did not respond when "Use Highlighted Content" was clicked. ● An error may occur when running a Saved Search to report on Multimedia files. ● Under certain conditions, creating a new Saved Search would fail to save it.

Security

● The "Cancel" button in the CommonSpot Security Exception dialog did not respond.

Search

● Solr-related errors may be logged on shared-database read-only servers if the authoring server has sites which are not known to the read-only server. ● Search form element updated to WCAG 2.0 standard for submit buttons, changed type from button to submit. Changed search criteria input to use placeholder text.

SEO

● Adding an SEO Reporting group may generate an error. ● SEO validation did not allow description to contain html tags, or fix error in fields as it was validating on focus.

Shared Database

● Processing of pending file actions may be unacceptably slow on a shared-database read-only server after a restart. ● Resolved an issue rebuilding cache on the read only servers for saved searches.

Short Cuts

● Creating a new Shortcut did not refresh the dialog to display the shortcut just created. ● A new Shortcut created as a "Favorite" did not render with the existing Favorites. The flag designating the shortcut as a Favorite was not saved during its creation. Subsequent editing resolved the problem. ● Cloning a shortcut for uploading a new image threw an error.

11 Simple Forms

● The Submit button for Simple Form elements updated for Accessibility standards.

Site Administration

● The Description field factory content for the Site Administration Content Classification > Categories dialog was larger than what was allowed to be saved. We can now save much more data in the Description field. ● Run Performance Analysis Name populated with date one month behind.

Social Media

● Updated UI in the Site Administration > Utilities > Scheduled Jobs dialog to hide the “Next” button if there are no channels saved.

Subsite Administration

● Removed the option to create redirects to items in a Subsite, when the Subsite is renamed and the URL Redirects feature under Site Administration > Utilities is disabled.

Tabular Layout Element

● The Layout Properties dialog button to add an image as the background of a Tabular Layout element did not respond, nor did the Save button of that dialog. ● Corrected an issue where a JavaScript error was seen editing a Page Index Element inside a Tabular Layout Element.

Upgrade

● Upgrade may fail in certain circumstances with customized toolbar buttons in formatted textblock settings. ● During upgrade, while adding the SVG image type factory data, existing sites did not grant the Contributor Group permission to upload the new SVG image format. ● Upon upgrading to CommonSpot 10.5.0, 10.5.1 or 10.5.2, any customized Toolbar settings in Custom Element Formatted Textblock fields was set back to default settings upon Adobe ColdFusion or Lucee restart.

Uploaded Documents

● Uploading multiple documents at the same time did not save the Search Availability setting.

12 User Administration

● Improved warning message when sending Username and/or Password to the user from User Administration. ● Error messages for the API method Users.delete were incorrect and confusing.

Utilities

● Database Conversion tool may not include all users data sources. ● Added code to handle the case when no channels have been saved. Next button is hidden if we have no channels. ● New shortcuts created in Site Administration > Utilities > Manage Shortcuts, did not render without a manual cache clear. ● Fixed an error when Site Admin > Utilities > “Fix Spaces in File Names” utility was run. ● The Site Administration > Utilities > Site Tools > Fix Spaces in File Names utility may crash due to using an incorrect path. ● Migration of data to a new database failed to create all required tables.

Work Requests

● The Export to Excel feature did not work for Work Requests.

Important Notes

The following describes issues that may affect the operation of your CommonSpot site. Please review these notes before installing or upgrading to this release.

Removal of Cookie Login option

In order to make CommonSpot more secure, this release has removed from the Client Variables dialog the “Enable Persistent Cookies” option. This dialog is accessed via Server Administration > Configuration > Client Variables. This prevents the cookies from being hijacked for cross site scripting exploits.

In addition, the Server Administration > Configuration > Authentication dialog has been removed for the same reason.

