Right, I have patched two different versions of Wizz RSS. Hopefully these versions are now vulnerability safe, but I’m not going to guarantee that! Version 3.1.0.5 is a for those who are still using Firefox 3.5.n, and version 3.2.0.0 is a beta for those who are using Firefox 3.6b1 or later.
Before installing either of these versions, please read the following, which applies to both of these patched versions: -
- I have made absolutely no attempt to address the namespacing issue, and I have no intention of addressing it either. The namespacing issue has absolutely no impact whatsoever on the vulnerability issue. A non-technical explanation of the namespacing issue for the non-technical types: Because Wizz RSS does not comply with the namespacing guidelines, it is possible that Wizz RSS code could interfere with the workings of Firefox or with the workings of other add-ons you have installed. This is not a new issue! Wizz RSS code has always been like this.
- I have implemented nsIScriptableUnescapeHTML.parseFragment() as recommended by Wladimir Palant. For the non-technical types, you can find out more about nsIScriptableUnescapeHTML.parseFragment() here.
- Because nsIScriptableUnescapeHTML.parseFragment() doesn’t seem to work as advertised by the Firefox “security experts,” I have also retained the “blacklist-based input sanitizing at its best” (Wladimir Palant’s sarcastic words) – as poo pooed by Jorge Villalobos. The fact that nsIScriptableUnescapeHTML.parseFragment() doesn’t seem to work as advertised is borne out by the fact that removal of the “blacklist-based input sanitizing at its best” (i.e. Sole reliance on nsIScriptableUnescapeHTML.parseFragment()), causes vulnerabilities that were fixed in 2007 to reappear. Please read http://wizzrss.blat.co.za/2009/11/17/so-much-for-nsiscriptableunescapehtmlparsefragment/ for more details.
Hopefully, what I have done with the code will address the vulnerability issues for once and for all – But I sure ain’t no security expert, so I’m not going to guarantee that!
If you are using Firefox 3.5.n, you can install Wizz RSS 3.1.0.5 here Please note that I have not tested this distributable as I’m currently using Firefox 3.6b2, which I’m not going to uninstall. The fix in 3.1.0.5 is exactly the same as the fix in 3.2.0.0.
If you are using Firefox 3.6b1 or later, you can install Wizz RSS 3.2.0.0 here
Thank you; that installed without a hitch!
I’m glad we will be able to keep using WizzRSS.
Many, many thanks Mike. I’ve just installed the new extension and all appears to be good
However, when I tried to save my feeds to the server I got the message that the service is no longer available. No probs though, I’ve just done an OPML Export instead and will keep that as my backup.
WOOHOO, maybe there is a god after all!
Best Regards
Mike K
Thanks Mike!
Thanks for all your efforts. Much appreciated for a super add on.
Thanks for your great efforts Mike – the update installed Ok in my Firefox 3.5.5.
Keep up the good work
i want to set up new version
@beckham: Just click on the link, either 3.1.0.5 or 3.2.0.0, to install it.
Installed 3.1.0.5 OK and kept my current feeds intact. No problems yet
Thanks so much!
Don’t know if I risk too much, but version 3.1.0.5 installed smoothly under FF 3.0.15 – after modifying min version in the rdf.
Up too now working without any trouble, thx again!
@Karsten: You might find that things like drag ‘n drop don’t work. i.e. Moving feeds around the category/feed tree using drag ‘n drop, and also adding feeds by dropping them onto the category/feed tree.
When will the new version be available via the Add-ons “Find Updates” feature?
@Jon: Never
Help! Everything seemed ok but now my entire Wizz window (first 3.1 then same after upgrade to 3.2) is empty. Cannot import, cannot add feeds.. Sigh. Is this because Firefox folks blocked it? I hope not! Any hints on how to restart this welcome – very welcome!
Whoops sorry. Somehow the regular menu in the sidebar had disappeared (?) –The two bars I’m used to (Wizz RSS – found – saved, and the home, feed search etc bar were invisible, and a third menu I was unfamiliar with had appeared. Well, clearly my mistake, and all is well! Apologies; ignore the previous comment.
