Recent Posts

Pages: 1 ... 8 9 [10]

News and announcements / Elxis 5.6 Oxylus released!

« Last post by datahell on August 18, 2025, 20:55:45 »

Elxis 5.6 Oxylus released. You can download it from elxis.org.
In Elxis 5.6 (Oxylus) we have strengthen CMS security even more.
This is a quick change-log. Detailed presentation of Elxis 5.6 Oxylus will be available from elxis.org soon.

Security related

Password policy configuration option (chars length, complexity, expiration)
Enforce password expiration policy
New exit page "pwchange" (for expired password change)
Lock user account for 5 minutes after 3 unsucessfull login attempts
Crypt helper: added sha256, sha384 and sha512 encryption arlgorithm
Plugin Contact: Added security token
Always set header X-Content-Type-Options: nosniff regardless the security level
x-frame-options = SAMEORIGIN by default
sha256 integrity hash html attribute in CSS and JS files
nonce html attribute in CSS and JS files
crossorigin="anonymous" in CSS ans JS files
Added CSP nonce and {nonce} replacement for elxis config option
Minifier: Calculate CSP sha-256 checksums
Removal of inline events in all Elxis extensions and libraries
New method preAuthCheck for the elxisAuth library

Other

Page generators for content Categories, Articles, Tags and Archive
Provide an ID to all module DIV wrappers (id="moduleX")
Added Czech language
Update JQuery from v3.6.0 to v3.7.1
ElxisForm library: Option to add html attributes in Yes/No checkboxes
Database tables: DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci

Fixes

HTML helper: Fix unclosed tag
Messages helper: Fix GROUP BY issue when sql_mode=only_full_group_by
Administration login: Fix user trying to login from wrong URL
Component user: Add missing label for Country
Template Five: Fix possible XSS attack
Fix Google maps plugin

Language / Re: SOLVED Second language OFF and then ON

« Last post by Luca on August 17, 2025, 12:01:03 »

Quote

So, I've found out the reason because I've lost the translation.

I don't want this to happen

Language / Re: SOLVED Second language OFF and then ON

« Last post by datahell on August 17, 2025, 10:16:57 »

I will explain to you what may happened.

There is no delete button for translations. A translation gets deleted when the value is empty. When saving an article, or whatever, the translations system checks the strings that have been submitted for all languages. If the value for a language is empty, or not provided, it is marked for deletion.

en: Hello
el: Γειά
de: Hallo
it: Ciao

If you set de = "" (empty) then the corresponding translation will be deleted from the database.

Example
You have an article title in 4 languages, de, en, it, es
You unpublish Italian language (it)
You go and edit the article. As Italian is unpublished only values for de, en and es get proceeded (there is no "it"). Therefor the saved in database value for it is empty and so gets deleted.
When you re-enable Italian language and go to edit the same article you will see that there is no value for the "it".

If you lost many translations due to the above reason it means that you have the language set to OFF for a long time and in the meanwhile you edit many items.
This is absolutely normal behavior and this is how the translations system works. The deletion of empty/unused strings is in order to remove items from the database not needed any more.

Language / Re: SOLVED Second language OFF and then ON

« Last post by Luca on August 17, 2025, 08:28:29 »

Yes, indeed, also there's a warning about it, below the primary language setup

.

I can recall years ago when I "tested"

that. It really messed up everything and, moreover IS NOT easily recoverable

Back on
So, I've found out the reason because I've lost the translation. But
With the other languages switched off, shouldn't respective translations deserve to be protected in some way? On editing, you only actually have visible those active, ... If they are not in use this doesn't necessarily mean you don't want them any more...
OR, leaving visible on editing all the translations no matter if they are on or off, wouldn't prevent these kind of behavior?

Language / Re: SOLVED Second language OFF and then ON

« Last post by datahell on August 16, 2025, 21:59:00 »

Switching ON and OFF language does not affect translations saved in database. What can mess up things is changing the default language. This creates an inconsistency in translations table.

