Today's update (7601a42) brings with it the following changes:
Security issues
- A new template function called explain() was added, used to dump the contents of variables used in templates with proper color and indentation. The old Dumper.dump() exposed sensitive data in its output. Dumper.dump() will still work, but restricted attribute values are now trimmed, just as explain() does.
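The security point of this change is that a debugging dumper must trim restricted attributes by name before it ever formats their values. The following is an added illustration of that rule, not the product's own Dumper or explain() code; the restricted attribute names, the sample context and the `<trimmed>` marker are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Iterable

# Attribute names whose values must never reach rendered output.
# Constructed for this example; the page does not list the real restricted names.
RESTRICTED_ATTRS = frozenset({"password", "password_hash", "api_key", "session_token"})
TRIMMED = "<trimmed>"


def _items(value: Any) -> Iterable[tuple[str, Any]]:
    """Yield (name, value) pairs for dicts and plain objects alike."""
    if isinstance(value, dict):
        return ((str(k), v) for k, v in value.items())
    return ((k, v) for k, v in vars(value).items() if not k.startswith("_"))


def dump_unsafe(value: Any) -> str:
    """The behaviour the fix removes: every attribute is rendered verbatim."""
    if isinstance(value, dict):
        return repr(value)
    return repr(vars(value)) if hasattr(value, "__dict__") else repr(value)


def explain(value: Any, restricted: frozenset = RESTRICTED_ATTRS, indent: int = 0) -> str:
    """Render a template variable with indentation, trimming restricted attributes.

    Trimming is decided on the attribute *name* before the value is formatted,
    so a secret is never stringified, however deeply it is nested.
    """
    pad = "  " * indent
    if isinstance(value, dict) or hasattr(value, "__dict__"):
        lines = [f"{pad}{type(value).__name__} {{"]
        for name, child in _items(value):
            if name.lower() in restricted:
                lines.append(f"{pad}  {name}: {TRIMMED}")
            else:
                rendered = explain(child, restricted, indent + 1)
                lines.append(f"{pad}  {name}: {rendered.lstrip()}")
        lines.append(f"{pad}}}")
        return "\n".join(lines)
    if isinstance(value, (list, tuple)):
        lines = [f"{pad}["]
        lines.extend(explain(child, restricted, indent + 1) for child in value)
        lines.append(f"{pad}]")
        return "\n".join(lines)
    return f"{pad}{value!r}"


@dataclass
class User:
    """Constructed sample object standing in for a template variable."""
    name: str
    password_hash: str


# Constructed sample template context.
SAMPLE_CONTEXT = {
    "user": User(name="alice", password_hash="$2b$12$constructed-hash"),
    "settings": {"api_key": "constructed-secret-key", "theme": "dark"},
    "tags": ["a", "b"],
}


def demo() -> str:
    return explain(SAMPLE_CONTEXT)


if __name__ == "__main__":
    print(demo())
```

Matching on the attribute name rather than on the value is the important design choice: a value-based filter (say, "anything that looks like a hash") would miss secrets it does not recognise, whereas a name-based deny list fails safe for the attributes it covers and can be extended centrally.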
Performance improvements
- All HTTP request handlers and backend cron jobs now have a timeout value. The default timeout for a request handler is now 2 minutes. The developer resource that lists request handlers now also includes the timeout for each handler. This should ensure that runaway processes no longer cause worker process resource starvation.
- When PORTFOLIO.create_search_form() is executed, it will no longer perform the XmlHttpRequest call if the DOM element it should be rendered into is not present.
New features
- It's now possible to compile SASS stylesheets into CSS on the fly. A new menu item for creating a SASS stylesheet has been added. Text files with the extension .sass or .scss are detected as SASS/SCSS stylesheets during upload. The libsass C++ engine is used for the compilation. @import statements are supported and resolve relative to the object that is being rendered. The _ prefix and the extension (.sass/.scss) are added automatically if not specified, matching the behavior of the Ruby implementation.
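The import rule described above (relative to the importing object, with the partial prefix and extension filled in when missing) is easy to get subtly wrong, so here is an added, self-contained resolver that implements it over an in-memory object store. This is illustration code, not the product's implementation or libsass: the store contents are constructed, the candidate ordering is an assumption, and only the quoted SCSS form of @import is parsed.

```python
import posixpath
import re
from typing import Optional

# In-memory stand-in for the objects below a site root. Constructed sample data;
# keys are object paths, values are stylesheet text.
OBJECTS = {
    "css/main.scss": '@import "variables";\n@import "components/button";\nbody { color: $fg; }\n',
    "css/_variables.scss": "$fg: #222;\n",
    "css/components/_button.scss": ".btn { color: $fg; }\n",
}

SASS_EXTENSIONS = (".scss", ".sass")
# Only the quoted SCSS form is handled here; the indented .sass form is not parsed.
IMPORT_RE = re.compile(r'^[ \t]*@import[ \t]+"([^"]+)"[ \t]*;[ \t]*$', re.MULTILINE)


def candidate_paths(importer: str, name: str) -> list[str]:
    """Object paths to try, in order, for an @import found inside `importer`.

    The path is relative to the importing object; the `_` partial prefix and
    the .scss/.sass extension are added when missing. The order is an assumption.
    """
    target = posixpath.normpath(posixpath.join(posixpath.dirname(importer), name))
    if target == ".." or target.startswith("../"):
        return []  # never resolve above the root the store represents
    directory, filename = posixpath.split(target)
    if filename.endswith(SASS_EXTENSIONS):
        names = [filename, "_" + filename]
    else:
        names = [filename + ext for ext in SASS_EXTENSIONS]
        names += ["_" + filename + ext for ext in SASS_EXTENSIONS]
    return [posixpath.join(directory, n) if directory else n for n in names]


def resolve_import(importer: str, name: str, store: dict[str, str] = OBJECTS) -> Optional[str]:
    """First candidate that exists in the store, or None."""
    for path in candidate_paths(importer, name):
        if path in store:
            return path
    return None


def expand_imports(path: str, store: dict[str, str] = OBJECTS,
                   stack: tuple[str, ...] = ()) -> str:
    """Inline every @import recursively. Unknown imports and cycles are errors."""
    if path in stack:
        raise ValueError(f"import cycle: {' -> '.join(stack + (path,))}")
    chain = stack + (path,)

    def replace(match: "re.Match[str]") -> str:
        resolved = resolve_import(path, match.group(1), store)
        if resolved is None:
            raise ValueError(f"{path}: cannot resolve @import {match.group(1)!r}")
        return expand_imports(resolved, store, chain).rstrip("\n")

    return IMPORT_RE.sub(replace, store[path])


if __name__ == "__main__":
    print(expand_imports("css/main.scss"))
```

Two behaviours are worth keeping when you adapt this: an import name is only ever looked up in the store, never on the filesystem, and a cycle is reported with the full chain rather than recursing until the stack overflows.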
- The resolve_path() template function is finally available. It works just like the resolve_path request handler, and the path must start with a container identifier. Both only verify permission on the final object/container in the path, just like before.
- The current_site template function can now be used. Some of the other site_XXX template variables are now redundant. Using current_site.container_data.resolve_path("path/to/file") is a good way of getting access to content below the site root without resorting to hard-coded container identifiers.
- It's now possible to start and stop timers during template rendering. This allows more detailed timing information about page rendering to be displayed as an HTML comment at the end of the page if the enable_timing_report configuration variable is set. The report also includes how much time is spent in each template function, in each template, and the total time spent generating the HTML.
Enhancements
- Added a new parameter, render_mode, to the embed() template function. The value can be inline, raw or the default empty value. Inline mode renders the JavaScript and CSS inside the HTML instead of linking to an external file (the default). The raw mode is practical if you want to use a page object to bundle all CSS or JavaScript into a single HTTP request.
- When a stylesheet is viewed directly instead of embedded, the actual CSS text is now rendered, so it is easier to know what you're working with.
- Stylesheet objects are no longer forced to the text/css mimetype regardless of which mimetype was set; text/css is now only the default.
- The e-portal single-sign-on and push message handling now use the standard timeout feature, giving more consistency.
- Improved code layout in the read request handler, so the proper filename is used when downloading content in more situations.
- The generic error pages which are shown when the application doesn't respond properly have been improved. The language should be more user-friendly.
Bugfixes
- Fixed an internal server error when uploading a zero-length file; the correct error message is now shown.
- An unhandled exception when generating thumbnails is now handled, returning a proper error message instead.
- Browsers have changed how they handle strong ETag cache validation tokens: they now return a weak validator even though we send a strong one. The weak-validator prefix (W/) is now ignored when comparing ETags, so HTTP 304 Not Modified responses are generated when they should be.
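The comparison that this fix changes is shown below as an added example, not the application's own handler code: a strict string comparison of the server's strong ETag against the browser's If-None-Match never matches once the browser echoes it back as W/"...", so every conditional request falls through to a full 200 response. The sample ETag and request headers are constructed.

```python
from typing import Optional

# Constructed exchange: the server computed a strong ETag for the resource,
# the browser sends it back as a weak validator.
SERVER_ETAG = '"5f3a9c2e"'
REQUEST_HEADERS = {"If-None-Match": 'W/"5f3a9c2e"'}


def opaque_tag(tag: str) -> str:
    """Strip the W/ weak-validator prefix, leaving the quoted opaque tag."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def strict_matches(header: Optional[str], current: str) -> bool:
    """The old behaviour: exact string equality, which a W/ prefix defeats."""
    return header is not None and header.strip() == current


def weak_matches(header: Optional[str], current: str) -> bool:
    """If-None-Match evaluation with the weak comparison (RFC 7232 section 3.2).

    The header may list several tags or be '*'. Splitting on commas assumes
    the opaque tags themselves contain no commas.
    """
    if header is None:
        return False
    if header.strip() == "*":
        return True
    return any(opaque_tag(t) == opaque_tag(current) for t in header.split(","))


def conditional_get(headers: dict[str, str], current_etag: str,
                    matcher=weak_matches) -> tuple[int, dict[str, str]]:
    """Return (status, response headers) for a GET with cache validation."""
    if matcher(headers.get("If-None-Match"), current_etag):
        return 304, {"ETag": current_etag}
    return 200, {"ETag": current_etag}


if __name__ == "__main__":
    print("strict:", conditional_get(REQUEST_HEADERS, SERVER_ETAG, strict_matches)[0])
    print("weak:  ", conditional_get(REQUEST_HEADERS, SERVER_ETAG)[0])
```

Weak comparison is what the specification requires for If-None-Match, so this is a correctness fix rather than a relaxation. If-Match and Range requests are a different case: those must still use the strong comparison, so do not reuse weak_matches for them.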
- The word "occured" was consistently mistyped; it has been corrected to "occurred" in all strings.
Feature removals / deprecations
- The page_timer template function no longer returns the timer value for the entire page. It now returns a timer instance you can use to start, stop and report timing information. This changes the API, so the documentation has been updated to match the new behavior.
- The request.filename local template variable was not used anywhere and was removed.