Orchard Core 1.2.2 release, Media search indexing - This week in Orchard (26/01/2022)

Gábor Domonkos
Announcement, Documentation, This week in Orchard

Orchard Core 1.2.2 is now available, addressing some other security issues. Check out this post to learn what's in this release of Orchard Core and to see the latest features of the framework!

Orchard Core updates

Media search indexing

The idea here was to allow searching for content in files. Last summer, you could see a demo in this This week in Orchard post of a feature that provides a simple implementation to index media for search. More precisely, it indexes media files related to content items, so those content items will turn up in search when one of their media files matches the search query. And now this feature is merged into the main branch of Orchard Core! Check out the updated documentation to learn more!

Media Indexing documentation

Remove multiple compilation paths on MediaTokenService

From the next minor version, Orchard Core will only build with .NET 6.0, so we can remove everything from the code that does not target .NET 6.0 specifically. This time the ParseQuery method of the MediaTokenService got simpler: we no longer need the slower version and can use the fast version with structs.

Remove legacy ParseQuery method from MediaTokenService

Add response to SmtpResult

When you send an SMTP request, the response can be read, and now you can do whatever you want with the response. We already know if it failed or not from the SmtpResult, but now there is even more information in the Response.

Return the response from the SMTP server

News from the community

Orchard Core 1.2.2 release

Orchard Core 1.2.1 has been released a few days after the 1.2.0 one, and here comes 1.2.2 to address some other security issues. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core!

Orchard Core 1.2.1 release

Don't forget that 1.2.x is the latest minor version of Orchard Core that can be built with .NET Core 3.1 and .NET 5. If you take the main branch, it will only build with .NET 6.0, and the upcoming versions will only be shipped with .NET 6.0. .NET 6.0 is an LTS release and has been shipped for many months now, with some security updates already. This also makes local builds with Visual Studio faster, and the CI is faster because it doesn't have to build everything three times and run the tests three times. Now let's see the fix that is in this release!

If you have a Link Field, you can provide a URL to that field, and the URL is now sanitized. Before this change, you could pass some JavaScript in the URL. What we are doing now is checking that the link we are generating is sanitized. This issue was also in the Menu Item Link Field and in the HTML Menu Item Link Field, so everywhere where we pass a link.

Sanitize the displayed link in the DisplayDriver of the Link Field
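To illustrate the kind of check involved, here is an added example (not Orchard Core's own code, which this post does not show) that accepts a link URL only if it is relative or uses an allowed scheme. The `LinkUrlCheck` class, the `IsSafeLinkUrl` method and the scheme list are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class LinkUrlCheck
{
    // Assumption: the schemes this site accepts in link fields.
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto", "tel" };

    public static bool IsSafeLinkUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;

        // Browsers ignore tabs, newlines and leading control characters in a
        // URL, so drop them before reading the scheme.
        var cleaned = new string(url.Where(c => c > ' ' && c != '\u007f').ToArray());
        if (cleaned.Length == 0) return false;

        // The scheme is whatever precedes the first ':' when that ':' comes
        // before any '/', '?' or '#'. Without one, the URL is relative.
        int i = cleaned.IndexOfAny(new[] { ':', '/', '?', '#' });
        if (i < 0 || cleaned[i] != ':') return true;

        return AllowedSchemes.Contains(cleaned.Substring(0, i));
    }

    public static void Main()
    {
        // Constructed sample inputs.
        var samples = new[]
        {
            "https://example.com/",
            "/blog/post-1?page=2",
            "mailto:hello@example.com",
            "javascript:alert(1)",
            "JaVa\tScRiPt:alert(1)",
            "data:text/html,<p>x</p>",
        };

        foreach (var s in samples)
        {
            var verdict = IsSafeLinkUrl(s) ? "accept" : "reject";
            Console.WriteLine(verdict + "  " + s.Replace("\t", "\\t"));
        }
    }
}
```

A check like this belongs both where the value is saved and where the link is rendered, since content stored before the fix may already hold a script URL.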

Another fix was in AuditTrailContentController.cs, to be consistent with the other fixes. Error messages can't contain HTML, and the issue is that _notifier.WarningAsync asks for a LocalizedHtmlString. Why is it asking for a LocalizedHtmlString? Because WarningAsync expects a localized string created with H[""]. In this case, the goal was to render an error message as a notification, but the error message is a plain string. So the developer decided to wrap the error message in a LocalizedHtmlString and pass that. Doing so says that this is a safe string that is already encoded and can be used in a view, which is what H[""] does. Here everything is safe, so it can be passed as a LocalizedHtmlString: we are lucky that the error message is safe because internally it's a static string. But we don't do that, because other developers could copy this code without understanding whether it is safe or not. So let's assume that it's not safe, and that you shouldn't pass it as a LocalizedHtmlString, because that will prevent the notifier from encoding the result. The fix is to pass the error message as an argument, and because it's passed as an argument, it will be encoded. This is how we safely pass a LocalizedHtmlString to a notifier from an unknown string: we just pass it as an argument. If you would like to know more about the fixed security issues, don't forget to check out this recording on YouTube!

Localize notifier messages
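The difference between wrapping a string and passing it as an argument can be seen with ASP.NET Core's LocalizedHtmlString alone. This is an added example, not the code from the Orchard Core fix; the error message is a constructed value, and the project is assumed to reference the ASP.NET Core shared framework (Microsoft.AspNetCore.App).

```csharp
using System;
using System.IO;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc.Localization;

public static class NotifierEncodingDemo
{
    // Writes the content out the way a Razor view does: through WriteTo
    // with an HTML encoder.
    public static string Render(LocalizedHtmlString message)
    {
        using var writer = new StringWriter();
        message.WriteTo(writer, HtmlEncoder.Default);
        return writer.ToString();
    }

    public static void Main()
    {
        // Constructed value standing in for an error message of unknown origin.
        string errorMessage = "Version <b>3</b> could not be restored";

        // Wrapping: the string becomes the localized value itself. The value is
        // treated as markup that is already safe, so it is written unencoded.
        var wrapped = new LocalizedHtmlString(nameof(errorMessage), errorMessage);

        // Passing as an argument: the value is a fixed format string and the
        // message is an argument, and arguments are HTML-encoded on output.
        // With an IHtmlLocalizer this is H["{0}", errorMessage].
        var asArgument = new LocalizedHtmlString("{0}", "{0}", false, errorMessage);

        Console.WriteLine("wrapped:     " + Render(wrapped));
        Console.WriteLine("as argument: " + Render(asArgument));
    }
}
```

Running it shows the markup surviving in the first line and appearing as encoded text in the second, which is why the argument form stays safe even if the message later stops being a static string.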

Looking for some useful Orchard Core extensions that can help you improve your Orchard Core 1.2.2 application faster and more easily? Here's a bundle solution of all of Lombiq's open-source Orchard Core extensions (modules and themes). Clone and try them out now!

This is an Orchard Core CMS Visual Studio solution that contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries. And we have also updated the solution to use Orchard Core 1.2.2!

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 240 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.

Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!

If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!