@Helma: Please see http://www.wizzrss.com/helpwiki/index.php/Wizz_RSS_Sidebar
It will explain where the tabs and the mini-toolbar went to.
Hello,
When I install “Wizz RSS 3.1.0.5″ Fire Fox send this message
“Impossible d’installer Wizz RSS News Reader 3.1.0.5, car il/elle n’est pas compatible avec Firefox 3.0.15.”
I’m using Firefox 3.015 version, somebody can tell me how to install this safe version of WizzRss
By the way, Thank you to the author of WizzRss, a very practice soft !
Patrick
Bordeaux – France
(sorry for my bad English but i improve it !)
@Patrick: Wizz RSS 3.1.0.5 will only install on Firefox 3.1b2 to 3.5.*
You can hack minVersion in install.rdf to get it to install on earlier versions of Firefox, but I really don’t recommend that you do that.
The best thing for you to do would be to upgrade to Firefox 3.5.
Thank you very much, Mike!
3.1.0.5 installed fine for me in 3.5.3 and seems to be working fine. My only issue is that every time I open FireFox it still opens the Wizz RSS warning page saying there are incompatibility and security issues. This must be something in the Wizz RSS code as a popup comes up saying Wizz opened a page, just like it normally would with a new version. Is there a way to stop this happening, since I’ve chosen to use this version?
Regards,
David
@David: Please read http://wizzrss.blat.co.za/2009/11/16/uninstall_page/
Hello Mike,
Thanks for sticking in and making a more secure and great working RSS reader for FF.
BTW: For me the warning page can be removed. I have been warned enough
Bas.
@Bas: It’s not you that I’m worried about.
Thank you, thank you, Mike!!!
A quick reminder for forgetful minds like mine: make an OPML backup before upgrading so you don’t loose your feeds
Chris.
Mike: Thanks -Somehow I must have selected found items, then clicked away the wizz-found-saved menu. But the timing made me think it had to be Firefox stepping in and killing my Wizz sidebar:-) Learned something new!
thanks~!
Just want to add my thanks to the list. Having tried a few alternatives in the past week, my relief to have Wizz back is considerable.
Any idea why, after installing the updated version, a set of feeds for a particular site (e.g., http://www.dpreview.com/feeds/forums/forum1006.xml) would no longer display feed contents in the browser window when clicked on in the preview pane? (I know that sounds convoluted.)
For that site, even though each of the individual feeds shows all its posted items in the preview pane of the sidebar, clicking on an entry takes me to the feed’s home instead of to the particular post. But, if I operate in preview mode and click on any particular feed in the normal browser window, it takes me to the appropriate web page.
Very strange, and never an issue before.
Thanks for the bugfix version, it is appreciated!
Henry
@Mike: From what I can see, the feed contains no descriptions for its items. i.e. All of the description tags are empty. Apart from having no descriptions, the feed seems to work just fine for me.
Mike, thanks for the reply. I know about the descirptions, but could you take a look at this example: http://forums.dpreview.com/forums/read.asp?forum=1018&message=33764375
When I click on the post title in the preview pane, it seems that Wizz is loading only “http://forums.dpreview.com/forums/read.asp?forum=1018″ — not the whole URL. When I view the feed home in the browser window, though, the entire URL is there.
I don’t know diddly about HTML, so I can’t tell if there is a problem with the feed or with Wizz. Just wanted you to know.
Thanks much.
Smooth install. Mike, Wizz RSS is great.
What can be done to help you along with fixing it?
Regards,
Jaap
@Mike: I’m with you now and see the same problem. Somewhere in my cobweb filled mind I seem to have very vague recollections of dealing with the same problem once before. The item URL is being truncated at the & (which is the HTML entity for an ampersand). I’ve coded a quick fix – Are you using Firefox 3.5 or 3.6?
Whew! I thought I had screwed up something on my end. Using 3.5.5 here. Do I need to update? Thanks.
@Mike: I’ve just uploaded a patched version of 3.1.0.5. Please reinstall it and see if the problem goes away.
