Upgrading

Content Project root no longer returns 403. It now returns 404 instead. This may affect your availability if it relies on 403 status code.

Content Studio has to be upgraded to version 5+ to be compatible with XP 7.13. If you are using Content Studio 4.x with XP 7.13, you may experience disappearing layouts inside Page Editor.

Bundled JVM was upgraded to version 17. Our internal testing didn’t show any significant issues with this upgrade (except Nashorn engine removal), but we recommend testing your applications before upgrading to this version as always. Consult with JDK Migration Guide for more information about migrating from JDK 11 to JDK 17 in case you experience any issues.

When building applications it is recommended to specify options.release = 11 for compileJava task in Gradle build file to preserve compatibility with XP versions lower than 7.13. XP Gradle plugin com.enonic.xp.app version 3.4.0 does this automatically for you when systemVersion is set to 7.12.x or lower.

Ensure you are using the latest version of the Test Framework com.enonic.xp:testing in your Gradle project. For example, if your Test Framework dependency is defined as testImplementation "com.enonic.xp:testing:${xpVersion}" you might need to change it to testImplementation "com.enonic.xp:testing:7.13.0". Older versions may not work with JDK 17 and will cause tests to fail with java.lang.NoClassDefFoundError: jdk/nashorn/api/scripting/NashornScriptEngineFactory.

Usage of JDK 11 Nashorn engine is now deprecated and will be removed in future XP versions. Currently warning is issued for each usage: Class x.y.Z uses unsupported jdk.nashorn. Application may stop working in future XP versions. Applications must not use Nashorn engine directly, but instead use XP’s Javascript API.

base:media content type is now abstract - it can no longer be created directly. It was documented as abstract, but was not enforced in previous versions.

Content API no longer reads Page/Layout descriptors to determine regions for every fetched content. Regions are built from components array in content data. This changes the behaviour for regions with no component assigned. Rendering engine is now responsible for reconstructing unused regions from Page/Layout descriptors.

Server Distro Mac ARM64 bundles GraalVM 22.3.1 JDK 17 due to lack of GraalVM 22.3.2 image for Mac ARM64. Other distros are based on GraalVM 22.3.2 JDK 17

You need to reconfigure all Project level applications configured before version 7.12, if you have any. This is not a breaking change, as this feature was not announced in 7.11 and was not officially supported until 7.12.

Content API is now enforced to support only draft and master branches. Node API continues to support custom branches.

Content API does not allow to create/modify/delete content directly on master branch or to publish to any other branch than master.

Content PENDING_DELETE state is no longer in use. Content deletion no longer happens during unpublishing. Instead, content deletion forces content to be unpublished immediately.

Node state has been deprecated and is no longer in use, as it was only used for content’s PENDING_DELETE status.

Content API audit-log no longer logs system.content.update events by default. This can be changed back by setting auditlog.filter = * in content config.

draft branch is now restricted for unauthenticated access. By default, only system.admin.login role has access. Additional principles can be configured in portal config via draftBranchAllowedFor setting. Note that system.admin role always has access, regardless of the config.

Bundled GraalVM has been updated to version 22.3.1. Other JVM versions are not supported, although they may also work.

Virtual application schemas may now override schema present in any installed (real) application. To prevent virtual applications from overriding schemas use application config virtual.schema.override = false or disable virtual applications completely virtual.enabled = false

OSGi Compendium r8 is now provided as API dependency for Java Core API. (Component, Component Annotations and CM only) This may cause some compilation errors when XP application dependency version is bumped, but should not affect existing applications in runtime.

Default HTML now sets utf-8 charset encoding, if controller haven’t specified charset in Content-Type This may cause broken text on pages with page templates which specify content meta tag value other than utf-8. Make sure all your page templates use UTF-8. it is also recommended to use <meta charset="utf-8"> tag on all pages.

TypeScript imports. As of this version, all Enonic libraries are completely rewritten in TypeScript. If you have been using TypesScript in your application, it may no longer be compiling. Importing default exports are no longer supported, and depending on your build-setup and code, you may need to change your import statements. For example:

import nodeLib from '/lib/xp/node';

import * as nodeLib from '/lib/xp/node';

XP now bundles the GraalVM based JDK. We do not support running XP on other JDK except for the one bundled in the distro. Note that the default JavaScript Engine is still Nashorn.

Experimental support of arm64 (aarch64) based CPUs is added. You may see a WARNING message on XP startup java.lang.UnsatisfiedLinkError: Can’t load library …​. It does not affect XP operations and can be ignored.

Portal config now specifies default Content-Security-Policy for attachments and images. It is possible to configure the header via media.contentSecurityPolicy and media.contentSecurityPolicy.svg values. Empty value disables Content-Security-Policy for attachments and images. Default value is crafted to prevent common Persistent XSS attacks.

Admin config now specifies default Content-Security-Policy for page preview and inline mode (used by Content Studio). It is possible to configure the header via site.preview.contentSecurityPolicy value or go back to previous behavior by setting site.preview.contentSecurityPolicy to an empty value. Default value is crafted to prevent common Persistent XSS attacks in Content Studio.

Certain Security headers are now specified in header filter config by default. Default value is crafted to prevent Clickjacking attacks. It may prevent some pages to work properly if they, for instance, require to be loaded from an IFrame. You can customize default headers in header filter config headerConfig value to get back to previous behaviour.

Versions of Content Studio before 4.0.0 will not run on XP 7.8.0 or later.

params returned from HTTP Filter now replace original request params with the same names. There is no way to restore previous behavior.

Internal Admin Rest API was moved to respective applications. Any use of /admin/rest/* endpoints was for internal use only. It was never documented or supported for external use. We recommend implementing your own application with GraphQL/REST api as an alternative.

contentTypePatternMode configuration parameter has been moved to Content Studio configuration.

JaxRS API backend was updated to the next major release. We didn’t observe any incompatibilities, but if your application uses XP JaxRS API make sure you thoroughly test it.

Image Service now has memory usage constraints configured by memoryLimit parameter in Configuration Files / Image. This may cause 429 Too Many Requests HTTP responses for images, if they are not yet scaled at least once and put into disk cache.

XP 7.8 fixed a bug when lib-portal.getContent() would return a non-empty value in a context where no content should be returned, for example inside a responseProcessor or a service. If you didn’t have a proper check for non-empty content object returned by lib-portal.getContent(), you will have to fix your code. Please find an example of the fix below:

Session cookie specifies SameSite=Lax by default. It is similar to modern browsers default value except for "Lax + POST mitigation". You can revert to previous behavior by setting session.cookieSameSite = in Configuration Files / Jetty

Native Java primitive arrays are now converted to JavaScript arrays. You may have to adapt your application to the new behaviour if your code was using workarounds.

Image Service now limits maximum image size and number of filters applied. You can configure thresholds in Configuration Files / Image

Image Service has more eager validation of scale, filters, background and quality parameter values. Make sure the requests to Image Service use only correct/supported values.

Built-in Embed Macro now requires body part to be HTML escaped. In general, it should not cause issues because ContentStudio HTML editor always escapes macro body.

Content attachment file names can no longer contain suspicious characters. You can revert to previous behavior by setting attachments.allowUnsafeNames = true in Configuration Files / Content

Assets Service URL fingerprint part now uses application’s "build time" instead of application’s startup time. Make sure "build time" always changes for new versions of an application (this happens automatically if you use the standard xp build system)

Default Cache-Control headers for Assets Service and Portal Media Attachments have been changed. You can change default settings in Configuration Files / Portal

ResourceService no longer considers directories in jar as existing resources. If application code relies on checking directory existence in jar, consider checking existence of a file inside that directory instead.

Content integrity is verified during move operation, as it was done on create for page-template, template-folder and site built-in content types.

page-template content now accepts child content, but only fragment and media:*. Attachments are no longer redirected to the nearest template’s site.

input-type’s allow-content-type, x-data allow-content-types and newest content-type’s allow-child-content-type share the same pattern matching, that is stricter than before. You can switch back to legacy mode by setting contentTypePatternMode = LEGACY in Configuration Files / Admin for allow-content-type and allow-content-types, but it won’t affect allow-child-content-type pattern matching.

Named tasks do not necessarily execute on the node they were submitted on anymore. Instead, a random node capable to run a task is selected and task gets executed there. Make sure your named tasks do not require a specific node to be run on. Follow the Tasks / Distributable for more information.

XP does not proxy market.enonic.com requests anymore, meaning that browser should have access to https://market.enonic.com. URL can be changed in Configuration Files / Market.

Create the configuration files com.enonic.xp.hazelcast.cfg and com.enonic.xp.web.sessionstore.cfg and consider the values in them as described in Configuration Files / Hazelcast and Configuration Files / SessionStore.

Open port 5701 between the nodes in the network. This port is used by Hazelcast for internal communication in the cluster. An alternate port may be chosen by setting network.port. If using Docker, the port needs to be opened both in the network and in the docker-compose.yml container definition.

Evaluate the minimum required number of nodes in a cluster. system.hazelcast.initial.min.cluster.size is by default set to 2. During start-up, events, tasks and sessions will not be communicated between nodes in the cluster until the minimum number of nodes have signed in. For large clusters, this is an important setting. We recommend setting it to nodes/2 + 1, so for instance, in a cluster of six nodes, the value should be 4.

Distributed Sessions are off by default. Enable them by setting storeMode to replicated in the sessionStore config, if desired.