Version 1.1.8 Basic Editor

.gitignore

@@ -1,12 +1,12 @@
 cache
-settings/settings.yaml
-settings/users
 plugins/admin
 plugins/demo
 plugins/disqus
 plugins/download
 plugins/finalwords
 plugins/version
+settings/settings.yaml
+settings/users
 system/vendor
 tests
 themes/monograf

cache/lastCache.txt

@@ -1 +1 @@
-1528305569
+1528305569

composer.lock

@@ -652,7 +652,7 @@
         },
         {
             "name": "symfony/event-dispatcher",
-            "version": "v3.4.10",
+            "version": "v3.4.11",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/event-dispatcher.git",
@@ -770,7 +770,7 @@
         },
         {
             "name": "symfony/yaml",
-            "version": "v2.8.40",
+            "version": "v2.8.41",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/yaml.git",

content/5_info/01-release-notes.md

@@ -2,6 +2,16 @@
 
 This is the version history with some release notes.
 
+## Version 1.1.7: Improved Session Management
+
+_Release date: 04.06.2018_
+
+**Please follow the instructions for minor updates** in the [documentation](/gettings-started/update). Please also update the Typemill theme.
+
+- URL to google sitemap is not displayed in settings.
+- Session Cookies are only set when authentication is required.
+- Added security headers for content security policy, refferers, strict transport.
+
 ## Version 1.1.6: Refactoring
 
 _Release date: 22.05.2018_

system/Controllers/Controller.php

@@ -26,12 +26,13 @@ abstract class Controller
 		
 		if($this->c->request->getUri()->getScheme() == 'https')
 		{
-			$response = $response->withAddedHeader('Strict-Transport-Security', 'max-age=63072000');			
+			$response = $response->withAddedHeader('Strict-Transport-Security', 'max-age=63072000');
 		}
 			
 		$response = $response->withAddedHeader('X-Content-Type-Options', 'nosniff');
 		$response = $response->withAddedHeader('X-Frame-Options', 'SAMEORIGIN');
 		$response = $response->withAddedHeader('X-XSS-Protection', '1;mode=block');
+		$response = $response->withAddedHeader('Referrer-Policy', 'no-referrer-when-downgrade');
 		
 		return $this->c->view->render($response, $route, $data);
 	}

system/Controllers/PageController.php

@@ -119,7 +119,7 @@ class PageController extends Controller
 		}
 		
 		$contentMD = $this->c->dispatcher->dispatch('onMarkdownLoaded', new OnMarkdownLoaded($contentMD))->getData();
-			
+				
 		/* initialize parsedown */
 		$parsedown 		= new ParsedownExtension();
 
@@ -133,16 +133,18 @@ class PageController extends Controller
 		/* parse markdown-content-array to content-string */
 		$contentHTML	= $parsedown->markup($contentArray);
 		$contentHTML 	= $this->c->dispatcher->dispatch('onHtmlLoaded', new OnHtmlLoaded($contentHTML))->getData();
+
+		/* extract the h1 headline*/
+		$contentParts	= explode("</h1>", $contentHTML);
+		$title			= isset($contentParts[0]) ? strip_tags($contentParts[0]) : $settings['title'];
+		
+		$contentHTML	=  isset($contentParts[1]) ? $contentParts[1] : $contentHTML;
 		
 		/* create excerpt from content */
 		$excerpt		= substr($contentHTML,0,500);
-		$excerpt		= explode("</h1>", $excerpt);
-		
-		/* extract title from excerpt */
-		$title			= isset($excerpt[0]) ? strip_tags($excerpt[0]) : $settings['title'];
 		
 		/* create description from excerpt */
-		$description	= isset($excerpt[1]) ? strip_tags($excerpt[1]) : false;
+		$description	= isset($excerpt) ? strip_tags($excerpt) : false;
 		if($description)
 		{
 			$description 	= trim(preg_replace('/\s+/', ' ', $description));
@@ -162,7 +164,7 @@ class PageController extends Controller
 				$firstImage = array('img_url' => $base_url . $img_url[1], 'img_alt' => $img_alt[1]);
 			}
 		}
-
+		
 		$route = empty($args) && $settings['startpage'] ? '/cover.twig' : '/index.twig';
 		
 		return $this->render($response, $route, array('navigation' => $structure, 'content' => $contentHTML, 'item' => $item, 'breadcrumb' => $breadcrumb, 'settings' => $settings, 'title' => $title, 'description' => $description, 'base_url' => $base_url, 'image' => $firstImage ));

system/Controllers/SettingsController.php

@@ -38,9 +38,17 @@ class SettingsController extends Controller
 		
 			if($newSettings)
 			{
-				$copyright 					= $this->getCopyright();
-				$newSettings['startpage'] 	= isset($newSettings['startpage']) ? true : false;
+				/* make sure only allowed fields are stored */
+				$newSettings = array(
+					'title' 	=> $newSettings['title'],
+					'author' 	=> $newSettings['author'],
+					'copyright' => $newSettings['copyright'],
+					'year'		=> $newSettings['year'],
+					'statpage' 	=> isset($newSettings['startpage']) ? true : false
+				);
 				
