Serendipity – The official Serendipity blog

Christian Boltz notified us and provided a patch to fix the spartacus plugin properly being able to retrieve remote files. This became necessary when SourceForge.net changed their underlying structure.

If you are using Spartacus, you have several possibilities to fix this issue for you:

1: Manually download the updated plugin file plugins/ serendipity_event_spartacus/ serendipity_event_spartacus.php from here: serendipity_event_spartacus.php for Serendipity 1.6 / Development, serendipity_event_spartacus.php for Serendipity 1.5.

2: You can also simply configure your spartacus plugin and enable the use of Netmirror.org, or you can enter a custom mirror: http://php-blog.cvs.sourceforge.net/viewvc/php-blog/|http://netmirror.org/mirror/serendipity/

3: You can also simply edit your serendipity_event_spartacus.php file and replace all 2 occurences of the string *checkout* with viewvc.

Thanks to Christian for notifying us!

Thanks to Stefan Schurtz, who reported a XSS issue in the serendipity_event_freetag plugin (SSCHADV2011-004). The issue was fixed in version 3.22 of the plugin, you can fetch the update through Spartacus or download via Spartacus.s9y.org.

The bug was introduced in version 3.20 of the plugin. Users of the plugin should upgrade, as it allows malicious users to trick people into visiting a specially crafted link on your blog to steal cookie login information for example, if you click on such a link.

Even though the Disqus.com comment integration is easily integratable inside a serendipity template already, the need for a specific plugin was raised on the forums.

serendipity_event_disqus is now available on Spartacus and provides exactly this - a plug and play component to enable disqus comments on your blog, and it even allows you to only use this system for more recent blog entries, so that your old comments can be preserved.

Currently the plugin hides the Serendipity-internal comments and trackbacks through CSS. The plugin provides instructions on how to modify that, if you have a custom template.

Have fun using the plugin, and if you have issues or recommendations for it, feel free to discuss this on the Serendipity forums. :-)

The podcast plugin has recently been improved to offer a much more flexible configuration with custom player and HTML5 audio/video support. The flowplayer has been added as a new, more flexible flash-video player replacement.

You can now specify custom feed options, and the RSS podcast format should now be iTunes compatible., as well as the Flowplayer replacement for Flash-Videos. Also, custom feed options that you can add to the RSS-Feed (rss.php?podcast_format=XXX) allow you to filter the enclosures only to specific file extensions.

The update should be compatible to older versions so that you can simply use the new features. If you customized any of the player files, you can now do that much easier through the configuration; be sure to backup any files you might have changed before upgrading.

Please report any issues you might have with this updates on the forums!

It has come to our attention that the Cronjob-Plugin (serendipity_event_cronjob) has a bug that prevents it from properly detecting the next scheduled update time. This bug has been fixed in version 0.6, which should now be available through Spartacus and usual means.

If you use this plugin, this is a required update to ensure it's proper function. Thanks to Matthias2 from the forums for reporting this to us.

The Internet Explorer 9 has been released a few days ago. It's a great improvement over old versions, despite of one mayor breakage.

Usually, a web-browser requests a CSS URL with a variety of HTTP-headers. The "Accept" HTTP-Header instructs the remote server, which valid content-types it can handle. In the past, most web-browsers sent a "Accept: text/css; */*" header, which means they prefer "text/css", but would also interpret any other file types as CSS.

Now, the IE9 does no longer send */* as an accepted content-Type, thus it will now ONLY render stylesheets if they have the Content-Type "text/css". If that does not happen, IE9 complains with a "HTTP 406" error and refuses to parse/render the stylesheet.

That does not sound so bad yet, but many web-applications (including Serendipity) provide dynamic CSS stylesheets that hide behind a PHP file. Serendipity compiles this PHP through a file called "serendipity.css.php". If URL rewriting is enabled, to mask that PHP file, a RewriteRule is added that will accept "serendipity.css" and send it to the main serendipity index.php file, which in turn will include serendipity.css.php and deliver the appropriate output.

Now certain Apache setups use a module mod_negotiation that will detect "Hey- there's a file serendipity.css.php, but the browser requested serendipity.css. He surely must be mistaken, I better serve up this serendipity.css.php file instead". Sadly, it does so, BEFORE executung mod_rewrite that would "fix" this behaviour.

Finally - mod_negotiate would basically properly execute the PHP file and return valid CSS. But it does that by returning a Content-Type that matches the original negotiated request, which is "application/x-httpd-php". IE9 will receive this, and refuse to render the proper CSS, because it does not accept */*.

IMHO this is a very bad mixture of several components acting weird altogether. But the easiest place to fix this is inside IE9, to restore the "Accept" behaviour of all other major browsers, so that mod_negotiated sites will not break.

I have posted on a IE9 Team blog since it seems, Microsoft does not accept bug reports anywhere. If anybody knows of a proper place to get a hold of their team, please let us know.

FINALLY - WHAT YOU CAN DO IF THIS AFFECTS YOUR SERENDIPITY BLOG:

Edit your .htaccess file, and add the directive Options -Multiviews at the top of the file. As long as your server has the AllowOveride ability enabled for you (that's mostly the case, as soon as you are allowed to use mod_rewrite) you can remove the negotiation feature of Apache.

This change in the default .htaccess will also be part of upcoming Serendipity versions.

Clarification: This is not only IE9's fault, but rather a bad combination of multiple factors: One being that s9y has a .php file called the same way like a rewritten URL. One being that mod_negotiate does not pass a request through to mod_rewrite and fatally catches it before other means are not used up. And the last being that IE9 does not accept a fallback contenttype for CSS.

The reason why I think this should be considered a IE9 bug, is because the restrictive parsing stats against current plans to make the web as accessible as possible. XHTML actually failed in its restrictive, XML-based parsing (google mime-type application/x-html+xml) was stomped down in favor of a lax HTML5 parsing. Users should never be locked out of content, and that's why I think a fallback */* should not hurt. This allows for applications to overcome mod_negotiate and allows the browser to evaluate the final Content-Type, and not an intermediate negotiated one.