WordPress.org

This weeks guest was Andy Peatling of the BuddyPress.org Project. BuddyPress is a social networking plugin for WordPress which ads many of the features found on sites like Facebook to WordPress blogs in as few as 10 minutes. We discussed how BuddyPress came about, some of the ways it’s used, some tips on getting started, customizing it and most importantly the features it provides. In news, there were a few nice plugin releases/updates and as always quick update on the WordCamp schedule.

• PuSHPress: A PubSubHubbub Plugin For WordPress
• MySQL Profiler Plugin for WordPress
• WordCamp Schedule

The interview I did with Matt Mullenweg at WordCamp UK in Cardiff last year has finally made it on to WordPress.tv

In it,  Gurbir Singh of astrotalkuk interviews Matt and I.  We discuss the history of WordPress,  the open source philosophy behind it,  a little about our backgrounds, fame, and… astronomy.

Go watch the interview, it’s pretty cool.

Liane’s birthday dinner at the SLS Hotel in Los Angeles and a bar (name?) afterward.

After a good while (I can’t search my Twitter stream) on Chrome I’m switching back to Firefox as my primary browser, and actually uninstalled Chrome. Why? I was getting the “Oh snap” failure page all the time, even on Google’s own Youtube! The only support I was pointed to was this page, and when I followed the instructions there when I restarted Chrome everything was gone. The sentence “copy the relevant files from the “Backup User Data” folder to your new “User Data” folder.” is useless when you consider the folder has 50+ files to sort through and I wasn’t sure which one was causing my previous problems. So back to Firefox, and thanks to Xmarks all of my stuff is there. I’m also using this persona which is pretty sweet. The feature I missed most on Chrome was lame: the ability to click and hold a folder then release on a bookmark I wanted to open. On Chrome you have to click twice. It bugged me. Now back on Firefox I feel like the browser has a large head.

Toni Schneider, the CEO of Automattic, writes 5 reasons why your company should be distributed.

Comments form a very integral part of any blog to generate communication and spark discussions. As a WordPress blog user, managing comments and replying to them is very easy, however, what if you can manage and reply to comments from your desktop?

WP Comments Notifier is a open source application written in QT/C++ for Linux and Windows, which will allow you to manage new comments and reply to them from your desktop. In addition to that, it will also allow you to edit, spam or delete the comments.

This app will also display comments summary when you hover over the system tray icon and alert you whenever a new comment is posted to your blog. The app also works for WPMU blogs.

You can download the installer for Windows by visiting the app homepage and also find instructions on how to build the app from source on Linux machines.

Download WP Comments Notifier

Turquoise

The Turquoise Theme is a simple free WordPress Theme 980px wide with 3 Sidebars and an Option Page to populate the Footer. One Sidebar is on the right side optimized for Adsense 250px Ads. Two Sidebars are on top of the postings and below the Posting. Good for 468px Ads.

Greener Side

Smell the fresh cut grass and feel the butterflies flutter past your face… It’s summer year round with this eye-catching fixed width two-column design.

Wordsmith Blog

Two column, brown theme. Choose background colors, sidebar placement, and an optional adsense ready sidebar.

5 Music WordPress Themes

Share your music and videos, connect with fans, and let everyone know about your upcoming gigs with one of these music WordPress themes. Whether you’re a musician, DJ, or producer, one thing’s for sure — these widget-ready and Gravatar-enabled themes rock.

Okay, so in my post about Code Spelunking I mentioned about how working on a project can lead you to explore the code because you need to become more familiar with how the code works. But it can also lead you to explore the code to figure out why code doesn’t work. In this particular case, I spent many hours puzzling over why something didn’t work correctly, chasing down the root cause, and eventually finding a bug in the WordPress core. I documented the bug in Ticket #12394, provided a patch, and it was committed to core in Changeset [13561], which will be part of WordPress 3.0.

And how did I find this little buglet? As usual, it’s because I was doing something a little off the beaten track. I was working on some code which imports XML data into WordPress, on a scheduled basis (hourly, daily, weekly, etc). During testing, sometimes the images in the imported content would come through fine, and other times, they would be missing the src attribute, without which, there really isn’t an image, is there? So you’d view the post and there would be this big 300-pixel square hole with just the alt text where the image should have been.

