Leaderboard

Wondering how to get that A+ rating on Mozilla Observatory? Now you can with ⭐⭐⭐MarkupContentSecurityPolicy⭐⭐⭐ Of course, MarkupContentSecurityPolicy does not guarantee an A+ rating, but it does help you implement a Content Security Policy for your ProcessWire website. Markup Content Security Policy Configure and implement a Content Security Policy for all front-end HTML pages. This module should only be used in production once it has been fully tested in development. Implementing a Content Security Policy on a site without testing will almost certainly break something! Overview Website Security Auditing Tools such as Mozilla Observatory will only return a high score if a Content Security Policy is implemented. It is therefore desirable to implement one. A common way of adding the Content-Security-Policy header would be to add it to the .htaccess file in the site's root directory. However, this means the policy would also cover the ProcessWire admin, and this limits the level of security policy you can add. The solution is to use the <meta> element to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">. MarkupContentSecurityPolicy places this element with your configured policy at the beginning of the <head> element on each HTML page of your site. There are some limitations to using the <meta> element: Not all directives are allowed. These include frame-ancestors, report-uri, and sandbox. The Content-Security-Policy-Report-Only header is not supported, so is not available for use by this module. Configuration To configure this module, go to Modules > Configure > MarkupContentSecurityPolicy. Directives The most commonly used directives are listed, with a field for each. The placeholder values given are examples, not suggestions, but they may provide a useful starting point. You will almost certainly need to use 'unsafe-inline' in the style-src directive as this is required by some modules (e.g. TextformatterVideoEmbed) or frameworks such as UIkit. Should you wish to add any other directives not listed, you can do so by adding them in Any other directives. Please refer to these links for more information on how to configure your policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy https://scotthelme.co.uk/content-security-policy-an-introduction/ https://developers.google.com/web/fundamentals/security/csp/ Violation Reporting Because the report-uri directive is not available, when Violation Reporting is enabled a script is added to the <head>which listens for a SecurityPolicyViolationEvent. This script is based on https://developer.mozilla.org/en-US/docs/Web/API/SecurityPolicyViolationEvent and POSTs the generated report to ?csp-violations=1. The module then logs the violation report to csp-violations. Unfortunately, most of the violations that are reported are false positives, and not actual attempts to violate the policy. These are most likely from browser extensions and are not easy to determine and filter. For this reason, there is no option for the report to be emailed when a policy is violated. Instead, you can specify an endpoint for the report to be sent to. This allows you to handle additional reporting in a way that meets your needs. For example, you may want to log all reports in a central location and send out an email once a day to an administrator notifying them of all sites with violations since the last email. Retrieving the Report To retrieve the report at your endpoint, the following can be used: $report = file_get_contents("php://input"); if(!empty($report)) { $report = json_decode($report, 1); if(isset($report) && is_array($report) && isset($report["documentURI"])) { // Do something } } Debug Mode When this is enabled, a range of information is logged to markup-content-security-policy. This is probably most useful when debugging a reporting endpoint. Additional .htaccess Rules To get an A+ score on Mozilla Observatory, besides using HTTPS and enabling the HSTS header, you can also place the following prior to ProcessWire's htaccess directives: Header set Content-Security-Policy "frame-ancestors 'self'" Header set Referrer-Policy "no-referrer-when-downgrade" Installation Download the zip file at Github or clone the repo into your site/modules directory. If you downloaded the zip file, extract it in your sites/modules directory. In your admin, go to Modules > Refresh, then Modules > New, then click on the Install button for this module. ProcessWire >= 3.0.123 is required to use this module.

