We've certified the latest build of Model-Glue. This build addresses some outstanding issues and also adds in some enhancements. Download Model-Glue now.

We probably should have made this a 3.2 release, since there is so much stuff baked in... but we already had a plan for some big features for the 3.2 release. This means you get all this great new stuff for free. (you'll get 3.2 for free too, while supplies last :) )

If you want to know what changed in this release, look at The 3.1 Maintenance Release Candidate announcement for Model-Glue.

Big thanks to the Model-Glue team for outdoing themselves in terms of hard work and collaboration!

3.1 Maintenance Release Candidate

The release candidate for 3.1 is available now. This RC will be floated out in the wild until mid-next week. This gives you a chance to drop this RC into your codebase for a test drive. Barring any important issues, this is the version that we'll certify as the official and most current release. This release is particularly noteworthy for the quality of the code and the amount of fixes addressed. If you've been following this release, you know we've closed a huge number of issues. We'll list each item below so you will know what you are getting for your money. A few previously deferred items have been incorporated into this release, like

• Ticket #322 Controller cache API is missing
• Ticket #382 Messages not broadcast in correct order when format is used

Special thanks to Dennis Clark and Ezra Parker for finding the time to get these important updates into this release.

Closed on 2/23/2010

• Ticket #398 Railo : abstractRemotingService
• Ticket #406 several methods in EventContext missing output="false"

Closed on 2/21/2010

• Ticket #401 Enhance event.linkTo() to use variables from another scope
• Ticket #400 Remoting broke
• Ticket #404 Message listeners duplicated on startup

Closed on 2/14/2010

• Ticket #403 Tweak to boolean test in GenerationController
• Ticket #402 Add remoting integration test to buster sample
• Ticket #396 FORM not defined when calling executeEvent web service
• Ticket #382 Messages not broadcast in correct order when format is used
• Ticket #322 Controller cache API is missing
• Ticket #399 Space in CopyToScope() produces variables that are CF safe.

Closed on 2/7/2010

• Ticket #381 Support bean injection for helper components
• Ticket #397 Legacy applications using ChiliBeans not supported

Closed on 1/31/2010:

• Ticket #295 Transfer scaffolding - problem with composed objects with aliased properties
• Ticket #350 (Disable Model-Glue debug information for certain events)
• Ticket #355 Defining handler for predefined event overwrites builtin handler
• Ticket #364 no return value 'event' present in RemotingService.cfc->executeEvent()
• Ticket #365 OnRequestStart not broadcast when RemotingService->executeEvent() is called.
• Ticket #368 Errors during MG setup can 'ruin' an application
• Ticket #391 getInitialEventHandlerName() and getEventHandlerName() do not work in onRequestStart
• Ticket #395 ModelGlue.Bean.CommonBeans.Example: error in init

Closed on 1/30/2010:

• Ticket #376 generatedViewMapping setting not being appended to viewMappings

Closed on 1/26/2010:

• Ticket #340 Bind URL and event.linkto(), SES

Closed on 1/25/2010:

• Ticket #262 Add ability to detect infinite loop in modelglue.xml event handlers
• Ticket #390 LogRenderer doesn't output colors for USER or WARNING traceTypes

Closed on 1/24/2010:

• Ticket #379 Out-of-date information in readme.txt
• Ticket #383 Update Lighthouse Pro sample app from RIAForge
• Ticket #384 Mismatched controller path delimiters in sample apps
• Ticket #385 Case-sensitivity issues in usermanagement actionpack
• Ticket #386 OpenBD compatibility issue when missing event types
• Ticket #387 Values not passed to event when using Flash remoting

Closed on 1/20/2010:

• Ticket #315 Transfer Scaffolding inserts "wrong" ID name for related items component1

Closed on 1/16/2010:

• Ticket #292 (Ability to set default permission for the file generated by Model-Glue)
• Ticket #340 (Bind URL and event.linkto(), SES)

Closed on 1/15/2010:

• Ticket #90 (bug slips by CF, breaks on BD)
• Ticket #270 (An implementation of the =,:,| operators across the board)
• Ticket #284 (You should have)
• Ticket #283 (Typo)
• Ticket #304 (/include/value[@overwrite] does not default to true)
• Ticket #303 (/include/value[@overwrite] does not default to true)
• Ticket #308 (A request to the framework times out.)
• Ticket #309 (Scaffolding Error)
• Ticket #311 (addResult doesn't forward)
• Ticket #312 (ollectionBeanPopulator.cfc erroneously checked for the existance of the ...)
• Ticket #313 (Simple enhancement: create a beanmaker that logs what it finds)
• Ticket #351 (Error with SES URLs after upgrade to RC)
• Ticket #361 (buster example needs mapping to run from examples directory)
• Ticket #362 (Depreciated viewstate call in default app template)
• Ticket #374 (scaffold add id field to form hidden item generation)
• Ticket #372 (scaffold Display generation, is extra div tag at end of page)
• Ticket #371 (Rendering of Scaffold Edit is not nesting table within form or visa-versa)
• Ticket #375 (Include support for adding helper mappings via ModelGlue.xml)

Closed on 1/14/2010:

• Ticket #307 (ModelGlue.Core.Controller.RemoveFromCache should return void (patch ...)
• Ticket #317 (Trac server time is fast by 7ish hours)
• Ticket #342 (applicationtemplate build.properties has incorrect path)
• Ticket #354 (Obsolete ORM Config Instructions in Coldspring.xml)
• Ticket #378 (Disable trace logging when the debug config setting is "none")

Moved to 3.2:

• Ticket #358 Pre-Bootstrap Validator
• Ticket #366 Model-Glue config file builder smarter

Moved to experimental:

• Ticket #314 Error when using a xml custom event type not defined
• Ticket #373 event-handler types given format attribute

Please take this new Model-Glue release for a test drive and let us know how you find the new features.

The Model-Glue team will be at CF.Objective() 2010 for pre-conference training, We'll run a two day class based on rapid development with the Model Glue framework. If you want to bump up your Model Glue skills, you should come to this.

We'll cover:

• Skinning
• Data Input and Processing
• Request Formats
• Code Duplication, Helpers and UDF organization
• Advanced Model-Glue XML patterns
• Leveraging Model Glue with code generation
• Extending Model Glue
• Brand new, yet to be discussed Model Glue 3.2 features!

Register for Model Glue Training Here »

If this training isn't for you, perhaps you should consider one of the other pre-conference training courses. Some of the smartest and most talented folks have put forth training opportunities that shouldn't be missed.

List of Training Courses at CF.Objective()

• Building Secure CFML Applications (April 21) - Jason Dean and Pete Freitag
• Coldbox:100 Training (April 21) - Luis Majano
• Developing Applications with ColdFusion 9 Object Relational Mapping (ORM) (April 20-21) - Bob Silverberg and Mark Mandel
• Getting Started with Flex and AIR Development with the Flex SDK (April 21) - John Mason
• Mach-II and OOP from the Ground Up (April 20-21) - Kurt Weirsma, Peter Farrell and Matt Woodward
• Rapid Development with Model-Glue 3 (April 20-21) - Dan Wilson and Ezra Parker

3.1 Maintenance Release Beta

We've released the Maintenance release for 3.1. This release will be in beta for a short while (1-2 weeks) to give the community time to evaluate and comment. After an appropriate review time, we'll certify the build as the official and most current release.

This release is particularly noteworthy for the quality of the code and the amount of fixes addressed. Of special mention are Dennis Clark and Ezra Parker who collaborated on a very technical and important update to the way Model-Glue is initialized.

I'm pleased, as managing director of Model-Glue, to see a growing commitment to teamwork and creative problem solving. Model-Glue continues to evolve because of the many users who challenge the framework, and the many contributors who pitch in and make great things happen.

Change notes/Tickets

Here is a list of which issues/enhancements were addressed, in descending date order:

[More]

This post will serve to update the membership on the doings and transpiring of the Model-Glue team.

Staff Changes

Dan Skaggs and Dennis Clark have joined to Model-Glue development team. Both guys have already made contributions to the framework and will be an important part of our upcoming releases.

Trac and Bug Clean up

Ezra Parker and Dennis Clark have been working very hard to get the Trac site up to date and reconfigured for better release management. Dennis has brought some really timely and good ideas to the table which will help us stay organized.

