
Elxis 5.6 Oxylus : Versions

Release notes for Elxis 5.6 Oxylus Versions


Elxis 5.6 Oxylus

Elxis 5.6 Oxylus focuses on strengthening security by improving existing security features or introducing new ones. 331 files were changed compared to Elxis 5.5. Most of the changes in the Elxis file system came from the removal of inline CSS and JavaScript, especially the inline events (onclick, onchange, onsubmit, etc). These events are now triggered on document load by using the elxisDocument::addNativeDocReady method. Elxis 5.6 can work perfectly with a strict CSP policy. The administrator can enforce the new password policy option, which controls users' password length, complexity and expiration date. Continue reading to get a full picture of Elxis 5.6 Oxylus.

Security related changes and additions

  • Password policy configuration option. Minimum password length can be 8 or 12 characters. Password complexity can be selected between Normal and High. Password expiration date can be set to 3 months, 6 months, 12 months, or never.
  • Enforce password expiration policy. When a user logs in and their password has expired, they cannot access anything in the CMS. Elxis shows them a special page instead in order to set a new password. This special page is the new exit page called pwchange. Note that Elxis will never send you a notification email saying that your password has expired. You will notice it after you log in successfully. So do not get tricked by emails that spammers sometimes send notifying you that your password has expired.
  • If a user fails to log in 3 times within a 5-minute time frame, Elxis will lock that user account for 5 minutes. Every new unsuccessful login attempt will extend the lock time for another 5 minutes.
  • Removal of inline events in all Elxis extensions and libraries. This was done mainly so that Elxis works with strict CSP policies.
  • Added sha256 integrity checksum HTML attribute in CSS and JS files. The value of the integrity attribute is calculated automatically by the elxisDocument library for all local CSS/JS files, even from third-party extensions. This makes Elxis a little slower, but nothing noticeable.
  • crossorigin="anonymous" in linked CSS and JS files.
  • nonce HTML attribute in CSS and JS inline declarations. The nonce value can be obtained by using the elxisDocument::getNonce() method. The nonce value changes on every click.
  • Added CSP nonce and {nonce} replacement for the Elxis config option. If you set nonce-{nonce} in the CSP option, the {nonce} string will be replaced automatically by the actual nonce value at runtime.
  • The SHA-256 integrity checksum is also calculated for the CSS and JS minifier.
  • New method preAuthCheck for the elxisAuth library. Among other things, it is used to check whether the user trying to log in is temporarily blocked due to unsuccessful login attempts.
  • Crypt helper: added sha256, sha384 and sha512 encryption algorithms.
  • Plugin Contact: Added security token in contact form.
  • Always set header X-Content-Type-Options: nosniff regardless of the security level.
  • x-frame-options = SAMEORIGIN by default.
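
How the integrity, crossorigin, nonce and {nonce} items above fit together on a single response, as an added PHP example that is not Elxis code. All function names, the sample CSP string and the asset contents are assumptions constructed for illustration; the integrity value uses the standard SRI format (sha256- followed by the base64 of the raw digest).

```php
<?php
// Added example, not Elxis code. Every function name here is hypothetical.

// SRI value: algorithm prefix + base64 of the RAW digest (third arg true), not hex.
function sriSha256(string $contents): string {
    return 'sha256-' . base64_encode(hash('sha256', $contents, true));
}

// Unpredictable nonce, generated once per response and never reused.
function newNonce(): string {
    return base64_encode(random_bytes(16));
}

// Replace the {nonce} placeholder of the configured policy with the live value.
function buildCsp(string $configured, string $nonce): string {
    return str_replace('{nonce}', $nonce, $configured);
}

function attr(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Linked local file: integrity + crossorigin, no nonce needed.
function linkedScript(string $url, string $contents): string {
    return sprintf('<script src="%s" integrity="%s" crossorigin="anonymous"></script>',
        attr($url), attr(sriSha256($contents)));
}

// Inline declaration: only runs under a strict CSP if its nonce matches the header.
function inlineScript(string $js, string $nonce): string {
    return sprintf('<script nonce="%s">%s</script>', attr($nonce), $js);
}

// Constructed sample input (in practice the contents come from the local file on disk).
$configuredCsp = "default-src 'self'; script-src 'self' 'nonce-{nonce}'";
$assetBody = "console.log('demo asset');";
// Listener bound on document load replaces an inline onclick="..." attribute,
// which a policy without 'unsafe-inline' would block.
$inlineJs = "document.addEventListener('DOMContentLoaded', function () {"
    . " document.getElementById('saveBtn').addEventListener('click', function () {"
    . " console.log('saved'); }); });";

$nonce = newNonce();
echo 'Content-Security-Policy: ' . buildCsp($configuredCsp, $nonce) . "\n";
echo linkedScript('/demo/asset.js', $assetBody) . "\n";
echo inlineScript($inlineJs, $nonce) . "\n";
echo '<button id="saveBtn" type="button">Save</button>' . "\n";
```

A browser refuses to load the linked file if its bytes no longer match the integrity value, so the hash has to be recomputed whenever the file changes.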

Other changes and additions

  • Introduction of page generators for content Categories, Articles, Tags and Archive. For more about page generators click here.
  • Provide an ID to all module DIV wrappers (id="moduleX")
  • Added Czech language (not fully translated, any help is welcome)
  • Update jQuery from v3.6.0 to v3.7.1
  • ElxisForm library: Option to add html attributes in Yes/No checkboxes
  • Database tables: DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci

Fixes

  • Messages helper: Fix GROUP BY issue when sql_mode=only_full_group_by
  • Administration login: If a user tries to log in from the wrong URL, Elxis will redirect them to the correct one (with or without www, http or https).
  • Component user: Added missing label for Country.
  • Template Five: Fix possible XSS attack.
  • Fix Google maps plugin.

Download

Elxis 5.6 Oxylus rev2733
ZIP archive, 11.47 MB, 83 downloads, August 19, 2025 22:12