Changelogs

Content

• The Block Editor now supports h4, h5, and h6 headings by default. [#25660]
• On an export, users now have the option to exclude old versions of dotCMS content, outputting only live and working/draft versions. [#25510]

Enhancements & Adjustments

• Added a feature to map legacy SAML configuration IDs to site IDs, storing this as an App secret on a host, and using it to facilitate login URL routing. [#25636]

Fixes

• Downloading a starter from the back end is now a streamed process that begins as the assets are being incorporated into an archive. This prevents timeouts under certain administrative setups — such as running dotCMS behind a load balancer — and limits the danger of the destination container over-allocating space in the case of multiple requests. That's a mouthful, but two birds with one stone merits a yarn. [#23733]
• In the Job Scheduler, the default Site Search index is specified with (Default) appended to its alias. This caused the Job Scheduler to throw an error when adding a new reindex to the schedule, until that additional text was manually cleared. Well, that snag has been fixed. [#24176]
• The Copy URL button at the top of the page viewing mode interfaces now copies the whole URL, and not just the path. [#24683]
• Improved debouncing on undo/redo operations in the Block Editor; the number of undo or redo steps should now more or less conform to expectation. [#24716]
• NavTool's getNav method now returns only published links. [#24829]
• Mending conflicts with the Integrity Checker will no longer result in null values on contentlet_as_json database fields. [#25229]
• Pushing a newly created folder as a limited user with appropriate permissions no longer fails. [#25371]
• When performing a “Publish (all)” on its contents, a folder will no longer flop and bellyache to draw sympathy from the referee. [#25440]
• The Block Editor's hyperlink search feature now respects non-default languages. [#25567]
• Pagination has been restored to Content API calls with the /related path parameter. [#25666]
• Uploading multiple files will now respect the language filter when assigning the files a system language, instead of defaulting to English. [#25797]
• Creating a version of content in a second language no longer removes all related content from all language versions of that contentlet. [#25896]
• Content API and Elasticsearch queries now properly return metadata keywords. [#25618]
• Fixed an issue that would cause the Block Editor, on Chromium-based browsers, to represent content pasted from a Word document as an image rather than a sequence of blocks. [#25726]

Content

• The Page API now accepts a depth parameter, permitting access to related content through contentlets embedded on a Page. [#18123]

Enhancements & Adjustments

• Added new Show Preview button to the page viewing mode screens; you can now view a fully rendered preview of your changes in a new tab, outside of the context of the dotCMS back end. [#23948]

Fixes

• The presence or absence of a trailing slash in URLs no longer yields a different result, such as a 404 response code. [#23276]
• When changing the language of a piece of content, it will likewise alter its relationships to point to versions of subordinate contentlets in the same language, where available. [#24415]
• Corrected a Javascript console error preventing the contextual menu from functioning when right-clicking a role name in the Roles & Tools tool. [#24424]

  Note: If you are using a version affected by this bug, you can still use the operations of that menu through the + button's dropdown menu while the role is selected.

• Stopped Sites now correctly display on the Site Selector; only archived Sites are hidden. [#25120]
• Fixed an error preventing the display of a contentlet containing an empty Block Editor field. [#25121]
• Fixed Site Browser sorting; the default pattern is to show folders first, alphabetically, and then all other items in the current folder by descending modified date. [#25136]
• The presence of language query parameters was interfering with attempts to correctly render images when performing a static Push Publish. We've added a workaround to ensure all images render statically in a multilingual context. [#25217]
• Mending conflicts with the Integrity Checker will no longer result in null values on certain database fields. [#25224]
• WYSIWYG fields now accept images regardless of whether the content is in the default language; after all, even with language barriers, it's not hard to convey that you want to have your picture taken. [#25258]
• The sorting listener on Key/Value fields has been made field-discrete; this prevents a situation where sorting keys in a contentlet with multiple Key/Value fields could cause the two fields' data to combine. [#25402]
• The date-format mismatch identified in [#25008] had been fixed in API responses, but persisted in Velocity contexts; this fixes it there, too. [#25293]
• Added a user limitation to the admin panel's nav update event, to limit calls to the menu endpoint and prevent usability issues. [#25556]
• Specified tag_inode table column insert order on an upgrade task to prevent an issue when upgrading between 23.01 LTS patch releases. [#25720]
• OPTIONS requests to REST APIs no longer generate a 500 error status, and now return proper CORS headers. [#25775]

Dependencies, Components, Etc.

