This week in Orchard - 03/15/2019

Gábor Domonkos's avatar
This week in Orchard

Orchard 1.10.3 is here! Read our post about adding Guides to the documentation of Orchard Core, improving the liquid encoding, and many more!

On Orchard 1.x

Orchard 1.10.3 released

The latest version of Orchard 1.x has been released on Apr 27, 2017. Now it's time to present Orchard 1.10.3! Last week we wrote about the release notes of this version. The full release notes are available in GitHub, where you can also download the assets of Orchard 1.10.3.

On Orchard Core

Add Guides section to docs

A new section called Guides has been added to Orchard Core documentation. Whatever you're building, these guides are designed to get you productive as quickly as possible – using the latest Orchard Core project releases and techniques as recommended by the Orchard team. The goal is to provide getting started guides and tutorials for the developers using Orchard Core.

  • Getting Started Guides: Designed to be completed in 15-30 minutes, these guides provide quick, hands-on instructions for building the "Hello World" of any development task with Orchard Core. In most cases, the only prerequisites are a .NET SDK and a text editor.
  • Tutorials: Designed to be completed in 2-3 hours, these guides provide deeper, in-context explorations of enterprise application development topics, leaving you ready to implement real-world solutions.

There is only one getting started guide now in the Guides page, where you can read about how to run tasks on application startup from a module.

There isn't any tutorial right now, but we have two ideas to discuss in the future. One is about building a website from a Web Template, and the second one is about implementing a Self-Service Saas solution.

If you have any idea that you can add to the Guides section, don't hesitate to create one!

Fixing PluralFormNotFoundException

Let's say you set Russian as your default language. This language has more than two plural forms. If you go to the content items page, where we use pluralization for the DateTime, like N minutes ago, the current localization code will throw an exception if you ask for a value that is more than two:

H.Plural(time.minutes, "1 minute ago", "{0} minutes ago");

Because for this specific number, it would look for the third plural form, but there is none here.
The change is to use the latest plural form and log a warning, saying OK, I could not find a translation for this thing, but instead of failing, I will use the highest form and use the default language. It might be wrongly translated, but at least there will be no exception.

UI fixes for content picker

Now the content picker using flexbox to align content. Also, have a template to Vue component for adding the ability to translate noResult message.

Setting liquid encoding explicitly

Sébastien reviewed all the usage of liquid for every component and defined explicitly which encoding we need to use and where to not use the default from Orchard. For instance, the AliasPart is not encoded. When we generate the AliasPart we are not encoding anything. We store whatever is generated, if we want to encode something in the AliasPart, it's up to us to do that.

Let's edit a BlogPost content item, which has a Markdown editor! If we type some HTML in Markdown, it will be fine. What is encoded is just the parts that are injected. If we put an hr tag in the HTML encoded section

{{ "<hr />" }}

it will be encoded. If this value is coming from the outside, this will be safe, because it's HTML encoded. Therefore you cannot inject scripts or whatever because of that.

If you really want to inject some HTML, you can use the following syntax:

{{ "<hr />" | raw }}

In this case, you can see the injected hr. If you trust the source and know it has to be HTML, then you can use the "| raw".

There is also a tag for this that you can use in the following way:

{% raw %}
<h3>A title</h3>
{% endraw %}

In a workflow, if you inject something that is in Chinese or HTML encoded, the liquid template engine, in this case, was using the default encoding, which is HTML in Orchard. The workflow will create a content item with Chinese chars, which will then be encoded, so the JSON will contain HTML encoded values in their strings, which is wrong.

Now imagine a scenario, where the workflow is a webhook on a GET request, and when the webhook is hit, we create some content. The Create Content Task accepts some JavaScript or JSON. In this case, we returning an object, called DisplayText, by injecting the displayText property of the query string. This can be any string, so you could inject some custom text, that could contain double quotes to close the current expression and also pass the Author of the Article because here you can inject JSON as well.

Now we are using the JavaScript encoder for this parsing, what will happen is that whatever you type here will be JSON encoded, so if there is a double quote, it will be encoded.

Let's get the URL that lets us trigger this workflow by copying it from the Http Request Event. We know that this will accept a displayText property, so let's pass Foo%22bar, where %22 is a quote:


If we navigate to the list of content items, we will see our Article which has the Foo"bar title.

On Lombiq

Orchard Dojo Newsletter

Now we have 48 subscribers of the Lombiq's Orchard Dojo Newsletter! We have started this newsletter to inform the community around Orchard with the latest news about the platform. By subscribing to this newsletter, you will get an e-mail every time when a new post published to Orchard Dojo, including This week in Orchard of course.

Do you know of other Orchard enthusiasts who you think would like to read our weekly articles? Tell them to subscribe here!

If you are interested in more news around Orchard and the details of the topics above, don't forget to check out the recording of this week's Orchard meeting!

No Comments

Add a Comment