Serendipity at SecurifyLabs

A few weeks ago, we were contacted by the team at SecurifyLabs to evaluate the option of adding Serendipity to their portfolio of supported projects.

SecurifyLabs is a security company that addresses the need of administrators to minimize the risk of security issues in open-source applications. By paying for their service, they will assess and help secure the server that hosts your Serendipity installation, perform deep analysis of Serendipity's source code, and communicate directly with us in case they find code issues.

This benefits users who want to make sure that the software they deploy is "safe" as well as the Serendipity project, who can build a safer codebase.

Many open-source applications today cannot afford the costs of deep security analysis, and rely only on coding standards, user feedback and the expertise of their developers. SecurifyLabs tries to shift those costs away from the project itself, on to customers who actually rely on the software being safe.

This is why we fully appreciate such an "on-demand" service. If you use Serendipity inside a commercial project, or are planning to, check out the details on SecurifyLabs. Funding can be checked on their funding page.

Serendipity 2.0-rc2 released

A possible XSS attack vector was found and reported by Steffen Rösemann (many thanks!): blog comments displayed on the admin start page were not properly escaped. Release 2.0-rc2 addresses this issue. We are thankful to be able to fix it on our road to the 2.0 final release.

The patch is quite small, so if you do not want to upload the whole release package, you can manually apply this patch to templates/2k11/admin/overview.inc.tpl.

Another issue that Steffen addresses in his advisory is that by default editors are allowed to post HTML in blog entries. This is a deliberate default on our part, trusting the actual blog editors. If that trust does not hold in your installation, you should install the serendipity_event_xsstrust plugin, which specifically allows you to block HTML code in entries made by blog editors.

The new release can be found as usual on our download page.

Serendipity 2.0-rc1 release

The Serendipity Team is proud to get into the final run of releasing Serendipity 2.0. As outlined in this blog posting about the 2.0 changes, we have put a lot of effort into this version: we created a whole new backend template, and made sure the whole Serendipity backend is now powered by customizable Smarty templates. We have improved a lot of the JavaScript framework as well as the database layers.

Since the last official beta3 release we have worked on:

  • Fixed a recently discovered issue for blogs running charsets other than UTF-8. On PHP 5.4+ this can cut off any string containing special characters that is passed through htmlentities/htmlspecialchars/html_entity_decode. We have patched all plugins to deal with this, and have decided not to backport this fix to Serendipity 1.7.x - so if you are affected by this issue, upgrading to Serendipity 2.0 will be the preferred way of dealing with it.

  • Added an SQLite 3 database layer for PHP 5.4+ versions.

  • Implemented the ability for users to pick which kind of CKEditor toolbar they want to use, plus the ability to customize the whole toolbar through an external JS file.

  • Fixes for the media library with ImageMagick and File-Rename operations.

  • Improvements to installer checks.
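The charset item above describes a PHP 5.4 behaviour change; the following is an added illustration, not Serendipity's own code, of what breaks and how the patched pattern avoids it (the sample string and charset are constructed):

```php
<?php
// Added example, not Serendipity's own code. Since PHP 5.4, htmlspecialchars()
// and htmlentities() assume UTF-8 unless told otherwise, and return an empty
// string for input that is not valid UTF-8. A blog running ISO-8859-1 therefore
// silently loses every string containing a non-ASCII character, unless the
// blog's charset is passed explicitly (which is what the plugin fixes do).

// Constructed sample: "Grüße <b>" as ISO-8859-1 bytes (ü = 0xFC, ß = 0xDF).
$latin1 = "Gr\xFC\xDFe <b>";

// The pattern that breaks on PHP 5.4+: no charset argument, so UTF-8 is assumed
// and the invalid byte sequence makes the whole result empty.
function escape_naive($s)
{
    return htmlspecialchars($s, ENT_QUOTES);
}

// The fixed pattern: pass the blog's configured charset explicitly, so the
// bytes are interpreted correctly and only the markup characters are escaped.
function escape_with_charset($s, $charset)
{
    return htmlspecialchars($s, ENT_QUOTES, $charset);
}

// Fallback when the charset is unknown or the input may be mixed: ENT_SUBSTITUTE
// (PHP 5.4+) replaces invalid sequences with U+FFFD instead of dropping everything.
function escape_lossy_utf8($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$results = array(
    'naive (PHP >= 5.4)'     => escape_naive($latin1),
    'with ISO-8859-1'        => escape_with_charset($latin1, 'ISO-8859-1'),
    'UTF-8 + ENT_SUBSTITUTE' => escape_lossy_utf8($latin1),
);
foreach ($results as $label => $out) {
    // Print the hex so the cut-off (zero length) is visible regardless of terminal charset.
    printf("%-24s length %2d: %s\n", $label, strlen($out), bin2hex($out));
}
```

Run it on PHP 5.4 or newer to see the first variant come back with length 0 while the other two keep the text.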

For the full list of changes please see the docs/NEWS file of the release.

Download Serendipity 2.0-rc1 here

We feel confident that this will be the first and last release candidate before the Serendipity 2.0 final is released, so this is a really good time to test this version. Remember to back up your files and database if you upgrade an existing installation. Have fun, and please give us feedback on either the GitHub issue tracker, our forums or here in the blog.

Update for the XML-RPC Plugin

An issue has been reported for the CMS/blog systems Drupal and WordPress which allows for a Denial of Service (DoS) through invalid XML injected into the XML-RPC service.

Serendipity uncoupled the XML-RPC functionality into an external plugin a long time ago, so an update of the core Serendipity version is luckily not necessary. Only users who have installed serendipity_event_xmlrpc (through Spartacus, for example) are actually affected by this issue, since it uses the default PHP XML parsing facilities.

We have applied the same patch to the parsing routines to detect this invalid XML (see Drupal commit) in version 1.53 of the mentioned plugin. Users who have enabled this plugin should either update or remove it to prevent possible DoS attacks on their servers. This version will be available in Spartacus within 24 hours, or can be downloaded manually through GitHub: Source Link.
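As an added illustration (not the serendipity_event_xmlrpc plugin's code, and not the Drupal commit itself), here is the kind of pre-parse guard this class of fix relies on; the sample requests and method name are constructed:

```php
<?php
// Added example, not the serendipity_event_xmlrpc plugin's own code. XML-RPC
// requests never legitimately carry a DOCTYPE, and the entity declarations a
// DOCTYPE may contain are what an XML parser expands into an oversized document
// (the reported DoS). Refusing such a message before any parser sees it avoids
// the expansion altogether and does not affect valid XML-RPC calls.

function xmlrpc_request_is_acceptable($message, $maxBytes = 1048576)
{
    // Cheap first line of defence: a blog's XML-RPC call is never megabytes large.
    if (strlen($message) > $maxBytes) {
        return false;
    }
    // Reject any DOCTYPE or entity declaration outright (case-insensitive to be safe).
    if (stripos($message, '<!DOCTYPE') !== false || stripos($message, '<!ENTITY') !== false) {
        return false;
    }
    return true;
}

function xmlrpc_parse_safely($message)
{
    if (!xmlrpc_request_is_acceptable($message)) {
        return false;
    }
    // Belt and braces: keep libxml from loading external entities or using the network.
    $previous = libxml_disable_entity_loader(true);
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($message, 'SimpleXMLElement', LIBXML_NONET);
    libxml_disable_entity_loader($previous);
    return $doc; // SimpleXMLElement, or false on any parse error
}

// Constructed sample requests; "demo.ping" is a made-up method name.
$benign  = '<?xml version="1.0"?><methodCall><methodName>demo.ping</methodName><params/></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]>'
         . '<methodCall><methodName>&e;</methodName></methodCall>';

foreach (array('benign' => $benign, 'hostile' => $hostile) as $label => $req) {
    $parsed = xmlrpc_parse_safely($req);
    printf("%-8s accepted=%s parsed=%s\n", $label,
        xmlrpc_request_is_acceptable($req) ? 'yes' : 'no',
        $parsed instanceof SimpleXMLElement ? 'yes' : 'no');
}
```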

If the update generates problems with your valid XML-RPC calls, please report them either on our forums or in the Serendipity issue tracker on GitHub. Thanks a lot also to Ian for bringing this issue to our attention, so that we were able to provide a quick fix as well.

Serendipity 2.0-beta3 release

The Serendipity Team has made good progress on the road to the 2.0 final release. We have tackled issues reported on our GitHub issue tracker. A few are still open, especially those dealing with the CKEditor and with plugins being adapted to the new look and feel of Serendipity 2.0's default theme. But we feel confident that we have reached a stage where the current work is much more usable than beta2, so we urge users of that release to upgrade to beta3.

The main changes of beta3 are:

  • Created a distinction between backend and frontend themes. They can now be chosen independently, and we have introduced theme compatibility to make it easy for developers to create their own backend theme by falling back on the default template files the new 2.0 theme provides.

  • The syndication plugin has been upgraded to provide clearer options, and moves several configuration items into the global Serendipity configuration (like custom feed URL forwarding).

  • Fixed bugs in thumbnail creation.

  • Added an optional toggle for users to pick either modal layers (e.g. for the media database) or popup windows.

  • Use the browser cache to store blog entries, so that a browser crash lets you restore them. Replaces the now incompatible autosave plugin.

  • Other changes, mostly of interest to developers or the curious, are listed in the docs/NEWS file of this release.

Please give us feedback on this new beta, which can be downloaded in the Download section. We will address the outstanding issues and put up a final release candidate before the actual 2.0 release.

Have fun and a nice summer :-)

Serendipity 2.0 beta release

After a long time of work, the Serendipity team is very proud to announce the first public beta version of Serendipity 2.0.

Our main goal for Serendipity 2.0 was to clean up our backend structure, both in terms of code and especially in terms of design and usability. We firmly believe we are now at a point where we want to show off our hard endeavours, and feel Serendipity 2.0 can now be properly used.

The new Backend

The most striking difference in the new Serendipity version will be the look of our new backend, patterned to match the 2k11 theme that you might already know from the frontend. We have replaced our old default backend theme with the new one. It looks fresh and is responsive, but is still easy to use and offers flexible customization.

In the technical structure of the backend, we have ported all output from internal PHP code to Smarty template files, so everything you see is now much better separated from the underlying PHP code. Even though this enables our users to create their own backend themes, we will NOT provide easy upgrading of customized backend themes. Every developer who adapts the backend has the responsibility to adapt his theme to newer Serendipity versions. The reason is that we need to stay flexible with our backend and be able to add new features without worrying about compatibility with custom backend themes. However, we will try to modify backend template files with care, and always keep compatibility in mind, as it is an integral part of Serendipity.

Have a look at a few screenshots covering the new design (sections shown: Plugins, Comments, Dashboard, Entry-Editor, Media-DB, Themes):

Also there's a video tour available showcasing the backend, made by YellowLed:

Youtube Link

Here's a small feature list of the new backend:

  • Responsive theme, usable for desktop, tablet and mobile devices

  • Uses off-canvas navigation for small screens

  • A new frontpage (aka "Dashboard") shows you the most notable things on your blog

  • A redone navigation tries to structure the backend tasks in a better way

  • "Themes" is now the definitive word, where we previously used "Template", "Style" or "Theme". We're committed to stick with this now. ;-)

  • The bundled WYSIWYG editor has been changed to CKEditor, offering a more modern and flexible approach to easily editing your blog entries. The TinyMCE plugin only works with TinyMCE 2.x, since recent TinyMCE versions have changed too much of their API to adapt to. If there is a developer who would like to add support for TinyMCE 3.x+, we'd be happy to help. The FCKEditor plugin has been superseded by CKEditor. So the currently available alternative to CKEditor is serendipity_event_xinha, which provides basically the old editor - however, we really suggest using the bundled CKEditor, or its sibling serendipity_event_ckeditor, which provides the best integration. Since the WYSIWYG implementation has been reworked, please report any issues you might find with it.

  • The current Theme options now have their own configuration page

  • A new option "simple filters" makes the filtering options for the media database or entry manager appear more focused. You can still access the "power-user" filtering options if this option is disabled. Simple filters are now enabled by default.

  • A conservative but thorough rework of the Media Library, with bigger thumbnails by default, nicer filters, fast type selection (Image/Video/Others), and use of an overlay for displaying the media item

  • Uses Modernizr for HTML5/CSS3 compatibility and feature detection.

  • Uses jQuery libraries: AccessibleTabs, MagnificPopup, Sortable, Cookie, Autoscroll, syncHeight

Core changes

In the PHP core, we restructured code and removed some older cruft. We introduced the ability to use Composer for packaging our external libraries, however those are still bundled within our repository, so that users who check out Serendipity do not need to care about installing or using Composer themselves.

We also added the option to use the Zend::DB database framework. We still provide our own, simple database API - available for PostgreSQL (PDO & native), MySQL, MySQLi, SQLite (PDO & native). The new Zend::DB framework can currently only be enabled by developers, but we will work on improving this layer so that it can be chosen during installation. If it works, this will enable you to use any other database engine that is supported by Zend::DB.

A few things plugin developers should take note of. If you have created custom plugins, you might need to take care of these changes. All plugins available in the Serendipity Spartacus repository have already been touched up to work with Serendipity 2.0. The changes are:

  • JavaScript functions offered by the backend have been renamed:

    • SetCookie() to Serendipity.SetCookie()

    • spawn() to Serendipity.spawn()

    • The addLoadEvent() function is unchanged, for backwards compatibility (BC)

    • All functions of serendipity_editor.js have been put into the "Serendipity" scope, so use Serendipity.getSelection() now instead of getSelection()

  • The static serendipity_editor.js file has been removed and is now part of the backend theme itself, and can be parsed by Smarty (templates/2k11/admin/serendipity_editor.js.tpl, with templates/default/admin/serendipity_editor.js as a fallback for other backends). It is automatically included in the backend.

  • The bundled and integrated jQuery no longer uses the noConflict mode in the backend.

  • The $serendipity["eyecandy"] option for advanced JavaScript usage has been removed. JavaScript is now used everywhere, but we always provide a fallback - the backend should still work (of course with reduced functionality) without JavaScript enabled. But come on, it's 2014.

  • A new API function serendipity_smarty_show() is available to more easily parse and return a template file

  • Internal Serendipity functions that previously echo'd output now consistently return the content.

  • The internal plugins that we stored in include/plugins_internal.inc.php now properly reside as individual plugin directories in the plugins/ directory tree. This allows us to possibly maintain core plugins through Spartacus as well, to push updates to those plugins without needing to wait for new Serendipity releases. An upgrader migration task makes sure that the renamed plugins in your installation are migrated to the new names.

  • A new plugin API event hook "js" has been introduced; similar to the "css" hook, it gives plugins an easy way to inject their JavaScript into a central file.

  • Internal JavaScript has been adapted to make use of jQuery's ease of use and creates leaner and more readable code.

  • The entryproperties plugin will now purge its cache when it is uninstalled.

  • A new section called Maintenance now bundles administrative tasks like import, export on its own dashboard. This new section now also enables admins to purge compiled template files.
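To illustrate the new "js" hook from the list above, here is an added example plugin, not code from the Serendipity project. It assumes, mirroring the "css" hook as the post describes it, that $eventData is the text of the central file and the plugin appends to it; the plugin name, config value and script are made up:

```php
<?php
// Added example, not code from the Serendipity project. A minimal event plugin
// using the new "js" hook next to the existing "css" hook. Assumption (mirrors
// the css hook): $eventData holds the central file's text and the plugin appends
// to it. The security point: any value that originates in plugin configuration
// (i.e. from a user) is placed into the script only via json_encode(), never by
// plain string concatenation, so it cannot break out into executable code.

class serendipity_event_jsdemo extends serendipity_event
{
    function introspect(&$propbag)
    {
        $propbag->add('name',        'JS hook demo');
        $propbag->add('description', 'Injects a small script via the "js" hook');
        $propbag->add('version',     '0.1');
        $propbag->add('event_hooks', array('js' => true, 'css' => true));
    }

    function event_hook($event, &$bag, &$eventData, $addData = null)
    {
        switch ($event) {
            case 'js':
                // Hypothetical config value; a real plugin would read it with
                // $this->get_config('greeting') and must treat it as untrusted.
                $greeting = 'Hello "world" & </script>';
                $eventData .= "\n/* serendipity_event_jsdemo */\n"
                            . "var jsdemoGreeting = " . self::jsLiteral($greeting) . ";\n";
                return true;

            case 'css':
                // Same idea as before 2.0: append to the central stylesheet.
                $eventData .= "\n.jsdemo { font-weight: bold; }\n";
                return true;
        }
        return false;
    }

    // json_encode() with the HEX flags escapes <, >, &, ' and " as \uXXXX, so the
    // literal is safe both in a standalone .js file and inside an inline <script>.
    static function jsLiteral($value)
    {
        return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }
}
```

Placed as plugins/serendipity_event_jsdemo/serendipity_event_jsdemo.php, the plugin would contribute one line to the central JavaScript in which the closing tag and quotes of the sample value appear only as \u-escapes.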

Compatibility Changes / Theme developer information

Support for themes using "layout.php" has finally been removed. Themes have not used this for ages, since Smarty was added to Serendipity. Previously the file added its own "workflow" to the frontend display of entries, but that can now be solved much more easily through Smarty and a theme's config.inc.php.

All new backend admin Smarty files can currently be found in templates/2k11/admin/. The alternative XML/XSLT and PHP templates (templates/default-xml, templates/default-php) are still proof-of-concept. Those themes use a "template.inc.php" file to allow substituting the Smarty template API with a custom one. An example can be found in include/template_api.inc.php - however, this API is so rarely used that we have not yet properly tested it with Serendipity 2.0 and our Smarty3 framework. Theoretically it still works. So anyone who actually uses it, please tell us if you find issues with it.

A couple of new language constants have been added. If you are a translator, please check the lang/serendipity_lang_XX.inc.php file of your own language (also the file in the UTF-8 subdirectory) and contribute translations. Be aware that we also plan to soon rephrase some of the language constants currently used in 1.7; these will be put at the bottom of the language file for translators to check whether they still match properly.

Metatron

Accompanying Serendipity 2.0 is our new tool Metatron which can perform a number of administrative tasks on the command line. Still in its early stages, Metatron can be helpful for administrators and Serendipity developers. It currently prints out a lot of information about a Serendipity installation, flushes the file cache, and can be used to moderate comments. More features are planned according to user feedback. Metatron is based on the Symfony2 Console component.

User Feedback

We would love for our users to test our beta now. At this point we are very open to user feedback - but we are quite confident that we already provide you with a greatly updated Serendipity experience. At this early point of the beta, you should only upgrade your production Serendipity installations to the new version if you know what you are doing and are able to downgrade. Better set up a clone/copy of your blog, or a new experimental blog, to test Serendipity 2.0.

Upgrading to Serendipity 2.0 from older versions works the same as any other upgrade. Before you upgrade, make sure to update all plugins in use, so that they work fine with Serendipity 2.0. If you do hit problems, have suggestions or get errors, please report them on the Serendipity Forums (http://board.s9y.org).


Many, many thanks to the team (in no specific order): onli, YellowLed, mattsches, Ian, and many users on the forums giving feedback and their testing.