Author Archives: soulseekah

WordPress trunk news #7

Sometime this weekend or next week (or maybe the week after) WordPress development will go into feature freeze, meaning no more features will be added, and we will be left with more or less the set of features that are expected in WordPress 3.4.

Ready. Steady. Go!


Cross-server deployment with servermattic

About a week ago I did a post on Tiny Projects Inspired by WordPress. Readers who actually visited the Code.WordPress Trac would have noticed a tool called servermattic, which is described modestly as “install files and applications to many servers according to their role”.

What is servermattic?

servermattic is a template configuration that allows for deployment of code and configurations across multiple servers – write once, deploy on many machines, update as much as you want with revisions.


WordPress trunk news #6

Today’s been the craziest day I’ve had for quite a long long time. It’s 5AM and I still haven’t done my WordPress trunk roundup for this week. So hot cup of fresh tea ready (by the way, from today on you can hook me up with some tea to keep me going day and night :D), off we go!


WordPress Pingback Attack

Yesterday I wrote a post titled On WordPress Pingbacks. While writing this I came to several conclusions that resulted in some interesting experiments and results.

I was going to publish my results along with that post; however, I wanted to make sure that the WordPress Security mailing list had nothing against my publishing such information. With no word from them (I guess I expected too much to be contacted back within 24 hours), I’ve decided to dedicate a whole article to the Pingback attack, its potential, its limitations and further considerations and concerns.


On WordPress Pingbacks

WordPress supports Pingbacks and these are enabled by default. Having noticed a missing pingback from one of my posts and having made sure that it wasn’t caught as spam or still pending, I decided to investigate a bit and try to resend it manually.

Armed with the Pingback specification, and the XML-RPC RFC, I was able to successfully have a request cURLed over.

curl "https://.../xmlrpc.php" --header "Content-Type: text/xml" --data '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>https://.../</string></value></param><param><value><string>https://.../</string></value></param></params></methodCall>'

<?xml version="1.0"?>
<methodCall>
   <methodName>pingback.ping</methodName>
   <params>
      <param>
        <value><string>https://.source./</string></value>
      </param>
      <param>
        <value><string>https://.target./</string></value>
      </param>
   </params>
</methodCall>

The request body, formatted for readability, is shown above; for it I got a nice response:

<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
      <string>Pingback from https://.source./ to https://.target./ registered. Keep the web talking! :-)</string>
      </value>
    </param>
  </params>
</methodResponse>

Mission accomplished, got the Pingback through, great! But what if…?


WordPress Escape Functions

The process of escaping data is an important one, since the lack thereof can lead to XSS and other naughty and unexpected things, as well as legitimate data that simply breaks specific data formats.

Consider HTML attributes. Imagine you have the following simple code:

$image_src = get_uploaded_image_src(); // not any specific function, just a stand-in that returns the image URL
echo '<img src="' . $image_src . '" />'; // the value is dropped straight into an HTML attribute, unescaped

What if the uploaded image is called “Horizons” by LTJ Bukem.jpg? You end up with broken HTML: <img src=""Horizons" by LTJ Bukem.jpg" />… not to worry though, WordPress comes with a dozen escape functions for taking care of all these sorts of things. However, with the myriad of escaping functions provided in WordPress, it is oftentimes difficult to remember which is which and whether there is an escape function for a specific case.
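The broken snippet above beside its escaped form, as an added example that is not part of the original post. It assumes it runs inside WordPress, where esc_url() and esc_attr() are available; the filename is a constructed sample.

```php
<?php
// Added example, not from the original post. Assumes a WordPress runtime
// (esc_url() and esc_attr() are WordPress core functions). The path below
// is a constructed sample standing in for whatever the uploader produced.
$image_src = 'https://example.com/uploads/"Horizons" by LTJ Bukem.jpg';

// Unescaped: the double quotes in the filename close the src attribute early,
// so the rest of the name is parsed as further attributes. That is broken
// markup at best and an attribute-injection point if the name is attacker-chosen.
echo '<img src="' . $image_src . '" />';

// Escaped: esc_url() is the right choice for a URL-valued attribute. It strips
// characters that are not valid in a URL (the double quotes among them),
// percent-encodes spaces and rejects disallowed schemes such as javascript:.
echo '<img src="' . esc_url( $image_src ) . '" />';

// For an attribute that holds text rather than a URL, e.g. alt, use esc_attr():
// it HTML-encodes quotes, <, > and &, so the attribute boundary cannot be broken
// while the original characters are still displayed.
$alt = basename( $image_src );
echo '<img src="' . esc_url( $image_src ) . '" alt="' . esc_attr( $alt ) . '" />';
```

Which function to reach for is decided by the context the value lands in (URL, attribute, HTML body, JavaScript), not by where the value came from.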


Tiny Projects Inspired by WordPress

WordPress development has inspired core developers to code up some interesting utilities, tools and toolchains to aid in the deployment and development processes. Besides the notorious `bumpbot` (compresses scripts and styles, bumps their version numbers) and `potbot` (generates pot files), there are at least a dozen other tools that are not only useful, but open-source and available for download.

Ready to look into some of the most interesting ones?


ack-grep vs. grep

Following Daniel Bachhuber’s talk, The Zen of WordPress Development, I’ve started to explore this magical ack tool, a replacement for the native grep.

ack can be downloaded from the official and quite modest website called BetterThanGrep.com. ack is also available in all sorts of software repositories, and can be named ack-grep instead (due to a naming conflict).

ack is written in Perl, while grep is written in C. So why the heck does ack appear to be faster? Here are some tests with the latest WordPress package.


WordPress trunk news #5

Last week’s edition of WordPress trunk news provided an overview of some of the major happenings in the very exciting Project Gandalf and the WordPress Theme API.

Here’s what happened in the WordPress trunk this past weekend and this week.
