From c1dae9205f7236b1d556dc3681133a121153a3ef Mon Sep 17 00:00:00 2001 From: Fraenkiman Date: Sat, 25 Feb 2023 19:49:14 +0100 Subject: [PATCH 01/11] for non-ASCII characters in the e-mail header fixes #209 Email notification is now sent when a new comment has been left and when the subject in the email header contains umlauts. --- comments.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/comments.php b/comments.php index b461d07..9fb1653 100644 --- a/comments.php +++ b/comments.php @@ -222,7 +222,8 @@ function commentform() { $fp_config ['general'] ['title'] ), $lang ['comments'] ['mail']); - @utils_mail($from_mail, "{$lang ['comments'] ['newcomment']} {$lang ['comments'] ['newcomment']} {$fp_config['general']['title']}", $mail); + // for non-ASCII characters in the e-mail header, use RFC 1342 — Encodes data with MIME base64 + @utils_mail($from_mail, "=?utf-8?B?" . base64_encode($lang ['comments'] ['newcomment']) . "?= =?utf-8?B?" . base64_encode($fp_config ['general'] ['title']) . "?=", $mail); } // if comment is valid, this redirect will clean the postdata From 8f28e293e68fce760b2052f3d559d9369860ebcd Mon Sep 17 00:00:00 2001 From: Fraenkiman Date: Sun, 26 Feb 2023 04:36:34 +0100 Subject: [PATCH 02/11] Update comments.php Splits the encrypted subject. The encrypted subject should not be longer than 76 characters. --- comments.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/comments.php b/comments.php index 9fb1653..511e0e2 100644 --- a/comments.php +++ b/comments.php 
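Review bot: The space between the two encoded-words in the new `@utils_mail` subject is discarded by RFC 2047 decoders (linear whitespace between adjacent encoded-words is ignored on display), so recipients see the blog title glued to the prefix, and a title longer than 45 bytes produces an encoded-word over the 75-character cap of RFC 2047 §2 (the "RFC 1342" named in the comment is the obsoleted predecessor). Encoding the finished subject once, `@utils_mail($from_mail, mb_encode_mimeheader($lang ['comments'] ['newcomment'] . ' ' . $fp_config ['general'] ['title'], 'UTF-8', 'B'), $mail);`, fixes both and folds long headers, provided the mbstring extension is available to FlatPress (iconv_mime_encode() is the fallback). Base64-encoding the subject also keeps any CR/LF from the configured title out of the raw header, which is worth a comment so the encoding is not later "simplified" away. The `@` still suppresses utils_mail() failures, which is what made #209 hard to see; capturing the return value instead of silencing it would help the next report. commentform() continues outside the hunk.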
@@ -222,8 +222,8 @@ function commentform() { $fp_config ['general'] ['title'] ), $lang ['comments'] ['mail']); - // for non-ASCII characters in the e-mail header, use RFC 1342 — Encodes data with MIME base64 - @utils_mail($from_mail, "=?utf-8?B?" . base64_encode($lang ['comments'] ['newcomment']) . "?= =?utf-8?B?" . base64_encode($fp_config ['general'] ['title']) . "?=", $mail); + // for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 and splits the encrypted subject + @utils_mail($from_mail, "=?utf-8?B?" . base64_encode($lang ['comments'] ['newcomment']) . "=?= =?utf-8?B?" . base64_encode($fp_config ['general'] ['title']) . "==?=", $mail); } // if comment is valid, this redirect will clean the postdata From 3ad8a38183dc76d3e4285545d54576949e9f09e6 Mon Sep 17 00:00:00 2001 From: Fraenkiman Date: Sun, 26 Feb 2023 05:01:59 +0100 Subject: [PATCH 03/11] Spaces inserted Spaces inserted so that they can be encrypted in the e-mail header --- fp-interface/lang/cs-cz/lang.comments.php | 2 +- fp-interface/lang/de-de/lang.comments.php | 2 +- fp-interface/lang/el-gr/lang.comments.php | 2 +- fp-interface/lang/en-us/lang.comments.php | 2 +- fp-interface/lang/es-es/lang.comments.php | 2 +- fp-interface/lang/fr-fr/lang.comments.php | 2 +- fp-interface/lang/it-it/lang.comments.php | 2 +- fp-interface/lang/ja-jp/lang.comments.php | 2 +- fp-interface/lang/nl-nl/lang.comments.php | 2 +- fp-interface/lang/pt-br/lang.comments.php | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/fp-interface/lang/cs-cz/lang.comments.php b/fp-interface/lang/cs-cz/lang.comments.php index 53ad92d..d687941 100644 --- a/fp-interface/lang/cs-cz/lang.comments.php +++ b/fp-interface/lang/cs-cz/lang.comments.php @@ -11,6 +11,6 @@ S pozdravem %blogtitle% '; -$lang ['comments'] ['newcomment'] = 'Nový komentář k'; +$lang ['comments'] ['newcomment'] = 'Nový komentář k '; ?> 
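Review bot: The `=` and `==` appended after each `base64_encode()` in the new `@utils_mail` subject corrupt the encoded-words: base64_encode() already emits exactly the padding its input needs, so the extra characters leave an encoded-text whose length is not a multiple of four, which strict decoders reject and lenient ones render as garbage; patch 06 (the later comments.php hunk) keeps the same characters and only changes the quote style. The 76-character figure from the commit message is the MIME body line limit and is not a reason to pad; the rule that applies here is RFC 2047's 75-character cap per encoded-word, which `mb_encode_mimeheader($lang ['comments'] ['newcomment'] . ' ' . $fp_config ['general'] ['title'], 'UTF-8', 'B')` honours by splitting and folding for you. Encoding the concatenated string once also makes the trailing spaces that patch 03 adds to every `newcomment` translation unnecessary, because the separating space then sits inside the encoded text instead of between two encoded-words, where decoders drop it. "Encrypted" in the comment should read "encoded" — base64 provides no confidentiality and the comment should not suggest it does. commentform() starts and ends outside the hunk.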
diff --git a/fp-interface/lang/de-de/lang.comments.php b/fp-interface/lang/de-de/lang.comments.php index aaec3f1..eed2a6f 100644 --- a/fp-interface/lang/de-de/lang.comments.php +++ b/fp-interface/lang/de-de/lang.comments.php @@ -16,6 +16,6 @@ Automatisch generiert von, '; -$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf'; +$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf '; ?> diff --git a/fp-interface/lang/el-gr/lang.comments.php b/fp-interface/lang/el-gr/lang.comments.php index 7838214..d15cc34 100644 --- a/fp-interface/lang/el-gr/lang.comments.php +++ b/fp-interface/lang/el-gr/lang.comments.php @@ -16,6 +16,6 @@ $lang ['comments'] ['mail'] = 'Αγαπητέ/η %toname%, '; -$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο'; +$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο '; ?> diff --git a/fp-interface/lang/en-us/lang.comments.php b/fp-interface/lang/en-us/lang.comments.php index 4c25b9f..e54ecb6 100644 --- a/fp-interface/lang/en-us/lang.comments.php +++ b/fp-interface/lang/en-us/lang.comments.php @@ -16,6 +16,6 @@ All the best, '; -$lang ['comments'] ['newcomment'] = 'New comment on'; +$lang ['comments'] ['newcomment'] = 'New comment on '; ?> diff --git a/fp-interface/lang/es-es/lang.comments.php b/fp-interface/lang/es-es/lang.comments.php index d151203..21d4e4a 100644 --- a/fp-interface/lang/es-es/lang.comments.php +++ b/fp-interface/lang/es-es/lang.comments.php @@ -16,6 +16,6 @@ Todo lo mejor, '; -$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre'; +$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre '; ?> diff --git a/fp-interface/lang/fr-fr/lang.comments.php b/fp-interface/lang/fr-fr/lang.comments.php index b82c22a..d3eea62 100644 --- a/fp-interface/lang/fr-fr/lang.comments.php +++ b/fp-interface/lang/fr-fr/lang.comments.php @@ -16,6 +16,6 @@ Cordialement, '; -$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur'; +$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur '; ?> 
diff --git a/fp-interface/lang/it-it/lang.comments.php b/fp-interface/lang/it-it/lang.comments.php index 825f6ee..6990eb6 100644 --- a/fp-interface/lang/it-it/lang.comments.php +++ b/fp-interface/lang/it-it/lang.comments.php @@ -16,6 +16,6 @@ Saluti, '; -$lang ['comments'] ['newcomment'] = 'Nuovo commento su'; +$lang ['comments'] ['newcomment'] = 'Nuovo commento su '; ?> diff --git a/fp-interface/lang/ja-jp/lang.comments.php b/fp-interface/lang/ja-jp/lang.comments.php index e74b026..cc52838 100644 --- a/fp-interface/lang/ja-jp/lang.comments.php +++ b/fp-interface/lang/ja-jp/lang.comments.php @@ -19,6 +19,6 @@ $lang ['comments'] ['mail'] = '%toname% さま, '; -$lang ['comments'] ['newcomment'] = 'の新しいコメント'; +$lang ['comments'] ['newcomment'] = 'の新しいコメント '; ?> diff --git a/fp-interface/lang/nl-nl/lang.comments.php b/fp-interface/lang/nl-nl/lang.comments.php index 9a096aa..8297766 100644 --- a/fp-interface/lang/nl-nl/lang.comments.php +++ b/fp-interface/lang/nl-nl/lang.comments.php @@ -16,6 +16,6 @@ Groeten, '; -$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op'; +$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op '; ?> diff --git a/fp-interface/lang/pt-br/lang.comments.php b/fp-interface/lang/pt-br/lang.comments.php index 0fcbd7f..0bc86d4 100644 --- a/fp-interface/lang/pt-br/lang.comments.php +++ b/fp-interface/lang/pt-br/lang.comments.php @@ -17,6 +17,6 @@ Um abraço, '; -$lang ['comments'] ['newcomment'] = 'Novo comentário em'; +$lang ['comments'] ['newcomment'] = 'Novo comentário em '; ?> From e785ea184e3beae26d2d949257eae6a6b3d55fa9 Mon Sep 17 00:00:00 2001 From: Fraenkiman Date: Sun, 26 Feb 2023 13:40:42 +0100 Subject: [PATCH 04/11] Update plugin.commentcenter.php Fixes #211 An email notification is now sent when there is a new comment to approve and when the subject in the email header contains umlauts. --- fp-plugins/commentcenter/plugin.commentcenter.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/fp-plugins/commentcenter/plugin.commentcenter.php b/fp-plugins/commentcenter/plugin.commentcenter.php index 9df6c0f..9813990 100644 --- a/fp-plugins/commentcenter/plugin.commentcenter.php +++ b/fp-plugins/commentcenter/plugin.commentcenter.php @@ -438,7 +438,8 @@ class plugin_commentcenter { $fp_config ['general'] ['title'] ), $text); - return @utils_mail($from_mail, $subject, $text); + // for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 + return @utils_mail($from_mail, "=?utf-8?B?" . base64_encode($subject) . "?=", $text); } } From 91cbfeeaebe50f42c21f2475d1000e6d9b0a15bf Mon Sep 17 00:00:00 2001 From: Fraenkiman Date: Mon, 27 Feb 2023 23:01:17 +0100 Subject: [PATCH 05/11] Update plugin.commentcenter.php little correction --- fp-plugins/commentcenter/plugin.commentcenter.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fp-plugins/commentcenter/plugin.commentcenter.php b/fp-plugins/commentcenter/plugin.commentcenter.php index 9813990..966d4b1 100644 --- a/fp-plugins/commentcenter/plugin.commentcenter.php +++ b/fp-plugins/commentcenter/plugin.commentcenter.php @@ -439,7 +439,7 @@ class plugin_commentcenter { ), $text); // for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 - return @utils_mail($from_mail, "=?utf-8?B?" . base64_encode($subject) . "?=", $text); + return @utils_mail($from_mail, '=?utf-8?B?' . base64_encode($subject) . '?=', $text); } } From 296470bd7bb70629ccc6541993bf4aa8d704b231 Mon Sep 17 00:00:00 2001 From: Fraenkiman Date: Mon, 27 Feb 2023 23:03:59 +0100 Subject: [PATCH 06/11] Update comments.php little correction --- comments.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/comments.php b/comments.php index 511e0e2..405920f 100644 --- a/comments.php +++ b/comments.php 
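Review bot: The subject in the new `return @utils_mail(...)` line is a single unfolded encoded-word, so any `$subject` over 45 bytes yields more than the 75 characters RFC 2047 §2 allows per encoded-word and conforming clients may show it undecoded; patch 05's follow-up hunk only changes the quoting and keeps this. `mb_encode_mimeheader()` splits and folds automatically: `return @utils_mail($from_mail, mb_encode_mimeheader($subject, 'UTF-8', 'B'), $text);` (iconv_mime_encode() if mbstring is not guaranteed). Where `$subject` is assembled is outside the hunk; if it carries comment data such as the author name, the encoding also keeps any CR/LF out of the raw header, which deserves a comment so that property is preserved deliberately. The `@` still hides delivery failures from the caller, which is the same blind spot that delayed #211. The enclosing method starts outside the hunk.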
@@ -223,7 +223,7 @@ function commentform() { ), $lang ['comments'] ['mail']); // for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 and splits the encrypted subject - @utils_mail($from_mail, "=?utf-8?B?" . base64_encode($lang ['comments'] ['newcomment']) . "=?= =?utf-8?B?" . base64_encode($fp_config ['general'] ['title']) . "==?=", $mail); + @utils_mail($from_mail, '=?utf-8?B?' . base64_encode($lang ['comments'] ['newcomment']) . '=?= =?utf-8?B?' . base64_encode($fp_config ['general'] ['title']) . '==?=', $mail); } // if comment is valid, this redirect will clean the postdata From 9837c7669250bae3412e22af486ec01c8c96da04 Mon Sep 17 00:00:00 2001 
From: Fraenkiman Date: Wed, 1 Mar 2023 00:59:25 +0100 Subject: [PATCH 07/11] Hardens FlatPress via HTTP response header Fixes #146 Can be optionally activated by the FlatPress admin * Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content. * Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser. * HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. * The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks. * HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking. * The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests. --- defaults.php | 1 + fp-plugins/fpprotect/doc_fpprotect.txt | 16 ++++++++++++++++ fp-plugins/fpprotect/plugin.fpprotect.php | 23 +++++++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 fp-plugins/fpprotect/doc_fpprotect.txt create mode 100644 fp-plugins/fpprotect/plugin.fpprotect.php diff --git a/defaults.php b/defaults.php index 35bb611..439c190 100755 --- a/defaults.php +++ b/defaults.php @@ -124,6 +124,7 @@ $serverport = "false"; // Unterstützung für Apache und IIS ini_set('session.cookie_secure', 1); ini_set('session.cookie_httponly', 1); +ini_set('session.cookie_samesite', 'Lax'); if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) { $serverport = "https://"; } else { 
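Review bot: The added `ini_set('session.cookie_samesite', 'Lax');` is a silent no-op on PHP older than 7.3, where the directive does not exist and ini_set() merely returns false, so such deployments get no SameSite attribute and no indication of it; a comment like `// SameSite needs PHP >= 7.3; on older runtimes ini_set() returns false and the cookie stays unflagged` would record that. Like the `cookie_secure` and `cookie_httponly` lines above it, this only takes effect if it runs before the session cookie is sent, which the hunk cannot show — worth confirming no code path reaches session_start() earlier. `Lax` is the sensible value here, since `Strict` would drop the session when an admin follows a link into the blog from another site. The CHANGELOG hunks later in the series list the secure/httponly fix under Security but do not mention the new SameSite flag.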
diff --git a/fp-plugins/fpprotect/doc_fpprotect.txt b/fp-plugins/fpprotect/doc_fpprotect.txt new file mode 100644 index 0000000..7ffef12 --- /dev/null +++ b/fp-plugins/fpprotect/doc_fpprotect.txt @@ -0,0 +1,16 @@ +FlatPress Protect +================= + +Description +----------- +Protect your blog with additional fetures in the HTTP response header + + * Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content. + * Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser. + * HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. + * The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks. + * HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking. + * The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests. + +Here you can check the security of your Flatpress blog +https://securityheaders.com/ diff --git a/fp-plugins/fpprotect/plugin.fpprotect.php b/fp-plugins/fpprotect/plugin.fpprotect.php new file mode 100644 index 0000000..b30346b --- /dev/null +++ b/fp-plugins/fpprotect/plugin.fpprotect.php 
@@ -0,0 +1,23 @@ +[More information] + * Author: FlatPress + * Version: 1.0 + * Author URI: https://www.flatpress.org + */ + +// Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM +header('Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';'); +header('X-Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';'); +header('X-WebKit-CSP: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src 
\'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';'); +// End of Content Security Policy rules +header('Feature-Policy: interest-cohort \'none\'; autoplay \'self\'; camera \'self\'; fullscreen \'self\'; geolocation \'self\'; microphone \'self\'; payment \'none\';'); // Goodbye Feature Policy! // thx Nextcloud-Maps-App, github.com/nextcloud +header('Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=(),'); // Hello Permissions Policy! // thx Nextcloud-Maps-App, github.com/nextcloud +header('Referrer-Policy: strict-origin-when-cross-origin'); +header('Strict-Transport-Security: max-age=15552000; includeSubDomains'); +header('X-Permitted-Cross-Domain-Policies: none'); +header('X-Download-Options: noopen'); +?> + From cf7bba513def439e953114c84da4f922ad1d0cf8 Mon Sep 17 00:00:00 2001 From: azett Date: Sun, 5 Mar 2023 13:12:45 +0100 Subject: [PATCH 08/11] added FlatPress Protect plugin --- CHANGELOG.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7d788d..6b04393 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
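Review bot: The `Permissions-Policy` header ends with a trailing comma after `payment=()`, which is not valid structured-header dictionary syntax and can cause a browser to discard the whole header; drop it: `header('Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=()');`. `Strict-Transport-Security` with `includeSubDomains` is emitted on every request; browsers ignore it over plain HTTP, but once received over HTTPS it commits every subdomain to HTTPS for 180 days, so it should be sent only when the request is HTTPS (the same `$_SERVER ['HTTPS']` test used in defaults.php) and the `includeSubDomains` choice needs a comment, since an admin with an HTTP-only subdomain cannot undo it quickly. `script-src` allowing `'unsafe-inline' 'unsafe-eval'` removes most of the XSS protection the plugin description promises; if FlatPress's inline scripts require it, state that in a comment next to the policy so the gap is known rather than assumed closed. The policy string is repeated verbatim in three headers, two of which (`X-Content-Security-Policy`, `X-WebKit-CSP`) are obsolete prefixed variants; defining it once as `$csp` and sending `header('Content-Security-Policy: ' . $csp);` keeps them in sync if they are kept at all. The plugin header lines at the top of the file are not visible in the hunk as rendered.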
@@ -9,14 +9,15 @@ - [README](https://github.com/flatpressblog/flatpress/blob/master/README.md): added "help and support" section ## Plugins -- Gallery captions plugin added ([#108](https://github.com/flatpressblog/flatpress/issues/108)) -- PhotoSwipe plugin added ([#109](https://github.com/flatpressblog/flatpress/issues/109)) -- SEO Meta Tag Info plugin added ([#145](https://github.com/flatpressblog/flatpress/issues/145)) +- PhotoSwipe plugin added: Displays images and galleries with [PhotoSwipe](https://photoswipe.com/) ([#109](https://github.com/flatpressblog/flatpress/issues/109)) +- Gallery captions plugin added: Manages image captions for gallery images ([#108](https://github.com/flatpressblog/flatpress/issues/108)) +- SEO Meta Tag Info plugin added: Manages SEO meta tags ([#145](https://github.com/flatpressblog/flatpress/issues/145)) +- FlatPress Protect plugin added: Adds HTTP headers for hardening your blog ([#146](https://github.com/flatpressblog/flatpress/issues/146)) - jQuery plugin: Updated jQuery (3.5.1 => 3.6.1) and jQueryUI (1.12.1 => 1.13.2) - Media Manager plugin shows 50 items per page, not 10 - LastCommentsAdmin plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43)) -- Fixed errors on the Comment Center config page ([#90](https://github.com/flatpressblog/flatpress/issues/90)) -- Fixed PHP warnings in Akismet plugin ([#83](https://github.com/flatpressblog/flatpress/issues/83)) +- Comment Center plugin: Fixed errors on the config page ([#90](https://github.com/flatpressblog/flatpress/issues/90)) +- Akismet plugin: Fixed PHP warnings ([#83](https://github.com/flatpressblog/flatpress/issues/83)) - BBCode plugin: Allows local video files ("attachs/video.mp4") and outputs valid HTML ([#192](https://github.com/flatpressblog/flatpress/issues/192)) ## Themes From e1dffe67f03857b340be2ef4fd5e5ca6b9a253fc Mon Sep 17 00:00:00 2001 
From: azett Date: Sun, 5 Mar 2023 13:23:46 +0100 Subject: [PATCH 09/11] added PR212 fix --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b04393..4e5108f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - Media Manager plugin shows 50 items per page, not 10 - LastCommentsAdmin plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43)) - Comment Center plugin: Fixed errors on the config page ([#90](https://github.com/flatpressblog/flatpress/issues/90)) +- Comment Center plugin: Fixed error on sending mails with umlaut subjects ([#208](https://github.com/flatpressblog/flatpress/issues/208)) - Akismet plugin: Fixed PHP warnings ([#83](https://github.com/flatpressblog/flatpress/issues/83)) - BBCode plugin: Allows local video files ("attachs/video.mp4") and outputs valid HTML ([#192](https://github.com/flatpressblog/flatpress/issues/192)) From a33a4c0dc0776fd871aaccc35730081d0983f4a1 Mon Sep 17 00:00:00 2001 From: azett Date: Sun, 5 Mar 2023 13:24:56 +0100 Subject: [PATCH 10/11] fixed issue number --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e5108f..9fbdf7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,7 +17,7 @@ - Media Manager plugin shows 50 items per page, not 10 - LastCommentsAdmin plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43)) - Comment Center plugin: Fixed errors on the config page ([#90](https://github.com/flatpressblog/flatpress/issues/90)) -- Comment Center plugin: Fixed error on sending mails with umlaut subjects ([#208](https://github.com/flatpressblog/flatpress/issues/208)) +- Comment Center plugin: Fixed error on sending mails with umlaut subjects ([#211](https://github.com/flatpressblog/flatpress/issues/211)) - Akismet plugin: Fixed PHP warnings ([#83](https://github.com/flatpressblog/flatpress/issues/83)) - BBCode plugin: Allows local video files ("attachs/video.mp4") and outputs valid HTML ([#192](https://github.com/flatpressblog/flatpress/issues/192)) From c19e64593ee56c043428211127fb65ced2a00f3b Mon Sep 17 00:00:00 2001 From: azett Date: Sun, 5 Mar 2023 13:30:49 +0100 Subject: [PATCH 11/11] added #209 fix --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fbdf7a..d8bc171 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,6 +46,7 @@ - Logout redirects to home page again ([#119](https://github.com/flatpressblog/flatpress/issues/119)) - Fixed disappearing non-Latin characters in page title ([#49](https://github.com/flatpressblog/flatpress/issues/49) and [#91](https://github.com/flatpressblog/flatpress/issues/91)) - Worked around strftime() marked as deprecated as of PHP 8.1 ([#92](https://github.com/flatpressblog/flatpress/issues/92)) - thx @bohwaz +- Comments: Fixed error on sending mails with umlaut subjects ([#209](https://github.com/flatpressblog/flatpress/issues/209)) ## Security - Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags