• PHP version 8.2, 8.3 and 5.6 compatibility fixes. It's still compatible with PHP 7.x as well. Please note that while we try to maintain compatibility even with PHP 5.6 (which was released 10 years ago in 2014), may not be guaranteed to be v5.6 compatible next year.
• Fix for a low-risk SQL injection bug in the Configuration section. Thanks to devious.ch for reporting this. This is considered lower risk as it still requires an administrator privilege to execute it.
• JQuery - updated to v3.7.1
• PHPMailer - updated to v6.9.1

To upgrade your existing installation, simply click Settings - System Update.

1. You need an admin access and his proof of concept didn't demonstrate any unauthorized access to the Theme Manager within SCHLIX CMS.
2. If you write a piece of code in the theme's index.php (e.g. system($_GET['tristao']) ) and upload it, of course you can execute it. In any PHP-based CMS where PHP code is allowed in the theme, you can write anything you want, including system ("rm -rf /") and this is NOT AN ERROR and there is NO UNEXPECTED BEHAVIOUR. You can test this with other PHP-based CMS such as Wordpress, Joomla, or Drupal and the behaviour is identical and this is NOT a vulnerability. If you want to disable a certain PHP function deemed dangerous, do it with disable_functions in php.ini.
3. There is already a warning in the upload form that you should upload only from a trusted source. We're not responsible for any vulnerability caused by 3rd party plugins. See the second screenshot below.

Francisco's proof of concept, as described in https://github.com/tristao-marinho/CVE-2022-45544/blob/main/README.md and https://www.youtube.com/watch?v=_0X6AzXmhrU, is as follows:

1. Login with your account
2. Access the directory in url http://[examplewebsite].com/admin/app/core.thememanager
3. Download theme Superhero in https://www.schlix.com/extensions.releases/action/download/filename/theme_superhero-1.1.zip
4. Unzip theme_superhero-1.1.zip
5. Edit file in path superhero/themes/superhero/index.php, adding "system($_GET['tristao']);" on line three.
   • Our response: You can add any code here because it's a PHP script. You can execute system ("rm -rf /") or whatever and it will call the system(...) function unless you disable it via php.ini. 
     
     
6. Zip theme_superhero-1.1.zip
7. Click in "INSTALL A PACKAGE"
   • Our response: It prompts for the admin password again and there is a warning to upload files only from a trusted source and that we're not responsible for any security vulnerability caused by 3rd party plugins. This is why we put the warning here. People who have access to this are usually web developers who know what they're doing.
     
     
8. Upload theme_superhero-1.1.zip
9. Active theme superhero
10. Acess homepage index.php
    Our response: You are an admin of this website and you put an arbitrary code in the theme file, which is index.php, and you should be able to execute it. This behaviour is the same whether you use Wordpress, Drupal, Joomla, or SCHLIX CMS.
    

Not only the analysis is faulty and demonstrated a lack of due dilligence and programming knowledge on the so called "pentester" part, we weren't even contacted to verify his claim, which is usually the standard procedure for reporting a vulnerability. We have dealt with much more professional and knowledgable individuals in the past and we will acknowledge if there is a vulnerability, but Francisco's analysis for CVE-2022-45544 is completely faulty.

It's best for security researchers to contact us first to validate a vulnerability before publishing it.

• License has been changed to GPLv3
• Fixed a few PHP 8.1 compatibility issues
• JQuery, PHPMailer and HTMLPurifier have been updated to the latest version
• A few bug fixes

With the v2.2.6 release, the core SCHLIX content management system will be compatible with PHP from version 5.6 to 8.0. However, this may not always be the case with its add-ons (especially if it uses composer), which are not always developed in house.

There could a secondary compatibility release in February or March once we've completed further testing with the next release of PHP 8.0.x. The main issue for the current PHP version (8.0.0) is the incompatibility if the JIT is enabled (off by default). Please note that during our testing, we encountered segmentation fault as described in https://bugs.php.net/bug.php?id=80480. Other than this issue, everything else seems to works.