• Removing old Dojo resources from packaging. [#24840]
• Removing old jaxws libraries no longer in use. [#24843]

Enhancements & Adjustments

• Added a new $dotsecrets viewtool to pass sensitive data through Velocity. [#23175]

Fixes

• Fixed the retrieval of Personas via Lucene query; persona tags neither require, nor yield different results with, :persona appended to the tag name. [#22872]
• When using the tasks page's “hamburger” button (⋮) menu, the Publish action now fires directly — i.e., the expected behavior — instead of opening the Push Publish dialog. [#23395]
• The image editor's Download button is now once more hunky-dory. [#23924]
• Users with an ID length of more than 36 characters are no longer prevented from locking content. [#24133]
• Fixed a date-format mismatch between an old format used in some places and a new one in others. [#25008]
• Creating content in more than two successive languages without leaving the content editor no longer throws an error. [#24286]
• Folders no longer fail to push publish if they contain archived content. [#24705]
• For those who prefer Podman over Docker: File assets now upload properly to dotCMS containers managed via Podman. [#24937]
• Resolved an issue that caused content to push publish to a working (draft) state instead of a live state in the specific case where an alternate-language version of that same content exists in an archived state. (That sentence went through like eight drafts; you need to take a deep breath before summarizing a bug this particular.) [#25044]
• getResizeUri method now returns valid URLS for a resized binary image — no more double-slash shenanigans. [#25203]
• Fixed an issue preventing Templates from saving. [#25212]
• The Block Editor's content & asset search is no longer intimidated into silence by certain non-alphanumeric character inputs. Dash all you want; it won't flinch. [#25230]

Breaking Changes

• Fixed a permission error that prevented a user with a custom role with appropriate permissions from using Workflow API operations. While this will not change observed behaviors, permissions-based fixes are generally classed as breaking changes due to how they may affect the hypothetical user working around them. [#23199]

Content

• Added video blocks to the Block Editor. Import videos either from your dotCMS file system, from your local files, or elsewhere online, and situate them within your Block Editor field's content. These videos are stored as full dotAssets, and can be reused freely. Default video rendering settings live in dotVideo.vtl, alongside other rendering defaults in /velocity/static/storyblock/. [#23863] [#23436] [#24465]

Enhancements & Adjustments

• The Block Editor's image-block popup now includes a tab for uploading a local file. [#23237]
• The paragraph block has been removed from the configurable Allowed Blocks list, to better convey its inviolable “default block” status. [#23764]

Fixes

• Whitelisting a block on a Block Editor field will no longer result in error when adding images to that field. [#23920]
• Solved rendering issue with fields converted from WYSIWYG to Block Editor that contain code. [#24422] [#24230]
• Fixed issue that could potentially cause errors when push publishing a Block Editor field. [#24299]
• Solved rendering issue with fields converted from WYSIWYG to Block Editor that contain code. [#24422]
• Block Editor now no longer allows recursively adding a contentlet to itself, which could render the content unrecoverable. [#23846]
• WYSIWYG Editor no longer throws errors when inserting an image with a different default site language than the editor. [#24285]
• Removed a wide assortment of unnecessary cache invalidations when saving and/or updating content. This also counts as a performance optimization, though we shall list it as a fix for reasons of honor. [#24781]
• Restored behavior whereby the file browser dialog shows files in the default language as a fallback if they do not exist in the requested language. [#24444]
• Push publishing will now properly respect timezone selections made from the dialog in the Publishing Queue's Bundles tab. [#25037]

