We are pleased to announce that the RC2 version is now available, with more security and stability than ever.
Let's see what has happened under the hood. Multiple major and minor fixes were made in this release. The most important change was applied to the input filtering system to block almost all XSS attacks. The other fixes consist of tweaking system performance, revising the user interface, standardizing some code structures and fixing some functionality bugs.
Given the changes made to the input filtering system, we can now hope for a much more stable system in this release, so this could be the last RC release. Users are now encouraged to use Arta in online environments with less concern.
Follow the post for more details about the changes made and to find out what we got from the Open Source world.
Security, the first priority
A filtering system to clean malicious code out of HTML was implemented in Arta before. It worked by removing tags listed in a blacklist. But what about tag attributes? Unfortunately, the code was not flexible enough to take care of malicious code placed in tag attributes, like onclick and other potentially dangerous ones.
To ensure maximum security, we needed an algorithm that covers attribute filtering too: one that checks every attribute of every tag in the document, finds blacklisted attributes (such as event-related attributes and other high-risk ones) and removes them from the tag.
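As an added illustration of the attribute-cleaning idea described above (example code written for this post, not Arta's ArtaFilterinput or Joomla's JFilterInput implementation), the following PHP function walks every element of an HTML fragment with DOMDocument, drops blacklisted tags together with their content, and removes blacklisted attribute names plus any event-handler attribute (any name starting with "on"). The function name cleanHtml, the two blacklists and the sample input are all assumptions constructed for the example.

```php
<?php
// Added example, not Arta's or Joomla's code: blacklist-based tag and
// attribute cleaning of an HTML fragment using PHP's DOMDocument.

/**
 * Remove blacklisted tags (with their content) and blacklisted attributes
 * from an HTML fragment. Any attribute whose name starts with "on" is
 * treated as an event handler and removed as well.
 */
function cleanHtml(string $html, array $tagBlacklist, array $attrBlacklist): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);       // tolerate sloppy markup
    // Wrap the fragment so the parser gives us a single container to find again.
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $wrapper = $doc->getElementsByTagName('body')->item(0)->firstChild;

    $tagBlacklist  = array_map('strtolower', $tagBlacklist);
    $attrBlacklist = array_map('strtolower', $attrBlacklist);

    // Snapshot the element list first: DOM node lists are live, and removing
    // nodes while iterating one would skip their siblings.
    $elements = [];
    foreach ($wrapper->getElementsByTagName('*') as $el) {
        $elements[] = $el;
    }

    foreach ($elements as $el) {
        if (in_array(strtolower($el->nodeName), $tagBlacklist, true)) {
            $el->parentNode->removeChild($el);   // blacklisted tag: drop it entirely
            continue;
        }
        // Snapshot attribute names too; removeAttribute() mutates the live map.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            if (in_array($lname, $attrBlacklist, true) || strncmp($lname, 'on', 2) === 0) {
                $el->removeAttribute($name);
            }
        }
    }

    // Serialise only the wrapper's children, leaving out the container we added.
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input for the demonstration (not real user data).
$sample = '<p onclick="handler()" class="note">Hello <b onmouseover="handler()">world</b></p>'
        . '<script>handler()</script>'
        . '<a href="/page" style="color:red">link</a>';

echo cleanHtml($sample, ['script', 'iframe', 'object', 'embed'], ['style', 'formaction']), PHP_EOL;
```

Two caveats worth keeping in mind when using a design like this: a blacklist of attribute names says nothing about attribute values (for instance the URL scheme carried in href or src), and it has to be extended every time a new dangerous tag or attribute appears, so an allowlist of permitted tags and attributes is the more robust shape for a sanitizer. DOMDocument also normalises the markup it parses, so the cleaned output is not byte-for-byte the original with parts cut out, which a regex-based filter like the one described here would produce.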
Open Source to the rescue!
Although Open Source is not limited to computer software, I think it is the loveliest phenomenon of the programming world! You are free: free to reuse or redistribute the code. Why should we reinvent the wheel over and over? Enough of that.
So I started exploring until I found a solution to the problem: a fork of an input filtering class by Daniel Morris, named JFilterInput, on the Joomla Platform. I added four new methods to the ArtaFilterinput class, implementing HTML filtering with attribute cleaning as well, inspired by the JFilterInput class.
Okay, it's finished! Thanks to the Joomla team.
Optimizing Installer interaction
Improved error display in the installer for a certain case, to prevent people from getting more disappointed.
Some fixes and changes were made to the default templates, including the introduction of a new header logo for the site template.
Some functionality-related fixes were made in several components, such as the language library, caching library, user management package, language translations package, WYSIWYG editor, etc.
With the changes made in this release, we will be more confident using Arta in online environments; although it should not be used on production sites, since no updates will be released for non-stable releases.
Here is the change log of Arta v1.0.0rc2:
- Ignored warnings which would occur when a time limit is set in "safe_mode"-enabled environments.
- Improved a vague error message in the installer to make it understandable.
- Corrected error reporting values in some places around the project.
- Added a replacement for the array_replace() function.
- Fixed some problems with error reporting when selecting a DB with an invalid collation during system installation.
- The installer now warns users about problems that will be caused by using the back button during the installation wizard.
- The Offline Message page and Error pages now have an HTML5 doctype.
- Fixed a bug in the ArtaRequest class.
- A little tweak to the ArtaLanguage class.
- ArtaCache now only writes cached items if they have changed, to prevent possible conflicts.
- The system now loads the template after processing the package. This prevents missing template locations that are added by the package.
- Refactored ArtaFilterinput::is_email() to ArtaFilterinput::isEmail().
- Fixed some problems in the users package on both clients.
- Forms now submit new values instead of old values when the tinyMCE editor is set to off.
- The extension configure page now shows a message instead of breaking the process and sending a 404 error when no settings are available for the extension.
- Added a button that lets the user hide location labels in template test mode.
- Removed the footer from the admin default template "package" file.
- Fixed a problem with filtering language translation items in the language package of the administration panel.
- An important security update to block XSS attacks; tweaked the ArtaFilterinput class.
- Updated the website address and "copyright" tags in file headers.
- Introduced a new header image for the site; modified the site and admin templates a little.