Important Security Update For SyntaxHighlighter Evolved

If you use my popular SyntaxHighlighter Evolved WordPress plugin, please upgrade immediately. Ben Bidner discovered a security issue with the JavaScript highlighting library that my plugin uses. A couple of my Automattic co-workers and I worked with the author of that library to resolve the issue and the latest version of my plugin, 3.1.10, includes the fix.

Important Security Update For SyntaxHighlighter Evolved

If you use my SyntaxHighlighter Evolved WordPress plugin, please update ASAP. There’s a security issue with the Flash file that is used by version 2 of the highlighting library. This file is meant to be used for allowing one-click copying of the code to your clipboard (since normal copy/paste doesn’t work with it) but the file reportedly suffers from a cross-site scripting security issue.

Even if you use the better version 3 of the library (the default for my plugin), the file from version 2 of the library will still be included in the plugin’s files.

As a temporary fix, I have emptied out the file. This unfortunately means your visitors will not easily be able to copy any code you paste. I recommend switching to the superior version 3 via my plugin’s settings page. Code highlighted using the newer version can be selected and copied normally.

Feel free to leave any questions you have about this security issue on this post but please leave other general SyntaxHighlighter comments on the plugin’s homepage. Thanks.

SyntaxHighlighter v3.1.0 Released, Features Old Style Script Option

Not everyone was happy with the new highlighting package featured in SyntaxHighlighter v3.0.0 and using old versions of plugins is a bad idea (you miss out on features, bug fixes, etc.) so I’ve added the ability to toggle between v2 and v3 of Alex G’s SyntaxHighlighting package. I’ve also fixed a few bugs that were discovered post-release (such as HTML entities being broken in the Visual editor).

Everyone, including those who downgraded to v2.x of my plugin, should upgrade to v3.1.0 of my plugin.

One thing to note by the way: I would stay far, far away from TinyMCE (the Visual editor/tab) when blogging about code. It has the nasty little habit of attempting to “clean up” your code (namely HTML) for you and in the process with mess up your code. If you’re writing code, what are you doing using a WYSIWYG editor anyway? ;)

SyntaxHighlighter Evolved v3.0.0: What’s New

I finally found some time to work on my SyntaxHighlighter Evolved plugin and upgrade it use the latest version of Alex Gorbatchev’s highlighter.

What’s New

  • The new version of Alex G.’s script makes it easier to select and copy code. You can just drag your mouse to highlight and you will no longer get line numbers or you can double-click the code to highlight it all (in plain text to avoid getting the colors). Click off of the code to get it to go back to the colorized version.
  • You can specify a range of line numbers to highlight. Instead of having to do highlight="5,6,7,8,9,10,14" you can now just do highlight="5-10,14".
  • BuddyPress support.
  • A few new custom brushes (Clojure and the R language) and a Ukrainian translation.

Upgrade or download it now! :)

SyntaxHighlighter Evolved v2.3.0

I’ve released a new version of my SyntaxHighlighter Evolved plugin. It’s not a recode of the plugin, however it is a major overhaul of the plugin. It features an update to the highlighting package (with new languages and parameters) and other various things. Here’s the full changelog:

Version 2.3.0

Major overhaul, mainly to extend flexibility so that this plugin could be used on without actual code modification (only actions/filters are used instead to modify it).

  • Updated SyntaxHighlighter package to v2.1.364. Highlights of the changelog include:
    • ColdFusion brush (aliases: coldfusion, cf)
    • Erlang brush (aliases: erl, erlang)
    • Objective-C brush (aliases: objc, obj-c)
    • Eclipse theme
    • padlinenumbers parameter. Set it to false for no line number padding, true for automatic padding, or an integer (number) for forced padding.
    • rb alias for Ruby
  • Commenters can now use this plugin to post code.
  • Plugin’s shortcodes now work inside of the text widget again. Requires WordPress 2.9+ though.
  • Overhaul of the TinyMCE plugin that assists in keeping your code sound when switching editor views. Thanks to Andrew Ozz!
  • This plugin’s stylesheets are now dynamically loaded. If they aren’t needed, they aren’t loaded.
  • Lots of sanitization of shortcode attributes. Invalid keys/values are no longer used.
  • Chinese translation thanks to Hinker Liu. Will need updating for v2.3.0.
  • New filter to control what shortcodes are registered. Used by to trim down the number of them.
  • Saving of user’s settings is now done using register_setting() instead of manually handing $_POST. Yay!
  • By default, a post meta is used to mark posts as being encoded using the 2.x encoding format. This is bad for a site like You can use the new syntaxhighlighter_pre_getcodeformat filter to return 1 or 2 (based on say post_modified). See SyntaxHighlighter:get_code_format() for more details. Don’t forget to remove_action( 'save_post', array(&$SyntaxHighlighter, 'mark_as_encoded'), 10, 2 ); to stop the post meta from being added.
  • New syntaxhighlighter_precode filter to modify raw code before it’s highlighted.
  • New syntaxhighlighter_democode filter to modify example code on the settings page.

Plugin Update: SyntaxHighlighter Evolved v2.1.0

I’ve updated my SyntaxHighlighter Evolved plugin to v2.1.0. It incorporates changes made to Alex Gorbatchev’s script. Here are the relevant changes with my comments in italics:

  • Major speed improvement thanks to a patch by Jose Prado. SyntaxHighlighter now can render 4-5k lines in just a second or two (tested on a MacBook Pro 2.4GHz).
  • Added wrap-lines parameter option to disable line wrapping. See demo. (This can be accessed in my plugin via the “wraplines” parameter.)
  • Toolbar is now activated on mouse over.
  • Added ActionScript3 brush (thanks to Peter Atoria).
  • Added JavaFX brush (thank to Patrick Webster).
  • Added PowerShell brush (thanks to B.v.Zanten, Getronics)

An update notice should appear in your admin area soon.