Serendipity 2.1 - First Release Candidate

We are happy to announce the availability of the first (and hopefully last) Release Candidate for Serendipity 2.1.

We feel comfortable suggesting that you try out this release in production environments (of course, always make a backup of your database and files first).

Serendipity 2.1 focuses on:

  • Rewrites in some older legacy parts of the core (URL routing, template fallback chain, experimental internal caching) as well as PHP7 compatibility.
  • New bundled responsive themes "Timeline" and "Clean-Blog"
  • Improved usability of plugin upgrades by combining sidebar and event plugins and upgrading multiple plugins at once
  • Permission checks for the dashboard output and comments
  • Usability improvements to the media library, bulk moving support
  • New API wrapper for URL downloads that plugins can use (serendipity_request_url)
  • New Theme "Skeleton" (responsive, mobile first)
  • Improved preview iframe handling
  • Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors
  • (new for rc1) Ability to set a default posting category for an author
  • (new for rc1) Improved security checks against CSRF attacks (comment moderation, comment toggling)
  • (new for rc1) Improved security for referrer redirection
  • (new for rc1) Improved security for local file hotlinking
  • (new for rc1) Fixed sorting media database by filename

Many thanks at this point (in no specific order) to Lee Sheldon Victor, cdxy, Edric Teo and Xu Yue for helping a lot in improving the security of Serendipity.

You can download the release file and unzip it to your installation as usual on our Github release tracker.

Serendipity 2.0.3 released

Happy New Year! Serendipity 2.0.3 has just been released to address an XSS security issue found and reported by Onur Yilmaz and Robert Abela from Thanks a lot for contacting us and working with us to address the issue.

The issue only affects logged-in authors: HTML can be injected into the comment editing form when they click specially crafted links. Because authentication is required, we consider the issue to be of medium impact, but we recommend that everyone perform the update.

We are currently still working on an improved presentation page and its documentation, as well as on the 2.1 branch of Serendipity. Check out our current 2.1 changelog if you are interested and willing to help with testing!

Serendipity 2.0.2 Security Fix Release

Thanks to the report of Tim Coen (of Curesec GmbH) we were able to address three security issues in the Serendipity code.

The first issue was found because authenticated authors are allowed to upload files with the extension .pht(ml), which can be executed as PHP code on Apache web server configurations that map this suffix to the PHP interpreter. If your blog allows upload access for untrusted authors, you should regard this issue as a critical risk.
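As an added illustration of the kind of check that closes this class of issue (example code written for this post, not Serendipity's own upload code), the function below accepts an upload only if its final extension is on an allowlist and none of its dotted parts is a suffix a web server might execute; the function and constant names are hypothetical:

```php
<?php
// Added example, not Serendipity's own code. An allowlist for media uploads,
// plus a denylist of server-executable suffixes (such as .pht and .phtml) that
// is checked on every dotted part of the name, so "image.phtml.jpg" is rejected
// as well. Names of the function and constants are hypothetical.

// Extensions a blog actually needs to accept for media uploads.
const UPLOAD_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'zip', 'mp4', 'mp3'];

// Suffixes that common web server configurations may hand to an interpreter.
const UPLOAD_EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'pht', 'phtml', 'phar',
    'cgi', 'pl', 'sh', 'htaccess',
];

function upload_filename_is_acceptable(string $filename): bool
{
    // Work on the basename only, so directory components cannot smuggle a suffix.
    $name  = strtolower(basename(str_replace('\\', '/', $filename)));
    $parts = explode('.', $name);

    // No extension at all, or a dotfile such as ".htaccess": reject.
    if (count($parts) < 2 || $parts[0] === '') {
        return false;
    }

    // The last part must be on the allowlist (case-insensitive, see strtolower above).
    $extension = array_pop($parts);
    if (!in_array($extension, UPLOAD_ALLOWED_EXTENSIONS, true)) {
        return false;
    }

    // Any remaining part that is an executable suffix makes the name unacceptable.
    foreach ($parts as $part) {
        if (in_array($part, UPLOAD_EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample file names, not real uploads.
$samples = ['photo.jpg', 'page.phtml', 'notes.pht', 'image.phtml.jpg', '.htaccess', 'report.PDF'];
foreach ($samples as $f) {
    printf("%-18s %s\n", $f, upload_filename_is_acceptable($f) ? 'accept' : 'reject');
}
```

The extension check is only one layer: storing uploads outside the web root, or serving the upload directory with script execution disabled, protects even when a suffix is missing from the denylist.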

The second issue is missing escaping of comment approval tokens (when enabled in your blog), which allows possible SQL injection leading to data leaks and DoS. An authenticated user must be tricked into clicking a specifically crafted URL to exploit this (medium risk).
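The fix for this class of bug is to validate the token's shape and hand it to the database as a bound parameter rather than interpolating it into the SQL string. The following is an added example written for this post, not Serendipity's own code; the table name, column names and the token format are assumptions:

```php
<?php
// Added example, not Serendipity's own code. The approval token is checked for
// shape and then passed as a bound parameter, so it can never alter the
// statement. Table, columns and the token format are hypothetical.

// Unsafe pattern (the class of bug described above), shown for contrast only:
//   $db->query("SELECT * FROM comments WHERE approval_token = '$token'");

function find_pending_comment_by_token(PDO $db, string $token): ?array
{
    // Reject anything that is not shaped like a token before it reaches SQL.
    // Assumes tokens are 32 lowercase hex characters; adjust to the real format.
    if (!preg_match('/^[a-f0-9]{32}$/', $token)) {
        return null;
    }

    // Bound parameters: the driver sends values separately from the statement text.
    $stmt = $db->prepare(
        'SELECT id, author FROM comments WHERE approval_token = :token AND status = :status'
    );
    $stmt->execute([':token' => $token, ':status' => 'pending']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Self-contained demo with an in-memory SQLite database and constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, status TEXT, approval_token TEXT)');
$db->exec("INSERT INTO comments VALUES (1, 'alice', 'pending', '0123456789abcdef0123456789abcdef')");

var_dump(find_pending_comment_by_token($db, '0123456789abcdef0123456789abcdef')); // row 1
var_dump(find_pending_comment_by_token($db, 'not-a-valid-token'));                 // null, fails the format check
```

Because the token arrives via a link the user clicks, the moderation action behind it should additionally require a CSRF token tied to the session, as the 2.1 release notes above describe for comment moderation.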

The third issue is missing escaping of a commenting user's name by JavaScript of the 2k11 theme (used by default), which is triggered when a user clicks on the "Reply" link (medium risk).

We have prepared two new releases, one for each of our currently maintained Serendipity version branches, and recommend updating your Serendipity version:

  • 2.0.2 is the recommended release
  • 1.7.9 is the hotfix release for everyone not yet running Serendipity 2.x (you should!)

Check out the download locations for the release files.

Of course, everyone who uses our GitHub repository to check out the Serendipity files will get the patches by pulling our 2.0 branch, or master (2.1.x) for our current development version.

Updating Serendipity is painless: upload or check out the release files and go to the administration suite, where you can confirm the upgrade. Alternatively, with the auto-update plugin you can install the update from within your administration suite once we are able to upload the release to our SourceForge repository (which is down right now).

We are happy to be able to coordinate this release with Tim and provide improved security for our users.

Serendipity 2.0.1 released

Serendipity 2.0.1 has just been released. This is the first maintenance release; it fixes a couple of minor issues and one security-related issue where improper escaping of category names can lead to a possible XSS attack. This can only be performed by authenticated editors, so we consider it medium-impact. If you run a multi-user blog with untrusted authors, you are urged to upgrade to the new release. Many thanks to Edric Teo for reporting this issue to us, which could then be fixed within the same day.

Some other notable bug fixes are:

  • Report errors if the inclusion of JavaScript files throws PHP errors, to help in diagnosing an installation
  • Support for user.css backend CSS additions, without needing to edit the 2k11 backend theme
  • Some JavaScript fixes for the backend, better theme fallback methods

As usual, the complete list of changes can be seen in our docs/NEWS file. Upgrading is as simple as always: download the release, unpack, upload, say hi to our upgrader, done.

Serendipity Camp 2015 and the near future of Serendipity

This weekend marked the first time that a couple of developers and users finally shared a room and met face to face. We hope this was only the first time, and that it will be repeated at least annually.

Our goal for this weekend was to connect names to faces, get to know each other and discuss the past and future of Serendipity, seen from both viewpoints: users and developers.

Luckily, the kind people of the Linuxhotel in Essen (Germany) have a great offer for open source projects like ours: comfortable rooms, food, wifi and a special ambience for a price that is hard to beat. Thanks so much for having us!

Also, the city of Essen was a good middle ground for most of our people to meet up (from left to right):


Serendipity 2.0 released

After a long time of work, the Serendipity team is very proud to announce the final version of Serendipity 2.0.

This blog posting reiterates the initial 2.0-beta release announcement. On top of that, the changes since the last release candidate contain minor bug fixes for CSS issues, filtering entries in the backend, further PHP 5.6 compatibility improvements and a few other things that are noted in the NEWS file of the release.

Our main goal for Serendipity 2.0 was to clean up our backend structure, both in terms of code and especially in terms of design and usability. We firmly believe we are now at a point where we want to show off the results of our hard work, and feel Serendipity 2.0 can now be properly used.

The new Backend

The most striking difference in the new Serendipity version will be the look of our new backend, patterned to match the 2k11 theme that you might already know from the frontend. We have replaced our old default backend theme with the new one. It looks fresh, is responsive, and is still both easy to use and flexible to customize.

In the technical structure of the backend, we have ported all output from internal PHP code to Smarty template files, so everything you see is now much better separated from the underlying PHP code. Even though this enables our users to create their own completely custom backend themes, we will NOT provide easy upgrading of the backend for customized themes. Every developer who adapts the backend has the responsibility to adapt their theme to newer Serendipity versions. The reason for that is that we need to stay flexible with our backend and be able to add new features without worrying about compatibility with custom backend themes. However, we will try to modify backend template files with care, and always keep compatibility in mind, as it is an integral part of Serendipity.

Have a look at a few screenshots covering the new design:

[Screenshots of the new backend sections: Plugins, Comments, Dashboard, Entry-Editor, Media-DB, Themes]

Also, there's a video tour available on YouTube showcasing the backend, made by YellowLed.

Here's a small feature list of the new backend:

  • Responsive theme, usable for desktop, tablet and mobile devices

  • Uses off-canvas navigation for small screens

  • A new frontpage (aka "Dashboard") shows you the most notable things on your blog

  • A redone navigation tries to structure the backend tasks in a better way

  • "Themes" is now the definitive word, where we previously used "Template", "Style" or "Theme". We're committed to stick with this now. ;-)

  • The bundled WYSIWYG editor has been changed to CKEditor, offering a more modern and flexible approach to easily editing your blog entries. The TinyMCE plugin only works with TinyMCE 2.x, since recent TinyMCE versions have changed too much of their API to adapt to. If there is a developer who would like to add support for TinyMCE 3.x+, we'd be happy to help. The FCKEditor plugin has been superseded by CKEditor. So the currently available alternative to CKEditor is serendipity_event_xinha, which provides basically the old editor; however, we strongly recommend using the bundled CKEditor, or its sibling serendipity_event_ckeditor, which provides the best integration. Since the WYSIWYG implementation has been reworked, please report any issues you find with it.

  • The current Theme options now have their own configuration page. Also frontend and backend themes can now be chosen independently.

  • The entry editor now keeps a safety backup of your blog postings while writing them. If the browser crashes or you accidentally close the browser window, the next time you create a new entry, the saved content will be shown there.

  • A new option "simple filters" makes the filtering options for the media database or entry manager appear more focused. You can still access the "power-user" filtering options if this option is disabled. Simple filters are now enabled by default.

  • A conservative but thorough rework of the Media Library, with bigger thumbnails by default, nicer filters, fast type selection (Image/Video/Others), and use of an overlay for displaying the media item

  • Uses Modernizr for HTML5/CSS3 compatibility and feature detection.

  • Uses jQuery libraries: AccessibleTabs, MagnificPopup, Sortable, Cookie, Autoscroll, syncHeight

Core changes

In the PHP core, we restructured code and removed some older cruft. We introduced the ability to use Composer for packaging our external libraries, however those are still bundled within our repository, so that users who check out Serendipity do not need to care about installing or using Composer themselves.

We also added the option to use the Zend::DB database framework. We still provide our own, simple database API, available for PostgreSQL (PDO and native), MySQL, MySQLi and SQLite (PDO and native). The new Zend::DB framework can currently only be enabled by developers, but we will work on improving this layer so that it can be chosen during installation. If it works, this will then enable you to use any other database engine that is supported by Zend::DB.

A few things should be noted for plugin developers. If you have created custom plugins, you might need to take care of these changes. All available Serendipity Spartacus repository plugins have already been touched up to work with Serendipity 2.0. The changes are:

  • JavaScript functions offered by the backend have been renamed:

    • SetCookie() to Serendipity.SetCookie()

    • spawn() to Serendipity.spawn()

    • The addLoadEvent() function is unchanged, for backwards compatibility (BC)

    • All functions of serendipity_editor.js have been put into the "Serendipity" scope, so use Serendipity.getSelection() now instead of getSelection()

  • The static serendipity_editor.js file has been removed and is now part of the backend theme itself, and can be parsed by Smarty (templates/2k11/admin/serendipity_editor.js.tpl, with templates/default/admin/serendipity_editor.js as a fallback for other backends). It is automatically included in the backend.

  • The bundled and integrated jQuery no longer uses the noConflict mode in the backend.

  • The $serendipity["eyecandy"] option for advanced JavaScript usage has been removed. JavaScript is now used everywhere, but we always provide a fallback: the backend should still work (with reduced functionality, of course) without JavaScript enabled. But come on, it's 2014.

  • A new API function serendipity_smarty_show() is available to more easily parse and return a template file

  • Internal Serendipity functions that previously echoed output now consistently return the content.

  • The internal plugins that we stored in include/ now properly reside as individual plugin directories in the plugins/ directory tree. This allows us to maintain core plugins through Spartacus as well, pushing updates to those plugins without needing to wait for new Serendipity releases. An upgrader migration task makes sure that the renamed plugins in existing installations are migrated to the new names.

  • A new plugin API event hook "js" has been introduced; similar to the "css" hook, it gives plugins an easy way to inject their JavaScript into a central file.

  • Internal JavaScript has been adapted to make use of jQuery, resulting in leaner and more readable code.

  • The entryproperties plugin will now purge its cache when it is uninstalled.

  • A new section called Maintenance now bundles administrative tasks like import and export on its own dashboard. This new section also enables admins to purge compiled template files.

Compatibility Changes / Theme developer information

Support for themes using "layout.php" has finally been removed. Themes have not used this for ages, since Smarty was added to Serendipity. Previously the file added its own "workflow" to the frontend display of entries, but that can be solved much more easily through Smarty and a theme's now.

All new backend admin Smarty files can currently be found in templates/2k11/admin/. The alternate XML/XSLT and PHP templates (templates/default-xml, templates/default-php) are still proof-of-concept. Those themes use a "" file to allow substituting the Smarty template API with a custom one. An example of that can be found in include/; however, this API is so rarely used that we have not yet properly tested it with Serendipity 2.0 and our Smarty3 framework. Theoretically it still works. So if you actually use it, please tell us if you find issues with it.

A couple of new language constants have been added. If you are a translator, please check the lang/ file for your language (also the file in the UTF-8 subdirectory) and contribute translations. Also be aware that we plan to soon rephrase some of the language constants currently used in 1.7; these will be put at the bottom of the language file for translators to check whether they still match properly.


Accompanying Serendipity 2.0 is our new tool Metatron which can perform a number of administrative tasks on the command line. Still in its early stages, Metatron can be helpful for administrators and Serendipity developers. It currently prints out a lot of information about a Serendipity installation, flushes the file cache, and can be used to moderate comments. More features are planned according to user feedback. Metatron is based on the Symfony2 Console component.


Upgrading to Serendipity 2.0 from older versions works the same as any other upgrade. Before you upgrade, make sure to update all plugins you use, so that they work with Serendipity 2.0. If you hit problems, have suggestions or get errors, please report them on the Serendipity Forums ( If you are using your blog from a GitHub "master" checkout, this now represents our development branch for a future 2.1 version; in addition, the "2.0" branch (which existed before for development) will be maintained for future 2.0.x patch versions. Check out this board posting about commit policy for information.

Serendipity 2.0 requires at least PHP 5.3.

Many, many thanks to the team (in no specific order): onli, YellowLed, mattsches, Ian, and many users on the forums giving feedback and their testing.