Kalendar Winning Designs Posted

So, I finally got a small breather and was able to get the images online. I'll worry about cleaning it up a bit later, but for now at least you can view them.

The entries are posted on the demo site. You can access the gallery here.

Thanks again to Jason Durham and Mark Aplet!

Kalendar Design Contest Winners

The Kalendar team has spent the day debating over entries to decide the winner of the Kalendar Design Contest. It has not been an easy decision, a lot of work went into the entries and we realize this. That being said, we ended up with a split decision!

Jason Durham's design was chosen for some unique UI concepts, which we will certainly incorporate in all future versions of Kalendar because they "just make sense".

Mark Aplet's design was chosen for its clean and functional design. A very minimal design, it offers a more Web 2.0 feel.

We would like to thank the entrants for the time and hard work they have put into the designs!

So, you might be thinking, how do we award one license to both winners? Well, it turns out that I have a new copy of ColdFusion 8 Standard that I am not utilizing, so I have donated this to the project for the second winner. We will contact the winners directly tomorrow to award their prizes. In the coming weeks you will see the new skins implemented and available. In the meantime I will make a gallery available on the demo site in the next couple of days.

Kalendar Design Contest Ends Tonight!

Entries for the design contest are due by 11:59PM tonight, so be sure to get yours in!

Kalendar Contest, Clarifications and Questions Answered

I have received a few questions and wanted to clarify for folks why we are doing certain things in the contest:

1. PSD files: We are requesting PSD files because we are trying to standardize the skinning interface for Kalendar. We are familiar with working with PSD files and this will be the fastest and most efficient way for us to create the images and CSS required to implement the new UI. Also, many design programs will export to PSD format keeping all layers intact. We do not want to accept CSS/HTML formats because it would essentially require a lot of reverse engineering to fit the skin files into the Kalendar system's skinning interfaces.

2. What happens to your submission if it is not chosen? Well, the rules state that all entries become licensed under Apache 2.0. This is primarily because we do not want folks questioning what we plan to do with these files after the contest. ALL entries will become available as downloads via the demo site. All submissions will get credit, with a link to the designer's site. We will not modify the designs which did not win in any way, they will simply be provided as assets to the project for others to use if they want to create their own skins.

3. Deadline: The deadline states that all submissions must be received before Saturday October 13th at 12:00AM. This means you must have your submissions sent in by Friday, October 12th at 11:59:59PM to be eligible. However, we have considered extending this deadline to give you designer-types a little extra time to do a quality job. We will post on this soon, I am discussing it with the rest of the team.

Kalendar XSS Vulnerability: Important Update

Here's a case where the easiest thing is not always the best! In Kalendar, I used a method for sending a message to the client that was written hastily and never really thought through. It consists of checking for a specific variable and using JavaScript to throw an alert containing the contents of that variable.

Scott Pinkston was kind enough to inform us that this is indeed a cross-site scripting vulnerability. So here's a quick rundown of the bug, and a hotfix.

PLEASE NOTE: You should apply this hotfix to all versions of Kalendar. Additionally, it is recommended that you perform the update manually. The bleeding edge version in SVN is currently not stable. We do plan to change the way this messaging system works, but it may take a week or two to stabilize the version in SVN and apply the new system.

So here's how Scott explained it to me:

"As discussed, it appears that Kalendar might be susceptible to an XSS attack using the returnMessage variable.

Example:
http://{somedomain}/index.cfm?returnMessage=%22);document.write('%3Ch1%3ETest%3C/h1%3E');confirm('are%20you%20sure');alert(%22

It would require the attacker to have some knowledge of the system and is pretty unlikely, but better safe than sorry."

So basically, the system accepts returnMessage as a URL parameter and uses its value as the message contents. Because that value was written into the page unescaped, any script it contained would execute on the client side.

Now, here's a quick use case:

Joe Hacker places the following link on one of his phishing sites:
http://{xyz.com}/index.cfm?returnMessage=some javascript here

Within the script Joe embeds some code that will execute when I click the link and the Kalendar site is loaded. That code reads all cookies on the {xyz.com} domain and then issues an XMLHttpRequest, sending the cookie data to his server. Now Joe Hacker has your cookie data and may be able to gain access to sensitive data such as passwords, account IDs or session data. He may use this information to try to impersonate your session or log directly into your account.

Here is the hotfix:
Open application.cfc in the root of the Kalendar application. Notice the OnRequestEnd method contains the following code:

<!--- Vulnerable: the raw returnMessage value is written straight into the JavaScript string --->
<cfif isDefined("returnMessage")>
    <script>alert("<cfoutput>#returnMessage#</cfoutput>")</script>
</cfif>

Change this code to:

<!--- Hotfix: encode <, >, & and " so the value can no longer terminate the string or inject markup --->
<cfif isDefined("returnMessage")>
    <script>alert("<cfoutput>#htmlEditFormat(returnMessage)#</cfoutput>")</script>
</cfif>

The htmlEditFormat() function encodes the angle brackets, quotes and ampersands in the value, so it is rendered as plain text and cannot contain executable code. After you have completed this, repeat the process for the application.cfc in the admin folder.
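To see why the hotfix works, here is an added example (not Kalendar's own code) that models the OnRequestEnd snippet in JavaScript: it builds the alert("...") script body with and without an htmlEditFormat()-style encoder, then executes it against stubbed browser functions so you can observe what the payload from Scott's report actually does in each case. The htmlEditFormat model and the stubs are assumptions of this example.

```javascript
// Minimal model of ColdFusion's htmlEditFormat(): encodes &, <, > and ".
function htmlEditFormat(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Model of the template: returnMessage is interpolated into alert("...").
// `escaper` is applied to the value first; the identity function is the vulnerable case.
function renderScriptBody(returnMessage, escaper) {
  return 'alert("' + escaper(returnMessage) + '")';
}

// Runs the generated script body with stubbed browser globals and records every call,
// so we can see whether anything other than the single intended alert executed.
function execute(body) {
  const calls = { alert: [], confirm: [], write: [] };
  const alert = (m) => calls.alert.push(m);
  const confirm = (m) => { calls.confirm.push(m); return true; };
  const document = { write: (m) => calls.write.push(m) };
  new Function("alert", "confirm", "document", body)(alert, confirm, document);
  return calls;
}

// The URL-decoded returnMessage value from the report above (constructed from that URL).
const PAYLOAD = '");document.write(\'<h1>Test</h1>\');confirm(\'are you sure\');alert("';

// Vulnerable version: the value closes the string and the injected statements run.
function vulnerableRun() {
  return execute(renderScriptBody(PAYLOAD, (s) => s));
}

// Hotfixed version: the encoded value stays inside the string; only one alert runs.
function fixedRun() {
  return execute(renderScriptBody(PAYLOAD, htmlEditFormat));
}
```

Note that htmlEditFormat() is an HTML encoder used inside a JavaScript string, so the displayed message will contain entities such as &quot;, and a newline in the value would still break the string literal (a syntax error rather than script execution); a JavaScript string encoder is the context-appropriate choice for the longer-term rework.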

The next release of Kalendar will not contain this vulnerability and a new, more elegant way to handle this will be introduced.

We would also like to thank Scott for doing the right thing and letting us know first. This gave us an opportunity to address the situation and release a proper announcement. If you find a security vulnerability, please let us know by sending an email using the contact form on the Kalendar project site.


Why You Should Be Interested in Kalendar

So, tonight it hit me why I think you, as a CF developer, should be interested in Kalendar!

As you know, I am the author of Kalendar. Now, some of you reading this may be well skilled with frameworks and CF-OOP. But there are those of you who aren't. Or, like me, are on the cusp of CF-OOP and maybe even examining frameworks. Like some of you, I started implementing CFCs maybe two years ago. I know how to use static CFCs (as Kalendar shows). I understand the concept of OOP (or so I think).

But Kalendar is really a basic application. Most of you seem to be able to figure out how to implement it, even though I am quickly finding out how bad my docs are. It's something that has taken many years (eight!) to perfect and still needs a lot of work. I see how OOP can make many of these things better, but NOW I have the assistance of team members who have these skills to help me along the path to making Kalendar a truly reliable and scalable application. As I learn from these folks on how to make a better Kalendar, so can you.

Kalendar 1.0 will launch soon. You will see some of the influence in this launch of all the new team members. I think if you hang along for the ride you will, like me, see how to convert an already good application into something that is truly Enterprise ready. I am more excited about Kalendar now than ever because now it has become a real learning opportunity for me.

Kalendar Has a New Demo Site

Many, many exciting things are happening with the Kalendar project. With the new team it has quickly gained momentum. One of the newest additions is the new demo site at a new URL, www.cfkalendar.com. This demo site shows Kalendar in a real-world type environment. Now, I have been working with Kalendar for many years, but even still I got Kalendar integrated and the entire site done in just over 6 hours today.

We will still be tweaking the demo site a bit over the next few weeks. We have added a small number of ads, more tastefully placed than the previous demo site, to help cover the costs of hosting and other expenses the project incurs.

I'd love to hear your feedback on the new demo site. Also, I have yet to fully test it in all browsers, so if you see anything weird please give me a shout.

Also, a quick reminder. There are 2 weeks left of the contest. Get your entries in!

Matt Quackenbush Joins the Kalendar Team

Matt is joining the team to help us push forward the development of an OO-based Kalendar. After the 1.0 final release Dan, Matt and I will be planning out the next release of Kalendar which will be fully OO. Part of this effort will be to build a release of Kalendar that can be fully unit-tested and a lot more stable. Additionally, we are hoping to build in support for a number of frameworks over time (and yes, Mark, we may even add in support for Transfer ;)).

Matt will be the final developer on the team, rounding us out with three CF developers and a content/copy editor (Lola Lee Beno).

I am still hoping to get a good designer on the team as we will need someone with those skills to assist us in designing new skins, icons and a logo. If you are interested, you should be very fluent with XHTML and CSS and have mad design skills. If this is you, head over to the Kalendar group and give us a shout.

UI Design Contest: Win a Copy of ColdFusion 8 Standard

Got UI design skills? Adobe (thanks guys!) has been kind enough to donate a copy of ColdFusion 8 Standard as the prize for the person who comes up with the best interface for Kalendar.

There are a few requirements so please read them carefully:

  1. All entries must be received before October 13, 2007 12:00AM. Entries submitted on or after this date will not be eligible.
  2. Designs must be delivered as PSD files, with all layers intact so they can be dissected.
  3. You must provide designs for the following:
    • Each Kalendar view, as shown on the demo site (day, week, week as list, month, month condensed). There are 5 views, so please verify you have designed all of them.
    • The admin screens, which can be accessed on the demo site via the "admin" link. There are 3 screens (add/edit form, category manager, file import).
  4. You must provide a design guideline which outlines the colors and fonts utilized.
  5. All buttons and form elements must be designed.
  6. The tooltips, which appear when your mouse hovers over an event, must also be designed.
  7. You must send your files as a ZIP archive.
  8. Email your entries to kalendardesign at g mail dotcom
  9. You acknowledge that your entry becomes property of the Kalendar project and will be licensed under the Apache 2.0 license.
It is not necessary to provide XHTML or CSS templates. However, if you would like to provide these we would be very appreciative. If you do provide these the XHTML and CSS must be able to be validated.

It is also not necessary to provide a skin design for the Rich Text Editor in the admin (the description field), however you may do so if you like.

A winner will be chosen on Monday, October 15th. Winners will be notified via email. All entries will be posted publicly for all to view and the designers will be given credit for their work. The winner and winning entry will also appear on this blog.

Kalendar Resources

Here's the post I know you've been sitting all day by your keyboard eagerly awaiting. Since I know you have your legs crossed like a little girl because you didn't want to go to the bathroom, I am going to relieve you of your misery (actually I did you a favor, because we all know the ecstasy you experience when you finally get to go after waiting that long)!

So as you may have noticed, in the right column of this blog there is a new Google Groups icon. This links to the new Kalendar collaboration site. This site will contain all the Kalendar documentation, files (except project files), and discussions about the project. If you would like to discuss Kalendar, such as installation help or suggested functionality, I urge you to use this as your main resource.

Secondly, there is a Kalendar chatroom. We are located on the DalNet IRC server in #kalendar. We are busy, working folks, so if we don't get to your questions or comments right away please be patient. We will respond. If you need to know how to get on IRC please refer to DalNet's Help files.

Lastly, if you need live support please call Dan Wilson at ... you didn't seriously think I would give out Dan's number, did you?
