Vaadin Framework 7.7.52

The Vaadin Framework 7.7.52 is an extended-support release with the following changes:

• Fixed a client side crash in ResponsiveConnector.

  • Execution would fail if a CSS rule did not have the selectorText property set. This change handles the unset property gracefully.

• Improved license checking strategy.

  • License checking is now performed more consistently during development. If an application built with Vaadin 8.31+ is deployed in a production environment without a valid license key present, an error event is logged.

  Read more about license validation on production servers here.

Vaadin Framework 8.31.0

Vaadin Framework 8.31.0 is an Extended Maintenance release with the following changes:

• Fixed a client side crash in ResponsiveConnector.

  Execution would fail if a CSS rule did not have the selectorText property set. This change handles the unset property gracefully.

• Fixed a client side compatibility error in DateField when using Java 21.

  The toMap Collector used in AbstractDateFieldConnector would fail to work under Java 21. The code was refactored to avoid the
  usage of toMap.

• A11Y: Improved screen reader compatibility of DatePicker and other Calendar Panel derived widgets when using keyboard navigation.

  This change explicitly modifies the tab index of day elements in the calendar widget which helps screen readers like NVDA properly respond to the keyboard navigation.

• A11Y: Added enhanced ARIA role attributes to Calendar popup widgets to improve accessibility.

• Improved license checking strategy.

  License checking is now performed more consistently during development. If an application built with Vaadin 8.31+ is deployed in a production environment without a valid license key present, an error event is logged.

  Read more about license validation on production servers here.

Vaadin Framework 8.30.1

Vaadin Framework 8.30.1 is an Extended Maintenance update release with the following changes:

• Fixed a packaging issue with Vaadin Maven Plugin, where Maven versions after 3.9.12 would require the use of JDK 11 or later, due to the plugin descriptor specifying that as the required Java version.

  This has not been an issue with previous versions of Maven, and had thus gone unnoticed.

• Added logic to prevent starting a session when accessing the /VAADIN context path to mitigate a potential abuse vector.

• Adjusted scrollbar padding for Firefox to prevent the scrollbar overlapping with Grid content in current Firefox versions.

• Fixed a mention of a nonexistent function in the JavaDoc of the WebBrowser class.

Vaadin Framework 7.7.51

The Vaadin Framework 7.7.51 is an extended-support release with the following changes:

• Fixed a packaging issue with Vaadin Maven Plugin where it would incorrectly advertise the required JVM version as 11 instead of 1.8.
• Added a security check to BootstrapHandler to prevent serving of /VAADIN/* as a context path. Backport of Flow PR #22998.

Vaadin Framework 7.7.50

The Vaadin Framework 7.7.50 is an extended-support release with the following changes:

• Added sanitisation to Action captions unless HTML content mode is specified.
• Added checks to prevent the same CSS strings from being injected into the styles multiple times.

Vaadin Framework 8.30.0

Vaadin Framework 8.30.0 is an Extended Maintenance release with the following changes:

• Updated the behavior of captions of Actions to remove any HTML from the passed-in caption string by default to guard against unexpected XSS vulnerabilities. This change may require updating your code.

  Rationale: the Action class is used for a lot of things throughout the Framework, including things such as populating custom drop-down menus.
  An issue was discovered in Spreadsheet where the caption string was being passed as-is into the DOM. This would normally be a benign unintended feature, but in the event that the caption string is populated from an untrusted source (such as from direct user input, which is then shared between sessions, or a translation table that can be edited by a third party) this can allow for the injection of malicious HTML, leading to cross site scripting vulnerabilities.

  The default behavior is now to use JSoup to strip any and all HTML tags out of the Caption string. Since some users may be relying on the caption string being able to contain HTML, overloaded constructors for Action as well as an overloaded setCaption function that take ContentMode as a second parameter were added. This allows specifying ContentMode.HTML to have the caption string be passed through without sanitation, and this also provides an indicator in the code that HTML content is to be expected in the caption string.

• Added ChartElement class to testbench-api for Vaadin Charts support in Testbench.

• Added ARIA handling to VListSelect. This allows screen readers to respond to ListSelect components.

• Changed ComboBox dropdown's ARIA role from List to ListBox to improve screen reader behavior with ComboBox components.

• Included vaadin-testbench artifact as part of vaadin-bom to provide a compatible default version whenever vaadin-bom is used in dependency management.

Vaadin Framework 8.29.0

Vaadin Framework 8.29.0 is an Extended Maintenance release with the following changes:

• Implemented ARIA caption handling in VNativeSelect, allowing ARIA captions to be used in NativeSelect components.

• Improved the server-side WebBrowser class and the client-side BrowserInfo class' implementation of the .isIOS() call by adding an additional heuristic of checking for a maximum touch points value greater than 2 if an operating system of MacOS X is reported by the user agent.

  Also improved the WebBrowser class by adding null checks for all functions requiring a valid VBrowserDetails instance, so that they adhere to documented behavior, and added the WebBrowser.onInformationAvailable(Runnable) method that can be used to register a callback that fires once as soon as information about the client's browser is available.

  Also improved documentation around these facilities.

• Updated atmosphere version to 2.4.30.vaadin9 to fix a NullPointerException in DefaultAtmosphereResourceSessionFactory when resource is null.

  Atmopshere could experience a race condition, where event.destroy() would be called before notifyEventListeners(), setting the resource to null, triggering the bug.

  Fixes Atmosphere issue #2527.

• Updated commons-io to version 2.20.0 to address CVE-2022-42889.

Vaadin Framework 7.7.49

The Vaadin Framework 7.7.49 is an extended-support release with the following changes:

• Made loading of scripts happen synchronously like in Vaadin 8
• Added support for the usage of multiple @JavaScript and @StyleSheet annotations on a class
• Bumped Atmosphere version to fix a potential NPE issue
• Fixed internal Atmosphere version check to correctly detect MPR/Jakarta version of Push
• Updated license checker invocations to be compatible with upstream technical licensing changes.

Vaadin Framework 8.28.4

Vaadin Framework 8.28.4 is an Extended Maintenance update release with the following changes:

• Fixed critical issue in license checking which became evident with 8.28.3 during the release. While the 8.28.3 release artifacts are available, build announcements were held back due to this issue. This release restores old behavior.
• Fixed a NullPointerException in Push (Atmosphere) where a missing null check in a logging call would create a mystery stack trace on the server when attempting to communicate with an already disconnected client. This is likely the fix to an issue reported in Flow.
• Fixed the Push version check to not complain about vaadin-push-jakarta.
• Fixed an issue where getBeanPropertyDescriptors() could include
  properties more than once in the returned results list.
  This is a backport of Flow PR #21836.
• Updated license checker for improved compatibility.

Vaadin Framework 7.7.48

The Vaadin Framework 7.7.48 is an extended-support release with the following changes:

• Updated to Atmosphere 2.4.x, and consequently, Java 8. This bumps the minimum Java requirement from 7 to 8.
• Added changes to make interrupting uploads more reliable, and block a possible security issue in the process.