Name                                          Modified    Size
13to14.zip                                    2025-05-30  2.5 MB
FlatPress 1.4 _Notturno_ source code.tar.gz   2025-05-30  3.8 MB
FlatPress 1.4 _Notturno_ source code.zip      2025-05-30  4.5 MB
README.md                                     2025-05-30  19.2 kB
Totals: 4 items, 10.8 MB

What's new?

The general look and feel of FlatPress 1.4 hasn't changed too much compared to 1.3 - it's all the small details that were improved:

  • With an updated Smarty template engine, FlatPress now supports PHP up to 8.4.
  • We fixed quite a lot of bugs and possible security issues (thanks to all the reporters!).
  • Numerous small enhancements made it into FlatPress, such as a freely choosable blog author name, the ability to change the Admin credentials more easily, or the removal of unwanted metadata from uploaded images.
  • Since the PhotoSwipe plugin became the default for displaying images, the old LightBox plugin was removed - you can still find it in our FlatPress Extras repository.
  • The newly added GDPR Video embed plugin provides a simple two-click solution for GDPR-compliant embedding of YouTube, Facebook and Vimeo videos.
  • We've added a Turkish translation, and improved other translations.

FlatPress 1.4 contains many other improvements, bugfixes and security fixes. See the detailed list below.

Installation

Download flatpress-1.4.zip and follow the easy installation steps documented on the FlatPress download page.

Update

To update from FlatPress 1.3 (or 1.3.1) to 1.4, please use the update package 13to14.zip.

Since FlatPress 1.4 changes the way it stores your authentication data compared to 1.3, updating is not just a matter of copying files this time. ⚠️ You'll also have to re-run the setup. ⚠️

  1. First, create a full backup of your blog. Don't skip that step, you'll need data from that backup in step 6. Also, this enables you to roll back your changes in case of errors.
  2. Unzip the update package and transfer its contents to your server. Overwrite existing files.
  3. Delete fp-content/%%setup.lock on your server.
  4. Run the FlatPress setup by pointing your browser to yourblog.com/setup.php. When asked for the admin user during setup, enter the user name, password, and email of your current admin user.
  5. When the setup is done, log in with your admin user.
  6. The setup set your configuration to default values (see the blog title, the theme etc.). Restore your config by copying the fp-content/config/ folder from your backup to the server. Overwrite existing files.
  7. The setup created a new "Welcome" entry. You may simply delete it.
  8. Finally, rebuild the index and the caches: Admin Area -> Maintain -> Rebuild index and Purge theme and templates cache

After updating as described, the FlatPress backend (Maintain -> Check for updates) displays "You have FlatPress version 1.4".

Detailed Changelog

General

  • The fixed "Stats" panel has been converted into a plugin (#363)
  • FlatPress anonymizes the IPv4 address of the visitor. IPv6 addresses are replaced by a hash. (#105)
  • The determination of the time format has been made more robust

Changes

  • Template engine:
    • Smarty updated to version 4.5.5 with PHP 8.4 support (#376, #390)
  • Login page:
    • Instructs search engines not to index the page (#450)
  • Admin area:
    • Optional natural sorting for static pages (Hidden improvement suggestion from NHWS)
    • The cache is automatically emptied when the theme or style is changed.
    • Setting permissions via the maintenance panel now takes all FlatPress files and directories into account. A distinction is made between content, core and other. (#502)
    • You can now change the admin password in the configuration menu or create another administrator (#516)
  • Added support for the webp image format. (#611)

