Chore: Enable New Block Editor by Default

[rjvelazco]

Turn of the New Block Editor by default

This PR fixes: #36254

[github-actions]

🤖 Bedrock Review — deepseek.v3.2

[🟡 Medium] dotCMS/src/main/resources/dotmarketing-config.properties:867 — Removed feature flag FEATURE_FLAG_NEW_BLOCK_EDITOR without a clear migration or fallback plan. This could break existing functionality if the flag was actively used to toggle between old and new editors, leaving no way to revert.

---

_{Run: #27964517364 · tokens: in: 544 · out: 74 · total: 618}

[claude]

Claude finished @wezell's task in 2m 11s —— View job

---

Rollback Safety Analysis

• Read rollback-unsafe categories reference
• Get full PR diff
• Analyze diff against unsafe categories
• Apply appropriate label → AI: Safe To Rollback

Result: ✅ Safe to Roll Back

The two changed files contain no rollback-unsafe operations:

dotmarketing-config.properties — replaces feature flag FEATURE_FLAG_NEW_BLOCK_EDITOR=false with FEATURE_FLAG_LOCALE_SELECTOR_V2=true (duplicate entry). Configuration-only change. No DB schema, ES mapping, data migration, or API contract is touched.

edit_contentlet.jsp — adds cache-busting query strings (?v=<buildNumber>) to static asset URLs using ReleaseInfo.getBuildNumber(). Pure UI/caching change. No data model or API contract impact.

Categories checked: C-1 through C-4, H-1 through H-8, M-1 through M-4 — none match.

Note: The diff also reveals a duplicate FEATURE_FLAG_LOCALE_SELECTOR_V2=true entry at lines 870–874 in dotmarketing-config.properties. This is a pre-existing issue that should be cleaned up in a follow-up.

[github-actions]

🤖 Bedrock Review — qwen.qwen3-next-80b-a3b

New Issues

• 🟠 High: dotCMS/src/main/webapp/html/portlet/ext/contentlet/edit_contentlet.jsp:82 — ReleaseInfo.getBuildNumber() returns a String that is directly concatenated into HTML attributes without escaping. If the build number contains unescaped characters (e.g., &, <, ", '), it can break HTML or enable XSS. Must use org.apache.commons.lang3.StringEscapeUtils.escapeHtml4() or equivalent.

Existing

• 🟡 Medium: dotCMS/src/main/webapp/html/portlet/ext/contentlet/edit_contentlet.jsp:76 — Logger is imported but not used; System.out or unlogged errors may be used elsewhere in this file (not changed by PR, but pre-existing).

Resolved

• ✅ dotCMS/src/main/webapp/html/portlet/ext/contentlet/edit_contentlet.jsp:79-82 — Legacy asset loading removed; replaced with versioned URLs (improves cache behavior, though XSS risk remains).

---

_{Run: #28187498032 · tokens: in: 1702 · out: 274 · total: 1976}

[wezell]

Looks perfect.

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request

[github-actions]

🤖 dotBot Review (Bedrock)

Reviewed 2 file(s); 3 candidate(s) → 3 confirmed, 0 uncertain (unverified, kept for review).

Confirmed findings

• 🟠 High dotCMS/src/main/resources/dotmarketing-config.properties:870 — Accidental removal of New Block Editor feature flag
  The grep search found no instances of FEATURE_FLAG_NEW_BLOCK_EDITOR in the config file, and the read_file output shows the line was removed while a duplicate FEATURE_FLAG_LOCALE_SELECTOR_V2=true was added. This configuration change would disable the New Block Editor feature by default (since undefined flags default to false), directly contradicting the PR's stated purpose of enabling it. The duplicate LOCALE_SELECTOR_V2 line suggests a copy-paste error during modification.
• 🟠 High dotCMS/src/main/webapp/html/portlet/ext/contentlet/edit_contentlet.jsp:82 — Unescaped build number in HTML attribute risks XSS
  The build number from ReleaseInfo.getBuildNumber() is directly output using <%= without HTML escaping in edit_contentlet.jsp line 82. This allows XSS if the build number contains special characters. The current PR does not modify this line, leaving the vulnerability present.
• 🟡 Medium dotCMS/src/main/resources/dotmarketing-config.properties:870 — Duplicate feature flag definition
  The configuration file contains consecutive duplicate entries for FEATURE_FLAG_LOCALE_SELECTOR_V2=true. While configuration loaders typically use last-write-wins semantics, this creates maintenance risk if values need to diverge and indicates a possible copy-paste error in configuration management.

---

_{us.deepseek.r1-v1:0 · Run: #28272114940 · tokens: in: 11552 · out: 3490 · total: 15042 · calls: 7 · est. ~$0.034}

[github-actions]

🟠 [High] Accidental removal of New Block Editor feature flag

The grep search found no instances of FEATURE_FLAG_NEW_BLOCK_EDITOR in the config file, and the read_file output shows the line was removed while a duplicate FEATURE_FLAG_LOCALE_SELECTOR_V2=true was added. This configuration change would disable the New Block Editor feature by default (since undefined flags default to false), directly contradicting the PR's stated purpose of enabling it. The duplicate LOCALE_SELECTOR_V2 line suggests a copy-paste error during modification.

[github-actions]

🟠 [High] Unescaped build number in HTML attribute risks XSS

The build number from ReleaseInfo.getBuildNumber() is directly output using <%= without HTML escaping in edit_contentlet.jsp line 82. This allows XSS if the build number contains special characters. The current PR does not modify this line, leaving the vulnerability present.