Enhancements & Adjustments

• Significantly shortened startup time by optimizing vanity URL loading procedures. [#23982]
• Image permits, which control the number of threads dotCMS's image editor can occupy at once, have been made more permissive through better use of caching. They are now less likely to cap out on routine operations, without compromising their intended purpose of easing system resource burdens. [#23807]
• Increased number of password hash iterations from 20,000 to 600,000, in line with current OWASP recommendations for a SHA256 algorithm. [#23915]
• Changed the way JSON Web Tokens are handled, removing an issuer check and replacing it with additional reliance on jwt_secret.dat. This makes possible the use of the same JWT tokens across multiple environments. [#24395]

Fixes

• Block Editor fields that had been converted from WYSIWYG fields save all changes correctly. [#24565]
• Image fields now filter properly according to user input. [#23449]
• Resolved errors resulting from blanking an existing date field or checking “Never” on an expiration date field. [#22667] [#22350]

  Note: Originally appeared in 23.01 agile; the issue was subsequently reopened and underwent a bit more work.

• Fixed issue preventing content with double quotes in its title from displaying properly in a Relationship field. [#23396]
• Leaving the “publishing” Date/time field blank on content preset for scheduled publishing, no longer causes that content to re-publish if unpublished. We determined this behavior was simply too silly. [#24344]
• Permissions tabs — appearing in folder properties, contentlets, templates, etc. — no longer fail to load. [#23889]
• Fixed an update task that absolutizes container paths: It erroneously added the site to the same path multiple times in certain situations. Well, not anymore. [#24436]
• Copying a folder that contains Pages with both live and draft versions will no longer result in an error; duplicate your folders fearlessly. [#24441]
• Created a background task to ensure the proper conversion of legacy content to the contentlet_as_JSON schema for those upgrading from years-old versions. [#24093]
• Fixed PostgreSQL error observed in upgrades from 22.03.4 LTS to 23.01.1 LTS. [#24380]
• Improved publishing procedures for environments with many locales and relationships, preventing slowdowns. This sounds like it should be under Enhancements, but those slowdowns could get pretty significant. So, here we are. [#24245]

dotCMS 23.01.1 is the official designation of dotCMS 23.01 as a long-term supported release.

Representing the vast sum of changes since 22.03 — ten months of wild-eyed development, birthing new features with prophetic zeal — this roundup is large enough that we'll soon be reorganizing the changelog layout to accommodate this and, indeed, others like it.

For the moment, you'll find the new patches to 23.01 in the first section; underneath that, a feature rollup covering everything new from 22.05 through 23.01.

Finally, for a more conversational look at the LTS-to-LTS changes, check out the announcement on our blog!

LTS Patch (Changes Over 23.01)

Enhancements & Adjustments

• You can now enable multiple user IDs to possess the same email address by setting the environment variable DOT_SAML_ALLOWUSERSWITHDIFFID_REPEATEDEMAIL to true. [#24138]
• S3Client can now be configured to interact with Simple Storage Service (S3) object stores other than Amazon S3. [#22151]

Fixes

• File Browser now properly displays multilingual content, not limited by the configured user-interface language. [#24358]
• Fixed File Browser display behavior; now displays Page and file assets in expected fasion. [#24272]
• Corrected the exclusion of two asset directories from back-end exports; both are now present and accounted for. [#23810]
• Resolved issue preventing latest upgrade for MSSQL database users. [#23761]
• Categories are no longer removed from content mass-imported via CSV file. [#23440]
• Language parameters update correctly when redirecting via Rule. [#24158]
• Widgets now correctly display in non-default languages on working (i.e., draft) versions of Pages. [#24059]
• Fixed issue preventing saving content in a secondary language while a working/draft version exists in the default language. [#23280]
• CSS files now push publish to S3 buckets without issue or compilation error. [#24351]
• Navigation no longer shows duplicate results — both requested and default languages — when requesting multilingual content in the non-default language. [#23890]

(Un)Breaking Changes

• The dotcache directive no longer caches objects declared with set directive within the block; caching of generic objects should be handled manually through the Dotcache viewtool. Note that this is a breaking change if upgrading from 23.01, which introduced the behavior, but not for any previous version — that is, it effectively unbreaks the change of agile 23.01. [#24075]

LTS-to-LTS Feature Rollup

Below are the key changes of note since the last LTS. For a lighter summary, see 23.01.1 LTS: The Upgrade to Upgrade To, on our blog.

