I'm happy to announce the release of mojoPortal 2.3.0.4, available now on our download page.

Whats New?

RPX Instant Open ID Single Sign In Integration

Now you can allow users to easily register and sign in to your site with no new passwords using their existing account from Google, Yahoo, AOL, Microsoft,  Facebook, MySpace, Twitter and more. For complete details, see the RPX documentation here.

We've had support built in to mojoPortal for Open ID for a long time but this is much more user friendly, the user doesn't have to know anything about Open ID to use it. We still have suppport for standard Open ID authentication for those who would rather use it as is. In fact we also upgraded to the newer DotNetOpenAuth from the older DotNetOpenId (same project but they changed the name of the dll), and now it can work in Medium Trust environments, where previously, you have to remove the DotNetOpenId dll for Medium Trust to work. Of course the new RPX service also works fine in Medium Trust.

New Content Templates in the FCKeditor

You can now easily use a few UI widgets like the jQuery Accordion, jQuery Tabs, and YUI tabs right in the editor. There is a new toolbar item in the editor for choosing content templates, and we have pre-defined a few templates for these widgets.

In the near future we will also add the ability for you to create and edit your own templates.

TextArea Editor

For anyone who would rather use a plain text area for editing content rather thanone of our WYSIWYG editors, we now have a TextArea editor, thanks to a sponsorship from Felix Schudel. Since the WYSIWYG is much more friendly for most people, the TextArea editor is disabled by default, but it can be easily enabled by un-commenting it in the mojoEditor.config file.

WebStore Improvements

It is now possible to checkout without registration or sign in, if the order has no download products. So now people can buy me a beer without registering on this site ;-). There are also improvements to the offer administration, we added a new product picker dialog, and there is a new product site map for submitting to google and other search engines located at /yoursiteroot/WebStore/ProductSiteMap.ashx.

Blog Improvements

There is now an option in the blog to format the category list as a tag cloud. To use it you just enable the setting in the feature instance settings and then clear your browser cache to get the new css for the tag cloud. Soon we will be implementing categories/tags as a core system feature so it can be re-used by any feature and then we will replace the existing blog categories with the new system. This new category/tag system will then be used to easily add categories to the WebStore, EventCalendar Pro, and possibly other features. Note that if you have a custom skin, you will need to add this css for the tag cloud:

.tag-cloud { list-style-type:none; margin: 15px 0px 3px -30px;}
.tag-cloud li { display: inline; list-style-type:none; }
.tagcount { font-size: x-small;}
.tag-cloud .weight1 { font-size: 90%; }
.tag-cloud .weight2 { font-size: 110%; }
.tag-cloud .weight3 { font-size: 120%; }
.tag-cloud .weight4 { font-size: 130%; }
.tag-cloud .weight5 { font-size: 140%; }
.tag-cloud .weight6 { font-size: 150%; }
.tag-cloud .weight7 { font-size: 160%; }
.tag-cloud .weight8 { font-size: 180%; }
.tag-cloud .weight9 { font-size: 200%; }
.tag-cloud .weight10 { font-size: 210%; }

There have also been a number of minor enhancements and of course bug fixes for things reported in the forums since the last release.

Updated Releases For Event Calendar Pro and Form Wizard Pro

New minor release updates are available for customers who have purchased these features.  There were small changes made in these feature to correspond with changes in the core of mojoPortal. The Form Wizard also now uses the full editor toolbar for editing the form instructions and thank you message. Customers can download the updated versions from their purchase history and install them after upgrading to mojoPortal 2.3.0.4.

 Update 2009-05-22

Just updated to version 2.3.0.4.b to fix an issue where the breadcrumbs wrapper div was rendering on pages even if breadcrumbs were not enabled and this extra div could affect layout in some skin designs.

 I'm happy to announce the release of mojoPortal 2.3.0.1, available now on our download page.

What's New?

Content Versioning

Web Chat using Windows Live Messenger

New PlugNPay Payment Gateway in WebStore thanks to Voir Hillaire

New Skin - dcarter-bluedesert, based on dcarter-ticktockpro but modified and contributed by Sami Isamil Hassan

Various minor enhancements based on feedback and fixes for bugs reported in the forums since the last release.

