Serendipity on Scaleway

Our core developer onli has created a Serendipity bundle for Scaleway's "Baremetal SSD cloud server" service, which allows easy deployment of Serendipity on those servers.

A (German) write-up of this can be found in his blog article. Have fun using/testing this!

Serendipity 2.0.1 released

Serendipity 2.0.1 has just been released. This is the first maintenance release; it fixes a couple of minor issues and one security-related issue, where improper escaping of category names could lead to a possible XSS attack. This can only be performed by authenticated editors, so we consider it medium-impact. If you run a multi-user blog with untrusted authors, you are urged to upgrade to the new release. Many thanks to Edric Teo for reporting this issue to us, which could then be fixed within the same day.

Some other notable bug fixes are:

  • Report errors if the inclusion of JavaScript files throws PHP errors, to help diagnose an installation
  • Support for user.css backend CSS additions, without needing to edit the 2k11 backend theme.
  • Some JavaScript fixes for the backend, better theme fallback methods.

As usual, the complete list of changes can be seen in our docs/NEWS file. Upgrading is as simple as always: download the release, unpack, upload, say hi to our upgrader, done.

Serendipity Camp 2015 and the near future of Serendipity

This weekend marked the first time a couple of developers and users finally shared a room and their faces with each other. We hope this was only the first time, and that it will be repeated at least annually.

Our goal for this weekend was to connect names to faces, get to know each other and discuss the past and future of Serendipity, seen from both the users' and the developers' viewpoints.

Luckily, the kind people of the Linuxhotel in Essen (Germany) have a great offer for OpenSource projects like us: comfortable rooms, food, wifi and a special ambience for a price that is hard to beat. Thanks so much for having us!

Also, the city of Essen was a good middle ground for most of our people to meet up (pictured from left to right):



Serendipity 2.0 released

After a long time of work, the Serendipity team is very proud to announce the final version of Serendipity 2.0.

This blog posting reiterates the initial 2.0-beta release announcement. On top of those things, the changes since the last release candidate contain minor bug fixes for CSS issues, filtering entries in the backend, further PHP 5.6 compatibility improvements and a few other things that are noted in the NEWS file of the release.

Our main goal for Serendipity 2.0 was to clean up our backend structure, both in terms of coding and especially in terms of design and usability. We firmly believe we are now at a point where we can show off our hard work, and feel Serendipity 2.0 can now be properly used.

The new Backend

The most striking difference in the new Serendipity version will be the look of our new backend, patterned to match the 2k11 theme that you might already know from the frontend. We have replaced our old default backend theme with the new one. It looks fresh and is responsive, while remaining easy to use and offering flexible customization.

In the technical structure of the backend, we have ported all output from internal PHP code to Smarty template files, so everything you see is now much better separated from the underlying PHP code. Even though this enables our users to create their own complete backend themes, we will NOT provide easy upgrading of the backend for customized themes. Every developer who adapts the backend has the responsibility to adapt their theme to newer Serendipity versions. The reason for this is that we need to stay flexible with our backend and be able to add new features without worrying about compatibility with custom backend themes. However, we will try to modify backend template files with care, and always think about compatibility, an integral part of Serendipity.

Have a look at a few screenshots covering the new design:

[Screenshots of the new backend, one per section: Plugins, Comments, Dashboard, Entry-Editor, Media-DB, Themes]

Also there's a video tour available showcasing the backend, made by YellowLed:


Here's a small feature list of the new backend:

  • Responsive theme, usable for desktop, tablet and mobile devices

  • Uses off-canvas navigation for small screens

  • A new frontpage (aka "Dashboard") shows you the most notable things on your blog

  • A redone navigation tries to structure the backend tasks in a better way

  • "Themes" is now the definitive word, where we previously used "Template", "Style" or "Theme". We're committed to stick with this now. ;-)

  • The bundled WYSIWYG editor has been changed to CKEditor, offering a more modern and flexible approach to easily editing your blog entries. The TinyMCE plugin only works with TinyMCE 2.x, since recent TinyMCE versions have changed too much of their API to adapt to. If there is a developer who would like to add support for TinyMCE 3.x+, we'd be happy to help. The FCKEditor plugin has been superseded by CKEditor. So the currently available alternative to CKEditor is serendipity_event_xinha, which basically provides the old editor. However, we strongly suggest using the bundled CKEditor, or its sibling serendipity_event_ckeditor, which provides the best integration. Since the WYSIWYG implementation has been reworked, please report any issues you might find with it.

  • The current Theme options now have their own configuration page. Also frontend and backend themes can now be chosen independently.

  • The entry editor now keeps a safety backup of your blog postings while writing them. If the browser crashes or you accidentally close the browser window, the next time you create a new entry, the saved content will be shown there.

  • A new option, "simple filters", makes the filtering options for the media database or entry manager appear more focused. You can still access the "power-user" filtering options if this option is disabled. Simple filters are now enabled by default.

  • A conservative but thorough rework of the Media Library, with bigger thumbnails by default, nicer filters, fast type selection (Image/Video/Others), and use of an overlay for displaying the media item

  • Uses Modernizr for HTML5/CSS3 compatibility and feature detection.

  • Uses jQuery libraries: AccessibleTabs, MagnificPopup, Sortable, Cookie, Autoscroll, syncHeight

Core changes

In the PHP core, we restructured code and removed some older cruft. We introduced the ability to use Composer for packaging our external libraries; however, those are still bundled within our repository, so users who check out Serendipity do not need to care about installing or using Composer themselves.

We also added the option to use the Zend::DB database framework. We still provide our own, simple database API, available for PostgreSQL (PDO & native), MySQL, MySQLi and SQLite (PDO & native). The new Zend::DB framework can currently only be enabled by developers, but we will work on improving this layer so that it can be chosen during installation. If it works, this will then enable you to use any other database engine that is supported by Zend::DB.

Plugin developers should take note of a few things. If you have created custom plugins, you might need to take care of these changes. All available plugins in the Serendipity Spartacus repository have already been touched up to work with Serendipity 2.0. The changes are:

  • JavaScript functions offered by the backend have been renamed:

    • SetCookie() to Serendipity.SetCookie()

    • spawn() to Serendipity.spawn()

    • The addLoadEvent() function is unchanged, for backwards compatibility (BC)

    • All functions of serendipity_editor.js have been put into the "Serendipity" scope, so use Serendipity.getSelection() now instead of getSelection()

  • The static serendipity_editor.js file has been removed and is now part of the backend theme itself, and can be parsed by Smarty (templates/2k11/admin/serendipity_editor.js.tpl, with templates/default/admin/serendipity_editor.js as a fallback for other backends). It is automatically included in the backend.

  • The bundled and integrated jQuery no longer uses the noConflict mode in the backend.

  • The $serendipity["eyecandy"] option for advanced JavaScript usage has been removed. JavaScript is now used everywhere, but we always provide a fallback: the backend should still work (with reduced functionality, of course) without JavaScript enabled. But come on, it's 2014.

  • A new API function serendipity_smarty_show() is available to parse and return a template file more easily

  • Internal Serendipity functions that previously echoed output now consistently return the content.

  • The internal plugins that were stored in include/plugins_internal.inc.php now properly reside as individual plugin directories in the plugins/ directory tree. This makes it possible to maintain core plugins through Spartacus as well, so that updates to those plugins can be pushed without waiting for new Serendipity releases. An upgrader task makes sure that the renamed plugins in your installation are migrated to the new names.

  • A new plugin API event hook "js" has been introduced. Similar to the "css" hook, it gives plugins an easy way to inject their JavaScript into a central file.

  • Internal JavaScript has been adapted to make use of jQuery's ease of use and create leaner and more readable code.

  • The entryproperties plugin will now purge its cache when it is uninstalled.

  • A new section called Maintenance now bundles administrative tasks like import and export on its own dashboard. This new section also enables admins to purge compiled template files.

Compatibility Changes / Theme developer information

Support for themes using "layout.php" has finally been removed. Themes have not used this for ages, since Smarty was added to Serendipity. Previously the file added its own "workflow" to the frontend display of entries, but that can now be solved much more easily through Smarty and a theme's config.inc.php.

All new backend admin Smarty files can currently be found in templates/2k11/admin/. The alternate XML/XSLT and PHP templates (templates/default-xml, templates/default-php) are still proof-of-concept. Those themes use a "template.inc.php" file to allow substituting the Smarty template API with a custom one. An example of that can be found in include/template_api.inc.php. However, this API is so rarely used that we have not yet properly tested it with Serendipity 2.0 and our Smarty 3 framework. Theoretically it still works, so if you actually use it, please tell us if you find issues with it.

A couple of new language constants have been added. If you are a translator, please check the lang/serendipity_lang_XX.inc.php file of your own language (also the file in the UTF-8 subdirectory) and contribute translations. Also be aware that we plan to soon rephrase some of the language constants currently used in 1.7; these will be put at the bottom of the language file for translators to check whether they still match properly.

Metatron

Accompanying Serendipity 2.0 is our new tool Metatron which can perform a number of administrative tasks on the command line. Still in its early stages, Metatron can be helpful for administrators and Serendipity developers. It currently prints out a lot of information about a Serendipity installation, flushes the file cache, and can be used to moderate comments. More features are planned according to user feedback. Metatron is based on the Symfony2 Console component.

Upgrading

Upgrading to Serendipity 2.0 from older versions works the same as any other upgrade. Before you upgrade, make sure to update all plugins you use, so that they work fine with Serendipity 2.0. If you do hit problems, have suggestions or get errors, please report them on the Serendipity Forums (http://board.s9y.org). If you are running your blog from a GitHub "master" checkout, note that this branch now represents our development branch for a future 2.1 version; the branch "2.0" (which previously existed for development) will be maintained for future 2.0.x patch versions. Check out this board posting about the commit policy for details.

Serendipity 2.0 requires at least PHP 5.3.


Many, many thanks to the team (in no specific order): onli, YellowLed, mattsches, Ian, and many users on the forums giving feedback and their testing.

Serendipity at SecurifyLabs

A few weeks ago, we were contacted by the team at SecurifyLabs to evaluate the option of adding Serendipity to their portfolio of supported projects.

SecurifyLabs is a security company that addresses the need of administrators to minimize the risk of security issues in OpenSource applications. By paying for their service, they will assess and help secure the server that hosts your Serendipity installation, perform deep analysis of Serendipity's source code, and communicate directly with us in case they find code issues.

This benefits users who want to make sure that the software they deploy is "safe" as well as the Serendipity project, who can build a safer codebase.

Many OpenSource applications today cannot afford the costs of deep security analysis, and rely only on coding standards, user feedback and the expertise of their developers. SecurifyLabs tries to shift those costs away from the project itself, onto the customers who actually rely on the software being safe.

This is why we fully appreciate such an "on-demand" service. If you use Serendipity inside a commercial project, or are planning to, check out the details on SecurifyLabs. Funding can be checked on their funding page.

Serendipity 2.0-rc2 released

A possible XSS attack vector was found and reported by Steffen Rösemann (many thanks!): blog comments displayed on the admin start page were not properly escaped. Release 2.0-rc2 addresses this issue. We are thankful to be able to fix it on our road to the 2.0 final release.

The patch is quite small, so if you do not want to upload the whole release package, you can manually apply it to templates/2k11/admin/overview.inc.tpl.
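Both backend escaping issues mentioned on this page (category names in 2.0.1, and comment bodies on the admin overview in 2.0-rc2) are the same class of bug: an editor-supplied string is written into HTML without escaping. The following is an added example, not Serendipity's own code or the actual patch, showing the vulnerable pattern beside a hardened version in plain PHP; the function names, the record layouts and the sample records are constructed for illustration. In the Smarty-based 2k11 admin templates the equivalent fix is to apply Smarty's `|escape` modifier to the variable at the point of output.

```php
<?php
// Added example (not Serendipity code): escape editor-supplied strings at the
// point where they are emitted into backend HTML. All sample data is constructed.

declare(strict_types=1);

/** Escape a string for insertion into HTML text or a quoted attribute. */
function escape_html(string $untrusted): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // single- or double-quoted attributes as well as in element text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of silently
    // returning an empty string, which would otherwise blank out the field.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable rendering: the category name is interpolated verbatim. */
function render_category_vulnerable(array $category): string
{
    return '<option value="' . $category['id'] . '">' . $category['name'] . '</option>';
}

/** Hardened rendering: every untrusted value passes through escape_html() once. */
function render_category(array $category): string
{
    return '<option value="' . escape_html((string) $category['id']) . '">'
         . escape_html($category['name']) . '</option>';
}

/**
 * Hardened comment preview for an admin overview page. The body is truncated
 * BEFORE escaping; truncating afterwards could cut an entity like "&lt;" in half.
 */
function render_comment_preview(array $comment, int $maxLen = 80): string
{
    $body = mb_substr($comment['body'], 0, $maxLen, 'UTF-8');
    return '<li><strong>' . escape_html($comment['author']) . '</strong>: '
         . escape_html($body) . '</li>';
}

/** Regression check: rendered markup must not contain the raw input payload. */
function contains_raw_markup(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed records standing in for data an authenticated editor could create.
$category = ['id' => 7, 'name' => 'News <script>alert(1)</script>'];
$comment  = ['author' => 'visitor "x"', 'body' => '<img src=x onerror=alert(1)> hello'];

$vuln = render_category_vulnerable($category);
$safe = render_category($category);

echo $vuln, PHP_EOL;                       // payload survives verbatim
echo $safe, PHP_EOL;                       // payload rendered as inert text
echo render_comment_preview($comment), PHP_EOL;

var_dump(contains_raw_markup($vuln, '<script>'));   // vulnerable output keeps the tag
var_dump(contains_raw_markup($safe, '<script>'));   // hardened output does not
```

Escape exactly once, at output time and in the output's context: htmlspecialchars() double-encodes by default, so escaping on input and again in the template turns `&` into `&amp;amp;` in the rendered page, which is the usual reason developers remove escaping "to fix the display" and reintroduce the bug. Keeping stored data raw and escaping in the template (or in a small helper like the one above) is the pattern that is easy to audit.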

Another issue that Steffen addresses in his advisory is that, by default, editors are allowed to post HTML in blog entries. This is a deliberate default choice on our part, trusting the actual blog editors. If that is not the case in your installation, you should install the serendipity_event_xsstrust plugin, which specifically allows you to block HTML code in entries made by blog editors.

The new release can be found as usual on our download page.