We are thrilled to announce that Orchard Core 1.4.0 is now available! Check out this post to know everything about the latest release of Orchard Core! Now let's see the newest features and additions of the current release that we will continue next week too! Let's get started! Orchard Core updates Remove form tag from allowed tags during sanitization Now we explicitly remove the form tag when we do sanitization. The default HtmlSanitizerService doesn't do that, but for security reasons, the community decided to do it. The documentation has been updated as well, so if you want to be able to render the form tags, then you need to configure it. Set security stamp when the user is disabled Disabling a user should invalidate the user's security stamp. When the security stamp validator revalidates the cookie, the user will then be expired. Here you can see the new UserDisabledEventHandler, which calls the UpdateSecurityStampAsync method, to update the security stamp for the user who needs to be disabled. Ignore IUpdateModel and BuildPartDisplayContext in console_log The console_log on FlowPart shape returned logs of C# Runtime objects. To reproduce the bug, you had to follow these steps: Use {{ Model.Content | console_log }} or @Orchard.ConsoleLog((object)Model). Log model containing FlowPart. See the browser's log and find C# Runtime properties logged. The expected behavior would be to just log the shape-related properties and ignore IUpdateModel and BuildPartDisplayContext properties in console_log for shape JSON. Now you can see that the view models for editing and displaying the BagParts and FlowParts gets the IgnoreDataMember, and BindNever attributes to do not log these properties. Demos Lombiq Base Theme for Orchard Core A few weeks ago, we mentioned that our Base Theme for Orchard Core is officially released. After that, we showed how you can use the Resource Management feature to include assets based on different conditions easily and how to construct your home page menu structure using the main navigation name in the Base Theme. Our goal with this Base Theme for Orchard Core is to have all the common things that you usually do when making a theme, like setting up the layout and the zones, setting up variables and mixins, and so on. We hope this makes the whole theme development easier and faster for you. This time we just want to give you a short overview of the other useful features that you can get if you build your own custom Orchard Core theme by using our Base Theme for Orchard Core. The theme has some built-in zones (you have to run the Lombiq Orchard Core Base Theme - Layers and Zones recipe that creates these zones), which could be familiar to you if you used Orchard 1.x in the past because it has the same names as you faced with the default theme of the previous version of Orchard. The theme by default uses a front-end menu which is the same as the admin menu just uses the Main name instead of admin. The Layout.cshtml file of the theme automatically sets up the normal things like the viewport, language, etc, injects the Header, and injects the latest Bootstrap, so it actually overrides the one coming from Orchard Core with the one that you set up in your theme via npm. This is good if you need some features that are newer than the one in the release. You can also find a very tiny JavaScript helper that lets you have a ready event. It makes the library a little bit slimmer. If you would like to know more about this theme, head to YouTube for a demo! News from the community Orchard Core 1.4.0 Orchard Core 1.4.0 is now available! If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the updated version of Orchard Core! There is a new page in the documentation with the breaking changes and the new features. Upgrade your solution to 1.4.0 now! Feel free to drop on the dedicated Gitter chat and ask questions or use GitHub Discussions! Orchard Core Commerce MVP planning and survey A few weeks ago, you could see a nice demo about the Orchard Core Commerce module. And in that blog post, we also mentioned that Lombiq provides stewardship for this module. That actually means that we will do code reviews and work on features and fixes. To have that, Márk Bartha (who is the project leader from our side) started this thread and added this survey. This is about asking the community what the most important features for you would be in an Orchard Core-based e-commerce solution. If you do e-commerce or if you have an opinion about e-commerce, please share your opinion here. The point of this is to try to do not all the things but focus on what is really needed first. Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 275 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Fixing that unpublishing and editing content item with uninitialized ContentPickerField breaks, renaming ReverseProxySettings permission to ManageReverseProxySettings, and our Base Theme for Orchard Core is officially released! Check out our current post to read about the details! Orchard Core updates Rename ReverseProxySettings permission to ManageReverseProxySettings The Reverse Proxy Configuration module enables the configuration of hosting scenarios with a reverse proxy, like enabling the forwarding of the HTTP header X-Forwarded-For and so on. You can manage these options under Configuration -> Settings -> Reverse Proxy, but you need to have the proper permission to do that. Now this permission has a new name, called Manage Reverse Proxy Settings, that you can manage for every role under Security -> Roles. Unpublishing and editing the content item with an uninitialized ContentPickerField breaks If you have a custom ContentPart that contains