POC

*/wp-admin/press-this.php/?ajax=video&s=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
*/wp-admin/press-this.php/?ajax=thickbox&i=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Patch

the latest patch #8320 (07/09/08 19:51:53) by Ryan

WP caption structure

<div style="width: 169px" class="wp-caption alignnone" id="attachment_14">
 <a rel="attachment wp-att-14" href="http://www.whatever.com/attachment/">
 <img width="159" height="300" class="size-medium wp-image-14" title="Lorem ipsum" alt="Lorem ipsum" src="http://www.whatever.com/image.png"/>
 </a>
 <p class="wp-caption-text">Lorem ipsum</p>
</div>

From the above HTML code the whole image content is wrap using a block elements "<div>".

The issue

If the below condition is met it will render the whole document invalid.

1. Image caption is placed inside a paragraph.
2. Wordpress wpautop (default filters) is enabled; wpautop will auto append <p> on raw text content.

Turn it off

Special Constant

Interestingly a simple caption shortcode has a user defined constant. It seem like WP developer has predict that their implementation is highly debatable.

Alternatively you have the options to hardcode the below Constant to disabled the “Auto Caption” features inside wp-config.php.

define('CAPTIONS_OFF',1); // disabled auto image caption

WP Caption shortcode filters

It has filters too, img_caption_shortcode. For advance WP user you can bind this hook to overwrite the default caption template.

Workaround

My workaround involved 1. removing the caption shortcode 2. make a new one. I did this because I don’t like the img_caption_shortcode filters as seem like too much of work.

1. First we recreate/replicate the caption shortcode functions. Named it nwp_caption_shortcode - new wp caption shortcode

   function nwp_caption_shortcode($attr, $content=null){	
   
   	if ( defined('CAPTIONS_OFF') ){
   		// no check for bool its literally meant off/ get off
   		return $content;
   	}
   
   	extract(shortcode_atts(array(
   		'id'	=> '',
   		'align'	=> 'alignnone',
   		'width'	=> '',
   		'caption' => ''
   	), $attr));
   
   	if ( 1 > (int) $width || empty($caption) ){
   		return $content;
   	}
   
   	if ( $id ) $id = 'id="' . $id . '" ';
   
   	$output = '<span ' . $id . 'class="wp-caption ' . $align . '" ';
   	$output .= 'style="width: ' . (10 + (int) $width) . 'px;display:block">';
   	$output .= $content;
   	$output .= '<dfn class="wp-caption-text">' . $caption . '</dfn></span>';
   
   	return apply_filters('nwp_caption_shortcode',$output);
   }
   

   The shortcode functions is pretty much the same, the only different is I used <span> to wrap the image content and <dfn> to hold the caption text.

2. Next create a function to unregister the default caption shortcode.

   function remove_caption_shortcode(){
   	foreach(array('wp_caption','caption') as $tag) {
   		remove_shortcode($tag);
   	}
   }
   

3. Lastly we register all this functions.

   if (version_compare($GLOBALS['wp_version'], '2.6', '>=')){
   	add_action('init','shortcode_init');
   }
   
   function shortcode_init(){
   	add_action('loop_start','remove_caption_shortcode',10);
   	add_action('loop_start','reg_shortcode',11);
   }
   
   function reg_shortcode(){
   	add_shortcode('caption','nwp_caption_shortcode');
   	add_shortcode('wp_caption','nwp_caption_shortcode');
   }

Download

2.6 Permalink Defect

[...] 404 error appears on all permalinks when blog uses following permalink structure; /index.php/%postname%/. Clicking any post headings will give 404 error. Also archives /index.php/2008/07/ will give 404 error [...]

This issue arise if you set WP permalink structure to “/index.php/%postname%/“.

Workaround

Add some values in for the category and tag bases (Admin > Settings > Permalinks). The words “category” and “tag” will do just fine. As long as they are not blank, this should work around the bug. ~Otto42

More info: WP support forum → [Fix] 2.6 Permalink issues with “index.php”.

Might be interest

Probably a WP 2.6.1 patch → #8566 (by Mark Jaquith)

I’m about to upgrade a site from Wordpress 2.3 to the latest version. I’ve previously been employing the page id in order to have page specific CSS, e.g., pages with either 0, 1 or 2 sidebars.

