Release Notes


XP7 Update 14


  • When a new XP sandbox is created using Enonic CLI 2.8 (or newer) and a template is chosen, the applications bundled with the chosen template are automatically installed during the sandbox’s initial launch. This significantly streamlines the setup process, enabling developers to bypass the usual time-consuming application installation and dive straight into their work.

  • Welcome page (available at http://localhost:8080/ in SDK version) displays the list of configuration files with an option to quickly copy their paths to the clipboard, enabling developers to quickly open the configuration files for modification in the Terminal.

SDK Welcome page

XP7 Update 13

Earlier versions of Content Studio (before 5.0) are not compatible with Enonic XP 7.13.0 (and newer), so make sure to upgrade to Content Studio 5.0.0 or newer.

Java 17

  • XP now runs on Java 17 GraalVM based version - latest LTS version of Java.

Management API

Statistics API

  • A new healthcheck (health) and readiness (ready) endpoint has been added to the Statistics Endpoint.

Task API

  • A new taskId parameter has been added to the Task Controller.

  • Added ability to set custom task name when Submitting a task.

  • Task info returned by get and list now includes node - XP node name where the task runs.


  • Welcome page of the Enonic SDK has been greatly improved to show the main XP endpoints, a new section with installed applications and allow browsing existing content projects, sites and webapps. Admin section allows logging in as a guest, unless admin user has been created. You can open admin tools and webapps with one click, directly from this page. Content Projects and Sites can be open with one click in Content Studio, if it’s installed.

SDK Welcome page

SDK Welcome page projects

  • Login page in SDK has been slightly improved to emphasise the "Log in as Guest" action until an admin user is created.

SDK Login page

Other Changes

  • Widget Descriptor now supports localization of widget title and description.

  • Vacuum, Dump, Load, AuditLog-Cleanup and Reindex tasks can only run single instance at a time within a cluster.

  • Introduced Node Repo cache to improve performance of Node API. Can be configured in Repo config.

  • Robustness of scheduled jobs has been improved.

  • Various improvements to the TypeScript types.

  • Various bug fixes and performance improvements.

XP7 Update 12

Dashboard Widgets

New widget interface admin.dashboard can be used to create widgets for the Admin Dashboard. Read more about implementation details here.

Content Variants

  • Content Duplicate API was extended to support Content Variants, useful for A/B testing

  • Added name and parent to duplicate Java API

  • Added duplicate method to the JS lib-content and lib-node APIs

Site mapping for services

Site Mappings can now be used to customize the behavior of Image, Attachment and Component services Services.

Add apps to projects

Previously, custom content types required you to create a site, and link your app to the site before you could create them. Project Applications enable you to add apps directly to the project instead, and thus create custom content directly on the project root.

Also, controller mappings will now work on project level, which means you may also write custom previews without using sites.

Pages, fragments and page templates still require to be in the context of a site.

Other changes

  • Draft branch access was previously restricted through the use of virtual hosts solely. Direct access now requires an authorized user. Role-based access can be configured via draftBranchAllowedFor setting in the Portal configuration settings.

  • Support of arm64 (aarch64) used in Apple M1/M2 chips for instance, is no longer experimental. You may see a message WARN org.elasticsearch.bootstrap - JNA not found. native methods will be disabled. It does not affect XP operations and can be safely ignored.

  • Added modifyMedia method to the JS lib-content API

  • Content API audit-log no longer logs system.content.update events by default. This can be changed back by setting auditlog.filter = * in content config

  • Added possibility to delete indices before Restore by using force option

  • The standard 403 error page now has a handy Logout button

  • Various improvements to the TypeScript types

XP7 Update 11

TypeScript Core libraries

All JavaScript XP core libraries have been rewritten to TypeScript. TypeScript definitions are published on NPM

Learn how to include references to TS definitions in your project here.

Special thanks to Tom Arild Jakobsen at Item Consulting for his contribution to TypeScript support in XP.

Virtual Applications and No-code Schema

This feature is experimental. It’s still under development design but is available for users to test and provide feedback.
  • Virtual Applications can be used as an alternative to installed (real) ones. They are code-less and can only contribute to schema definitions.

