MoveableType importer

The MoveableType importer has been enhanced to also support importing comments and trackbacks, and takes a generally more flexible approach to parsing, which I have verified working with MoveableType 3.17. Support for that was committed to the 0.9 trunk today. You can also use it with Serendipity 0.8.x by downloading the importer file and storing it in your include/admin/importers/ directory, overwriting the old importer.

A question: Is there a need to import directly from the MT MySQL database? This would also make it possible to import authors and categories, and would generally be easier to handle than the current mt.dat file import. On the other hand, the current importer does the job, and maybe the MT MySQL storage method isn't that common?

New security/bugfix release: Serendipity 0.8.3 is out

There's good and bad news.

The bad news:

  • A possible Cross-Site Scripting (XSS) injection has been reported by Ilia Alshanetsky (thank you!) that allows commenting users to inject special markup into your entry.
  • Another bug has been found in the handling of received comments. It was possible to submit comments for non-existing entries; this caused notification mails to be sent to the owner of the blog and allowed headers to be injected into that e-mail. Ultimately this could lead to your server being used to send specially crafted e-mails.
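As an added example (not code from the Serendipity project), the checks a comment handler needs before it renders a comment or notifies the blog owner by e-mail, covering both reported issues: refuse comments for entries that do not exist, reject CR/LF in any field that ends up in a mail header, and escape the comment body before output. The function names, the `$knownEntries` array standing in for a database lookup, and the sample comment are all constructed for this illustration.

```php
<?php
// Added example, not Serendipity's own code. Function names are hypothetical;
// $knownEntries stands in for a lookup against the entries table.

function hasHeaderInjection(string $value): bool
{
    // A CR or LF inside a header field terminates that header and lets the
    // poster append further headers of their own choosing.
    return preg_match('/[\r\n]/', $value) === 1;
}

function sanitizeHeaderField(string $value): string
{
    // Collapse CR/LF to spaces so the value can only ever occupy one header line.
    return trim(str_replace(["\r", "\n"], ' ', $value));
}

function validateComment(array $comment, array $knownEntries): array
{
    $errors = [];

    // 1. Refuse comments for entries that do not exist. Without this check a
    //    notification mail is sent for a phantom entry, and the poster's fields
    //    reach the mail headers.
    $entryId = isset($comment['entry_id']) ? (int) $comment['entry_id'] : 0;
    if (!in_array($entryId, $knownEntries, true)) {
        $errors[] = 'unknown entry';
    }

    // 2. Every field that is copied into a mail header must be a single line.
    foreach (['name', 'email', 'url'] as $field) {
        if (hasHeaderInjection($comment[$field] ?? '')) {
            $errors[] = "header injection in $field";
        }
    }

    // 3. The sender address must be a syntactically valid address.
    $email = $comment['email'] ?? '';
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }

    return $errors;
}

function renderCommentBody(string $body): string
{
    // Escape everything on output; the display layer decides which markup,
    // if any, it re-enables afterwards.
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a comment for an entry that does not exist, with a
// line break smuggled into the name field and markup in the body.
$knownEntries = [1, 2, 3];
$comment = [
    'entry_id' => 99,
    'name'     => "Eve\r\nX-Extra: injected",
    'email'    => 'eve@example.com',
    'url'      => '',
    'body'     => '<script>alert(1)</script>',
];

$errors = validateComment($comment, $knownEntries);
if ($errors !== []) {
    echo "Comment rejected: " . implode(', ', $errors) . "\n";
} else {
    // Only reached for an existing entry with clean header fields.
    $from = sanitizeHeaderField($comment['name']) . ' <' . sanitizeHeaderField($comment['email']) . '>';
    echo "Would notify owner, From: $from\n";
}
echo renderCommentBody($comment['body']) . "\n";
```

The sample comment is rejected twice over (unknown entry, header injection in name), and the body is rendered as inert text; a comment that passes validation still has its header fields run through sanitizeHeaderField as defence in depth.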

The good news:

  • Serendipity 0.8.3 has been released, which fixes these bugs.
  • The upgrade once again is very easy: Download the release, unpack the files to your webspace (overwriting old files, but keeping your personal plugins/templates/media files), open your blog administration and click on "Perform update". Always be sure to make a backup of your old files and database tables first, and make sure that the files and .htaccess are writable for your PHP/webserver user. If you have made manual changes to any of the bundled files, we suggest you connect to our CVS or SVN repositories and make a diff of your changes.
  • The XSS only allows a reduced set of malicious exploits. And as most of you authors probably check the comments your users post on your blog, you would easily spot a user posting "bad code".
  • The current generation of "advanced web scanners", which scan HTML pages for XSS vulnerabilities, no longer finds any XSS loopholes in the pages produced by Serendipity.

The even better news is that new features are introduced as well:

  • We used this opportunity of a new release to backport some more (minor) bugfixes of the upcoming 0.9 release and updated our bundled libraries.
  • Full Korean language support with translation of almost all plugins, thanks to Wesley Hwang-Chung.
  • New template hooks to allow plugins (serendipity_event_pagenugget) to output header/footer HTML nuggets.
  • New configuration directive to set the blog e-mail address used for sending comments.

We are very sorry for the inconvenience this may cause you. We are trying hard to deliver all of our users a blog application that is as secure and feature-rich as possible, but since we are all fallible humans there are always errors that slip through, in every project, be it open source or commercial. We take it as a chance and opportunity to fix the bugs and issues reported to us and to improve Serendipity into the most stable blogging system available. This year has brought many XSS vulnerabilities and has raised overall attention to code quality, which we feel is a good thing for every project.

Please also note that we are working hard on the current 0.9 version of Serendipity. This introduces flexible and granular privilege control, custom permalinks, per-category templating, UTF-8 languages and much, much more. Read our ChangeLog for more information and check out the nightly snapshot in our download area. Feedback, as always, is appreciated.

In the end, have fun with Serendipity! :-)

Download link: Serendipity 0.8.3

On behalf of the Serendipity Team,

Show tabbed categories?

A user on the forums asked how to build a tabbed category list. Following the principle of "there's more than one way to do it", I answered with a few different approaches to solving that within Serendipity.

Let me say that it can be achieved easily with little effort, thanks to the Smarty templating and the plugin API. You can even display a tabbed output of staticpages (see another forum post), since they assign $staticpage_XXX variables to the Smarty scope, which you can check in your index.tpl template. Likewise, a function to fetch a list of staticpages (like the sidebar plugin for the staticpages does) could be integrated so that no static HTML clutters your templates. :)

Now, for the final question: Who is willing to contribute a tab-based category template, now that everything can be done in a template without modifying any core code or even requiring a plugin? :-)

QuickBlog - Photoblogging made easier

Users living on the bleeding edge now have one more feature to choose from. The snapshot from today's 0.9 SVN will contain new event hooks for the media upload facility.

The Imageselector Plus ("Extended options for media manager") plugin can now access those hooks to display a form to immediately blog a new image.

You can select the image (or URL) to add, and then enter the title of your blog entry and some descriptive text, as well as the target size of the uploaded image. The image is then automatically posted to your blog entry without further actions.

But the best thing is yet to come: It supports embedding a "quickblog.tpl" Smarty file in which you fully control what additional information is displayed for your image. The plugin reads the EXIF data of your image so that you can display the focal length and other settings (copyright, photo date, ...). The plugin loads this quickblog.tpl file dynamically, so whenever you modify it, old entries are updated as well.

Currently the quickblog.tpl is more of a skeleton which you need to fill with the EXIF data you want shown. I will try to find reasonable defaults and then provide a better standard template file. Meanwhile, have fun with the plugin. :-)