HB-Cumulus is a Flash-based tag cloud for Habari that displays your tag cloud in a rotating sphere just like the one shown here.
Security Vulnerabilities in HB-Cumulus 1.8 and Lower
This week an announcement was made on Seclist.org about a XSS and HTML Injection vulnerability in all the plugins that use the original tagcloud.swf from WP-Cumulus (which includes HB-Cumulus).
The XSS vulnerability was fixed a long long time ago in HB-Cumulus - 19 December 2009 - so if you are running HB-Cumulus 1.4 or earlier, you MUST upgrade.
The HTML Injection issue isn't really much of an issue and I go into details here as to why I don't believe this is a real issue to be concerned about. I have however modified the
tagcloud.swf that comes with HB-Cumulus 1.9 and later to mitigate this issue.
I've implemented all the functionality offered by WP-Cumulus 1.23 and a bit more. Functionality includes the ability to set...
- your own width and height
- your own foreground, background (or transparent) and highlight colours
- a rotation speed to suit your needs
- the keywords to exclude
- the number of keywords to display
- the minimum and maximum font sizes to use
... all within the Habari plugin configuration options. There is even a preview of the cloud within the configuration section so you can see your changes taking effect as you make your changes.
At this time, HB-Cumulus is the ONLY port of Roy's WP-Cumulus that is NOT vulnerable to the HTML Injection vulnerability detailed at http://seclists.org/fulldisclosure/2011/Sep/101 as I've fixed it.
Sadly, there is a limitation: non-latin characters may not show up. To quote Roy's own words on the WP-Cumulus FAQ page:
Because of the way Flash handles text, only Latin characters are supported in the current version. This is due to a limitation where in order to be able to animate text fields smoothly the glyphs need to be embedded in the movie.
You can however modify the flash code yourself by following Roy's instructions here. Unfortunately, I can't do this as I don't have the necessary tools to modify the flash files.
You may want to check the above post for other character sets that have already been created.
Apparently, Flash 10 introduces a new text-element type that may resolve the issue with non-embedded characters. As soon as Roy updates WP-Cumulus to support this, I'll update HB-Cumulus.
For Habari 0.7 and Trunk:
You can now also download and contribute to HB-Cumulus via GitHub.
Note: The cloud you see at the top of this page is running the above version on the latest SVN trunk build (which is later than 0.7.1).
- Download either the zip or tar.bz2 to your server
- Extract the contents to a temporary location (not strictly necessary, but just being safe)
- Move the
/path to habari/user/plugins/
- Refresh your plugins page, activate the plugin and configure it to suit your needs
That's it. You're ready to implement the cloud into your site.
The upgrade procedure is as per the installation procedure, but please ensure you de-activate the plugin first. This will ensure your current settings are merged with any new options that may be added with later releases and reduce the chances of encountering errors.
There are three ways you can use HB-Cumulus:
- Using Blocks
You can show the tag cloud in any area offered by your theme by adding the HB-Cumulus block to that area within the Theme configuration.
- Embed directly into any page or post:
You can show the cloud in any page or post by putting the following code into the post/page content:
<!-- hb-cumulus -->This tag is NOT case sensitive, so don't worry too much about the case or spacing. So long as you have all of the above characters in that order, it should display.
- Via the your theme files directly:
If your theme does not have support for blocks, you can show the cloud anywhere on your site within your theme files, for example in the sidebar using:
$theme->hbcumulus();This IS case sensitive, so you\'ll need to be sure you get it 100% correct.
There are a couple of things worth noting for reference purposes:
- Deactivating the plugin will remove your saved options from Habari.
- The following options are provided by default:
- Width: 500px *
- Height: 375px *
- Tag Colour: #FFFFFF - to ensure reliable behaviour, HB-Cumulus will only accept 6 character HTML colours *
- Second Colour: #FFFFFF (Optional) *
- Highlight Colour: #FFFFFF (Optional) *
- Background Colour: #333333 *
- Speed: 100 - percentage *
- Transparent: FALSE *
- Distribute Tags Evenly: FALSE *
- List of tags to hide:
- this can be a space or comma separated list
- Minimum Font Size: 8pt
- Maximum Font Size: 25pt
- Number of Tags to show: 30 - set to 0 or nothing to show all tags.
More information about the options marked with * can be found on the WP-Cumulus notes page.
- Hb-Cumulus will work with Habari 0.7 and later. It'll probably work with earlier releases too, but this is no longer supported.
- Habari has no concept or categories at the moment, so it'll only show tags. If and when Habari gets categories, I'll update the plugin to support categories too.
- Revert back to using a HB-Cumulus specific tagcloud.swf file as HB-Cumulus to resolve the mild HTML Injection vulnerability detailed at http://seclists.org/fulldisclosure/2011/Sep/101
- Updated help documentation to list all implementation methods
- Removed redundant code.
- Clear cache whenever an entry or tag is created, updated or deleted.
- Call the swfobject.js from Google's hosting if users choose this method to render the cloud.
- HB-Cumulus now downloads the tagcloud.swf file directly from the WP-Cumulus SVN repository so it doesn't need to be bundled anymore.
- Improved compatibility with new Habari 0.7 form configuration forms.
- Fixed calling a non-static method statically. This issue came to light due to a change in the underlying Vocabulary code in Habari.
- Added block support for the svn version
- Updated tagcloud.swf to that provided with WP-Cumulus 1.23
- Updated swfobject to version 2.2
- Improved HTML validity
- Updated code to compatible with new tags related functionality within Habari SVN code (aka 0.7 when it's released).
- Tidied up code a bit better and minimised swfobject.js
- Made compatible with Habari SVN code (aka 0.7 when it's released)
- Updated tagcloud.swf to that provided with WP-Cumulus 1.20, which includes the following relevant fixes: "Fixed the mouse pointer not changing to a hand when hovering tags." "Adds Turkish language support to the Flash movie."
- Updated tagcloud.swf to that provided with WP-Cumulus 1.1.8, which includes a change that... "Improves mouse detection in transparent mode"
- Also sorted out the documenting of the licensing of the various components
- Updated directory structure to better separate the 3rd party components and the HB-Cumulus code
- Tidied up code to adhere closer to the Habari coding standards
- Fixed bug in plugin de-activation that caused HB-Cumulus settings to be deleted when other plugins were de-activated.
- Initial release.
That's it folks. If you encounter any problems please log an issue on GitHub.