Content

• Added the new Block Editor field. [Many!]
  • Create and edit content as self-contained “blocks” stored as portable JSON, well suited to either headless or traditional use.
  • Choose from a variety of block types: paragraphs, headings, images, lists, tables, block quotes, and more.
  • Can contain and display contentlets created in dotCMS — with user-defined rendering, whitelisting, and automatic updating.
  • Fully editable inline in Edit Mode.
  • Transform WYSIWYG fields into Block Editor fields at the push of a button.
• Added ability to copy Content Types. [#21697]
• Removed limit on number of widgets or forms displayed in Content Selector popup. [#21811]
• Implemented storage of content info as JSON for MSSQL databases — as previously implemented for PostgreSQL. [#21219]
• A Push Remove Now action has been created to facilitate push-removal within a workflow. [#22021]
• Image paths can now be copied from Site Browser context (right-click) menus, using the new Copy Path item. [#22146]
• Introducing the new JSON Field, an easy way to store and access JSON data. [#22829]
• When performing a “shallow push” — i.e., Push Publishing with the “Only Selected Items” filter selected — tree entries are included in the push. This renders the behavior more intuitive in certain cases. [#18742]
• Unique fields on global Content Types can now be specified as unique globally or unique per site. This is handled via the uniquePerSite field variable, which defaults to false. [#21781] [#22250]
• Added ability to create a whitelist of acceptable keys for Key/Value fields. [#19562]
• It is now possible to retrieve parent content through a child contentlet's Relationship Field by using Lucene queries.[#22319]
• System content:
  • Certain System fields in certain Base Content Types have been rendered user-removable. [#15847]
  • Removed various system fields — tags, categories, relationships, constants, host, and folder — from the immutable JSON object storage in the database. Folder and host are passed in during the construction of a contentlet; the rest are loaded lazily. [#21858]
  • Moved the System Template and System Containers to velocity's static WEB-INF/velocity/application path. #21265