For example, if the url is http://site.com/page1, the page is styled with a combination of a template and CSS to specify the width of primary:

#page1 #primary {margin-left: 0;width: 890px; }

I’ve read in some other posts here that Wordpress 2.5 no longer uses this, and now the post ID is used instead [...] ~ hauntedtapedeck

Workaround

Basically, what we need is a unique CSS Selector for specific post & custom page inside the template.

1. First we create a function for our CSS selector and save it inside WP theme functions.php

   functions.php: get_post_selector_classname()

   function get_post_selector_classname()
   { global $wp_query;
   
    if (!is_object($wp_query) ) return;
   
    if ($wp_query->is_single || $wp_query->is_page) {	 
   
   	 $pid = $wp_query->post->ID;
   	 $post_type = $wp_query->post->post_type; 
   
   	 return 'wp-'.$post_type.' '.$post_type.'-'.$pid;
    }
   }
   

2. Next we call the get_post_selector_classname function inside the template. You can call this function anywhere inside your template but the best placement for the class selector is inside body tag (more weight for inheritance).

   header.php

   <body class="<?php echo get_post_selector_classname();?>">
   

Available CSS selector

The following CSS selector is available inside WP post single and page only.

• body.wp-page
• body.page-ID
• body.wp-post
• body.post-ID

CSS Example

styling “single page” post.

body.wp-single{background-color:#f6f6f6;}

styling a single page with post ID 69.

body.single-69{background-color:#f6f6f6;}

styling custom page with post ID 42.

body.page-42{background-color:#f6f6f6;}

styling all custom page.

body.wp-page{background-color:#f6f6f6;}

1. Blog header Advanced Customization

1. Upload any TTF fonts inside /themes/wp-istalker-%versions%-pb/public/fonts directory.
2. GD2 is enabled

2. Post layout avatar options

1. Enabled Avatar refer Admin > Settings > Discussion > Avatar Display

3. ICRA pics-ratings

1. Upload ICRA labels.rdf inside your wordpress blog root directory.

4. Post layout relative date options

1. Activated Dustan’s time since plugin

5. ClaimID delegate meta link options

1. Valid microID hash

6. XRDS

1. Activated WP Openid plugin.

7. Language alternate meta links

1. Activated Global Translator plugin.

8. Related post widget extra options

1. Activated “Related posts widget”.

9. A9 Open search auto-discovery

• Make sure there is no osd.xml in your wordpress blog root directory
• The theme public directory is writable /themes/wp-istalker-%versions%-pb/public/

10. APC template options

Premium versions only

• Enabled APC
• Defined WP_CACHE constant inside wp-config.php
• Upload APC object-cache.php inside /wp-content/ directory

11. Botnet Cloaking options

Premium versions only

• Install CrawlTrack within the same wordpress database

The error notices is a total garbage, its something I’m not familiar with.

What surprised me is not the actual javascript errors but because google gears files is register as default wordpress scripts and running in the background, loaded via wp_default_scripts action hook filters (ref: script-loader.php Line:195) and there is no possible way to disabled this script from being loaded without editing the main files.

Attachments

1. Firebug Console Debug

   

2. Firebug Console: Loaded object, DOM tree

   

This was tested on Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008062315 (Gentoo) Firefox/3.0 & Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15

More options

Google gears is a third party provider for wonderful client storage applications (Structured client-side storage) and by all meant not all end-user will be using this features (because some are really concern with their privacy).

IMHO its a good practice to have an options to disabled google gears (not running in the background) and should be handle like the XML-RPC settings in WP 2.6.

hope to see more clean version of wordpress for 2.6 release.

Related

• wordpress.com

wp-config & wp-load files

Most plugin depend on “absolute path” to wordpress system file (wp-config.php). So the problem is there.

Lester-chan (GaMerZ) has this to say regarding the new WordPress 2.6 constant change.

The constant only get loaded when you load WP. Plugins will have problem finding wp-config.php or wp-blog-header.php from the plugin file.

might be broken in WP 2.6

require_once('../../../wp-config.php');

Long story, short

Below is my workaround for quick plugin activation setup. Its not the best solution as it involved the dirty “write-permission”, it need improvement. If you intent to uses it, there is few preliminary step to be set first:- ↓

1. browse to your plugin dir
2. create a blank php file: constant.php
3. copy paste the below code save it as new file relative to the constant.php
4. create or set your .htaccess and add Options All -Indexes.

