Joomulus Updated
Joomulus has been updated and fixes a possible XSS attack vulnerability.
Please download the update now, and please ensure that all Tag URLs you enter into the module parameters include http:// at the start, i.e. they should not begin with www.
How was Joomulus Vulnerable To Cross-Site Scripting?
Joomulus uses SWFObject.js to embed the swf and pass flashvars; both Adobe and Google recommend and support this approach.
Flashvars are a way of communicating information from your HTML page to the nifty little Joomulus.swf. So PHP outputs your tags, JavaScript passes them along to ActionScript, and ActionScript gives you the animated Joomulus tag cloud. The tags are passed to the Joomulus swf as HTML links. If you really know your stuff, you could pass along JavaScript in the link of a TAG instead of a normal URL.
You may not want to do this, but a malicious person could embed the swf from your site (let's call it site A) on another site (site B). They could then manipulate the tags and URL, not on your site but on site B. From there they could possibly grab your session ID and use it to access your Joomla site (theoretically – no instances of this have been reported in the wild to date).
This could all be fixed with a clever .htaccess file to stop the swf loading on other domains. However, the most recent Joomulus won't activate links that don't start with http, which stops the execution of JavaScript or VBScript on site A and site B. The tag will still get rendered (be viewable) but won't be clickable, thus stopping any script from executing. No sensitive information is passed to Joomulus, but it is still recommended to update. Also remember to use http:// for all your links (if you weren't already).
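The "links must start with http" rule described above, applied on the page side before the tag data goes into the flashvars, as an added example in JavaScript. This is not Joomulus's or Roy Tanck's code: the function names (sanitizeTagUrl, escapeHtml, buildTagcloudMarkup, buildFlashvars), the SAMPLE_TAGS data and the `<tags><a ...>` markup layout are all assumptions made for the example, the last one being a simplification of what the swf reads.

```javascript
// Added example (not Joomulus code). Names and the markup layout are hypothetical.
const ALLOWED_SCHEMES = ["http:", "https:"];

// Returns a normalised absolute http(s) URL, or null when the value must not be
// made clickable: javascript:, vbscript:, data:, or a scheme-less "www." value.
function sanitizeTagUrl(raw) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  // Control characters and embedded whitespace are rejected outright: several
  // URL parsers strip them, so "java\tscript:" would otherwise become "javascript:".
  if (/[\u0000-\u0020\u007f]/.test(value)) return null;
  let parsed;
  try {
    parsed = new URL(value); // throws for relative or scheme-less input
  } catch (_) {
    return null;
  }
  return ALLOWED_SCHEMES.includes(parsed.protocol) ? parsed.href : null;
}

// Escape text for use in attribute values and text nodes of the tag markup, so a
// tag label cannot break out of the <a> element it is placed in.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Turns tag records into the markup string handed to the swf. A tag whose URL
// fails the check is still rendered (the cloud looks the same) but carries no
// href, matching the behaviour the post describes for the patched module.
function buildTagcloudMarkup(tags) {
  const items = tags.map((t) => {
    const href = sanitizeTagUrl(t.url);
    const size = Number(t.weight) > 0 ? Number(t.weight) : 10;
    const attrs = `style="font-size:${size}pt"` + (href ? ` href="${escapeHtml(href)}"` : "");
    return `<a ${attrs}>${escapeHtml(t.label)}</a>`;
  });
  return `<tags>${items.join("")}</tags>`;
}

// Flashvars travel as a name=value&name=value string. The markup is URL-encoded
// here so that '&' and '=' inside it cannot split that string; the resulting
// object is what would be passed as the flashvars argument of swfobject.embedSWF.
function buildFlashvars(tags) {
  return { tagcloud: encodeURIComponent(buildTagcloudMarkup(tags)) };
}

// Constructed sample input: one good tag, one "www." tag, one hostile tag.
const SAMPLE_TAGS = [
  { label: "joomla", url: "http://example.com/tag/joomla", weight: 14 },
  { label: "www only", url: "www.example.com/tag/x", weight: 10 },
  { label: "<b>x</b>", url: "javascript:alert(1)", weight: 12 },
];

console.log(buildTagcloudMarkup(SAMPLE_TAGS));
console.log(buildFlashvars(SAMPLE_TAGS));
```

Parsing with the URL constructor rather than a `startsWith("http")` test is deliberate: it also rejects mixed-case or whitespace-padded scheme tricks and scheme-less values, and it normalises the host, so the same rule can be applied again in the PHP that writes the module parameters.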
For The Future
Chinese and Japanese language support is coming folks. Also a K2 version of Joomulus should be out in the next week. It’s already built and in use on a live site, but we want to run a few more tests before releasing it. The K2 prototype can be seen running on Wordwolf – and you can see it is pulling in the K2 content tags.
Roy Tanck has built a prototype for WordPress that supports Unicode, and we have embedded this below.
NOTE: This is NOT the updated version we are releasing today – the updated version is a security update - stay tuned for new feature releases in April.
Joomulus with Japanese Character Support – Kana
Joomulus is updated! The flash Tag cloud for Joomla now includes improved styling! More languages! Full details and download link below the Japanese character demo.
If you LOVE Joomulus please show your appreciation by using the social bookmarking links at the bottom of this post. Or you can go ahead and DIGG right now! Or add it to your delicious bookmarks!
Updates include:
The mouse pointer displays as a hand when hovering over tags – as you would expect for a hyperlink.
X and Y scaling is fixed – you can get an elongated spread of tags by adjusting this value as seen in our Joomulus Demo.
Language/character sets included in this module are as follows:
- English/Basic Latin
- Greek/English
- Japanese – Kana
- Bulgarian/Russian/Serbian/English – Cyrillic Base
- Portuguese/Polish/English – Latin Extended Base
We plan to release Turkish, Chinese and a number of others very soon – time did not allow for this release – leave your comments and suggestions below.
Joomulus 2 – Now Handles Greek Characters – Other Languages Coming Soon
Joomulus has been updated to include the Greek character set.
It took some thinking to solve the multilingual option but now that we have worked this out we can provide additional languages/character sets as required (and time permits).
If you have a specific language or character set you want included in Joomulus then leave a comment below. We’ll consider a comment a vote and we’ll start updating the language character sets for the most popular requests first.
Download Joomulus free from our downloads area (must be registered).