Serendipity 2.0-rc2 released

A possible XSS attack vector was found and reported by Steffen Rösemann (many thanks!): blog comments displayed on the admin start page were not properly escaped. Release 2.0-rc2 addresses this issue. We are glad to be able to fix it on our road to the 2.0 final release.

The patch is quite easy, so if you do not want to upload the whole release package, you can manually apply this patch to templates/2k11/admin/overview.inc.tpl.

Another issue that Steffen raises in his advisory is that, by default, editors are allowed to post HTML in blog entries. This is a deliberate default: we trust the blog's actual editors. If that is not the case in your installation, you should install the serendipity_event_xsstrust plugin, which specifically lets you block HTML code in entries written by blog editors.

The new release can be found as usual on our download page.
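The class of bug fixed in rc2, and the editor-HTML default discussed above, as an added PHP example (not Serendipity's own code, and not the xsstrust plugin's implementation): a comment body inserted into the admin overview without escaping becomes live markup, while the escaped variant renders it as inert text. The sample comments, the `renderComments*` and `renderEntryBody` functions and the per-role flag are all constructed for this illustration.

```php
<?php
// Added example, not code from Serendipity or from the advisory.
// Constructed sample: two comments as they might sit in the database. The
// second one carries a harmless marker tag so the two renderings can be compared.
$comments = [
    ['author' => 'Alice',   'body' => 'Nice post, thanks!'],
    ['author' => 'Mallory', 'body' => '<script>alert(1)</script>'],
];

// Vulnerable shape: the comment body lands in the admin page as raw HTML.
function renderCommentsUnsafe(array $comments)
{
    $html = "<ul>\n";
    foreach ($comments as $c) {
        $html .= "  <li>{$c['author']}: {$c['body']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened shape: every untrusted field goes through one escaping helper.
function e($s)
{
    // ENT_QUOTES escapes both quote styles so the value is also safe inside
    // attributes; ENT_SUBSTITUTE (PHP 5.4+) replaces invalid byte sequences
    // instead of returning an empty string; the charset is stated explicitly.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCommentsSafe(array $comments)
{
    $html = "<ul>\n";
    foreach ($comments as $c) {
        $html .= '  <li>' . e($c['author']) . ': ' . e($c['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Entry bodies: the release notes say editors may post HTML by default.
// Hypothetical per-role policy for illustration only: authors that the site
// trusts with HTML keep their markup, everyone else is escaped.
function renderEntryBody($body, $authorTrustedWithHtml)
{
    return $authorTrustedWithHtml ? $body : e($body);
}

echo renderCommentsUnsafe($comments); // the <script> tag is real markup here
echo renderCommentsSafe($comments);   // shown as text: &lt;script&gt;alert(1)&lt;/script&gt;
echo renderEntryBody('<b>Bold</b> entry', true);  // trusted editor: HTML kept
echo renderEntryBody('<b>Bold</b> entry', false); // untrusted author: HTML escaped
```

The point of funnelling everything through one helper such as `e()` is that a template author cannot forget the flags or the charset on an individual field; the admin overview template is exactly the kind of place where one unescaped variable goes unnoticed because only administrators see the page.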

Serendipity 2.0-rc1 release

The Serendipity Team is proud to enter the final stretch of releasing Serendipity 2.0. As outlined in this blog posting about the 2.0 changes, we have put a lot of effort into this version: we created a whole new backend template and made sure the whole Serendipity backend is now powered by customizable Smarty templates. We have also improved a lot of the JavaScript framework as well as the database layers.

Since the last official beta3 release we have worked on:

  • Fixed a recently discovered issue for blogs running charsets other than UTF-8. In conjunction with PHP 5.4+, passing a string that contains special characters through htmlentities/htmlspecialchars/html_entity_decode can cut the string off entirely. We have patched all plugins to deal with this and have decided not to backport the fix to Serendipity 1.7.x, so if you are affected by this issue, upgrading to Serendipity 2.0 is the preferred way of dealing with it.

  • Added an SQLite 3 database layer for PHP 5.4+.

  • Implemented the ability for users to pick which kind of CKEditor toolbar they want to use, plus the ability to customize the whole toolbar through an external JS file.

  • Fixes for the media library with ImageMagick and file-rename operations.

  • Improvements to installer checks.
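The charset cutoff described in the first item above, as an added PHP example (not Serendipity's own code): from PHP 5.4 the default charset of htmlspecialchars/htmlentities is UTF-8 instead of ISO-8859-1, so a string stored in a Latin-1 blog that contains an umlaut (a byte which is not valid UTF-8) comes back as an empty string. The sample string and the `escapeForBlog` helper are constructed for this illustration; the source file is assumed to be saved as UTF-8.

```php
<?php
// Added example, not Serendipity code.
// Constructed sample: the word "Grüße" as a blog running ISO-8859-1 stores it
// (0xFC = ü, 0xDF = ß in Latin-1; neither byte is valid on its own in UTF-8).
$latin1 = "Gr\xFC\xDFe";

// 1. Relying on the default charset. On PHP 5.4 through 8.0 that default is
//    UTF-8 and invalid sequences make the call return '' (the "cutoff").
//    PHP 8.1 added ENT_SUBSTITUTE to the default flags, so there the bytes are
//    replaced by U+FFFD instead of the whole string being dropped.
$lost = htmlspecialchars($latin1, ENT_QUOTES);
var_dump($lost === ''); // bool(true) on PHP 5.4 - 8.0

// 2. Passing the blog's real charset: the string survives, still in ISO-8859-1.
//    It contains no HTML-special characters, so it is returned unchanged.
$kept = htmlspecialchars($latin1, ENT_QUOTES, 'ISO-8859-1');
var_dump($kept === $latin1); // bool(true)

// 3. Converting to UTF-8 first and escaping as UTF-8.
$utf8    = mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1');
$escaped = htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8');
var_dump($escaped === 'Grüße'); // bool(true)

// Helper that makes the charset part of every call, so it can never fall back
// to a default that differs from what the database actually holds.
function escapeForBlog($s, $blogCharset)
{
    // ENT_SUBSTITUTE (PHP 5.4+) turns an invalid sequence into U+FFFD rather
    // than throwing the whole string away, which is the safer failure mode:
    // a mangled character is visible, an empty comment or title is not.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $blogCharset);
}

var_dump(escapeForBlog($latin1, 'ISO-8859-1') === $latin1); // bool(true)
var_dump(escapeForBlog($utf8, 'UTF-8') === 'Grüße');         // bool(true)
```

The same default-charset change applies to html_entity_decode, which is why the release notes list all three functions; a plugin that calls any of them without a charset argument behaves differently on PHP 5.3 and PHP 5.4 even though its code did not change.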

For the full list of changes please see the docs/NEWS file of the release.

Download Serendipity 2.0-rc1 here

We feel confident that this will be the first and last release candidate before the Serendipity 2.0 final is released, so this is a really good time to test this version. Remember to back up your files and database if you upgrade an existing installation. Have fun, and please give us feedback on the GitHub issue tracker, in our forums or here in the blog.