Virtual application behavior can be configured in application config

Query DSL improvements

  • exists expression support

  • filter clause support in boolean query

Other improvements

  • Support content links with query parameters in HtmlArea

  • Various Vacuum performance and stability improvements

  • Migrate to OSGi Compendium 8

  • Query parameters are now supported for content URLs in HtmlArea

  • Content API verifies checksum for attachments and skips update if attachment is not changed

  • Support setting Workflow status on Media update

XP7 Update 10

Shared Map

Shared Map framework is now part of XP. Shared Map сan be used to share transient data between nodes in cluster and/or applications. Both JavaScript and Java APIs are available.

Other improvements

  • XP distro is now bundled with GraalVM Community Edition based JDK (v.22.1). JavaScript Engine is still Nashorn.

  • Introduced experimental support of arm64 (aarch64) based CPUs. (For instance, Apple M1 CPU)

  • Content related descriptors expose modifiedTime field to check for content schema changes.

XP7 Update 9

Query DSL

Query DSL can now be used instead of NoQL for content and node searches. It also supports boosting of any expressions. Sorting can also be done with Sort DSL syntax.


Default Content-Security-Policy (CSP) header is now applied for page preview. It improves Content Studio security but may introduce issues for pages which use inline scripts: inline scripts cannot be easily distinguished from XSS attacks and must be avoided. If you are experiencing problems with CSP header you can configure or disable it in Admin config. Controllers can provide their own CSP, if needed.

Attachment and Image Services now have a strict Content-Security-Policy header to mitigate possible XSS vulnerabilities. It can be configured in Portal config.

Default security headers

All http responses now have the following headers set:

X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

As before, they can be customized in header filter config or turned off completely. Controllers can override them, if needed.

Other improvements

  • Portal lib API can now construct websocket URIs with serviceUrl and url methods.

  • Testing API com.enonic.xp:testing now supports assertThrows method.

XP7 Update 8

Versions of Content Studio before 4.0.0 will not run on XP 7.8.0 or later.


  • Javascript API for creating and importing is now available as a new library called lib-export.

  • Content API has been extended with new constants and functions for archive and restore

  • Authentication API now allows verifying credentials without actual login

  • Context API now allows passing custom attributes in the Context object

  • Portal API now supports imageSizes parameter in processHtml function

Custom content validators

It’s now possible to implement custom content validators via Content Validators Java API. Custom error messages can be i18n-localised and will be displayed in Content Studio.

Other improvements

  • Service mapping and request matching in Vhosts has been greatly improved

  • Now possible to map controller or filter to the site itself.

  • Exports folder location is now configurable

  • Localization service now officially supports Java MessageFormat.

XP7 Update 7


Periodical (cron-like) and one-time Job Scheduler is now available.

  • Two jobs for periodical vacuum and audit-log cleanup were added. Preconfigured in Scheduler config.

  • New scheduler core library allows controlling jobs programmatically.

  • Management Endpoint was extended to be able to list currently scheduled jobs.

Audit-log cleanup

SameSite cookies

  • Added support for SameSite attribute for cookies.

  • Session cookie sets SameSite=Lax by default.

Content-type filtering

Other improvements

XP7 Update 6

Content Layers

Content Layers enable automatic replication of content across dependant repositories. This feature can be used to implement multi language sites. JavaScript API is also available.


VHost API is now made public. Enumerate VHosts configured for your XP instances to customize URL handling.

Management API for applications

  • Management Port got extended to be able to start, stop and uninstall an application.

  • The new SSE endpoint allows listing installed applications and listening to application status changes.

  • Application installation can now be verified with SHA512 checksum.

Distributable tasks

  • All Named Tasks are now cluster-aware and run on any XP node that can do it, not only where it was submitted.

  • Application allow/deny lists feature helps to fine-tune new High Availability behaviour.

Websocket API extensions

  • Websocket API is extended to get access to authentication info inside websocket handlers.

  • getGroupSize method counts number of participants in a specific websocket group.