At first, I didn’t know why it worked only some of the time. Then I saw the pattern that when I ran the code “manually” via a “Run now” button in my options screen, the images worked. But when the code ran via WP-Cron, they didn’t. At first, I thought it was a timing issue, and that maybe when the cron action hooks fired, maybe there was some piece of WordPress functionality that wasn’t loaded yet. But shunting my execution hook to run at a later point didn’t fix anything.

Next, I decided that one key difference when running manually versus running from cron was me — I was logged in as an admin. And, in fact, after some debugging, I determined that there was no user context at all when running from cron. When I modified the code to run as myself, the image tags came through cleanly. Well, I didn’t want to hard-code the program to always run as me, so I added a user selector to the options so that the owner of the posts could be set.

But then when I started testing again, with users of various roles, the problem cropped up again. In particular, it worked great for a user with the Editor role, but not for the Author role. Digging a little deeper into the differences between the two roles, the thing that jumped out at me is that Editors (and Admins) have the “unfiltered_html” capability.

You see, normally, when you write a post, it is sent through a series of filters which take your free-form writing, and turn it into cleaner HTML. One of these filters is called ‘kses‘ (which stands for ‘kses strips evil scripts’). This filter is especially important on multi-author blogs where you might not be able to give 100% trust to the other authors. Otherwise, one of them would be able to (for instance) put javascript in a post which would steal the cookie information from another user who reads the post. So it is the job of kses to ensure that only “safe” HTML is kept. This would also keep you from embedding things like YouTube videos, Java applets, and other fun useful things. So users with the unfiltered_html capability set in their profiles are able to post without this filtering.

This certainly seemed like a likely culprit, except for one thing: even when post content is filtered through kses, the HTML img tag is not filtered out. And neither is the src attribute on an image. That is specifically supposed to be allowed. An image is a perfectly normal thing to have in a post. So why, oh why, was my src attribute being stripped?

I started looking very closely at the kses library. It’s a rather hairy bit of code, full of complex regular expressions and state-machine logic. But when reverse-engineering how the attribute-cleaning bits work, I noticed something in one of the regular expressions: it was hardcoded to expect a space between the end of an attribute and the closing of a tag. In other words, it expected an image tag to look something like this:

<img width='400' height='300' src='people.jpg' />

But, since my data was coming from an XML source, there was no extraneous space. My image tags looked like this:

<img width='400' height='300' src='people.jpg'/>

Notice the subtle difference? There is no space between the final single-quote around 'people.jpg' and the /> which closes the tag. And because of the way the match was being done, kses was throwing away any attribute that abutted the tag-close in that fashion.

The next question was: was this (technically) a bug, or was kses just being strict about some rules of formatting? A quick search turned up the Empty Elements section of the XHTML spec, which covers the syntax for empty tags like img, br, and hr. The examples given there do not include a space before the end of the elements. Furthermore, this section points to the HTML Compatibility Guidelines, which show that adding a space is for compatibility with older HTML browsers. So, since the XHTML spec does not require the space, and WordPress is supposed to render XHTML code, the behavior in kses was definitely a bug, and not just bad manners. I quickly worked up a patch, submitted it on Trac, and brought it to the attention of the core team.

Fortunately, the WordPress system of filters allows you to alter just about anything on the fly, so I was able to “trick” the system into thinking that the posting user selected in my plugin had the unfiltered_html capability, even when they really didn’t. This allowed me to work around the bug while my plugin is running.

This bug was pretty minor in the grand scheme of things. Probably not many people had ever run into it. But after hours of puzzling over those broken image tags, it felt darned good to find it, and — more importantly — squash it. And after the release of WordPress 3.0, nobody will have to scratch their heads over it again. Yay me!

Related posts:

1. WordPress Code Spelunking
2. WordPress Webhooks Plugin
3. Easy Gravatars 1.2

For the past 8 months I have been receiving requests to update the Notify Unconfirmed Subscribers plugin, since it stopped working for users. Frankly, I never really found the time to do it, but as the requests piled up, I decided to set some time aside and update the plugin.

So if you have been having problems with NUS, update to the latest version (1.3.0) and the issues should be solved. Do let me know if you have any problems with the latest update.

A few notes:

• Support for Old FeedBurner accounts has been dropped in v1.3.0, please upgrade your account to a Google account before using NUS.
• NUS will only work on sites with cUrl support.
• Support for additional languages coming in future versions.

Note: I have not used WP_Http as there are problems with fsock and other http methods, it only works for cUrl right now. However, the plugin does contain a file which uses WP_Http which will be used in future versions.