Works perfectly now. Thanks so much!
After receiving a warning about security vulnerabilities in Wizz RSS at Firefox 3.5.5 startup, I clicked on the link to this website and installed version 3.1.0.5 which according to Addons management is the version that is installed, but every time I startup firefox I still get the warning about security vulnerabilities and the link to this site to install the patched version. Given that I have the patched version installed why am I still getting this warning?
@Steve: The warning is a global thing. It isn’t dependent on the version you are using. Even Wizz RSS Lite users will get the message. As long as you have upgraded to 3.1.0.5 or 3.2.0.0, you can ignore the message. The reason why I continue to display the message is explained here – http://wizzrss.blat.co.za/2009/11/16/uninstall_page/
I understand you Mike, but the nag tab is beyond annoying
Can you please, please, please, pretty please give those of us who made an educated decision to keep WizzRSS a way to get rid of it, please please, please, pretty please and for the sake of our sanity!
Thanks Mike, I can live with the warning now that I understand the reasoning behind still producing it.
@Max: For the sake of my sanity, just hang-in there for a few more days. Once I’m sure that even the “smart” ones (You know the ones I mean? Those who think they are too smart to read the information I push in their faces) have seen the message, I’ll turn it off.
@Mike
Thanks for the reply!
Oh yes I know which ones you mean.
And now that I know that you’ll eventually be turning it off, I’ll quit whining.
Thanks so much for letting WizzRSS live. It is much more appreciated than you might think.
P.S.: I am no longer as fond of the Mozilla people as I used to be, now that I have read your story.
Huge crashes !
I dont understand yet what’s the cause since i updated the version to the last one !
I hope that is not Wizz fault !
@silvio: I haven’t seen any strange behavior. I also hope that it isn’t Wizz’s fault.
FWIW, I have not seen any instability at all using FF 3.5.5, although it does seem to take a bit longer to load feeds once they’re clicked on. Nothing major, though.
Thanks for the feedback Mike. I’m using FF 3.6b4 and I haven’t seen any instability either. The longer load time is probably being caused by all elements being pushed through nsIScriptableUnescapeHTML.parseFragment()
Thanks, Mike, for your work!!
It’s still suddenly crashes !
Even the one at my office that is installed on a portable version of Firefox !!
What’s interesting is that i have Firefox+Wizz for more than 1 year, i think ! The problem came short after i installed this patched version, that’s why i think here can be the problem !
For now every time it crashes (i didn’t see this huge crashes in my entire user history for more than 3 years of firefox) i keep send’em crash reports but still no answers !
Why when i open Firefox is opening a tab telling me that i need to uninstall my Wizz ! Why ? I just patched !!?
To get more insight i have the following add-ons:
All-in-One Sidebar – (also at my Office)
Download Helper
FoxClocks – (also at my Office)
Greasemonkey
MinimizeToTray – (also at my Office)
SpeedDial
StumbleUpon
TorrentFinderToolbar
WebDeveloper
WebMail Notifier – (also at my Office)
Wizz RSS – (also at my Office)
XMarks – (also at my Office)
It remain for me to uninstall-reinstall the Firefox (clean instal) and step by step install the add-ons … But it will be a fuccing borring job !
@silvio: I fully understand your reluctance to do a clean re-install, unfortunately, sometimes it is the only way to get rid of the Firefox funnies.
Major version updates, especially those that include changes to Places (Which is just about all of them), have never done a very good job of migrating the Places data cleanly. I’m not sure about this, but I suspect that this results in corrupt data in the Places database, which probably causes many of the Firefox funnies. There is probably a way to clean-up the Places database, but I have no idea how to do it – apart from deleting the whole thing, which more-or-less amounts to the same thing as a clean re-install.
I really tried to migrate to Google Reader, but after a few hours, I gave up, and I am back. Decided the irritation was too much for minor risk avoidance. Would a user-appeal to AMO do any good?