Bugfixes

  • Contact form / comment function:
    • Entering the website is now correct without http(s):// (#419)
    • Compatibility to PHP with OPcache:
      • Positive feedback when the contact form or comment form has been sent correctly. (#420)
  • Atom feed: Fixes parsing error (#429)
  • Comment Atom feed: Fixed parsing error if the commenter had not specified a website. (#508)
  • Admin area:
    • Charset dropdown selection instead of an input field (#340)
    • The author entered in the configuration is now the author of the entries and static pages (#483)
    • Compatibility to PHP with OPcache:
      • Changes in input fields and drop-down menus are immediately reflected in the configuration panel. (#213, #244)
      • Activating or deactivating plugins is immediately reflected in the plugin management panel. (#213, #244)
    • OPcache is deactivated when the theme panel is called up so that newly activated themes or styles are displayed immediately. (#213, #244)
    • The validation of the standard format for date and time has been extended to include some Japanese characters. (hidden hint from NHWS) (RC1) (#531)
    • Theme or style thumbnails are displayed after permissions are restored (hidden hint from NHWS) (RC1) (#532)
    • When deactivating the last widget under PHP 8.4, the penultimate widget is only displayed once (RC1) (#555)
    • A defined HTML form and the id admin-{$panel}-{$subtab} is not output twice. (#613)

Security

  • The session cookies are now somewhat more secure against CSRF attacks. (#481)
  • BBcode, Cookiebanner and Emoticons plugin: removed unsafe href onclick HTML method (#422, #477)
  • BBcode, PhotoSwipe and Emoticons plugin: Scripts equipped with a nonce to enable stricter CSP (#422, #477)
  • E-mail function with header injection protection and rate limiting (#539)
  • CSRF protection added for the comment function (#534)
  • CSRF protection added for the contact form (#541)
  • Blocking of SQL injection patterns in the comment function and in the contact form (#534) Many thanks to Laborix for testing
  • Admin area login:
    • Allow admin login attempts only every 30 seconds to make brute force attacks more difficult. (#87)
    • CSRF protection added for the login page (#542)
    • The fp-user or fp-pass cookie is no longer set when logging in. Admin login and authentication via PHP sessions. (#488)
      When installing a release update package, previously saved login information becomes invalid due to the change from cookie authentication to session authentication! The user must be recreated by executing the setup - see FAQ.
  • Admin area:
    • PrettyURLs plugin: To edit the .htaccess file directly, the FlatPress Protect plugin option must first be activated. (#379)
    • Upload panel: More resistant to RCE attacks and traversal attacks (#451, #114)
      • Upload of hidden files is no longer possible. (#486)
    • Delete entry and delete static page are now more secure against XSS and CSRF attacks (#220)
    • Plugin management now more secure against XSS attacks (#220)
    • Widget management: Scripts equipped with a nonce to enable stricter CSP (#422, #477)
    • XSS vulnerabilities in the configuration menu -> International settings closed. (#487, #340)
    • Logout after one hour if inactive. (#488)
    • XSS vulnerability in the editor for static pages fixed. (#490)
    • Fixed disclosure of Exif metadata when uploading images. (#492)
    • Prevention of symlink attacks by checking the path when setting file and directory permissions (#502)
    • Removed an XSS vulnerability in the category management panel. (#574)

Plugins

Additions

  • GDPR Video embed: Simple two-click solution for GDPR-compliant embedding of YouTube, Facebook and Vimeo videos. (#260)

Reductions

Changes

  • SEO Meta Tag Info plugin: update to version 2.2.4
    • Integration of Open Graph tags (#366)
    • If an HTTP root directory is stored in the server configuration file and is not empty, a predefined robots.txt can be created and edited via the SEO panel in the admin area. (#427)
  • FavIcon plugin: update to version 1.1.0
    • Support for iOS Safari, Android Chrome, Windows 10 and Mac OS Safari added (#416, #428)
  • BBcode plugin: update to version 1.9.0
    • The editor toolbar can be deactivated again as in version 1.2.1 when using an alternative editor (e.g. Wysiwyg editor). (#436)
    • BBcode toolbar, if BBcode for comments is allowed (#437)
    • The fp-content/attachs directory is hidden if the file has been included with the URL tag (#443)
  • The Commentcenter plugin has been given a lower priority so that other comment filters (e.g. qspam) can do their work first. (#449)
  • PrettyURLs plugin: update to version 3.0.1
    • To prevent accidental changes to the .htaccess file, the creation or editing of this file must first be activated via the FlatPress Protect plugin (#477)
  • FlatPress Protect plugin: update to version 1.1.0
    • Insecure inline JavaScript is not executed by the visitor's browser by default. You can allow the execution of insecure JavaScript code if, for example, a plugin contains a script that is not equipped with a nonce. (#477)
    • It is also possible to enable/disable the htaccess edit field to create or edit the file in the PrettyURLs plugin without having to disable the FlatPress Protect plugin. (#477)
    • The removal of metadata when uploading images can be deactivated for better image quality. (#492)
  • Support plugin: update to version 1.1.0
    • The file and directory permissions are read for some outputs before a write test is performed. This leads to a more reliable indication of whether a file is writable or not. (#502)
  • LastComments plugin: update to version 1.1.1
    • Generates an RSS and Atom feed that displays the latest comments. (#509)
    • Output of comments in the widget without BBcode tags
  • Feed plugin: update to version 1.0.1
    • RSS image replaced with RSS icon (woff2) (#515)
  • Media Manager plugin and Gallery captions: update to version 1.0.1
    • Show image in a popup instead of in the same tab
  • jQuery plugin: update to Version 2.2.1
    • Updated jQuery and jQuery UI to their current versions
  • Thumbnails plugin: update to version 1.1.0
    • Added support for the webp image format. (#611)

