FlatPress 1.4 "Notturno" - Release Candidate 1

Pre-release
@azett azett released this 19 Jan 14:18
· 69 commits to master since this release
9f2489a

This is the first release candidate of FlatPress 1.4 "Notturno". If no further bugs are reported, this version will soon be released as the final version 1.4.

This is a release candidate. Although it's most likely what will become the final release, you may not want to use it on your production blog yet.

What's new?

The general look and feel of FlatPress 1.4 hasn't changed too much compared to 1.3 - it's all the small details that were improved:

  • With an updated Smarty template engine, FlatPress now supports PHP up to 8.4.
  • We fixed quite a lot of bugs and possible security issues (thanks to all the reporters!).
  • Numerous small enhancements made it into FlatPress, such as a freely choosable blog author name, the ability to change the Admin credentials more easily, or the removal of unwanted metadata from uploaded images.
  • Since the PhotoSwipe plugin became the default for displaying images, the old LightBox plugin was removed - you can still find it in our FlatPress Extras repository.
  • The newly added GDPR Video embed plugin provides a simple two-click solution for GDPR-compliant embedding of YouTube, Facebook and Vimeo videos.

FlatPress 1.4 contains many other improvements, bugfixes and security fixes. See the detailed list below.

Please help testing

If you happen to find the time, please help us with the last test before the final release. Try a fresh installation, or update a testing copy of your existing blog (see instructions below).
Please report any bugs and glitches on the FlatPress support forum. Thank you!

Installation

Download flatpress-1.4.rc1.zip and follow the easy installation steps documented on the FlatPress download page.

Update

To update from 1.3 (or 1.3.1) to 1.4 RC1, please use the update package 13to14rc1.zip.
The 1.3.1 update instructions on the FlatPress download page work for 1.4 as well.
Please back up your whole FlatPress directory before applying the update.

Detailed Changelog

General

  • The fixed "Stats" panel has been converted into a plugin (#363)
  • FlatPress anonymizes the IPv4 address of the visitor. IPv6 addresses are replaced by a hash. (#105)
  • The determination of the time format has been made more robust

Changes

  • Template engine:
    • Smarty updated to version 4.5.5 with PHP 8.4 support (#376, #390)
  • Login page:
    • Instructs search engines not to index the page (#450)
  • Admin area:
    • Optional natural sorting for static pages (Hidden improvement suggestion from NHWS)
    • The cache is automatically emptied when the theme or style is changed.
    • Setting permissions via the maintenance panel now takes all FlatPress files and directories into account. A distinction is made between content, core and other. (#502)
    • You can now change the admin password in the configuration menu or create another administrator (#516)

Bugfixes

  • Contact form / comment function:
    • Entering the website is now correct without http(s):// (#419)
    • Compatibility to PHP with OPcache:
      • Positive feedback when the contact form or comment form has been sent correctly. (#420)
  • Atom feed: Fixes parsing error (#429)
  • Comment Atom feed: Fixed parsing error if the commenter had not specified a website. (#508)
  • Admin area:
    • Charset dropdown selection instead of an input field (#340)
    • The author entered in the configuration is now the author of the entries and static pages (#483)
    • Compatibility to PHP with OPcache:
      • Changes in input fields and drop-down menus are immediately reflected in the configuration panel. (#213, #244)
      • Activating or deactivating plugins is immediately reflected in the plugin management panel. (#213, #244)
    • OPcache is deactivated when the theme panel is called up so that newly activated themes or styles are displayed immediately. (#213, #244)

Security

  • The session cookie is now somewhat more secure against CSRF attacks. (#481)
  • BBcode, Cookiebanner and Emoticons plugin: removed unsafe href onclick HTML method (#422, #477)
  • BBcode, PhotoSwipe and Emoticons plugin: Scripts equipped with a nonce to enable stricter CSP (#422, #477)
  • Admin area login:
    • Allow admin login attempts only every 30 seconds to make brute force attacks more difficult. (#87)
    • The fp-user or fp-pass cookie is no longer set when logging in. Admin login and authentication now use PHP sessions. (#488)
      When installing a release update package, previously saved login information becomes invalid due to the change from cookie authentication to session authentication! The user must be recreated by executing the setup - see FAQ.
  • Admin area:
    • PrettyURLs plugin: To edit the .htaccess file directly, the FlatPress Protect plugin option must first be activated. (#379)
    • Upload panel: More resistant to RCE attacks and traversal attacks (#451, #114)
      • Upload of hidden files is no longer possible. (#486)
    • Delete entry and delete static page are now more secure against XSS and CSRF attacks (#220)
    • Plugin management now more secure against XSS attacks (#220)
    • Widget management: Scripts equipped with a nonce to enable stricter CSP (#422, #477)
    • XSS vulnerabilities in the configuration menu -> International settings closed. (#487, #340)
    • Logout after one hour if inactive. (#488)
    • XSS vulnerability in the editor for static pages fixed. (#490)
    • Fixed disclosure of Exif metadata when uploading images. (#492)
    • Prevention of symlink attacks by checking the path when setting file and directory permissions (#502)

