Elxis CMS Forum

Support => Elxis 4.x/5.x DEV => Topic started by: datahell on March 10, 2025, 21:44:21

Title: Upcoming Elxis 5.6 information
Post by: datahell on March 10, 2025, 21:44:21
Page generators in Elxis 5.6

A feature that will be available in the upcoming Elxis 5.6 is Page Generators. A Page Generator is a custom block of code that generates the HTML of the page instead of the built-in component (actually the HTML of the component's viewer). This allows us to achieve 100% customization of the page layout and style. Page Generators are optional parts of a template. For now, page generators are available in component Content for:


On each category/article you can select (or not) a page generator (if available in your template). Category "A" may have a totally different style from category "B", while category "C" might have the Elxis default style.

If you have a template named "supercool" Page Generators should be added here: templates/supercool/generators/
Page generators are PHP files and have special naming depending on their type. For instance, page generators for categories must start with "category_", for articles with "article_", and for tags and archive the name is standard (content_tags and content_archive respectively).

Here are sample generators for template "supercool".

templates/supercool/generators/category_Blog.php
templates/supercool/generators/category_Blog2.php
templates/supercool/generators/category_List.php
templates/supercool/generators/article_presentation.php
templates/supercool/generators/article_tourism.php
templates/supercool/generators/content_tags.php
templates/supercool/generators/content_archive.php

When you edit a category you can select as generator: Component Content (Elxis default), Blog, Blog2 or List. If you change the template and the selected generator does not exist in the new template, the page will be generated by component Content (fallback process).

More information after the release of Elxis 5.6
Title: Re: Page generators in Elxis 5.6
Post by: michalis1984 on March 11, 2025, 00:18:35
wow wow wowww  8) waiting for this datahell  ;D customization at top level
Title: Re: Page generators in Elxis 5.6
Post by: seadhna on May 07, 2025, 11:46:57
Sounds great!
Title: Elxis 5.6 - New password policy
Post by: datahell on June 03, 2025, 20:36:56
New password policy

Elxis 5.6 has a stricter user password policy. This is done in order to meet the highest security standards. If you perform an update from a previous version, then the policy will apply to newly created user accounts, not to the existing ones. However, if you go to change your password, then the new password must meet the new password policy.

A password, in order to be accepted, must:

This password is invalid (it contains only 1 symbol):
4RTrd57@E1o0p

This password is invalid (it has a length of 9 characters):
4RTr@a6!d

This password is valid:
4RTr@a6!dD34
Title: Re: Upcoming Elxis 5.6 information
Post by: datahell on July 09, 2025, 22:14:53
Finally, Elxis password policy became a configuration option including password complexity (normal/high) and expiration.

Available options:
Normal - Never expires
Normal - Expires in 3 months
Normal - Expires in 6 months
Normal - Expires in 12 months
High - Never expires
High - Expires in 3 months
High - Expires in 6 months
High - Expires in 12 months

Elxis 5.6 focuses a lot on strengthening security in order to meet the highest security standards.
Title: Re: Upcoming Elxis 5.6 information
Post by: seadhna on July 11, 2025, 14:17:32
Elxis 5.6 request: Not sure if this is possible, but it would be useful to be able to give a module an ID in parameters, similar to how we can already apply classes.
e.g. for pages with internal anchor links, to enable internal navigation via anchor link to a module that appears on the page.
Title: Re: Upcoming Elxis 5.6 information
Post by: datahell on July 11, 2025, 19:09:29
Done. All modules in Elxis 5.6 now have an ID declared in their wrapper DIV element.
Example:
<div class="module" id="moduleX">
...
</div>

Where X is the module ID. So you can create links like href="#module14"

Attention: If you include the same module twice in the same page (e.g. in 2 module positions) you will end up with duplicated IDs in the same page, which is an HTML error.
Title: Elxis 5.6 - Password policy enforcement and brute-force attacks
Post by: datahell on July 14, 2025, 19:46:48
Elxis 5.6 automatically enforces the selected password expiration policy. When a user logs in and has not changed his password for the configured period, Elxis displays a special page for him to change his password. The change of the password is required and the user cannot escape this procedure. Also, the password must meet the configured complexity pattern. For this feature it was required to develop a new exit page (like 403, 404, etc.) called pwchange.

Also in Elxis 5.6: If you try to log in 3 times without success, Elxis locks your account temporarily for 5 minutes. This feature was implemented to prevent brute-force attacks (required by security standards).
Title: Re: Upcoming Elxis 5.6 information
Post by: seadhna on July 15, 2025, 21:43:47
That's great about the module ID!
Title: Elxis 5.6: Inline events removal
Post by: datahell on August 01, 2025, 21:35:49
Inline javascript events get removed in order for Elxis to work with strict CSP directives. Many files got modified for this purpose. Most probably not 100% of these events will be removed as they are too many. HTML and javascript get re-written. Even if some inline events get preserved, these will not be of critical functionality and they will be removed in a later update.
Currently the whole frontend section and most of the backend have these inline events removed.

If a CSP policy gets applied via Elxis configuration, then all inline javascript, CSS and events stop working. This affects everything on the page: Elxis built-in extensions, third-party extensions, HTML content from the editor, etc. This is why Elxis must be able to work under such a strict security environment. If any problem arises, then it will be in a third-party extension (which will also require an update).
Title: Inline events, CSS and JS
Post by: datahell on August 09, 2025, 20:08:24
All inline events, CSS and javascript have been removed. Even the jQuery library was modified in order to be compatible with strict CSP policies.

Recommended CSP policy for Elxis configuration (Elxis 5.6 or newer, make sure third party extensions are compatible):

default-src 'self'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; img-src 'self' *.elxis.net data:;

Note: {nonce} gets replaced automatically by elxisDocument with the corresponding value.
Title: Re: Elxis 5.6: Inline events removal
Post by: nikos on August 12, 2025, 20:47:42
... If a CSP policy gets applied via Elxis configuration, then all inline javascript, CSS and events stop working. This affects everything on the page: Elxis built-in extensions, third-party extensions, HTML content from the editor, etc. This is why Elxis must be able to work under such a strict security environment. If any problem arises, then it will be in a third-party extension (which will also require an update).

Does it mean that in Elxis configuration there will be an option to enable the CSP policy or not?
Title: Re: Upcoming Elxis 5.6 information
Post by: datahell on August 13, 2025, 09:29:59
The CSP option has existed in Elxis configuration since v5.5. However, Elxis HTML was not ready for a strict CSP policy. In version 5.6 everything inline was removed, even the js events.

Conversion example
Original HTML
<a href="javascript:void(null);" onclick="doSomething();">Do something</a>

New HTML:
<a href="#" id="dolink">Do something</a>

In PHP:
$eDoc->addNativeDocReady('doOnLoad();');

In javascript file:
function doOnLoad() {
    document.getElementById('dolink').addEventListener('click', function(e) { e.preventDefault(); doSomething(); });
}

If you have many links executing the same js function it is recommended to use "data-" attributes. Example:

<a href="#" data-something="12">Do 12</a>
<a href="#" data-something="15">Do 15</a>
<a href="#" data-something="18">Do 18</a>

let dnlinks = document.querySelectorAll('a[data-something]');
if (dnlinks.length > 0) {
    for (let q = 0; q < dnlinks.length; q++) {
        dnlinks[q].addEventListener('click', function(e) {
            let nid = this.getAttribute('data-something');
            e.preventDefault();
            doSomething(nid);
        });
    }
}
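
Added example, not part of the original post and not Elxis code: a rough scanner that lists the markup a nonce-based CSP will block in rendered HTML, useful when checking third-party extension output against the conversion described above. It is regex-based rather than a full HTML parser, so text inside scripts can produce false positives; the function names and finding labels are made up for this sketch.

```javascript
// Constructed samples: the "before" and "after" links from the post.
const OLD_LINK = '<a href="javascript:void(null);" onclick="doSomething();">Do something</a>';
const NEW_LINK = '<a href="#" id="dolink">Do something</a>';

const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Parse the attribute text of one start tag into a Map (names lower-cased).
function parseAttrs(text) {
  const attrs = new Map();
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Return "tag:problem[:attribute]" strings for markup a strict CSP blocks.
function findCspBlockers(html) {
  const findings = [];
  // Start tags only; quoted attribute values may contain ">".
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    const attrs = parseAttrs(t[2]);
    for (const [name, value] of attrs) {
      // onclick, onload, ...: inline handlers never run under a nonce policy.
      if (/^on[a-z]+$/.test(name)) findings.push(`${tag}:inline-event:${name}`);
      // style="" attributes cannot carry a nonce, so style-src blocks them.
      if (name === 'style') findings.push(`${tag}:inline-style:${name}`);
      if (URL_ATTRS.has(name) && /^\s*javascript:/i.test(value)) {
        findings.push(`${tag}:javascript-url:${name}`);
      }
    }
    // Inline <script>/<style> elements need a non-empty nonce attribute.
    if (tag === 'script' && !attrs.has('src') && !attrs.get('nonce')) {
      findings.push('script:inline-without-nonce');
    }
    if (tag === 'style' && !attrs.get('nonce')) {
      findings.push('style:inline-without-nonce');
    }
  }
  return findings;
}
```
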
Title: Re: Upcoming Elxis 5.6 information
Post by: datahell on August 13, 2025, 09:42:16
If you want to write javascript inside the HTML body, use the nonce attribute. The value of the nonce can be retrieved from the elxisDocument::getNonce() method (requires Elxis 5.6 or newer).

Example

<script nonce="<?php echo $eDoc->getNonce(); ?>">
    javascript code here
</script>

To check if you have Elxis 5.6:

if ($elxis->getVersion() >= 5.6) {
    ...
}

The nonce attribute tells the browser that this piece of inline code has not been injected into the content by third parties and it is safe to execute. The value of the nonce is cryptographically secure and it changes on every click. Elxis puts the nonce value in the document headers when using a CSP policy.
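
Added example, not part of the original posts and not Elxis code: a Node.js sketch of the mechanism described in the August 09 post (the {nonce} placeholder in the recommended policy) and in the post above (the nonce attribute), showing one fresh nonce per response shared by the header and the inline script, plus a check that the resulting policy still restricts inline code. The function names are made up for this sketch, and how Elxis generates its nonce internally is not shown in the thread.

```javascript
const crypto = require('crypto');

// Policy template as quoted in the thread; {nonce} is filled in per response.
const TEMPLATE = "default-src 'self'; frame-ancestors 'self'; form-action 'self'; " +
  "script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; " +
  "img-src 'self' *.elxis.net data:;";

// 128 random bits from the OS CSPRNG, base64-encoded. Never reuse across responses.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// One response: the same nonce goes into the header and the inline <script>.
// inlineJs must be developer-written code, never user-supplied content.
function buildResponse(inlineJs) {
  const nonce = newNonce();
  return {
    nonce,
    header: TEMPLATE.split('{nonce}').join(nonce),
    html: `<script nonce="${nonce}">${inlineJs}</script>`,
  };
}

// Split a policy into directive -> source list. Browsers ignore a repeated
// directive, so the first occurrence wins here too.
function parsePolicy(policy) {
  const out = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Flag settings that would let un-nonced inline code run again.
function auditPolicy(policy) {
  const d = parsePolicy(policy);
  const problems = [];
  for (const name of ['script-src', 'style-src']) {
    const src = d.get(name) || d.get('default-src'); // fallback per CSP
    if (!src) { problems.push(`${name}: not restricted`); continue; }
    const hasNonce = src.some((s) => /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/.test(s));
    if (src.includes("'nonce-{nonce}'")) {
      problems.push(`${name}: placeholder not replaced`);
    } else if (src.includes("'unsafe-inline'") && !hasNonce) {
      problems.push(`${name}: 'unsafe-inline' without nonce`);
    }
  }
  return problems;
}
```
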