Another quick update: rendered search feature is now visible at https://wireframe-framework.com/search/. Entire content area (between main menu and the footer) is rendered by the SearchEngine module. The rendered version (if bundled styles are used, which is optional) should look more or less like that on most sites – obviously site styles come into play, so it may be a bit off and require tweaking, but that's to be expected ? Pager is now included as well, but on this site you'd have to search for something silly like "co" to see it in action. The default limit is set to 20 results, and the site doesn't have that many pages to begin with. The styles are organised into "themes", which currently means any number of custom CSS and/or JS files, but I'll probably expand these to include custom config files as well sometime soon. This way it should be easy to create multiple built-in themes to select from (for different frameworks or whatever). The render feature is currently only available via the dev branch of the module. I'll test it a bit more before merging to master – probably tomorrow ?‍♂️

Hi @gebeer Just stumbled across this (I know my reply is a little late,) but it is totally possible to prevent your rest API endpoints from starting sessions by using the $config->sessionAllow; variable. If you define it to be a function that returns bool true or false, then it will be evaluated and the return value determines if the Session class constructor is allowed to start a new session. There's an example of it in the default wire/config.php file at line 245. Reproduced here... $config->sessionAllow = function($session) { // if there is a session cookie, a session is likely already in use so keep it going if($session->hasCookie()) return true; // if URL is an admin URL, allow session if(strpos($_SERVER['REQUEST_URI'], $session->config->urls->admin) === 0) return true; // otherwise disallow session return false; }; You just need to rewrite the function so it returns false for your API endpoint path. Make that change and add it to your site/config.php file, and I think that anything hitting your API endpoint directly will not have a session created for the connection. Hope that helps!

Hey folks! Took a couple of late nights, but managed to turn this old gist of mine into a proper module. The name is SearchEngine, and currently it provides support for indexing page contents (into a hidden textarea field created automatically), and also includes a helper feature ("Finder") for querying said contents. No fancy features like stemming here yet, but something along those lines might be added later if it seems useful (and if I find a decent implementation to integrate). Though the API and selector engine make it really easy to create site search pages, I pretty much always end up duplicating the same features from site to site. Also – since it takes a bit of extra time – it's tempting to skip over some accessibility related things, and leave features like text highlighting out. Overall I think it makes sense to bundle all that into a module, which can then be reused over and over again ? Note: markup generation is not yet built into the module, which is why the examples below use PageArray::render() method to produce a simple list of results. This will be added later on, as a part of the same module or a separate Markup module. There's also no fancy JS API or anything like that (yet). This is an early release, so be kind – I got the find feature working last night (or perhaps this morning), and some final tweaks and updates were made just an hour ago ? GitHub repository: https://github.com/teppokoivula/SearchEngine Modules directory: https://modules.processwire.com/modules/search-engine/ Demo: https://wireframe-framework.com/search/ Usage Install SearchEngine module. Note: the module will automatically create an index field install time, so be sure to define a custom field (via site config) before installation if you don't want it to be called "search_index". You can change the field name later as well, but you'll have to update the "index_field" option in site config or module settings (in Admin) after renaming it. Add the site search index field to templates you want to make searchable. Use selectors to query values in site search index. Note: you can use any operator for your selectors, you will likely find the '=' and '%=' operators most useful here. You can read more about selector operators from ProcessWire's documentation. Options By default the module will create a search index field called 'search_index' and store values from Page fields title, headline, summary, and body to said index field when a page is saved. You can modify this behaviour (field name and/or indexed page fields) either via the Module config screen in the PocessWire Admin, or by defining $config->SearchEngine array in your site config file or other applicable location: $config->SearchEngine = [ 'index_field' => 'search_index', 'indexed_fields' => [ 'title', 'headline', 'summary', 'body', ], 'prefixes' => [ 'link' => 'link:', ], 'find_args' => [ 'limit' => 25, 'sort' => 'sort', 'operator' => '%=', 'query_param' => null, 'selector_extra' => '', ], ]; You can access the search index field just like any other ProcessWire field with selectors: if ($q = $sanitizer->selectorValue($input->get->q)) { $results = $pages->find('search_index%=' . $query_string . ', limit=25'); echo $results->render(); echo $results->renderPager(); } Alternatively you can delegate the find operation to the SearchEngine module: $query = $modules->get('SearchEngine')->find($input->get->q); echo $query->resultsString; // alias for $query->results->render() echo $query->pager; // alias for $query->results->renderPager() Requirements ProcessWire >= 3.0.112 PHP >= 7.1.0 Note: later versions of the module may require Composer, or alternatively some additional features may require installing via Composer. This is still under consideration – so far there's nothing here that would really depend on it, but advanced features like stemming most likely would. Installing It's the usual thing: download or clone the SearchEngine directory into your /site/modules/ directory and install via Admin. Alternatively you can install SearchEngine with Composer by executing composer require teppokoivula/search-engine in your site directory.