• New constant SCHLIX_DEFAULT_CA_BUNDLE containing the path location /system/libs/data/ca-bundle/ca-bundle.pem, which is the most up-to-date certificate authority bundle file in the current release. This is necessary as the default file location varies among different operating systems. This is also needed for some of the shipping & payment plugins of Shoperatus.
• Support for Samesite Cookie = None for different browsers
• A more descriptive error for session timeout for AJAX requests
• Fixed: SMTP settings error when changing the SSL option in Site Manager
• Fixed: Initial menu base path settings
• Updated - CKEditor 4.11 to 4.15
• Updated - Bootstrap 4.3.1 to 4.5.2
• Updated - TinyMCE 4.9.2 to 4.9.8
• Updated - CodeMirror 5.25 to 5.57
• Updated - PHPMailer 6.1.4 to 6.1.7
• Updated - Fontawesome Free 5.11.2 to 5.15.1

Screenshot of the SMTP OAuth test:

To upgrade your existing installation, simply click Settings - System Update.

Unlike SCHLIX CMS, which source is pretty much open, Shoperatus is a closed source software. However, you can still edit and customize the view templates as with other SCHLIX CMS extensions we previously released. The platform itself is still open so that you will be able to create your own payment, shipping and other types of plugins. We will also publish documentation and training manual for this. Since this is the first day of the beta release, not much documentation is available yet, but we're working on it. Note that although Shoperatus is the generally available e-commerce extension, there has been another e-commerce extensions of SCHLIX CMS with slightly different purpose since 2018 but it's only available to commercial clients. You can see this on the demo/showcase screenshot of this website.

Some of the shipping plugins in the screenshots such as AsiaXpress, SpeedPost, IndiaPost and ThailandPost as well as a couple of payment plugins (Xendit - token and Moneris hosted tokenization) will only be available with a commercial license. Note - the free version of Xendit and Moneris hosted payment page are just as good for starters.

We will also release most commonly used shipping plugins such as Purolator, DHL, Fedex and USPS soon.

Expected timeline

• Between September 13 - 18, 2020: first beta release
• End of September/early October 2020: final release (as extension, fully usable)
• Mid-Late October 2020: additional shipping options: USPS (America), Fedex, DHL, UPS, Purolator, British Royal Mail will be available.
• December 2020/January 2021: automated refund, dashboard - integrated with our mapping server.
• 2021: gift card, store credit, subscription

Current features (frozen as of August 27)

• E-commerce catalog with multiple images (dynamic image size can be set in the config section).
  
  • One product can be assigned to multiple categories.
  • Product specifications (each sub-variant has a unique URL)
  • Product variance
  • CTO (Configure-to-order) product options
  • Each product can be optionally assigned a product type. You can assign only 1 product type per product. If you want to have multiple product types per product, use the category (folder) instead of product type sub-application.
  • Downloadable materials attached to product and/or product type (e.g. PDF warranty statements for all product).
• 127 tax rules for different countries, automatic setup
• Country, state/province, city database - this is different from most e-commerce as the city input is free-text.
• Discount - % or fixed.
• Coupon - must be attached to product for the initial release. We will enable store coupons later.
• Payment plugins (alphabetical order): Alipay, BluePay (CardConnect), Braintree, G2APay, Midtrans, Moneris, Paypal, Stripe, 2Checkout, Xendit. Offline payments are supported as well (bank cheque, wire transfer, Interac e-Transfer). Note: the available Moneris payments are for Canadian merchants only. We can build the US one as well if there's a request.
• Shipping plugins (alphabetical order): AsiaXpress, Australia Post, Flat Rate, GoSend, Hongkong Post, India Post, Malaysia Post, Pakistan Post, PHLPost, Postmen, RajaOngkir, Singapore Post, SpeedPost Singapore and Thailand Post
• All transactions are logged.
• Security: we test for basic XSS and SQL injection. XXE (XML injection) prevention is already built-in to SCHLIX CMS.
• Configurable email templates (must use SCHLIX CMS v2.2.4 or later)

Note: some of the payment & shipping plugins will be commercial release.

Caveats for the first version

• Reporting will be available in the next release. Information can already be extracted via SQL and we can build add-ons suitable to your needs.
• No gift card & loyalty point functionality yet - that will be done in 2021 if there's a request.

