Orchard Core 1.3.0, fix missing permission checks and encoding - This week in Orchard (24/03/2022)

Gábor Domonkos
Announcement, Documentation, This week in Orchard, Permission

We are thrilled to announce that Orchard Core 1.3.0 is now available! Check out this post to learn everything about the latest release of Orchard Core. We start looking at the newest features and additions of the current release now and will continue next week too. Let's get started!

Orchard Core updates

Fix missing permission checks and encoding

These security fixes ship with Orchard Core 1.3.0 and target two major issues. The first is that some controllers did not perform their authorization checks correctly. Here you can see the changes to the AdminController of the Features module.

Adding missing permission checks

The second change is in the SEO module, which had XSS issues. They were not very critical, because you have to reach the admin editor to exploit them, and when you define SEO settings for the front-end you might legitimately want to render HTML. The output is now sanitized against XSS: the properties in the SeoPart are encoded in a way that still lets you use Shortcodes, but nothing else. You can't write any HTML you want, just the ones that make sense. There is one special case, the Google Schema: now it's not outputting anything, it's just validating the JSON format that you have provided.

When you create custom Shortcodes, the usage of the Shortcode (which is just some documentation) is now sanitized as well, so you can't inject custom JavaScript code into the description of a Shortcode and try to hack people on the same admin page.

Validating Google Schema
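
The two SEO-module mitigations described above (encoding free-text properties, and accepting the Google Schema only when it parses as JSON), as an added example that is not Orchard Core's own code. The `SeoOutput` class and its methods are hypothetical names, the inputs are constructed, and the `<` escaping step goes beyond what the post describes.

```csharp
// Added example, not Orchard Core source. SeoOutput and its methods are hypothetical.
using System;
using System.Text.Encodings.Web;
using System.Text.Json;

public static class SeoOutput
{
    // Encode a free-text SEO property before it is written into an HTML attribute.
    public static string MetaTag(string name, string value) =>
        $"<meta name=\"{HtmlEncoder.Default.Encode(name)}\" content=\"{HtmlEncoder.Default.Encode(value)}\" />";

    // Accept the schema only if it parses as a JSON object or array.
    public static bool TryValidateSchema(string input, out string safeJson)
    {
        safeJson = string.Empty;
        if (string.IsNullOrWhiteSpace(input)) return false;
        try
        {
            using var doc = JsonDocument.Parse(input);
            var kind = doc.RootElement.ValueKind;
            if (kind != JsonValueKind.Object && kind != JsonValueKind.Array) return false;
        }
        catch (JsonException)
        {
            return false; // markup or script is not well-formed JSON
        }
        // In valid JSON, '<' can only occur inside a string, so this escape keeps the
        // data identical while stopping "</script>" from closing the script element.
        safeJson = input.Replace("<", "\\u003c");
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(SeoOutput.MetaTag("description", "\"><script>alert(1)</script>"));
        string[] schemas =
        {
            "{\"@context\":\"https://schema.org\",\"@type\":\"Article\",\"headline\":\"Hi\"}",
            "{\"headline\":\"</script><script>alert(1)</script>\"}",
            "</script><script>alert(1)</script>",
        };
        foreach (var s in schemas)
            Console.WriteLine(SeoOutput.TryValidateSchema(s, out var json)
                ? $"accepted: <script type=\"application/ld+json\">{json}</script>"
                : "rejected: not valid JSON");
    }
}
```

The second schema is well-formed JSON and passes validation, which is why the escape matters if the value is ever written into a script element; the third is rejected outright.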

Update full-text search index documentation

Orchard Core provides a Lucene module/feature that allows you to do a full-text search on your websites. You can configure which text/data you want to index in the Content Type configuration by using Liquid. The following guide shows you step by step how to implement a website full-text search. The page has now been updated with the following section: if your content item is also a set of content items, then you need to call the full_text_aspect helper to include the content of the content item inside the full-text search index.

Updated documentation for full text search

Fix NRE with TaxonomyIndex

The index runs while a content item is being cloned, right after an empty content item has been created (so before the actual cloning). The fields are there, but all of them are null. Casting such a field to JObject fails, because the null is a JValue. The solution is to do the cast in another way, by using the as keyword.

Fix NRE with TaxonomyIndex

News from the community

Orchard Core 1.3.0

Orchard Core 1.3.0 is now available! If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the updated version of Orchard Core!

There is a new page in the documentation with the breaking changes and the new features. Upgrade your solution to 1.3.0 now! Feel free to drop by the dedicated Gitter chat and ask questions!

And don't forget: this release is removing support for netcoreapp3.1 and net5.0. Only net6.0 is supported.

Orchard Core 1.3.0 on NuGet

Updated Lombiq's Open-Source Orchard Core Extensions

Lombiq's Open-Source Orchard Core Extensions is an Orchard Core CMS Visual Studio solution. It contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, like the Lombiq UI Testing Toolbox or the Training Demo module that guides you to become an Orchard Core developer. From now on, this solution with all the extensions inside is updated to Orchard Core v1.3.0 and .NET 6!

Included projects in the Lombiq's Open-Source Orchard Core Extensions

Orchard Dojo Newsletter

Lombiq's Orchard Dojo Newsletter has 241 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.

Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!

If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!
