Vaadin Flow Components V24.10.8
Vaadin Flow Components 24.10.8
This is a release of the Java integration for Vaadin Components to be used from the Java server side with Vaadin Flow.
Changes in Flow Components from 24.10.7
Changes in vaadin-charts-flow
- New Features:
-
⧉ Validate navigation-related URL schemes (CP: 24.10). PR:9709
This PR cherry-picks changes from the original PR #9447 to branch 24.10. Because URL scheme validation is disabled by default in 24.10 (
DeploymentConfiguration#getUrlSafeSchemes()allows all schemes unless configured), and because some components differ frommain, the backport was adapted: - Scope:BreadcrumbsItemdoes not exist in 24.10, so it is excluded. Charts (Credits,Exporting), Login (AbstractLogin#setAction) and SideNav (SideNavItem) are all validated. - Javadoc: the@throwsclauses reference{@link DeploymentConfiguration#getUrlSafeSchemes()}, since validation only rejects schemes that are not in the configured safe set (allow-all by default). This also adds the previously missing@throwsonCredits#setHrefandSideNavItem#setPath. - Tests: converted to JUnit 4 (as used by these modules in 24.10) and mockVaadinService/DeploymentConfigurationto enable validation, since it is off by default. --- > ## Motivation > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. Ajavascript:(or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > ## Changes > > Validating setters added across the affected components, each with a matchingsetUnsafe*variant that bypasses validation: > > -SideNavItem.setPath/BreadcrumbsItem.setPath— navigation link. > -Credits.setHref— clickable Highcharts credits link. > -AbstractLogin.setAction— the formactionattribute the browser POSTs to on submit. > -Exporting.setUrl— Highcharts posts SVG to this URL as a form action for export fallback. > -Exporting.setLibURL— concatenated into<script src="…">to load offline-export dependencies at runtime. > >SideNavItemandBreadcrumbsItemconstructors that take aString pathvalidate transitively viasetPath; their Javadoc now documents@throws IllegalArgumentExceptionand explicit constructor tests cover the behaviour. > > Safe schemes are configured through thecom.vaadin.safeUrlSchemesproperty and default tohttp,https,mailto,tel,ftp. > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated:javascript:cannot execute in<img src>/ SVG<image>elements, anddata:URLs are a legitimate, common use there. > >LoginFormTestandLoginOverlayTestalready mockLoggerFactoryto capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow'sUrlUtil.isSafeUrldebug-logs a fallback notice, going throughLoggerFactory.getLogger(UrlUtil.class)which returnednullinside the broad mock. The mock now usesMockito.CALLS_REAL_METHODSso unrelated lookups fall through to the real factory; the explicitLoginForm/Overlay.classstubs still take precedence. > > Part of vaadin/flow#24539 --- 🤖 Generated with Claude Code
-
Changes in vaadin-login-flow
- New Features:
-
⧉ Validate navigation-related URL schemes (CP: 24.10). PR:9709
This PR cherry-picks changes from the original PR #9447 to branch 24.10. Because URL scheme validation is disabled by default in 24.10 (
DeploymentConfiguration#getUrlSafeSchemes()allows all schemes unless configured), and because some components differ frommain, the backport was adapted: - Scope:BreadcrumbsItemdoes not exist in 24.10, so it is excluded. Charts (Credits,Exporting), Login (AbstractLogin#setAction) and SideNav (SideNavItem) are all validated. - Javadoc: the@throwsclauses reference{@link DeploymentConfiguration#getUrlSafeSchemes()}, since validation only rejects schemes that are not in the configured safe set (allow-all by default). This also adds the previously missing@throwsonCredits#setHrefandSideNavItem#setPath. - Tests: converted to JUnit 4 (as used by these modules in 24.10) and mockVaadinService/DeploymentConfigurationto enable validation, since it is off by default. --- > ## Motivation > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. Ajavascript:(or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > ## Changes > > Validating setters added across the affected components, each with a matchingsetUnsafe*variant that bypasses validation: > > -SideNavItem.setPath/BreadcrumbsItem.setPath— navigation link. > -Credits.setHref— clickable Highcharts credits link. > -AbstractLogin.setAction— the formactionattribute the browser POSTs to on submit. > -Exporting.setUrl— Highcharts posts SVG to this URL as a form action for export fallback. > -Exporting.setLibURL— concatenated into<script src="…">to load offline-export dependencies at runtime. > >SideNavItemandBreadcrumbsItemconstructors that take aString pathvalidate transitively viasetPath; their Javadoc now documents@throws IllegalArgumentExceptionand explicit constructor tests cover the behaviour. > > Safe schemes are configured through thecom.vaadin.safeUrlSchemesproperty and default tohttp,https,mailto,tel,ftp. > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated:javascript:cannot execute in<img src>/ SVG<image>elements, anddata:URLs are a legitimate, common use there. > >LoginFormTestandLoginOverlayTestalready mockLoggerFactoryto capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow'sUrlUtil.isSafeUrldebug-logs a fallback notice, going throughLoggerFactory.getLogger(UrlUtil.class)which returnednullinside the broad mock. The mock now usesMockito.CALLS_REAL_METHODSso unrelated lookups fall through to the real factory; the explicitLoginForm/Overlay.classstubs still take precedence. > > Part of vaadin/flow#24539 --- 🤖 Generated with Claude Code
-
Changes in vaadin-side-nav-flow
- New Features:
-