Custom wp config file

function my_plugin_write_config()
{
	$constant = get_defined_constants(true);
	$user_defined = $constant['user'];
	unset($constant);

	$constant = array();

	// assuming that all latest wordpress CONSTANT start with WP_
	$wp_constant_prefix = "/WP_/";

	foreach($user_defined as $k=>$v){
		if (preg_match($wp_constant_prefix,$k)){
			$constant[$k] = $v;
		}
	}

	unset($user_defined);

	$constant['ABSPATH'] = (strtr(realpath(ABSPATH), array("\\", DIRECTORY_SEPERATOR)));
	$constant['WPINC'] 	= WPINC;
	$constant['WP_VERSION'] = get_bloginfo('version');

	$constant = array_map('json_encode',$constant);

	$my_plugin_config_file 	= dirname(__FILE__).DIRECTORY_SEPARATOR.'constant.php';

	if (is_writeable($my_plugin_config_file))
	{
		$content = "<?php if(!defined('MY_PLUGIN_TOKEN')) die('42');\n";

		foreach($constant as $k=>$v){
			$content .= sprintf('define(\'CONST_%1s\', %2s);',strtoupper($k),$v)."\n";
		}

		unset($constant,$k,$v);

		$content .= "?>";	

		$fp = false;

		if ( ($fp = fopen($my_plugin_config_file,'w+') ) != false) {
			stream_set_blocking($fp, TRUE);
			stream_set_timeout($fp,5);
			stream_set_write_buffer($fp, 0);
			fwrite($fp, $content);
			fclose($fp);
		}		

		unset($content,$my_plugin_config_file,$fp);

	} else {
		add_action('admin_notices','my_plugin_notification');
	}
}

function my_plugin_notification()
{
?>	<div id="message" class="error">
	<h3><?php _e('ERR') ?> </h3>
		<p><a href="http://doc.myplugin.com"><? _e('RTFM!'); ?></a></p>
	</div>
<?php
}

register_activation_hook(__FILE__, 'my_plugin_write_config' );
add_action('update_option_siteurl','my_plugin_write_config');
add_action('update_option_home','my_plugin_write_config');

Basically this script will search all user defined constant that start with “WP_” prefix, plus additional wordpress constant. Then it will write all these constant to disk inside “constant.php” (once). It also runs after a WordPress option has been update (active when user update settings for home & siteurl, I add the extra action hook just for example).

Deprecated Functions

Out of all this issue I still think WordPress as one of the best “back-compat friendly” CMS. Most of the legacy functions & variables (since version 0.71 >= 2.5) is still available inside WordPress system (wp-includes/deprecated.php). Not sure how long it will stay there..

Might be interested

• What You Need To Know About WordPress 2.6
• 10 Things You Need to Know About WordPress 2.6
• What Plugin Coders Must Know About WordPress 2.6

PHP create_function()

The new variant from wordpress.net.in & qwetro.com used the “anonymous PHP create_function” to append their spam links on their victim blog. Below is quick patch to disabled the mischievous “create_function” injection on wp_head.

The below code will look for “�lambda_n” function inside wp_head wp_filters array and remove the action hook silently. I assume that any sane developer will never used this unstable PHP function.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

note: This method only disabled the spam link from showing on your blog header. it wont fixed your blog vulnerabilities. your blog still owned thought. Tips → http://wordpress.org/download/

Download

• Note: There is a file embedded within this post, please visit this post to download the file.

Related Articles

• Fixes wordpress.net.in Spam Footer Injection
• Roberto Galoppini’s, Wordpress Spam Injection: ‘Goro’ hacked my blog

Is plugin deactivated

Unfortunately, some WordPress theme out there has a “major pending headache” for plugin dependencies breakdown sydrome. Because of this un-friendly trends there is bound shit to happen when the specific plugin is not maintain properly or on certain case of a sudden WordPress upgrade render the plugin useless (this happen a lot when previous WP 2.3 release).

To make it worse some ignorant-end-user decide “not to” upgrade their WordPress blog because their favorites theme’s has this specific plugins that will only work with previous vulnerability WordPress version & thus the never ending quotes war begin.

Theme with Plugin dependencies

From the smashing lists of “10 Fresh, Elegant and Clean Wordpress Themes“ there is 3 out of 10 theme with plugins dependencies issue. These threesome is an experienced theme designer. How many wordpress theme with plugin dependencies is out there?