Developers Guide Update

3.2.8 Custom Authentication - (custom-authentication.cfm) - c reateNewUserVar - This variable had been documented as deprecated, which is not the case. It is defaulted t o 1. While this attribute is passed to your custom-authentication.cfm module, there is no need to set it unless you do not wish to create the user record account.

13 Additional variables have been added for n ewUserContributorTypeVar, newUserCompanyNameVar, a nd n ewUserOrganizationNameVar and n ewuserEmail. See additional details in the Developers Guide, section 3.2.8.

Upgrading with MySQL

If MySQL 5.6 is in use, all MySQL databases must be migrated to MySQL 5.7 (not 8.0) BEFORE r unning upgrade. Failure to do so will cause the upgrade to fail. To upgrade these databases, follow the upgrade instructions provided in MySQL 5.7 documentation, or use the built in Server Administration > Utilities > Server Tools > Database Conversion tool to migrate your databases from MySQL 5.6 to MySQL 5.7.

Upgrades to MySQL 8.0 cannot be completed before upgrading CommonSpot to version 10.7. See Knowledge Base Article for details.

For Linux ONLY On Linux installations, pages or uploaded documents with extended characters in the filename may cause problems (including crashes) if the JVM is not configured correctly. CommonSpot now verifies the configuration at startup time.

Add the following lines to the startup scripts for both Adobe ColdFusion and Lucee:

export LC_ALL="en_US.UTF-8" export LANG="en_US.UTF-8"

These need to run before the 'coldfusion start' (ACF) or 'lucee_ctl start' step. The locale can be different (i.e. the first part doesn't have to be 'en_US'), but the second part must be UTF-8 - and the two settings should be the same.

Lucee Only Settings

● If Apache and Lucee are NOT running as the same user, the following setting change must be made in catalina.sh.

Set UMASK to be 0022 instead of the default of 0027, which blocks access to everyone except admin and the Lucee process user. ● Lucee data sources are created with the Connection limit (max) setting defaulted to 100. On a busy site, this can cause problems. Because the Lucee API does not provide access to this setting, we recommend the setting be changed to -inf- (infinite) to prevent crashes.

14 Multimedia

● In order to play a multimedia file from the Multimedia Report, there must be at least one player set with each multimedia file type as the default. Go to Site Administration > Multimedia Services > [ External and/or Local ] > Players > Edit > Supported Formats - Select at least one so that all formats used on your site have a default player.

Run Upgrade & Other Utilities

All releases require running /commonspot/upgrade/ to reset factory data, database indexes, and database functions. Then restart ColdFusion/Lucee.

PaperThin also recommends the following: ● Clear Browser Cache ○ Instruct all users to clear browser cache. This step is required for using the Rich Text Editor in CommonSpot as well as native dialogs. ● Rebuild Stub Files ○ You should run the Rebuild Stub Files update utility. See Site Administration - Utilities - Rebuild Stub Files. ● Rebuild Cache ○ This update may result in outdated cache files. For best results, schedule a Rebuild Cache job to run periodically to make sure that even the oldest cache files are reasonably current. See Server Administration - Utilities - Server Scheduled Jobs.

Full-Text Search

● Because of limitations in the 'built-in' search engines provided with ColdFusion and Lucee, these engines are no longer supported by CommonSpot. We recommend installing the latest available Solr as described in this K nowledge Base Article. ● REINDEXING REQUIRED: The Solr schema used with CommonSpot 10.6 has been extended to include several new fields to allow more optimal performance. All full-text collections need to be deleted and recreated. If a custom interface has been written using the API, several methods have new arguments which will need to be handled. ● For security reasons, ensure that the Solr engine is not visible beyond the local network (i.e. ensure that port 8980 (or whatever port Solr is configured to use) is closed to outside requests). ● SOLR interface no longer requires use of the setting 'e nableStreamBody=true' in SOLR configuration files. Use of this setting creates a security vulnerability, so PaperThin recommends updating the configuration file for each SOLR collection to remove it.

