Merge branch 'flatpressblog:master' into upstream/issue201
This commit is contained in:
Frank Hochmuth
GitHub
commit
89c2b149c6
13
CHANGELOG.md
13
CHANGELOG.md
@ -9,14 +9,16 @@
|
||||
- [README](https://github.com/flatpressblog/flatpress/blob/master/README.md): added "help and support" section
|
||||
|
||||
## Plugins
|
||||
- Gallery captions plugin added ([#108](https://github.com/flatpressblog/flatpress/issues/108))
|
||||
- PhotoSwipe plugin added ([#109](https://github.com/flatpressblog/flatpress/issues/109))
|
||||
- SEO Meta Tag Info plugin added ([#145](https://github.com/flatpressblog/flatpress/issues/145))
|
||||
- PhotoSwipe plugin added: Displays images and galleries with [PhotoSwipe](https://photoswipe.com/) ([#109](https://github.com/flatpressblog/flatpress/issues/109))
|
||||
- Gallery captions plugin added: Manages image captions for gallery images ([#108](https://github.com/flatpressblog/flatpress/issues/108))
|
||||
- SEO Meta Tag Info plugin added: Manages SEO meta tags ([#145](https://github.com/flatpressblog/flatpress/issues/145))
|
||||
- FlatPress Protect plugin added: Adds HTTP headers for hardening your blog ([#146](https://github.com/flatpressblog/flatpress/issues/146))
|
||||
- jQuery plugin: Updated jQuery (3.5.1 => 3.6.1) and jQueryUI (1.12.1 => 1.13.2)
|
||||
- Media Manager plugin shows 50 items per page, not 10
|
||||
- LastCommentsAdmin plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43))
|
||||
- Fixed errors on the Comment Center config page ([#90](https://github.com/flatpressblog/flatpress/issues/90))
|
||||
- Fixed PHP warnings in Akismet plugin ([#83](https://github.com/flatpressblog/flatpress/issues/83))
|
||||
- Comment Center plugin: Fixed errors on the config page ([#90](https://github.com/flatpressblog/flatpress/issues/90))
|
||||
- Comment Center plugin: Fixed error on sending mails with umlaut subjects ([#211](https://github.com/flatpressblog/flatpress/issues/211))
|
||||
- Akismet plugin: Fixed PHP warnings ([#83](https://github.com/flatpressblog/flatpress/issues/83))
|
||||
- BBCode plugin: Allows local video files ("attachs/video.mp4") and outputs valid HTML ([#192](https://github.com/flatpressblog/flatpress/issues/192))
|
||||
|
||||
## Themes
|
||||
@ -44,6 +46,7 @@
|
||||
- Logout redirects to home page again ([#119](https://github.com/flatpressblog/flatpress/issues/119))
|
||||
- Fixed disappearing non-Latin characters in page title ([#49](https://github.com/flatpressblog/flatpress/issues/49) and [#91](https://github.com/flatpressblog/flatpress/issues/91))
|
||||
- Worked around strftime() marked as deprecated as of PHP 8.1 ([#92](https://github.com/flatpressblog/flatpress/issues/92)) - thx @bohwaz
|
||||
- Comments: Fixed error on sending mails with umlaut subjects ([#209](https://github.com/flatpressblog/flatpress/issues/209))
|
||||
|
||||
## Security
|
||||
- Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
|
||||
|
||||
@ -222,7 +222,8 @@ function commentform() {
|
||||
$fp_config ['general'] ['title']
|
||||
), $lang ['comments'] ['mail']);
|
||||
|
||||
@utils_mail($from_mail, "{$lang ['comments'] ['newcomment']} {$lang ['comments'] ['newcomment']} {$fp_config['general']['title']}", $mail);
|
||||
// for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 and splits the encrypted subject
|
||||
@utils_mail($from_mail, '=?utf-8?B?' . base64_encode($lang ['comments'] ['newcomment']) . '=?= =?utf-8?B?' . base64_encode($fp_config ['general'] ['title']) . '==?=', $mail);
|
||||
}
|
||||
|
||||
// if comment is valid, this redirect will clean the postdata
|
||||
|
||||
@ -124,6 +124,7 @@ $serverport = "false";
|
||||
// Unterstützung für Apache und IIS
|
||||
ini_set('session.cookie_secure', 1);
|
||||
ini_set('session.cookie_httponly', 1);
|
||||
ini_set('session.cookie_samesite', 'Lax');
|
||||
if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
|
||||
$serverport = "https://";
|
||||
} else {
|
||||
|
||||
@ -11,6 +11,6 @@ S pozdravem %blogtitle%
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Nový komentář k';
|
||||
$lang ['comments'] ['newcomment'] = 'Nový komentář k ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ Automatisch generiert von,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf';
|
||||