You will get a dashboard notice to update the plugin, if you don’t you can download Notify Unconfirmed Subscribers v1.3.0 from here.

So, day one of WordCamp Ireland draws to a close, there is a dinner tonight but the talks and sessions are over for the day.

I briefly helped John Handelaar during his talk on WordPress MU, but my main talk was on WP Super Cache. Thank you Hanni, Jane and Sheri for recording the talk. Hopefully it’ll be available online next week. In the meantime here’s the OpenOffice slides of my talk.

I must extend a big thank you to Sabrina Dent and Katherine Nolan for organising a great day and to the sponsors who made the weekend possible.

Looking forward to the dinner tonight, and the rest of the conference tomorrow.

Update! I’ve added a few photos from Day 2. I was shattered tired though as I was up until 1.30am chatting with Donnacha!

Update 2! Sabrina has written a thoughtful post about WordCamp Ireland. I for one had a great time there and so did everyone I spoke to. I totally agree with her about child minding facilities. My son Adam had a whale of a time, and is still talking about it. (and for an almost three year old, that’s a very good sign!)

Oh, more photos on Pix.ie!

Related Posts

• No related posts

A day in LA spent looking at Fort Street carpets and vintage furniture around town, and then SOHO House for the Montblanc / Harvey Weinstein pre-Oscars dinner and party. (Stopped taking photos once the actual party started, didn’t want to get kicked out .)

New Plugins

Wordpress External Cron

Allows you to setup a cron to fetch any page on the server

PuSHPress

This plugin adds PubSubHubbub ( PuSH ) support to your WordPress powered site. The main difference between this plugin and others is that it includes the hub features of PuSH, built right in. This means the updates will be sent directly from WordPress to your PuSH subscribers.

Block Bad Queries

Protect WordPress Against Malicious URL Requests

Image Space Media

The ISM plugin optimizes your Wordpress blog for Image Space Media’s in-image advertising technology. With the ISM plugin, Wordpress users can seamlessly integrate Image Space Media’s in-image advertising solution into their website and generate ad revenue.

Easily navigate pages on dashboard

Display a folder tree of your pages that is easy to expand and contract on your Dashboard. Designed for people that use Wordpress as a content management system.

MySQL Profiler

WordPress is extremely flexible. However, flexibility generally brings about the issue of performance. WP MySQL Profiler is a simple plugin that assists in improving performance of themes and plugins.

Updated Plugins

Easy Review Builder for WordPress

Create attractive star ratings for reviews. Supports multiple rating categories and an optional auto-calculated summary

Dynamic “To Top”

Adds an automatic and dynamic “To Top” button to easily scroll long pages back to the top.

The Harvard Gazette is now on WordPress, with a beautiful magazine-style design. There’s a whole meme/argument going around a few blogs and Twitter saying WordPress isn’t a CMS. Who cares what you call it, look at the amazing sites you can create. (And manage content on.) Who woulda thunk it. I thought WordPress was only good for “just a blog” — what are these Harvard gonzos doing? Fie! I say.

The Harvard Gazette, which is Harvard’s official newspaper, has recently relaunched their site, and is now powered by WordPress:

Highlighting faculty research, administrative staff, students, and events – this is a great example of a complete site that you can build with WordPress. Congrats to the team at Harvard for building such as great site.

It’s also exactly in sync with the feedback we are hearing from the publishing community. Many of you have shared with us your exciting plans to take advantage of the flexibility and power of WordPress to build your next-generation full sites on this platform. It’s going to make for a very exciting next few months !

[ visit Harvard Gazette ]

WordPress.com User Accounts now auto-login to IntenseDebate blogs no matter where they’re hosted, any website in the world. Connect services like Facebook’s and Twitter’s always require at the very least a click or two, and in worst case can be a full login and several bounces to the origin site, which increases the friction of commenting and can actually decrease the number of comments you get. (Oh noes!) This is much smoother, and faster. Previously this was only available if you actually hosted on WP.com, now it’s for any website, anywhere.

WP.com is now Pubsubhubbub-enabled, and the code we used to do that is now available as a plugin as well. It took me 30 seconds to add to this blog using the dashboard “add plugin” functionality and searching for “pushpress.” I love it when we’re able to do these simultaneous releases, it falls in line well with WP.com’s goal of all its useful code being available to everyone, for example the custom CSS release.

Light Folio

Light Folio is a clean clean and light theme with a combination black and white color.