⧉ Validate navigation-related URL schemes (CP: 24.10). PR:9709
This PR cherry-picks changes from the original PR #9447 to branch 24.10. Because URL scheme validation is disabled by default in 24.10 (
DeploymentConfiguration#getUrlSafeSchemes()allows all schemes unless configured), and because some components differ frommain, the backport was adapted: - Scope:BreadcrumbsItemdoes not exist in 24.10, so it is excluded. Charts (Credits,Exporting), Login (AbstractLogin#setAction) and SideNav (SideNavItem) are all validated. - Javadoc: the@throwsclauses reference{@link DeploymentConfiguration#getUrlSafeSchemes()}, since validation only rejects schemes that are not in the configured safe set (allow-all by default). This also adds the previously missing@throwsonCredits#setHrefandSideNavItem#setPath. - Tests: converted to JUnit 4 (as used by these modules in 24.10) and mockVaadinService/DeploymentConfigurationto enable validation, since it is off by default. --- > ## Motivation > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. Ajavascript:(or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > ## Changes > > Validating setters added across the affected components, each with a matchingsetUnsafe*variant that bypasses validation: > > -SideNavItem.setPath/BreadcrumbsItem.setPath— navigation link. > -Credits.setHref— clickable Highcharts credits link. > -AbstractLogin.setAction— the formactionattribute the browser POSTs to on submit. > -Exporting.setUrl— Highcharts posts SVG to this URL as a form action for export fallback. > -Exporting.setLibURL— concatenated into<script src="…">to load offline-export dependencies at runtime. > >SideNavItemandBreadcrumbsItemconstructors that take aString pathvalidate transitively viasetPath; their Javadoc now documents@throws IllegalArgumentExceptionand explicit constructor tests cover the behaviour. > > Safe schemes are configured through thecom.vaadin.safeUrlSchemesproperty and default tohttp,https,mailto,tel,ftp. > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated:javascript:cannot execute in<img src>/ SVG<image>elements, anddata:URLs are a legitimate, common use there. > >LoginFormTestandLoginOverlayTestalready mockLoggerFactoryto capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow'sUrlUtil.isSafeUrldebug-logs a fallback notice, going throughLoggerFactory.getLogger(UrlUtil.class)which returnednullinside the broad mock. The mock now usesMockito.CALLS_REAL_METHODSso unrelated lookups fall through to the real factory; the explicitLoginForm/Overlay.classstubs still take precedence. > > Part of vaadin/flow#24539 --- 🤖 Generated with Claude Code
-
Changes in vaadin-spreadsheet-flow
- Fixes:
-
⧉ Defer Spreadsheet.selectCellRange until sheet widget layout is ready (#9381) (CP: 24.10). PR:9487
This PR cherry-picks changes from the original PR #9381 to branch 24.10. --- > > Follow-up to #9333. When a Spreadsheet inside a closed Dialog is opened, Flow > flushes the property writes and the
setSelectedCellAndRangeRPC in the same > task. The api receives the call before the deferred init scheduled in >SheetWidget.resetFromModelhas run — soSheetWidget.getRowHeightreads an > uninitializeddefinedRowHeightsand throws > >> Uncaught TypeError: Cannot read properties of undefined (reading 'length') >> > That throw drops the selection and trips the*_noErrors/*_noConsoleErrors> console-log assertions. > > #9333's connector-side guard masked this by probingdefinedRowHeights> through the api's private GWT fields — names that only survive >-Dgwt.style=pretty(local/dev). CI compiles the GWT client with >-Dgwt.style=OBF, where those private names are renamed andapi.spreadsheetWidget> isundefined. The guard itself then threw, producing the same SEVERE log and > the same ~20 spreadsheet IT failures on the cherry-pick PRs. > > > Move the layout-readiness handling into the widget that owns the operation: > > -SheetWidget.isLoaded()(package-private) — exposes the already-existing >loadedflag that flips at the end ofresetFromModel's deferred command. > -SpreadsheetWidget.selectCellRange— if!sheetWidget.isLoaded(), store the > latest args andScheduler.scheduleDeferred(this::applyPendingSelectCellRange). > The deferred re-checks, applies, or re-schedules. Latest-wins (rapid successive > calls collapse to the final selection). Bounded at 100 hops as a safety net; > in the typical case the layout init has already been scheduled before us, so > GWT's FIFO scheduler resolves us in 0–1 hops. > -vaadin-spreadsheet.js—setSelectedCellAndRangegoes back to a one-liner > (this._flush(); this.api.setSelectedCellAndRange(...args)). No try/catch, > no pending state, no constants. > > OnlyselectCellRangeis deferred — it's the only RPC that touches row/column > metrics. Other RPCs (cellsUpdated, popup ops, etc.) don't need this and > didn't fail in the original CI runs. > > > Reproduce locally by compiling the client with-Dgwt.style=OBF(matching CI) > and running the merged ITs in production mode: > >> mvn clean install -DskipTests -Dgwt.style=OBF \ > -pl vaadin-spreadsheet-flow-parent/vaadin-spreadsheet-flow-client,vaadin-spreadsheet-flow-parent/vaadin-spreadsheet-flow > node scripts/mergeITs.js spreadsheet > mvn verify -Drun-it -pl integration-tests -Dvaadin.productionMode=true \ > -Dit.test='NavigationIT,SpreadsheetDialogIT' -DskipUnitTests >> > - With this PR → NavigationIT 26/0, SpreadsheetDialogIT 1/0. > - Reverting only the GWT-side change → SpreadsheetDialogIT fails with the > underlyingCannot read properties of undefined (reading 'length')in >FlowClient-…js— the actualdefinedRowHeightsNPE. > > Follow-up to #9333. > > --- > > 🤖 Generated with Claude Code
-