Serendipity 2.0.1 has just been released. This is the first maintenance release; it fixes a couple of minor issues and one security-related issue where improper escaping of category names could lead to a possible XSS attack. This can only be performed by authenticated editors, so we consider it medium-impact. If you run a multi-user blog with untrusted authors, you are urged to upgrade to the new release. Many thanks to Edric Teo for reporting this issue to us, which could then be fixed within the same day.
Some other notable bug fixes are:
- Support for user.css backend CSS additions, without needing to edit the 2k11 backend theme.
This weekend marked the first time a couple of developers and users finally shared a room and showed their faces to each other. We hope this was only the first time, and that it will be repeated at least annually.
Our goal for this weekend was to connect names to faces, get to know each other and discuss the past and future of Serendipity, seen from both viewpoints: users and developers.
Luckily, the kind people of the Linuxhotel in Essen (Germany) have a great offer for OpenSource projects like us: comfortable rooms, food, wifi and a special ambience for a price that is hard to beat. Thanks so much for having us!
Also, the city of Essen was a good middle ground for most of our people to meet up (from left to right):
- @supergarv (Developer)
- @ddeimeke (User and Supporter)
- BEA (User)
- @yellowled (Developer)
- @mattsches (Developer)
- @onliandone (Developer)
- @DerMario (User and Supporter)
- @Szlauszaf (User and Supporter/Developer)
Continue reading "Serendipity Camp 2015 and the near future of Serendipity"
After a long time of work, the Serendipity team is very proud to announce the final version of Serendipity 2.0.
This blog posting reiterates the initial 2.0-beta release announcement. On top of those things, the changes since the last release candidate contain minor bugfixes for CSS issues and for filtering entries in the backend, further PHP 5.6 compatibility improvements and a few other things that are noted in the NEWS file of the release.
Our main goal for Serendipity 2.0 was to clean up our backend structure, both in terms of coding and especially in terms of design and usability. We firmly believe we are now at a point where we want to show off our hard endeavours, and feel Serendipity 2.0 can now be properly used.
The new Backend
The most striking difference in the new Serendipity version will be the look of our new backend, patterned to match the 2k11 theme that you might already know from its frontend. We have replaced our old default backend theme with the new one. It looks fresh, is responsive, and is still both easy to use and flexible to customize.
In the technical structure of the backend, we have ported all output from internal PHP code to Smarty template files, so everything you see is now much better separated from the underlying PHP code. Even though this enables our users to create completely custom backend themes of their own, we will NOT provide easy upgrading of the backend for customized themes. Every developer who adapts the backend will be responsible for adapting their theme to newer Serendipity versions. The reason for that is that we need to stay flexible with our backend and be able to add new features without worrying about compatibility with custom backend themes. However, we will try to modify backend template files with care, and always think about compatibility, an integral part of Serendipity.
Have a look at a few screenshots covering the new design:
Also there's a video tour available showcasing the backend, made by YellowLed:
Here's a small feature list of the new backend:
- Responsive theme, usable for desktop, tablet and mobile devices
- Uses off-canvas navigation for small screens
- A new frontpage (aka "Dashboard") shows you the most notable things on your blog
- A redone navigation tries to structure the backend tasks in a better way
- "Themes" is now the definitive word, where we previously used "Template", "Style" or "Theme". We're committed to stick with this now. ;-)
- The bundled WYSIWYG editor has been changed to CKEditor, offering a more modern and flexible approach to easily edit your blog entries. The TinyMCE plugin only works with TinyMCE 2.x, since recent TinyMCE versions have changed too much of their API to adapt to. If there's a developer who would like to add support for TinyMCE 3.x+, we'd be happy to help. The FCKEditor plugin has been superseded by CKEditor. So the currently available alternative to CKEditor is serendipity_event_xinha, which provides basically the old editor; however, we really suggest using the bundled CKEditor, or its sibling serendipity_event_ckeditor, which provides the best integration. Since the WYSIWYG implementation has been reworked, please report any issues you might find with it.
- The current theme options now have their own configuration page. Also, frontend and backend themes can now be chosen independently.
- The entry editor now keeps a safety backup of your blog postings while writing them. If the browser crashes or you accidentally close the browser window, the next time you create a new entry, the saved content will be shown there.
- A new option "simple filters" allows you to make the filtering options for the media database or entry manager appear more focused. You can still access the "power-user" filtering options if this option is disabled. Simple filters are now enabled by default.
- A conservative but thorough rework of the Media Library, with bigger thumbnails by default, nicer filters, fast type selection (Image/Video/Others), and use of an overlay for displaying the media item
- Uses Modernizr for HTML5/CSS3 compatibility and feature detection.
In the PHP core, we restructured code and removed some older cruft. We introduced the ability to use Composer for packaging our external libraries; however, those are still bundled within our repository, so users who check out Serendipity do not need to care about installing or using Composer themselves.
We also added the option to use the Zend::DB database framework. We still provide our own simple database API, available for PostgreSQL (PDO and native), MySQL, MySQLi and SQLite (PDO and native). The new Zend::DB framework can currently only be enabled by developers, but we will work on improving this layer so that it can be chosen during installation. If it works, this will then enable you to use any other database engine supported by Zend::DB.
A few things should be noted for plugin developers to take note of. If you have created custom plugins, you might need to take care of these changes. All available plugins in the Serendipity Spartacus repository have already been touched up to work together with Serendipity 2.0. Changes are:
- SetCookie() is now Serendipity.SetCookie()
- spawn() is now Serendipity.spawn()
- The addLoadEvent() function is unchanged, for important backwards compatibility
- All functions of serendipity_editor.js have been put into the "Serendipity" scope, so use Serendipity.getSelection() now instead of getSelection()
- The static serendipity_editor.js file has been removed; it is now part of the backend theme itself and can be parsed by Smarty (templates/2k11/admin/serendipity_editor.js.tpl, with templates/default/admin/serendipity_editor.js as a fallback for other backends). It is automatically included in the backend.
- The bundled and integrated jQuery no longer uses noConflict mode in the backend.
- A new API function serendipity_smarty_show() is available to more easily parse and return a template file
- Internal Serendipity functions that previously echo'd output now consistently return the content.
The internal plugins that we stored in include/plugins_internal.inc.php now properly reside as individual plugin directories in the plugins/ directory tree. This allows us to possibly maintain core plugins through Spartacus as well, to push updates to those plugins without needing to wait for new Serendipity releases. An upgrader migration task makes sure that the renamed plugins on your installation are migrated to the new names.
The entryproperties plugin will now purge its cache when it is uninstalled.
A new section called Maintenance now bundles administrative tasks like import and export on its own dashboard. This new section also enables admins to purge compiled template files.
Compatibility Changes / Theme developer information
Support for themes using "layout.php" has finally been removed. Themes have not used this for ages, since Smarty was added to Serendipity. Previously the file added its own "workflow" to the frontend display of entries, but that can be solved much more easily through Smarty and a theme's config.inc.php now.
All new backend admin Smarty files can currently be found in templates/2k11/admin/. The alternate XML/XSLT and PHP templates (templates/default-xml, templates/default-php) are still proof-of-concept. Those themes use a "template.inc.php" file to allow substituting the Smarty template API with a custom one. An example of that can be found in include/template_api.inc.php; however, this API is so rarely used that we have not yet properly tested it with Serendipity 2.0 and our Smarty3 framework. Theoretically it still works, so anyone who actually uses it, please tell us if you find issues with it.
A couple of new language constants have been added. If you are a translator, please check the lang/serendipity_lang_XX.inc.php file of your own language (also the file in the UTF-8 subdirectory) and contribute translations. Also be aware that we plan to soon rephrase some of the language constants currently used in 1.7; those will be put at the bottom of the language file for translators to check whether they still match properly.
Accompanying Serendipity 2.0 is our new tool Metatron, which can perform a number of administrative tasks on the command line. Still in its early stages, Metatron can be helpful for administrators and Serendipity developers. It currently prints out a lot of information about a Serendipity installation, flushes the file cache, and can be used to moderate comments. More features are planned according to user feedback. Metatron is based on the Symfony2 Console component.
Upgrading to Serendipity 2.0 from older versions still works the same as any other upgrade. Before you upgrade, you should make sure to update all used plugins, so that they work fine with Serendipity 2.0. If you do hit problems, have suggestions or get errors, please report them on the Serendipity Forums (http://board.s9y.org). If you are running your blog from a GitHub "master" checkout, note that this branch now represents our development branch for a future 2.1 version; in addition, the branch "2.0" (which previously existed for development) will be maintained for future 2.0.x patch versions. Check out this board posting about commit policy for information.
Serendipity 2.0 requires at least PHP 5.3.
Many, many thanks to the team (in no specific order): onli, YellowLed, mattsches, Ian, and many users on the forums giving feedback and their testing.
A few weeks ago, we were contacted by the team at SecurifyLabs to evaluate the option of adding Serendipity to their portfolio of supported projects.
SecurifyLabs is a security company that addresses the need of administrators to minimize the risk of security issues in OpenSource applications. By paying for their service, they will assess and help secure the server that hosts your Serendipity installation, as well as perform deep analysis of Serendipity's source code and communicate directly with us in case they find code issues.
This benefits users who want to make sure that the software they deploy is "safe", as well as the Serendipity project, which can build a safer codebase.
Many OpenSource applications today cannot afford the costs of deep security analysis, and rely only on coding standards, user feedback and the expertise of their developers. SecurifyLabs tries to shift those costs away from the project itself, onto the customers who actually rely on the safe software.
This is why we fully appreciate such an "on-demand" service. If you use Serendipity inside a commercial project, or are planning to, check out the details on SecurifyLabs. Funding can be checked on their funding page.
A possible XSS attack vector was found and reported by Steffen Rösemann (many thanks!): blog comments displayed on the admin start page were not properly escaped. The 2.0-rc2 release addresses this issue. We are thankful to be able to fix this issue on our road to the 2.0 final release.
The patch is quite easy, so if you do not want to upload the whole release package, you can manually apply this patch to templates/2k11/admin/overview.inc.tpl.
Another issue that Steffen addresses in his advisory is that, by default, editors are allowed to post HTML in blog entries. This is a default choice we made, to trust the actual blog editors. If this is not the case in your installation, you should install the serendipity_event_xsstrust plugin, which specifically allows you to block HTML code in entries made by blog editors.
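As an added illustration (not Serendipity's own code, and not the actual patch to overview.inc.tpl), the following PHP shows the bug class behind this 2.0-rc2 fix for comment bodies on the admin overview and behind the 2.0.1 fix for category names: a value that an editor or commenter controls is written into backend HTML without escaping. The vulnerable rendering is shown beside the hardened form, plus a small regression check. The sample data, the `render_*` helpers, `h()` and `leaks_markup()` are all constructed for this example.

```php
<?php
// Added example, not Serendipity's own code. It demonstrates the bug class behind
// the 2.0-rc2 (comment bodies on the admin overview) and 2.0.1 (category names)
// fixes: values an editor or commenter controls written into backend HTML unescaped.
// Function and variable names are constructed for this example; written to run on
// the PHP 5.3 baseline the release requires.

// Constructed sample input, the kind of value an untrusted author could submit.
$category = array(
    'categoryid'    => 7,
    'category_name' => 'News<img src=x onerror=alert(1)>',
);
$comment = array(
    'id'     => 42,
    'author' => 'visitor" onmouseover="alert(2)',
    'body'   => '<script>alert(document.cookie)</script>thanks for the post',
);

// Vulnerable: values are concatenated into markup as-is, so a category name or
// comment body becomes live HTML in the browser of whoever opens the backend.
function render_category_unsafe(array $cat)
{
    return '<li><a href="?categoryid=' . $cat['categoryid'] . '">'
        . $cat['category_name'] . '</a></li>';
}

function render_comment_unsafe(array $c)
{
    return '<li title="' . $c['author'] . '">' . $c['body'] . '</li>';
}

// Hardened: every untrusted value is escaped at the point of output. ENT_QUOTES
// also neutralises quotes, which matters inside attribute values; UTF-8 matches
// Serendipity's charset. Numeric identifiers are cast rather than escaped.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function render_category_safe(array $cat)
{
    return '<li><a href="?categoryid=' . (int) $cat['categoryid'] . '">'
        . h($cat['category_name']) . '</a></li>';
}

function render_comment_safe(array $c)
{
    return '<li title="' . h($c['author']) . '">' . h($c['body']) . '</li>';
}

// A cheap regression check: a rendered row must not contain any untrusted field
// verbatim if that field carries tag or attribute-breaking characters.
function leaks_markup($rendered, array $untrusted)
{
    foreach ($untrusted as $value) {
        $value = (string) $value;
        if (preg_match('/[<>"\']/', $value) && strpos($rendered, $value) !== false) {
            return true;
        }
    }
    return false;
}

echo "unsafe category: ", render_category_unsafe($category), "\n";
echo "safe category:   ", render_category_safe($category), "\n";
echo "unsafe comment:  ", render_comment_unsafe($comment), "\n";
echo "safe comment:    ", render_comment_safe($comment), "\n";

// The unsafe renderers leak the raw markup, the hardened ones do not.
var_dump(leaks_markup(render_category_unsafe($category), $category));
var_dump(leaks_markup(render_category_safe($category), $category));
var_dump(leaks_markup(render_comment_unsafe($comment), $comment));
var_dump(leaks_markup(render_comment_safe($comment), $comment));
```

In a Smarty backend template the same rule applies through the escape modifier, i.e. `{$comment.body|escape}` (which defaults to HTML escaping) rather than a bare `{$comment.body}`; the point is that escaping happens at output time, in every place the value is printed, regardless of whether the author was trusted when the value was stored.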
The new release can be found as usual on our download page.