Please let me know how you find it - this module is really just a result of looking into it the past two weeks to try and get an A+ on Mozilla Observatory (did it! ?) so I'd really appreciate any feedback!

Hi @bernhard cool to see that you needed this module for your case. About your question, I quote myself : That's not the first time this question is asked, I will make the Process module installed automatically on the next version (which should be ready for the end of august).

This is probably a perfect case for a custom textformatter. Those are invoked when the content of a textarea is rendered. Here's an example module that prepends a custom URL to all external links. You need to enter /my-redirect-link/?link= in the module's configuration after installation and configure the field in question to use TextformatterExternalRedirect. <?php namespace ProcessWire; /** * ProcessWire External Link Redirector Textformatter * * Prefixes the URL in each external link with a local URL that redirects to the * original URL after doing whatever it is that it needs to do. * * The URL to prepend is configured in this module's settings * (Backend: Modules -> Configure -> TextformatterExternalRedirect) * * It assumes that the prepended URL ends with a GET parameter and an equal sign, * so it urlencode()s the original URL. * * Example: * Link is <a href='https://processwire.com'> * Prepend URL: /myredirector/?link= * Textformatter generates: <a href='/myredirector/?link=https%3A%2F%2Fprocessire.com'> * */ class TextformatterExternalRedirect extends Textformatter implements ConfigurableModule { public static function getModuleInfo() { return array( 'title' => 'External Link Redirect', 'version' => '0.0.4', 'summary' => "Parses links in textareas and prepends a local redirector URL", ); } public function __construct() { parent::__construct(); $this->set("prependUrl", ""); } public function format(&$str) { $str = trim($str); if(!strlen($str)) return; if(!$this->prependUrl) return; $that = $this; $str = preg_replace_callback( '/(<a[^>]+href=)(["\'])([^"\']*)(\\2)/i', function($match) use($that) { // If link is not external, we return the original link if(!$that->isExternalLink($match[3])) return $match[0]; return $match[1] . $match[2] . $that->prependUrl . urlencode($match[3]) . $match[2]; }, $str ); } public function isExternalLink($url) { foreach($this->config->httpHosts as $hostname) { // If the target host is one of our own hostnames, // this link is not external. if(preg_match("~^https?://{$hostname}~i", $url))) return false; } // Otherwise, all http(s) links are definitely external // and get redirected. if(preg_match('~^https?://~i', $url))) return true; // No match, then we have a relative url (internal) or some other // scheme (e.g. mailto) that we don't redirect. return false; } public static function getModuleConfigInputfields($data) { $inputfields = new InputfieldWrapper(); $f = wire('modules')->get("InputfieldText"); $f->attr('id+name', 'prependUrl'); $f->label = __("URL to prepend", __FILE__); $f->description = __("This URL is prepended. It is assumed that it ends with a GET parameter to which the URL-encoded original link will be passed.", __FILE__); if(isset($data["prependUrl"])) $f->attr('value', $data["prependUrl"]); $inputfields->append($f); return $inputfields; } }

Ok, i compared the sourcecode of the "period containing" and the "non period containing" emails more closer. It seemed to be some "X-Spam" infos in the mail head that might be the problem. I also tried a nother "period containing" mailaddress without any problems.

