
Template changes in Movable Type 5.13, 5.07, and 4.38

As a result of security fixes in Movable Type 5.13, 5.06 and 4.38, some of the global templates and the JavaScript template in each blog were updated. You need to refresh those templates to comment or to use Community features once you upgrade to Movable Type 5.13, 5.07, 4.38, or a later version.

How to update your own theme?

You need to update the JavaScript index template in your theme to make it compatible with 5.13, 5.07, and 4.38. If you have not customized the JavaScript index template, you can simply copy the JavaScript index template from the Classic Blog theme bundled in 5.13 and replace the one in your theme with it.

The new JavaScript index template is identical in 5.13, 5.07 and 4.38 and across the bundled themes, but it is incompatible with earlier versions of Movable Type.

If you still see an error when commenting on your blog, make sure that your comment form includes the sid parameter as an input of type="hidden":

<pre class="prettyprint"><code class="language-html">&lt;form method=&quot;post&quot; action=&quot;&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;&quot; name=&quot;comments_form&quot; id=&quot;comments-form&quot; onsubmit=&quot;return mtCommentOnSubmit(this)&quot;&gt;
    &lt;input type=&quot;hidden&quot; name=&quot;sid&quot; value=&quot;&quot; /&gt;
</code></pre>

If your theme is based on Community Blog or Community Forum, you need to replace your global templates with the ones bundled in 5.13.

Changes in JavaScript Index Template

JavaScript index templates in the bundled themes (Classic Website/Blog, Pico, Community Forum/Blog, Professional Website/Blog, Smart Blog) were updated.

  • Updated in Movable Type 5.13, 5.07, and 4.38
  • Require template refresh after upgrading.
  • Updated:
    • defaulttemplates/javascript.mtml
    • themes/classicwebsite/templates/javascript.mtml
    • themes/classicblog/templates/javascript.mtml
    • themes/pico/templates/javascript.mtml
    • addons/Community.pack/templates/global/javascript.mtml
    • addons/Community.pack/templates/forum/javascript.mtml
    • addons/Community.pack/templates/blog/javascript.mtml
    • addons/Commercial.pack/templates/professional/blog/javascript.mtml
    • addons/Commercial.pack/templates/professional/website/javascript.mtml
    • smartblog/templates/javascript.mtml

Background

The change fixes a vulnerability in the session management. The new session management requires the following steps to obtain a session id safely:

  1. The user signs in to Movable Type with the user ID and password.
  2. Movable Type returns a one-time token as the hash fragment of the URL.
    e.g. the hash fragment is 0123456789abcdef in the following URL:
    http://blog.example.com/2011/10/mypost.html#login0123456789abcdef
  3. The browser sends a request to <$mt:CommentScript$>?mode=userinfo with the one-time token and receives a valid session id.

Changes for the authentication plugins

<p>The MT::Auth::handle_sign_in interface was changed. handle_sign_in previously returned only a commenter object, but the new version returns the commenter object together with the session object as a list. If your plugin overrides handle_sign_in by inheriting from the MT::Auth class, you need to update the method to return this new value. If you do not, Movable Type tries to maintain compatibility by loading the session object automatically, but this is not ideal from a performance perspective.</p>

<h3>Changes when using Transformer to include plugin template</h3>

<p>You need to specify your plugin key with the component attribute.</p>

<pre class="prettyprint"><code class="language-html">&lt;mt:Include name=&quot;PATH_TO_TEMPLATE_FILE&quot; component=&quot;SamplePlugin&quot;&gt;
</code></pre>

Details

<div class="section" id="session_js">
<h4>session_js was obsoleted, use userinfo instead</h4>

<p>When processing sign-in with JavaScript, <strong>mode=session_js</strong> is obsolete and you need to use the new <strong>mode=userinfo</strong> instead. For example, the following previous code should be replaced.</p>

<pre class="prettyprint"><code class="language-js">script.src = '&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;?__mode=session_js&amp;blog_id=&lt;$mt:BlogID$&gt;&amp;jsonp=' + cb + '&amp;ts=' + ts;
</code></pre>

<p>With the new procedure, first obtain the user with mtGetUser():</p>

<pre class="prettyprint"><code class="language-js">var u = mtGetUser();
</code></pre>

<p>and then pass the u.sid attribute as the sid parameter of mode=userinfo, as follows:</p>

<pre class="prettyprint"><code class="language-js">script.src = '&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;?__mode=userinfo&amp;blog_id=&lt;$mt:BlogID$&gt;&amp;jsonp=' + cb + '&amp;ts=' + ts + '&amp;sid=' + u.sid;
</code></pre>
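<p>The sign-in flow from the Background steps and the session_js to userinfo change above, as an added JavaScript example that is not part of the Movable Type template code: the function names, the in-memory user record and the query parameter name carrying the one-time token (the page does not give it) are assumptions, while the #login&lt;token&gt; hash form and the sid=&lt;u.sid&gt; URL follow the page.</p>

```javascript
// Added example (not Movable Type's own template code): the browser-side half
// of the sign-in flow this page describes. Function names, the JSONP wiring and
// the single-use token bookkeeping are assumptions.

// Step 2: after sign-in, MT sends the browser back with the one-time token in
// the URL hash, e.g. "#login0123456789abcdef". A fragment is never sent in the
// HTTP request, so the token is only visible to script running in the page.
function extractOneTimeToken(hash) {
  var m = /^#login([0-9a-f]+)$/i.exec(hash || '');
  return m ? m[1] : null;
}

// Placeholder: this page does not name the query parameter that carries the
// one-time token on the first userinfo call, so the name below is invented.
var ONE_TIME_TOKEN_PARAM = 'ott';

// Step 3: build the mode=userinfo request. The sid=<u.sid> form is the one the
// updated template uses once a session id has been obtained.
function buildUserInfoUrl(base, blogId, cb, ts, cred) {
  var url = base + '?__mode=userinfo&blog_id=' + encodeURIComponent(blogId) +
            '&jsonp=' + encodeURIComponent(cb) + '&ts=' + encodeURIComponent(ts);
  if (cred.ott) url += '&' + ONE_TIME_TOKEN_PARAM + '=' + encodeURIComponent(cred.ott);
  else if (cred.sid) url += '&sid=' + encodeURIComponent(cred.sid);
  return url;
}

// In-memory stand-in for the record that mtGetUser()/mtSaveUserInfo(u) keep.
var app_user = null;
function saveUserInfo(resp) {
  // Only keep a record that carries a session id and is marked verified.
  if (!resp || !resp.sid || !resp.verified) { app_user = null; return false; }
  app_user = { name: resp.name, sid: resp.sid, verified: true };
  return true;
}

// Comment submission: copy the session id into the hidden sid field that the
// updated templates add. Without a verified user the form must not be posted.
function prepareCommentForm(fields) {
  if (!app_user || !app_user.verified) return false;
  fields.sid = app_user.sid;
  return true;
}

// The whole flow with constructed values; userinfoResponse stands in for the
// object the JSONP callback would receive when the <script> URL loads.
function runSignInFlow(hash, userinfoResponse) {
  var ott = extractOneTimeToken(hash);
  if (!ott) return { ok: false, reason: 'no one-time token in hash' };
  var url = buildUserInfoUrl('/cgi-bin/mt/mt-comments.cgi', 1, 'mtLoggedIn',
                             Date.now(), { ott: ott });
  if (!saveUserInfo(userinfoResponse)) return { ok: false, reason: 'rejected', url: url };
  var fields = { sid: '' };
  return { ok: prepareCommentForm(fields), sid: fields.sid, url: url };
}
```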

Updated JavaScript methods

<p>The following methods were updated or added. Refer to the new JavaScript index template for the changes.</p>

<ul>
  <li>mtLoggedIn(ott)</li>
  <li>mtRefreshUserInfo(sid)</li>
  <li>mtSaveUserInfo(u)</li>
  <li>mtInitCommenter()</li>
  <li>mtVerifySession(cb)</li>
</ul>

<h4>Other changes</h4>

<p>Added the following snippet in mtinit().</p>
<pre class="prettyprint"><code class="language-html">&lt;mt:IfBlog&gt;
&lt;mt:IfRegistrationAllowed&gt;
    mtInitCommenter();
&lt;/mt:IfRegistrationAllowed&gt;
&lt;/mt:IfBlog&gt;
</code></pre>

<p>In mtSignInOnClick() method, mtFetchUser() was replaced by mtSignIn().</p>
<p>In mtCommentOnSubmit() method, mtFetchUser('mtCommentSessionVerify') was replaced by mtVerifySession('mtCommentSessionVerify').</p>
<p>In mtCommentSessionVerify(), mtFetchUser('mtSetUserOrLogin') was replaced by mtSignIn(), and var u = mtGetUser(); was replaced by the following snippet.</p>
<pre class="prettyprint"><code class="language-js">if ( app_user && app_user.verified ) {
</code></pre>

<p>In mtShowGreeting(), the user_link variable was updated as follows.</p>
<pre class="prettyprint"><code class="language-js">user_link = '&lt;a href=&quot;&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;?__mode=edit_profile&amp;blog_id=&lt;mt:BlogID&gt;&amp;return_url=' + encodeURIComponent( location.href );
</code></pre>

<p>In mt:IfRegistrationAllowed, the following JavaScript was removed.</p>

<pre class="prettyprint"><code class="language-js">/***
 * If request contains a '#login' or '#logout' hash, use this to
 * also delete the blog-side user cookie, since we're coming back from
 * a login, logout or edit profile operation.
 */
var clearCookie = ( window.location.hash &amp;&amp; window.location.hash.match( /^#_log(in|out)/ ) ) ? true : false;
if (clearCookie) {
    // clear any logged in state
    mtClearUser();
    if (RegExp.$1 == 'in') mtFetchUser();
} else {
&lt;mt:Ignore&gt;
    /**
     * Uncondition this call to fetch the current user state (if available)
     * from MT upon page load if no user cookie is already present.
     * This is okay if you have a private install, such as an Intranet;
     * not recommended for public web sites!
     */
&lt;/mt:Ignore&gt;
    if ( is_preview &amp;&amp; !user ) mtFetchUser();
}
</code></pre>

<p>In mtSetCookie() and mtGetCookie(), encodeURIComponent() is now used instead of escape().</p>
<pre class="prettyprint"><code class="language-js">var curCookie = name + "=" + encodeURIComponent(value) +
</code></pre>
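<p>Why the cookie helpers moved from escape() to encodeURIComponent(), as an added JavaScript example that is not part of the Movable Type template: the helper names and the constructed cookie name are assumptions; the cookie string layout mirrors the curCookie line above and the mtCookiePath/mtCookieDomain variables the Profile template clears.</p>

```javascript
// Added example (not from the Movable Type template): cookie write/read pair
// using encodeURIComponent(), beside the legacy escape() output for contrast.
// Helper names and the cookie name "commenter" are constructed for this demo.

function buildCookie(name, value, path, domain) {
  // encodeURIComponent escapes ';', ',' and whitespace, which would otherwise
  // break the Set-Cookie syntax, and emits UTF-8 %XX for any non-ASCII value.
  var curCookie = name + '=' + encodeURIComponent(value) +
    (path ? '; path=' + path : '') +
    (domain ? '; domain=' + domain : '');
  return curCookie;
}

function readCookie(cookieHeader, name) {
  // Split on ';' exactly as a browser hands cookies back; a value that still
  // contained a raw ';' would have been cut off here.
  var parts = cookieHeader.split(/;\s*/);
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf('=');
    if (eq > 0 && parts[i].slice(0, eq) === name) {
      try {
        return decodeURIComponent(parts[i].slice(eq + 1));
      } catch (e) {
        return null; // malformed %-sequence (e.g. legacy %uXXXX): treat as absent
      }
    }
  }
  return null;
}

// Legacy behaviour for comparison: escape() writes %uXXXX for characters
// outside Latin-1, which decodeURIComponent() rejects with a URIError.
function legacyCookieValue(value) {
  return escape(value);
}

// Write a value and read it back through a simulated Cookie header.
function roundTrip(value) {
  var header = buildCookie('commenter', value, '/', '') + '; other=1';
  return readCookie(header, 'commenter');
}
```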

Changes in Classic Website/Blog and Pico theme

Comment Preview

  • Updated in Movable Type 5.13, 5.07, and 4.38
  • Blog Template Module
  • This update is mandatory.
  • themes/classicblog/templates/commentpreview.mtml
  • themes/classicwebsite/templates/commentpreview.mtml

<p>Added the sid parameter as an input of type="hidden".</p>
<pre class="prettyprint"><code class="language-html">&lt;form method=&quot;post&quot; action=&quot;&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;&quot; name=&quot;comments_form&quot; id=&quot;comments-form&quot; onsubmit=&quot;return mtCommentOnSubmit(this)&quot;&gt;
    &lt;input type=&quot;hidden&quot; name=&quot;sid&quot; value=&quot;&quot; /&gt;
</code></pre>

Changes in Community Solution

The following changes were made in the Community Solution bundled with Movable Type Pro/Enterprise/Advanced.

Comment Form

  • Updated in Movable Type 5.13, 5.07, and 4.38
  • Blog Template Module
  • This update is mandatory.
  • addons/Community.pack/templates/blog/commentform.mtml

<p>Added the sid parameter as an input of type="hidden".</p>

<pre class="prettyprint"><code class="language-html">&lt;form method=&quot;post&quot; action=&quot;&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;&quot; name=&quot;commentsform&quot; id=&quot;comments-form&quot; onsubmit=&quot;return mtCommentOnSubmit(this)&quot;&gt;
    &lt;input type=&quot;hidden&quot; name=&quot;sid&quot; value=&quot;&quot; /&gt;
</code></pre>

Profile

  • Updated in Movable Type 5.13, 5.07, and 4.38
  • Global Template
  • This update is mandatory.
  • addons/Community.pack/templates/global/profile_view.mtml

<p>In CommunityScript (mt-cp.cgi), the JSON method of the relations_js mode was updated. The relations() function is placed in the Profile template, and the third argument of the function was removed. This snippet was added at the top:</p>
<pre class="prettyprint"><code class="language-js">var u = mtGetUser();
</code></pre>

<p>and the following snippet was added below the header module include.</p>

<pre class="prettyprint"><code class="language-html">&lt;script type=&quot;text/javascript&quot;&gt;
// Need to clear these
mtCookieDomain = &quot;&quot;;
mtCookiePath   = &quot;&quot;;
&lt;/script&gt;
</code></pre>

<p>The Edit Profile link condition was changed as follows.</p>

<pre class="prettyprint"><code class="language-html">&lt;mt:IfLoggedIn element_id=&quot;edit_profile&quot;&gt;
&lt;mt:If name=&quot;profileself&quot;&gt;
    &lt;a id=&quot;editprofilelink&quot; href=&quot;#&quot;&gt;&lt;__trans phrase=&quot;Edit Profile&quot;&gt;&lt;/a&gt;
&lt;/mt:If&gt;
</code></pre>

Login Form

  • Updated in Movable Type 5.13, 5.07, and 4.38
  • Global Template
  • This update is mandatory.
  • addons/Community.pack/templates/global/login_form.mtml

<p>Added HTML escaping to the return_to variable.</p>
<pre class="prettyprint"><code class="language-html">&lt;$mt:Var name=&quot;return_to&quot; encode_html=&quot;1&quot; /&gt;
</code></pre>

Profile Edit Form

  • Updated in Movable Type 5.13.
  • Global Template
  • This update is mandatory.
  • addons/Community.pack/templates/global/profileeditform.mtml

<p>Added a new validation script under the pass_verify input field.</p>
<pre class="prettyprint"><code class="language-html">&lt;script type=&quot;text/javascript&quot;&gt;
/* &lt;![CDATA[ */
&lt;$mt:PasswordValidation form=&quot;profile&quot; password=&quot;pass&quot; username=&quot;name&quot;$&gt;
/* ]]&gt; */
&lt;/script&gt;
</code></pre>

<p>Updated the password input field as follows.</p>
<pre class="prettyprint"><code class="language-html">&lt;mt:SetVarBlock name=&quot;field-content&quot;&gt;&lt;input type=&quot;password&quot; name=&quot;pass&quot; id=&quot;pass&quot; class=&quot;text password&quot; /&gt;&lt;/mt:SetVarBlock&gt;
&lt;mt:SetVarBlock name=&quot;hint&quot;&gt;(&lt;$mt:PasswordValidationRule$&gt;)&lt;/mt:SetVarBlock&gt;
&lt;$mt:Include module=&quot;&lt;__trans phrase=&quot;Form Field&quot;&gt;&quot; id=&quot;pass&quot; label=&quot;&lt;__trans phrase=&quot;New Password&quot;&gt;&quot; show_hint=&quot;1&quot;$&gt;
</code></pre>

<p>Added a current password confirmation when changing the password.</p>

<pre class="prettyprint"><code class="language-html">&lt;mt:SetVarBlock name=&quot;field-content&quot;&gt;&lt;input type=&quot;password&quot; name=&quot;old_pass&quot; id=&quot;old_pass&quot; class=&quot;text password&quot; /&gt;&lt;/mt:SetVarBlock&gt;
&lt;$mt:Include module=&quot;&lt;__trans phrase=&quot;Form Field&quot;&gt;&quot; id=&quot;old_pass&quot; label=&quot;&lt;__trans phrase=&quot;Current Password&quot;&gt;&quot;$&gt;
</code></pre>

<p>Changed the URL in profile updated message.</p>
<pre class="prettyprint"><code class="language-html">&lt;__trans phrase=&quot;This profile has been updated.&quot;&gt;&lt;mt:If name=&quot;blog_id&quot;&gt; &lt;__trans phrase=&quot;Go &lt;a href=&quot;[_1]&quot;&gt;back to the previous page&lt;/a&gt; or &lt;a href=&quot;[_2]&quot;&gt;view your profile&lt;/a&gt;.&quot; params=&quot;&lt;mt:If name=&quot;saved&quot;&gt;&lt;$mt:Var name=&quot;return_to&quot; escape=&quot;html&quot; regex_replace=&quot;/#.*/&quot;,&quot;&quot;$&gt;#_refresh&lt;mt:Else&gt;&lt;$mt:Var name=&quot;return_to&quot; escape=&quot;html&quot;$&gt;&lt;/mt:if&gt;%%&lt;$mt:CGIPath$&gt;&lt;$mt:CommunityScript$&gt;?__mode=view&lt;mt:If name=&quot;blog_id&quot;&gt;&amp;blog_id=&lt;$mt:Var name=&quot;blog_id&quot;$&gt;&lt;/mt:If&gt;&quot;&gt;&lt;/mt:If&gt;
</code></pre>

<p>Also changed the URL.</p>
<pre class="prettyprint"><code class="language-html">&lt;__trans phrase=&quot;Go &lt;a href=&quot;[_1]&quot;&gt;back to the previous page&lt;/a&gt; or &lt;a href=&quot;[_2]&quot;&gt;view your profile&lt;/a&gt;.&quot; params=&quot;&lt;mt:if name=&quot;saved&quot;&gt;&lt;$mt:Var name=&quot;return_to&quot; escape=&quot;html&quot; regex_replace=&quot;/#.*/&quot;,&quot;&quot;$&gt;#_refresh&lt;mt:else&gt;&lt;$mt:Var name=&quot;return_to&quot; escape=&quot;html&quot;&gt;&lt;/mt:if&gt;%%&lt;$mt:CGIPath$&gt;&lt;$mt:CommunityScript$&gt;?__mode=view&lt;mt:If name=&quot;blog_id&quot;&gt;&amp;blog_id=&lt;$mt:Var name=&quot;blog_id&quot;$&gt;&lt;/mt:If&gt;&quot;&gt;
</code></pre>

Register Form

  • Updated in Movable Type 5.13.
  • Global Template
  • This update is mandatory.
  • addons/Community.pack/templates/global/register_form.mtml

<p>Updated the password input hint.</p>

<pre class="prettyprint"><code class="language-html">required=&quot;1&quot;
hint=&quot;&lt;__trans phrase=&quot;Select a password for yourself.&quot;&gt; (&lt;$mt:PasswordValidationRule$&gt;)&quot;
show_hint=&quot;1&quot;&gt;
&lt;input type=&quot;password&quot; name=&quot;password&quot; id=&quot;password&quot; class=&quot;text password&quot; value=&quot;&quot; /&gt;
</code></pre>

<p>Added a new validation script above the captcha_fields input.</p>

<pre class="prettyprint"><code class="language-html">&lt;script type=&quot;text/javascript&quot;&gt;
/* &lt;![CDATA[ */
&lt;$mt:PasswordValidation form=&quot;register&quot; password=&quot;password&quot; username=&quot;username&quot;$&gt;
/* ]]&gt; */
&lt;/script&gt;
</code></pre>

<p>Added the name="register" attribute to the form.</p>

New Password Form

<ul>
  <li>Updated in Movable Type 5.13.</li>
  <li>Global Template</li>
  <li>This update is mandatory.</li>      
  <li>addons/Community.pack/templates/global/new_password.mtml</li>
</ul>

<p>Added id="password_reset_form" attribute to the form.</p>
<p>Added username hidden input field.</p>
<pre class="prettyprint"><code class="language-html">&lt;input type=&quot;hidden&quot; name=&quot;username&quot; id=&quot;username&quot; value=&quot;&lt;mt:var name=&quot;username&quot; escape=&quot;html&quot;&gt;&quot; /&gt;</code></pre>

<p>Added the following JavaScript snippet above the form.</p>

<pre class="prettyprint"><code class="language-html">&lt;script type=&quot;text/javascript&quot;&gt;
/* &lt;![CDATA[ */
&lt;$mt:PasswordValidation form=&quot;password_reset_form&quot; password=&quot;password&quot; username=&quot;username&quot;$&gt;
/* ]]&gt; */
&lt;/script&gt;
</code></pre>

<p>Added an input hint.</p>
<pre class="prettyprint"><code class="language-html">&lt;mtapp:setting
    id=&quot;name&quot;
    label=&quot;&lt;__trans phrase=&quot;New Password&quot;&gt;&quot;
    hint=&quot;&lt;__trans phrase=&quot;Enter the new password.&quot;&gt; (&lt;$mt:PasswordValidationRule$&gt;)&quot;
    show_hint=&quot;1&quot;
    label_class=&quot;top-label&quot;&gt;
    &lt;input type=&quot;password&quot; name=&quot;password&quot; id=&quot;password&quot; class=&quot;text password full&quot; value=&quot;&lt;mt:var name=&quot;password&quot; escape=&quot;html&quot; /&gt;&quot; /&gt;
&lt;/mtapp:setting&gt;
</code></pre>

<p>Added escaping to the password and password_again input fields.</p>

<pre class="prettyprint"><code class="language-html">&lt;mt:var name=&quot;password&quot; escape=&quot;html&quot; /&gt;
&lt;mt:var name=&quot;password_again&quot; escape=&quot;html&quot; /&gt;
</code></pre>

Form Field

<ul>
  <li>Updated in Movable Type 5.13</li>
  <li>Global Template</li>
  <li>This update is optional.</li>
  <li>addons/Community.pack/templates/global/form_field.mtml</li>
</ul>

<p>Added a hint under field-content for the password validation.</p>

<pre class="prettyprint"><code class="language-html">&lt;$mt:Var name=&quot;field-content&quot;$&gt;
&lt;$mt:If name=&quot;show_hint&quot;$&gt;
    &lt;div class=&quot;hint&quot;&gt;&lt;$mt:Var name=&quot;hint&quot;$&gt;&lt;/div&gt;
&lt;/mt:If&gt;
</code></pre>

Changes in Professional Website/Blog theme

<ul>
  <li>Updated in Movable Type 5.13, 5.07, and 4.38</li>
  <li>This update is optional.</li>
  <li>addons/Commercial.pack/templates/professional/blog/header.mtml<br />
    addons/Commercial.pack/templates/professional/website/header.mtml</li>
</ul>

<p>Removed a link to the admin CGI and the following JavaScript snippet.</p>
<pre class="prettyprint"><code class="language-js">var adminurl = '&lt;$mt:CGIPath$&gt;' + '&lt;$mt:AdminScript$&gt;';
</code></pre>

Changes in Pico theme

Comment Preview

  • Updated in Movable Type 5.13, 5.07, and 4.38
  • Blog Template Module
  • This update is mandatory.
  • themes/pico/templates/comment_preview.mtml

<p>Added the sid parameter as an input of type="hidden".</p>

<pre class="prettyprint"><code class="language-html">&lt;form method=&quot;post&quot; action=&quot;&lt;$mt:CGIPath$&gt;&lt;$mt:CommentScript$&gt;&quot; name=&quot;comments_form&quot; id=&quot;comments-form&quot; onsubmit=&quot;return mtCommentOnSubmit(this)&quot;&gt;
    &lt;input type=&quot;hidden&quot; name=&quot;sid&quot; value=&quot;&quot; /&gt;
</code></pre>

Stylesheet

<ul>
  <li>Movable Type 5.13, 5.07</li>
  <li>This update is optional.</li>
  <li>themes/pico/templates/styles.mtml</li>
</ul>
<p>Replaced &lt;$MTStaticWebPath$&gt;support by &lt;$mt:SupportDirectoryURL$&gt;</p>

Changes in Smart Blog theme

Smart Blog is the Movable Type 5 theme optimized for PC, iPhone, iPad, and Android. You can download the latest version from GitHub.

If you have already installed this theme and wish to update to the latest release, you first need to delete the following folder in your Movable Type installation:

mt-static/support/themestatic/smartblog

Then upload the following folder from the latest version of the theme:

SmartphoneOption-1.x/themes/smart_blog/static

jQuery Mobile was upgraded to version 1.0, and the following templates were modified for minor bug fixes.

  • themes/smartblog/templates/styles.mtml
  • themes/smartblog/templates/commentform.mtml
  • themes/smartblog/templates/entrysummary.mtml
  • themes/smartblog/templates/htmlhead.mtml
  • themes/smartblog/templates/htmlheadmobile.mtml
  • themes/smartblog/templates/mainindex.mtml
  • themes/smartblog/templates/categoryentrylisting.mtml
  • themes/smartblog/templates/commentpreview.mtml
  • themes/smartblog/templates/commentresponse.mtml
  • themes/smartblog/templates/dynamicerror.mtml
  • themes/smartblog/templates/entry.mtml
  • themes/smartblog/templates/page.mtml
  • themes/smartblog/templates/search_results.mtml

JavaScript Index Template in Motion theme

  • In Movable Type 4.38
  • This update is mandatory.
  • plugins/Motion/templates/Motion/motion_js.mtml

Added the sid parameter to postData within the #comment-submit click event.

<pre class="prettyprint"><code class="language-js">var postData = {
    static: staticVal,
    entryid: entryIdVal,
    parentid: parentIdVal,
    armor: armorVal,
    commentreply: replyVal,
    author: authorVal,
    email: emailVal,
    url: urlVal,
    text: textVal,
    captchacode: capthchaVal,
    token: tokenVal,
    sid: sidVal
};
</code></pre>
