* Skinning is now handled via the XTemplate PHP class. This means easier access to the HTML data for anyone interested in creating skins, plus separates it all from the database where it was stored previously. At the same time, all HTML data has been separated from the code logic. It's not quite MVC, but it's close enough for me.
* Akismet spam filter protection has been built in to the package and now covers user registrations and the email form in addition to comments.
* Comments are now possible in the image gallery and downloads area.
* Blog posting and comments now have emoticons available.
* User passwords are now hashed using SHA256 instead of MD5.
Changes for Sandbox 2.0.2
* SECURITY: Fixed a number of cross-site request forgery vulnerabilities.
* Typed in email address was not parsed correctly.
* There was no method for users to select an alternate skin.
* Made it possible to style the post titles where icons show.
The cross-site request forgery vulnerabilities are the major thrust for the 2.0.2 update, and it is extremely important that anyone using a previous version of Sandbox update to 2.0.2 in order to be protected from this problem.
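As an added illustration of the token pattern the 2.0.2 fix relies on (example code, not Sandbox's own; the function names and the `csrf_token` field name are assumptions), a session-bound token is issued once, embedded in every state-changing form, and verified on every POST handler. The check fails closed, so a form that forgets to emit the token is rejected rather than silently accepted, which is exactly the symptom the later gallery-folder bug showed.

```php
<?php
// Added example, not Sandbox project code. Requires PHP 7+ for
// random_bytes() and hash_equals().
session_start();

// Issue one token per session; create it only when absent.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every form that changes state
// (posts, comments, gallery folders, profile edits, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on every POST. A missing token on either side is a failure,
// never a pass, so an un-tokened form is rejected instead of trusted.
function csrf_verify(array $post): bool
{
    $sent  = $post['csrf_token'] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    if ($sent === '' || $known === '') {
        return false;
    }
    return hash_equals($known, $sent); // constant-time comparison
}

// Handler side: reject before doing any work.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... perform the state change here ...
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <input type="text" name="folder_name">
  <button type="submit">Create folder</button>
</form>
```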
Well. I guess that's that then.
No, the installer doesn't do upgrades yet, because there's no need. No new SQL data has been done, and all you need to do is drop the updated PHP, .xtpl, and .css files over what you already have. Just don't wipe out your settings.php file.
MVC = Model View Controller. It's a design method for building web apps. I'm not 100% solid on how it works, but it's supposed to be a full separation between the logic code, the database code, and the rendering code.
@Dwip: Probably because he commented on the actual download for it, and the download has the same name as the blog posting.
Ah, nice, so the installer really only has work to do if you're doing a clean install to begin with. Slick.
Oh man, I'd have never guessed that's what it meant.
Yes, Dwip, because I commented in both places and they both showed up on the recent comments list. It only looked like the same thread because they both had the same name, but if you'd followed the respective links in the recent comments box they'd have taken you to different places.
* SECURITY: Potential remote file inclusion vulnerability has been addressed.
* Color BBCode tag should not have been greedy.
* Unable to create or edit Gallery folders due to tokens not being generated.
* Spam control page had a bogus link.
The security bug was good for a few laughs, because although it should have worked, it failed miserably to do anything other than generate a gang of fatal errors this morning.
The math-based captcha hasn't even had a full day to be 100% sure, but it passed initial self-testing, so what the hell. It's probably not all that great, but we'll see if the sea of spambots goes down now.
* SECURITY: Multiple remote vulnerabilities still existing in 2.0.3 have been corrected.
* Implemented a simple math-based captcha to help screen out bots.
As many bots as I get hammering the place, it should be a fairly solid result after an entire month.
I would think so too.
Also, for those keeping score, since the math captcha was implemented on July 6, not a single bot registration has managed to get through. The error on the profile page was irrelevant to that since they can't get there without having first registered. So far, so good, but only time can tell if this is truly effective or just a temporary roadblock.
Woohoo! Hey, even the old captcha method eventually proved only a temporary roadblock for spammers but it was still truly effective while it lasted (and it's still widely in use in most places, even google), I think you're just advancing the effort ahead of most places. Until we get to the point that every computer uses some form of biometric identification that spammers can't find a way around, we'll always only have temporary roadblocks so all we can do is to try to stay ahead of the spammers as best we can and you seem to be staying at the forefront of that effort.
Dear O Wise and Fearless Leader of the Alsheroki: some kind of optional comments or post+comments search would be handy.
Meanwhile, it appears I have just decided to search through 1300 comments or so looking for wherever it is I said that one thing.
That's dedication of the highest order, to manually hunt through 1300+ comments looking for something.
He never did say he'd manually searched through 1300+ comments, but I'll bet I know which three threads he was searching to rack that level of count. It wasn't a comment to do with Oblivion, was it?
No attempt was made to contact at all, as per their policies. Fortunately the vulnerabilities listed in that posting are FIXED as of 2.0.4 so their advisory is wrong about it being unpatched.