Jahia Statuspage.io
Module Id: jahia-statuspage-io
Group Id: org.jahia.community
Updated:
Requires Jahia: 8.2.2.1
Author: Florent BOURASSE
Category: Tools and Utilities
Status: COMMUNITY

Jahia Statuspage.io

A Jahia module that embeds the Jahia status page widget in two ways:

  • Back office — injected automatically into the Jahia administration interface via the UI Extender registry
  • Website — available as a draggable jnt:statuspageIoWidget component that editors can drop onto any page in jContent

The Statuspage.io page ID is configurable at runtime through an OSGi configuration, a GraphQL API, and a dedicated administration panel.

Dependencies & Dependants

Dependants
  • NONE

Changelog 1.0.1

Highlights

  • Hardens the Statuspage.io pageId input/output path against JavaScript injection in the rendered widget.
  • Brings the admin configuration UI into WCAG 2.1 AA compliance (contrast, focus, live regions, programmatic labeling).
  • Fixes a regression that prevented administrators from clearing pageId, plus a broken label/input association in the config panel.

Changes

Fixes

  • Security: validate Statuspage.io pageId to prevent JS injection (bd6c6ce)
    • Enforce DNS-subdomain-label format ([a-z0-9-], 1-63 chars) in StatuspageIoConfigServiceImpl.updatePageId so attacker-controlled values cannot be persisted and later interpolated into an iframe URL or inline <script> string literal.
    • In statuspageIoWidget.jsp, re-validate the stored pageId character-by-character before injecting it into the inline script, and validate event.origin in the postMessage listener (parity with banner.js).
  • Allow empty pageId and fix label association (cf538ca)
    • Permit empty pageId in updatePageId so admins can clear the configuration without tripping the DNS-label regex; null still throws.
    • Rename the input id to statuspageio-pageId-input so the <label>'s htmlFor targets the inner <input> rather than the MUI wrapper.
  • WCAG 2.1 AA fixes per audit (883516e, follow-up to ecf4f33)
    • CRIT-1: Replace dynamic-role live region with two always-in-DOM regions (role=status + role=alert) so assistive tech never sees role mutations.
    • CRIT-2: Remove setSaveStatus(null) race from handleSave; use a saveAttempt counter as the live-region key to force re-announcement on repeated saves.
    • MAJ-1: Darken text color #5c6370 -> #4f5660 for AA contrast.
    • MAJ-2: Link color #00a0e3 -> #0072b1 for AA contrast on light backgrounds.
    • MAJ-3: Add :focus-visible outline rule (2px solid #0072b1, offset 2px).
    • MAJ-4: Convert px font sizes to rem (13px->0.8125rem, 25px->1.5625rem); replace line-height:85px with unitless 1.4.
    • MAJ-5: Add aria-label fallback to Page ID input for programmatic labeling.
    • MAJ-6: Add required + aria-required=true to Page ID input.
    • MAJ-7: Add useEffect to update document.title on mount.
    • MAJ-8: Banner dismissFrame: move focus to document.body before hiding; set display:none after the 1s transition to fully remove from the a11y tree.

Full Changelog: 1_0_0...1_0_1

FAQ

How it works

On initialization, the module fetches the current page ID via GraphQL and registers a callback with the Jahia UI Extender registry (target jahiaApp-init:60). That callback creates a fixed-position iframe pointing to https://<pageId>.statuspage.io/embed/frame and appends it to the document body. The iframe communicates with the host page via postMessage to show or dismiss itself depending on the current status.

The same logic is available as a website component through the jnt:statuspageIoWidget nodetype and its JSP view, which reads the pageId property set on the node and injects the iframe directly into the rendered page.
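
The pageId rule from the 1.0.1 security fix and the origin check on the iframe's postMessage traffic, sketched here as an added JavaScript example (not the module's own code). The function names, the acme page ID and the sample events are constructed; the label format, the null/empty behaviour and the embed URL are taken from the text above.

```javascript
// Added example, not the module's code. Function names are hypothetical; the
// label format, null/empty behaviour and embed URL come from the page.
const PAGE_ID_LABEL = /^[a-z0-9-]{1,63}$/;

// Write path, as described for updatePageId: null throws, empty clears the
// configuration, anything else must be a single DNS-subdomain label.
function normalizePageId(pageId) {
  if (pageId === null || pageId === undefined) {
    throw new TypeError('pageId must not be null');
  }
  if (pageId === '') return '';
  if (typeof pageId !== 'string' || !PAGE_ID_LABEL.test(pageId)) {
    throw new RangeError('pageId must match [a-z0-9-], 1-63 chars');
  }
  return pageId;
}

// Read path: re-validate the stored value before using it, so a value that
// reached storage by another route (for example the .cfg file) is checked too.
function expectedOrigin(storedPageId) {
  if (typeof storedPageId !== 'string' || !PAGE_ID_LABEL.test(storedPageId)) {
    return null; // unset or malformed: render no iframe, trust no messages
  }
  return `https://${storedPageId}.statuspage.io`;
}

function embedFrameUrl(storedPageId) {
  const origin = expectedOrigin(storedPageId);
  return origin === null ? null : `${origin}/embed/frame`;
}

// postMessage gate: exact match on event.origin, never prefix or substring.
function isTrustedFrameMessage(event, storedPageId) {
  const origin = expectedOrigin(storedPageId);
  return origin !== null && event.origin === origin;
}

// Constructed sample events (not captured traffic); action names are illustrative.
const sampleEvents = [
  { origin: 'https://acme.statuspage.io', data: { action: 'showFrame' } },
  { origin: 'https://acme.statuspage.io.example.net', data: { action: 'showFrame' } },
  { origin: 'http://acme.statuspage.io', data: { action: 'dismissFrame' } },
];
function acceptedActions(storedPageId) {
  return sampleEvents
    .filter((e) => isTrustedFrameMessage(e, storedPageId))
    .map((e) => e.data.action);
}
```

Because the page ID can only ever be a single label, the expected origin is fully determined by it, which is what makes the exact-match comparison in the listener possible.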

Requirements

  • Jahia 8.2.2.1 or later
  • Jahia modules: graphql-dxm-provider

Configuration

The Statuspage.io page ID is stored in the OSGi configuration PID org.jahia.community.statuspageio.

Default configuration file (META-INF/configurations/org.jahia.community.statuspageio.cfg):

pageId=

To override it at runtime, edit or create the file on the Jahia server:

<karaf-home>/etc/org.jahia.community.statuspageio.cfg

The change takes effect immediately without redeploying the module.

The page ID can also be updated through the GraphQL mutation (see GraphQL API) or through the Administration panel.

GraphQL API

The module extends the Jahia GraphQL API with a query and a mutation.

Query — retrieve the current configuration:

query {
  statuspageIo {
    pageId
  }
}

Mutation — update the page ID (requires admin permission):

mutation {
  updateStatuspageIoConfig(pageId: "newPageId")
}

Administration panel

A configuration panel is available in the Jahia administration under Configuration → Statuspage.io Configuration. It allows administrators to view and update the page ID through a form backed by the GraphQL mutation above.

License

MIT License

Copyright (c) 2026 - present Florent BOURASSÉ

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.