Recent Posts

Pages: 1 [2] 3 4 ... 10

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by datahell on August 13, 2025, 09:29:59 »

The CSP option already exists in Elxis configuration since v5.5. However Elxis HTML was not ready for a strict CSP policy. In version 5.6 everything inline removed, even the js events.

Conversion example
Original HTML
<a href="javascript:void(null);" onclick="doSomething();">Do something</a>

New HTML:
<a href="#" id="dolink">Do something</a>

In PHP:
$eDoc->addNativeDocReady('doOnLoad();');

In javascript file:
function doOnLoad() {
document.getElementById('dolink').addEventListener('click', function(e) { e.preventDefault(); doSomething(); });
}

If you have many links executing the same js function it is recommended to use "data-" attributes. Example:

<a href="#" data-something="12">Do 12</a>
<a href="#" data-something="15">Do 15</a>
<a href="#" data-something="18">Do 18</a>

let dnlinks = document.querySelectorAll('a[data-something]');
if (dnlinks.length > 0) {
   for (let q=0; q<dnlinks.length; q++) {
   dnlinks[q].addEventListener('click', function(e) {
         let nid = this.getAttribute('data-something'); e.preventDefault(); doSomething(nid);
      });
   }
}

Elxis 4.x/5.x DEV / Re: Elxis 5.6: Inline events removal

« Last post by nikos on August 12, 2025, 20:47:42 »

Quote from: datahell on August 01, 2025, 21:35:49

... If CSP policy gets applied via Elxis configuration then all inline javascript, CSS and events stop working. This affects everything on the page, elxis build-in extensions, third-party extensions, html content from the editor, etc. This is why Elxis must be able to work under such strict security environment. If any problem arise then it will be on a third party extension (also require update).

It means that in Elxis configuration will exist the option to enable the CSP policy or not?

Elxis 4.x/5.x DEV / Inline events, CSS and JS

« Last post by datahell on August 09, 2025, 20:08:24 »

All inline events, CSS and javascript removed. Even JQuery library modified in order to be compatible with strict CSP policies.

Recommended CSP policy for Elxis configuration (Elxis 5.6 or newer, make sure third party extensions are compatible):

default-src 'self'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; img-src 'self' *.elxis.net data:;

Note: {nonce} get replaced automatically by elxisDocument with the corresponding value.

Elxis 4.x/5.x DEV / Elxis 5.6: Inline events removal

« Last post by datahell on August 01, 2025, 21:35:49 »

Inline javascript events get removed in order Elxis to work with strict CSP directives. Many files got modified for this purpose. Most probably not 100% of these events will be removed as they are too many. HTML and javascript get re-written. Even if some inline events get preserved these will not be of critical functionality and they will be removed on a later update.
Currently all frontend section and most of the backend has these inline events removed.

If CSP policy gets applied via Elxis configuration then all inline javascript, CSS and events stop working. This affects everything on the page, elxis build-in extensions, third-party extensions, html content from the editor, etc. This is why Elxis must be able to work under such strict security environment. If any problem arise then it will be on a third party extension (also require update).

Γενικά Θέματα για το Elxis CMS / Re: Link άρθρου στο messenger

« Last post by evkarab on July 31, 2025, 07:49:54 »

https://forum.elxis.org/index.php?topic=9173.msg58222#msg58222

Γενικά Θέματα για το Elxis CMS / Link άρθρου στο messenger

« Last post by eliasbou on July 30, 2025, 20:26:52 »

Καλησπέρα. Στην προσπάθεια να στείλω ένα Link ενός άρθρου στο messenger για εικόνα μου εμφανίζει πάντα την ελληνική σημαία, αλλάζει αυτό.

Elxis 4.x/5.x DEV / DeepL API 403

« Last post by seadhna on July 15, 2025, 21:47:39 »

Hi there,
I was able to use DeepL API translation but it doesn't seem to be working anymore, I have tested on several Elxis installations on different hosts.
I get a 403 authentication error.
I have tried with valid FREE and PRO API keys, but the same error. Google translate and MyMemory are working.
I'm wondering if anyone else has had the same problem, maybe something has changed on the DeepL side?

General / Re: XML parameter types - attribute to allow HTML tags?

« Last post by seadhna on July 15, 2025, 21:44:43 »

Ok, I have used some jQuery

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by seadhna on July 15, 2025, 21:43:47 »

That's great about the module ID!

Elxis 4.x/5.x DEV / Elxis 5.6 - Password policy enforcement and brute-force attacks

« Last post by datahell on July 14, 2025, 19:46:48 »

Elxis 5.6 automatically enforces selected password expiration policy. When a user login and has not changed his password for the configured period then Elxis displays him a special page to change his password. The change of the password is required and the user cannot escape this procedure. Also the password must meet the configured complexity pattern. For this feature it was required to develop a new exit page (like 403, 404, etc) called pwchange.

Also in Elxis 5.6: If you try to login 3 times without success Elxis locks your account temporary for 5 minutes. This feature implemented to prevent brute-force attacks (required by security standards).

Pages: 1 [2] 3 4 ... 10