Template changes in Movable Type 5.13, 5.07, and 4.38
As a result of security fixes in Movable Type 5.13, 5.06 and 4.38, some of the global templates and the JavaScript template in each blog were updated. You need to refresh those templates to comment or to use Community features once you upgrade to Movable Type 5.13, 5.07, 4.38, or a later version.
How to update your own theme?
You need to update the JavaScript index template in your theme to make it compatible with 5.13, 5.07, and 4.38. If you have not customized the JavaScript index template, you can simply copy the JavaScript index template from the Classic Blog theme bundled in 5.13 and replace the one in your theme.
The new JavaScript index template is exactly the same in 5.13/5.07/4.38 and is also the same across the bundled themes. It is, however, incompatible with earlier versions of Movable Type.
If you still see an error when commenting on your blog, make sure that your comment form includes the sid parameter as an input of type="hidden":
<form method="post" action="<$mt:CGIPath$><$mt:CommentScript$>" name="comments_form" id="comments-form" onsubmit="return mtCommentOnSubmit(this)">
<input type="hidden" name="sid" value="" />
If your theme is based on Community Blog or Community Forum, you need to replace your global templates with the ones bundled in 5.13.
Changes in JavaScript Index Template
The JavaScript index templates in the bundled themes (Classic Website/Blog, Pico, Community Forum/Blog, Professional Website/Blog, Smart Blog) were updated.
- Updated in Movable Type 5.13, 5.07, and 4.38
- Requires a template refresh after upgrading.
- Updated:
- default_templates/javascript.mtml
- themes/classic_website/templates/javascript.mtml
- themes/classic_blog/templates/javascript.mtml
- themes/pico/templates/javascript.mtml
- addons/Community.pack/templates/global/javascript.mtml
- addons/Community.pack/templates/forum/javascript.mtml
- addons/Community.pack/templates/blog/javascript.mtml
- addons/Commercial.pack/templates/professional/blog/javascript.mtml
- addons/Commercial.pack/templates/professional/website/javascript.mtml
- smart_blog/templates/javascript.mtml
Background
The change fixes a vulnerability in the session management. The new session management requires the following steps to obtain a session_id safely.
- The user signs in to Movable Type with the user ID and password.
- Movable Type returns a one-time token as the hash fragment in the URL, e.g. the hash fragment is 0123456789abcdef in the following URL.
http://blog.example.com/2011/10/my_post.html#_login_0123456789abcdef
- The browser sends a request to <$mt:CommentScript$>?__mode=userinfo with the one-time token and gets a valid session_id.
Changes for the authentication plugins
The MT::Auth::handle_sign_in interface was changed. Previously handle_sign_in returned only a commenter object; the new version returns the commenter object AND a list of session objects. If your plugin overrides handle_sign_in by inheriting from the MT::Auth class, you need to update the method to return this new value. If it does not, Movable Type tries to maintain compatibility by loading the session object automatically, but this is not ideal from a performance perspective.
Changes when using Transformer to include plugin template
You need to specify your plugin key with the component attribute.
<mt:Include name="PATH_TO_TEMPLATE_FILE" component="SamplePlugin">
Details
session_js is obsolete; use userinfo instead
When processing sign-in with JavaScript, mode=session_js is obsolete and you need to use the new mode=userinfo instead. For example, the following old code should be replaced.
script.src = '<$mt:CGIPath$><$mt:CommentScript$>?__mode=session_js&blog_id=<$mt:BlogID$>&jsonp=' + cb + '&ts=' + ts;
With the new procedure, first get the user object with mtGetUser():
var u = mtGetUser();
and then pass its sid attribute to mode=userinfo as follows.
script.src = '<$mt:CGIPath$><$mt:CommentScript$>?__mode=userinfo&blog_id=<$mt:BlogID$>&jsonp=' + cb + '&ts=' + ts + '&sid=' + u.sid;
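The client-side half of the flow described in the Background section and the userinfo request above, as an added example that is not part of the Movable Type templates. The function names are assumptions for this illustration, and the <$mt:CGIPath$> and <$mt:CommentScript$> values are passed in as plain strings rather than expanded by the template engine.

```javascript
// Added example, not code from the Movable Type templates. It reads the one-time
// token from the "#_login_<token>" fragment, builds the __mode=userinfo request
// from the signed-in user's sid, and fills the hidden sid input before the
// comment form is posted. mtParseLoginToken, mtUserInfoUrl, mtFillCommentSid and
// mtCookieString are assumed names; cgiPath/commentScript stand in for the
// <$mt:CGIPath$> and <$mt:CommentScript$> template tags.

// Return the one-time token from a "#_login_<token>" hash, or null when the
// fragment is absent, is "#_logout", or is not a plain hex token. Rejecting
// anything else keeps a tampered fragment out of the userinfo request.
function mtParseLoginToken(hash) {
  var m = /^#_login_([0-9a-f]+)$/.exec(hash || '');
  return m ? m[1] : null;
}

// Build the JSONP URL shown above for __mode=userinfo. Each dynamic value is
// percent-encoded with encodeURIComponent(), the same change the templates made
// in mtSetCookie()/mtGetCookie() when they dropped escape().
function mtUserInfoUrl(cgiPath, commentScript, blogId, cb, ts, sid) {
  return cgiPath + commentScript +
    '?__mode=userinfo&blog_id=' + encodeURIComponent(blogId) +
    '&jsonp=' + encodeURIComponent(cb) +
    '&ts=' + encodeURIComponent(ts) +
    '&sid=' + encodeURIComponent(sid);
}

// Copy the verified session id into <input type="hidden" name="sid"> before
// submitting. Returns false when the template lacks the field (the cause of the
// commenting error described above) or when there is no verified session yet,
// so the caller can run mtVerifySession() first instead of posting blindly.
function mtFillCommentSid(form, user) {
  if (!form || !form.sid) return false;
  if (!user || !user.sid) return false;
  form.sid.value = user.sid;
  return true;
}

// Cookie assignment string as written after the escape() -> encodeURIComponent()
// change. escape() leaves "+" and "@" untouched, so how such a value reads back
// depends on the decoder; encodeURIComponent() always yields %2B and %40.
function mtCookieString(name, value) {
  return name + '=' + encodeURIComponent(value);
}
```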
Updated JavaScript methods
The following methods were updated or added. Please refer to the new JavaScript index template for the changes.
- mtLoggedIn(ott)
- mtRefreshUserInfo(sid)
- mtSaveUserInfo(u)
- mtInitCommenter()
- mtVerifySession(cb)
Other changes
Added the following snippet in mtinit().
<mt:IfBlog>
<mt:IfRegistrationAllowed>
mtInitCommenter();
</mt:IfRegistrationAllowed>
</mt:IfBlog>
In mtSignInOnClick() method, mtFetchUser() was replaced by mtSignIn().
In mtCommentOnSubmit() method, mtFetchUser('mtCommentSessionVerify') was replaced by mtVerifySession('mtCommentSessionVerify').
In mtCommentSessionVerify(), mtFetchUser('mtSetUserOrLogin') was replaced by mtSignIn(). And var u = mtGetUser(); was replaced by the following snippet.
if ( app_user && app_user.verified ) {
In mtShowGreeting(), the user_link variable was updated as follows.
user_link = '<a href="<$mt:CGIPath$><$mt:CommentScript$>?__mode=edit_profile&blog_id=<mt:BlogID>&return_url=' + encodeURIComponent( location.href );
In mt:IfRegistrationAllowed, the following JavaScript was removed.
/***
* If request contains a '#_login' or '#_logout' hash, use this to
* also delete the blog-side user cookie, since we're coming back from
* a login, logout or edit profile operation.
*/
var clearCookie = ( window.location.hash && window.location.hash.match( /^#_log(in|out)/ ) ) ? true : false;
if (clearCookie) {
// clear any logged in state
mtClearUser();
if (RegExp.$1 == 'in')
mtFetchUser();
} else {
<mt:Ignore>
/***
* Uncondition this call to fetch the current user state (if available)
* from MT upon page load if no user cookie is already present.
* This is okay if you have a private install, such as an Intranet;
* not recommended for public web sites!
*/
</mt:Ignore>
if ( is_preview && !user )
mtFetchUser();
}
In mtSetCookie() and mtGetCookie(), use encodeURIComponent() instead of escape().
var curCookie = name + "=" + encodeURIComponent(value) +
Changes in Classic Website/Blog and Pico theme
Comment Preview
- Updated in Movable Type 5.13, 5.07, and 4.38
- Blog Template Module
- This update is mandatory.
- themes/classic_blog/templates/comment_preview.mtml
- themes/classic_website/templates/comment_preview.mtml
Added the sid parameter as an input of type="hidden".
<form method="post" action="<$mt:CGIPath$><$mt:CommentScript$>" name="comments_form" id="comments-form" onsubmit="return mtCommentOnSubmit(this)">
<input type="hidden" name="sid" value="" />
Changes in Community Solution
The following changes were made in the Community Solution bundled with Movable Type Pro/Enterprise/Advanced.
Comment Form
- Updated in Movable Type 5.13, 5.07, and 4.38
- Blog Template Module
- This update is mandatory.
- addons/Community.pack/templates/blog/comment_form.mtml
Added the sid parameter as an input of type="hidden".
<form method="post" action="<$mt:CGIPath$><$mt:CommentScript$>" name="comments_form" id="comments-form" onsubmit="return mtCommentOnSubmit(this)">
<input type="hidden" name="sid" value="" />
Profile
- Updated in Movable Type 5.13, 5.07, and 4.38
- Global Template
- This update is mandatory.
- addons/Community.pack/templates/global/profile_view.mtml
In CommunityScript (mt-cp.cgi), the JSON method of the relations_js mode was updated. The relations() function is placed in the Profile template, and the third argument of the function was removed. Added this snippet at the top,
var u = mtGetUser();
and added the following snippet below the header module include.
<script type="text/javascript">
// Need to clear these
mtCookieDomain = "";
mtCookiePath = "";
</script>
The Edit Profile link condition was changed as follows.
<mt:IfLoggedIn element_id="edit_profile">
<mt:If name="profile_self">
<a id="edit_profile_link" href="#"><__trans phrase="Edit Profile"></a>
</mt:If>
Login Form
- Updated in Movable Type 5.13, 5.07, and 4.38
- Global Template
- This update is mandatory.
- addons/Community.pack/templates/global/login_form.mtml
Added HTML escaping.
<$mt:Var name="return_to" encode_html="1" />
Profile Edit Form
- Updated in Movable Type 5.13.
- Global Template
- This update is mandatory.
- addons/Community.pack/templates/global/profile_edit_form.mtml
Added a new validation script under the pass_verify input field.
<script type="text/javascript">
/* <![CDATA[ */
<$mt:PasswordValidation form="profile" password="pass" username="name"$>
/* ]]> */
</script>
Updated the password input field as follows.
<mt:SetVarBlock name="field-content"><input type="password" name="pass" id="pass" class="text password" /></mt:SetVarBlock>
<mt:SetVarBlock name="hint">(<$mt:PasswordValidationRule$>)</mt:SetVarBlock>
<$mt:Include module="<__trans phrase="Form Field">" id="pass" label="<__trans phrase="New Password">" show_hint="1"$>
Added a current password confirmation when changing the password.
<mt:SetVarBlock name="field-content"><input type="password" name="old_pass" id="old_pass" class="text password" /></mt:SetVarBlock>
<$mt:Include module="<__trans phrase="Form Field">" id="old_pass" label="<__trans phrase="Current Password">"$>
Changed the URL in the profile updated message.
<__trans phrase="This profile has been updated."><mt:If name="blog_id"> <__trans phrase="Go <a href="[_1]">back to the previous page</a> or <a href="[_2]">view your profile</a>." params="<mt:If name="saved"><$mt:Var name="return_to" escape="html" regex_replace="/#.*/",""$>#_refresh<mt:Else><$mt:Var name="return_to" escape="html"$></mt:if>%%<$mt:CGIPath$><$mt:CommunityScript$>?__mode=view<mt:If name="blog_id">&blog_id=<$mt:Var name="blog_id"$></mt:If>"></mt:If>
Also changed the URL.
<__trans phrase="Go <a href="[_1]">back to the previous page</a> or <a href="[_2]">view your profile</a>." params="<mt:if name="saved"><$mt:Var name="return_to" escape="html" regex_replace="/#.*/",""$>#_refresh<mt:else><$mt:Var name="return_to" escape="html"></mt:if>%%<$mt:CGIPath$><$mt:CommunityScript$>?__mode=view<mt:If name="blog_id">&blog_id=<$mt:Var name="blog_id"$></mt:If>">
Register Form
- Updated in Movable Type 5.13.
- Global Template
- This update is mandatory.
- addons/Community.pack/templates/global/register_form.mtml
Updated the password input hint.
required="1"
hint="<__trans phrase="Select a password for yourself."> (<$mt:PasswordValidationRule$>)"
show_hint="1">
<input type="password" name="password" id="password" class="text password" value="" />
Added a new validation script above the captcha_fields input.
<script type="text/javascript">
/* <![CDATA[ */
<$mt:PasswordValidation form="register" password="password" username="username"$>
/* ]]> */
</script>
Added name="register" attribute to the form.
New Password Form
- Updated in Movable Type 5.13.
- Global Template
- This update is mandatory.
- addons/Community.pack/templates/global/new_password.mtml
Added id="password_reset_form" attribute to the form.
Added a hidden username input field.
<input type="hidden" name="username" id="username" value="<mt:var name="username" escape="html">" />
Added the following JavaScript snippet above the form.
<script type="text/javascript">
/* <![CDATA[ */
<$mt:PasswordValidation form="password_reset_form" password="password" username="username"$>
/* ]]> */
</script>
Added an input hint.
<mtapp:setting
id="name"
label="<__trans phrase="New Password">"
hint="<__trans phrase="Enter the new password."> (<$mt:PasswordValidationRule$>)"
show_hint="1"
label_class="top-label">
<input type="password" name="password" id="password" class="text password full" value="<mt:var name="password" escape="html">" />
</mtapp:setting>
Added HTML escaping to the password and password_again input fields.
<mt:var name="password" escape="html" />
<mt:var name="password_again" escape="html" />
Form Field
- Updated in Movable Type 5.13
- Global Template
- This update is optional.
- addons/Community.pack/templates/global/form_field.mtml
Added a hint under field-content for the password validation.
<$mt:Var name="field-content"$>
<$mt:If name="show_hint"$>
<div class="hint"><$mt:Var name="hint"$></div>
</mt:If>
Changes in Professional Website/Blog theme
Header
- Updated in Movable Type 5.13, 5.07, and 4.38
- This update is optional.
- addons/Commercial.pack/templates/professional/blog/header.mtml
- addons/Commercial.pack/templates/professional/website/header.mtml
Removed a link to the admin CGI and the following JavaScript snippet.
var adminurl = '<$mt:CGIPath$>' + '<$mt:AdminScript$>';
Changes in Pico theme
Comment Preview
- Updated in Movable Type 5.13, 5.07, and 4.38
- Blog Template Module
- This update is mandatory.
- themes/pico/templates/comment_preview.mtml
Added the sid parameter as an input of type="hidden".
<form method="post" action="<$mt:CGIPath$><$mt:CommentScript$>" name="comments_form" id="comments-form" onsubmit="return mtCommentOnSubmit(this)">
<input type="hidden" name="sid" value="" />
Changes in Smart Blog theme
Smart Blog is the Movable Type 5 theme optimized for PC, iPhone, iPad, and Android. You can download the latest version from GitHub.
If you have already installed this theme and wish to update to the latest release, first delete the following folder in your Movable Type installation.
mt-static/support/theme_static/smart_blog
Then upload the following folder from the latest version of the theme.
SmartphoneOption-1.x/themes/smart_blog/static
jQuery Mobile was upgraded to version 1.0, and the following templates were modified for minor bug fixes.
- themes/smart_blog/templates/styles.mtml
- themes/smart_blog/templates/comment_form.mtml
- themes/smart_blog/templates/entry_summary.mtml
- themes/smart_blog/templates/html_head.mtml
- themes/smart_blog/templates/html_head_mobile.mtml
- themes/smart_blog/templates/main_index.mtml
- themes/smart_blog/templates/category_entry_listing.mtml
- themes/smart_blog/templates/comment_preview.mtml
- themes/smart_blog/templates/comment_response.mtml
- themes/smart_blog/templates/dynamic_error.mtml
- themes/smart_blog/templates/entry.mtml
- themes/smart_blog/templates/page.mtml
- themes/smart_blog/templates/search_results.mtml
JavaScript Index Template in Motion theme
- In Movable Type 4.38
- This update is mandatory.
- plugins/Motion/templates/Motion/motion_js.mtml
Added the sid parameter to postData within the #comment-submit click event.
var postData = { static: staticVal, entry_id: entryIdVal, parent_id: parentIdVal, armor: armorVal, comment_reply: replyVal, author: authorVal, email: emailVal, url: urlVal, text: textVal, captcha_code: capthchaVal, token: tokenVal, sid: sidVal };