
2.8SecurityChangesFAQ

Version 2, changed by ScottMcmullan. 10/16/2006.

Q. What security-related changes have been made in 2.8?
A. We have made two:

  1. A set of changes designed to prevent cross-site request forgery (XSF) attacks. These changes affect any function that tries to change a page via an HTTP GET, and can break code you have written. Please see the details in XSFRelatedChangesIn2.8.
  2. A new restriction where only admin can save code to a page (e.g. add or edit any <jot:foo> tag or ${expression}). If a non-admin user edits a page with code on it and then saves the page, the code on that page will be stripped for that new version of the page.
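The two checks described above can be pictured with a small page-save handler. This is an added illustration written for this FAQ, not JotSpot's own code: the `User`, `Request`, the session token, the `ForbiddenMethod`/`BadToken` exceptions and the `save_page` function are all assumed names, and the tag and expression patterns are a simplified reading of "any `<jot:foo>` tag or `${expression}`". The first check refuses to modify a page on an HTTP GET (the XSF-relevant case) and additionally expects a POST carrying a per-session token; the second strips code from the new revision when the saving user is not admin, leaving the surrounding text intact.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed patterns for "code" on a page: <jot:...>, </jot:...>, <jot:.../> tags
# and ${...} expressions. Ordinary text between paired tags is kept.
JOT_TAG_RE = re.compile(r"</?jot:[A-Za-z0-9_.-]+(?:\s[^<>]*)?/?>")
EXPR_RE = re.compile(r"\$\{[^{}]*\}")


class ForbiddenMethod(Exception):
    """Raised when a page modification arrives over a non-POST request (e.g. GET)."""


class BadToken(Exception):
    """Raised when the POST does not carry the expected per-session token."""


@dataclass
class User:
    name: str
    is_admin: bool


@dataclass
class Request:
    method: str
    body: str                 # new page content submitted by the user
    token: Optional[str]      # anti-forgery token sent with the form, if any


# Constructed sample session token; a real service would generate one per session.
SESSION_TOKEN = "tok-abc123"


def contains_code(text: str) -> bool:
    """True if the page text contains any jot tag or ${expression}."""
    return bool(JOT_TAG_RE.search(text) or EXPR_RE.search(text))


def strip_code(text: str) -> str:
    """Remove jot tag markup and ${...} expressions, keeping plain text."""
    return EXPR_RE.sub("", JOT_TAG_RE.sub("", text))


def check_mutation_request(req: Request, session_token: str) -> None:
    """Check 1: modifications must be POSTs that carry the session's token.

    A GET that changes a page can be triggered by a link or image placed on any
    other site, so it is rejected outright; the token ties the POST to a form the
    user actually loaded from this wiki.
    """
    if req.method.upper() != "POST":
        raise ForbiddenMethod(f"page modification via {req.method} is not allowed")
    if req.token is None or not hmac.compare_digest(req.token, session_token):
        raise BadToken("missing or mismatched anti-forgery token")


def save_page(user: User, req: Request, session_token: str = SESSION_TOKEN) -> Tuple[str, bool]:
    """Apply both checks and return (content stored, whether code was stripped)."""
    check_mutation_request(req, session_token)
    content = req.body
    stripped = False
    # Check 2: only admin may save code; a non-admin's new revision has it removed.
    if not user.is_admin and contains_code(content):
        content = strip_code(content)
        stripped = True
    return content, stripped


if __name__ == "__main__":
    page = 'Hello <jot:foo bar="1">x</jot:foo> ${1+1}'
    print(save_page(User("alice", is_admin=True), Request("POST", page, SESSION_TOKEN)))
    print(save_page(User("bob", is_admin=False), Request("POST", page, SESSION_TOKEN)))
```

Note that the strip happens only on the revision being saved; earlier revisions, as the FAQ says below, are untouched, which is what makes the admin "revert to the last good version" recovery possible.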

Q. Will my wiki be subject to these two new security checks when upgraded to 2.8?
A. Yes. However, if your wiki falls into either of the following two scenarios, both types of checking will be turned off to give you time to make any necessary changes:

  1. you have a custom theme installed and selected
  2. you have modified a non-configuration page under /System/ (e.g. /System/Pages/Search)

Q. How will these two new security measures affect me?
A. A couple of ways:

  1. You might have custom code that stops working because it was written in a way that ultimately uses an HTTP GET to modify a page. Most "standard" JotSpot code will work without modification, but there are a few patterns that will require code modification on your part. Please see XSFRelatedChangesIn2.8 for more information.
  2. If you rely on non-admin users being able to edit code pages, this will no longer work in 2.8. (Note: In 2.9 we are working on a new "coder" user right that will allow admin to explicitly delegate this ability to non-admin users.)

Q. I need time to adapt to these changes. Can you disable one or both of these security checks to give us time to adjust?
A. Yes, please email your request to support@jot.com and be sure to include the name of your wiki.

Q. What happens to pages and page revisions that already contain code? Will they be affected?
A. All existing pages and revisions are unaffected -- the admin-only enforcement is for any new revision.

Q. How can we retrieve code that was mistakenly erased when a non-admin user edited a page?
A. Since all revisions are saved, you can log in as admin and revert to the last correct version. (I.e. click revision history, select the last good version, edit the page, and then save it.)

Q. Why did you make these changes now?
A. We are constantly improving and securing our service. To date all of our work has been behind the scenes. Unfortunately these two changes have potential impact on you. In general we make these changes as we become aware of the need for them.
