Forums/Official HammerKit Support/Announcements

HammerKit Version 4.0.1 out June 12, 2011

Paula Holst
posted this on Jun-07 15:17

Release information

  • Version number: 4.0.1
  • Release date: June 12th, 2011
  • Release type: Bug fixes and new features
  • Backwards incompatible changes: Yes

New features

Default HTML escaping

A security-related change to the Print element and HammerScript. In their default modes both the Print element and HammerScript printed text out unchanged, which very often opened the door to XSS (Cross-Site Scripting) vulnerabilities on sites. Since the text is usually printed into HTML, it should be HTML-escaped by default so that possibly malicious JavaScript cannot be injected into the page. In the Print element the default mode "Normal" now does HTML escaping. The other mode, "Plain", prints the text out as is, without any changes.

The same change has been made to HammerScript, where the default form "{$ ... }" now HTML-escapes the text. A new form "{! ... }" prints the text out as is, without any changes.

HammerScript enabled in style properties

Previously it was not possible to define values with HammerScript in style properties that use object choosers, for example the background-color property. Now HammerScript can be written directly into the chooser's text input field.

JavaScript Elements for document body

The JavaScript Element can now add a JavaScript script tag directly to the body of the document where the element is placed. Previously the code could only be added to the document head.

Preloader animation added

Added a preloader for resources such as images when logging into HammerKit Studio. This makes the user experience much smoother and faster, because images are no longer loaded only at the moment they are first needed and shown in the user interface.

Container DIV/SPAN elements made more visual

We have added 5 pixels of padding inside DIV elements. This makes it clearer to work with the elements nested inside a DIV element.

Bug fixes

Recursion depth counter for preventing infinite loops

It has been possible to create an infinite loop by including a component inside itself. This crashed the site with an Internal Server Error (500). This is now fixed with a recursion depth counter that allows a maximum recursion depth of 1000. It is still possible to include a component inside itself; this is needed if one wants to build a recursive function out of components. But once the recursion depth reaches 1000 the system throws an exception and stops any further inclusions.
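The following is an added example, not HammerKit's own code, showing how a recursion depth counter of this kind works. It models components as JavaScript functions that receive an `include` callback (an assumed model; HammerKit's real component API is not shown on this page) and includes constructed sample components: a terminating recursive countdown, which is the legitimate use case the post mentions, plus a self-include and a mutual include that never terminate.

```javascript
// Added example (not HammerKit code): bounding component inclusion depth.
// Assumptions: components are functions (include, ctx) => string and the
// limit of 1000 matches the release note. Sample components are constructed.
const MAX_RECURSION_DEPTH = 1000;

class RecursionDepthError extends Error {
  constructor(name, depth) {
    super(`maximum recursion depth ${depth} exceeded while including component "${name}"`);
    this.name = 'RecursionDepthError';
  }
}

// Render component `name` with context `ctx`. `depth` counts how many nested
// includes led here; the top-level render is depth 0.
function renderComponent(components, name, ctx = {}, depth = 0) {
  if (depth >= MAX_RECURSION_DEPTH) {
    throw new RecursionDepthError(name, MAX_RECURSION_DEPTH);
  }
  const component = components[name];
  if (typeof component !== 'function') {
    throw new Error(`unknown component "${name}"`);
  }
  // The only way a component can embed another one is through this callback,
  // which carries the incremented depth with it.
  const include = (child, childCtx = {}) =>
    renderComponent(components, child, childCtx, depth + 1);
  return component(include, ctx);
}

// Constructed sample components.
const components = {
  // Terminating recursion: the context carries the stop condition.
  page: (include) => `<main>${include('countdown', { n: 3 })}</main>`,
  countdown: (include, ctx) =>
    ctx.n > 0 ? `${ctx.n} ${include('countdown', { n: ctx.n - 1 })}` : 'liftoff',
  // Non-terminating: a component that includes itself unconditionally...
  loop: (include) => `x${include('loop')}`,
  // ...and two components that include each other.
  ping: (include) => `p${include('pong')}`,
  pong: (include) => `q${include('ping')}`,
};

// Turns the depth exception into a controlled error response instead of
// letting an unbounded recursion take the whole request down.
function renderOrError(components, name) {
  try {
    return { status: 200, body: renderComponent(components, name) };
  } catch (err) {
    if (err instanceof RecursionDepthError) {
      return { status: 500, body: err.message };
    }
    throw err;
  }
}

console.log(renderOrError(components, 'page'));
console.log(renderOrError(components, 'loop'));
console.log(renderOrError(components, 'ping'));
```

The counter is passed along with each include rather than kept in a global, so a component rendered twice on one page (once nested deeply, once at the top) is measured by its own inclusion chain. A depth limit still lets a runaway include burn up to 1000 render calls before stopping, so a limit this high is a safety net against crashes, not a substitute for a stop condition in the recursive component itself.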

Session break issues fixed

Two separate bugs that broke sessions have been fixed. In the first case the bug erroneously created two sessions and sent two session cookies to the client, which sometimes broke the session. The other bug broke sessions by sometimes storing the session data file in the wrong location on the server.

The bug that started the session twice also gave a wrong value for the previously called document component (the "previous" identifier for components). This has now been fixed as well.

Component template and access settings copying

Bugs related to copying a component's settings have been fixed. The template and access settings of a component were lost when the component was copied. These settings are now copied correctly as well.

Backwards incompatible changes

The change to the default print mode in the Print element and HammerScript affects elements whose printed text contains HTML markup. Before this change the text was printed out as is, without any HTML escaping. From this version on, the default mode of the Print element and HammerScript performs HTML escaping on the text. If the element was meant to add HTML markup to the output, the print mode of the Print element needs to be changed from "Normal" to "Plain". If the HTML markup was added to the output with HammerScript, the opening tag of the script needs to be changed from "{$" to "{!". Review each such element before switching it: only text that the site itself generates should be printed unescaped, while anything that originates from users or other untrusted sources should stay in the escaping default.

This change was made to improve the default security of sites built with HammerKit. Text containing malicious HTML markup with JavaScript could in many cases be easily added to the document output, resulting in cross-site scripting (XSS).
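The following is an added example, not HammerKit's own code, illustrating both the "Default HTML escaping" feature above and the migration described under "Backwards incompatible changes". It implements a minimal HammerScript-style template renderer in which "{$ name }" escapes and "{! name }" prints raw, renders a constructed user comment containing a script payload through both, and includes a small helper that rewrites selected "{$ ... }" tags to "{! ... }" for templates that really are meant to emit markup. The template syntax, variable names and helper are assumptions for the example; HammerKit's actual parser is not shown on this page.

```javascript
// Added example (not HammerKit code): default-escape vs raw output and the
// migration of templates that intentionally emit markup.

// The five characters that matter in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEscape(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in renderer. Assumed syntax: "{$ name }" or "{! name }" with optional
// whitespace around a variable name. "$" is the safe default, "!" is raw.
const TAG_RE = /\{([$!])\s*(\w+)\s*\}/g;

function renderTemplate(template, vars) {
  return template.replace(TAG_RE, (match, mode, name) => {
    if (!(name in vars)) return match; // assumption: unknown variables are left as-is
    const value = vars[name];
    return mode === '$' ? htmlEscape(value) : String(value);
  });
}

// Migration helper: switch only the named variables from "{$" to "{!".
// Everything else keeps the escaping default.
function migrateToRaw(template, rawNames) {
  const raw = new Set(rawNames);
  return template.replace(TAG_RE, (match, mode, name) =>
    raw.has(name) ? `{! ${name} }` : match);
}

// Constructed sample: a page template and values as they might come in.
const template = '<h1>{$ title }</h1>\n<div class="body">{$ body }</div>\n<p class="comment">{$ comment }</p>';
const vars = {
  title: 'Release notes',
  body: '<b>Site-generated</b> markup that should render as HTML',
  comment: '<img src=x onerror=alert(document.cookie)>', // untrusted user input
};

// Default after 4.0.1: everything escaped, the payload becomes inert text,
// but the site's own markup in `body` is shown literally too.
const escaped = renderTemplate(template, vars);

// Migration: only `body` is switched to raw; `comment` stays escaped.
const migrated = migrateToRaw(template, ['body']);
const rendered = renderTemplate(migrated, vars);

console.log(escaped);
console.log(rendered);
```

HTML escaping is the right default for text placed into element content or into quoted attribute values. It does not make untrusted text safe inside a `<script>` block, an event-handler attribute, an unquoted attribute, or a `href`/`src` URL; those contexts need their own encoding, so a Print element in one of them should be reviewed rather than just left at "Normal".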