a ContentPickerField and it's not initialized (so null) and you try to unpublish the content type, it will say it was unpublished, but that won't be true. If you try to edit and publish the same content item, you will get "An unhandled exception occurred while processing the request." error. Dávid El-Saig realized this can be avoided by giving the field a default value (public ContentPickerField Related { get; set; } = new();), but it's easy to miss, and the resulting symptoms are not easy to connect with the true problem. Steps to reproduce the behavior: Create a content type via migration. Start and set up the web app. Create a new content item of the content type. Add a part (e.g. public class RelatedPart : ContentPart { public ContentPickerField Related { get; set; } }) via migration update step. Start up the web app again. Try to unpublish or edit the content item created in step 3. Experience the bug described above. The expected behavior would be that the unpublishing or editing should be successful. And the problem was the following: the if (jPart == null) and if (jField == null) will never be true because if the value is JSON null, it will be a JValue type, so the cast on the preceding line will cause the exception as you can see on the screenshot. This can be fixed if type matching is used instead of casting. And as you can see, there is a new GetContentFields extension that uses the GetContentField extension which contains using the type matching instead of casting. News from the community Lombiq Base Theme for Orchard Core is officially released Our Base Theme for Orchard Core is now officially released! It contains all the foundations to build Orchard themes efficiently with included detailed samples. It can contain any shared content that is not specific to a specific project's theme. You can find the sample module with a commented walkthrough in this repository here. If you want to quickly try out this project and see it in action, clone our Open-Source Orchard Core Extensions full Orchard Core solution and also see our other useful Orchard Core-related open-source projects! We will clone the Lombiq's Open-Source Orchard Core Extensions repository for this demo as well. If you remember, two weeks ago, we mentioned that the Lombiq Helpful Libraries contains an abstract class called MainMenuNavigationProviderBase for creating a home page menu structure using the main navigation name. If you use the Lombiq.BaseTheme, it automatically displays the generated menu as a widget in the Navigation zone. Now it's time to see it in action! Just run our Open-Source Orchard Core Extensions solution and set up your site using the Agency recipe, for example. After that, you can navigate to Design -> Themes and enable the Lombiq Base Theme and Lombiq Base Theme - Samples themes. You can also make the Samples one as the current site theme. Now let's enable some features. Our home page menu structure will display as a widget in the Navigation zone. To have the MenuWidget, we need to enable the Lombiq Helpful Extensions - Helpful Widgets feature. The HelpfulLibrariesNavigationProvider sits in the Samples project of Helpful Libraries, so we have to enable the Lombiq Helpful Libraries - Samples feature as well. Now we can navigate to the home page of our site. The styling looks quite awful, but that's not the point here. As you can see, the Helpful Libraries drop-down now appears with the submenu items that we defined in the Build method. You can see the special LINQ to DB label, and the divider as well. And of course, you have the option to navigate to the given actions to test out the LinqToDbSamplesController that provides some examples of querying the database with Lombiq.HelpfulLibraries.LinqToDb and the TypedRouteController. Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 247 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

This week you can read that the Feature attribute was not working for Razor Pages, the Lucene documentation updates, and a demo of the Orchard Core Commerce module! Are you interested in the details? Check out this post for more! Orchard Core updates Feature attribute was not working for Razor Pages The Feature attribute was not applied to Razor Pages because Razor Pages were always tied to the module. What does it mean? Well, let's follow the steps below: Create a Module with a feature. Add a Razor Page. Add the Feature attribute to a Razor Page. Enable the module and the feature it will serve the Razor Page. Disable the feature - notice that Razor Page is still served. Now, the feature is disabled, and the site should not serve the Razor Page, but it was still served. Now, this has been fixed and you can also try it out if you enable the Orchard Core and Orchard Foo Demo features that sit in the Orchard Demo project. Note that this project is not referenced by default, so if you would like to try it out, you can simply add it to the OrchardCore.Cms.Web, for example. You can find two Razor Pages (Edit and List) with the Feature attribute OrchardCore.Demo.Foo. Meaning that if you enable the Orchard Demo feature but keep the Orchard Demo Foo disabled, you can not reach these pages. Lucene documentation updates You can write elaborate Lucene Queries with the ElasticSearch DSL. This includes the match query type (akin to using the my search term syntax in the search box) and match_all (like writing "my search term" for exact search). And you can optionally use the parsed Lucene search syntax in the search text box. However, the documentation of the Lucene module had some missing examples about how you can combine the two and how to use the search syntax with a Query. The simple_query_string