Dotclear

A new version that deviates from our habits, since it is not published a 13, and ahead of schedule, since it was planned mid-February 2017. It also derogates with the habit of having a copious CHANGELOG (list of modifications / corrections).

Indeed, this version does not bring anything extraordinary except that it facilitates the use of Dotclear, and it corrects some bugs sometimes annoying on a daily basis:

• Easier access to plugin settings,
• A more advanced customization (text size, display or not of additional information, ...),
• Some additional attributes for theme developers / hackers,
• The webmentions which are added to the existing trackbacks and pingbacks,
• The Berlin theme is now based on the template set dotty, which exploits at best HTML5,
• ...

The general aspect of the administration also changes because the 2.11 uses the system font available on your machine rather than the usual Helvetica Neue. It also changes because it implements a font size that fits, between two thresholds, the space available on your screen. You can change the general font size in your preferences (3 settings are available).

Note that we have dropped the support of old browsers, especially old versions of Internet Explorer, up to version 9 included; It makes it possible to use a little more easily some innovations of CSS 3, in particular the flex system.

But I let you discover this at home, once you have made the awaited update!

PS: This version requires PHP 5.3 a minimum, but I advise you to use PHP 5.6 or even PHP 7 without waiting - the latter offers a speed gain very appreciable. It is quite possible that the next version of Dotclear requires a newer version than the already obsolete 5.3.

Some technical details for plugin developers and blog administrators:

Plugin settings

The new version 2.11 introduces a new system that allows to define and find the different places where a plugin may have settings.

Definitions

It is necessary to define in the file _define.php of the plugin an additional property, named settings and which is constructed in the following way:

'settings' => array (
    'self' => '',
    'blog' => '#params.id',
    'pref' => '#user-options.id'
)

The line with 'self' indicates that there are settings on the main page of the plugin (that is, for developers, in the index.php file).

The line with 'blog' indicates that there are settings in the blog settings, normally on the 'Settings' tab (#params is used for this) and at the first item id equal to the plugin id (you can for example position this id on the title element, h4 or h5, which precedes the options of the plugin).

The line with 'pref' indicates that there are settings in the user preferences, normally on the 'My options' tab (the #user-options is used for this) and at the first item id equal to the plugin id.

You can, and even must, specify only the lines that are relevant.

It is not obligatory to specify the id, in this case it is enough to simply specify the tab. It is also not necessary to specify the tab, in this case simply leave an empty string (").

The links will be displayed in the order in which they are defined in the 'settings' property.

Note: To this link list will be added first, if it exists, the link to the plugin's _config.php file.

Examples of definitions

Antispam plugin

'settings' => array (
    'self' => '',
    'blog' => '#params.antispam_params'
)

• self → access to main plugin settings on its own page (index.php)
• blog → access to secondary settings in blog settings

Tags plugin

'settings' => array (
    'pref' => '#user-options.tags_prefs'
)

• pref → access to keyword list format setting in user preferences

Maintenance plugin

'settings' => array (
    'self' => '#settings'
)

• self → access to the "Settings" tab of the plugin's own page (index.php)

Display

The setting URLs are displayed in two places:

• On the plugin management page, by unfolding the additional info (just click on the name of the plugin to get them)
• On each of the main pages of the plugins, provided you have the rights to access them

If you need more information on these technical developments, use the forum and/or development mailing list, or even the IRC channel #dotclear (irc.freenode.net) ...