Other improvements

  • Serviced support

  • Improved 404 default page

  • Improved server log messages

  • New icon for media:content

  • System translated to Dutch

XP7 Update 5

Snapshot Restore latest option

latest option simplifies day-to-day snapshot/restore routines.

Meta-data in contentLib query results

_sort and _score calculated meta fields are exposed in contentLib query results. Now it is possible to know how content items were sorted.

Calculated distance in geoDistance aggregation

Another use of _sort calculated field is a geoDistance value. It calculates distance from provided coordinates to a geoPoint set in the content item.

Other improvements

  • New simpler default error page in production mode.

  • configuration value now does not have a strict default value and falls back to Elasticsearch/Hazelcast preference (usually value).

  • Snapshot-restore and system dump stability improvements.

XP7 Update 4

This version of Enonic XP is rather different from most others. There is no large feature set of noticeable changes, but rather a very important architectural change:

We have added Hazelcast to do events, tasks and sessions in the cluster. ElasticSearch is still there, but by using Hazelcast for these features, the cluster is more stable, and we now support Distributed Sessions.

Please read the upgrade notes in relation to backward compatibility.

Other improvements

In addition to the cluster freatures, AlwaysPreTouch has been enabled to avoid extra GC pauses on large installations.

XP7 Update 3

Please read the upgrade notes in relation to backward compatibility.

Content projects

XP now supports creating and working with content projects. Each project will create a separate repository, where content is isolated from the other projects. The repositories are named com.enonic.cms.<projectname>. Projects also introduce a simplified model in relation to permissions management and other default settings:

  • Set a default language for the project

  • Set default access mode (public, private or custom)

  • Give access to project via pre-defined roles (Owner, Editor, Author and Contributor)

  • Default content permissions are set via the pre-defined roles and access model

  • Projects can also be programmatically managed via the new project API.

To take advantage of projects, you must also upgrade to Content Studio v3.

For full backward compatibility, the default content repository (Default project) remains unchanged.

Compressed dump and load

Dumps can now be streamed directly to a compressed archive to use less disk space, and speed up the process. Loads can similarly load data directly from a compressed archive. We now recommend always using compression when performing dump and load.

For backward compatibility, using compression requres a setting a flag when using Enonic CLI.

Login without sessions

The updated auth API now supports request scoped logins, without having to manually modify the request context.

This is in particulary useful for handling modern stateful clients (i.e. using Java Web Tokens), meaning that a server session is no longer created when logging in. Getting rid of sessions provide more scalability and reliability from a server side perspective.

Details are available in the auth API documentation.

Selected improvements

The following improvements are also part of this release:

  • Color highlighting in console logs

  • Content API - Get content by version ID

  • Page template resolution is now faster - especially relevant for sites with many page templates

  • The default threshold to compress http content changed from 16 to 23 bytes

  • New Jetty http.threadpool configuration options are now available

  • Improved logging now include details that were previously missing

  • Improved peformance and stability for web sockets

  • Improved handling of StackOverflowError

XP7 Update 2

v7.2 is fully backward compatible with previous v7.x versions.

Audit Log

Any application can now store audit logs in a new common repository: "system.auditlog".

A core JS library Audit Library has been added to help you store and retrieve these audit logs

Content API - Audit Log

All successful state-changing operations, through the Content API, will create an audit log entry. In other words, all create/edit/publish/…​ in Content Studio or by using the content library will create an audit log entry This feature can be disabled by modifying the configuration file com.enonic.xp.content.cfg.

Node library - Get node by version

You can now retrieve an old version of a node by using the RepoConnection::get method.

Custom part icons

Part component now supports a custom icon which will be used instead of the default one in Content Studio - in the Page Component tree and dropdowns with part descriptors. Just place an icon (in either PNG or SVG format) with the same name as the descriptor schema into the same folder. For example, if part/folder is called mypart then part descriptor is called mypart.xml and the icon file should be called either mypart.svg or mypart.png.