Still showing an older “experimental”(?) version on AMO. Probably should have that one removed to prevent confusion. But I guess it is not easy to stumble on.
https://addons.mozilla.org/en-US/firefox/addons/policy/0/424/21428
Some humorous information with regard to AMO – It might serve to lighten the mood
I was on #AMO on IRC one night, trying to get an answer to some-or-other question. As usual, the people on #AMO were about as responsive as a dead dog. Another add-on developer joined the channel and when I saw that he received the same treatment as everyone else, I started exchanging light-hearted banter with him. Something he said made me laugh like crazy, but unfortunately it was very very true. He said, “AMO is like pouring a bucket of ice water over a hot blooded programmer.”
Mike, There is no way I will uninstall Wizz RSS. The concept of being without it is just… I don’t know, it just doesn’t click. Wizz RSS is just so natural to me. That is it.
Hey, Mike.
Sorry to bother you with a question given what you’ve been going through, but is there any resolution for me if my links appear to be gone from the backup server? Tried to do an opml export and a restore. The latter says no longer available which wouldn’t be a problem, but the opml file is empty.
Any thoughts or am I out of luck.
Very sorry to hear about all the FF problems. Potentially a loss of a great app.
Thanks, much.
@Roy: Don’t worry, all of your saved feeds are safe ‘n sound on the Wizz server. In a few days time (Once most of the hoo haa has died down), I’ll reactivate access to the saved feeds. In the meantime, if you need the stuff you’ve saved to the Wizz server, email me your username. I’ll get your stuff out of the database and email it to you.
Thanks for the update Mike. It is working for me under Linux and Windows. After having looked again for another feed reader that would work for me I have again concluded that WizzRSS is the most usable feedreader available. I particularly like the easy access to enclosures as well as text. Your situation caused me to take a look at Chrome. I would be glad to see WizzRSS for Chrome.
Thanks again.
@Francis L: At this point in time I think it’s pretty much impossible to develop a half decent feed reader for Google Chrome. I’ve been using the C# version of Wizz RSS that ties into Internet Explorer.
Thank you, Mike. I’m in no hurry.
Please email me the instructions telling me how to uninstall this file and I will do it.
@Roby: All Firefox add-ons, as far as I’m aware, uninstall in exactly the same way. If you need details on how to uninstall an add-on, please see http://www.wizzrss.com/helpwiki/index.php/Uninstalling_Wizz_RSS
Installed without a hitch in Firefox 3.5.5. Thank goodness as I was getting fed up trying alternatives that were all rubbish arrrgggghhhh….
Any chance you’re working on a Chrome version of Wizz? Now that Chrome has extensions, Wizz is pretty much the only thing keeping me with Firefox.
@Mike: I have had a quick look at extensions for Chrome. From what I’ve seen, Chrome’s support for extensions is pretty rudimentary – It doesn’t even have support for a sidebar – although, I understand that future versions of Chrome will provide extended support for extensions. So I guess I’ll just wait and see what happens with Chrome.
I know I am being annoying, but so is the nag page from WizzRSS.
Is there any hope of it ever going away?
Old nag pages used to no longer appear when WizzRSS was updated to the latest version, why is this one?
@Max: I’m not 100% that this will work, but try it (I’d need to dig into the code to confirm that it’ll work). On the Firefox about:config page, look for a pref called WizzRSSLastCheck and change its value to something like 2260396000000 (I changed the first digit from 1 to 2). This should stop Wizz RSS checking if it should display the Welcome page.
The reason the Welcome page is still being displayed is because I coded a change on the server side to return a random number every time Wizz RSS checks. The uninstall message has been displaying for almost a month, and, believe it or not, some people are only taking notice of it now.
A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://wizzrss/content/toolbar.js:736
I keep getting this error with WizzRSS 3.2
@Jeff: Try this – On the Found Items tab, click the Clear Watch List cache button. i.e. The red X.
I like wizz rss and I upgraded and I want to keep it, but the damn annoying ‘please uninstall wizz rss’ page pops up EVERY time I start the browser and now I am really very close to uninstall the thing – please let me know if this stupid page opening can be stopped.
mike
@mike: Please see my comment directed @Max, above. I’m not 100% sure that it’ll work, but it should… I think.
