Vaadin Flow Components V23.6.11
Vaadin Flow Components 23.6.11
This is a release of the Java integration for Vaadin Components to be used from the Java server side with Vaadin Flow.
Changes in Flow Components from 23.6.10
Changes in vaadin-charts-flow
- New Features:
-
⧉ Validate navigation-related URL schemes (CP: 23.6). PR:9706
This PR cherry-picks changes from the original PR #9447 to branch 23.6. Because URL scheme validation is disabled by default in 23.6 (see vaadin/flow#24942), and because some components differ from
main, the backport was adapted: - Scope reduced to existing components:SideNavItem,BreadcrumbsItemandLoginOverlayTestdo not exist in 23.6, so only the Charts (Credits,Exporting) and Login (AbstractLogin#setAction) sinks are validated here. - Javadoc: the@throwsclauses reference{@link DeploymentConfiguration#getUrlSafeSchemes()}, matching the Flow 23.6 wording, since validation only rejects schemes that are not in the configured safe set (allow-all by default). -AbstractLogin#setAction: kept 23.6's simple property-setting behavior (the default-login-listener handling frommaindoes not exist here) plus the new validation andsetUnsafeAction. - Tests: converted to JUnit 4 (as used by these modules in 23.6) and mockVaadinService/DeploymentConfigurationto enable validation, since it is off by default.mockito-inlinewas added to the Charts and Login test dependencies for static mocking. --- > ## Motivation > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. Ajavascript:(or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > ## Changes > > Validating setters added across the affected components, each with a matchingsetUnsafe*variant that bypasses validation: > > -SideNavItem.setPath/BreadcrumbsItem.setPath— navigation link. > -Credits.setHref— clickable Highcharts credits link. > -AbstractLogin.setAction— the formactionattribute the browser POSTs to on submit. > -Exporting.setUrl— Highcharts posts SVG to this URL as a form action for export fallback. > -Exporting.setLibURL— concatenated into<script src="…">to load offline-export dependencies at runtime. > >SideNavItemandBreadcrumbsItemconstructors that take aString pathvalidate transitively viasetPath; their Javadoc now documents@throws IllegalArgumentExceptionand explicit constructor tests cover the behaviour. > > Safe schemes are configured through thecom.vaadin.safeUrlSchemesproperty and default tohttp,https,mailto,tel,ftp. > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated:javascript:cannot execute in<img src>/ SVG<image>elements, anddata:URLs are a legitimate, common use there. > >LoginFormTestandLoginOverlayTestalready mockLoggerFactoryto capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow'sUrlUtil.isSafeUrldebug-logs a fallback notice, going throughLoggerFactory.getLogger(UrlUtil.class)which returnednullinside the broad mock. The mock now usesMockito.CALLS_REAL_METHODSso unrelated lookups fall through to the real factory; the explicitLoginForm/Overlay.classstubs still take precedence. > > Part of vaadin/flow#24539 --- 🤖 Generated with Claude Code
-
Changes in vaadin-login-flow
- New Features:
-
⧉ Validate navigation-related URL schemes (CP: 23.6). PR:9706
This PR cherry-picks changes from the original PR #9447 to branch 23.6. Because URL scheme validation is disabled by default in 23.6 (see vaadin/flow#24942), and because some components differ from
main, the backport was adapted: - Scope reduced to existing components:SideNavItem,BreadcrumbsItemandLoginOverlayTestdo not exist in 23.6, so only the Charts (Credits,Exporting) and Login (AbstractLogin#setAction) sinks are validated here. - Javadoc: the@throwsclauses reference{@link DeploymentConfiguration#getUrlSafeSchemes()}, matching the Flow 23.6 wording, since validation only rejects schemes that are not in the configured safe set (allow-all by default). -AbstractLogin#setAction: kept 23.6's simple property-setting behavior (the default-login-listener handling frommaindoes not exist here) plus the new validation andsetUnsafeAction. - Tests: converted to JUnit 4 (as used by these modules in 23.6) and mockVaadinService/DeploymentConfigurationto enable validation, since it is off by default.mockito-inlinewas added to the Charts and Login test dependencies for static mocking. --- > ## Motivation > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. Ajavascript:(or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > ## Changes > > Validating setters added across the affected components, each with a matchingsetUnsafe*variant that bypasses validation: > > -SideNavItem.setPath/BreadcrumbsItem.setPath— navigation link. > -Credits.setHref— clickable Highcharts credits link. > -AbstractLogin.setAction— the formactionattribute the browser POSTs to on submit. > -Exporting.setUrl— Highcharts posts SVG to this URL as a form action for export fallback. > -Exporting.setLibURL— concatenated into<script src="…">to load offline-export dependencies at runtime. > >SideNavItemandBreadcrumbsItemconstructors that take aString pathvalidate transitively viasetPath; their Javadoc now documents@throws IllegalArgumentExceptionand explicit constructor tests cover the behaviour. > > Safe schemes are configured through thecom.vaadin.safeUrlSchemesproperty and default tohttp,https,mailto,tel,ftp. > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated:javascript:cannot execute in<img src>/ SVG<image>elements, anddata:URLs are a legitimate, common use there. > >LoginFormTestandLoginOverlayTestalready mockLoggerFactoryto capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow'sUrlUtil.isSafeUrldebug-logs a fallback notice, going throughLoggerFactory.getLogger(UrlUtil.class)which returnednullinside the broad mock. The mock now usesMockito.CALLS_REAL_METHODSso unrelated lookups fall through to the real factory; the explicitLoginForm/Overlay.classstubs still take precedence. > > Part of vaadin/flow#24539 --- 🤖 Generated with Claude Code
-