Posts in Category: Releases

mojoPortal Released

I'm happy to announce the release of mojoPortal available now on our download page.

This is primarily a bug fix release.

Fixed Issues

Fixed an issue in the WebStore where using EURO currency with PayPal the amounts returned from PayPal were not being correctly parsed.

Fixed a bug in CryptoHelper that was causing an error in some environments when encrypting or decrypting data.

Fixed missing titles on some edit pages that were a side effect of our refactoring of page titles to give more control over them in the last release.

Downgraded YUI from 2.7.0 to 2.6.0 when using the Google CDN, because of a bug in YUI 2.7.0 where an FCKeditor inside a YUI tab sometimes was not visible in IE.

Added required field validators in the Content Style Template editor because leaving the element blank could cause the FCKeditor to throw an error.

Implemented a Content Delete Handler provider system to make a more consistent way of deleting related content when a module instance is deleted. Previously some features were not cleaning out their data when a content instance was deleted.

Last release we introduced support for search results highlighting. This brought with it a possibility for an information disclosure if the user had view permissions on the page but not the module. In the past only the page title was shown so there was no disclosure of the content but with fragments of the actual content now being shown in search results we needed to store the module view permissions in the search index in order to be able to filter search results based on those roles in addition to page view roles. In order to get the view roles into your search index requires rebuilding the search index. In order to not break existing search indexes I had to keep the default to not filter by the module view roles otherwise since the roles are not in the exisiting index all search results would be filtered out. In a new installation the preferred settings are in user.config.sample so that new installations should always filter by module view roles. Those who upgrade and rebuild their search index should add this to their user.config file: <add key="SearchIncludeModuleRoleFilters" value="true" />
This issue only affects those who have content on a page filtered by module view roles in addition to page view roles and only if you are using search results highlighting.

There is a corresponding minor update release for Event Calendar Pro to make it write module permissions also to the search index for events. Customers can download the new version from their purchase history.

Fixed an issue where our App Keep Alive feature did not work in IIS 7 using Integrated Pipeline mode.

Fixed an issue in our SmartCombo dropdown when using Chinese characters.

Fixed an issue in the Image Gallery where the Greybox did not work if the caption had an apostrophy.

Fixed a similar issue in the blog where a script error would occur in IE in the blog if Odiogo was enabled and the blog title had an apostrophy.

Previously some skins had corner rounders surrounding the PageMenu control but if there were no child pages for the current page in the SiteMenu then the PageMenu would not be visible but the corner rounders would still be there. We solved this by moving the CornerRounders into the PageMenu control and out of the layout.master. This way if the menu is not visible neither are the corner rounders.

What Else?

We now force the use of a plain text editor in iPhone because none of the wysiwyg editors can work in iPhone due to the way they create png images of the page for zooming. So even though the editor rendered correctly because javascript is supported, there was no way to click in the editors. So now you can edit site content, make blog posts or anything you like using the iPhone though it does require knowledge of html.

Based on user feedback, I implemented additional CSS classes and and example skin showing how to layout forms with the labels above the form fields. Whereas most of the skins have the label on the left side of the input, andreasvicklund-02 now has forms with the labels above the inputs. Also I think now all the Cancel buttons have been changed to links which was also suggested as a usability improvement.

There was also a request to add a per instance unique CSS class on Html content instances so that it is easier when you want to style a particular content instance different that the others. I implemented this so that there is a wrapper div with class=modulex where x is the module id. This allows you to easily overrid ethe styles for particular instance. I did the same thing for blogs and links and a few other places.

Updated Italian resource files thanks to Diego Mora.


Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal Released

I'm very happy to announce the release of mojoPortal, available now on our download page.

What's New?

Search Engine Improvements

The mojoPortal search engine now supports filtering results by feature and results highlighting, as well as support for Open Search with automatic discovery. A number of changes were made to what we store in the search index, so to take advantage of the new features requires changing some config settings and rebuilding the search index which may or may not be trivial depending on the size and activity level of your site. For backward compatibility we have kept the default settings such that the exisiting search index should continue to work as it has, but to take advantage of the new features you should put this in your user.config for a new installation before doing a search or for an existing site you can add these settings to user.config and then rebuild the search index.