Here's what schtore looks like as of September 2020:

1. Catalog - product listing
   
   
   
2. Catalog - Images
   
   
   
3. Product Type - Options (CTO)
   
   
   
4. Product type - CTO option choice
   
   
   
5. Product - Options (CTO)
   
   
   
6. Config
   
   
   
7. Payment plugins
   
   
   
8. Shipping plugins
   

Stay tuned for more info! 😄

• Some icons on the toolbar now have been assigned colour so it's easier for the user to find which toolbar button to click.
• The datetime picker is now a lot more user friendly. Previously, the calendar would pop up automatically whenever the user clicks a datetime input. This behavious has now been changed to requiring the user to click the handle bar if the datetime picker needs to be used. With this behaviour change, it's easier for the user to type freely on the input box without the datetime picker getting in the way.
• There are various other internal changes as well and this will be  the minimum version required to run SCHLIX CMS e-commerce extension when we release it next month (we'll release the beta version in 2 weeks)

• Some highlights:
• Visual - menu appearance on the backend admin
• Composer packages can now be installed (comand line option has been removed). Please note that PHAR is required
• PHP 8.0 compatibility issue (str_contains, str_starts_with, str_ends_with)
• For developers:
  • cmsCurl and cmsXMLTool class. This is used to handle web service calls for the upcoming e-commerce extension, mostly for payment and shipping.
  • Javascript class ___$HTML and ___$INPUT to create html string tags programmatically. SCHLIX.Util.escapeHTML now has a shortcut ___h, similar to the PHP one.

It has been a little over 3 months since we last released v2.2.2-1 in late January and we finally had the chance to provide some news. First of all, we'd like to apologize for the slower responses for forum replies as well as commercial support between February until April. Even though all of our team members have already been working remotely since 2 years ago, the "new normal" still required some adjustments. COVID-19 took us by surpise and we were scrambling for alternative arrangements for many things, so work stopped for nearly 5 weeks and hence we delayed the release of our e-commerce extension (Schtore). Things are somewhat returning to almost normal now and our response time should be better now.

We realize that everyone is in this together and that there are others who experience even more hardship, so back in April we made a small donation of $2020.04 to Boyle Street Community Service, a non-profit organization for the homeless in the city of Edmonton. Homeless people are very vulnerable in this kind of situation and deserve our help.

Schtore

Schtore is our new e-commerce extension. It's quite massive (custom user-defined table fields, 127 tax rules for different countries (including EU), complete list of currencies and countries (down to the city level, user privacy features, etc). Initially, Schtore will contain the following payment plugins:

• Paypal Express (global)
• Braintree (global)
• Stripe (global)
• Alipay (China)
• Moneris (we've only tested the Canadian version, not the US version)
• Xendit (Indonesia) - as requested in the forum

Shipping plugins:

• Canada Post
• Postmen
• Rajaongkir

There's not that many shipping modules when we release it for the first time, but Postmen should cover most of it.

We may need a volunteer who's willing to test our the EU tax rules.

Please note that this is the temporary layout. It may change once we really release this for general public availability.

List of all revisions for SCHLIX CMS v2.2.1-x:

• Errata #6: Updated typo in the automated installer (not regular installer) for the email address input.
• Errata #5: Updated Google Analytics block, fixed installer and site manager PHP version detection and backslash escape function, minor correction for gallery package name (comment only), HTML encoding issue for SCHLIX_SITE_NAME in the default theme.
• Errata #4: Blog category may not appear on the backend during new item creation (Nov 12, 2019)
• Errata #4: UI layout was incorrect for the password reset form, removed the inner row/column
• Errata #4: File type check for media manager upload
• Errata #4: Fixed zh-CN (simplified Chinese) translations
• Errata #3: fixed layout where the treeview on the left has many items exceeding the browser's viewport. The left column has a scrollbar now and the tag has been changed to the default div. This actually caused an extra scrollbar to be displayed on Firefox and it is a known issue. Fixed blog primary category not being updated after the document has been saved.
• Errata #2 - fixed Fontawesome 5 iconpicker that caused an icon to be generated when saving a menu item.

