HB-Cumulus is a Flash-based tag cloud for Habari that displays your tag cloud in a rotating sphere just like the one shown here.
This week an announcement was made on Seclists.org about an XSS and HTML Injection vulnerability in all the plugins that use the original tagcloud.swf from WP-Cumulus (which includes HB-Cumulus).
The XSS vulnerability was fixed a long long time ago in HB-Cumulus - 19 December 2009 - so if you are running HB-Cumulus 1.4 or earlier, you MUST upgrade.
The HTML Injection issue isn't really much of an issue and I go into details here as to why I don't believe this is a real issue to be concerned about. I have however modified the tagcloud.swf that comes with HB-Cumulus 1.9 and later to mitigate this issue.
I've implemented all the functionality offered by WP-Cumulus 1.23 and a bit more. Functionality includes the ability to set...
... all within the Habari plugin configuration options. There is even a preview of the cloud within the configuration section so you can see your changes taking effect as you make them.
At this time, HB-Cumulus is the ONLY port of Roy's WP-Cumulus that is NOT vulnerable to the HTML Injection vulnerability detailed at http://seclists.org/fulldisclosure/2011/Sep/101 as I've fixed it.
Sadly, there is a limitation: non-Latin characters may not show up. To quote Roy's own words on the WP-Cumulus FAQ page:
Because of the way Flash handles text, only Latin characters are supported in the current version. This is due to a limitation where in order to be able to animate text fields smoothly the glyphs need to be embedded in the movie.
You can however modify the flash code yourself by following Roy's instructions here. Unfortunately, I can't do this as I don't have the necessary tools to modify the flash files.
You may want to check the above post for other character sets that have already been created.
Apparently, Flash 10 introduces a new text-element type that may resolve the issue with non-embedded characters. As soon as Roy updates WP-Cumulus to support this, I'll update HB-Cumulus.
You can now also download and contribute to HB-Cumulus via GitHub.
Note: The cloud you see at the top of this page is running the above version on the latest SVN trunk build (which is later than 0.7.1).
/path to habari/user/plugins/
That's it. You're ready to implement the cloud into your site.
The upgrade procedure is as per the installation procedure, but please ensure you de-activate the plugin first. This will ensure your current settings are merged with any new options that may be added with later releases and reduce the chances of encountering errors.
There are three ways you can use HB-Cumulus:
<!-- hb-cumulus -->
This tag is NOT case sensitive, so don't worry too much about the case or spacing. So long as you have all of the above characters in that order, it should display.
This IS case sensitive, so you'll need to be sure you get it 100% correct.
There are a couple of things worth noting for reference purposes:
More information about the options marked with * can be found on the WP-Cumulus notes page.
That's it folks. If you encounter any problems please log an issue on GitHub.