Skip to content

Vaadin Flow Components V24.9.19

Choose a tag to compare

@vaadin-bot vaadin-bot released this 17 Jul 06:25
fda5dcf

Vaadin Flow Components 24.9.19

This is a release of the Java integration for Vaadin Components to be used from the Java server side with Vaadin Flow.

Changes in Flow Components from 24.9.18

Changes in All Components

  • Chore:
    • Increase Web-Component version

Changes in vaadin-charts-flow

  • New Features:
    • Validate navigation-related URL schemes (CP: 24.10) (#9709) (CP: 24.9). PR:9723

      This PR cherry-picks changes from the original PR #9709 to branch 24.9. --- #### Original PR description > This PR cherry-picks changes from the original PR #9447 to branch 24.10. > > Because URL scheme validation is disabled by default in 24.10 (DeploymentConfiguration#getUrlSafeSchemes() allows all schemes unless configured), and because some components differ from main, the backport was adapted: > > - Scope: BreadcrumbsItem does not exist in 24.10, so it is excluded. Charts (Credits, Exporting), Login (AbstractLogin#setAction) and SideNav (SideNavItem) are all validated. > - Javadoc: the @throws clauses reference {@link DeploymentConfiguration#getUrlSafeSchemes()}, since validation only rejects schemes that are not in the configured safe set (allow-all by default). This also adds the previously missing @throws on Credits#setHref and SideNavItem#setPath. > - Tests: converted to JUnit 4 (as used by these modules in 24.10) and mock VaadinService/DeploymentConfiguration to enable validation, since it is off by default. > > --- > > > ## Motivation > > > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. A javascript: (or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > > > ## Changes > > > > Validating setters added across the affected components, each with a matching setUnsafe* variant that bypasses validation: > > > > - SideNavItem.setPath / BreadcrumbsItem.setPath — navigation link. > > - Credits.setHref — clickable Highcharts credits link. > > - AbstractLogin.setAction — the form action attribute the browser POSTs to on submit. > > - Exporting.setUrl — Highcharts posts SVG to this URL as a form action for export fallback. > > - Exporting.setLibURL — concatenated into <script src="…"> to load offline-export dependencies at runtime. > > > > SideNavItem and BreadcrumbsItem constructors that take a String path validate transitively via setPath; their Javadoc now documents @throws IllegalArgumentException and explicit constructor tests cover the behaviour. > > > > Safe schemes are configured through the com.vaadin.safeUrlSchemes property and default to http, https, mailto, tel, ftp. > > > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated: javascript: cannot execute in <img src> / SVG <image> elements, and data: URLs are a legitimate, common use there. > > > > LoginFormTest and LoginOverlayTest already mock LoggerFactory to capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow's UrlUtil.isSafeUrl debug-logs a fallback notice, going through LoggerFactory.getLogger(UrlUtil.class) which returned null inside the broad mock. The mock now uses Mockito.CALLS_REAL_METHODS so unrelated lookups fall through to the real factory; the explicit LoginForm/Overlay.class stubs still take precedence. > > > > Part of vaadin/flow#24539 > > --- > > 🤖 Generated with Claude Code >

Changes in vaadin-login-flow

  • New Features:
    • Validate navigation-related URL schemes (CP: 24.10) (#9709) (CP: 24.9). PR:9723

      This PR cherry-picks changes from the original PR #9709 to branch 24.9. --- #### Original PR description > This PR cherry-picks changes from the original PR #9447 to branch 24.10. > > Because URL scheme validation is disabled by default in 24.10 (DeploymentConfiguration#getUrlSafeSchemes() allows all schemes unless configured), and because some components differ from main, the backport was adapted: > > - Scope: BreadcrumbsItem does not exist in 24.10, so it is excluded. Charts (Credits, Exporting), Login (AbstractLogin#setAction) and SideNav (SideNavItem) are all validated. > - Javadoc: the @throws clauses reference {@link DeploymentConfiguration#getUrlSafeSchemes()}, since validation only rejects schemes that are not in the configured safe set (allow-all by default). This also adds the previously missing @throws on Credits#setHref and SideNavItem#setPath. > - Tests: converted to JUnit 4 (as used by these modules in 24.10) and mock VaadinService/DeploymentConfiguration to enable validation, since it is off by default. > > --- > > > ## Motivation > > > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. A javascript: (or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > > > ## Changes > > > > Validating setters added across the affected components, each with a matching setUnsafe* variant that bypasses validation: > > > > - SideNavItem.setPath / BreadcrumbsItem.setPath — navigation link. > > - Credits.setHref — clickable Highcharts credits link. > > - AbstractLogin.setAction — the form action attribute the browser POSTs to on submit. > > - Exporting.setUrl — Highcharts posts SVG to this URL as a form action for export fallback. > > - Exporting.setLibURL — concatenated into <script src="…"> to load offline-export dependencies at runtime. > > > > SideNavItem and BreadcrumbsItem constructors that take a String path validate transitively via setPath; their Javadoc now documents @throws IllegalArgumentException and explicit constructor tests cover the behaviour. > > > > Safe schemes are configured through the com.vaadin.safeUrlSchemes property and default to http, https, mailto, tel, ftp. > > > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated: javascript: cannot execute in <img src> / SVG <image> elements, and data: URLs are a legitimate, common use there. > > > > LoginFormTest and LoginOverlayTest already mock LoggerFactory to capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow's UrlUtil.isSafeUrl debug-logs a fallback notice, going through LoggerFactory.getLogger(UrlUtil.class) which returned null inside the broad mock. The mock now uses Mockito.CALLS_REAL_METHODS so unrelated lookups fall through to the real factory; the explicit LoginForm/Overlay.class stubs still take precedence. > > > > Part of vaadin/flow#24539 > > --- > > 🤖 Generated with Claude Code >

