Version @version@ built on @builddate@.

Release Notes for Vaadin Framework @version@

Overview of Vaadin @version@ Release

Vaadin @version@ is a maintenance release that includes a number of important bug fixes, as listed in the change log below.

For a list of enhancements in the last feature release, see Enhancements in Vaadin @version-minor@ and the Release Notes for Vaadin @version-minor@.0.

Security fixes in Vaadin Framework 7.1.11

Vaadin 7.1.11 fixes two security issues discovered during internal review.

Escaping of OptionGroup item icon URLs

The issue affects OptionGroup with item icons. Proper escaping of the src-attribute on the client side was not ensured when using icons for OptionGroup items. This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.

In order for an application to be vulnerable, user provided input must be used to form a URL used to display an icon for an OptionGroup item, when showing that Option Group to other users.
The vulnerability has been classified as moderate, due to it's limited application.

Escaping of URLs in Util.getAbsoluteUrl()

The client side Util.getAbsoluteUrl() did not ensure proper escaping of the given URL. This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.

The method is used internally by the framework in such a manner that it is unlikely this attack vector can be utilized in practice. However, third party components, or future use of the method, could make an attack viable.
The vulnerability has been classified as moderate, due to it's limited application.

Change log for Vaadin @version@

This release includes the following closed issues:

You can also view the list of the closed issues at the Vaadin developer's site. .

Enhancements in Vaadin @version-minor@

The @version-minor@ includes many major and minor enhancements. Below is a list of the most notable changes:

Tools have been updated for Vaadin @version-minor@ with the following changes:

For enchancements introduced in Vaadin 7, see the Release Notes for Vaadin 7.0.0.

Limitations

Vaadin Installation

Vaadin is a Java framework for building modern web applications that look great, perform well and make you and your users happy. Vaadin is available under the Apache License, Version 2.0 (see the license.html in the Vaadin ZIP or JAR package).

The easiest ways to install Vaadin are:

It is also available as a ZIP package downloadable from Vaadin Download page.

Package Contents

Inside the ZIP installation package you will find:

See the README.TXT in the installation package for detailed information about the package contents. Book of Vaadin (for Vaadin 7) gives more detailed instructions.

For server-side development, copy the vaadin-server , vaadin-client-compiled , vaadin-shared , and vaadin-themes from the main folder and the dependencies from the lib folder to the WEB-INF/lib folder of your Vaadin project. (The vaadin-client-compiled is necessary if you do not wish to compile the widget set by your own, which you need to do if you use almost any add-on components.)

Updates to the Packaging

Since Vaadin 7.2.0, the old vaadin-theme-compiler has been moved into a separate project and renamed to vaadin-sass-compiler. It is now included along with the other 3rd party dependencies in the ZIP package.

For pure client-side development, you only need the vaadin-client and vaadin-client-compiler JARs, which should be put to a non-deployed project library folder, such as lib . You also need them if you compile the widget set for any reason, such as using Vaadin add-ons, or create new server-side components integrated with client-side widgets.

Migrating from Vaadin 6

All Vaadin 6 applications need some changes when migrating to Vaadin 7. The most obvious changes are in the application/window API and require extending either UI or UI.LegacyApplication instead of Application. A detailed list of migration changes are given in the Vaadin 7 Migration Guide.

Any custom client-side widgets need to be ported to use the new client-server communication API, or the Vaadin 6 compatibility API.

Vaadin 6 add-ons (ones that contain widgets) do not work in Vaadin 7 - please check the add-ons in Vaadin Directory for Vaadin 7 support.

Vaadin @version@ Dependencies

When using Maven, Ivy, Gradle, or other dependency management system, all Vaadin dependencies are downloaded automatically. This is also the case when using the Vaadin Plugin for Eclipse.

The Vaadin ZIP installation package includes the dependencies in the lib subfolder. These need to be copied to the WEB-INF/lib folder of the web application that uses Vaadin.

The dependencies are listed in the Licensing description. Some are explicit dependencies packaged and distributed as separate JARs, while some are included inside other libraries.

Bean Validation

If you use the bean validation feature in Vaadin 7, you need a Bean Validation API implementation. You need to install the implementation JAR in the WEB-INF/lib directory of the web application that uses validation.

Upgrading to Vaadin @version-minor@

Upgrading the Eclipse Plugin

Vaadin 7 requires that you use a compatible version of the Vaadin Plugin for Eclipse. The stable version of the plugin is available from the http://vaadin.com/eclipse update site. Please see the section about updating the plugin in the Book of Vaadin and the installation instructions at the download site for more details.

You can also use the experimental Vaadin Plugin for Eclipse. Its update site is http://vaadin.com/eclipse/experimental .

General Upgrading Instructions

When upgrading from an earlier Vaadin version, you must:

Remember also to refresh the project in your IDE to ensure that the new version of everything is in use.

By using the " ?debug " URL parameter, you can verify that the version of the servlet, the theme, and the widget set all match.

Eclipse users should always check if there is a new version of the Eclipse Plug-in available. The Eclipse Plug-in can be used to update the Vaadin version in the project (Project properties » Vaadin).

Maven users should update the Vaadin dependency version in the pom.xml unless it is defined as LATEST . You must also ensure that the GWT dependency uses the correct version and recompile your project and your widget set.

Liferay and other portal users must install the Vaadin libraries in ROOT/WEB-INF/lib/ in the portal (and remove a possibly obsolete older vaadin.jar). Additionally, the contents of the vaadin-client-compiled and vaadin-themes must be extracted to the ROOT/html/VAADIN directory in the Liferay installation. If your portal uses custom widgets, install the latest version of Vaadin Control Panel for Liferay for easy widget set compilation - when it is available - the add-on is not compatible with Vaadin @version@ at the time of this Vaadin release.

Notes and Limitations for Google App Engine

The following instructions and limitations apply when you run a Vaadin application under the Google App Engine.

For other known problems, see open tickets at developer site dev.vaadin.com.

Supported Technologies

Vaadin 7 is compatible with Java 6 and newer. Vaadin 7 is especially supported on the following operating systems:

Vaadin 7 requires Java Servlet API 2.4 but also supports later versions and should work with any Java application server that conforms to the standard. The following application servers are supported:

Vaadin 7 supports the JSR-286 Portlet specification and all portals that implement the specification should work. The following portals are supported:

Vaadin also supports Google App Engine.

Vaadin supports the following desktop browsers:

Additionally, Vaadin supports the built-in browsers in the following mobile operating systems:

Vaadin SQL Container supports the following databases:

Vaadin on the Web