More progress moving away from ExtJs by implementing some .NET controls for YUI to replace the ones I previously built for ExtJs

New Experimental CKEditor

mojoPortal 2.2.9.6 is available now on our download page.

The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.

Description

The issue is a cross site scripting vulnerability. The cause of the problem was failure to sanitize a query string parameter that is used for previewing skins. We use a printer friendly skin to produce our printer friendly view using a simple parameter in the url like this skin=printerfriendly. It can also be used to preview any existing skin. Since the skin name is output into the page as part of the url for the css handler it needs to be sanitized to prevent manipulation. The new release sanitizes the input to remove any possibility for javascript being inserted into the page.

The vulnerability was reported by Aaron King who discovered it using the free version of Acunetix Web Vulnerability Scanner. The scanner identified an url that could be constructed that would inject javascript into the page and cause an alert message to be displayed in the page. While the demo exploit causes no harm, in theory other exploits are possible including the possibility of altering the content of the page or stealing a session cookie which could make it possible to take control of a user account. Note that actual malicious exploits have not been proven, but the ability to inject a javascript alert means more malicious exploits may be possible.

Mitigating Factors

In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site to click a malicious link. The link itself must contain the exploit code and this would be obvious to more experienced users unless the url of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site or create a link on a web page on some other web site and convince the user to click it.

What Versions are Vulnerable?

I’m pretty sure this vulnerability was introduced in version 2.2.7.7 when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt> If it causes an alert message then the vulnerability does exist.

Upgrade is Highly Recommended

Ugrading to mojoPortal 2.2.9.6 will eliminate this vulnerability. All users are recommended to upgrade as soon as you can. If you are upgrading from version 2.2.9.5, you can skip uploading the ClientScript folder, it will save you some time since its a large folder and nothing in that folder has changed.

Anything Else New This Release?

There was a bug fix in WebStore for MS SQL. Previously when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of 8 which it actually had.

There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.

Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool aka MsDeploy. See this article for easy step by step installation instructions. Its only for new installations not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy now should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery, I have submitted a form and am waiting to hear back from them.

I'm happy to announce the release of mojoPortal 2.2.9.5, available now on the download page.

This release is primarily a bug fix release but it does have some new things.

Whats New?

A new option in Page Settings, "Show Home Crumb", adds a home link to the breadcrumbs when "Show Beadcrumbs" is enabled. Thanks to Damien White for help with this.

Added a setting to the blog to control whether google maps are displayed in Excerpt view. Previously they were displayed, but now they are not by default, but can be displayed if the setting is enabled.

Added a feature on the Member List page to allow Admins to lookup users by ip address

Implemented a Discount feature in WebStore that allows defining discount codes supporting percentage and dollar amount discounts with various rules. The user can apply the discount by entering the discount code on the cart page. The apply discount feature is only visible on the cart page if there are currently active discounts.

Forum Improvements: added an email icon to make it more obvious that you can subscribe to forum post notification emails. Added the forum description to the forum post page so that its easier for users to remember which forum they are in and what the forum description says. For example on this site it helps users remember to post certain details like OS, db platform, and version of mojoPortal when reporting bugs.

Bug Fixes

• Fixed bug in url re-writer where paths could be re-written incorrectly in folder based child sites if the folder name was a substring of a page name. 
• Fixed broken background image in css for one of the skins.
• Fixed broken image urls on MyPage when used in folder based sub sites.
• Fixed bug where an error would occur when removing users form roles under SQLite.
• Fixed broken folder image url in forum UserThreads.aspx.
• Fixed an issue with the css handler incorrectly resolving site id for folder based sites.
• Remove unused files as these cause errors when people try to use the release packages in Visual Studio. I still think people should use the source code for development not the release files but people keep trying to use release files so I'm trying to make that possible.
• Fixed a bug in the MS SQL install/upgrade scripts where one procedure was not compatible with SQL 2000.

Upgrade Notes

If you are upgrading from 2.2.9.2, you can skip uploading the /ClientScript folder as nothing has changed there.

I'm happy to announce the release of mojoPortal 2.2.9.2 available now on our download page.

Whats New?