So what’s the point of having clean & elegant theme if it doesn’t properly work and throw “Fatal Error” when certain plugin is deactivated.

Similar issue

Before you asked why you need to write better plugin support read on the following articles at WTC.

• Plugin Deactivation Issues by Ronald Huereca
• If Plugin Deactivation Breaks Your Blog by Jeff Chandler Jeffro2pt0.

Introduction

This guide is intent for WordPress theme designer in hope to improve theme quality and avoid plugin dependencies.

Wordpress Hook

As this is a “quick guide” so I wont cover this broad topics. It might take sometimes to understand the concept still its worth the time. You can read it at WordPress Codex ↓

• http://codex.wordpress.org/Plugin_API

Avoid Plugin dependencies best practice guide

Lets assume you want to add Lester Chan advanced pagination plugin (Wp-pagenavi) in your theme.

Fallback function

1) First we created a default function for the page navigation links (the next & previous page links). Saved it inside functions.php in your theme folder /wp-content/themes/mytheme/.

functions.php

function wpi_post_link()
{
	next_posts_link(__('« Older Entries','mytheme-name'));
	echo ' ';
	previous_posts_link(__('Newer Entries »','mytheme-name'));
}

Tips: to avoid duplicated function name conflict, its a good practice to have your own unique prefix for function name , ( i.e., wpi_get_time, themename_foo )

HTML & Action Hook Placement

2)Next we add our pagination hook (wpi_pagination) inside index.php templates ( & similar templates files i.e., home.php, category.php, archive.php ) .

index.php

<!-- pagination -->
<div id="pagination" class="border clear-both">
<?php do_action('wpi_pagination');?>
</div>

Example using default (kubrick) wordpress theme index.php templates files.

(kubrick) index.php

<?php get_header(); ?>

	<div id="content" class="narrowcolumn">

	<?php if (have_posts()) : ?>

		<?php while (have_posts()) : the_post(); ?>

			<div class="post" id="post-<?php the_ID(); ?>">
				<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title_attribute(); ?>"><?php the_title(); ?></a></h2>
				<small><?php the_time('F jS, Y') ?> <!-- by <?php the_author() ?> --></small>

				<div class="entry">
					<?php the_content('Read the rest of this entry &raquo;'); ?>
				</div>

				<p class="postmetadata"><?php the_tags('Tags: ', ', ', '<br />'); ?> Posted in <?php the_category(', ') ?> | <?php edit_post_link('Edit', '', ' | '); ?> <?php comments_popup_link('No Comments &#187;', '1 Comment &#187;', '% Comments &#187;'); ?></p>
			</div>

		<?php endwhile; ?>

		<!-- pagination -->
		<div id="pagination" class="border clear-both">
		<?php do_action('wpi_pagination');?>
		</div>

	<?php else : ?>

		<h2 class="center">Not Found</h2>
		<p class="center">Sorry, but you are looking for something that isn't here.</p>
		<?php include (TEMPLATEPATH . "/searchform.php"); ?>

	<?php endif; ?>

	</div>

<?php get_sidebar(); ?>

<?php get_footer(); ?>

is plugin active (optional)

3) For earlier version of WordPress (version 2.3.x & below) you will need to add the following function.

functions.php

if (version_compare($GLOBALS['wp_version'], '2.5', 'lt'))
{
	function is_plugin_active($plugin_filename)
	{
		$plugins = get_option('active_plugins');

			if( !is_array($plugins) ) settype($plugins,'array');			

		return ( in_array($plugin_filename, $plugins) ) ;
	}
}

Register Action Hook

4) Open your wp-content/themes/mytheme/functions.php and add the below code.

functions.php

add_action('wpi_pagination',
		 ( is_plugin_active('wp-pagenavi/wp-pagenavi.php') ) ?
		 'wp_pagenavi' : 'wpi_post_link' );

Download example code

• Note: There is a file embedded within this post, please visit this post to download the file.

Conclusion

If you are one’s of those aspiring WP theme designer “do try” not to depend on third party plugins and avoid using the below phrase if possible

“requires the following plugins to work …”

A public release theme should be “clean from plugin dependencies” and let the end user decide what plugins they need and should have.

External Links

• WordPress Codex: Plugin API → Action Reference