Merge branch 'flatpressblog:master' into master

2023-03-05 14:26:59 +01:00 · 2023-03-05 14:26:59 +01:00 · bd08207b1e
commit bd08207b1e
parent a9db325e1f c19e64593e
16 changed files with 62 additions and 17 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,14 +9,16 @@
 - [README](https://github.com/flatpressblog/flatpress/blob/master/README.md): added "help and support" section
 ## Plugins
- Gallery captions plugin added ([#108](https://github.com/flatpressblog/flatpress/issues/108))
+- PhotoSwipe plugin added: Displays images and galleries with [PhotoSwipe](https://photoswipe.com/) ([#109](https://github.com/flatpressblog/flatpress/issues/109))
- PhotoSwipe plugin added ([#109](https://github.com/flatpressblog/flatpress/issues/109))
+- Gallery captions plugin added: Manages image captions for gallery images ([#108](https://github.com/flatpressblog/flatpress/issues/108))
- SEO Meta Tag Info plugin added ([#145](https://github.com/flatpressblog/flatpress/issues/145))
+- SEO Meta Tag Info plugin added: Manages SEO meta tags ([#145](https://github.com/flatpressblog/flatpress/issues/145))
 - FlatPress Protect plugin added: Adds HTTP headers for hardening your blog ([#146](https://github.com/flatpressblog/flatpress/issues/146))
 - jQuery plugin: Updated jQuery (3.5.1 => 3.6.1) and jQueryUI (1.12.1 => 1.13.2)
 - Media Manager plugin shows 50 items per page, not 10
 - LastCommentsAdmin plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43))
- Fixed errors on the Comment Center config page ([#90](https://github.com/flatpressblog/flatpress/issues/90))
+- Comment Center plugin: Fixed errors on the config page ([#90](https://github.com/flatpressblog/flatpress/issues/90))
- Fixed PHP warnings in Akismet plugin ([#83](https://github.com/flatpressblog/flatpress/issues/83))
+- Comment Center plugin: Fixed error on sending mails with umlaut subjects ([#211](https://github.com/flatpressblog/flatpress/issues/211))
 - Akismet plugin: Fixed PHP warnings ([#83](https://github.com/flatpressblog/flatpress/issues/83))
 - BBCode plugin: Allows local video files ("attachs/video.mp4") and outputs valid HTML ([#192](https://github.com/flatpressblog/flatpress/issues/192))
 ## Themes
@ -44,6 +46,7 @@
 - Logout redirects to home page again ([#119](https://github.com/flatpressblog/flatpress/issues/119))
 - Fixed disappearing non-Latin characters in page title ([#49](https://github.com/flatpressblog/flatpress/issues/49) and [#91](https://github.com/flatpressblog/flatpress/issues/91))
 - Worked around strftime() marked as deprecated as of PHP 8.1 ([#92](https://github.com/flatpressblog/flatpress/issues/92)) - thx @bohwaz
 - Comments: Fixed error on sending mails with umlaut subjects ([#209](https://github.com/flatpressblog/flatpress/issues/209))
 ## Security
 - Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
--- a/comments.php
+++ b/comments.php
@ -222,7 +222,8 @@ function commentform() {
 					$fp_config ['general'] ['title']
 				), $lang ['comments'] ['mail']);
-				@utils_mail($from_mail, "{$lang ['comments'] ['newcomment']} {$lang ['comments'] ['newcomment']} {$fp_config['general']['title']}", $mail);
+				// for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 and splits the encrypted subject
 				@utils_mail($from_mail, '=?utf-8?B?' . base64_encode($lang ['comments'] ['newcomment']) . '=?= =?utf-8?B?' . base64_encode($fp_config ['general'] ['title']) . '==?=', $mail);
 			}
 			// if comment is valid, this redirect will clean the postdata
--- a/defaults.php
+++ b/defaults.php
@ -124,6 +124,7 @@ $serverport = "false";
 // Unterstützung für Apache und IIS
 ini_set('session.cookie_secure', 1);
 ini_set('session.cookie_httponly', 1);
 ini_set('session.cookie_samesite', 'Lax');
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
 } else {
--- a/fp-interface/lang/cs-cz/lang.comments.php
+++ b/fp-interface/lang/cs-cz/lang.comments.php
@ -11,6 +11,6 @@ S pozdravem %blogtitle%
 ';
-$lang ['comments'] ['newcomment'] = 'Nový komentář k';
+$lang ['comments'] ['newcomment'] = 'Nový komentář k ';
 ?>
--- a/fp-interface/lang/de-de/lang.comments.php
+++ b/fp-interface/lang/de-de/lang.comments.php
@ -16,6 +16,6 @@ Automatisch generiert von,
 ';
-$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf';
+$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf ';
 ?>
--- a/fp-interface/lang/el-gr/lang.comments.php
+++ b/fp-interface/lang/el-gr/lang.comments.php
@ -16,6 +16,6 @@ $lang ['comments'] ['mail'] = 'Αγαπητέ/η %toname%,