Easy Woopra Integration

I mentioned Woopra in this previous post, its an awesome web analytics and real time traffic monitoring tool. Now its easy to use Woopra with your mojoPortal site. Just sign up for woopra and install their software on your home or office computer. Once they approve your site, you enable the script in mojoPortal from the Site Settings page as shown in this screen shot:

If you are using a custom skin, then you also need to add the woopra control to the layout.master file in your skin, just before the closing </form> tag like this:

<portal:Woopra ID="woopra11" runat="server" />
</form>

All the included skins in mojoPortal already have this. There was a long waiting period when I first signed up for woopra but lately people have been telling me they are getting approved within a few days of signing up for woopra. Its agreat service, I highly recommend it.

WebStore Improvements

We've added the ability to set the quantity when adding items to the cart from the product detail page and we've made it possible to update quantities directly on the cart. So previously if you wanted to buy me more than one beer, you had to add the beers to the cart one at a time, but now its very easy to be generous :-).

Last release we moved reporting out of WebStore and created a common set of reporting tables in the core so that the same reporting system can be used across ecommerce features. Since then we've begun fleshing out more reports, there are a number of new reports this release and even more to come later.

Miscellaneous

Japanese resource files thanks to Suzuki Teku, this brings us p to 18 languages!

A new setting in Page Settings for "Inlcude In Site Map", this was requested recently by a community member, we already had a setting for "Include In Menu" but that setting also excluded the page from the site map, so this new setting allows creating pages that don't appear in the menu but do appear in the site map.

Canonical Urls in the meta data, this is a new thing agreed upon by the big search engines so that if a page is available from more than one url the preferred url can be specified by a meta link with rel=canonical. This helps make sure the urls that is shown in search results is the correct one. In mojoPortal we haven't really had problems with this for content system pages because they generally only have one url, but in the past I would see some dupplicate warnings in google webmaster tools about my forum pages because the same page could be seen with query string paramters in different sequence and google would think they were duplicated pages when it was really the same page with just a variation in the sequence of parameters in the url. So the forums now specify the preferred url with the preferred sequence of parameters. We also add cononical urls to the main content pages but its really probably not much impact there since there hasn't been problems with duplicated pages with different urls.

One customer recently asked about being able to use separate read/write connection strings with MySql so they could use MySql replicatin as a scaling strategy. I don't know much about using this approach, it seems it could be problematic unless the replication is instantaneous. Nevertheless, I did the grunt work of going through all the MySql data classes and making it possible to use different connection strings for read and write operations. Bascially I made all the read methods get the read connection string and all the write methos use the write connection string. If you don't specify a write connection string in Web.config/user.config then it just uses the read connection string, so the logic is like this:

private static String GetReadConnectionString()
{
return ConfigurationManager.AppSettings["MySqlConnectionString"];

}

private static String GetWriteConnectionString()
{
if (ConfigurationManager.AppSettings["MySqlWriteConnectionString"] != null)
{
return ConfigurationManager.AppSettings["MySqlWriteConnectionString"];
}

return ConfigurationManager.AppSettings["MySqlConnectionString"];
}

So, if you want to use a different connection string for write operations just add a connection strng setting with the key MySqlWriteConnectionString. I'd be interested to hear back from anyone who does use this approach with MySql. I don't know if the same scaling strategy is commonly used for MS SQL, Postgre SQL or Firebird, but I could make the same changes for those data layers if people tell me it would be helpful.

Event Calendar Pro 0.0.1.3 Released

Coinciding with this new release of mojoPortal is a new release of Event Calendar Pro. It now uses the new commerce reporting system so ticket sales are reflected in commerce reports and user purchase history is consolidated in the My Account/User Profile page. Note also that previously there was a module setting for currency but this now uses the currency setting from Site Settings. Also fixed a bug on the event detail page where the correct currency was not always displayed. Existing customers can download the new version from their Order History under My Account. Because Event Calendar Pro depends on the new reporting system you must upgrade to mojoPortal 2.2.9.2 before upgrading to the new version of Event Calendar Pro.

Form Wizard Pro 0.0.0.4 Released

This is just a minor bug fix release of Form Wizard Pro. There was a bug in the data export where the submission date for the forms was not correct, all the rows were suing the submit date of the first row. This is now fixed. Existing customers can download the new version from their Order History under My Account.

Upgrade Notes for mojoPortal

If you are upgrading from mojoPortal 2.2.8.6, then you can skip uploading the /ClientScript folder as nothing in that folder has changed. Its a large folder so leaving it out can save a lot of upload time.