Compatibility with previous releases
Version 3.3 is source and binary compatible with 3.2.
However, the default setting for permissions that determine which packages, classes and methods are accessible
to scripts has been reduced to a very narrow set. When migrating from a previous version of JEXL, this may
break your application's behavior; this breaking change requires remediation in your code.
Despite the obvious inconvenience (our sincere apologies on the matter), how much functional and semantic power is
accessible through scripts has a real impact on your application's security and stability; that potential risk requires
an informed review and a conscious choice on your end.
To mitigate the change, you can revert to the previous behavior with one line of code
(see JexlPermissions, JexlBuilder and JexlScriptEngine) or use this opportunity to reduce exposure.
Whether Files, URLs, networking, processes, class-loaders or reflection classes are accessible,
and whether loops or side-effects are allowed, is your choice to make.
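The two migration paths described above, side by side, as an added example (not code from the JEXL project). It assumes commons-jexl3 3.3 on the classpath; the class name, the sample context values and the custom permission set are constructed for illustration.

```java
import java.io.File;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class PermissionsMigrationDemo {
    /** Builds an engine that raises errors instead of silently returning null. */
    static JexlEngine engine(JexlPermissions p) {
        return new JexlBuilder().permissions(p).strict(true).silent(false).create();
    }

    /** Runs one script and reports whether the engine's permissions let it resolve. */
    static String run(JexlEngine jexl, String src, JexlContext ctx) {
        try {
            return "allowed: " + jexl.createScript(src).execute(ctx);
        } catch (JexlException e) {
            // Members hidden by permissions are not introspected, so the call cannot resolve.
            return "denied (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        JexlContext ctx = new MapContext();   // constructed sample data exposed to scripts
        ctx.set("name", "jexl");
        ctx.set("f", new File("report.txt"));

        // Path 1: the one-line revert to the previous exposure, scoped to this engine.
        // JexlBuilder.setDefaultPermissions(...) and JexlScriptEngine.setPermissions(...)
        // apply the same choice process-wide.
        JexlEngine legacy = engine(JexlPermissions.UNRESTRICTED);
        // Path 2a: the predefined restricted set, stated explicitly.
        JexlEngine restricted = engine(JexlPermissions.RESTRICTED);
        // Path 2b: a custom allow-list (hypothetical): only the wildcard packages are
        // visible, minus the classes denied with an empty {} block.
        JexlPermissions tight = JexlPermissions.parse(
                "java.lang.*", "java.util.*",
                "java.lang { Runtime {} System {} ProcessBuilder {} Class {} }");
        JexlEngine custom = engine(tight);

        JexlEngine[] engines = { legacy, restricted, custom };
        String[] labels = { "UNRESTRICTED", "RESTRICTED", "custom" };
        for (int i = 0; i < engines.length; i++) {
            for (String src : new String[] { "name.toUpperCase()", "f.getName()" }) {
                System.out.println(labels[i] + " | " + src + " | " + run(engines[i], src, ctx));
            }
        }
    }
}
```

Running the scripts your application actually accepts through a harness like this, before and after the upgrade, shows which calls depend on the wider exposure and therefore need either an explicit permission or a rewrite.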
What's new in 3.3:
JEXL 3.3 brings the ability to configure permissions on libraries in the manner pioneered
with the @NoJexl annotation on source code. This is achieved through a crude but light mechanism akin to
a security manager that controls what JEXL can introspect and thus expose to scripts.
Used in conjunction with options (JexlOptions) and features (JexlFeatures), the permissions (JexlPermissions)
allow fine-tuning the end-user freedom and scripting integration through syntactic and semantic sanitation.
JEXL 3.3 also adds some syntactic (ECMAScript) features (let, const, =>, for, ...) to further reduce
the skill set required to write scripts.
New Features in 3.3:
JEXL-392: Enable namespace declaration based on scripts
JEXL-391: Improve in/=~ operator when arguments are arrays and collections
JEXL-390: Pragmas should not be statements
JEXL-389: Improve parsing timings
JEXL-385: Support disabling fortran-style relational operators syntax
JEXL-382: Simplify grammar and lexical state management
JEXL-380: Multiple values per pragma key
JEXL-379: Allow new to use class identifier
JEXL-373: Add support for prefix/postfix increment/decrement operators
JEXL-372: Add support for 'standard' for loop
JEXL-369: Add 'let' and 'const' variable declarations
JEXL-367: Named function and fat-arrow (=>) lambda syntax
JEXL-366: Fail to evaluate string and number comparison
JEXL-365: Lambda expressions
JEXL-363: Allow retrieving captured variables in script
JEXL-360: Add missing bitshift operators (>>>, >>, <<)
JEXL-359: Allow per-operator arithmetic handling of null arguments
JEXL-357: Configure accessible packages/classes/methods/fields
Bugs Fixed in 3.3:
JEXL-386: Non-inheritable permissions on interfaces are ignored in an inheritable sandbox
JEXL-384: Improve control over JexlArithmetic null argument handling
JEXL-378: Incremental operator and decremental operator do not honor the side-effect flag
JEXL-376: Introspector captures methods on non-exported classes (modules, java9+)
JEXL-375: Cannot access enums by their name when using sandbox
JEXL-374: No exception if dereferencing null object using safe(false) and antish(false)
JEXL-371: Override of a protected method with public visibility is not callable
JEXL-370: Cannot check if variable is defined using ObjectContext if the value is null
JEXL-368: Namespace functor resolution is not cached
JEXL-364: Evaluator options not propagated in closures
JEXL-362: JexlInfo position reporting is off
JEXL-361: Null may be used as operand silently even in arithmetic strict(true) mode
JEXL-354: #pragma does not handle negative integer or real literals
JEXL-353: Documentation error for not-in/not-match operator