Header filter

It is now possible to specify default headers set for every HTTP response via header filter. Default headers can be configured in com.enonic.xp.web.header.cfg configuration file via headerConfig property. If no value is specified set X-Frame-Options: DENY,set X-XSS-Protection: 1; mode=block,set X-Content-Type-Options: nosniff is used. Empty value disables Header filter.

Cross site scripting prevention headers
headerConfig = set X-Frame-Options: SAMEORIGIN,set X-XSS-Protection: 1; mode=block,set X-Content-Type-Options: nosniff

XP7 Update 1

v7.1 is fully backward compatible with v7.0 and was released in parallel with Content Studio v2.1.

This update introduces new features and improvements as well as 28 bugfixes. The complete list of changes is available on Github.

Query highlighting

The storage and CMS API now provide out-of-the-box highlighting functionality.

By submitting a highlighter definition together with your query, you will in return get text fragments where relevant search strings are highlighted. This is especially useful when presenting search results to end users.

Sample query with hightlighter
  query: "fulltext('description', 'house garden big')",
  highlight: {
    properties: {
      "description": {
        fragmentSize: 15,
        numberOfFragments: 2
Sample result from above query
  "highlight": {
    "c4bb11f1-c6e2-4849-a665-28f612213984": {
      "description": [
        " <em>house</em> with <em>big</em>",
        " maintained <em>garden</em>."

Content Workflow

The Content API now introduces support for basic workflow capabilities. When creating or modifying content, workflow status may be specified. Currently the following statuses are available: IN_PROGRESS, READY,

The API will now prevent publishing of content unless it is in the workflow state READY.

For backward compatibility, if workflow state is not specified, it is equivalent to READY. Also, modifying content will keep the item’s existing workflow state.

Screenshot showing workflow state in Content Studio

Check out the content api for usage details

Customizable display name label

For an improved editorial experience, developers may now override the default <Display Name> text on a per content type basis. This helps make the content form more intuitive.

By adding the following line to your content type definition:

<display-name-label>Some cool text here</display-name-label>

Editors will see the following in content studio.

Screenshot showing what this looks like in Content Studio

Visit the Content Types documentation for more detail

Publishing message

The content API’s publish function now supports adding a message. This message is added to the "commit" entry that was added to the function with the release of XP7.

The publish message is builds on the commit functionality of the Node API.

Content studio enables you to see the publishing message from the version history widget.

Screenshot showing where to write the publish message from Content Studio

Selected improvements

Some of the improvements included in this release are:

  • New exists() function for both node and content API provides faster existence checks over using get()

  • Assets with .es extension are now served with the javascript MIME type

  • File names are now sanitised during upload to prevent use of illegal characters


Breaking changes XP 7 contains breaking changes. Follow the upgrade instructions carefully to secure a successful upgrade.

Enonic XP 7 takes a major leap in simplifying application development and making the platform leaner and more flexible.

The biggest highlights of XP 7 is not the core platform, but all the changes around it:

  • New documentation - The documentation you are reading was created from scratch for XP 7

  • Developer portal - All XP related developer resources and docs in one place

  • Enonic CLI - For managing XP development project, also replaces the toolbox shell script

  • Native distributions. The Java Virtual Machine is now bundled with XP

  • Content Studio - Is now available as an app to download from Enonic Market.

Developer portal

Screenshot of the new developer portal

In order for developers to better and more easily navigate the XP ecosystem, we created a dedicated portal. The portal contains

  • XP docs: The XP core platform documentation (which you are reading now)

  • Reference docs: For all XP related apps, starters, libraries and more that are built by Enonic.

  • Hands on guides: Practical how-to guides an tutorials, including the getting started page

Built with XP

The portal is naturally an XP app itself. The geeky fact is that all docs and most guides are written in Asciidoctor together with the actual product code.

When we commit, changes to the docs are automatically checked out, compiled and imported to XP as content. This optimize how developers produce content, while taking advantage of everything XP offers at the same time.

Screenshot of dev portal edited in Content Studio

We plan to release the core elements of the doc portal on the market in the future.