While inadvertently allowing a PHP file to be uploaded via Media Manager was an oversight, it still requires an admin permission. We think it's pretty rare for an administrator to exploit a bug on his/her own site to own his/her own site.

It's best for security researchers to contact us first to validate a vulnerability before publishing it. Regardless, we still thank for the effort.

For SCHLIX CMS users, simply click Settings - System Update to keep your system secure all the time. Also, subscribe to this RSS news feed for the latest news including security related advisories.

Other notable changes include:

• Installation/removal of extension now requires administrator password
• Automated installer bug fix - missed 1 parameter during config file generation
• French translation bug fix
• Font Awesome Free has been updated to v5.11.2
• Change email and change password dialog under Users administration have been improved with better user interface
• Inclusion of manual_upgrade.php for manual upgrade in a more restricted hosting environment or if the automated upgrade fails for any reason

Download it here.

The extension submission process is already open and we're hoping to get more developers to use SCHLIX CMS.

Sample screenshots:

Highlight of new features

Custom header image

Previously, designers had to rely on using either a macro or a custom code to insert an expanded banner/header image above the content. This was cumbersome as a slight change to the HTML code means that the content items need to be updated individually. In the new v2.2.x series, they can do it easily by simply choosing to upload a custom media header and any change to the HTML tag can simply be performed in the template itself. Please have a look at the code comments inside the newly included companyprofile theme.

The following is a screenshot of the editor page where you can easily change the header image. You can configure the width, height and quality from Settings - Custom Header.

To enable this feature in your own application, simply specify the following code in the constructor:

$this->has_versioning = true;

Spell Checker

We have added a spell checker functionality.

It's still in BETA mode, so you will have to manually enable it from Settings - Editor Manager.

Custom Field

You can now specify a custom field to be used in many applications. This is useful when you need to add a field to a contact form, etc. We're currently still testing this feature and will enable this feature on other applications as well. Please note that all custom fields will have the xcf_ prefix in the actual database. In your view template, you can simply output it manually. For example:

<?php $custom_fields = $this->getItemCustomFields(); ?>
<?php foreach ($custom_fields as $cf): ?>
<?php $field_name = 'xcf_'.$cf['field_name']; $field_label = $cf['field_label'] ?>
<div class="contacts_info_label custom_field">
   <i class="fa fa-file"></i>
   <?= ___h($item[$field_name]); ?>
</div>

To enable this feature in your own application, simply specify the following code in your view.admin.template.php file:

<x-ui:schlix-explorer-menu-command data-schlix-command="custom-table-config" data-custom-table="gk_contact_items" fonticon="fas fa-terminal" label="<?= ___('Custom table fields: Contact') ?>" />

<x-ui:schlix-explorer-menu-command data-schlix-command="custom-table-config" data-custom-table="gk_contact_messages"  fonticon="fas fa-terminal" label="<?= ___('Custom table fields: Messages') ?>" />

Screenshot of the edit function:

Screenshot of backend editor with a custom field:

Hooks

You can now extend an application functionality from another class (e.g. on the custom field function). Simply create a function with hook_ prefix and it will be executed.

To create an application that calls a hook function, simply call \SCHLIX\cmsHooks::execute( ... ). We will write a documentation on this later.

X-UI tags

We have now switched to a framework-independent X-UI tag to future-proof our CMS. We used to heavily depend on Bootstrap 3, but as we realized

 <x-ui:schlix-multi-source-media-uploader data-field="url_media_file" name="image_file" id="image_file" data-dir-key="image_medium" accept="image/png, image/jpeg, image/gif" data-disable-option-existing-file="true" data-disable-option-none="true" data-allow-url-variable-dimension="true" data-preview-width="<?= $preview_width ?>" data-preview-height="<?= $preview_height ?>" />

Simple examples:

<x-ui:textbox id="meta_description" name="meta_description"  data-field="meta_description" label="<?= ___('Meta Description') ?>" />

<x-ui:schlix-tab-container>
<x-ui:schlix-tab id="tab_content" fonticon="far fa-file-alt" label="<?= ___('Content') ?>">
 Tab content
</x-ui:schlix-tab>
</x-ui:schlix-tab-container>

GDPR (Personal Data Request)

We have provided basic functionality for user data request. This application is disabled by default upon installation & upgrade.