Enhancements & Adjustments

• Velocity improvements:
  • We've built a new Velocity Playground developer tool, allowing users to easily test and preview Velocity snippets before deployment. Debug with gusto — maybe even élan! [#23610]
  • Caches storing all Velocity macros now flush and refresh according to a more eager strategy, triggered either by flushing the Velocity2 cache manually via the System → Maintenance panel, or by editing any dot_velocity_macro.vtl file. [#22297]
  • Added a method to assign categories to content via Velocity, usable in a Workflow via Velocity script actionlet. [#23009]
  • It is now possible to read field variable key-value pairs from within Velocity, allowing evaluation at load time from your Velocity template files — and giving user-defined field variables more utility. [#22618]
  • Added new $dotcache Viewtool, a generic object cache, permits a wide assortment of highly convenient caching and storage behaviors! [#23037] [#23430] [#23431] [#23432] [#23575]
  • Added $dotContentMap, a built-in Velocity content object that lets you access content in a container without performing a pull.
• API improvements:
  • Added a new API Playground tool to the Dev Tools, built using Swagger. [#22298]
  • Refactored HostAPI: Improved caching and respect for permissions; now reliant on the database instead of ElasticSearch, and on variable names instead of Content Type names. [#21476]
  • Metadata for Binary Fields is now exposed through API responses. [#23552]
  • Push Publishing filters can now be added or updated via a REST API call. [#21823]
  • Added new API endpoints for creating, reading, updating, or deleting containers. [#21626]
  • Permissions operations now have REST API endpoints. [#22524]
  • New /api/v1/page/copyContent endpoint allows copying of content in the context of a page, duplicating the object and editing the tree entry. In other words, this is a “Save as Copy” method that allows content to be modified for a single page rather than all pages. [#23224]
    • Added in the same breath: New /api/v1/page/{pageIdentifier}/_deepcopy endpoint allows a “deep copy” of an entire page — copying both the page itself and all content contained therein.
• Edit Mode Anywhere changes:
  • Now works in AWS Amplify and other hosting platforms. [#21877]
  • No longer sends the page.rendered property on POST unless enabled in the app. [#21786]
  • URL Override plugin's functionality is now part of the core, available out of the box. [#21713]
• Logging:
  • The log viewer has been rebuilt for performance and reliability. [#23043] [#23042] [#22968] [#22978] [#23039]
  • Additional logging has been added to SAML operations. [#23048]
  • Pulled various log messages that are more on the “noise” than “signal” end. [#23757] [#22144] [#23781]
• User experience tweaks, simplifications, etc.:
  • Enter key now activates the primary action — e.g., Next, Submit, etc. — for all dialogs in the system. [#19158] [#22566]
  • Improved clickability when relating content — click anywhere in the list's rows to toggle!
  • Add custom content tools to traditional navigation through a simple menu option in the Content Type list, or through API calls. [#21797]
  • In the traditional interface, clicking on an entry in the Categories menu now provides a list of child categories, for improved navigation. [#23252]
  • Angular dropdown menus, such as the site selector, now allow for keyboard navigation. [#22835]
• Changed folder handling to enforce knowable & consistent folder ID behavior. [#21801]
• Replaced Vanity URL base content type's Site field with a Host Folder field. [#21889]
• The Multipart Web Interceptor plugin, which scans multipart or form requests that use PUT or POST to upload files, has been fully integrated into the core product. [#21854]
• Date and time fields have been modified in MSSQL databases to take into account time zones. [#21169]
• Versions of the same content across different languages can now display publishing dates distinct from one another. [#21518]
• Updated dot-binary-file web component to support the maxFileLength attribute. [#18019]
• Image filter scale has been mapped to the resize filter that replaced it, improving backwards compatibility. [#22463]
• Switched to using Tomcat's RemoteIpValve for DNS resolution. [#19569]
• Updated the Next.js starter: Upgraded to the latest Next.js version, and reviewed compliance with community guidelines. Read more about using dotCMS with Next.js on our blog. [#22992][#22994][#22995]
• Added an app that implements the prerender.io filter as a WebIntercepter and allows a user to configure prerender via Settings → Apps → dotCMS prerender App. [#20903]
• Now compatible with Husky. [#21857]
• Various performance improvements!
  • Optimized routines for bulk adjustment of permissions. [#19358]
  • Removed performance drag from supporting on-the-fly configuration changes via file watchers and other blocking patterns, which are unsuited to a containerized paradigm. [#21619]
  • Sped up the process of fetching a piece of content's categories via Velocity. You might say we've increased its Velocity. Stop frowning at me. [#22864]
  • Implemented lazy loading for workflow histories to improve load times for history-rich content. [#22068]
  • Tomcat no longer performs scans for Tag Library Descriptor files at startup, speeding up initialization. [#22716]
  • General library-driven improvements to paste behavior across a variety of fields and data types. [#22019]
  • Related content spanning multiple locales has been made more performant, shortening load times. [#22910]
  • Added DOT_IMAGE_GENERATION_SIMULTANEOUS_REQUESTS environment variable to limit the maximum number of threads image processing can consume. [#23384]

Visual Adjustments

• “Paper” layering styles (e.g., gaps and drop-shadows) removed from back end, reclaiming some space. [#23369]
• Significant cleanup operations and general improvements have been undertaken on the user interface for Containers. Error messages, toasts, layout elements, context menus, and more have received some TLC for a cleaner and smoother user experience. [#23141] [#23142] [#23143] [#23144] [#23146] [#23200]
• “Break lines, not layouts!” The field variable interface now handles lengthy keys and values more gracefully; long text now wraps to additional lines within invariant columns. This supersedes the old behavior of “plunging into chaos.” [#23119]
• Page titles now update to display the name of content being edited; multitab without fear! [#21701]
• Fixed cases of contextual menus cutting off at the bottom of their parent display pane. [#21979] [#23461]
• Replaced browser-native alert() message box after user account changes data in the My Account dialog. [#22276]
• When changing a password, verbose error message now displays when new password does not meet security requirements. [#22204]
• Fixed pagination errors on the UI site selector; now displays a maximum of 15 results at a time, with live text filtering of choices. [#22734]
• Slight adjustment to the styling of cards in the Apps section. [#23367]
• The read-only system container and system template are now more visually clear as to this status, with a greyed-out color scheme and contextual buttons removed. [#22216] [#22217]
• Pagination now displays properly when querying related content by REST API. [#22236]
• Updated labeling to more clearly distinguishing between a “key” and a “token” in the user interface — a subtle but “key” difference! [#23007]
• Push publishing queue displays all bundles, even when one or more fail to publish. [#23062]
• Removed extraneous descriptive text from dropdowns in Edit Mode. [#23406]
• Date and Date/Time fields now highlight the current date. [#23551]

Dependencies, Components, Etc.