Enonic CLI

The brand new Enonic Command Line Interface - "Enonic CLI" was also released at the same time as XP 7. It is versioned independently for more frequent updates. The CLI not only replaces the old toolbox script, it also introduces new and flexible ways of installing XP and managing projects and development environments.

Installing CLI, Enonic XP, building and deploying your first app can now be done with a few simple commands, as described in the getting started section of the developer portal

The CLI is available for Mac, Linux and Windows. For more information, check out the full documentation.

Native distributions

The biggest conceptual change to XP is that Java (the JVM) is no longer required in order to run XP. XP 7 ships with Java 11 embedded. As such, we now release native distributions of XP for the three major platforms, Mac, Windows and Linux. Expect future versions of XP to make more use of native capabilities and non-Java based functionality. As always, you will never have to worry about portability when writing XP apps.

There are several reasons for this move:

  • Developers no longer need to install or juggle with different versions of the JVM

  • Installation of XP is faster and sleeker than ever

  • We can take advantage of native/non-Java functionality when required

With this change, XP is now available in SDK and Server version. The SDK includes the full Java Development Kit, whereas the server edition uses a slimmed down version of the JVM, and may be further optimized for production use.

Content Studio is an app

Content Studio, the CMS editorial interface has been moved out of the XP core. It is now available as a separate application on Enonic Market

Content Studio can now be released more frequently than the XP core. Expect new versions of Content Studio to be released along with new features in the XP core.

For Content Studio release notes, check out the new documentation.


Even if Content Studio can be installed as a separate application, The XP core still ships with the content API and site engine that applications depend on.

Image styles

XP 7 introduces a new feature in the rich text editor called "Image styles". Image styles consist of both client side styling (css), and image service rendering specifications.

The rich text editor was previously limited to pre-defined and hard-coded styles, such as cinema (21:9) or square(1:1). Now, application developers may define custom styles that control both server side rendering aspect ratio, and specify classes to annotate the specific image.

Here we see an image using a style called old-photo, which adds the sephia effect to the image.

Projects prepared

Customers with many sites have requested better support for isolation of sites, and specific access rights to each. Our solution to create sites in different "projects", each project will be using its own repo. XP 7 (and Content Studio) does not yet fully implement this features, but prepares the foundation for supporting it.

You will notice this through the following change:

  • The default CMS repo is renamed from "cms-repo" to "com.enonic.cms.default".

  • New projects will be using the extension as project name, i.e. project "myproject" will use repo "com.enonic.cms.myproject"

  • The site engine URLs now contain project name - i.e. /site/<project>/<branch>/<content-path>

Editor references

References to images or other content in the rich text editor are now stored explicitly in the underlying node API. The publishing wizard will now identify and include these dependencies like all other references - no more missed items during publishing.

Stemmed content

Content flagged with a language is now automatically stemmed during indexing (trimming words to their root form for better hits). This is done using the standard Elasticsearch stemmer. This is achieved by adding a stemmed version of the _allText property, combined with a new query function.

Better page indexing

Pages, and their components are now indexed differently. Rather than just looking for text within a page, developers may now search for any configuration property, or metadata within a page.

As an example, one may now search the use of a specific part within a site.

XP Storage

The XP storage has been refactored for improved performance and disk usage.

Blobstore improvements

XP persists all data in so-called blobstore segments, one segment for each type of data to persist. XP 7 introduces new segments for indexconfig and permissions, enabling re-use of these across nodes, and node versions.

This reduces the use of disk space significantly.

Additionally, each repository now has it’s own root entry in the blobstore. This makes it possible to directly manage blobs associated with a single repository.

Version commits

XP automatically creates new versions for each modification of a node. Where XP 6 would persist all versions forever, XP 7 by default treats all versions as transient. This means that all versions that are not currently in a branch, may be garbage collected at any time in the future.

To prevent versions from being removed, one may also commit.

For the Content API specifically, publishing an item will automatically create a commit, effectively placing a stamp on the specific versions being published. Commits have id, committer, and optionally a commit message as meta data.

XP 7 does not yet implement the garbage collector that removes uncommitted versions, this will be part of an upcoming release.