Dotclear

A new maintenance release which fixes one potential XSS vulnerability in comments's list and enforce media extension before upload^[1] (thanks to Tim Coen, Curesec Gmbh, for reporting them) and two other bugfixes.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

Some time after the 2.7.5 release, here it is, today, right on the Dotclear's 12th birthday, the 2.8 release which comes with a new companion, the proud Dotty^[1], our new mascot^[2] :

Dotty

This new version introduces a new mechanism to cope with module dependencies (plugins for this release and will be declined for themes soon), also includes the Breadcrumb plugin that some of you already use, updates the CKEditor editor and the jQuery library, and fixes lots of bugs et somes minor cosmetic issues.

The heritage/extension templating system has been applied to the legacy mustek templateset, in order to simplify the developpement of themes using it ; some new criteria and filters have been added for posts and comments (and spams) lists ; the tags and widgets are now lexically sorted for latin languages, and so on… We will give you some details about all of this in further posts here.

Important : If you have already installed the breadcrumb plugin, please uninstall it before doing this update.

Another point : we will drop the PHP 5.2 support and will require, at least, the PHP 5.3 version (which is already obsolete). Note that Dotclear has been tested with PHP versions 5.3 to 5.6.

Your dashboard should offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

A maintenance release with some bugfixes and improvements. Nice friday the 13th with “The Cat“!

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

A bugfix release in order to allow again normal user (not admin) to use the Dotclear Wiki editor.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

Woohoo!

TL;DR — There's a new WYSIWYG editor, and HTML5 all over. Update and enjoy :-)

It's now been thirteen months^[1] since 2.6 came out. It's now about time (at last!) to move on. Dotclear 2.7, being released today, is less spectacular than the previous version, with its updated administration graphics chart, but it brings forth significative changes for users (on the admin side) and its rendering (on the public side).

On the admin side

We have integrated (she typed, as if she had done any of that) a new editor, dcCKEditor, which is built, as you can imagine, on the CKEditor library. You will therefore find a more advanced editor (presentation-wise). The old editor is still here, and is now called dcLegacyEditor.

As several editors (two with this version) can be installed, you'll have to pick your favorite for each of the proposed syntaxes (wiki and XHTML, so far). Go and have a look at the "My Options" tab under "My Preferences", and check the "Edition" frame. You'll probably need to clear your browser's cache as well.

It's not all on the administration side, as we have also started to integrate, together with the switch to HTML5, the main ARIA Roles. (If, like the author of that note, you are wondering what ARIA Roles are, you can read this, which is the first link she decided to click on that topic. If you don't want to read, know that the first of those As stands for Accessibility and that accessibility is A Good Thing.)

On the rendering side

Well let's talk about HTML5 some more. We've implemented two sets of templates, upon which the basic themes are built. The first one is called "mustek" and corresponds to Dotclear's old default theme (that good old Blowup). The second one is called "currywurst" and corresponds to Dotclear's shiny new default theme, named... you guessed it, Berlin.

Both sets of templates and themes are now in HTML5 and include ARIA Roles. For those of you who use Dotclear's wiki syntax, do note that the XHTML code it produces is now HTML5 compatible.

You'll note that it is not any longer mandatory to copy the default theme repository when using an external repertory. You can also choose, in the blog's parameters, the jQuery version that must be loaded on the public side (both 1.4.2 and 1.11.1 are shipped with this version of Dotclear).

We certainly advise you, after having upgraded, to clear the templates' cache (see the Maintenance plugin), to ensure that your blog's rendering is up to date.

Moreover, new options have been added to let you tune your blog's appearance more finely. You can for instance deactivate widgets without needing to delete them. You can also define a number of notes to be displayed specific to the home page (and which can be different from that of the following pages).

Back to HTML5, now that audio files and videos will, as much as possible, be integrated to your notes with HTML5 tags (<audio> and <video>), degraded to Flash when supported.

Miscellaneous

A couple more things about this version:

• Drag'n'drop on the admin side on touch screens is now possible;
• You can activate protection against clickjacking in the blog settings;
• Comments preview is now optional (see Blog settings);
• Hidden folders (with a name starting with a dot) are now hidden in the media manager.

In addition, the CHANGELOG file at the root of your brand new installation will give you a more detailed list of all changes.

Conclusion

I'll hope you'll enjoy these changes! There's still a lot more work planned for future versions, including better accessibility (ARIA, Opquast good practices, ATAG...), an alternate template engine (Twig), a new media library...

To conclude I'll thank all those who contributed (in particular Franck, ahem, but also all the others we don't dare naming in case we forget someone), to development, to design, to testing, to ideas, to the wild cheering by delirious fa... ah no wait, I was just supposed to translate something along the lines of support and cheers. More wild cheering by delirious fans for Franck et al., Dotclear users! It's crucial to people who contribute to an open source project like Dotclear on their free time only.

To sum it up, we (well, mostly they, as far as I am concerned) did a lot of work!

Your dashboard should offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

You can now download Dotclear 2.6.3. This maintenance release includes fixes for two potential security defaults on XML-RPC authentification and on category ordering. Many thanks to Egidio Romano for his advices about them.

He also warned us on the possibility to send PHP scripts into the media folder and to get them executed from there. Dotclear cannot entirely protect against this kind of defect and you should ensure to not leave such files in your medias, or if it's necessary, to make sure that they are not executable. In order to do so, a few methods exist and rely essentially on the web host and the sofware used for the server.

For Apache in example, a .htaccess file located in the public folder and including the following directive allows to avoid the issue:

php_flag engine off

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

You can now download Dotclear 2.6.1. This maintenance release includes several fixes for bugs discovered since the 2.6 release and some cosmetic enhancements.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.