Fixes#146
Can be optionally activated by the FlatPress admin
* Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content.
* Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
* HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
* The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
* HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking.
* The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests.
Updated calls to current Smarty API (register_function()/register_modifier()/register_block() -> registerPlugin(); assign_by_ref() -> assignByRef()).
Fixed file includes in templates with quotes.
Removed SmartyValidate.class.php includes.
Still work in progress as some errors still appear!
Please visit his website http://www.aadmm.org/fp-patch/ and read patch-description.txt to learn more about the details of the patch.
I adapted the patch slighty: It now does not just add a __construct() function to the existing class-named one, instead it replaces it completely. Therefore, some parent::__construct() calls had to be changed, too.
(you can change the name of the file from defaults.php);
as salt is based on the path on the server, if you had to move to another directory or to another server, then you wouldn't be able to login anymore and you had to reinstall, now this shouldn't be needed anymore; moreover as this is now safe in a file we can add additional security by
* concatenating the default paths+random blog id to another random number, which is not written anywhere else
* changing the contents with your very own salt string: then re-run setup and overwrite your old user: the hashsalt won't be overwritten (this needs testing)