+				$copyright 					= $this->getCopyright();
+								
 				$validate->settings($newSettings, $copyright, 'settings');
 			}
 			
@@ -572,7 +580,7 @@ class SettingsController extends Controller
 			"None"
 		);
 	}
-	
+		
 	private function getLanguages()
 	{
 		return array(

system/Routes/Web.php

@@ -54,7 +54,14 @@ foreach($routes as $pluginRoute)
 	$route	= $pluginRoute['route'];
 	$class	= $pluginRoute['class'];
 
-	$app->{$method}($route, $class);
+	if(isset($pluginRoute['name']))
+	{
+		$app->{$method}($route, $class)->setName($pluginRoute['name']);
+	}
+	else
+	{
+		$app->{$method}($route, $class);
+	}
 }
 
 $app->get('/[{params:.*}]', PageController::class . ':index')->setName('home');

system/Settings.php

@@ -26,7 +26,7 @@ class Settings
 		
 		return [
 			'determineRouteBeforeAppMiddleware' 	=> true,
-			'displayErrorDetails' 					=> true,
+			'displayErrorDetails' 					=> false,
 			'title'									=> 'TYPEMILL',
 			'author'								=> 'Unknown',
 			'copyright'								=> 'Copyright',
@@ -43,7 +43,7 @@ class Settings
 			'contentFolder'							=> 'content',
 			'cache'									=> true,
 			'cachePath'								=> $rootPath . 'cache',
-			'version'								=> '1.1.6',
+			'version'								=> '1.1.7',
 			'setup'									=> true,
 			'welcome'								=> true
 		];

system/system.php

@@ -103,15 +103,15 @@ $container['assets'] = function($c)
 * 	DECIDE FOR SESSION	*
 ************************/
 
-$session_segments = array('setup/', 'tm/');
+$session_segments = array('setup', 'tm/', '/setup', '/tm/');
 $path = $container['request']->getUri()->getPath();
 $container['flash'] = false;
 $container['csrf'] = false;
 
 foreach($session_segments as $segment)
-{
+{	
 	if(substr( $path, 0, strlen($segment) ) === $segment)
-	{
+	{		
 		/* start a session */
 		ini_set( 'session.cookie_httponly', 1 );
 		ini_set('session.use_strict_mode', 1);
@@ -140,8 +140,6 @@ foreach($session_segments as $segment)
 		{
 			return new \Slim\Flash\Messages();
 		};
-				
-		break;
 	}
 }
 

themes/typemill/chapter.twig

@@ -8,6 +8,8 @@
 
 	{% endif %}
 	
+	<h1>{{ title }}</h1>
+	
 	{{ content }}
 
 </div>

themes/typemill/css/style.css

@@ -204,10 +204,6 @@ header p{
 	font-size: 2.5em; 
 	font-weight: 700;
 }
-.cover .lead{
-	font-size: 0.9em;
-	text-transform: uppercase;
-}
 .cover .lead a, a.readMore{
 	display: inline-block;
 	min-width: 100px;

themes/typemill/page.twig

@@ -3,10 +3,12 @@
 	<h1>{{ item.name }}</h1>
 
 {% endif %}
+
+<h1>{{ title }}</h1>
 	
 {{ content }}
 
-{% if settings.themes.typemill.modified %}	
+{% if settings.themes.typemill.modified %}
 	<p><small>{{ settings.themes.typemill.modifiedText }}: {{ item.modified|date(settings.themes.typemill.modifiedFormat) }}</small></p>
 {% endif %}
 

themes/typemill/typemill.yaml

@@ -1,5 +1,5 @@
 name: Typemill Theme
-version: 1.0.7
+version: 1.0.8
 description: The standard theme for Typemill. Responsive, minimal and without any dependencies. It uses the system fonts Calibri and Helvetica. No JavaScript is used. 
 author: Sebastian Schürmanns
 homepage: http://typemill.net