 ';
-$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο';
+$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο ';
 ?>
--- a/fp-interface/lang/en-us/lang.comments.php
+++ b/fp-interface/lang/en-us/lang.comments.php
@ -16,6 +16,6 @@ All the best,
 ';
-$lang ['comments'] ['newcomment'] = 'New comment on';
+$lang ['comments'] ['newcomment'] = 'New comment on ';
 ?>
--- a/fp-interface/lang/es-es/lang.comments.php
+++ b/fp-interface/lang/es-es/lang.comments.php
@ -16,6 +16,6 @@ Todo lo mejor,
 ';
-$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre';
+$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre ';
 ?>
--- a/fp-interface/lang/fr-fr/lang.comments.php
+++ b/fp-interface/lang/fr-fr/lang.comments.php
@ -16,6 +16,6 @@ Cordialement,
 ';
-$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur';
+$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur ';
 ?>
--- a/fp-interface/lang/it-it/lang.comments.php
+++ b/fp-interface/lang/it-it/lang.comments.php
@ -16,6 +16,6 @@ Saluti,
 ';
-$lang ['comments'] ['newcomment'] = 'Nuovo commento su';
+$lang ['comments'] ['newcomment'] = 'Nuovo commento su ';
 ?>
--- a/fp-interface/lang/ja-jp/lang.comments.php
+++ b/fp-interface/lang/ja-jp/lang.comments.php
@ -19,6 +19,6 @@ $lang ['comments'] ['mail'] = '%toname% さま,
 ';
-$lang ['comments'] ['newcomment'] = 'の新しいコメント';
+$lang ['comments'] ['newcomment'] = 'の新しいコメント ';
 ?>
--- a/fp-interface/lang/nl-nl/lang.comments.php
+++ b/fp-interface/lang/nl-nl/lang.comments.php
@ -16,6 +16,6 @@ Groeten,
 ';
-$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op';
+$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op ';
 ?>
--- a/fp-interface/lang/pt-br/lang.comments.php
+++ b/fp-interface/lang/pt-br/lang.comments.php
@ -17,6 +17,6 @@ Um abraço,
 ';
-$lang ['comments'] ['newcomment'] = 'Novo comentário em';
+$lang ['comments'] ['newcomment'] = 'Novo comentário em ';
 ?>
--- a/fp-plugins/commentcenter/plugin.commentcenter.php
+++ b/fp-plugins/commentcenter/plugin.commentcenter.php
@ -438,7 +438,8 @@ class plugin_commentcenter {
 			$fp_config ['general'] ['title']
 		), $text);
-		return @utils_mail($from_mail, $subject, $text);
+		// for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64
 		return @utils_mail($from_mail, '=?utf-8?B?' . base64_encode($subject) . '?=', $text);
 	}
 }
--- a/fp-plugins/fpprotect/doc_fpprotect.txt
+++ b/fp-plugins/fpprotect/doc_fpprotect.txt
@ -0,0 +1,16 @@
 FlatPress Protect
 =================
 Description
 -----------
 Protect your blog with additional fetures in the HTTP response header
 * Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content.
 * Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
 * HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
 * The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
 * HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking.
 * The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests.
 Here you can check the security of your Flatpress blog
 https://securityheaders.com/
--- a/fp-plugins/fpprotect/plugin.fpprotect.php
+++ b/fp-plugins/fpprotect/plugin.fpprotect.php
@ -0,0 +1,23 @@
 <?php
 /*
 * Plugin Name: FlatPress Protect
 * Plugin URI: http://www.flatpress.org/
 * Description: Protect your blog with additional fetures in the HTTP response header. <a href="./fp-plugins/fpprotect/doc_fpprotect.txt" title="More information" target="_blank">[More information]</a>
 * Author: FlatPress
 * Version: 1.0
 * Author URI: https://www.flatpress.org
 */
 // Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM
 header('Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
 header('X-Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
 header('X-WebKit-CSP: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
 // End of Content Security Policy rules
 header('Feature-Policy: interest-cohort \'none\'; autoplay \'self\'; camera \'self\'; fullscreen \'self\'; geolocation \'self\'; microphone \'self\'; payment \'none\';'); // Goodbye Feature Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
 header('Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=(),'); // Hello Permissions Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
 header('Referrer-Policy: strict-origin-when-cross-origin');
 header('Strict-Transport-Security: max-age=15552000; includeSubDomains');
 header('X-Permitted-Cross-Domain-Policies: none');
 header('X-Download-Options: noopen');
 ?>