This is a very modest bug fix release. Importantly, the bundled version of Prototype has been downgraded back to version 1.7, as the new version was causing a number of issues, especially under Internet Explorer.
The main improvement is security related; Tapestry will now integrate a hash-based message authentication code (HMAC) into serialized Java object data stored on the client (generally, this means the
t:formdata hidden field used by the Form component).
When you first run your application under 5.3.6, you will see an alert and a console error concerning the HMAC configuration. You should update your application's configuration to set a unique, private value for the tapestry.hmac-passphrase configuration symbol.
And, as with any Tapestry upgrade, be sure to change your application's version number.
- [TAP5-986] - A request can fail with an NPE in some cases, when a Tapestry page is acting as the servlet container error page
- [TAP5-1735] - Most packages lack package-level javadocs
- [TAP5-1903] - Client-side exception when a Zone containing a Form with an Upload component is re-rendered
- [TAP5-2008] - Serialized object data stored on the client should be HMAC signed and validated
- [TAP5-2009] - Downgrade bundled Prototype version back to 1.7
- [TAP5-2010] - Broken links in Javadoc pages
- [TAP5-1996] - Add Severity.SUCCESS enum for alerts