is also available but was missing from the docs, it has been added too. Demos Orchard Core Commerce Orchard Core Commerce will be an Orchard Core port and partial rewrite of the open source Nwazet Commerce module that was built for Orchard CMS 1.x. Nwazet Commerce was initially built in 2012 by Bertrand Le Roy, loosely based on a commerce sample by Sipke Shoorstra. The initial goal of Nwazet Commerce was to power the website of the hardware startup Nwazet. While Nwazet is no longer operating, the Nwazet Commerce project went on, and was further developed by a group of passionate contributors who are using the platform for their own, and their customer's websites. Like Orchard, Nwazet Commerce was built with extensibility in mind, and as such it has its own extensions (typical examples include local tax and shipping modules). It's also pure, idiomatic Orchard. Orchard Core represents a major evolution of the Orchard design principles and is sufficiently different that running Nwazet Commerce on it will necessitate significant work. As such, the community decided that starting from a blank slate was the best way to go, so they will port Nwazet Commerce piece by piece, being careful to accurately apply Orchard Core's new design principles. The community also decided to adopt a new name that gets rid of the now obsolete origins and establishes our ambition for the module to become the go-to commerce module for Orchard Core. This work is in its initial design phases and will focus at first on porting a minimum viable feature set. In this demo, we will check out the current state of the module. To set up your dev environment, you should clone this repository, build and run the SampleWebApp project (set up with any recipe) and enable the Orchard Core Commerce, Orchard Core Commerce Session Cart Storage, and the Orchard Core Commerce Settings Currency Selector features. From now on, you can start using the features by creating a new Product content type and adding the Product part to it, and so on. But you can run the built-in recipes (MultiCurrencyProduct, Order, and Product) to set up your content model just by a few clicks. Meaning you will have a Product content type with a Product Part and multiple Price Parts. Order content type with an Order Part, a shipping address, and a billing address. Product content type with a Product Part and a Price Part. And if you check out the recording below you will know how to create products like this one, where you can define the SKU(Stock Keeping Unit), the base price of the product, and you have the option to attach the built-in Boolean/Numeric/Text Product Attribute Fields that can help you to define the available sizes for the given T-shirt for example. News from the community Lombiq provides stewardship for Orchard Core Commerce You saw the current state of the Orchard Core Commerce module, and if you follow the news around Orchard and Orchard Core, you may notice that the project is moving a little slow because of the level of the contributions. We'd like to announce that Lombiq Technologies provides stewardship for the Orchard Core Commerce project. Bertrand, who initially founded the Orchard 1 and Orchard Core Commerce modules, reached out to us if we are interested in actively maintaining the project. We at Lombiq are really excited about this opportunity. We want to move this forward with proper planning and frequent contributions to the repository. On our side, Márk Bartha will be the project leader. A few seasoned Orchard developers are ready to implement features. But first, we want to hear your opinion about what you need first and most for the MVP. We'll put together a short survey to collect your ideas in an organized manner. Until then, feel free to comment and let us know your thoughts! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 248 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Fixing that content parts/fields were not showing up in preview when ContentCard is used, preventing Visual Studio Missing Components warning, adding UI for email proxy settings, and the Lombiq Orchard Visual Studio Extension now supports Visual Studio 2022! Check out our current post to read about the details! Orchard Core updates Add UI for email proxy settings A few weeks ago, we mentioned that from now you have the option to configure the proxy server and the proxy port number if you would like to set up the SMTP settings. And you must configure ProxyHost and ProxyPort if the SMTP server runs through a proxy server. But you don't have a UI for these until now! If you enable the Email feature and navigate to Configuration -> Settings -> Email, you will find the text boxes that you can use to set up the proxy hostname and proxy port number. Prevent Visual Studio Missing Components warning If you have installed Visual Studio Community 2022 (and don't forget: Orchard Core 1.3.0 release is removing support for netcoreapp3.1 and net5.0. Only net6.0 is supported, which is not supported in Visual Studio 2019), you didn't need to install any additional components. So, maybe we could just remove the .vsconfig file. But maybe still useful to keep it, so Jean-Thierry Kéchichian removed the Microsoft.NetCore.ComponentGroup.Web.2.1, Microsoft.VisualStudio.Component.TypeScript.3.5, and Microsoft.VisualStudio.Workload.NetCoreTools components that aren't included in the Visual Studio Community component directory documentation or marked as no more supported. Content parts/fields were not showing up in preview when ContentCard is used Let's say, you are trying to modify the BagPart to support a read-only scenario. Like if a user does not have permission to EditContent but has