Vulnerability in Sandbox fixed

June 19, 2009 – 9:27 pm

Thanks to WordPress user anoncobard, a cross-site scripting vulnerability in prior Sandbox versions has been fixed. I ask all Sandbox users to download Sandbox 1.6.1 and upgrade.

In the Sandbox functions.php, the pagination variable in the sandbox_body_class() passed an unsanitized variable that could be exploited using XSS.

See line 128 in the file:

if ( ( ( $page = $wp_query->get('paged') ) || ( $page = $wp_query->get('page') ) ) && $page > 1 ) {

The variable $page is never validated before it is passed to the function and then to the page. By simply adding $page = intval($page); (thanks to Andy), we make sure what is passed is only a number (see the diff of the changes).

This has also been fixed for the Sandbox theme for WordPress.com accounts. Please note that there have been no reports the Sandbox theme being exploited, so we are glad that we were able to correct this weakness before it was announced.

Now get back to playing in your Sandbox.

By Scott | Posted in Development | Tagged , , , , , | Comments (3)

An ideal WordPress user

April 29, 2008 – 10:47 pm

What I really engaged me when I first started using WordPress was the sense of community. Relatively large, but close knit. Most people know who the big players are, who the new comers are, etc. Who’s making the hot themes and who made the themes that are starting to get a bit tired.

Enter Kirk. Kirk is exactly the person who I want downloading my themes. After downloading and playing with one of my themes (blog.txt to be specific), Kirk e-mails me requesting some support for some specific but discreet task. I help. I’m happy to.

Kirk files tickets on my theme project pages for things that are broken or could be enhanced. Some I accept, some I don’t. He takes both well. I hear from him now and again. A happy user.

Here’s what separates Kirk from most users. Kirk e-mails me wanting to know how to disable the generator link. For security, he says. Regardless of whether or not I think this improves the security of his blog, I help. I describe the problem and set him off in the right direction.

For this, I make him a simple plugin he can upload based directly on what Peter Westwood documented on his blog. Easy as pie. Took me ten minutes. I slap it into a PHP file and send it along to Kirk knowing he’ll take it from there.

But what Kirk does is, instead of being satisfied after his problem was solved, he shares his experience and provides the solution for others.

Community. Here, here.

By Scott | Posted in News | Tagged , , , | Comments (9)

Post-release theme fixes

April 2, 2008 – 12:09 pm

Once again, this is just another post letting everyone know that my themes, including Sandbox, have been updated. I hadn’t properly tested the new gallery short code in WordPress 2.5 and therefore my themes didn’t work too well with it, since the default gallery short code inserts a style element (as compared to attributes) within the body. Not good. The gallery short code is now handled properly by each theme.

There was another significant change. For single posts that are actually attachments, WordPress looks for a template file in the theme directory that makes the abbreviated mime-type. For JPEG image (image/jpeg), WordPress will look for a template file named image.php in the current theme directory.

If that file isn’t present, it then looks for attachment.php and then falls back on single.php. So each theme includes a new file, image.php. The general attachment file remains and was modified accordingly.

For Sandboxers, the relevant changesets from version 1.5 to the just-released version 1.5.2 are 247, 248, 249, 250, 251, 252, and 253. So now go on and enjoy new themes.

By Scott | Posted in Development | Tagged , , , , | Comments (5)

Everything updated. Again.

March 16, 2008 – 1:39 am

Ahead of the release of WordPress 2.5.x on Monday, March 17, 2008, I’m releasing updates to all my themes. I tested both the version 4.0 and 4.1 releases of my themes with WordPress 2.5 and none of them had any problems. But I thought this release was a good opportunity to do some housekeeping.

Barthelme, blog.txt, plaintxtBlog, Simplr, and veryplaintxt have been upgraded across the board to version 4.5. New features include gravatar support, i.e., get_avatar(), and prettifying theme options menus with the new WordPress 2.5 design scheme.

Most of the revisions are under the hood, so users are unlikely to notice any cosmetic differences. The theme options menus now each use wp_nonce_field() and filter content much aggressively than before. So users should rest easy that they are using secure and stable themes. I mean, these themes are each almost two years old.

The Sandbox has also received an update, which is necessary since its inclusion with the core has been pushed back (again) to WordPress 2.6. So be it. Anyhow, the Sandbox now has some improvements to its semantic classes, including new classes for parent and child pages.

As always, I encourage everyone to have a look, give them a spin, and feel free to come back with any comments, suggestions. Enjoy.

By Scott | Posted in News | Tagged , , , | Comments (9)

Trunk users beware

March 2, 2008 – 1:20 am

Half an hour ago I committed a number of WordPress 2.5-specific changes to the Sandbox SVN. And thanks to a much improved Google Code interface, you can see the changes for revision 226.

This means if you using the Sandbox /trunk/ with WordPress 2.3.x and you svn up, well, you’re going to get some errors. Apologies.

There are also a number of new classes for the body: body.page-parent, body.page-child. My favorite new class, though, is the new .untagged class for posts without tags.

So far WordPress hasn’t provided a good way to search for untagged posts. Well, add

.untagged {
   color: #F00;
}

and you’ll figure out quickly which posts are untagged. Crude, but fun.

I’m quite excited about the use of get_avatar and much richer hCards for commentators. You’ll now see the appropriate use of a.url for commentators with links and img.photo with avatars.

I also looked at how to best use the new is_front_page() function. There has always been a body.home class, so now I had to differentiate .home and, well, something else.

So right now we have is_front_page() producing body.home and is_home() producing body.blog. As the front page will be the, er, home page, and the home page will be the page with blog posts.

So chew on that sentence and then figure it out.

By Scott | Posted in Development | Tagged , , , , | Comments (1)