Sorry Mike
I intended to report back on your instructions, but didn’t get around to it until now.
this indeed gets rid of the nag screen, thank you very much for that!
All the best to you and happy holidays.
@Max: Thanks for the feedback.
@mike: There you go. Confirmation that it will indeed work.
Hi Mike,
I tested your WizzRSSLastCheck workaround (ie changing the first digit from 1 to 2) to avoid the “please uninstall wizz rss” page.
However, my change gets overwritten every time I restart my Firefox and the page pops. Is that normal?
I’m using Firefox 3.5.6 and Wizz RSS 3.1.0.5.
Thanks in advance.
@Max, mike and chris: Please see http://wizzrss.blat.co.za/2009/12/16/steps-to-stop-the-nag-page-from-displaying/ for instructions that stop the nag page from displaying.
The instructions at http://wizzrss.blat.co.za/2009/12/16/steps-to-stop-the-nag-page-from-displaying/ seem to work but are extremely complicated. Could you possibly release a version 3.1.0.6 or 3.2.0.1 that would accomplish the same thing? Keep up the good work.
I can’t tell you how pleased I am that you’ve done this – I’ve used several RSS reader, but NONE of them compare to the ease of use of Wizz. Many thanks Mike (and don’t let the b******ds wear y’down!).
Is this a problem on an Mac also?
Anyone have instructions on how to remove the WizzRSSLastCheck thingy?
@Johnnie: It is a universal problem.
Please see http://wizzrss.blat.co.za/2009/12/16/steps-to-stop-the-nag-page-from-displaying/ for steps on how to stop the nag page from displaying.
@Mike: It doesn’t say on how to fix on Snow Leopard.
@Johnnie: The “fix” should be exactly the same for Snow Leopard. Just the path to wizzrss.jar will be different. Wherever your Firefox profile is, in that folder you should find extensions{D5EDC062-A372-4936-B782-BD611DD18D86}chrome – That is where you’ll find wizzrss.jar
Votre traduction est lamentable!!!Ce qui la rend souvent incompréhensible….
JMBW
Ecoute boissenin
Mike est de l’Afrique du Sud et au moins il a fait l’effort de traduire.
Au lieu de gueuler ici, il vaidrait mieux si tu demanderais quelqu’un qui connait l’Anglais a te traduire.
WizzRSS est pas seulement gratuit mais un effort tout a fait volontaire. Efin, parce que evidemment tu ne connais pas des autres lagues non plus, tu n’as absolument pas de droit de te plaindre ici.
C’est hallucinant comme les francophones peuvent etre arrogant et ingrat, mais malheureusement tres bien connu.
Thanx Mike, I have tried a kot of news readers this one is the best!
So glad that I’ve found the fixes!! Started using Sage for a while – no where near as good as Wizz – and felt there was missing something from life!
Keep it up – and don’t leg those noggins grind you down!
@lyrabee: Don’t worry about it too much. Within the next day or two I plan to start a buy-a-nag-free-version-of-Wizz-RSS “campaign.”
I was planning to turn the nag page off, but on 2nd thoughts decided it might serve as a good incentive to raise a bit of money which will go towards covering the costs of running the Wizz RSS server.
The “purchase price” of the nag-free-version will be you wish to donate. If you’ve already made a donation, you should receive your nag-free-version via email within the next day or two.
*big hug*
))
Thanks a lot for your work and the frankness on your pages & actions
Version 3.2.0.0 is not compatible with FF 3.5.7, so my browser reports….
@Pierre: 3.2.0.0 is only for Firefox 3.6. Please install 3.1.0.5 for Firefox 3.5.
Yes, I read it (too late / tongue in cheek / bite). Anyway, THANKS!
Any hope of a “Vulnerability Safe” lite version (for FF 3.6)? I miss not having so many options…
@Collin: Sorry, Wizz RSS Lite is dead. You’ll just have to use the full version.
Thanks Mike,
WizzRSS is excellent. Like a few others here, I tried Sage for a while and InfoRSS, but Wizz beats them hands-down!