permission to ViewContent. In that case, the user should not be able to edit but should be able to view the data. Here are the steps to reproduce the behavior: Add content type A and attach BagPart to it that contains content type B. Make B securable to control who can edit and who can view it. Give the user read-only permission to B and Edit permission to A. At this point, you'll need to modify the BagPart.Edit.cshtml template to set the BuildEditor property to false when the user does not have the proper permission to edit. Finally, you'll need to render the ContentPreview shape on the ContentCard.Frame to display the ContentCard in a preview only. The expected behavior would be that the ContentCard to show up in the BagPart as it would in a preview screen. But it does not. The display the content cards correctly, the fix was to do a little modification in the ContentCard.cshtml file. News from the community Lombiq Orchard Visual Studio Extension now supports Visual Studio 2022 Lombiq Orchard Visual Studio Extension is a Visual Studio extension with many features and templates frequently used by Lombiq developers. It contains Orchard-related (including Orchard Core) as well as generic goodies. It contains several useful features like: Dependency Injector: When a class is opened in the editor, you can inject a dependency with this feature. Type the dependency name, hit Enter, and it will be injected. Orchard Error Log Watcher: Watches the Orchard error log (or any other error log) and lights up an icon when a new entry was logged. And wait, there's more! This feature also supports BlinkStick USB LED sticks that can blink or light up when an error happens. Check out this video for a demo of the whole feature. And from now, our Orchard Visual Studio Extension supports Visual Studio 2022! For more details, check out the Readme! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 244 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

We are thrilled to announce that Orchard Core 1.3.0 is now available! Check out this post to know everything about the latest release of Orchard Core! Now let's see the newest features and additions of the current release that we will continue next week too! Let's get started! Orchard Core updates Fix missing permission checks and encoding These are security fixes that are fixed with Orchard Core 1.3.0. In this case, the fix targets two major issues. The first is that some authorization checks were not done correctly for some controllers. Here you can see the changes of the AdminController of the Features module. The second change is in the SEO module. There were XSS issues in the module. They were not very critical issues because you have to reach the admin editor to do that, and when you define SEO things for the front-end, you might want to render an HTML. But now it's sanitized for XSS reasons. The properties in the SeoPart are now encoded, in a way that you can use the Shortcodes, but you can't type anything else. You can't write any HTML you want, just the ones that make sense. And there is one special case when you set up the Google Schema: now it's not outputting anything, it's just validating the JSON format that you have provided. And when you create custom Shortcodes now the usage of the Shortcode (which is just some documentation) is now also sanitized, such that you can't inject custom JavaScript code in the description of the Shortcodes and try to hack people on the same admin page. Update full-text search index documentation Orchard Core provides a Lucene module/feature that allows you to do a full-text search on your websites. It is possible to configure which text/data you want to index in the Content Type configuration by using Liquid. And the following guide is helping you with how to implement a website full-text search step by step. And now the page has been updated with the following section: if your content item is also a set of content items, then you need to call the full_text_aspect helper to include the content of the content item inside the full-text search index. Fix NRE with TaxonomyIndex The index runs while cloning a content item, right after an empty content item was created (so before the actual cloning). The fields are there, but all are null. Casting this to JObject fails, as null is a JValue. The solution is that you have to do the casting in another way by using the as keyword. News from the community Orchard Core 1.3.0 Orchard Core 1.3.0 is now available! If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the updated version of Orchard Core! There is a new page in the documentation with the breaking changes and the new features. Upgrade your solution to 1.3.0 now! Feel free to drop on the dedicated Gitter chat and ask questions! And don't forget: this release is removing support for netcoreapp3.1 and net5.0. Only net6.0 is supported. Updated Lombiq's Open-Source Orchard Core Extensions Lombiq's Open-Source Orchard Core Extensions is an Orchard Core CMS Visual Studio solution. It contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, like the Lombiq UI Testing Toolbox or the Training Demo module that guides you to become an Orchard Core developer. And from now, this solution with all the extensions inside is updated to Orchard Core v1.3.0 and .NET 6! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 241 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