Language / SOLVED Second language OFF and then ON

« Last post by Luca on August 15, 2025, 07:51:07 »

SOLVED: I got WHY, thank you anyway for your attention:
Meanwhile the secondary language was disabled, I made some text modifications in the default language of those modules and articles, thus saving the respective secondary language part of them as BLANK, in the db!!! Stupid me.
------------------------------------

Hello everybody, I hope to find you well!

I am facing a curious behaviour, here.
For a matter of a/b testing the seo reflectings, I decided to temporarily limit my website to the default language (EN), disabling the secondary one (IT).
When I reverted back, enabling my second language again, I've found that some (not all) of the translations have been lost (gone) from the database.
Now, I really don't know if it happened in the moment I switched off or back on.
This affected some articles as well as some text modules, and I didn't expect this to happen at all...

Any clue, please?

Thanks so much!

Elxis Version   5.5
Revision number   2585
Codename   Hermes
Security level   High
Elxis defender   GF
PHP version 8.1.2-1ubuntu2.22

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by datahell on August 13, 2025, 09:42:16 »

If you want to write javascript inside html body use the nonce attribute. The value of nonce can be retrieved from elxisDocument::getNonce() method (requires Elxis 5.6 or newer).

Example

<script nonce="<?php echo $eDoc->getNonce(); ?>">
javascript code here
</script>

To check if you have Elxis 5.6:

if ($elxis->getVersion() >= 5.6) {
...
}

The nonce attribute tells the browser that this piece of inline code has not been injected to the content by third parties and it is safe to execute. The value of nonce is cryptographic secure and it changes on every click. Elxis put the nonce value on document headers when using a CSP policy.

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by datahell on August 13, 2025, 09:29:59 »

The CSP option already exists in Elxis configuration since v5.5. However Elxis HTML was not ready for a strict CSP policy. In version 5.6 everything inline removed, even the js events.

Conversion example
Original HTML
<a href="javascript:void(null);" onclick="doSomething();">Do something</a>

New HTML:
<a href="#" id="dolink">Do something</a>

In PHP:
$eDoc->addNativeDocReady('doOnLoad();');

In javascript file:
function doOnLoad() {
document.getElementById('dolink').addEventListener('click', function(e) { e.preventDefault(); doSomething(); });
}

If you have many links executing the same js function it is recommended to use "data-" attributes. Example:

<a href="#" data-something="12">Do 12</a>
<a href="#" data-something="15">Do 15</a>
<a href="#" data-something="18">Do 18</a>

let dnlinks = document.querySelectorAll('a[data-something]');
if (dnlinks.length > 0) {
   for (let q=0; q<dnlinks.length; q++) {
   dnlinks[q].addEventListener('click', function(e) {
         let nid = this.getAttribute('data-something'); e.preventDefault(); doSomething(nid);
      });
   }
}

Elxis 4.x/5.x DEV / Re: Elxis 5.6: Inline events removal

« Last post by nikos on August 12, 2025, 20:47:42 »

Quote from: datahell on August 01, 2025, 21:35:49

... If CSP policy gets applied via Elxis configuration then all inline javascript, CSS and events stop working. This affects everything on the page, elxis build-in extensions, third-party extensions, html content from the editor, etc. This is why Elxis must be able to work under such strict security environment. If any problem arise then it will be on a third party extension (also require update).

It means that in Elxis configuration will exist the option to enable the CSP policy or not?

100

Elxis 4.x/5.x DEV / Inline events, CSS and JS

« Last post by datahell on August 09, 2025, 20:08:24 »

All inline events, CSS and javascript removed. Even JQuery library modified in order to be compatible with strict CSP policies.

Recommended CSP policy for Elxis configuration (Elxis 5.6 or newer, make sure third party extensions are compatible):

default-src 'self'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; img-src 'self' *.elxis.net data:;

Note: {nonce} get replaced automatically by elxisDocument with the corresponding value.

Pages: 1 ... 8 9 [10]