Bugfixes

  • BBcode plugin: update to version 1.9.0
    • File or image selection possible after activating the option “Allow BBcode in comments” (#391)
    • BBcode creates a valid simple URL (#442)
    • Files and images are now sorted correctly alphabetically in the toolbar (#537)
  • DateChanger plugin: Update to version 1.0.6
    • Correct date format in the DateChanger toolbar for the languages Czech, English, Japanese and Russian. Hidden report by NHWS. Many thanks for testing to WineMan from the support forum
  • Calendar plugin: Update to version 1.2.0
    • Two new functions which only output a “Next” or “Previous” link if there is at least one entry in the month. (#128)
    • The “Next”, “Previous” and “Day” links now always contain a 4-digit year.
    • The set language is now taken into account when determining the first day of the week. (#73)
    • Links from single-digit months are now always two-digit.
  • BlockParser plugin: Update to version 1.0.1
    • Compatibility to PHP with OPcache:
      • The list of activated pages is displayed immediately after activation/deactivation. (#213, #244)
  • PhotoSwipe plugin: update to version 2.0.4
    • The overlay buttons are no longer displayed in the RSS and Atom feed. (#506)
    • External images are displayed correctly. (#520)
    • Correct grouping: Only images from the same gallery are taken into account.
    • It is ensured that the overlay structure is always in the DOM. (#572)
    • An image with a link can be created if the “Popup” parameter contains false. (#548)
      • Must be documented in the wiki
    • After closing the overlay, the page remains accessible for screen readers. (#622)
  • Media Manager plugin: update to version 1.0.1
    • Files and directories are sorted numerically, alphabetically. (#537)
  • SEO Meta Tag Info plugin: update to version 2.2.4
    • The determination of the page URL now also works if FlatPress is operated behind a load balancer or reverse proxy.
    • No hyphen after the blog title if there is no description for the entry
  • Commentcenter plugin: update to version 1.1.3
    • Deleting non-existent comments no longer leads to a fatal error (#593)

Security

  • SEO Meta Tag Info plugin:
    • Removed a cross-site scripting (XSS) vulnerability. (#491)
  • Gallery captions plugin:
    • Removed a cross-site scripting (XSS) vulnerability. (#574)

Setup

Bugfixes

  • The setup now also recognizes the browser language when using Firefox

Themes

  • The Leggero theme now also indicates that comment feeds can be subscribed to (#515)
  • Individual scrollbar for the Leggero v2 style
  • The Leggero v2 style now supports UltraWide monitors (#476)

Bugfixes

  • The link "Add comment" now leads to the comment form instead of jumping to top (#474)

Internationalization

  • Reworked translations: Japanese (Thanks to NHWS)
  • Month selection localized in the search form (#158)
  • Administration area: Optional localization for the description of themes and styles (#453)
  • Minor corrections to the Italian language pack. Grazie mille eagleman
  • Turkish language package by oldmouseclick
Source: README.md, updated 2025-05-30