Topics for the week are the new mail proxy support, documentation about how to use a local copy of Orchard Core source code as NuGet packages, and the published Lombiq projects on NuGet! Do you want to know more? Then check out our post now! Orchard Core updates Support Mail Proxy Let's say that your web hosting provider doesn't allow outbound connections by default (IONOS Windows Shared). In this case, all outbound connections should be sent through a proxy on this platform. You can configure it for HTTP(S) by adding this in the Startup.cs of the Orchard Core web app: HttpClient.DefaultProxy = new WebProxy("http://winproxy.server.lan:3128"); However, there was no way to configure this for SMTP connections. So there was an issue about not being able to send a mail with Orchard on this hosting provider. But from now you can configure the proxy server and the proxy port number by enabling the OrchardCore.Email module and using the SMTP Settings. The documentation is also updated with these new settings. Using a local copy of Orchard Core source code as NuGet packages There is a new page in the Orchard Core Documentation about how to use a local copy of Orchard Core source code as NuGet packages. In this new article, you can see how to create your own local NuGet feed from your local source code, how to publish to your NuGet feed, and how to update your project to use the newly created feed. News from the community Configure portable object localization in ASP.NET Core There was an ASP.NET Community Standup about localizing the .NET website. There was a topic on how the .NET websites have been localized using the Orchard Core localization package with PO files. Sébastien Ros did a demo about the package, explained how the localizer works, how to inject it, how to use the module, how to create a PO file, how to use pluralization, etc. If you would like to know more about localization and haven't seen that demo yet, check out the recording of that standup meeting here! And in the meantime, now there is a new article on the Microsoft Technical Documentation where you can read more about what is a PO file, how to configure PO file support in ASP.NET Core, or how to create a PO file with several useful examples. Open-source Lombiq projects now published on NuGet We have more than 160 open-source repositories under our GitHub organization, out of which more than 140 are somehow related to Orchard (including Orchard Core and 1.x). Up until now, if you wanted to utilize our projects in your own ones, you could only reference them as Git submodules or copy over the source files. Now, however, all the Orchard Core-related projects of ours, as well as several others, are available as NuGet packages! Check out our blog post to know more about our NuGet packages! Do you want to easily publish your projects to NuGet as well? You can build on what we've created for that: Take a look at our new GitHub Actions project that we developed with the help of Orchard community member Dean Marcussen. Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 238 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

This week you can read about hiding the "New" option from the admin UI if they are not authorized to edit, changing the content of the built-in recipes, and a demo about a UI testing PoC with the Lombiq UI Testing Toolbox! Are you interested in the details? Check out this post for more! Orchard Core updates Hide the "New" option if they are not authorized to edit If you have a list content type (e.g., Blog) with the contained type (Blog Post) and the user doesn't have Edit Blog Post permission, they still see the New Blog Post button on the Blog editor. Note, that the user has permission to edit the Blog. And it was a bug that could be reproduced by just following some simple steps: Create a Blog Post content type. Create a Blog content type with a ListPart containing the Blog Post type. Update the Moderator role: set Edit for Blog but don't set it to Blog Post. Create a test user and associate them with the Moderator role. Log in with the test user and create a Blog. Observe that the New Blog Post button appears on the top-right corner, but you'll get a 403 when you click on it. The solution was just to similarly to the Content list page authorize the user to edit the types so if they are not authorized to edit, then hide the New option. Remove FileContentDefinition from recipes Last December, the community decided to do not to enable the File Content Definition feature by default. And by doing that, the OrchardCore.Contents.FileContentDefinition usage was removed from the Agency and Blog recipes. It's only useful in specific cases, and most of the time you need to turn it off. The same issue is there with the Headless and Blank recipes. Especially for the Blank recipe, there is no reason to include anything apart from the bare bones. The solution was just to remove the OrchardCore.Contents.FileContentDefinition enables a step from the two recipes. Demos UI testing PoC with the Lombiq UI Testing Toolbox In this demo, we will talk about this particular pull request, which is about a proof of concept. Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here. We wrote about it several times here as well, first when we open-sourced it when we added some Orchard Core Features tests to it, and some weeks ago, you could read about the automated monkey testing feature of the toolbox. So, what about trying out this toolbox in Orchard itself, and let's see whether it works and whether it can be useful. Of course, we have Cypress tests in Orchard Core, so this will be something with the same goal - not necessarily useful, not necessarily wanted to add - it's a proof of concept. Let's see how it looks! If you check out the mentioned pull request, you will find a new OrchardCore.Tests.UI project which references the UI Testing Toolbox. It contains a couple of classes, the main point here is the BasicOrchardFeaturesTests one. As you can see, this contains two xUnit test methods. The first is just running the TestBasicOrchardFeaturesExceptRegistrationAsync method, which tests all the basic Orchard features except for registration with the Blog recipe. You can specify the recipe itself with several other options like enabling accessibility checks. The second test is a failing test that you can check out on the CI. It's a usual Dotnet test execution, so you get a test summary in the end. You can see what the test did, and you can find the exact reason why this test failed (because it's cannot find the element by the navbar ID on a given page). If you go to Summary and check out Artifacts, you can download a file that contains the whole dump of the application with screenshots, HTML output, the Orchard logs, everything that you may need for troubleshooting. And, of course, you can also execute the test from Visual Studio as usual. The next steps here would be to: Recreate the Cypress tests so we can see how it compares. Most possibly, this would be running TestBasicOrchardFeaturesExceptRegistrationAsync with all recipes. Using WebApplicationFactory directly instead of running the tested app with the Dotnet CLI would be useful. What's behind TestBasicOrchardFeaturesExceptRegistrationAsync would potentially need to be copied to be serious here, since if something changes in Orchard deliberately, it can fail. If you would like to know more about this PoC, head to YouTube for a recording! News from the community War in Ukraine and Lombiq War in Ukraine and Lombiq: How does it affect us at Lombiq and what we're doing to help: https://lombiq.com/blog/war-in-ukraine-and-lombiq Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 238 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this Orchard meeting!

New custom path for the ChangePasswordConfirmation, Fluid 2.2.14 with several fixes and improvements, Orchard Core on the ASP.NET Community Standup are the topics of this week. Check out this post for the details! Orchard Core updates Fix route ChangePasswordConfirmation The idea is that now there is a custom route for the ChangePasswordConfirmation instead of using the generic one. So, the action OrchardCore.Users.Controllers.ChangePasswordConfirmation() is now mapped to /ChangePasswordConfirmation, because that action was mapped to /OrchardCore.Users/ChangePasswordConfirmation. And the documentation of Orchard Core has been also updated with this new custom path. Fluid 2.2.14 Fluid 2.2.14 has been released with several fixes and improvements. Let's see some of the changes here! The first one is about displaying the source of an error message. Now, if there is a parser error, it will tell you the location of the error (line and column) but it will also show the line with the error. And this way it's easier to understand where the issue is. And if you have multiple templates, for instance, then you don't have to guess what template contains the error because you can see the error directly. Now FluidParserOptions can be configured by using Fluid.MvcViewEngine. This introduces a small set of further changes to support the recent work allowing for FunctionValues. Update to FluidViewParser constructor to pass FluidParserOptions argument. Update to sample projects to use the new constructor. The next improvement is to fix some keyword conflicts. Someone finds an issue in Orchard is that if you have a variable that is named emptyThing, the parser would find that you mean the empty keyword and will fail saying what is this Thing after the empty? And it's the same for blank, true and false. So, if you have variable names starting with empty, you can have them now, this is what this PR is fixing. And another one is to implement offset continue. Now you can assign a range directly to a variable with this version. Before you could not. The second thing is that you can do offset with the keyword continue. So, in this case, continue is a keyword and what happens is that it will do another loop starting from where the previous loop stopped. So here, if you say limit: 2, it will start from the 4th item. And you can also pass another limit if you want. So, here the idea is that we loop for three items in the array, and then we loop again for the rest and display all the items. News from the community ASP.NET Community Standup - PO (portable object) localization with Orchard Core There was an ASP.NET Community Standup about localizing the .NET website. The topics were how the .NET websites have been localized using the Orchard Core localization package with PO files. Sébastien Ros did a demo about the package, explained how the localizer works, how to inject it, how to use the module, how to create a PO file, how to use pluralization, etc. If you would like to know more about localization, check out the recording of that standup meeting here! DotNest Core is on Orchard Core 1.2.2 DotNest Core is a complete redevelopment of the DotNest platform, all on the latest version of Orchard Core. We've been running it with a couple of select few customers for a while now, and it's time to open it up a bit more. While you can't yet simply create an Orchard Core-based DotNest site, you can sign up for our limited beta here. You'll soon be able to get a fully functional, reliably hosted Orchard Core site on DotNest where you can build your personal website or something to showcase your Orchard skills with. And now the DotNest Core sites run on Orchard Core 1.2.2! Do you want to have a hassle-free Orchard site running in the cloud? Then sign up for the beta here! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 239 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!