<add key="DisableSearchFeatureFilters" value="false" />
<add key="SearchUseBackwardCompatibilityMode" value="false" />
<add key="EnableSearchResultsHighlighting" value="true" />

SEO (Search Engine Optimization) Improvements

I did a lot of analysis using the new free IIS SEO Toolkit and made a number of small changes based on the results. Its now possible for you to control the default title format for pages and to use extensionless urls in IIS 7.

Content Template Editor

Now you can create and save custom content templates and they will show up in the FCKeditor.

Content Style Editor

Its now possible for you to create and save content style templates that appear in the Style dropdown list in FCKeditor.

Skin Improvements

We include about 30 good looking skins in mojoPortal, but a number of the skins were designed for 800x600 screen resolutions so even though they were good looking it seemed to me that some of them were not being used very much because they are too narrow. So I made most of the narrow skins wider. Also we needed good examples of suckerfish style menus. The mitchinson-earthy skin had something close but it did not work very well so I re-implemented it using the jQuery Superfish menu and I made the mitchinson-earthy-alt1 which uses a vertical superfish menu. So now I think we have a lot of skins that be can useful as a starting point for customization. There is also a new Preview/Browse link in the Administration Menu > Site Settings page to allow you to easily preview the available skins.

Other Updates

Upgraded to the newest version of NeatUpload and the newest version of the AjaxControlToolkit.

Upgrade Notes

Customers who have purchased Event Calendar Pro and/or Form Wizard Pro, will need to upgrade to new releases of those products which have corresponding changes partly due to the newer version of AjaxToolkit. You can download the latest version from your order history under the "My Account" link.

Be sure to read an understand the changes to the search index and consider rebuilding your search index. If you have a custom skin you will need to add a new css class that is used to highlight the search results, the included skins all have this new css class:

.searchterm { color:black; background-color:yellow; }




Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal Released

I'm happy to announce the release of mojoPortal, available now on our download page.

Whats New?

RPX Instant Open ID Single Sign In Integration

Now you can allow users to easily register and sign in to your site with no new passwords using their existing account from Google, Yahoo, AOL, Microsoft,  Facebook, MySpace, Twitter and more. For complete details, see the RPX documentation here.

screen shot of rpx sign in widget

We've had support built in to mojoPortal for Open ID for a long time but this is much more user friendly, the user doesn't have to know anything about Open ID to use it. We still have suppport for standard Open ID authentication for those who would rather use it as is. In fact we also upgraded to the newer DotNetOpenAuth from the older DotNetOpenId (same project but they changed the name of the dll), and now it can work in Medium Trust environments, where previously, you have to remove the DotNetOpenId dll for Medium Trust to work. Of course the new RPX service also works fine in Medium Trust.

New Content Templates in the FCKeditor

You can now easily use a few UI widgets like the jQuery Accordion, jQuery Tabs, and YUI tabs right in the editor. There is a new toolbar item in the editor for choosing content templates, and we have pre-defined a few templates for these widgets.

screen shot of jquery accordion

screen shot of jquery tabs

In the near future we will also add the ability for you to create and edit your own templates.

TextArea Editor

For anyone who would rather use a plain text area for editing content rather thanone of our WYSIWYG editors, we now have a TextArea editor, thanks to a sponsorship from Felix Schudel. Since the WYSIWYG is much more friendly for most people, the TextArea editor is disabled by default, but it can be easily enabled by un-commenting it in the mojoEditor.config file.

WebStore Improvements

It is now possible to checkout without registration or sign in, if the order has no download products. So now people can buy me a beer without registering on this site ;-). There are also improvements to the offer administration, we added a new product picker dialog, and there is a new product site map for submitting to google and other search engines located at /yoursiteroot/WebStore/ProductSiteMap.ashx.