Changes in vaadin-side-nav-flow

  • New Features:
    • Validate navigation-related URL schemes (CP: 24.10) (#9709) (CP: 24.9). PR:9723

      This PR cherry-picks changes from the original PR #9709 to branch 24.9. --- #### Original PR description > This PR cherry-picks changes from the original PR #9447 to branch 24.10. > > Because URL scheme validation is disabled by default in 24.10 (DeploymentConfiguration#getUrlSafeSchemes() allows all schemes unless configured), and because some components differ from main, the backport was adapted: > > - Scope: BreadcrumbsItem does not exist in 24.10, so it is excluded. Charts (Credits, Exporting), Login (AbstractLogin#setAction) and SideNav (SideNavItem) are all validated. > - Javadoc: the @throws clauses reference {@link DeploymentConfiguration#getUrlSafeSchemes()}, since validation only rejects schemes that are not in the configured safe set (allow-all by default). This also adds the previously missing @throws on Credits#setHref and SideNavItem#setPath. > - Tests: converted to JUnit 4 (as used by these modules in 24.10) and mock VaadinService/DeploymentConfiguration to enable validation, since it is off by default. > > --- > > > ## Motivation > > > > Mirror the Flow URL-scheme validation (vaadin/flow#24539) for the navigation, action and link sinks in flow-components. A javascript: (or other non-allow-listed) scheme on a value that the browser later treats as a link, form action or script source is a familiar XSS shape; rejecting it at the setter closes that path while leaving an explicit escape hatch for trusted, hard-coded URLs. > > > > ## Changes > > > > Validating setters added across the affected components, each with a matching setUnsafe* variant that bypasses validation: > > > > - SideNavItem.setPath / BreadcrumbsItem.setPath — navigation link. > > - Credits.setHref — clickable Highcharts credits link. > > - AbstractLogin.setAction — the form action attribute the browser POSTs to on submit. > > - Exporting.setUrl — Highcharts posts SVG to this URL as a form action for export fallback. > > - Exporting.setLibURL — concatenated into <script src="…"> to load offline-export dependencies at runtime. > > > > SideNavItem and BreadcrumbsItem constructors that take a String path validate transitively via setPath; their Javadoc now documents @throws IllegalArgumentException and explicit constructor tests cover the behaviour. > > > > Safe schemes are configured through the com.vaadin.safeUrlSchemes property and default to http, https, mailto, tel, ftp. > > > > Image, icon, SVG, Avatar, map tile and chart-resource URLs are intentionally not validated: javascript: cannot execute in <img src> / SVG <image> elements, and data: URLs are a legitimate, common use there. > > > > LoginFormTest and LoginOverlayTest already mock LoggerFactory to capture the existing "action attribute together with login listeners" warning. After merging Flow main, those tests started NPE-ing: Flow's UrlUtil.isSafeUrl debug-logs a fallback notice, going through LoggerFactory.getLogger(UrlUtil.class) which returned null inside the broad mock. The mock now uses Mockito.CALLS_REAL_METHODS so unrelated lookups fall through to the real factory; the explicit LoginForm/Overlay.class stubs still take precedence. > > > > Part of vaadin/flow#24539 > > --- > > 🤖 Generated with Claude Code >

Compatibility

  • This release use Web Components listed in Vaadin Platform 24.9.19
  • Tested with Vaadin Flow version 24.9.24