Sometimes being lazy is a good thing. I was supposed to update my WordPress installation to version 2.1.1 last weekend, but I didn’t feel like checking what had changed exactly and if I needed the update. The short changelog said the update mostly consisted of small fixes and no critical stuff so I postponed.
It turns out the 2.1.1 update was quite critical after all:
Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
It seems a cracker got access to a server that powers WordPress.org and was able to modify the download file.
More on this story at WordPress.org.
So I updated rekkerd.org to WordPress 2.1 today. After making some small modifications to code here and there all seemed to work just fine… Until I opened the site in Firefox…
It turns out WordPress 2.1 has some changes in the formatting code (formerly functions-formatting.php, now formatting.php in wp-includes) which do some nasty things in certain situations.
In my case I have images in posts that I wrap in a div container, kinda like:
<div><img src=etc /></div>
Now with the new formatting functions of WP 2.1 it somehow adds a paragraph tag in the output. And it doesn’t even close it either. On rekkerd.org it resulted in something like this:
<div><p><img src=etc /></div>
Internet Explorer eats it and shows the site like normal, but Firefox shrinks the image to mini size. And of course the page won’t validate either.
I found a few mentions of this problem on the WordPress forum already, so I’m sure it’ll get fixed, but for now I just pasted the code from the old functions-formatting.php in the new formatting.php file and all seems well.
Let me know if you still find a problem.