Orchard Core 1.2.2 is now available that addresses some other security issues. Check out this post to know the content of this release of Orchard Core and to see the latest features of the framework! Orchard Core updates Media search indexing The idea here was to allow to search for content in files. Last summer, you could see a demo in this This week in Orchard post that shows a feature that provides a simple implementation to index media for search. More precisely, it indexes media files related to content items, so said content items will turn up in search when one of their media files matches the search query. And now this feature is merged to the main branch of Orchard Core! Check out the updated documentation to know more! Remove multiple compilation paths on MediaTokenService From the next minor version, Orchard Core will only build with .NET 6.0, so we can remove all the things from the code that do not target .NET 6.0 specifically. This time the ParseQuery method of the MediaTokenService got simpler because now we don't need to use the slower version, we can use the fast version with structs now. Add response to SmtpResult When you send an SMTP request, the response can be read, and now you can do whatever you want with the response. We already know if it failed or not from the SmtpResult, but now there is even more information in the Response. News from the community Orchard Core 1.2.2 release Orchard Core 1.2.1 has been released a few days after the 1.2.0 one, and here comes 1.2.2 to address some other security issues. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! Don't forget that 1.2.x is the latest minor version of Orchard Core that can be built by .NET Core 3.1 and .NET 5. If you take the main branch, it will only build with .NET 6.0, and the upcoming versions will be only shipped with .NET 6.0. .NET 6.0 is an LTS and shipped for many months now with some security updates already. It will also make the local builds with Visual Studio faster, the CI is faster because it doesn't have to build everything three times and run the tests three times. Now let's see the fix that is in this release! If you have a Link Field, you can provide a URL to that field, and the URL is now sanitized. Before this change, you could pass some JavaScript in the URL. With that what we are doing is checking the link that we are generating is sanitized. This issue was also in the Menu Item Link Field and also in the HTML Menu Item Link Field, so everywhere where we pass a link. Another fix was in the AuditTrailContentController.cs to be consistent with the other fixes. Error messages can't contain HTML and the issue that the _notifier.WarningAsync is asking for a LocalizedHtmlString. Why is it asking for a LocalizedHtmlString? It's because WarningAsync expects a LocalizedString using H[""]. In this case, the goal was to render an error message as a notification. But the error message is a string. So the developer decided to wrap the error message into a LocalizedHtmlString and pass it. And by doing that we say this is a safe string, this is already encoded, so it can be used in a view. This is what the H[""] does. So, everything here is safe. So, it can be passed as a LocalizedHtmlString. We are lucky that the error message is safe because internally it's a static string. But we don't do that, because it could be like some other developers will copy this code without understanding that this is safe or not. So, let's assume that it's not safe, and you shouldn't pass it as a LocalizedHtmlString, because that will prevent the notifier from encoding the result. The fix here is to pass the error message as an argument and because it's passed as an argument it will be encoded. So, this is how we pass a LocalizedHtmlString to a notifier from an unknown string safely. We can just pass it as an argument. And if you would like to know more about the fixed security issues, don't forget to check out this recording on YouTube! Looking for some useful Orchard Core extensions that can help improve your Orchard Core 1.2.2 application faster and easier? Here's a bundle solution of all of Lombiq's open-source Orchard Core extensions (modules and themes). Clone and try them out now! This is an Orchard Core CMS Visual Studio solution that contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries. And we have also updated the solution to use Orchard Core 1.2.2! Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 240 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!

