Over the past couple of weeks you might have seen a few new releases of Photonic come through. Most of these changes (versions 2.76, 2.77, 2.78 and 2.79) were done with the WordPress Plugins team and focused on aspects of security hardening, updating scripts and changing a few things with the overall approach for the plugin.
In the process, I have been making several security improvements, culling some obsolete scripts from the plugin, and improving things along the way:
- Security Fixes
I have made a slew of security improvements. These cover:
- A lot more sanitizing of inputs and escaping of outputs
current_user_canchecks to prevent unauthorized updates
- Using transients instead of options for short-lived tokens
- Removed Scripts
Three scripts have been removed from the plugin because their authors retired them or have not provided any updates to them for several years:
- Fancybox1 – This was the original cool-looking lightbox, which was retired, and then superseded by Fancybox2 (not GPL-compatible), Fancybox3, and now Fancybox4 (again, not GPL-compatible). Fancybox1 received its last update in November 2010. If you were using Fancybox, you should see your site automatically switched to Fancybox3.
- Magnific Popup – This was last updated by the developer in February 2016. If you were using it, you should see your site automatically switched over to Venobox.
- PrettyPhoto – Officially this was last updated in May 2015, but I think the developer stopped working on it long before that. There was an XSS vulnerability reported in this script in 2015, which was patched. Prior to that the developer made a licensing change in 2012. If you were using this script, you should see it replaced by Spotlight.
You can still use the older scripts by following the instructions here, but given that the script authors have not maintained them, I strongly recommend against it.
- Updated Scripts
I updated BigPicture, Fancybox3, Featherlight, GLightbox, Lightcase, LightGallery, PhotoSwipe, Splide, Strip and Swipebox to their latest versions. Note that though I list Fancybox3 and PhotoSwipe, those are different from Fancybox4 and PhotoSwipe v5 respectively, which are total rewrites of the originals. I will release support for those as separate scripts in a later release.
- New Lightboxes
Of course, when I remove one lightbox, I have to add another! I have introduced support for a pretty slick-looking lightbox, Venobox.
- Related Bug Fixes
The security updates, along with trying to align the code to the recommendations from WordPress Code Sniffer (WPCS) meant that in some cases I went overboard with putting in some controls. E.g. For the technically inclined, some WPCS recommendations suggested using
==… which in turn broke code that had been working for years. Some other escaping / sanitizing checks introduced “\” characters in the output. I have been fixing such issues along the way and have hopefully got most of them sorted out.
Over the next few weeks I will also add support for PhotoSwipe5 and Fancybox4, as written above. Note that Fancybox4 is not a GPL-compatible script, so I cannot bundle it with Photonic. However, you will be able to use it via the non-bundled option.
Please let me know of your feedback.