🎉 The FlatPress project is celebrating its 20th anniversary! 🎂
As a little gift, we present you with the release FlatPress 1.5 "Stringendo". 🎁
What's new?
- Thanks to clever caching methods and some tweaks here and there, FlatPress is faster than ever - especially with huge numbers of entries and comments.
- With an updated Smarty template engine, FlatPress now supports PHP up to 8.5.
- Finally, FlatPress has a multi-file uploader, and the widget panel has been reworked.
- SEO of the PrettyURLs plugin has been improved.
- Basque translation was added.
- We fixed quite a lot of bugs and possible security issues (thanks to all the reporters!).
- Don't forget to check out the fresh new "Stringendo" style of the Leggero theme!
The new FlatPress version contains many other improvements, bugfixes and security fixes. See the detailed list below.
Installation
Download flatpress-1.5.zip and follow the easy installation steps documented on the FlatPress download page.
Update
Please backup your whole FlatPress directory before applying the update.
After updating, the FlatPress backend (Maintain -> Check for updates) displays "You have FlatPress version 1.5".
Update packages contain just the files that have changed since the previous version.
From 1.4 to 1.5
To update from FlatPress 1.4 (or 1.4.1) to 1.5, please use the update package 14to15.zip.
For detailled update instructions, please refer to chapter "From FlatPress 1.4 'Notturno'" of the upgrade guide.
From 1.3 to 1.5
To update from FlatPress 1.3 (or 1.3.1) to 1.5, please use the update package 13to15.zip.
You'll have to re-run the setup! For detailled update instructions, please refer to chapter "From FlatPress 1.3 'Andante'" of the upgrade guide.
Detailed Changelog
Changed requirements
- FlatPress 1.5 runs under PHP up to 8.5; minimum required PHP version increases to 7.2.
General
Security
- Detection of an HTTP/HTTPS connection
is_https() is significantly more reliable and less susceptible to spoofing. Improved detection for public proxies/CDNs, including Azure and Cloudflare. (#672)
- After completing the setup, hide setup entry points. If this is not possible, a warning will appear in the admin area. (#799)
- Reflected XSS and host-based URL poisoning / open redirect fixed. (#830, #831, #832, #833, #836)
Note: FlatPress is no longer accessible via HTTP and HTTPS, but only via the URL stored in the configuration. If HTTPS is stored in the configuration, HTTP requests are redirected to HTTPS.
- Hardening against splitting HTTP responses using CRLF injection. (#834)
Bugfixes
- Correct output when a historical character set encoding is set. (#670)
- If
$_SERVER ['HTTPS'] = off is set in the web server, an HTTP connection is now correctly recognized. (#671)
theme_style_exists() now returns '' if the style directory is missing. Previously, the theme root was returned incorrectly. (#678)- Fixes the display of orphaned widgets when a plugin has been deactivated and prevents duplicate or missing widget outputs, so that only widgets from active plugins are output. (#726)
- Fixes a PHP warning
expects parameter 3 to be integer, array given under PHP 7.2 when the admin logs out. (#774)
- A problem with setting file and directory permissions that occurred with shared web hosts has been fixed. Many thanks to @RainerBielefeld and Lubomír Ludvík.
- A missing multibyte extension no longer causes fatal errors when calling feeds. (#790)
Plugins
Changes
- Archives plugin: update to version 1.1.1
- Toggles in Themes, based on FlatMaas 2 by Drudo
- Added request-local and APCu caching. (#679)
- Newsletter plugin: update to version 1.7.3
- Unwanted requests and bots are now intercepted more effectively: Suspicious IP addresses are automatically added to a block list, which is cleaned daily.
- Email addresses are now checked much more thoroughly – including domain and server checks – to detect typos, invalid, or undeliverable addresses.
- An up-to-date list of disposable email domains is automatically downloaded from GitHub once a month and integrated, so that disposable addresses are rejected immediately and removed from the subscriber list.
- In addition, the plugin limits the number of login attempts per IP and sorts out incorrect addresses before they are sent, ensuring that the newsletter is reliably delivered only to valid recipients.
- Even more against race conditions
- Batch shipping shows shipping status (#649)
- The mail function covers most shared hosting restrictions, e.g. at milesweb.com (#784)
- FlatPress Protect plugin: update to version 1.2.1
- iFrames can only be embedded from the same domain, unless explicitly enabled.
