YaWiki 0.21 beta released

This is a security-fix release; all users are strongly encouraged to upgrade to the new version. You can get it from yawiki.com. The change notes are:

* Security Fix: In the default template set, added a paranoid number of htmlspecialchars() to help prevent cross-site scripting attacks; it should only matter in the one specific template, but you never know.

* Schema Change: Added a column to yawiki_areas. Run the "docs/MIGRATE_020_021" SQL code against your database.

* Added file "changes.php" for quick change listings (thanks Del!)

* Area administrators can now clear page locks via the area_pages.php script (thanks Del!)

* The top-level navigation elements are now always populated, even for pages not on the AreaMap

* Added file "referrals.php" to show external referrals
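As an added illustration of the kind of fix the first change note describes, and not YaWiki's own template code, the PHP fragment below renders a stored comment once unescaped and once with htmlspecialchars() applied at the point of output; the sample values and function names are constructed for this example.

```php
<?php
// Constructed sample values of the sort an open-comments wiki stores.
// They deliberately contain characters that mean something in HTML
// element and attribute context (angle brackets, both quote styles, &).
$author  = 'O\'Brien "the" <guest>';
$comment = '<test_xss> 5 < 6 & it\'s "quoted" <b>bold</b>';

// Vulnerable form: values are concatenated into the page exactly as
// submitted, so any markup inside them becomes part of the document.
function render_unsafe(string $author, string $comment): string
{
    return '<div class="comment" data-author="' . $author . '">'
         . $comment . '</div>';
}

// Hardened form: every untrusted value is escaped where it is written
// into HTML. ENT_QUOTES matters: without it htmlspecialchars() leaves
// single quotes untouched, which is not enough inside a single-quoted
// attribute. The charset argument keeps multi-byte input unambiguous.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_safe(string $author, string $comment): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . h($comment) . '</div>';
}

echo render_unsafe($author, $comment), "\n";
echo render_safe($author, $comment), "\n";
```

Escaping belongs in the template at output time rather than on the stored text, since the same comment may later be emitted in another context (a feed, a plain-text mail) where HTML entities would be wrong.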


And now for a few words spoken more from anger and frustration than from anything else:

I understand that there are bad guys ("black hats") out there who want to hijack sites and/or prove their m@d l33t ski11z at picking apart other people's software. Black hats don't give notice in advance that they are "testing" or "probing" a live site. Black hats don't give notice after-the-fact, either, unless it's for monetary gain.

Recently, some YaWiki-based sites, specifically those with open comments enabled, have come under attack by someone testing for cross-site scripting vulnerabilities. I'm pretty sure this person thinks he is a good guy, or a white hat, because most of the testing consists of variations on <test_xss> strings. However, he hasn't notified any of the site owners in advance that he is testing the site, and he certainly hasn't notified *me* of any possible flaws in the software. This places him squarely in the "black hat" category. White hats give advance notice; even better, white hats only test their own systems, not those belonging to other people (unless invited to do so).

The kicker is that I have reason to believe this person is a well-known PHP developer (at least in certain circles). If it is in fact this person, his behavior is at best profoundly unprofessional, and at worst unethical; he should be ostracized from the community until he apologizes for his actions.

Update: It's not who I thought, thank goodness; it would have been quite a blow. However, I have one other suspect; I hope it's not that person either, because it would be an even bigger blow. Regardless, the attacker should at least contact me and let me know what he's found.

Update: I think Pierre-Alain has somewhat missed my point in his blog entry about this. My contention is that, if you probe a site (that is not yours) in this way, you're not part of the solution, you're part of the problem. Black hats are under no obligation to provide notification to the subject of their "experiments", which is part of why they're bad guys. White hats obligate themselves to a higher standard; that's part of why they're good guys. Simple courtesy among community members is generally a good goal to aim for, and telling people what you're doing is part of that courtesy.

Are you stuck with a legacy PHP application? You should buy my book because it gives you a step-by-step guide to improving your codebase, all while keeping it running the whole time.