Project Documentation

What's new in Tobago 2.0?

At July 21, 2014 the version 2.0.0 has been released. Here was a quick overview over the features and changes made in the last time to release this major revision.

Tobago 2.0.0 contains 184 entries in Jira and most of them are exclusive in this version.

Please take also a look at the Migration from Tobago 1.5 to 2.0 guide.


Date- and Time-Picker

  • Using jQuery UI Datepicker and TimePicker Addon
  • Faster — no server request
  • Better interactivity
  • Old Date-/TimePicker via tobago-config.xml

Draggable Popups

Input Suggest

  • New implementation
  • Sub-Tag tc:suggest
  • More configuration options


  • Icons
  • Toolbar buttons

File upload

  • Looks pretty now in every browser

Radio Buttons

  • Icons

New Features


  • Integration example in the demo of CKEditor™ and TinyMCE
  • Not included, because of incompatible licences or breaks CSP
  • Other possible, but many have disadvantages

Default Command for Sub-Forms

  • Dependent from the focused input, the default command will be selected
  • Markup to show the command to the user

Tree and Tree-Table

  • Big internal refactoring
  • Work internally now with the JSF UIData
  • Free model: DefaultMutableTreeNode is not required any longer, but you can implement javax.faces.model.DataModel
  • TreeTable
  • Infinite Trees possible
  • Selectors: sub-tree selection


  • Dynamic lists in f:selectItems need not glue code (JSF 2.0)
  • Redirect in navigation rules doesn't break layout size
  • Additional possibility to show paging arrows in sheet
  • Automatically create accesskey from underscore is know configurable


Content Security Policy

  • To prevent XSS
  • W3C Standard
  • Idea:
    • Don't execute any code inside the HTML file
      • No content in script tags
      • no onclick, nor on* etc.
    • Don't execute eval(script)
    • Don't apply CSS inside the HTML file
    • Define the sources of any resources
    • Strict separation of code and data
      • Keep the code in JavaScript Files
      • Put additional data in HTML5 data-* attributes
  • Browser support: all current, but IE 10 and 11 only "sandbox"
  • Activated by default, can be configured via tobago-config.xml
  • There is also a "report-only" mode for development

Content Security Policy and Tobago

  • All renderers and scripts are refactored to be compliant with CSP
  • Using application specific JavaScript in Tobago
    • script attribute in command tags is deprecated
    • Problem: when setting non of these attributes: action, script, link, Tobago will create a default action. This can't be changed without breaking compatibility.
    • Solution: omit="true"

Sanitize potentially malicious content (to prevent XSS)

  • tc:textarea, when it contains a tc:dataAttribute with name="html-editor"
  • tc:out, when escape="false"
  • Default implementation: JSoup whitelist scanning
  • Configurable via tobago-config.xml
  • Why? See OSWAP


  • Setting nosniff HTTP header (to prevent XSS)
  • Don't allow to be in a frame (to prevent Frame-Attacks)
  • Both are configurable via tobago-config.xml, default is secure

Internal Refactoring

  • Tree uses subclass of javax.faces.model.DataModel
  • Using Java APT generator
  • Using ' instead of " for HTML attributes (JSON friendly)
  • JavaScript logging via console (plus workaround for old browsers)
  • The theme-config.xml was merged with tobago-config.xml
  • Access the Tobago configuration via the TobagoContext
  • The TobagoConfig is immutable after initialization
  • Add the version of Tobago into the resource URLs to avoid caching problem after updates