- If the GDPR Video embed plugin is active, YouTube, Vimeo, and Facebook videos can still be embedded. (#778)
- It is now possible to change the idle timeout for admin sessions. (#693)
- The upload of SVG files can be allowed. (#771)
- BBCode plugin: update to version 2.0.0
- Memoization and optional APCu caches added (#680)
- Font button added (#689)
- BBcode toolbar gallery selection added (#714)
- Stats plugin to Storage plugin:
- The stats plugin has been renamed as part of the modernization and can be found in the uploader submenu (#363)
- Free/used web space is displayed.
- The storage space used by images and files is displayed.
- APCu support has been added for optimal performance
- The 10 most commented posts are only displayed if the Postviews plugin is active
- A slightly more modern, responsive design
- Media Manager plugin: update to version 2.0.0 (#685)
- Preview images on mouseover (#732)
- The folder icon now indicates whether the gallery or a single image in the directory is used in entries or not
- Performance:
- (initial call, root view): Entry scan reduced from 2× to 1×
- No entry reads for subsequent calls.
- PrettyURLs plugin: update to version 3.0.2
- Added request-local and APCu caching. (#690)
- A green hook indicates the best automatically determined mode.
- Modes that are not supported by the web server are grayed out.
- If Pretty is saved in the configuration but is not supported, downgrade to one of the remaining modes.
- Pretty URLs for static pages and feed URLs.
- Pretty URLs for the RSS and Atom feeds of the LastComment plugin.
- Mixed-mode URLs are redirected to the correct URL to improve search engine rankings.
- Calendar plugin: update to version 1.2.1
- Optional APCu support with file fallback added (#694)
- Emoticons plugin: update to version 1.1.3
- New filter that converts Markdown emoticons in entry titles and static page titles to utf-8 emoticons. (#781)
- PhotoSwipe plugin update to version 2.0.5
- Outputting galleries to RSS feeds is possible again (#809)
Bugfixes
- Newsletter plugin: update to version 1.7.3
- Fixes "Invalid CSRF token" when the widget is visible in the admin area footer.
- Seo Metatag Info plugin: update to version 2.2.5
- Fixed: Theme without style causes PHP warning
- Preview image is reliably displayed in social media posts (#841)
- Support plugin: update to version 1.1.1
- Fixed: Theme without style causes PHP warning
- mbstring query for Smarty 5 added
- Media Manager plugin: update to version 2.0.0
- Fix Media Manager usage detection for images in subfolders and galleries. (#547)
- When entering a gallery name, spaces are converted to underscores for later processing. (#837)
- PrettyURLs plugin: update to version 3.0.2
- Unified 301 canonical redirect for plain
?entry=<id> and plain ?x=entry:<id>. (#104)
- Unified 301 canonical redirect for plain
?page=<id>, ?page<n>and x=feed:<rss2|atom>. (#93)
- Unified 301 canonical redirect for plain
?x=cat:<n>. (#709)
- Fixes Deprecated:
strpos(): Passing null to parameter #1 ($haystack) of type string.
- Calendar plugin: update to version 1.2.1
- The link "Previous month with entries" now also works if there are no entries in the previous month.
- GDPR Video embed: update to version 1.1.1
- An issue in the French and Italian language files that prevented the JS from loading has been fixed. Thank you for reporting the issue to macadoum from the support forum.
- QuickSpamFilter plugin update to version 3.5.2
- Set default bad words are now visible to the admin
- In addition to
[url and href, generic URLs are now also blocked by default. Thank you for reporting the issue to macadoum from the support forum.
- BBCode plugin update to version 2.0.0
- Sorted/unsorted lists are displayed correctly in comments. (#762)
- No encoding of HTML entities within the BBCode code tag. (#822)
- FavIcon plugin update to version 1.1.1
- Optional FlatPress app installation for Android/iOS from shared web hosts stabilized. (#788)
- PhotoSwipe plugin update to version 2.0.5
- Performance violation after opening the overlay in Chrome-based browsers fixed. (#794)
getimagesize() is no longer called for external images. (#796)- No double cleansing in image title. (#802)
- Gallery captions plugin update to version 1.02
- The & character is displayed correctly in the image title. (#802)
Themes
Changes
- Added edit button comment admin controls
- Leggero theme:
- If a SEO metatag description of the post is available, it will be displayed as an introduction to the post. @wjar forum entry
- Modern, responsive style with an energetic "Stringendo" accent palette added (#810)
- Description of the theme and styles revised
- No ghost buttons if
{nextpage} and {prevpage} are empty. (#821)
Bugfixes
- Leggero theme:
- After a fresh installation, the correct time format is now displayed instead of the default format
%b %e, %Y. (#662)
Internationalization
