Recent Posts

Pages: 1 ... 8 9 [10]

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by datahell on August 13, 2025, 09:42:16 »

If you want to write javascript inside html body use the nonce attribute. The value of nonce can be retrieved from elxisDocument::getNonce() method (requires Elxis 5.6 or newer).

Example

<script nonce="<?php echo $eDoc->getNonce(); ?>">
javascript code here
</script>

To check if you have Elxis 5.6:

if ($elxis->getVersion() >= 5.6) {
...
}

The nonce attribute tells the browser that this piece of inline code has not been injected to the content by third parties and it is safe to execute. The value of nonce is cryptographic secure and it changes on every click. Elxis put the nonce value on document headers when using a CSP policy.

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by datahell on August 13, 2025, 09:29:59 »

The CSP option already exists in Elxis configuration since v5.5. However Elxis HTML was not ready for a strict CSP policy. In version 5.6 everything inline removed, even the js events.

Conversion example
Original HTML
<a href="javascript:void(null);" onclick="doSomething();">Do something</a>

New HTML:
<a href="#" id="dolink">Do something</a>

In PHP:
$eDoc->addNativeDocReady('doOnLoad();');

In javascript file:
function doOnLoad() {
document.getElementById('dolink').addEventListener('click', function(e) { e.preventDefault(); doSomething(); });
}

If you have many links executing the same js function it is recommended to use "data-" attributes. Example:

<a href="#" data-something="12">Do 12</a>
<a href="#" data-something="15">Do 15</a>
<a href="#" data-something="18">Do 18</a>

let dnlinks = document.querySelectorAll('a[data-something]');
if (dnlinks.length > 0) {
   for (let q=0; q<dnlinks.length; q++) {
   dnlinks[q].addEventListener('click', function(e) {
         let nid = this.getAttribute('data-something'); e.preventDefault(); doSomething(nid);
      });
   }
}

Elxis 4.x/5.x DEV / Re: Elxis 5.6: Inline events removal

« Last post by nikos on August 12, 2025, 20:47:42 »

Quote from: datahell on August 01, 2025, 21:35:49

... If CSP policy gets applied via Elxis configuration then all inline javascript, CSS and events stop working. This affects everything on the page, elxis build-in extensions, third-party extensions, html content from the editor, etc. This is why Elxis must be able to work under such strict security environment. If any problem arise then it will be on a third party extension (also require update).

It means that in Elxis configuration will exist the option to enable the CSP policy or not?

Elxis 4.x/5.x DEV / Inline events, CSS and JS

« Last post by datahell on August 09, 2025, 20:08:24 »

All inline events, CSS and javascript removed. Even JQuery library modified in order to be compatible with strict CSP policies.

Recommended CSP policy for Elxis configuration (Elxis 5.6 or newer, make sure third party extensions are compatible):

default-src 'self'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'; img-src 'self' *.elxis.net data:;

Note: {nonce} get replaced automatically by elxisDocument with the corresponding value.

Elxis 4.x/5.x DEV / Elxis 5.6: Inline events removal

« Last post by datahell on August 01, 2025, 21:35:49 »

Inline javascript events get removed in order Elxis to work with strict CSP directives. Many files got modified for this purpose. Most probably not 100% of these events will be removed as they are too many. HTML and javascript get re-written. Even if some inline events get preserved these will not be of critical functionality and they will be removed on a later update.
Currently all frontend section and most of the backend has these inline events removed.

If CSP policy gets applied via Elxis configuration then all inline javascript, CSS and events stop working. This affects everything on the page, elxis build-in extensions, third-party extensions, html content from the editor, etc. This is why Elxis must be able to work under such strict security environment. If any problem arise then it will be on a third party extension (also require update).

Γενικά Θέματα για το Elxis CMS / Re: Link άρθρου στο messenger

« Last post by evkarab on July 31, 2025, 07:49:54 »

https://forum.elxis.org/index.php?topic=9173.msg58222#msg58222

Γενικά Θέματα για το Elxis CMS / Link άρθρου στο messenger

« Last post by eliasbou on July 30, 2025, 20:26:52 »

Καλησπέρα. Στην προσπάθεια να στείλω ένα Link ενός άρθρου στο messenger για εικόνα μου εμφανίζει πάντα την ελληνική σημαία, αλλάζει αυτό.

Elxis 4.x/5.x DEV / DeepL API 403

« Last post by seadhna on July 15, 2025, 21:47:39 »

Hi there,
I was able to use DeepL API translation but it doesn't seem to be working anymore, I have tested on several Elxis installations on different hosts.
I get a 403 authentication error.
I have tried with valid FREE and PRO API keys, but the same error. Google translate and MyMemory are working.
I'm wondering if anyone else has had the same problem, maybe something has changed on the DeepL side?

General / Re: XML parameter types - attribute to allow HTML tags?

« Last post by seadhna on July 15, 2025, 21:44:43 »

Ok, I have used some jQuery

100

Elxis 4.x/5.x DEV / Re: Upcoming Elxis 5.6 information

« Last post by seadhna on July 15, 2025, 21:43:47 »

That's great about the module ID!

Pages: 1 ... 8 9 [10]