A new version of WordPress has been issued to fix a cross-site scripting (XSS) vulnerability in post comments. All users should upgrade to this version.
This version, 0.7.1.1, is unfortunately not available from the normal locations. You can get it from http://zed1.com/wordpress-0.711/. That page also explains several strategies for addressing this vulnerability.
While writing a critique of John Gruber’s misunderstanding of TrackBacks I stumbled across an article which said everything I was going to and decided to point you there instead.
Gruber’s current system has many flaws, including the fact that it’s arbitrarily ordered by popularity (why?) and that every referrer that isn’t a permalink is going to be useless, if not tomorrow or next week then next month. For plain referrer tracking TrackBack isn’t the best, and that’s why WordPress also implements the PingBack specification, which can be thought of as referrers on steroids for weblog communication, but is not widely supported at this time.
The best system I have seen so far was whatever Mark Pilgrim used when he was doing his accessibility series. It would, if I remember correctly, follow referrer links to check that the site was actually linking back, grab the context of the link (usually about a paragraph) and then find the permalink for that blog entry if one existed and link back to that. If someone were to create such a hack for WordPress I would certainly consider incorporating it with a release.
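The check described above, as an added example that is not Mark Pilgrim's, WordPress's, or the post author's code: fetch the referring page, confirm it really links to us, keep the paragraph around that link, and pick the nearest rel="bookmark" link as the entry's permalink. It is written in Python rather than WordPress's PHP so the logic is easy to follow; the HTML fetch is left out (the page text is passed in), the rel="bookmark" convention is an assumption, and `SAMPLE_REFERRER_PAGE` is a constructed page, not a real site. Since the Referer header is attacker-controlled, `referrer_is_fetchable` is included to show the minimum filtering before following it.

```python
"""Referrer verification: does the referring page really link back, and what
is the surrounding context?  Added example (Python, not WordPress PHP).
Assumes the referring page's HTML is already fetched and that an entry's
permanent link is marked rel="bookmark" (a convention, not a guarantee)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


def same_url(a, b):
    """Loose comparison: case-insensitive scheme/host, ignore fragment and a
    trailing slash, keep the query string."""
    def key(u):
        p = urlsplit(u.strip())
        return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", p.query)
    return key(a) == key(b)


def referrer_is_fetchable(url):
    """The Referer header is attacker-controlled, so before following it refuse
    anything but http(s) and any IP literal outside public address space
    (loopback, RFC 1918, link-local).  A DNS name still needs the same check
    on the resolved address at connect time; that is outside this example."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        return ipaddress.ip_address(p.hostname).is_global
    except ValueError:
        return True  # a hostname, not an address literal


class BacklinkScanner(HTMLParser):
    """Collect every <p> that links to `target`, and the document position of
    every rel="bookmark" link so the nearest one can serve as the permalink."""

    def __init__(self, target):
        super().__init__()
        self.target = target
        self.tagpos = 0          # counts start tags: a crude document position
        self.in_p, self.p_pos, self.chunks, self.linked = False, 0, [], False
        self.bookmarks = []      # (position, href)
        self.hits = []           # {"pos", "context"} per paragraph that links to us

    def handle_starttag(self, tag, attrs):
        self.tagpos += 1
        a = dict(attrs)
        if tag == "p":
            self.in_p, self.p_pos, self.chunks, self.linked = True, self.tagpos, [], False
        elif tag == "a":
            href = a.get("href") or ""
            if "bookmark" in (a.get("rel") or "").lower().split():
                self.bookmarks.append((self.tagpos, href))
            if self.in_p and same_url(href, self.target):
                self.linked = True

    def handle_data(self, data):
        if self.in_p:
            self.chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "p" and self.in_p:
            self.in_p = False
            if self.linked:
                context = " ".join("".join(self.chunks).split())  # collapse whitespace
                self.hits.append({"pos": self.p_pos, "context": context})


def verify_backlink(page_html, our_permalink):
    """One record per paragraph linking to our_permalink: its text and the
    nearest rel="bookmark" href (None if the page has no bookmark links).
    An empty list means the referrer never linked to us: don't display it."""
    scanner = BacklinkScanner(our_permalink)
    scanner.feed(page_html)
    scanner.close()
    results = []
    for hit in scanner.hits:
        permalink = None
        if scanner.bookmarks:
            permalink = min(scanner.bookmarks, key=lambda b: abs(b[0] - hit["pos"]))[1]
        results.append({"context": hit["context"], "permalink": permalink})
    return results


# Constructed sample referring page (fictional site, two entries).
SAMPLE_REFERRER_PAGE = """<html><body>
<div class="entry">
<h2><a href="http://blog.example.net/2003/07/trackbacks" rel="bookmark">On TrackBacks</a></h2>
<p>Matt has <a href="http://wordpress.org/2003/07/hello/#comments">a good reply</a>
on WordPress.org that answers most of this.</p>
<p>Unrelated paragraph with <a href="http://example.com/">another link</a>.</p>
</div>
<div class="entry">
<h2>Other entry</h2>
<p>Nothing here.</p>
<p class="meta"><a href="http://blog.example.net/2003/07/other" rel="bookmark">permalink</a></p>
</div>
</body></html>"""

if __name__ == "__main__":
    print(verify_backlink(SAMPLE_REFERRER_PAGE, "http://wordpress.org/2003/07/hello/"))
```

The nearest-bookmark heuristic is deliberately simple; real pages put the permalink in the title or the entry footer, and either is usually the closest bookmark link to the paragraph. Whatever fetches the referrer should also enforce a timeout and a response size cap, since this code runs on every hit.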
For those of you following the CVS tree closely, be warned: some huge changes have just been committed by yours truly.
b2config.php is gone! CVS will try to delete yours (it should fail if you have modified it). It is replaced with a very small amount of configuration in wp-config.php; a sample file is in CVS (no more over-writing your settings). The rest of the configuration is done on the all-new option screens, and all of these options are now stored in the database. New stuff includes default settings (category, draft, etc.) for new posts.
Unless you really like living on the bleeding edge, you would do well to wait until I have written the upgrade script for all this stuff.
The button page is up and running, so grab one that suits you. If anyone feels inspired I would be interested to see some alternative ideas for the buttons, especially ones that don’t follow the Antipixel-style mold or make a creative use of the small space afforded. In return you get fame, fortune, and the cool fuzzy feeling of seeing your button on other sites when blog-surfing.
We’re very proud to announce the immediate availability of the 0.71 release of WordPress. Don’t let the small version bump fool you, this release is packed with new features. Without further ado:
- 300% speedup — We’re not kidding: this release performs about three times (or more) faster than previous releases of WordPress and b2.
- Post status — Every post can now have one of three states: publish, draft, and private. Publish is just like it was before, drafts are stored in the database and display in a special place on your edit screen, and private entries are viewable only by the author. This gives some flexibility in workflow, since different people can work on the same post before it is published.
- Comments status — Comments and pings can now be individually enabled or disabled on a per-post basis. The templates reflect this as well.
- Combined Trackbacks, Pingbacks, and Comments — They’re all comments anyway, and now they display as such. This means cleaner templates and less software cruft crowding your beautiful design.
- Security fixes — This release addresses a problem that could potentially allow SQL injection for users of MySQL 4 and above, and removes a vulnerable file. (If you overwrite your old installation, make sure to delete
- OPML import — Import links into the link manager from OPML format, including from blogrolling.
- ezSQL database functions — Using ezSQL has cleaned up the code quite a bit, sped it up a little, and will make it that much easier to add support for other databases beside MySQL in the future.
- Cleaner, smoother administration — We’ve polished up all the administration screens to be even faster and easier to use, particularly the Links Manager.
- Clean upgrades — Upgrading from b2 or a previous version of WordPress is a cinch, and we’re working on upgrade paths for users of other software.
- Weblogs.com link checking — When checking weblogs.com for updated links, matching is now looser, so minuscule differences in the URL won’t prevent a link from being marked as updated.
- Bug fixes galore — Over twenty bugs have been smitten from the code.
So upgrade while it’s hot. What better way to spend a slow Monday?
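The looser weblogs.com matching mentioned in the release notes above comes down to comparing normalised URLs. The following is an added example in Python, not the WordPress code, and the exact rules (case, leading "www.", default port, index page, trailing slash, fragment) are my assumptions about which "minuscule differences" should be forgiven; `MY_LINKS` and `RECENTLY_UPDATED` are constructed inputs.

```python
"""Loose URL matching for the weblogs.com update check.  Added example in
Python; the normalisation rules are assumptions, not WordPress's."""
from urllib.parse import urlsplit, urlunsplit

INDEX_NAMES = ("index.html", "index.htm", "index.php", "default.htm")


def normalize_url(url):
    """Canonical form for *matching only*: lower-case scheme and host, drop a
    leading "www.", drop the default port, drop index pages and trailing
    slashes, drop the fragment, keep the query (two blogs on one host may
    differ only by query string, so collapsing it would be too loose).
    Never fetch or display this form: www.example.com and example.com may be
    different hosts.  IPv6 literals are not re-bracketed here."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url                      # bare "example.com/blog"
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    port = p.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    path = p.path or "/"
    for name in INDEX_NAMES:
        if path.lower().endswith("/" + name):
            path = path[: -len(name)]
            break
    path = path.rstrip("/") or "/"
    return urlunsplit((scheme, host, path, p.query, ""))


def updated_links(my_links, recently_updated):
    """Return the entries of my_links whose normalised form appears among the
    normalised recently_updated URLs (such as a list fetched from weblogs.com)."""
    changed = {normalize_url(u) for u in recently_updated}
    return [u for u in my_links if normalize_url(u) in changed]


# Constructed sample data.
MY_LINKS = [
    "http://www.example.com/blog/",
    "http://photomatt.net",
    "HTTP://Example.org:80/index.html",
    "http://example.com/other/",
]
RECENTLY_UPDATED = [
    "http://example.com/blog",
    "http://photomatt.net/",
    "http://example.org/",
]

if __name__ == "__main__":
    print(updated_links(MY_LINKS, RECENTLY_UPDATED))
```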
For anybody interested, I’m just about done with lining up the data models behind Movable Type (2.64) and WordPress (0.71) to see how the import can work. The rest of it should be just going through the motions of moving the data. There are a couple of outstanding design decisions, like what to do about older versions of MT (i.e., how far is the import backwards-compatible?) and what to do about versions of MT on Berkeley DB (i.e., use MT upgrade scripts to move to MySQL or pull in the MT export format?). If you have thoughts, feel free to email me or open it up in the forums.
Also, while Matt and others much more versed in CSS might have better suggestions, I’m a fan of the tutorials at w3schools. It’s been easy for me to find what I’m looking for as a reference there.
This final beta fixes all known issues and then some. I’m running it on my own site and it’s great. Try it out and report any problems in the beta forums. Thanks!
The about section of the site has been completely revamped with a lot of new information. It should serve as a good introduction to what the WordPress project is about and where we hope to take it. Also new is the testimonials page where you can share your own WordPress testimonial. Please let us know what you think!
We’re very close to our .71 release, so please try out the beta to help iron out any issues.
I just put the finishing touches on Mike’s OPML import for WordPress Links. I’ll admit that personally I hadn’t moved over to using Links yet because I have about a hundred in the Blogrolling system I didn’t want to enter all over again. Luckily they make your blogroll available in a format called OPML (here’s an example of mine) that we can parse easily. All you have to do is choose a category you want the links in, enter the OPML URL, and go. It’s as easy as the rest of the WordPress experience. This will be available officially in the .71 release.
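An OPML blogroll import like the one described here (and listed in the .71 release notes above), as an added example in Python rather than the PHP import; it is not WordPress's or Mike's code. The attribute names it reads (text/title, htmlUrl/url, xmlUrl) are the ones OPML blogroll exports commonly use, `category_id` stands in for whatever category the user picks, and `SAMPLE_OPML` is a constructed document. Because the OPML comes from a URL the user types in, the parser treats it as untrusted input: it refuses any DOCTYPE or entity declaration (a blogroll never needs one, and that closes off entity-expansion and external-entity attacks) and drops links whose scheme is not http(s), since imported names and URLs end up inside the page markup.

```python
"""OPML import for the Links manager.  Added example (Python, not the
WordPress PHP); attribute names and `category_id` are assumptions."""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def parse_opml_links(opml_text, category_id):
    """Flatten every <outline> that carries a link into a list of dicts.
    The document is untrusted: refuse DTDs/entities before the XML parser
    sees them (billion-laughs and XXE), and only keep http(s) targets."""
    if re.search(r"<!(DOCTYPE|ENTITY)", opml_text, re.IGNORECASE):
        raise ValueError("OPML with a DOCTYPE/ENTITY declaration is rejected")
    root = ET.fromstring(opml_text)
    if root.tag != "opml":
        raise ValueError("not an OPML document")
    body = root.find("body")
    if body is None:
        return []
    links = []
    for outline in body.iter("outline"):        # iter() walks nested folders too
        name = (outline.get("text") or outline.get("title") or "").strip()
        url = (outline.get("htmlUrl") or outline.get("url") or "").strip()
        if not name or not url:
            continue                            # folder node, or nothing usable
        if urlsplit(url).scheme.lower() not in ("http", "https"):
            continue                            # no javascript:, data:, etc.
        links.append({
            "name": name,
            "url": url,
            "rss": (outline.get("xmlUrl") or "").strip(),
            "category": category_id,            # assumed: the category the user chose
        })
    return links


def render_blogroll(links):
    """Imported names and URLs are third-party data; escape them on output."""
    return "\n".join(
        f'<li><a href="{html.escape(l["url"])}">{html.escape(l["name"])}</a></li>'
        for l in links
    )


# Constructed sample OPML (not a real blogroll).
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.0">
  <head><title>Constructed sample blogroll</title></head>
  <body>
    <outline text="Blogs">
      <outline text="Photo Matt" type="link" htmlUrl="http://photomatt.net/" xmlUrl="http://photomatt.net/feed/"/>
      <outline text="Mike &amp; Co" type="link" url="http://example.org/"/>
      <outline text="Sneaky" type="link" htmlUrl="javascript:alert(1)"/>
    </outline>
    <outline text="Empty folder"/>
  </body>
</opml>
"""

if __name__ == "__main__":
    for link in parse_opml_links(SAMPLE_OPML, category_id=3):
        print(link)
```

The fetch of the OPML URL itself is not shown; the same rules as for any user-supplied URL apply (http(s) only, no loopback or private addresses, a timeout and a size limit). If a hardened XML library such as defusedxml is available, use it in place of the DOCTYPE check; the check is the minimum that works with the standard library alone.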