Blog Improvements

There is now an option in the blog to format the category list as a tag cloud. To use it you just enable the setting in the feature instance settings and then clear your browser cache to get the new css for the tag cloud. Soon we will be implementing categories/tags as a core system feature so it can be re-used by any feature and then we will replace the existing blog categories with the new system. This new category/tag system will then be used to easily add categories to the WebStore, EventCalendar Pro, and possibly other features. Note that if you have a custom skin, you will need to add this css for the tag cloud:

.tag-cloud { list-style-type:none; margin: 15px 0px 3px -30px;}
.tag-cloud li { display: inline; list-style-type:none; }
.tagcount { font-size: x-small;}
.tag-cloud .weight1 { font-size: 90%; }
.tag-cloud .weight2 { font-size: 110%; }
.tag-cloud .weight3 { font-size: 120%; }
.tag-cloud .weight4 { font-size: 130%; }
.tag-cloud .weight5 { font-size: 140%; }
.tag-cloud .weight6 { font-size: 150%; }
.tag-cloud .weight7 { font-size: 160%; }
.tag-cloud .weight8 { font-size: 180%; }
.tag-cloud .weight9 { font-size: 200%; }
.tag-cloud .weight10 { font-size: 210%; }


There have also been a number of minor enhancements and of course bug fixes for things reported in the forums since the last release.

Updated Releases For Event Calendar Pro and Form Wizard Pro

New minor release updates are available for customers who have purchased these features.  There were small changes made in these feature to correspond with changes in the core of mojoPortal. The Form Wizard also now uses the full editor toolbar for editing the form instructions and thank you message. Customers can download the updated versions from their purchase history and install them after upgrading to mojoPortal

 Update 2009-05-22

Just updated to version to fix an issue where the breadcrumbs wrapper div was rendering on pages even if breadcrumbs were not enabled and this extra div could affect layout in some skin designs.

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal Released

 I'm happy to announce the release of mojoPortal, available now on our download page.

What's New?

Content Versioning

The Html Content and Blog features now support keeping a history of every edit (like a wiki). You can compare any historical version of the content to the current version and you can restore any version to the editor so that you can restore it as it is by saving it or modify it further then save it. Versioning can be enabled at the feature instance level or it can be enforced site wide from Site Settings or it can be enforced from Web.config. Site administrators and content administrators can delete history but no other roles are allowed to delete the history. The ContentHistory is built into the core so that it does not have to be re-implemented for each feature. Each feature does implement its own UI to show or restore the previous versions, but they leverage common business classes to store and retrieve their history. In the future we will implement versioning for product and offer descriptions in the WebStore, developers may also leverage this in their own features to keep version history for their own feature data. This is one more thing to mark off our Road Map as complete. Next up is a general Content Tagging/Category system that can be re-used across features, and a Content Comment system that can be re-used across features.

Web Chat using Windows Live Messenger

See my previous post for more information about the new Chat feature. This was not even on the roadmap but when I saw how easy it was to implement I decided to work on it. It was fun and it only took a few days. One of the things I like best about my job is that I can just decide to work on something for a few days because its fun.

New PlugNPay Payment Gateway in WebStore thanks to Voir Hillaire

New Skin - dcarter-bluedesert, based on dcarter-ticktockpro but modified and contributed by Sami Isamil Hassan

Various minor enhancements based on feedback and fixes for bugs reported in the forums since the last release.

More progress moving away from ExtJs by implementing some .NET controls for YUI to replace the ones I previously built for ExtJs