Configuration

• Additional 6 new languages (Georgian, Kazakh, Mongolian, Arabic, Hebrew, Persian) have been added.
• You can now change the theme colour of the backend. This is useful especially if you need to open different SCHLIX CMS sites.
• You can specify whether the frontend uses Bootstrap 3 or 4. We will also expand the functionality to include other CSS frameworks such as Bulma and Zurb Foundation.
• If you need your site to be online but invisible to the search engine during the development, you can specify its visiblity as hidden and turn it back on when needed.

Backward incompatible changes

If you have installed an application and you have the following lines in the *.admin.class.php onModifyDataBeforeSaveItem or onModifyDataBeforeSaveCategory, please either comment it out or simply delete them. You have until the end of December 2021 before this backward compatibility is removed.

/* NO LONGER NEEDED AS OF 2.2.0 - please remove these lines completely or comment them out */
if ($datavalues['permission_read_everyone'])        
      $datavalues['permission_read'] = 'everyone';
      $datavalues['permission_read'] = serialize($datavalues['permission_read']);
 $datavalues['permission_write'] = serialize($datavalues['permission_write']);

Download and read the full change log now.

• Revamped admin interface for better editing experience. Quite a few of our users have made a comment last year that the dark interface has made it harder to read and navigate on the backend. We've restored the original theme and provided a new styling as well. We will make the dark theme as a configurable option later.
• Free map hosting for the Contacts application. If you are web design agency or even just a regular user who can't to pay hundreds of dollars of billing for Google Maps, we've replaced Google Maps with OpenStreetMap, hosted on our own tile server (map.schlix.website), with CDN delivery to ensure fast browsing experience across different geographic regions. You don't need to enter Google Maps API key anymore in the Contacts application. Since this took quite some effort to implement, we've pushed back other features that we promised earlier. If you have any extensions that require mapping solution, you can use our server for free as long as your website is implemented with SCHLIX CMS and that the load requirement is reasonable.

If you have any questions, please post your question in the forum.

• Possible malicious users (only for sites with registration enabled) including their IP address.
• Possible malicious files (e.g. PHP script uploaded to image folder)
• List of all world writable files and directories

The system will then attempt to fix them automatically and the report can be downloaded from /web/[your-website-name]/data/private/quarantine. This folder is inaccessible from the user's browser and the content must be manually downloaded via SFTP or FTP.

Note - there's v2.1.8-2 release that fixed the false positives and System Updater user interface issue as the automated security check ran immediately after the upgrade and thus causing a JSON error. If you've upgraded to v2.1.8-1 and got an error message right after the upgrade, you can ignore that error.

• Updated: JQuery 3.2.x to 3.3.1
• Updated: Font Awesome 4.7 to 5.2.0 (free) with adblock compatiblity
• Updated: TinyMCE 4.8.2
• Updated: PHPMailer 6.0.5
• Updated: Bootstrap 3 update (now compatible with JQuery 3.x). We're still working on Bootstrap 4 update
• Fixed: Applications built derived from cmsApplication_Basic missing title during install
• Fixed: Block instance configuration was being saved incorrectly if the title was not all in lowercase or contain non-ASCII characters
• Fixed: Forgot password link on HTTPS website didn't display for the full URL
• Fixed: Menu editor (backend) duplicate tree child item when clicking View a specific item/category
• Fixed: Compatibilities with PHP 7.2
• Enhancement: The method \SCHLIX\cmsPageOutput::HTMLHeader() can now be split into \SCHLIX\cmsPageOutput::HTMLHeaderNonScript() and \SCHLIX\cmsPageOutput::HTMLFooterScripts(). See the samplemagazine theme for more info

We realized that we're a bit behind in terms of the promised e-commerce implementation. Please note that the following is still in the works: Google Maps replacement, UTF8MB4 conversion (currently still using UTF8), GDPR and new Google Analytics tag.