• JSON handling: Removed GSON in favor of Jackson. [#21641]
• Updated ProseMirror, TipTap, and Tomcat. [#22058] [#21849]
• The version of Java used in docker images has been updated. [#22426] [#22852]
• Upgraded Nx and Angular. [#22337]
• Updated Dojo. [#22132] (Note: Also listed under Breaking Changes.)
  • Smoke-tested Dojo update. [#22885]
• Moved from Libsass to Dart Sass for SASS/CSS compilation. [#22196]
• Tomcat native library location has been fixed for Apple M1 contexts. [#22893]
• Updated GNU General Public License text. [#23352]
• PDFBox library updated to 2.0.27. [#23384-comment]
• Stabilized internal Tomcat path to prevent breaking changes on minor-version updates. [#23407]
• Removed unused jsass and Apache commons text libraries, to avoid flags associated with the text4shell vulnerability. Although dotCMS was never susceptible to said vulnerability, we thought it best to avoid even the suggestion of it. [#23475]
• Upgraded the PostgreSQL JDBC driver. As with the previous bullet point, this resolves a vulnerability that did not strictly affect dotCMS. [#23531]
• We've carved npm out of the front-end build process and wrapped the latter in a Maven module, as a first step toward using Maven for the full build. [#23556]
• ⚠️ MSSQL database support is deprecated ⚠️; 23.01 will be the last LTS major version to support MSSQL.

Plugins

• Improved OSGi plugin loading in server-cluster context. [#21882]
• Fixed error preventing OSGi plugin undeployment. [#21879]
• Fixed ability to upload multiple OSGi assets at once. [#21685]
• Fragments now only load when forced. On uploading, dotCMS reads the Export-Package from the fragment manifest, adds this to the OSGi-extras file, then moves the fragment to the undeployed folder and restarts the OSGi framework. This prevents interference with other plugins and allows OSGI to be cleanly started. [#22055]
• Created new OSGi system framework for loading system bundles — minimal, speedy, and stable. [#22184]
• Override plugin now starts correctly in certain prior versions. [#22043]

Development Improvements

• Migrated Actions to monorepo. [#21761]
• Improved test times. [#22495]
• Consolidated build jobs. [#21755]
• Migrated Postman tests to GitHub Actions. [#21758]
• Resolved vulnerabilities and identified by SonarQube. [#23405]
• Updated GitHub Actions code in response to command deprecations. [#23332]
• Update tasks have been updated and backported, improving maintenance of future LTS releases. [#22916]

Breaking Changes

• Replaced repackaged JSON-handling classes with more tractable code. [#22118]
• Updated several default configuration values, such as disallowing HTTP by default. [#22006]
• Removed unnecessary Spring jars for better parsimony and tidiness. [#21944]
• Initial admin password is now an automatically generated, non-guessable password recorded in the logs. Setting the configuration option INITIAL_ADMIN_PASSWORD can allow for overriding the generated password with a preset one. [#21916]
• Moved to using Gradle 7.3.3 in the build scripts. [#21684]
• AspectJ has been removed. Instead, Bytebuddy is now inited at runtime and rewrites the bytecode to weave the annotations into the classes. Additionally, ByteBuddy does not need to be included as a java agent. [#21684]
• By default, dotCMS no longer follows redirects when accessing remote URLs programmatically. This change is configurable, and can be reversed by setting the REMOTE_CALL_ALLOW_REDIRECTS property to true. [#22512]
• Updated Dojo. [#22132]
• Removed unused MySQL and Oracle drivers; users relying on either of these will need to provide their own drivers in their plugins. [#23531-comment]