Some of you may have checked out my Site Office UI prototype in the past. Its a separate plug in system than the main content system designed more for a consistent application user interface rather than for creative design like we use for the public facing web site via our skins. You can see the Site Office layout on this site or the demo site if you login and click the "Site Office" link at the top of the page, or you can look at the origianl layout demo for ExtJs here. I still have not implemented any real features for Site Office, but the plug in system itself works and I've even received emails from developers who have implemented their own plug features using it. I got kind of side tracked off of the Site Office idea partly because I had spent quite a bit of time implementing .NET wrapper cntrols around the ExtJs javascript to make it easy to use and then the ExtJs project changed their license to GPL which is not compatible with our CPL license, so I could no longer get upgrades of ExtJs and include them with mojoPortal. Since then we've been stuck on version 2.0.2 of ExtJs which was the last version they shipped under the LGPL (which was compatible). I had also used a little ExtJs in the Contact Form for the messaage list page. For a long time I've been thinking I really need to build new .NET wrapper controls with similar functionality but using the YUI javascript instead of ExtJs.
So again in the name of fun (because I like building .NET controls around javascript) I spent some time implementing some new controls with YUI to replace the ExtJs stuff I've been using. I have now removed the dependency on ExtJs from the Contact Form feature and I've got a good start on the layout framework to replace the current SiteOffice. I still have more work to do to finish, but the goal will be to eliminate all use of ExtJs in favor of YUI. The ExtJs javascript we include in mojoPortal is 6.36 MB, so it will reduce the size of our downloads once we no longer need to it. Anyway, you can see the work I've done so far on the YUI layout here, its very similar as you can see to the current Site Office layout with ExtJs. Once I get some more of the YUI things wrapped up so they are easy to use, I might even change the site administration area so that it uses this kind of layout instead of the site skin.

New Experimental CKEditor

Some of you may have noticed that the FCKeditor project has shifted gears from the next upgrade of FCKeditor to their next generation version named CKEditor. I think they are basically taking the good parts from the FCKeditor implementation but doing a new redesign of the implementation using things they have learned and new techniques that have emerged to improve the architecture. The CKEditor does not yet have image upload or server browsing so I have disabled it by default, but anyone who really wants to check it out can un-comment it in the mojoEditor.config file in the root of the web. It really looks just like the FCKeditor but does not have all the functionality yet, I just figured it was good to get started with it so we can be ready as they make imporvements.
So all of the above (other than the contributions from the community) is work I've done since the last release on March 24, less than 30 days ago, but in that time I've also made a substantial start on my next paid product Web Invoice Pro. It still has a ways to go before release though. Its one of those things where I started out with a very simple vision for it but it quickly changed to a more complex feature the more I thought about it after getting a few little pieces of it built. I needed to step away from it a little to think about it more and that is part of the reason I worked on some fun things as I got to a point where I was frustrated and needed to work on something that made me feel productive.
Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal Released

mojoPortal is available now on our download page.

The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.


The issue is a cross site scripting vulnerability. The cause of the problem was failure to sanitize a query string parameter that is used for previewing skins. We use a printer friendly skin to produce our printer friendly view using a simple parameter in the url like this skin=printerfriendly. It can also be used to preview any existing skin. Since the skin name is output into the page as part of the url for the css handler it needs to be sanitized to prevent manipulation. The new release sanitizes the input to remove any possibility for javascript being inserted into the page.

The vulnerability was reported by Aaron King who discovered it using the free version of Acunetix Web Vulnerability Scanner. The scanner identified an url that could be constructed that would inject javascript into the page and cause an alert message to be displayed in the page. While the demo exploit causes no harm, in theory other exploits are possible including the possibility of altering the content of the page or stealing a session cookie which could make it possible to take control of a user account. Note that actual malicious exploits have not been proven, but the ability to inject a javascript alert means more malicious exploits may be possible.

Mitigating Factors

In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site to click a malicious link. The link itself must contain the exploit code and this would be obvious to more experienced users unless the url of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site or create a link on a web page on some other web site and convince the user to click it.

What Versions are Vulnerable?

I’m pretty sure this vulnerability was introduced in version when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt> If it causes an alert message then the vulnerability does exist.

Upgrade is Highly Recommended

Ugrading to mojoPortal will eliminate this vulnerability. All users are recommended to upgrade as soon as you can. If you are upgrading from version, you can skip uploading the ClientScript folder, it will save you some time since its a large folder and nothing in that folder has changed.

Anything Else New This Release?

There was a bug fix in WebStore for MS SQL. Previously when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of 8 which it actually had.

There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.

Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool aka MsDeploy. See this article for easy step by step installation instructions. Its only for new installations not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy now should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery, I have submitted a form and am waiting to hear back from them.

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.