Time to upgrade - SCHLIX CMS v2.2.2 has been released (now compatible with PHP 7.3 and 7.4)

SCHLIX CMS v2.2.2 has been released and it is now compatible with PHP 7.3 and 7.4. With this change, SCHLIX CMS is now compatible with PHP 5.6, 7.0, 7.1, 7.2 and 7.3. Other notable changes include the newly included newspaper theme. The previously included company profile theme still exists. You can check the demo (frontend only) at

Note to packagers: since it now comes with 3 sample data sets (newspaper, company profile, blank company profile), the parameter for automated installation has been changed. Please refer to the following article:

If you have any questions, just head to the forum!

Newspaper CMS

6th revision for SCHLIX CMS v2.2.1 has been released

Today we've released the 6th revision for SCHLIX CMS v2.2.1. This should be the final release for 2019. Happy New Year 2020 and we'll catch up with you next year with new e-commerce extensions and other goodies.

List of all revisions for SCHLIX CMS v2.2.1-x:

  • Errata #6: Updated typo in the automated installer (not regular installer) for the email address input.
  • Errata #5: Updated Google Analytics block, fixed installer and site manager PHP version detection and backslash escape function, minor correction for gallery package name (comment only), HTML encoding issue for SCHLIX_SITE_NAME in the default theme.
  • Errata #4: Blog category may not appear on the backend during new item creation (Nov 12, 2019)
  • Errata #4: UI layout was incorrect for the password reset form, removed the inner row/column
  • Errata #4: File type check for media manager upload
  • Errata #4: Fixed zh-CN (simplified Chinese) translations
  • Errata #3: fixed layout where the treeview on the left has many items exceeding the browser's viewport. The left column has a scrollbar now and the tag has been changed to the default div. This actually caused an extra scrollbar to be displayed on Firefox and it is a known issue. Fixed blog primary category not being updated after the document has been saved.
  • Errata #2 - fixed Fontawesome 5 iconpicker that caused an icon to be generated when saving a menu item.

CVE-2019-11021 for older SCHLIX CMS v2.1.8-7 (November 2018)

Regarding CVE-2019-11021 for the older SCHLIX CMS v2.1.8-7 (November 2018, last year), which claimed that "admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Authenticated Unrestricted File Upload, leading to remote code execution.", the analysis also needs to mention that a user who can access the admin area requires elevated superuser permission (the user must belong to [Administrators]) before he/she can upload the PHP file. We also allow uploading of zipped PHP scripts to install extensions, by the way, and that is still the case even in 2.2.x.

While inadvertently allowing a PHP file to be uploaded via Media Manager was an oversight, it still requires admin permission. We think it's pretty rare for an administrator to exploit a bug on his/her own site to own his/her own site.

It's best for security researchers to contact us first to validate a vulnerability before publishing it. Regardless, we still thank them for the effort.

For SCHLIX CMS users, simply click Settings - System Update to keep your system secure all the time. Also, subscribe to this RSS news feed for the latest news including security related advisories.

SCHLIX CMS v2.2.1 with Extension Gallery has been released

SCHLIX CMS v2.2.1 has been released with an integrated Extension Gallery (App Store) where you can download extensions directly from the CMS without having to manually download them from our Extension Directory. We also now welcome publishers who'd like to showcase their work and be linked from our website. The first phase, which lasts until end of December 2020, will be open for open source extensions, with commercial offerings planned to open in January 2021.

Other notable changes include:

  • Installation/removal of extensions now requires the administrator password
  • Automated installer bug fix - missed 1 parameter during config file generation
  • French translation bug fix
  • Font Awesome Free has been updated to v5.11.2
  • Change email and change password dialog under Users administration have been improved with better user interface
  • Inclusion of manual_upgrade.php for manual upgrade in a more restricted hosting environment or if the automated upgrade fails for any reason

Download it here.

CentOS 8 - compatible with SCHLIX CMS v2.2.x

CentOS 8 was released yesterday. We've tested it and the new SCHLIX CMS v2.2.x series works out of the box (including with the new MySQL 8.0) with only minimal changes to the default configuration. Check out the CentOS 8 LAMP server installation guide for SCHLIX CMS.

Extension Gallery - a marketplace for web design agencies/freelance PHP developers

In mid-October, we will release a new SCHLIX CMS version 2.2.1-x with a new marketplace integration application called Extension Gallery. With the new Extension Gallery, website owners can easily install/uninstall extensions without having to download a ZIP file manually from our current Extension Gallery. If you're a PHP web agency or a PHP freelance developer, you can submit a SCHLIX CMS plugin (application/block/macro) and get more exposure. It's free and this is a great opportunity to showcase your solutions. Both commercial and open source extensions are accepted.

The extension submission process is already open and we're hoping to get more developers to use SCHLIX CMS.

Sample screenshots:

SCHLIX Extension Gallery - Preview

Social Media Extensions

New 2.2.x series - SCHLIX CMS v2.2.0-1 has been released

SCHLIX CMS v2.2.0-1 has been released, marking the new v2.2.x series. It is considered a significant change from the previous v2.1.x series as many internals have been updated. The 2.2.x series is a transitional release, ensuring backward compatibility with earlier versions of plugins developed for SCHLIX CMS.

Highlight of new features

Custom header image

Previously, designers had to rely on using either a macro or a custom code to insert an expanded banner/header image above the content. This was cumbersome as a slight change to the HTML code means that the content items need to be updated individually. In the new v2.2.x series, they can do it easily by simply choosing to upload a custom media header and any change to the HTML tag can simply be performed in the template itself. Please have a look at the code comments inside the newly included companyprofile theme.

Custom header banner image

The following is a screenshot of the editor page where you can easily change the header image. You can configure the width, height and quality from Settings - Custom Header.

Sample header image

To enable this feature in your own application, simply specify the following code in the constructor:

$this->has_versioning = true;

Spell Checker

We have added a spell checker functionality.

Spell Checker

It's still in BETA mode, so you will have to manually enable it from Settings - Editor Manager.

TinyMCE 4 Spell Checker

Custom Field

You can now specify a custom field to be used in many applications. This is useful when you need to add a field to a contact form, etc. We're currently still testing this feature and will enable this feature on other applications as well. Please note that all custom fields will have the xcf_ prefix in the actual database. In your view template, you can simply output it manually. For example:

<?php /* Custom field columns carry the xcf_ prefix in the database */ ?>
<?php $custom_fields = $this->getItemCustomFields(); ?>
<?php foreach ($custom_fields as $cf): ?>
<?php $field_name = 'xcf_'.$cf['field_name']; $field_label = $cf['field_label']; ?>
<div class="contacts_info_label custom_field">
   <i class="fa fa-file"></i>
   <?= ___h($item[$field_name]); ?>
</div>
<?php endforeach; ?>

To enable this feature in your own application, simply specify the following code in your view.admin.template.php file:

<x-ui:schlix-explorer-menu-command data-schlix-command="custom-table-config" data-custom-table="gk_contact_items" fonticon="fas fa-terminal" label="<?= ___('Custom table fields: Contact') ?>" />

<x-ui:schlix-explorer-menu-command data-schlix-command="custom-table-config" data-custom-table="gk_contact_messages"  fonticon="fas fa-terminal" label="<?= ___('Custom table fields: Messages') ?>" />

Custom Field 1

Screenshot of the edit function:

Custom Field 2

Screenshot of backend editor with a custom field:

Custom Field 3


You can now extend an application's functionality from another class (e.g. on the custom field function). Simply create a function with the hook_ prefix and it will be executed.

Hook example

To create an application that calls a hook function, simply call \SCHLIX\cmsHooks::execute( ... ). We will write documentation on this later.

X-UI tags

We have now switched to a framework-independent X-UI tag to future-proof our CMS. We used to heavily depend on Bootstrap 3, but as we realized

 <x-ui:schlix-multi-source-media-uploader data-field="url_media_file" name="image_file" id="image_file" data-dir-key="image_medium" accept="image/png, image/jpeg, image/gif" data-disable-option-existing-file="true" data-disable-option-none="true" data-allow-url-variable-dimension="true" data-preview-width="<?= $preview_width ?>" data-preview-height="<?= $preview_height ?>" />

Simple examples:

<x-ui:textbox id="meta_description" name="meta_description"  data-field="meta_description" label="<?= ___('Meta Description') ?>" />

<x-ui:schlix-tab id="tab_content" fonticon="far fa-file-alt" label="<?= ___('Content') ?>">
 Tab content
</x-ui:schlix-tab>

GDPR (Personal Data Request)

We have provided basic functionality for user data request. This application is disabled by default upon installation & upgrade.


  • Additional 6 new languages (Georgian, Kazakh, Mongolian, Arabic, Hebrew, Persian) have been added.
  • You can now change the theme colour of the backend. This is useful especially if you need to open different SCHLIX CMS sites.
  • You can specify whether the frontend uses Bootstrap 3 or 4. We will also expand the functionality to include other CSS frameworks such as Bulma and Zurb Foundation.
  • If you need your site to be online but invisible to search engines during development, you can set its visibility to hidden and turn it back on when needed.

SCHLIX v2.2.x - global configuration

Backward incompatible changes

If you have installed an application and you have the following lines in the *.admin.class.php onModifyDataBeforeSaveItem or onModifyDataBeforeSaveCategory, please either comment them out or simply delete them. You have until the end of December 2021 before this backward compatibility is removed.

/* NO LONGER NEEDED AS OF 2.2.0 - please remove these lines completely or comment them out */
if ($datavalues['permission_read_everyone'])
    $datavalues['permission_read'] = 'everyone';
$datavalues['permission_read'] = serialize($datavalues['permission_read']);
$datavalues['permission_write'] = serialize($datavalues['permission_write']);

Download and read the full change log now.

SCHLIX CMS v2.1.9-0 with a revamped admin interface

SCHLIX CMS v2.1.9-0 has been released. A couple of notable changes:

  • Revamped admin interface for better editing experience. Quite a few of our users commented last year that the dark interface made it harder to read and navigate on the backend. We've restored the original theme and provided a new styling as well. We will make the dark theme a configurable option later.
  • Free map hosting for the Contacts application. If you are a web design agency or even just a regular user who can't pay hundreds of dollars in Google Maps billing, we've replaced Google Maps with OpenStreetMap, hosted on our own tile server, with CDN delivery to ensure a fast browsing experience across different geographic regions. You don't need to enter a Google Maps API key anymore in the Contacts application. Since this took quite some effort to implement, we've pushed back other features that we promised earlier. If you have any extensions that require a mapping solution, you can use our server for free as long as your website is implemented with SCHLIX CMS and the load requirement is reasonable.

SCHLIX CMS v2.1.9-0

If you have any questions, please post your question in the forum.

SCHLIX CMS v2.1.8-1 has been released

SCHLIX CMS v2.1.8-1 has been released. We have added a few new security features in this release. When you log in to the backend, the system will perform the following checks:

  • Possible malicious users (only for sites with registration enabled) including their IP address.
  • Possible malicious files (e.g. PHP script uploaded to image folder)
  • List of all world writable files and directories

The system will then attempt to fix them automatically and the report can be downloaded from /web/[your-website-name]/data/private/quarantine. This folder is inaccessible from the user's browser and the content must be manually downloaded via SFTP or FTP.
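The second and third checks in the list above can also be run independently of the CMS. The following is an added example, not SCHLIX's own scanner: it assumes uploads live under a directory named `media` (a hypothetical layout) and runs against a constructed sample tree.

```python
import os
import stat
import tempfile

# Assumption: extensions the web server may hand to PHP; match this to your handler config.
SCRIPT_EXTS = {"php", "phtml", "phar", "php5", "php7", "pht"}


def looks_like_script(path, name):
    # Every dot-separated part counts: "x.php.jpg" can still execute under some handler configs.
    by_name = any(part in SCRIPT_EXTS for part in name.lower().split(".")[1:])
    with open(path, "rb") as fh:  # a PHP open tag inside an "image" is suspicious by itself
        return by_name or b"<?php" in fh.read(1 << 20)


def scan_tree(root, media_dirs=("media",)):
    """Return (scripts_in_media, world_writable) as sorted paths relative to root."""
    scripts, writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_media = any(rel_dir == m or rel_dir.startswith(m + os.sep) for m in media_dirs)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: symlinks are never followed
            rel = os.path.relpath(path, root)
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                writable.append(rel)
            if in_media and stat.S_ISREG(mode) and looks_like_script(path, name):
                scripts.append(rel)
    return sorted(scripts), sorted(writable)


def demo():
    samples = {  # relative path -> (content, mode); all constructed for this example
        "media/images/logo.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, 0o666),
        "media/images/shell.php": (b"<?php echo 1;", 0o644),
        "media/images/avatar.php.jpg": (b"\xff\xd8\xff\xe0", 0o644),
        "media/images/banner.gif": (b"GIF89a<?php echo 1; ?>", 0o644),
        "apps/index.php": (b"<?php // application code belongs here", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for d in ("media", "media/images", "apps"):
            os.mkdir(os.path.join(root, d), 0o755)
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return scan_tree(root)
```

Searching only for the `<?php` open tag keeps false positives on binary image data low; short tags such as `<?=` are deliberately not matched here.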

Note: a v2.1.8-2 release fixed the false positives and a System Updater user interface issue, where the automated security check ran immediately after the upgrade and caused a JSON error. If you've upgraded to v2.1.8-1 and got an error message right after the upgrade, you can ignore that error.

SCHLIX CMS v2.1.8-0 has been released

SCHLIX CMS v2.1.8-0 has been released. This is a maintenance only release with the following changes:

  • Updated: JQuery 3.2.x to 3.3.1
  • Updated: Font Awesome 4.7 to 5.2.0 (free) with adblock compatibility
  • Updated: TinyMCE 4.8.2
  • Updated: PHPMailer 6.0.5
  • Updated: Bootstrap 3 update (now compatible with JQuery 3.x). We're still working on Bootstrap 4 update
  • Fixed: Applications derived from cmsApplication_Basic were missing the title during install
  • Fixed: Block instance configuration was being saved incorrectly if the title was not all in lowercase or contained non-ASCII characters
  • Fixed: Forgot password link on HTTPS website didn't display for the full URL
  • Fixed: Menu editor (backend) duplicate tree child item when clicking View a specific item/category
  • Fixed: Compatibility with PHP 7.2
  • Enhancement: The method \SCHLIX\cmsPageOutput::HTMLHeader() can now be split into \SCHLIX\cmsPageOutput::HTMLHeaderNonScript() and \SCHLIX\cmsPageOutput::HTMLFooterScripts(). See the samplemagazine theme for more info

We realized that we're a bit behind in terms of the promised e-commerce implementation. Please note that the following is still in the works: Google Maps replacement, UTF8MB4 conversion (currently still using UTF8), GDPR and new Google Analytics tag.