Archive for the 'Unwakeable' Category

Unwakeable XSS Vulnerability

It was brought to my attention a couple days ago that Unwakeable 1.2 contains a cross-site scripting (XSS) vulnerability in the search piece. To test to see if you’re vulnerable, search for this on your Unwakeable site:

<script>alert('XSS Vulnerability!');</script>

If you see a javascript popup after searching, you’re vulnerable to attack and should follow the steps below to fix the vulnerability in Unwakeable 1.2. I’ve already taken steps to fix this vulnerability in Unwakeable 2.0, which will be released shortly.

To fix your installation of Unwakeable 1.2 you need to edit three files: searchform.php, theloop.php, and header.php.

1. searchform.php

First, open searchform.php and change this piece on line 8:

<form method="get" id="searchform" action="<?php echo $_SERVER['PHP_SELF']; ?>">

to this:

<form method="get" id="searchform" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

2. theloop.php

Next, open theloop.php and change this piece on line 42:

printf(__('Search Results for \'%s\'','k2_domain'), $s);

to this:

printf(__('Search Results for \'%s\'','k2_domain'), htmlspecialchars($s));

3. header.php

Finally, open header.php and change this code on line 6:

Search for <?php echo $s;

to this:

Search for <?php echo htmlspecialchars($s);
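As an added example (not code from Unwakeable), here are the three output points side by side in their vulnerable and fixed forms, run against the test string from the post; the WordPress __() call is replaced by a plain sprintf() and PHP_SELF by a constructed path so the script runs on its own under the PHP CLI. htmlspecialchars() escapes &, <, > and " by default, which is enough for the text and double-quoted attribute contexts patched here.

```php
<?php
// Added example, not Unwakeable's own code. Each function mirrors one of the
// three edited output points; $fixed selects the before/after form.

// Constructed sample input: the test search from the post.
$s = "<script>alert('XSS Vulnerability!');</script>";
// Constructed stand-in for $_SERVER['PHP_SELF']. The request path is chosen
// by the client, so it is untrusted input just like the search term.
$phpSelf = "/index.php/<script>alert('XSS Vulnerability!');</script>";

// searchform.php line 8: double-quoted attribute context.
function search_form_action($path, $fixed) {
    $value = $fixed ? htmlspecialchars($path) : $path;
    return '<form method="get" id="searchform" action="' . $value . '">';
}

// theloop.php line 42: text context; sprintf() stands in for WordPress's __().
function search_results_heading($s, $fixed) {
    $value = $fixed ? htmlspecialchars($s) : $s;
    return sprintf("Search Results for '%s'", $value);
}

// header.php line 6: text context.
function header_search_for($s, $fixed) {
    $value = $fixed ? htmlspecialchars($s) : $s;
    return 'Search for ' . $value;
}

// Crude self-check: a literal <script tag surviving into the markup means the
// test search would still execute in the browser.
function contains_raw_script($html) {
    return stripos($html, '<script') !== false;
}

foreach (array(false, true) as $fixed) {
    $label = $fixed ? 'fixed' : 'vulnerable';
    $outputs = array(
        search_form_action($phpSelf, $fixed),
        search_results_heading($s, $fixed),
        header_search_for($s, $fixed),
    );
    foreach ($outputs as $html) {
        printf("[%s] raw <script> present: %s\n    %s\n",
               $label, contains_raw_script($html) ? 'yes' : 'no', $html);
    }
}
```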

That’s it. Once you’ve made those three changes you should no longer be vulnerable to this cross-site scripting attack. To make sure, just perform the search I mentioned above. It should no longer produce a javascript pop-up.

You can find out more about this vulnerability at blogsecurity.net. They have a tool called WordPress Scanner that will scan your WordPress installations for security problems.

Let me know if this fix doesn’t work for any of you.


Unwakeable and Vacation

Ashley and I both managed to get a week off work for vacation this last week. We spent the week (7/21/2007 - 7/28/2007) in Northport, Michigan with the Davis family, that’s Ashley’s mother’s side. I can’t even begin to explain how nice it was to have a week off work. We both had a great time in Michigan, except for the visit to Mackinac Island. I could not believe the number of people on that island, way too many for me to deal with.

We stayed the entire week at Northport Bay Retreat, a gigantic property that’s owned by Mike Anton (Anton & Co). Anton owns another property on Spider Lake, also in Michigan, that we’re hoping to get for the next reunion. We actually tried to get the Spider Lake location for this reunion but weren’t able to. The Spider Lake location is a much better fit for our group than the Northport Bay location, for multiple reasons that I won’t go into here. Ash and I took a few pictures while in Michigan, but not nearly as many as I would have liked.

I did a little work on Unwakeable 2.0 while we were in Michigan. I’ve continued work on 2.0 since returning and have it very close to being ready for release. Unwakeable 2.0 will include some new styling options. For example, you can choose custom colors to use in the header and you can also customize sidebars. Unwakeable 2.0 includes the ability to choose from no sidebar, a single sidebar, or dual sidebars. Unwakeable 2.0 can also be set to fixed or flexible width. Flexible width will let Unwakeable adjust itself to fill most of the browser window.

I’ve also built sidebar modules for Gregarious, WP-PostRatings, and WP-PostViews. This will allow you to use those plugins in your dynamic sidebar provided you have the plugins installed and activated. Also, support for the LMB^Box Comment Quicktags plugin is included. All you have to do is download and activate the plugin and it will automatically start working with Unwakeable.

I expect I’ll be releasing Unwakeable 2.0 within 2 weeks, but I need to get some more testing done before releasing it to the wild. Please note that Unwakeable 2.0 can only be used with WordPress 2.1 or later. If you’re using WordPress 2.0, Unwakeable will not work.


Unwakeable Status: Version Bump

Just a quick heads up on what’s been going on with Unwakeable lately. On the top of my priority list is livesearch. Livesearch doesn’t work in Internet Explorer when certain plugins are in use, such as Share This from Alex King. This is caused by multiple prototype.js files being loaded.

The next version of Unwakeable will be 2.0. I’ve been saying 1.3 would be the next version but have since decided to make the bump up to 2.x. I chose to do this because I’m dropping support for WordPress 2.0.x and focusing on supporting WordPress 2.1 fully.

Since Unwakeable 2.0 is a couple weeks out still, this will hopefully give everyone enough time to upgrade to WordPress 2.1. There shouldn’t be anything holding you back from upgrading at this point. As of right now, I’m taking out all the old WordPress 2.0.x functions and replacing them with the new functions found in WordPress 2.1. I really don’t want to try to support both versions of WordPress. Doing so could cause pages to load slowly due to all the checking I’d have to do for existing functions. So, as of right now, Unwakeable 2.0 will be WordPress 2.1 only!!

Also slated for Unwakeable 2.0 is additional support for more plugins. Unwakeable 2.0 will have support for the following plugins, in addition to those already supported:

  1. WPVideo
  2. Yet Another Photo Blog (YAPB)
  3. LMB^Box Comment Quicktags

I’ve retooled the various post styles that were introduced in Unwakeable 1.1. I’ve slimmed them down quite a bit and have included icons from Dropline Neu by Silvestre Herrera.

Also, I should have some additional options for Unwakeable. One additional option will be the number of related posts to show on the sidebar, as well as the number of recent posts to show on the sidebar. Also, I’d like to include an option to specify whether or not to use a fixed width, which is pixel based, or variable width, which is percentage based. This will give greater flexibility to bloggers who post large images frequently. I haven’t looked into how feasible this will be to do yet. Provided it’s not too difficult, this feature should be included in Unwakeable 2.0.

I’m still planning support for user defined color schemes in the options panel, although not in time for Unwakeable 2.0. I’m not quite sure how to go about displaying all these options in an efficient manner. It may be easier for me to just allow users to create custom style sheets that apply only to colors. Not really sure as of right now how I should exactly go about this. This how-to from Thomas looks pretty good, although little of it probably relates to WordPress 2.1.

So, there you have it. I’m really looking forward to releasing Unwakeable 2.0, it’s gonna be the best release yet. Again, I’d like to thank everyone who uses Unwakeable. Your kind words and feedback make every bit of time I put into Unwakeable very much worth it. Thank you all for your support. And as always, let me know if there’s any features you’d like to see or if you’d like support for a certain plugin.


Make Alex King’s Share This Plugin Play Nice With Unwakeable

Fixed. Unwakeable 2.0 will include this fix.

My Unwakeable WordPress theme doesn’t play nicely with Alex King’s Share This WordPress plugin. When Share This is being used, the livesearch feature of Unwakeable doesn’t work in Internet Explorer 6 or 7. I’m willing to bet K2 has the same issue. I know for a fact that Redoable had this problem at one point.

Livesearch breaks because prototype.js gets loaded twice, first by Unwakeable, then again by Share This. Now, Share This uses the prototype.js that will be included in WordPress 2.1, located at wp-includes/js/prototype.js. We use a custom prototype.js file for Unwakeable. The prototype.js file in Unwakeable will still provide all the functionality needed by Share This.

The prototype.js included in Unwakeable is located at wp-content/themes/unwakeable-1.2/js/prototype.js.php. It has a .php extension because there’s some PHP code at the top that needs to be processed before doing anything else. The PHP code tells the browser to cache the prototype.js file, and it also sends the correct content-type headers so the browser knows it’s dealing with a javascript file after all is said and done.

I’ve spent a few days thinking of possible solutions that could be implemented from within Unwakeable. That’s not possible though, unfortunately. Well, it is possible, but would require filtering all the HTML output by WordPress before it’s sent to the browser so we could strip out the prototype.js included by Share This. Doing something like that would probably result in a fairly dramatic decrease in performance, so it’s not an option.

Fortunately, it’s extremely easy to modify Share This to not load prototype.js. Here’s what you need to do:

  1. Open wp-content/plugins/share-this/share-this.php
  2. Go to line 352:
    <script type="text/javascript" src="'.$wp.'/wp-includes/js/prototype.js"></script>
  3. Delete all of line 352 (code above) and you should be left with this on lines 351 to 354:
    print('
    <script type="text/javascript" src="'.$url.'?akst_action=js"></script>
    <link rel="stylesheet" type="text/css" href="'.$url.'?akst_action=css" />
    ');
  4. Save share-this.php and upload it to wp-content/plugins/share-this/

That’s all there is to do to stop Share This from loading prototype.js. It sorta sucks having to ignore the prototype.js that’s already included with WordPress 2.1. I will probably start working on making Unwakeable work with the prototype.js included in WordPress 2.1.

Does anyone know if it’s possible to determine if a javascript file has been loaded, from within javascript? I ask because I think Share This will still load a second prototype.js, even if I make Unwakeable work with prototype.js from WordPress 2.1 (the one used by Share This already).

I imagine Alex will come up with a method to determine if prototype.js has already been loaded. Unless javascript won’t allow identical .js files to be loaded, in which case determining if prototype.js has already been loaded would be pointless. If that’s the case then I should be good simply making Unwakeable work with prototype.js from WordPress 2.1.

Sorry for the scattered thoughts, this has really been bugging me lately. Anyway, you should be able to make your livesearch work with Share This in Internet Explorer now. This probably applies to most K2 based WordPress themes, but I’m not sure.


WordPress 2.1 Beta 2

I decided to make the early upgrade to WordPress 2.1. I just pulled down the latest version of beta 2 via subversion. Pretty much everything is working great so far. Out of all the plugins I use, only the Flickr RSS plugin caused problems. It refused to load anything, preventing anything below it from loading. So, I promptly disabled it and everything was totally normal. I may dig into it later on tonight.

Also, I’m pleased to say that Unwakeable 1.2 works nicely with WordPress 2.1 beta 2.

I’m not gonna go into details on the changes in WordPress 2.1. Lorelle has already taken the time to put together a nice list of features we’ll see in WordPress 2.1. All thanks to Ryan Boren for blogging up a storm on what will be found in WordPress 2.1.

I’d like to thank all the WordPress developers for all their hard work. As usual, it’s very apparent the WordPress developers have put a great amount of work in WordPress 2.1. I’m really looking forward to the release of 2.1, Beta 2 has been great so far.


WordPress Theme: Unwakeable 1.2

Unwakeable 1.2 is out! You can download it or you can visit the Unwakeable page for some more details. You may also be interested in the ChangeLog, although I’ll go over a number of the changes in this post.

Probably the most notable change is the separate options for Unwakeable in the wp_options table. Let me explain a little bit. Basically, I’ve renamed the options to be unwakeable specific. Previously, Unwakeable would pick up options already set in K2 or it would just set the default values, still with the K2 names. So, if you’re upgrading to Unwakeable 1.2 from an earlier version, you’ll want to click the “Copy Options” button from the Unwakeable Options page. Clicking that button will take the options you had set in previous versions and will update them to work with Unwakeable 1.2. You can also copy your options from K2 to Unwakeable 1.2 with this button. If you’re installing Unwakeable for the first time, this probably doesn’t apply to you.

Now, if you’d rather not copy your old options over, that’s OK. You can just go into the Unwakeable Options page and set the options as you normally would. If this scares you, don’t worry, you can’t really break anything by not copying options over. Really, you can’t break anything even if you do want to copy your previous options over. If you have any questions, just get in touch with me.

I’ve also added support for two more plugins, Landing Sites and Gregarious. Gregarious is a replacement for the Digg This Reloaded plugin, which is now dead. Unwakeable 1.2 still has support for the Digg Integrator plugin also. I suggest you use Gregarious if you want Digg buttons on your pages. It makes use of the new Digg API, whereas Digg Integrator loads Digg buttons in an iframe, not the ideal way to display Digg buttons these days.

Now, you may be wondering why I built in support for Gregarious. Gregarious has a feature called auto-append that will automatically place a Digg button on your page. However, that feature isn’t enabled by default. And, there’s no option to place the Digg button in the sidebar with the auto-append feature. So, I added some code that will detect if auto-append is enabled. If auto-append is enabled, the Digg button isn’t displayed on the sidebar. However, if auto-append isn’t enabled, the Digg button will be displayed in the sidebar. That way you still have the option of displaying the Digg button in your sidebar, even if you use Gregarious.

Also, I’ve made a small fix to the CSS that should get rid of the few pixels of whitespace that were showing in the header, between the black and gray sections. The black in the header is now flush with the right side of the page. You can see what it looked like previously in this image. And you can see it fixed in this image (or right here on this blog). I’d like to thank Jason for pointing out that whitespace.

Is there anything you guys would like to see in the next version of Unwakeable? Could be anything from support for a plugin to design changes. Anything? Anybody?

Enjoy this new version and let me know if you have any problems getting Unwakeable functioning properly. I will provide almost unlimited support for people having issues with Unwakeable. Although, I won’t always be able to support Unwakeable if you’ve made numerous changes to the CSS or PHP for your site.

And lastly, a big “thank you” to everyone who is using Unwakeable. I never anticipated that this theme would become so popular. At my last rough count, there’s about 300 blogs using Unwakeable, I expected maybe 20. :) Thanks again everyone for your support! It’s now far past my bed time…