$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ $lang ['comments'] ['mail'] = 'Αγαπητέ/η %toname%,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο';
|
||||
$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ All the best,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'New comment on';
|
||||
$lang ['comments'] ['newcomment'] = 'New comment on ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ Todo lo mejor,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre';
|
||||
$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ Cordialement,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur';
|
||||
$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ Saluti,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Nuovo commento su';
|
||||
$lang ['comments'] ['newcomment'] = 'Nuovo commento su ';
|
||||
|
||||
?>
|
||||
|
||||
@ -19,6 +19,6 @@ $lang ['comments'] ['mail'] = '%toname% さま,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'の新しいコメント';
|
||||
$lang ['comments'] ['newcomment'] = 'の新しいコメント ';
|
||||
|
||||
?>
|
||||
|
||||
@ -16,6 +16,6 @@ Groeten,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op';
|
||||
$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op ';
|
||||
|
||||
?>
|
||||
|
||||
@ -17,6 +17,6 @@ Um abraço,
|
||||
|
||||
';
|
||||
|
||||
$lang ['comments'] ['newcomment'] = 'Novo comentário em';
|
||||
$lang ['comments'] ['newcomment'] = 'Novo comentário em ';
|
||||
|
||||
?>
|
||||
|
||||
@ -438,7 +438,8 @@ class plugin_commentcenter {
|
||||
$fp_config ['general'] ['title']
|
||||
), $text);
|
||||
|
||||
return @utils_mail($from_mail, $subject, $text);
|
||||
// for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64
|
||||
return @utils_mail($from_mail, '=?utf-8?B?' . base64_encode($subject) . '?=', $text);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
16
fp-plugins/fpprotect/doc_fpprotect.txt
Normal file
16
fp-plugins/fpprotect/doc_fpprotect.txt
Normal file
@ -0,0 +1,16 @@
|
||||
FlatPress Protect
|
||||
=================
|
||||
|
||||
Description
|
||||
-----------
|
||||
Protect your blog with additional fetures in the HTTP response header
|
||||
|
||||
* Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content.
|
||||
* Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
|
||||
* HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
|
||||
* The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
|
||||
* HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking.
|
||||
* The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests.
|
||||
|
||||
Here you can check the security of your Flatpress blog
|
||||
https://securityheaders.com/
|
||||
23
fp-plugins/fpprotect/plugin.fpprotect.php
Normal file
23
fp-plugins/fpprotect/plugin.fpprotect.php
Normal file
@ -0,0 +1,23 @@
|
||||
<?php
|
||||
/*
|
||||
* Plugin Name: FlatPress Protect
|
||||
* Plugin URI: http://www.flatpress.org/
|
||||
* Description: Protect your blog with additional fetures in the HTTP response header. <a href="./fp-plugins/fpprotect/doc_fpprotect.txt" title="More information" target="_blank">[More information]</a>
|
||||
* Author: FlatPress
|
||||
* Version: 1.0
|
||||
* Author URI: https://www.flatpress.org
|
||||
*/
|
||||
|
||||
// Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM
|
||||
header('Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
|
||||
header('X-Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
|
||||
header('X-WebKit-CSP: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
|
||||
// End of Content Security Policy rules
|
||||
header('Feature-Policy: interest-cohort \'none\'; autoplay \'self\'; camera \'self\'; fullscreen \'self\'; geolocation \'self\'; microphone \'self\'; payment \'none\';'); // Goodbye Feature Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
|
||||
header('Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=(),'); // Hello Permissions Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
|
||||
header('Referrer-Policy: strict-origin-when-cross-origin');
|
||||
header('Strict-Transport-Security: max-age=15552000; includeSubDomains');
|
||||
header('X-Permitted-Cross-Domain-Policies: none');
|
||||
header('X-Download-Options: noopen');
|
||||
?>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user