Articles and insights into the world of CMS.
I’ve said it before and I’ll say it again: never trust user input. This is one of the golden rules of security, yet when designing plugin APIs, we often tend to favour flexibility over restriction, which can get us into trouble if we are unaware of the data or endpoints we are exposing.
I recently sat down with Kyle Cotter, Author Experience Lead at Happy Cog, to hear about the process of building and launching Canary Media on Craft CMS. It turns out that the bridging of the discovery, design, development and DevOps phases is what stands out as the most intriguing thing about this project. And by the end of it, Kyle has me convinced that a successful project is one in which each phase receives the attention it needs, the tasks are rigorously prioritised and the features that make it into launch and those that don’t are, once decided, indisputable.
The most secure way of preventing secrets from being revealed is, well, not storing them at all. But assuming you need to access sensitive secrets in your PHP code, such as credentials to an online bank account, then storing them encrypted is much more secure than in plaintext.
Having spent a decent portion of my career building client sites, one thing that always struck me as dangerous was the unsustainable cycle that web agencies tend to fall into. Chasing the next big project, rather than producing the best quality work, often becomes the primary objective of stakeholders. Avoiding this trap is possible by focusing on “horizontal” growth and one way to do this is by leveraging plugins.
Every Craft site that allows public registration implicitly grants its users elevated privileges. Specifically, users have the ability to update all custom fields on their profile, as well as in any entries that they have permission to edit. If you use custom fields for “private” admin use only, then you may be leaving your site open to abuse.
Using software you trust is key to increasing your chances of keeping your site secure and lowering the chances of introducing a vulnerability. But how exactly do you know which software (and developers) are trustworthy and which are not?
Cybersecurity often feels like another world, yet in recent years it’s a topic that I’ve become mildly obsessed with. As web and software developers, security is an integral part of what we do, but for the most part it is self-contained in terms of the code that we work on directly. That has to change.
Sprig 1.1.0 adds new features as well as some important security improvements. Most notably, Sprig now uses htmx 0.4.0 and adds template variables to paginate element queries, push URLs into the history stack, redirect and refresh the browser, trigger client-side events and more securely add values to a request.
8 years ago today we revealed our first major redesign to the PutYourLightsOn brand. To my surprise, while taking a trip down memory lane, I realised that even though the web has really moved on since then, design really hasn’t that much.
In a recent redesign of the PutYourLightsOn website, we decided to start with a blank slate. It became an excellent opportunity to re-evaluate the state of web publishing tools in 2018 with the aim of utilising the best possible means to build a lightning-fast site that would still enable a great authoring experience.
From The Archives #
In just a few days I will find myself amongst my peers at the biggest ExpressionEngine event of the year, and I couldn’t be more excited about it. A lot has happened in the CMS world over the past year and I feel that the conference is a great way to come to terms with some of these changes and to “check in” with the community and with the team behind EE.
In the past couple of weeks I’ve spent more and more time playing with Craft, the new CMS by Pixel & Tonic. When I say playing with, I mean working with, but since it is proving to be such a joy to use, I feel that “playing” is a more appropriate word.
I had the pleasure of revealing Open API, my latest creation for ExpressionEngine, in my presentation at EEUK 2013. Open API is a front-end, http-based API for ExpressionEngine that provides authentication and CRUD (create/read/update/delete) functionality to content and data in the CMS.
2012 seems to have flown by rather quickly but it has been an action-packed year. We released three add-ons this year, two of which have been nominated for the devot-ee AcademEE Awards. We attended EECI Europe and I had the honour of speaking at EECI U.S.
I was lucky enough to go to both EECI’s this year, the European one in Leiden and the US one near Austin which happened last week. In fact I was invited to speak at the US one and felt very honoured to present to my fellow EE community members. I gave a talk on the developer’s track and it was a full house, standing room only!!
If like me you sell your ExpressionEngine add-ons on devot-ee then you are definitely familiar with the sales reports page. It gives a quick overview and tabular report of the selected month’s sales. But if you want to properly analyse your sales then you simply need to visualise them. I’ve written a small php script to do just that and frankly I’ve surprised myself with how insightful it is.
Responsive CP is an ExpressionEngine theme that I started working on over a year ago but that I only released to the public as a free add-on last week. You may have already noticed it in the various screenshots of our add-ons. The theme has two main goals – to provide a more professional looking control panel and to work well on desktop as well as mobile devices with small to medium screen sizes.