CleanTech

CleanTech is a clean, two column and elegant theme with support for threaded comments designed to focus your content.

Ultima

This is a 2-column, soft-colored, rounded theme that totally aims at content and nothing else.

WordPress MU 2.9.2 has just been released and is mostly a security and bugfix release based on WordPress 2.9.2. Grab it from the download page.

As well as the security fix mentioned above, this version also fixes a few bugs, makes the blog signup process much faster and adds a new “Global Terms” Site Admin page.

The “Global Terms” page is one I should have added years ago. Currently it’s fairly bare, but hopefully in future versions of WordPress it will be expanded. It allows the Site Admin to “fix” the terms (tags and categories) used in MU blogs. These terms are normally synced with the “sitecategories” table but sometimes they go astray. This can happen if you “import” a blog using PHPMyAdmin without going through the WordPress importer, or if a plugin manipulates the terms table directly.
WordPress MU forces the “slug” used by terms to be a sanitized version of the “name”, which isn’t the case in WordPress. This page can optionally rename the terms so they match the slug. It doesn’t do the opposite because that would break public facing URLs on the site. (I must extend a big thank you to Deanna for helping debug that page)

Enjoy!

Related Posts

• WordPress MU 2.7
• WordPress MU 2.6.1
• WordPress MU 2.8.1

PubSubHubbub, or PuSH, is now supported on all WordPress.com blogs. For those running sites using the WordPress.org software the PuSHPress plugin is available to do the same thing. The big difference in this plugin compared to the other PuSH WordPress plugins is that it includes a PuSH hub built in.

A little bit of PubSubHubbub background

Like rssCloud, PuSH adds a line to your feed to let clients know where they can send PuSH subscription requests. In the RSS2 feed this looks like:

<atom:link rel="hub" href="http://josephscott.org/?pushpress=hub">

and in Atom looks like:

<link rel="hub" href="http://josephscott.org/?pushpress=hub">

The href attribute contains the URL that subscribers can send requests to. Details on what that request looks like are in the PubSubHubbub Spec. The short version, it’s a simple HTTP POST call with some specific field names.

Here’s an example PHP subscription request asking that updates to http://example.com/feed/ be sent to http://example.com/push/ via the hub at http://example.com/?pushpress=hub

$curl = curl_init( );

curl_setopt( $curl, CURLOPT_URL, 'http://example.com/?pushpress=hub' );
curl_setopt( $curl, CURLOPT_POSTFIELDS, 'hub.callback=http://example.com/push/&hub.mode=subscribe&hub.secret=not-telling-you&hub.verify=sync&hub.topic=http://example.com/feed/&hub.verify_token=133t-$7r1n9' );
curl_setopt( $curl, CURLOPT_VERBOSE, 1 );
curl_setopt( $curl, CURLOPT_POST, 1 );

curl_exec( $curl );
print_r( curl_getinfo( $curl ) );
curl_close( $curl );

The hub at example.com will then send new content (in feed format) right after it’s published to URL provided in hub.callback.

Why the PuSHPress plugin?

I love that there are large, open PuSH hubs available for anyone to use. There’s a list at http://code.google.com/p/pubsubhubbub/wiki/Hubs. In PuSH since most of the hard work (figuring out what’s new in a feed and sending that out to subscribers) is done via the hub this is very handy and really great for testing.

I also think there’s a role for a readily available simple hub that anyone can put up and use, in this case built on top of WordPress. And by leveraging WordPress the hub part can be greatly simplified. The real bonus for users is choice, they can relay the updates through 3rd party hubs, or use the built in hub in PuSHPress.

It’s worth noting that PuSHPress has a WordPress filter on the array of hubs; pushpress_hubs. This allows other plugins to easily add to or replace the hubs mentioned in the feeds by PuSHPress.

To help keep things simple and limit potential abuse the PuSHPress plugin will only allow subscriptions for the RSS2 and Atom feeds of the WordPress blog that it is installed on.

My thanks to Brett Slatkin for helping test PuSHPress. His tests revealed a few bugs that were quickly addressed.

How fast?

When talking about these realtime-ish update features this question often comes up. Fair enough, I’d want to know too :-)

The PuSHPress plugin schedules pings to go out right away via the wp_schedule_single_event function in WordPress. I suspect for most people this will be quite fast. If your server is under tremendous load and really slow, then this will be really slow too, just like the rest of the server ;-)

On WordPress.com the details are a bit different. Instead of scheduling pings to be sent out with wp_schedule_single_event it adds them to our asynchronous jobs system ( more info available at http://code.trac.wordpress.org/ ). The jobs system is setup to do exactly these kinds of tasks really, really fast. Don’t be surprised if the ping shows up before you get a chance to finish the first Mississippi.