Documentation

We've worked pretty hard adding and filling out the Model-Glue Frequently Asked Questions. If you have a question or an answer that belongs here, let us know by either starting the question, and adding the answer if you know it (preferred), or sending it to the mailing list (less preferred but still appreciated)

Training

We've also worked pretty hard to get out a new training series to help with more advanced Model Glue topics. You can begin the self-led training series at your convenience

Instructor Led Training

In conjunction with CF.Objective(), the Model-Glue team is offering Rapid Development with Model-Glue 3 a full 2 days of hands on Model-Glue training. Classes are on April 20 - 21 in Minneapolis, MN. We'll accept the first 20 registrations, price: $800 for Early Rate, $900 Regular Rate. Register here or email the list if you have questions.

Upcoming 3.1.5 Maintenance Release

We've gotten a very good start on the 3.1.5 maintenance release. Here is a list of tickets that have been closed and are currently available in SVN:

Closed on 1/16/2010:

• Ticket #292 (Ability to set default permission for the file generated by Model-Glue)
• Ticket #340 (Bind URL and event.linkto(), SES)

Closed on 1/15/2010:

• Ticket #313 (Simple enhancement: create a beanmaker that logs what it finds)
• Ticket #90 (bug slips by CF, breaks on BD)
• Ticket #270 (An implementation of the =,:,| operators across the board)
• Ticket #284 (You should have)
• Ticket #283 (Typo)
• Ticket #304 (/include/value[@overwrite] does not default to true)
• Ticket #303 (/include/value[@overwrite] does not default to true)
• Ticket #308 (A request to the framework times out.)
• Ticket #309 (Scaffolding Error)
• Ticket #312 (ollectionBeanPopulator.cfc erroneously checked for the existance of the ...)
• Ticket #311 (addResult doesn't forward)
• Ticket #361 (buster example needs mapping to run from examples directory)
• Ticket #374 (scaffold add id field to form hidden item generation)
• Ticket #372 (scaffold Display generation, is extra </div> tag at end of page)
• Ticket #371 (Rendering of Scaffold Edit is not nesting table within form or visa-versa)
• Ticket #362 (Depreciated viewstate call in default app template)
• Ticket #351 (Error with SES URLs after upgrade to RC)
• Ticket #375 (Include support for adding helper mappings via ModelGlue.xml)

Closed on 1/14/2010:

• Ticket #354 (Obsolete ORM Config Instructions in Coldspring.xml)
• Ticket #342 (applicationtemplate build.properties has incorrect path)
• Ticket #350 (Disable Model-Glue debug information for certain events)
• Ticket #378 (Disable trace logging when the debug config setting is "none")
• Ticket #317 (Trac server time is fast by 7ish hours)
• Ticket #307 (ModelGlue.Core.Controller.RemoveFromCache should return void (patch ...)

Below is a list of tickets we are probably going to close before the 3.1.5 release. If you want to express your interest in us closing a particular ticket, send us an email on the list.

• Ticket #314 Error when using a xml custom event type not defined
• Ticket #379 Out-of-date information in readme.txt
• Ticket #315 Transfer Scaffolding inserts "wrong" ID name for related items component1
• Ticket #322 Controller cache API is missing
• Ticket #295 Transfer scaffolding - problem with composed objects with aliased properties
• Ticket #355 Defining handler for predefined event overwrites builtin handler
• Ticket #358 Pre-Bootstrap Validator
• Ticket #364 no return value 'event' present in RemotingService.cfc->executeEvent()
• Ticket #365 OnRequestStart not broadcast when RemotingService->executeEvent() is called.
• Ticket #366 Model-Glue config file builder smarter
• Ticket #368 Errors during MG setup can 'ruin' an application
• Ticket #373 event-handler types given format attribute
• Ticket #376 generatedViewMapping setting not being appended to viewMappings
• Ticket #262 Add ability to detect infinite loop in modelglue.xml event handlers
• Ticket #340 Bind URL and event.linkto(), SES

If you know of a bug with Model-Glue 3.1 and want us to work on it, Submit a new ticket! Even if you've already reported it on the mailing list, please make sure there is a ticket in the system so we can prioritize it and schedule the fix.

Happy Holidays from Model-Glue.

We've been hard at work building fun and exciting things for all of you. Our holiday gift to the Model-Glue community is a revamped Quickstart and a brand new online Hands On Model-Glue 3 Training course.

The training picks up after the Quickstart, so make sure you know all the material in the Quickstart before proceeding.