A tiny update to fix two minor security vulnerabilities and to allow some specific proxy/ssl server configuration.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

CHANGELOG of this release :

Dotclear 2.10.3 - 2016-11-01
===========================================================
* Security: Fix CVE-2016-7903: Password Reset Address Spoof — Thank's Hongkun Zeng for report
* Security: Fix CVE-2016-7902: Media Manager, unrestricted File Upload — Thank's Hongkun Zeng for report
* CSP: Cope with external sources used in editor's iframe to preview public external content
* Fix: Cope with post.post_position field during flat import
* Fix: Prevents precondition failed during currently activated theme update
* Fix: Remove unecessary header (cope by dotclear) in page plugin
* Fix: Let some proxies playing with standard http and https ports
* Fix: Let SSL runs through a proxy, it may be ok, sometimes
* 🐛 → Various bugs and typos fixed

A tiny update to fix a problem which prevents the backend for new installation from correctly displaying (updates are not concerned). A too strict application of the CSP (Content-Security-Policies) is the cause of it. It also demonstrates that this protection might be efficient!

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

We should celebrate the 13th anniversary of Dotclear today so here it is, the 2.10 release is available now and very soon on your dashboard^[1]!

The menu of this release (non exhaustive list, see CHANGELOG for further details) :

• Some vulnerabilities have been fixed
• Lot of bugs killed (some may still remain)
• A new template-set, named dotty, using as far as possible the new HTML5 semantic tags
• New options to customize and improve the use your Dotclear backend (favorites folders in media manager, optional columns for posts and pages lists, …)
• Implementation of the Content-Security-Policies for the backend, prelude to an implementation in public side (blogs) for the future 2.11 release^[2]
• New facilities and opportunities for plugins developers (they are detailed below)
• Some javascript libraries have been updated (CKEditor, Codemirror, …)

Not a revolution but developments for a more secure and robust application ; and finally, happy birthday Dotclear \o/

PS : This release requires PHP 5.3 at least but I would strongly advise you to switch to PHP 5.6 or PHP 7 without delay — this last one offers a very welcome increase in speed. Anyway, the next version of Dotclear might require a newer version than the already obsolete 5.3.

Some technical details for plugins (and themes) developers and for blogs administrators:

CSP, aka Content-Security-Policies

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

[ Wikipedia « Content Security Policy » ]

The parameters used (activation and directives) are available via the about:config module (System settings menu, see “system” part) ; these parameters are:

• csp_admin_on : activation/deactivation
• csp_admin_default : default-src CSP directive
• csp_admin_img : img-src CSP directive
• csp_admin_script : script-src CSP directive
• csp_admin_style : style-src CSP directive

A 3rd party plugin needing some external services may complete one or many of these directives using the behavior adminPageHTTPHeaderCSP which provides as parameter an key-indexed array. Each of these keys refers to the according CSP directive (see list above), its value giving the list of authorized sources (separated by space).

Example :

Imagine a plugin using the Google Maps API (for scripts), it should add the corresponding Google server by this way:

$core->addBehavior('adminPageHTTPHeaderCSP',array('myAdminBehaviors','adminPageHTTPHeaderCSP'));

class myAdminBehaviors
{
	public static function adminPageHTMLHead($csp)
	{
		if (isset($csp['script-src'])) {
			$csp['script-src'] .= ' maps.googleapis.com';
		} else {
			$csp['script-src'] = 'maps.googleapis.com';
		}
	}
}

Private folder /var

A new folder, named var, has been created with the 2.10 release of Dotclear. It is at the main level (as the cache folder is) and should be used for local storage that should normally not be set in cache folder. Note that this cache folder may be deleted at every moment without any negative consequences for the installation.

A new constant, DC_VAR, is available and may be customized in the config.php file in order to build paths. Two new functions are also available to retrieve URLs:

• dcPage::getVF() for an URL based on the backend root URL of the installation
• dcBlog::getVF() for a public URL (based on the public URL of the blog)

Plugin developers are encouraged to create their own directory within this directory /var to maintain a semblance of order.