The future

So where is all this going? Who knows, but it is fun to watch! :-)

Further reading

If you have an interest in this area there are plenty of resources:

• PubSubHubbub project site
• Google Group
• Spec

The spec is a quick read and to the point, worth reading.

And there you have it, a little more in-depth discussion of PuSHPress.

Related posts:

1. RSSCloud For WordPress
2. rssCloud WordPress Plugin Update – 0.4.1
3. mod_ping, Maybe I Should Have Called It PubSubHubbub

This week Joost is joined by Jeff Chandler of the WordPress Tavern and Grant Griffiths of the Headway theme. They discussed all of the implications of themes and plugins being GPL or not, and why people would and in Joost’s opinion should choose to be GPL. Also some discussion came up about how theme and plugin authors should be credited.

There are times when I have wanted to install a plugin on my blog. The usual process included loading the admin dashboard and going to the install plugin page, or bookmarking the install plugin page and then navigating to it using that.

Now I also want to access another feature in the admin dashboard, so I go ahead and bookmark it. Bookmarking pages is definitely a good way to quickly jump to certain pages, however, it is not exactly productive.

That was until I came across an excellent bookmarklet, which will allow users to quickly access the the WordPress sidebar menu items with a single click. Once you drag and drop the bookmarklet to your browser bookmark bar, you can click on it to access the admin menu for a particular site. Take a look at the screenshot below to see it in action.

Once you click on the bookmarklet, a WordPress like menu will be displayed to you, you can hover over the menu to see the sub-menus and options available under the menu. Clicking on the link will take you directly to the admin page of the current site you are browsing.

I emphasized on the text above, as this is the only flaw I saw with the bookmarklet. It will only work for the site you are currently browsing and not a site you can choose it to work for. So technically you will have to browse to your own site before you can get this to work properly for you.

That aside, this is a really useful bookmarklet and will definitely come in pretty handy. Visit the link below to add the bookmarklet to your browser’s bookmark bar.

WordPress Admin Toolbar Bookmarklet [via @smashingmag]

Guardian: When using open source makes you an enemy of the state. “The US copyright lobby has long argued against open source software – now Indonesia’s in the firing line for encouraging the idea in government departments”

New Plugins

123 Flash Chat

123 Flash Chat WordPress Plugin can be used to create your own chat room in WordPress. It allows you to insert chat room to your sidebar, with either a lite chat client or a link to standard chat client in popup mod. And you can define the width and height of 123 Flash Chat as well as its skin & language. The chat room displays a “hosted by 123flashchat.com free of charge” message.

Asynchronous Widgets

Allows you to have any registered widget on your WordPress.org-powered site be loaded asynchronously via an AJAX call.

WP-Tabbity

Allows authors to create one or more tab groups containing one or more tabs, animated by the WordPress-included version of jQuery.

WP Function Reference

Provides a box on the dashboard with a list of the functions that are available for you to use in your Wordpress installation

Disable WordPress Updates

Disables the theme, plugin and core update checking, the related cronjobs and notification system.

Updated Plugins

SEO Ultimate

This all-in-one SEO plugin can handle titles, meta, noindex, canonical tags, 404 monitoring, linkboxes, robots.txt, and more. Version 1.6 can import data from All in One SEO Pack.

Bulk Delete

Bulk Delete WordPress Plugin which lets you to delete posts in bulk from selected categories or tags has been updated to version 0.7. The new version supports moving to trash instead of deleting and batch updates.

Rico Tabbed Menu

This is a simple plugin to create a tabbed menu in a post using Rico Ajax.

WP Google-buzz

Automatically displays Google Buzz button for every post. Google Buzz is shaping up to be an interesting new way to share content with your Gmail friends, so why not have a button for sharing blog posts/pages to the service.

Ozh’ Who Sees Ads

Who Sees Ads is an advanced ad management plugin that lets you decide who will see your ads, for instance Adsense, depending on user defined conditions. You can manage ads in your templates (eg sidebar.php) or within posts and pages.

Lightbox Plus

Lightbox Plus permits users to view larger versions of images from the current page and display simple slide shows, all in an overlay.