It is helpful to actually go through the exercises, preferably typing each line out yourself. This will build muscle memory and help you learn the Model-Glue framework quicker. You can't be a professional football player by just reading books about football, can you?

Let us know what you think about the training, we want feedback of all kinds.

Let us also know if you have an idea for a new training section, we'll see if we can get it together for you.

Should you wish to submit a new training section, we'll be happy to use it.

Should you wish for more in depth training, contact us via the contact form and we can work something out with your team.

The entire Model-Glue team wishes you much success and happiness in 2010!

"Come to the edge, he said. They said: We are afraid. Come to the edge, he said. They came. He pushed them and they flew." Guillaume Apollinaire quotes

If you've been working on ColdFusion 9 for any length of time, you know how much faster and featureful the release is.

CF9 introduces a new ORM, called Hibernate, that will help you make data centric operations in record time. Bob Silverberg and Dennis Clark have put together support for Model-Glue and the new CF9 Hibernate ORM. Now, you can use Generic Database Messages and Scaffolding with the shiny new CF9 software!

A version of this is in version control right now. We are doing some final testing over the next few weeks before we push this out in the upcoming version 3.2, and if you want to take it for a test drive, drop us a line (or a comment below) and let us know, we'll get you a sneak copy of the new release for a test drive.

We've been busy working on a Model-Glue FAQ Section, check it out. We have our first few pieces of content up there and it is organized by topical section.

Model-Glue is a community project and we need you to help us identify topics and provide answers. So feel free to suggest any questions you would like to see in the FAQ. If you feel comfortable, you can add it to the FAQ along with the answer, if not, ping the Model-Glue mailing list and we'll get right on it.

A big thanks to Ezra Parker for setting this up for us...

I wanted to get some information about the 3.2 release. Security is all the rage these days, what with all the Cross Site Scripting and SQL Injection attacks. As Model-Glue is your front controller, it would be the natural place to do some protection.

John Mason wrote Portcullis, a library that handles scanning for XSS, SQL Injection and other important security input scanning features. I've just implemented it in a branch of Model-Glue and I'm thinking through how best to make it configurable in your applications. First, let's talk about what Portcullis/MG does.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by site owner. ( http://en.wikipedia.org/wiki/Cross-site_scripting )

Example

Say I have code allowing someone to upload profile description. If the user adds an image tag with javascript inside,this javascript will be executed in the browser context of any person viewing the profile. You can see an example below.

This is my profile.. <IMG SRC=""javascript:alert('XSS');" />, isn't it nice.

In this case, an alert will pop up, but we really are executing java script and can use many different attack vectors. Portcullis will scan the input and sanitize this.

Form Text: This is my profile.. <IMG SRC=""javascript:alert('XSS');" />, isn't it nice.
Post Portcullis: This is my profile.. &lt;IMG SRC="[INVALID]alert&##40;&##39;XSS&##39;&##41;&##59;"&gt;, isn't it nice.

So, you can see, Portcullis detected some sketchy input, sanitized it, and now it is rendered harmless when displayed in the browser.

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.[1] ( http://en.wikipedia.org/wiki/Sql_injection )

Example

This is a common one, even gaining it's own comic (http://xkcd.com/327/). Basically, the attacker tries to shove in some SQL into an input. Portcullis scans and sanitizes these sorts of attacks also.

a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

In this case, the user has crafted a special string so that when the input value is used in an SQL statement, several statements are sent to the database.

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE 't' = 't';

When Portcullis gets something like this, it sanitizes the dangerous input.

a';[Invalid] TABLE users; [Invalid] * FROM data WHERE 't' = 't

None of this will execute in an SQL engine, because it is no longer valid SQL. It is best practice to use CFQueryparam to help prevent SQL Injection, but Portcullis can help out too. Especially in cases where CFQueryparam isn't consistently applied.

Summary

So you can see there is a lot of value in using something like Portcullis to consistently protect and sanitize your inputs. What I've done is incorporate the project into Model-Glue and make it easy to use. Basically, if you want to protect everything, then you should be able to flip a switch in your ColdSpring.xml file. This will be good for some sites, and help out in a big way. However, we want to make sure we are adding maximum value and giving you, the Model-Glue users, the ability to use this in a flexible, and useful manner.

I'd like to see discussion on how this feature might be used, how folks would want to use it and any gotchas or pitfalls that you can see. Please use the comments, or the MG Mailing List for your questions and concerns.