Plugins

Additions

  • GDPR Video embed: Simple two-click solution for GDPR-compliant embedding of YouTube, Facebook and Vimeo videos. (#260)

Reductions

Changes

  • SEO Meta Tag Info plugin: update to version 2.2.4
    • Integration of Open Graph tags (#366)
    • If an HTTP root directory is stored in the server configuration file and is not empty, a predefined robots.txt can be created and edited via the SEO panel in the admin area. (#427)
  • FavIcon plugin: update to version 1.1.0
    • Support for iOS Safari, Android Chrome, Windows 10 and Mac OS Safari added (#416, #428)
  • BBcode plugin: update to version 1.9.0
    • The editor toolbar can be deactivated again as in version 1.2.1 when using an alternative editor (e.g. Wysiwyg editor). (#436)
    • BBcode toolbar, if BBcode for comments is allowed (#437)
    • The fp-content/attachs directory is hidden if the file has been included with the URL tag (#443)
  • The Commentcenter plugin has been given a lower priority so that other comment filters (e.g. qspam) can do their work first. (#449)
  • PrettyURLs plugin: update to version 3.0.1
    • To prevent accidental changes to the .htaccess file, the creation or editing of this file must first be activated via the FlatPress Protect plugin (#477)
  • FlatPress Protect plugin: update to version 1.1.0
    • Insecure inline JavaScript is not executed by the visitor's browser by default. You can allow the execution of insecure JavaScript if, for example, a plugin contains a script that is not equipped with a nonce. (#477)
    • It is also possible to enable/disable the htaccess edit field to create or edit the file in the PrettyURLs plugin without having to disable the FlatPress Protect plugin. (#477)
    • The removal of metadata when uploading images can be deactivated for better image quality. (#492)
  • Support plugin: update to version 1.1.0
    • The file and directory permissions are read for some outputs before a write test is performed. This leads to a more reliable indication of whether a file is writable or not. (#502)
  • LastComments plugin: update to version 1.1.1
    • Generates an RSS and Atom feed that displays the latest comments. (#509)
    • Output of comments in the widget without BBcode tags
  • Feed plugin: update to version 1.0.1
    • RSS image replaced with RSS icon (woff2) (#515)

Bugfixes

  • BBcode plugin: update to version 1.9.0
    • File or image selection possible after activating the “Allow BBcode in comments” option (#391)
    • BBcode creates a valid simple URL (#442)
  • DateChanger plugin: Update to version 1.0.6
    • Correct date format in the DateChanger toolbar for the languages Czech, English, Japanese and Russian. Hidden report from NHWS. Many thanks to WineMan from the support forum for testing.
  • Calendar plugin: Update to version 1.2.0
    • Two new functions which only output a “Next” or “Previous” link if there is at least one entry in the month. (#128)
    • The “Next”, “Previous” and “Day” links now always contain a 4-digit year.
    • The set language is now taken into account when determining the first day of the week. (#73)
    • Links from single-digit months are now always two-digit.
  • BlockParser plugin: Update to version 1.0.1
    • Compatibility to PHP with OPcache:
      • The list of activated pages is displayed immediately after activation/deactivation. (#213, #244)
  • PhotoSwipe plugin: update to version 2.0.2
    • The overlay buttons are no longer displayed in the RSS and Atom feed. (#506)
    • External images are displayed correctly. (#520)

Security

  • SEO Meta Tag Info plugin:
    • Removes a Cross-Site Scripting (XSS) vulnerability (#491)

Setup

Bugfixes

  • The setup now also recognizes the browser language when using Firefox

Themes

  • The Leggero theme now also indicates that comment feeds can be subscribed to (#515)
  • Individual scrollbar for the Leggero v2 style
  • The Leggero v2 style now supports UltraWide monitors (#476)

Bugfixes

  • The link "Add comment" now leads to the comment form instead of jumping to top (#474)

Internationalization

  • Reworked translations: Japanese (Thanks to NHWS)
  • Month selection localized in the search form (#158)
  • Administration area: Optional localization for the description of themes and styles (#453)