Orchard Core 1.2.1 is now available to fix some security issues. Check out this post to know the content of this release of Orchard Core and to see the latest features of the framework! Orchard Core updates Remove exists check for blobs Instead of querying the blob, if it exists any time, we just try to get it, and maybe the server will return with a BlobNotFound error. This way, if it's there, we prevent one external network communication to check if it's there before asking for it. So, we just ask for it, and then if it fails, it fails. It's a pretty common issue with Blob Storage because of its high latency you need to do as few communications as you can. Starting background tasks without waiting for initialized tenants You can have a scenario where you would like Orchard itself to starts its background tasks without the need of a request for each one of the tenants. Until now, you need to make a request to as parent tenant and to every child tenant to be sure background tasks of each tenant start to run. So, by default background tasks are waiting for their shell to be lazily built on a first matching request. From now, you have a ShellWarmup bool option in the appsettings.json that allows you to eagerly build shells just before executing their first background task. News from the community Orchard Core 1.2.1 release Orchard Core 1.2.0 has been released on the 6th of January. But after a few days, a vulnerability security issue has been filed. That's the reason why the community had to create a new Orchard Core 1.2.1 release, to fix that security issue. You can update to the new version as usual. If you open up nuget.org and search for the OrchardCore.Application.Cms.Targets package, you will find the newest released version of Orchard Core! But let's see the fix that is in this release! It's not critical in the way that only users that are authenticated and have access to the dashboard can do things. Looking at the security issue and then how to not have them anymore. These are XSS issues, which means you can inject custom JavaScript in a page that could be triggered automatically, and then if you inject some fancy JavaScript you can force a user to submit queries and on this site, you could extract secrets or have them do things they don't want to do on the site. We encode everything we output. This means if the thing you output contains some JavaScript, it will be encoded, which means it will be rendered and not the JavaScript itself to be executed. In this case here, what was happening is that the translation was called on a variable, but we can't translate it. When we call T[], the IHtmlLocalizer will lookup for this text. If it finds this text in the translations, it will render the translation, otherwise, it will render the text as-is. That's why we always pass the English versions, such that if it doesn't find a localization, it will render this text in English. So, we don't have to create the translation for English, we just use that key that we passed. But the T[""] can contain HTML. And that's how we do to translate notifications, links, and stuff like this. And because it can contain HTML, the @ before that will just render it as is. So, whatever is passed there, it will be rendered as-is and not encoded. If we put some HTML or JavaScript inside that, this will be rendered as is and not encoded. What happened there is that when we do any string, like @T["Add widget"] is fine because we know this is a static string to generate. So, we know what we are rendering. But when we do it in a variable like @T[item.value], it can contain anything. And we don't know what it contains. And if it's user inputted, then there can be bad issues. So, we should never translate a user inputted value like this. This is an encoding issue over a bug. This is a list of SelectListItem, which itself contain a localized string instantiated value. There is no reason to use a localized string here. We use localized string as a type when we know that the property needs to be a localized string and should be a sign with a call to T for instance. This piece of code from the DashboardController is just to list the display name of the content type and the technical name of the content type. It's just a list of content types to allow you to create a new content item based on the type. The first solution is to don't translate variables. We have the design and started the PR for dynamic content translations, which is supposed to fix that, to provide a solution to be able to translate content types, permissions, and all the things that are user inputted and dynamic in the database (not static text). We should either not translate dynamic variables or use the new localization PR. The second option is to explicitly encode it for just this vulnerability. In this case, it's not breaking anyone, and it's secure because here, we explicitly translate the encoded value of the display name. So, it would break people who have spaces in their content type display name, because now they have to translate Foo content&nbps;type not Foo content type. .NET Foundation Most Active Community Projects 2021 Shaun Walker shared this image on Twitter that contains the most active community projects based on the number of pull requests, the number of commits, and the number of new contributors. As you can see, Orchard has 1507 pull requests in 2021, which is great. Orchard has 1291 commits, which is weird. Why do we have more pull requests than commits? Do we really close that many pull requests? We have some mini PRs created by Dependabot. And we haven't talked about which projects are using squash and merge and which projects aren't. But it's still a nice thing to be able to see Orchard in the top 10! :) Orchard Dojo Newsletter Lombiq's Orchard Dojo Newsletter has 238 subscribers! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course. Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here! If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!