Code highlighting with Codemirror

The Codemirror library, used by the theme editor, is now available (in the backend) for every plugin. Two functions are available to load and run this library :

• dcPage::jsLoadCodeMirror() for loading
• dcPage::jsRunCodeMirror() for running

Example for CSS code :

# Get interface setting
$core->auth->user_prefs->addWorkspace('interface');
$user_ui_colorsyntax = $core->auth->user_prefs->interface->colorsyntax;
$user_ui_colorsyntax_theme = $core->auth->user_prefs->interface->colorsyntax_theme;

# in <head>
if ($user_ui_colorsyntax) {
	echo dcPage::jsLoadCodeMirror($user_ui_colorsyntax_theme,false,array('css'));
}

# in <body>
if ($user_ui_colorsyntax) {
	echo dcPage::jsRunCodeMirror('editor_css','css_content','css',$user_ui_colorsyntax_theme);
}

Turning on (or off) syntax highlighting and choosing the theme to use (among the forty+ proposed) are in "My Preferences", "My options" tab.

If you need more information about the technical stuff, use the forum and/or the development mailing-list, or also the #dotclear IRC channel (irc.freenode.net) where some of us sometimes hang…

My lambs, it's time to update, the new 2.9 version awaits you!

Fédor Balanovitch (coming out of the bus, almost) — Zazie in the metro, R. Queneau

On the menu of this version essentially what make life a little easier for those who spend time on the side of the administration of their(s) blog(s). A search and last visited folders available in the media manager, better sorted menus and lists some more filterable, some welcome updates for the javascript libraries used^[1].

And then we also need to make Dotclear run properly with the new version 7 of PHP, quite impressive release in terms of speed gain, and you will note in passing that the minimum required version of PHP 5.3, as it is had announced at the time of the release of the release of the version 2.8^[2].

A lot of bugs were eradicated, a few new opportunities have been implemented for developers of plugins and theme designers, and finally a more robust application for everyone.

The future version 2.10 will be mainly focused on two aspects. First an "overhaul" of JavaScript scripts used in the administration od Dotclear, as we have some old stuff in our "collection", and second, a "soft" migration to more HTML5 / CSS3 templates and themes side. But tell us if you'd prefer something else!

The updated proposal of your installation should appear on your dashboard today or tomorrow (depending on the settings of your accommodation) and a patch is available to developers preferring to apply this method.

A new maintenance release which fixes one potential XSS vulnerabilities (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from JPCERT/CC) and two other bugfixes.

Your dashboard should also offer you to upgrade your installation today or tomorrow (depending on your settings). There's also a patch for the developers who prefer this method.

I have been into open source pretty much since the first time I encountered the idea.

As a user, of course—who's to say no to free (as in beer) software? With forums where you can contact the developers to ask for help or new features? And the possiblity, for a programmer (like myself), to tweak here and add there and make it do exactly what you want? Even before I started considering the meaning of free as in

For years, however, I felt a bit uncomfortable. Taking was good, but what about giving back? My own fixes were often too hacky and personal to be shared with others. And what about all the non-technical people I was trying to convert to the cause? What could they contribute?

And then I met the Dotclear community.

I was on another continent. Blogging to keep in touch with the homeland, one way or the other. That's how I started using the software. Little by little, I also started exchanging with the contributors. Pouring over the documentation; asking for help in the forums; and, more and more, reading their blogs. Soon enough, this had become much more than a piece of software; this was a group of pals, thrown together into an adventure. An adventure I wanted a part of.

I started by the proud "powered by Dotclear" footers on my webite(s). If I could make only one person switch blogging engines, or decide for Dotclear when starting their own blog, that would already be a big deal.

And then I realized Dotclear was also an association. To which you can donate money.

Since then, I have moved back closer to the headquarters, first on the other side of the Rhine, now on the same side of the Seine. I have started contributing a bit more directly (mostly by translating blog posts once in a blue moon, but hey, I'm part of the team).

But still, if you like Dotclear, and that you want to contribute, there's no need to have the skills, time and desire to become a core dev. You can start by becoming a Dotclear member, and donating to the association.

Don't hesitate!

For full disclosure, I should also add that this is the kind of attitude that leads you to wanting to meet other Dotclearians, and from then on to picnics, crepes, beers, and fits of laughter.