
Methods & Tools


The Dojo Toolkit - Announcements
Unbeatable JavaScript Tools

Dojo Winter and Spring 2015 events

Mon, 02/16/2015 - 18:32

There are a number of Dojo events this winter and spring. Some of these events are still tentative, so we’ll add links once they are confirmed. We hope to meet you at one of these events. Let us know if there’s an event you would like to host in your area.

Dojo Community Day

A Dojo community day is planned, but the details are not yet available.

Conferences

Conferences we’re planning to attend and/or deliver talks at.

Meetups
  • Hong Kong, March 20th
  • Atlanta, March 30th
  • Stockholm, April 16th
  • Stuttgart, April 24th
  • Oslo, May 11th
  • Copenhagen, May 14th
  • Dublin, May 15th
  • London, May 20th
  • Ottawa, June 3rd

Training Workshops

Let us know if you’re speaking at an event, and we’ll add you to our listings!

Categories: Open Source, RIA

Case study: Softeco Sismat (TELL ME Project, #2)

Fri, 12/26/2014 - 17:57

The large companies that use Dojo are widely known. This series features lesser known users of Dojo, and their stories. Eight months ago, we conducted a case study about the TELL ME project with Stefano Bianchi from Softeco Sismat, an Italian ICT company. Here we have followed up with Stefano to get an update on their progression from desktop web app to mobile with Dojo.

TELL ME Login

TELL ME Mobile UI – login

Q: How did you first learn about Dojo?

A: We were looking for a solid JavaScript framework to develop a prototype for a complex, desktop-like web user interface (UI) to support learning activities for blue collar workers at the workplace. We evaluated several different renowned frameworks and we found references to Dojo in several JavaScript framework evaluation tables – we then decided to give it a chance considering its features and the positive feedback. The experience gained during the technical activities (development, testing, debugging etc.) and the feedback gathered from both developers and end users confirmed the general good impression we initially got.

Q: Why did you choose Dojo?

A: At a very first glance, Dojo seemed like a robust JavaScript framework for client-based desktop-like applications, shipped with several interesting built-in features (plenty of ready to use components and widgets, such as e.g. the Store-based Tree widget and the rich chart & graphing library). Also, the documentation (and tutorials, in particular!) was rather rich and complete, providing an incremental guide for differentiated (novice, intermediate and expert) users. The Asynchronous Module Definition (AMD) and Object Oriented (OO) approach was also a plus. As for our previous expertise in Rich Internet Application (RIA) development, what really convinced us to adopt Dojo was the possibility to replicate on the client side the same desktop-like functionality that we previously deployed with Java-based RIA frameworks on the server side. As the project we are participating in also addresses mobile devices, the Dojo Mobile toolkit represented a valuable asset for future development. This case study focuses in particular on the development of a Mobile UI that we designed and implemented to port to smartphones some RIA functionalities we developed for the plain web desktop UI, in order to provide a pervasive training experience and allow launching native multimodal apps on Android devices.

Q: Were you previously using another toolkit?

A: In previous research projects, we extensively used several JavaScript libraries and frameworks – Prototype, Scriptaculous, jQuery, ExtJS to name a few. Working with Dojo represented for our Research & Innovation division a good opportunity to extend our expertise in JavaScript frameworks. All technical developments for the TELL ME learning content consumption UI (desktop and mobile) have been carried out with Dojo and Dojo Mobile from the very beginning.

Q: What does your application or service do?

A: The prototype we developed for the front-end user interface of the TELL ME (Technology-Enhanced Learning Livinglab for Manufacturing Environments) system includes several different widgets (“chunks” of HTML5/JavaScript/CSS code that can be used independently or assembled in a portal/desktop-like layout) that provide different learning-oriented functionality. The main aim is to allow a blue collar worker to express a learning need (e.g. “what do I need to learn/be trained/recap about?”) by e.g. selecting a set of predefined tags from several complementary domain taxonomies (i.e. trees of concepts describing activities, tools etc. in a given workplace) and to receive back a learning path (i.e. a list of learning-oriented activities) including different learning contents to be consumed in order to acquire or improve specific working skills. Each type of learning content (documents, videos, pictures, lessons etc.) should then be consumed/launched in a specific widget, with the possibility to also provide social feedback such as ratings and comments. After developing the TELL ME web UI, we started designing and implementing a port of the main functionalities to mobile devices, to allow using the same REST WS back-end services and launching native apps on Android devices.

Q: How does your application use Dojo?

A: The whole mobile TELL ME UI has been developed from scratch with Dojo Mobile. The application (with the Dojo core “has” module) “sniffs” the features of the device and forwards to the desktop or mobile UI. The trainee/blue collar worker can then log in and access the main page where several options are provided as a rounded list (“Search”, “To do”, “Expertise”) and a useful bottom navigation menu is included. The “Search” functionality in particular allows browsing a domain-related taxonomy where tags can be selected to launch searches on a remote Apache Lucene indexing server and retrieve a list of learning contents to consume, by launching native applications on the device. If the returned learning content has a specific proprietary MIME type, a dedicated Android app is automatically launched on selection, allowing the trainee to follow a step-by-step job card in a multimodal way (Text-to-Speech plus Speech Recognition features).

Q: Overall what is your user experience with Dojo?

A: Also Dojo Mobile generally confirmed the initial expectations: the good impression it gave at a first glance was confirmed by the technical results achieved by the prototype, which was developed without particular problems. Dojo Mobile required a short period of training but, after the experience with the base framework, the learning curve was not steep at all and the examples provided in the tutorials helped a lot in setting up working prototypes in a few days. We implemented a navigation tree to allow selecting the tags to launch the search and we will work in the next period on optimizing both usability and layout.

Q: What’s your favorite thing about Dojo?

A: The Dojo architecture is truly inspiring when approaching Object Oriented (OO) JavaScript, and the rich set of examples provided helps in understanding how to make JavaScript code modular and reusable throughout the application – the whole approach is clear, clean and scalable. Reference documentation and tutorials are also a valuable resource. The design we followed for the implementation of the desktop UI was also useful for the mobile version, as several JavaScript modules were easily reused, allowing us to immediately link the new presentation layer with the existing REST WS business layer.

Q: What are your future plans with Dojo?

A: After a first technical evaluation phase, where end-users tested the developed applications, we collected useful feedback to work on in the next months. In particular, we would like to make the desktop UI more responsive, and we are likely to start from a fully responsive framework (e.g. Bootstrap) to revamp the presentation layer while keeping Dojo modules and back-end services unaltered.

The templating mechanism still has to be completely understood and evaluated, and surely represents a direction to follow for further developments.

The prototype will be extended to include the complete logging of all learning experiences by means of dedicated Dojo-based logic connecting the UI to a Learning Record Store (LRS) as specified by the ADL specifications for the Experience API.

Furthermore, as the TELL ME project addresses also the use of advanced Human-Computer Interfaces (HCI), the Dojo-based UI will be ported as the HTML layer for an Augmented Reality (AR) application developed on the Unity 3D engine.

We moved to Dojo 1.10, but we are definitively eager to start playing with Dojo 2.0 as soon as possible!

TELL ME Mobile UI – main

TELL ME Mobile UI – user info

TELL ME Mobile UI – taxonomy tree tag selection

TELL ME Mobile UI – search results

TELL ME Mobile UI – seamless launch of Android app from web UI

TELL ME Technical Webinar

About TELL ME

TELL ME (Technology-Enhanced Learning Livinglab for Manufacturing Environments) is a research project co-funded by the European Commission to improve training in small and medium-sized manufacturing environments by using the latest technologies and insights. The aim is to bring innovative learning methods to manufacturers so they can better supply the needs of their markets, which include larger industries. TELL ME is a three-year project that started in November 2012 with a partnership of 14 leading organisations in academic research, technology and industry from Italy, the UK, Finland, Sweden, France, Germany, Spain and Portugal. It is a significant €8.3m R&D project, funded by the Consortium Partners and a €5.9m research grant from the European Commission under its FP7 Framework Programme.

Thanks!

Thanks Stefano for telling us about your experience with Dojo. If you would like to share your experience with Dojo, please contact us.

Categories: Open Source, RIA

Dojo Security Advisory 2014-12-08

Tue, 12/09/2014 - 21:04

Introduction

Several XSS vulnerabilities have been discovered and fixed in the Dojo Toolkit.

Masato Kinugawa discovered a security flaw in the SWF component of the dojox/form/FileUploader widget that allows for cross-site scripting attacks on domains hosting the affected SWF.

After evaluating the disclosed vulnerability, similar additional XSS vulnerabilities were discovered by the Dojo Toolkit security team in other dojox components including dojox/av/FLAudio, dojox/av/FLVideo, and dojox/form/Uploader. A potential XSS vulnerability with a different attack vector was also discovered in dojox/embed/Flash.

Note that these vulnerabilities are isolated to the dojox package; if you publish only the dojo and/or dijit packages, you are not affected by this security advisory and do not need to take any action. We recommend that all users that publish the dojox package upgrade to the latest point release.

Vulnerable

Dojo Toolkit 1.2
Dojo Toolkit 1.3
Dojo Toolkit 1.4.5 and earlier
Dojo Toolkit 1.5.3 and earlier
Dojo Toolkit 1.6.2 and earlier
Dojo Toolkit 1.7.7 and earlier
Dojo Toolkit 1.8.8 and earlier
Dojo Toolkit 1.9.5 and earlier
Dojo Toolkit 1.10.2 and earlier

Patches

New versions of the Dojo Toolkit have been released containing fixes for the vulnerabilities listed in this security advisory:

1.4.6 (patch)
1.5.4 (patch)
1.6.3 (patch)
1.7.8 (patch)
1.8.9 (patch)
1.9.6 (patch)
1.10.3 (patch)

Dojo 1.3 and earlier are end-of-life products. Users running Dojo 1.3 and earlier are urged to upgrade immediately to a more recent version of the toolkit.

Workarounds

1. Delete the SWF files listed under “attack vector” below; and
2. Ensure all user input passed to dojox/embed/Flash is HTML escaped.

Attack vector

http://xxx/dojox/av/resources/audio.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?src=…?\"))-alert(1);}catch(e){}//

http://xxx/dojox/av/resources/video.swf?videoUrl=…?\"))-alert(1);}catch(e){}//

http://xxx/dojox/form/resources/fileuploader.swf?flashButton=%3A\"))-alert(1);}catch(e){}//%3B

http://xxx/dojox/form/resources/fileuploader.swf?id=\"))-alert(1);}catch(e){}//

http://xxx/dojox/form/resources/uploader.swf?id=\"))-alert(1);}catch(e){}//

Impact

Cross-site scripting.

CVSS Severity (2.0)

CVSS Base Score: 4.3
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Temporal Score: 3.2
CVSS Environmental Score: Not Defined
Modified Impact Subscore: Not Defined
Overall CVSS Score: 3.2

CVSS v2 Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Background

The Adobe Flash Player ExternalInterface API contains a known security issue where backslashes in strings passed to ExternalInterface.call are not correctly escaped by the Flash Player runtime. This enables arbitrary code to be executed if unsanitised user input is passed through ExternalInterface.call. Several SWF files inside the Dojo Toolkit passed unsanitised user data through ExternalInterface.call to console.log and dojo.publish, introducing a cross-site scripting vulnerability.

Additionally, the JavaScript code in dojox/embed/Flash builds HTML strings that are injected into the page without ensuring that special characters are properly encoded. This allowed arbitrary HTML to be injected into a page that uses dojox/embed/Flash if unsanitised user input was passed to it.
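The two defects described above share one root cause: caller-supplied strings reach an HTML or ExternalInterface sink without being encoded for that context. The following is an added example, not code from the Dojo Toolkit or the advisory, showing the string-building pattern in a vulnerable form beside a hardened form that applies workaround 2 (HTML-escape everything interpolated into the embed markup) and additionally restricts the widget id to an allow-listed character set so that backslashes and quotes never reach the SWF's ExternalInterface.call in the first place. The function names, the `SAFE_ID` and `SAFE_SWF_PATH` patterns and the sample inputs are all constructed for this example.

```javascript
// Minimal HTML escaper for text and double-quoted attribute contexts.
// Encodes the five characters that can break out of either context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encode a flashvars object as the URL-encoded key=value&key=value string
// the Flash plugin expects; encodeURIComponent neutralises quotes, backslashes
// and ampersands inside individual values.
function encodeFlashVars(vars) {
  return Object.keys(vars).map(function (key) {
    return encodeURIComponent(key) + "=" + encodeURIComponent(String(vars[key]));
  }).join("&");
}

// Hypothetical allow-lists (assumptions of this example): a widget id that
// will be echoed back through ExternalInterface may only contain characters
// that are inert in both HTML and JavaScript string literals, and the movie
// path must be a relative .swf path without traversal segments.
var SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;
var SAFE_SWF_PATH = /^[A-Za-z0-9_\/.-]+\.swf$/;

function isSafeId(id) {
  return SAFE_ID.test(String(id));
}

function isSafeSwfPath(path) {
  var p = String(path);
  return SAFE_SWF_PATH.test(p) && p.indexOf("..") === -1 && p.charAt(0) !== "/";
}

// VULNERABLE: raw concatenation. Any quote or angle bracket in opts.id,
// opts.src or opts.flashvars lands in the markup unchanged.
function buildEmbedUnsafe(opts) {
  return '<embed type="application/x-shockwave-flash" src="' + opts.src +
         '" id="' + opts.id + '" flashvars="' + opts.flashvars + '"></embed>';
}

// HARDENED: validate the values that have a fixed shape, URL-encode the
// flashvars, then HTML-escape every interpolated string for the attribute
// context it is placed in. Rejects rather than silently repairs bad input.
function buildEmbedSafe(opts) {
  if (!isSafeId(opts.id)) {
    throw new Error("refusing unsafe widget id");
  }
  if (!isSafeSwfPath(opts.src)) {
    throw new Error("refusing unsafe movie path");
  }
  var flashvars = encodeFlashVars(opts.flashvars || {});
  return '<embed type="application/x-shockwave-flash" src="' + escapeHtml(opts.src) +
         '" id="' + escapeHtml(opts.id) +
         '" flashvars="' + escapeHtml(flashvars) + '"></embed>';
}

// Constructed sample inputs for a stand-alone run.
var hostileId = 'video_1" onmouseover="x';          // attribute break-out attempt
var benignOpts = {
  src: "dojox/av/resources/video.swf",
  id: "video_1",
  flashvars: { id: "video_1", src: 'clip "one".flv' } // quotes inside a value
};

function demo() {
  var unsafe = buildEmbedUnsafe({ src: "x.swf", id: hostileId, flashvars: "" });
  var rejected;
  try {
    buildEmbedSafe({ src: "x.swf", id: hostileId });
    rejected = false;
  } catch (e) {
    rejected = true;
  }
  var safe = buildEmbedSafe(benignOpts);
  return { unsafeMarkup: unsafe, hostileIdRejected: rejected, safeMarkup: safe };
}
```

Note the split of responsibilities: `encodeFlashVars` protects the value boundary inside the flashvars string, `escapeHtml` protects the attribute boundary in the markup, and the allow-list on the id covers the SWF-side sink the page cannot fix from JavaScript. The patched SWF releases remain the actual fix for the ExternalInterface issue; this caller-side check is defence in depth.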

Timeline

2014-12-03: Initial disclosure.
2014-12-04: Security team notified of issue.
2014-12-08: Patch released and initial announcement.
2014-12-09: Full announcement.

What can I do to prevent this from happening in the future?

There is currently a lot of crufty old code in dojox that is unmaintained or under-maintained. We need more developers that use Dojo and are interested in adopting some of this old code, or developers who want to help us finish Dojo 2 so that we can replace this old code with new code that follows modern best practices for Web development.

If you’re interested in lending a helping hand, please get in touch by posting on the mailing list or visiting us at #dojo on irc.freenode.net. Thanks!

Categories: Open Source, RIA