mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-27 10:30:29 +00:00
1 line
15 KiB
JSON
1 line
15 KiB
JSON
|
{"@context":["https://www.w3.org/ns/activitystreams","https://w3id.org/security/v1",{"Emoji":"toot:Emoji","Hashtag":"as:Hashtag","atomUri":"ostatus:atomUri","conversation":"ostatus:conversation","featured":"toot:featured","focalPoint":{"@container":"@list","@id":"toot:focalPoint"},"inReplyToAtomUri":"ostatus:inReplyToAtomUri","manuallyApprovesFollowers":"as:manuallyApprovesFollowers","movedTo":"as:movedTo","ostatus":"http://ostatus.org#","sensitive":"as:sensitive","toot":"http://joinmastodon.org/ns#"}],"attributedTo":["https://baptiste.gelez.xyz/@/BaptisteGelez"],"cc":[],"content":"<p>It has been one month since the last \"This Month in Plume\" article, so it is time for another edition of our monthly changelog!</p>\n<h2>Bug Fixes and Security</h2>\n<p>Let's start with the hidden, but still (very) important changes: bug fixes and security patches.</p>\n<p>First of all, <a href=\"/@/Trinity%20/\" title=\"Trinity \" rel=\"noopener noreferrer\">@Trinity </a> protected us against two major security flaws, called <em>XSS</em> and <em>CSRF</em>. The first one allows the attacker to run malicious code if you visit a Plume page where some of their personal data is present. The second one lets them post data with your Plume account by visiting one of their own website. It is two very common attack, and it is great we are now protected against them!</p>\n<p>The other big change in this area, is that we are now validating the data you are sending before doing anything with it. It means that, for instance, you will no longer be able to register with an empty username and to break everything.</p>\n<p>On the federation side, many issues were reported by <a href=\"/@/kaniini%20/\" title=\"kaniini \" rel=\"noopener noreferrer\">@kaniini </a> and <em>redmatrix</em> (respectively contributing to Pleroma and Hubzilla). By fixing some of them, we made it possible to <a href=\"https://baptiste.gelez.xyz/%7E/KaniiniTestBlog/current-status-of-plume-and-pleroma-federation/\" rel=\"noopener noreferrer\">federate Plume articles to Pleroma</a>!</p>\n<p><a href=\"/@/Trinity%20/\" title=\"Trinity \" rel=\"noopener noreferrer\">@Trinity </a> hopefully noticed that there was a bug in our password check code: we were not checking that your password was correct, but only that the verification process went without errors. Concretely, it means that you could login to any account with any password. I wrote this part of the code when I was still the only contributor to the project, so nobody could review my work. We will now be trying to check every change, especially when it deals with critical parts of Plume, to avoid similar issues in the future, and we I'm really sorry this happened (even if I think nobody exploited it).</p>\n<p><em>Zanfib</em> and <em>stephenburgess8</em> also commited some small bugfixes, improving the general experience.</p>\n<h2>New Features</h2>\n<p>Let's now talk about the features that we introduced during this month.</p>\n<p>One of the most easy to spot is the redesign of Plume, made by <a href=\"/@/Madeorsk.%20/\" title=\"Madeorsk. \" rel=\"noopener noreferrer\">@Madeorsk. </a> I personaly love what he did, it really improved the readability and gave Plume a bit more of identity than the previous design. And he is <a href=\"https://github.com/Plume-org/Plume/pull/104\" rel=\"noopener noreferrer\">still improving it</a>.</p>\n<p>We also enabled Mardown in comment, to let you write more structured and nicely formatted responses.</p>\n<p>As you may have noticed, I have used mentions in this post. Indeed, it is now possible to mention someone in your articles or in comments. It works exactly the same way as in other apps, and you should receive a notification if someone mentionned you.</p>\n<p>A dashboard to manage your blogs has also been introduced. In the future it may be used to manage your drafts, and eventually to show some statistics. The goal is to have a more specific homepage for authors.</p>\n<p>The federation with other ActivityPub softwares, like Mastodon or Pleroma is starting to work quite well, but the federation b
|