cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Did you get called away in the middle of writing a post? Don't worry you can find your unfinished post later in the Drafts section of your profile page. X

Change in Composer and Mashup builder functionality for ThingWorx 9.0

Walter_Haydock
7-Bedrock

Change in Composer and Mashup builder functionality for ThingWorx 9.0

Hi everyone,

 

As part of a wide-ranging product review for the 9.0 release of ThingWorx, PTC has decided to remove a range of functionality due both to limited market adoption and a continuing effort to harden the security of the ThingWorx platform. Thus, for ThingWorx 9.0, PTC will be removing the following capabilities:

 

• The ability to use rich text in the Composer “Documentation” field (existing rich text will be displayed as raw HTML);
• The ability to use rich text in blogs and wikis in Mashup Builder (existing rich text will be displayed as raw HTML);
• The ability to edit HTML text in mashup builder. ThingWorx users will still be able to employ a service to import HTML content if desired.

 

Please prepare for these coming changes as appropriate. Thanks!

7 REPLIES 7

Hi Walter,

 

  • Composer "Documentation" Rich Text -> we can live with it, but it's a downfeature for developers and hard to make it well readable when you have complex objects where you need to explain it right. If you see it as documentation for developers, we can pair with GitHub documentation where you have Rich Text editing features and this doesn't makes it more unsafe but a lot more useful.
  • Rich text in blogs and wikis in Mashup Builder  -> Ok for Composer side. But what about Blogs and wikis Runtime? this is an essential feature on runtime side.
  • Edit HTML text in mashup builder -> We don't prefill much on the composer side, but shouldn't be a big deal.

 

Anyway, where is the security problem? A developer with browser developer tools can do almost anything on the browser side, no need to have HTML Rich Text edition feature to break the security.

 

Thanks for the update on the future plans,

Best Regards

Carles Coll

Hi Carles. For the 9.0 release, we have eliminated the rich text functionality of blogs and wikis at runtime due to the aforementioned security concerns. An internal analysis led us to this course of action, but unfortunately, I can't get into details on this public forum.

Hi Walter,

 

Then which it's the solution for us? as we widely use it as aforementioned:

 

  • Blogs -> To discuss about Things, we attach fotos to the blogs entries, we use rich text in order to make points and highlight things (As I'm correctly doing here on the PTC Community)
  • Wikis ->
    • In order to add knowledge to Things, and plain text it's a poor knowledge tool.
    • In order to add help on our platform, where we attach photos and also add sections (H1, H2,...)

If it's not on TW 9.0, then we won't be able to upgrade, you should provide a path or something, for our customers will be a downgrade/downfeature and they won't accept it.

 

Thanks in advance, we can provide you and development / product team a demo of our platform to see what feature you are killing. We already did on the past, still I never had success but I can keep trying, as @Aanjan  , @mhollenbach and @aressler  know...

 

Carles Coll

Hi Carles - unfortunately this isn't functionality we are planning to continue providing in ThingWorx. We wanted to give potentially impacted users a heads up in advance through this post.

We found in the upgrade from 8.3.8 to 8.3.10 that some changes, such as editing the HTML text and changes in how certain elements (span) are handled, were already made to the HTML Text Editor which is restricting us from upgrading to the new patch release. I'd recommend PTC provides a method for customers that do not have security concerns a way to still use the existing HTML Text Editor widget.

Walter

Do you have a markup language, perhaps like github's markup? Please excuse if I am missing the point.  https://guides.github.com/features/mastering-markdown/

 

Agreed about security. You would be doing this to make XSS and CSRF attacks more difficult?

Thanks -- Rick

Rick - thanks for the note. ThingWorx does not have an equivalent to the GitHub markup language. Unfortunately, I can’t comment directly on what type of security risks we are trying to counteract. 

Top Tags