To locate this setting, click on the 'CommonSpot Search Settings' link on the

15 CommonSpot 'Server Administration' page. Click 'next' and make note of the 'Solr Collection Directory' setting.

This directory contains a child directory for each Solr collection. Review the 'solrconfig.xml' file in the 'conf' subdirectory for each collection and remove the 'e nableStreamBody=true' attribute from the 'requestParsers' item.

Example:

Style Sheet Considerations

If upgrading from any version prior to 10.5.0, this section may require action by you prior to the upgrade. Failure to take these steps could result in unexpected styles being applied.

Some of CommonSpot's core styles have changed to make CommonSpot fully 508 compliant. Use of inline styles and Presentational attributes has been removed for CommonSpot elements in favor of classes. Prior to 10.5.0, the 'default.css' style sheet in the site's root 'style' folder was not overwritten so as to avoid discarding any customizations.

CommonSpot 10.5.0 had moved all the stock classes from default.css to \commonspot\site-default.css to allow separation between CommonSpot default values and site-specific customizations.

If your Style Sheet Sets include default.css (from the \site root\style folder) the upgrade to 10.5.0 will change the reference to \commonspot\site-default.css instead. ● If you have made no alterations to default.css there is no action needed on your part ● If all your custom styles are made via additional style sheets added to the style sheet set, there is no action needed on your part. ● If you have modified default.css (changed or added) you must make modifications in order to keep the custom styles you need. Compare your copy of \yoursite\style\default.css to \commonspot\site-default.css. There are two options available to keep your custom styles. 1. Move the custom styles you wish to keep to \site root\style\default-override.css. If this file is present, it will be loaded automatically for the whole site. . If that is an acceptable option no further action is necessary. If you do NOT want all your custom styles to be loaded for the whole site, use option 2. 2. Move the custom styles to a new style sheet and register that sheet with the appropriate style sheet set(s)

16 Other Notes

Read a ll interim release notes. This is particularly important if you are upgrading from a release earlier than 9.0.5. Interim release notes document important changes to system and configuration requirements, browser and server cache handling, scheduled jobs, text handling, and performance considerations. Read all Release Notes starting with versions greater than your current version including 9.0.5, 10.0.0, 10.0.1, 10.0.2, 10.5.0, 10.5.1, 10.5.2, and 10.6.0 available from: http://www.paperthin.com/support/knowledgebase/doclibrary/index.cfm

Recommendations and requirements for ColdFusion, Lucee and MySQL settings may be found here: https://www.paperthin.com/support/knowledgebase/articles/configuration-settings.cfm https://www.paperthin.com/support/knowledgebase/articles/lucee-requirements.cfm https://www.paperthin.com/support/knowledgebase/articles/Supported-MySQL-Versions.cfm

If you have custom code using CommonSpot variables, review updates to deprecated values on the PaperThin Support site for all releases. Please visit: https://www.paperthin.com/support/knowledgebase/deprecated-variables.cfm

Special Upgrade Offer

PaperThin has launched a new online product which helps organizations more efficiently test their website upgrades. In a nutshell, the product reduces the manual testing effort required to ensure your website upgrade did not adversely affect your site, while providing more accurate automated testing results.

How does it work? The cloud-based Website Upgrade Tester tool takes screenshots of pages within your site, before and after your Website upgrade. It then visually compares the screenshots, examining them pixel-by-pixel to see if there are any differences, and reports those to you. You can quickly view either a 'difference' image, which shows the changed pixels in red, or a side by side comparison of the before and after screenshot to see exactly what changed. The tool also detects JavaScript and resource loading errors that may affect your site's behavior.

So, don't waste time manually testing your next Website upgrade. Visually compare the 'before' and 'after' automatically.

If you are planning to upgrade your site in the near term, please reach out to Support at [email protected]. For more information on our new product you can watch a short explainer video at h ttps://www.websiteupgradetester.com/explainervideo, or view our website at https://www.websiteupgradetester.com.

17