Posts in Category: Releases

mojoPortal 2.3.1.0 Released

I'm happy to announce the release of mojoPortal 2.3.1.0 available now on our download page.

This is primarily a bug fix release.

Fixed Issues

Fixed an issue in the WebStore where using EURO currency with PayPal the amounts returned from PayPal were not being correctly parsed.

Fixed a bug in CryptoHelper that was causing an error in some environments when encrypting or decrypting data.

Fixed missing titles on some edit pages that were a side effect of our refactoring of page titles to give more control over them in the last release.

Downgraded YUI from 2.7.0 to 2.6.0 when using the Google CDN, because of a bug in YUI 2.7.0 where an FCKeditor inside a YUI tab sometimes was not visible in IE.

Added required field validators in the Content Style Template editor because leaving the element blank could cause the FCKeditor to throw an error.

Implemented a Content Delete Handler provider system to make a more consistent way of deleting related content when a module instance is deleted. Previously some features were not cleaning out their data when a content instance was deleted.

Last release we introduced support for search results highlighting. This brought with it a possibility for an information disclosure if the user had view permissions on the page but not the module. In the past only the page title was shown, so there was no disclosure of the content, but with fragments of the actual content now being shown in search results we needed to store the module view permissions in the search index in order to be able to filter search results based on those roles in addition to page view roles. Getting the view roles into your search index requires rebuilding the search index. In order to not break existing search indexes I had to keep the default to not filter by the module view roles; otherwise, since the roles are not in the existing index, all search results would be filtered out. In a new installation the preferred settings are in user.config.sample so that new installations should always filter by module view roles. Those who upgrade and rebuild their search index should add this to their user.config file:

<add key="SearchIncludeModuleRoleFilters" value="true" />

This issue only affects those who have content on a page filtered by module view roles in addition to page view roles and only if you are using search results highlighting.
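The filtering described above, as an added C# example that is not mojoPortal's own code: it shows a fragment leaking when only page view roles are checked, the leak closing once module view roles are checked against a rebuilt index, and every result disappearing when the module filter is applied to an index that was not rebuilt. The type, member and role names are hypothetical and the sample hits are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not mojoPortal source. Type, member and role names are hypothetical.
public sealed class IndexedHit
{
    public string Title = "";
    public string Fragment = "";                      // highlighted excerpt of the module content
    public string[] PageViewRoles = new string[0];
    public string[] ModuleViewRoles = new string[0];  // stays empty when the index predates the fix
}

public static class SearchResultFilter
{
    // Fail closed: a hit with no stored roles matches nobody.
    private static bool CanView(string[] allowedRoles, ISet<string> userRoles)
    {
        return allowedRoles.Any(r => userRoles.Contains(r));
    }

    // includeModuleRoleFilters plays the part of the SearchIncludeModuleRoleFilters setting.
    public static List<IndexedHit> Filter(
        IEnumerable<IndexedHit> hits, ISet<string> userRoles, bool includeModuleRoleFilters)
    {
        return hits
            .Where(h => CanView(h.PageViewRoles, userRoles))
            .Where(h => !includeModuleRoleFilters || CanView(h.ModuleViewRoles, userRoles))
            .ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        var visitor = new HashSet<string> { "All Users" };  // constructed role set

        // Constructed sample: one public page holding a public module and a staff-only module.
        var rebuilt = new List<IndexedHit>
        {
            new IndexedHit { Title = "Home", Fragment = "Welcome to the site",
                PageViewRoles = new[] { "All Users" }, ModuleViewRoles = new[] { "All Users" } },
            new IndexedHit { Title = "Home", Fragment = "Internal price list",
                PageViewRoles = new[] { "All Users" }, ModuleViewRoles = new[] { "Staff" } },
        };

        // The same content as indexed before module view roles were stored.
        var legacy = rebuilt.Select(h => new IndexedHit
        {
            Title = h.Title, Fragment = h.Fragment, PageViewRoles = h.PageViewRoles
        }).ToList();

        Print("page roles only", SearchResultFilter.Filter(rebuilt, visitor, false));
        Print("module roles, rebuilt index", SearchResultFilter.Filter(rebuilt, visitor, true));
        Print("module roles, index not rebuilt", SearchResultFilter.Filter(legacy, visitor, true));
    }

    private static void Print(string label, List<IndexedHit> hits)
    {
        Console.WriteLine(label + ": " + hits.Count + " hit(s)");
        foreach (var h in hits) Console.WriteLine("  " + h.Title + " | " + h.Fragment);
    }
}
```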

There is a corresponding minor update release for Event Calendar Pro to make it write module permissions also to the search index for events. Customers can download the new 0.0.1.5 version from their purchase history.

Fixed an issue where our App Keep Alive feature did not work in IIS 7 using Integrated Pipeline mode.

Fixed an issue in our SmartCombo dropdown when using Chinese characters.

Fixed an issue in the Image Gallery where the Greybox did not work if the caption had an apostrophe.

Fixed a similar issue in the blog where a script error would occur in IE if Odiogo was enabled and the blog title had an apostrophe.

Previously some skins had corner rounders surrounding the PageMenu control but if there were no child pages for the current page in the SiteMenu then the PageMenu would not be visible but the corner rounders would still be there. We solved this by moving the CornerRounders into the PageMenu control and out of the layout.master. This way if the menu is not visible neither are the corner rounders.

What Else?

We now force the use of a plain text editor in iPhone because none of the wysiwyg editors can work in iPhone due to the way they create png images of the page for zooming. So even though the editor rendered correctly because javascript is supported, there was no way to click in the editors. So now you can edit site content, make blog posts or anything you like using the iPhone though it does require knowledge of html.

Based on user feedback, I implemented additional CSS classes and an example skin showing how to lay out forms with the labels above the form fields. Whereas most of the skins have the label on the left side of the input, andreasvicklund-02 now has forms with the labels above the inputs. Also I think now all the Cancel buttons have been changed to links which was also suggested as a usability improvement.

There was also a request to add a per instance unique CSS class on Html content instances so that it is easier when you want to style a particular content instance differently than the others. I implemented this so that there is a wrapper div with class=modulex where x is the module id. This allows you to easily override the styles for a particular instance. I did the same thing for blogs and links and a few other places.

Updated Italian resource files thanks to Diego Mora.

 

Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.3.0.8 Released

I'm very happy to announce the release of mojoPortal 2.3.0.8, available now on our download page.

What's New?

Search Engine Improvements

The mojoPortal search engine now supports filtering results by feature and results highlighting, as well as support for Open Search with automatic discovery. A number of changes were made to what we store in the search index, so taking advantage of the new features requires changing some config settings and rebuilding the search index, which may or may not be trivial depending on the size and activity level of your site. For backward compatibility we have kept the default settings such that the existing search index should continue to work as it has. To take advantage of the new features, put this in your user.config for a new installation before doing a search; for an existing site, add these settings to user.config and then rebuild the search index.

<add key="DisableSearchFeatureFilters" value="false" />
<add key="SearchUseBackwardCompatibilityMode" value="false" />
<add key="EnableSearchResultsHighlighting" value="true" />

SEO (Search Engine Optimization) Improvements

I did a lot of analysis using the new free IIS SEO Toolkit and made a number of small changes based on the results. It's now possible for you to control the default title format for pages and to use extensionless urls in IIS 7.

Content Template Editor

Now you can create and save custom content templates and they will show up in the FCKeditor.

Content Style Editor

It's now possible for you to create and save content style templates that appear in the Style dropdown list in FCKeditor.

Skin Improvements

We include about 30 good looking skins in mojoPortal, but a number of the skins were designed for 800x600 screen resolutions so even though they were good looking it seemed to me that some of them were not being used very much because they are too narrow. So I made most of the narrow skins wider. Also we needed good examples of suckerfish style menus. The mitchinson-earthy skin had something close but it did not work very well so I re-implemented it using the jQuery Superfish menu and I made the mitchinson-earthy-alt1 which uses a vertical superfish menu. So now I think we have a lot of skins that can be useful as a starting point for customization. There is also a new Preview/Browse link in the Administration Menu > Site Settings page to allow you to easily preview the available skins.

Other Updates

Upgraded to the newest version of NeatUpload and the newest version of the AjaxControlToolkit.

Upgrade Notes

Customers who have purchased Event Calendar Pro and/or Form Wizard Pro, will need to upgrade to new releases of those products which have corresponding changes partly due to the newer version of AjaxToolkit. You can download the latest version from your order history under the "My Account" link.

Be sure to read and understand the changes to the search index and consider rebuilding your search index. If you have a custom skin you will need to add a new css class that is used to highlight the search results; the included skins all have this new css class:

.searchterm { color:black; background-color:yellow; }

 

 

 


mojoPortal 2.3.0.4 Released

I'm happy to announce the release of mojoPortal 2.3.0.4, available now on our download page.

What's New?

RPX Instant Open ID Single Sign In Integration

Now you can allow users to easily register and sign in to your site with no new passwords using their existing account from Google, Yahoo, AOL, Microsoft, Facebook, MySpace, Twitter and more. For complete details, see the RPX documentation here.

screen shot of rpx sign in widget

We've had support built in to mojoPortal for Open ID for a long time but this is much more user friendly; the user doesn't have to know anything about Open ID to use it. We still have support for standard Open ID authentication for those who would rather use it as is. In fact we also upgraded to the newer DotNetOpenAuth from the older DotNetOpenId (same project but they changed the name of the dll), and now it can work in Medium Trust environments, where previously you had to remove the DotNetOpenId dll for Medium Trust to work. Of course the new RPX service also works fine in Medium Trust.

New Content Templates in the FCKeditor

You can now easily use a few UI widgets like the jQuery Accordion, jQuery Tabs, and YUI tabs right in the editor. There is a new toolbar item in the editor for choosing content templates, and we have pre-defined a few templates for these widgets.

screen shot of jquery accordion

screen shot of jquery tabs

In the near future we will also add the ability for you to create and edit your own templates.

TextArea Editor

For anyone who would rather use a plain text area for editing content than one of our WYSIWYG editors, we now have a TextArea editor, thanks to a sponsorship from Felix Schudel. Since the WYSIWYG is much more friendly for most people, the TextArea editor is disabled by default, but it can be easily enabled by un-commenting it in the mojoEditor.config file.

WebStore Improvements

It is now possible to checkout without registration or sign in, if the order has no download products. So now people can buy me a beer without registering on this site ;-). There are also improvements to the offer administration, we added a new product picker dialog, and there is a new product site map for submitting to google and other search engines located at /yoursiteroot/WebStore/ProductSiteMap.ashx.

Blog Improvements

There is now an option in the blog to format the category list as a tag cloud. To use it you just enable the setting in the feature instance settings and then clear your browser cache to get the new css for the tag cloud. Soon we will be implementing categories/tags as a core system feature so it can be re-used by any feature and then we will replace the existing blog categories with the new system. This new category/tag system will then be used to easily add categories to the WebStore, EventCalendar Pro, and possibly other features. Note that if you have a custom skin, you will need to add this css for the tag cloud:

.tag-cloud { list-style-type:none; margin: 15px 0px 3px -30px;}
.tag-cloud li { display: inline; list-style-type:none; }
.tagcount { font-size: x-small;}
.tag-cloud .weight1 { font-size: 90%; }
.tag-cloud .weight2 { font-size: 110%; }
.tag-cloud .weight3 { font-size: 120%; }
.tag-cloud .weight4 { font-size: 130%; }
.tag-cloud .weight5 { font-size: 140%; }
.tag-cloud .weight6 { font-size: 150%; }
.tag-cloud .weight7 { font-size: 160%; }
.tag-cloud .weight8 { font-size: 180%; }
.tag-cloud .weight9 { font-size: 200%; }
.tag-cloud .weight10 { font-size: 210%; }

 

There have also been a number of minor enhancements and of course bug fixes for things reported in the forums since the last release.

Updated Releases For Event Calendar Pro and Form Wizard Pro

New minor release updates are available for customers who have purchased these features. There were small changes made in these features to correspond with changes in the core of mojoPortal. The Form Wizard also now uses the full editor toolbar for editing the form instructions and thank you message. Customers can download the updated versions from their purchase history and install them after upgrading to mojoPortal 2.3.0.4.

Update 2009-05-22

Just updated to version 2.3.0.4.b to fix an issue where the breadcrumbs wrapper div was rendering on pages even if breadcrumbs were not enabled and this extra div could affect layout in some skin designs.


mojoPortal 2.3.0.1 Released

I'm happy to announce the release of mojoPortal 2.3.0.1, available now on our download page.

What's New?

Content Versioning

The Html Content and Blog features now support keeping a history of every edit (like a wiki). You can compare any historical version of the content to the current version and you can restore any version to the editor so that you can restore it as it is by saving it or modify it further then save it. Versioning can be enabled at the feature instance level or it can be enforced site wide from Site Settings or it can be enforced from Web.config. Site administrators and content administrators can delete history but no other roles are allowed to delete the history. The ContentHistory is built into the core so that it does not have to be re-implemented for each feature. Each feature does implement its own UI to show or restore the previous versions, but they leverage common business classes to store and retrieve their history. In the future we will implement versioning for product and offer descriptions in the WebStore, developers may also leverage this in their own features to keep version history for their own feature data. This is one more thing to mark off our Road Map as complete. Next up is a general Content Tagging/Category system that can be re-used across features, and a Content Comment system that can be re-used across features.

Web Chat using Windows Live Messenger

See my previous post for more information about the new Chat feature. This was not even on the roadmap but when I saw how easy it was to implement I decided to work on it. It was fun and it only took a few days. One of the things I like best about my job is that I can just decide to work on something for a few days because it's fun.

New PlugNPay Payment Gateway in WebStore thanks to Voir Hillaire

New Skin - dcarter-bluedesert, based on dcarter-ticktockpro but modified and contributed by Sami Isamil Hassan

Various minor enhancements based on feedback and fixes for bugs reported in the forums since the last release.

More progress moving away from ExtJs by implementing some .NET controls for YUI to replace the ones I previously built for ExtJs

Some of you may have checked out my Site Office UI prototype in the past. It's a separate plug-in system from the main content system, designed more for a consistent application user interface rather than for creative design like we use for the public facing web site via our skins. You can see the Site Office layout on this site or the demo site if you login and click the "Site Office" link at the top of the page, or you can look at the original layout demo for ExtJs here. I still have not implemented any real features for Site Office, but the plug-in system itself works and I've even received emails from developers who have implemented their own plug-in features using it. I got kind of side tracked off of the Site Office idea partly because I had spent quite a bit of time implementing .NET wrapper controls around the ExtJs javascript to make it easy to use and then the ExtJs project changed their license to GPL which is not compatible with our CPL license, so I could no longer get upgrades of ExtJs and include them with mojoPortal. Since then we've been stuck on version 2.0.2 of ExtJs which was the last version they shipped under the LGPL (which was compatible). I had also used a little ExtJs in the Contact Form for the message list page. For a long time I've been thinking I really need to build new .NET wrapper controls with similar functionality but using the YUI javascript instead of ExtJs.
 
So again in the name of fun (because I like building .NET controls around javascript) I spent some time implementing some new controls with YUI to replace the ExtJs stuff I've been using. I have now removed the dependency on ExtJs from the Contact Form feature and I've got a good start on the layout framework to replace the current SiteOffice. I still have more work to do to finish, but the goal will be to eliminate all use of ExtJs in favor of YUI. The ExtJs javascript we include in mojoPortal is 6.36 MB, so it will reduce the size of our downloads once we no longer need it. Anyway, you can see the work I've done so far on the YUI layout here; it's very similar, as you can see, to the current Site Office layout with ExtJs. Once I get some more of the YUI things wrapped up so they are easy to use, I might even change the site administration area so that it uses this kind of layout instead of the site skin.

New Experimental CKEditor

Some of you may have noticed that the FCKeditor project has shifted gears from the next upgrade of FCKeditor to their next generation version named CKEditor. I think they are basically taking the good parts from the FCKeditor implementation but doing a new redesign of the implementation using things they have learned and new techniques that have emerged to improve the architecture. The CKEditor does not yet have image upload or server browsing so I have disabled it by default, but anyone who really wants to check it out can un-comment it in the mojoEditor.config file in the root of the web. It really looks just like the FCKeditor but does not have all the functionality yet; I just figured it was good to get started with it so we can be ready as they make improvements.
 
So all of the above (other than the contributions from the community) is work I've done since the last release on March 24, less than 30 days ago, but in that time I've also made a substantial start on my next paid product Web Invoice Pro. It still has a ways to go before release though. It's one of those things where I started out with a very simple vision for it but it quickly changed to a more complex feature the more I thought about it after getting a few little pieces of it built. I needed to step away from it a little to think about it more and that is part of the reason I worked on some fun things as I got to a point where I was frustrated and needed to work on something that made me feel productive.

mojoPortal 2.2.9.6 Released

mojoPortal 2.2.9.6 is available now on our download page.

The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.

Description

The issue is a cross site scripting vulnerability. The cause of the problem was failure to sanitize a query string parameter that is used for previewing skins. We use a printer friendly skin to produce our printer friendly view using a simple parameter in the url like this: skin=printerfriendly. It can also be used to preview any existing skin. Since the skin name is output into the page as part of the url for the css handler, it needs to be sanitized to prevent manipulation. The new release sanitizes the input to remove any possibility for javascript being inserted into the page.

The vulnerability was reported by Aaron King who discovered it using the free version of Acunetix Web Vulnerability Scanner. The scanner identified a url that could be constructed that would inject javascript into the page and cause an alert message to be displayed in the page. While the demo exploit causes no harm, in theory other exploits are possible including the possibility of altering the content of the page or stealing a session cookie which could make it possible to take control of a user account. Note that actual malicious exploits have not been proven, but the ability to inject a javascript alert means more malicious exploits may be possible.
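One way to handle a skin parameter that ends up inside the css handler url, as an added C# example that is not the code shipped in 2.2.9.6: the "before" method concatenates the raw value into the link tag, and the "after" method accepts only names matching an allow-list, falls back to a default skin otherwise, and encodes the value for both the url and the HTML attribute. The class and method names and the handler path are hypothetical; the probe string is the URL-decoded value from the test url given later in this post.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added illustration, not mojoPortal source. Names and the handler path are hypothetical.
public static class SkinPreview
{
    private const string HandlerPath = "/css-handler-placeholder";  // stand-in for the real handler url

    // Allow-list for skin folder names: letters, digits, '-' and '_', bounded length.
    // \A and \z anchor the whole string, so an embedded NUL or line break cannot slip past.
    private static readonly Regex SkinName = new Regex(@"\A[A-Za-z0-9_-]{1,64}\z");

    public static string Resolve(string requested, string defaultSkin)
    {
        return requested != null && SkinName.IsMatch(requested) ? requested : defaultSkin;
    }

    // "Before": the query string value goes straight into the attribute.
    public static string UnsafeLinkTag(string requested)
    {
        return "<link rel=\"stylesheet\" href=\"" + HandlerPath + "?skin=" + requested + "\" />";
    }

    // "After": validate first, then encode for the url and for the HTML attribute.
    public static string SafeLinkTag(string requested, string defaultSkin)
    {
        string skin = Resolve(requested, defaultSkin);
        string url = HandlerPath + "?skin=" + Uri.EscapeDataString(skin);
        return "<link rel=\"stylesheet\" href=\"" + WebUtility.HtmlEncode(url) + "\" />";
    }
}

public static class Program
{
    public static void Main()
    {
        // Probe value from the test url in this post, URL-decoded.
        string probe = "1\0'\"><ScRiPt \n\r>alert(403326057258);</ScRiPt>";
        string[] inputs = { "printerfriendly", "mitchinson-earthy-alt1", probe, null };

        foreach (string input in inputs)
        {
            Console.WriteLine("input : " + Show(input));
            Console.WriteLine("before: " + Show(SkinPreview.UnsafeLinkTag(input)));
            Console.WriteLine("after : " + Show(SkinPreview.SafeLinkTag(input, "printerfriendly")));
            Console.WriteLine();
        }
    }

    // Make control characters visible in console output.
    private static string Show(string s)
    {
        if (s == null) return "(none)";
        return s.Replace("\0", "\\0").Replace("\n", "\\n").Replace("\r", "\\r");
    }
}
```

Validating against the list of skin folders that actually exist on disk is stricter still than a character allow-list, since it also rejects well-formed names that do not correspond to a skin.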

Mitigating Factors

In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site to click a malicious link. The link itself must contain the exploit code and this would be obvious to more experienced users unless the url of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site or create a link on a web page on some other web site and convince the user to click it.

What Versions are Vulnerable?

I’m pretty sure this vulnerability was introduced in version 2.2.7.7 when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt> If it causes an alert message then the vulnerability does exist.

Upgrade is Highly Recommended

Upgrading to mojoPortal 2.2.9.6 will eliminate this vulnerability. All users are recommended to upgrade as soon as they can. If you are upgrading from version 2.2.9.5, you can skip uploading the ClientScript folder; it will save you some time since it's a large folder and nothing in that folder has changed.

Anything Else New This Release?

There was a bug fix in WebStore for MS SQL. Previously when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of 8 which it actually had.

There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.

Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool aka MsDeploy. See this article for easy step by step installation instructions. It's only for new installations, not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy now should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery; I have submitted a form and am waiting to hear back from them.
