Release Notes 5.3.6

This is a very modest bug fix release. Importantly, the bundled version of Prototype has been downgraded back to version 1.7, as the new version was causing a number of issues, especially under Internet Explorer.

The main improvement is security related; Tapestry will now integrate a hash-based message authentication code (HMAC) into serialized Java object data stored on the client (generally, this means the t:formdata hidden field used by the Form component).

When you first run your application under 5.3.6, you will see an alert and a console error concerning the HMAC configuration. You should update your application's configuration to set a unique, private value for the tapestry.hmac-passphrase configuration symbol.

And, as with any Tapestry upgrade, be sure to change your application's version number.

Bugs Fixed

  • [TAP5-986] - A request can fail with an NPE in some cases, when a Tapestry page is acting as the servlet container error page
  • [TAP5-1735] - Most packages lack package-level javadocs
  • [TAP5-1903] - Client-side exception when a Zone containing a Form with an Upload component is re-rendered
  • [TAP5-2008] - Serialized object data stored on the client should be HMAC signed and validated
  • [TAP5-2009] - Downgrade bundled Prototype version back to 1.7
  • [TAP5-2010] - Broken links in Javadoc pages

Improvements Made

  • [TAP5-1996] - Add Severity.SUCCESS enum for alerts