It's true that this is a bit tedious – to say the least ? The indexer doesn't currently have stemming support or anything like that built-in, which means that it can only find exact matches. I'd love to include something more elegant, but I'd first need to find a solution that works reliably across multiple languages – at least German, Swedish, Finnish, and English, since those are the ones I personally need most, and that would probably cover a large part of the audience here. If such a feature does get added, it might also make sense to distribute it as a separate module (which wouldn't be particularly hard, really). By default the module uses "%=" selector, which I've personally preferred over "*=".This is partly because I actually want partial matches, but also because back in the days the "*=" selector didn't seem to work too well with Finnish content. This way I'm not constantly worrying about MySQL quirks, full-text stopwords, etc. Anyhow – I just experimented by changing the selector operator to "*=", and now the only hit is the "Why use Wireframe?" page, which has the word "battle-tested" on it. Default selector is configurable via site config, or you can pass custom selector in if you query results yourself, and that might actually be enough to resolve some issues already. Currently there are a lot of options that are only configurable via site config (code), but I'll probably add these (selectively) to the admin as well. It's just a lot easier to add them in code first ? (Edit: on a second thought I'm probably going to switch the default selector to "*=". Seems like it will be better for most users, and those who don't like it can always change it.) Finally, the description text shown on the search results page is pretty "dumb", currently defaulting to the value of the summary field. Obviously that won't do for sites that don't have this field, but it's there for most default profiles, so that seemed like a reasonable starting point. In my own projects I'd probably make that "meta_description|summary", since those fields will always be there, and they are pretty much exactly what a view like this needs. I'd love to create the summary from the index so that it can always (or nearly always at least) show a piece of text that matched (kind of like Google does), but since the index is essentially a whole lot of mismatched text stuck together, that would often look pretty awful. Google does these "custom excerpts" well – obviously – but even Relevanssi (which is the de facto search plugin for WP) struggles with this part and in many projects produces unreadable mess when the custom excerpt option is enabled. (Mainly because such a feature is a nightmare from a logical sense.) Awesome! ?

You have a lot of weird invisible characters in your code - this happens sometimes when you copy-and-paste from forums. Luckily, good text editors / IDEs spot such stuff and give warnings. I cleaned up your code and attached it here (together with two minor hints re: code) kalimati.zip

The way markup generation is currently implemented can be seen in the dev branch at the GitHub repository – it's pretty easy to grasp by taking a look at the render settings in the SearchEngine.module.php file: https://github.com/teppokoivula/SearchEngine/blob/dev/SearchEngine.module.php#L70:L124. Instead of defining big chunks of markup in one go, I've tried to make the rendering "atomic" enough to allow for pretty much any kind of modification. Technically a framework-specific version could mean just alternative 'classes' and 'templates' arrays, and of course whatever custom styles might be needed. Not sure if I got your point right, though, so please let me know if this seems very different to what you were thinking ?

One last update for the day: master branch of the module is now at 0.5.0. This includes both the rendering features mentioned above, and a slightly more polished theming feature, where each theme can declare custom markup, styles, scripts, strings, etc. More details in the README file.

Hi flydev, just needed to use this module and didn't find that button until i found that I need to install the process module. In one of your screencasts there was the "event trigger" dropdown which is not there any more in newer versions. Why is the process module not installed on installation? I was looking under "setup" before installing the process module and there was of course no duplicator page until i found out that I had to install the process module manually. Maybe you could also add a hint on the duplicator config screen? Thx for you module!

and here

Lots of infos here: https://processwire.com/blog/posts/composer-google-calendars-and-processwire/

Quick update on this module: got a bunch of rendering features almost ready to ship. Still need to add paging support and may add a "fast mode" that always returns default markup (not sure how important that would really be, it's just an idea I've been tinkering with), but that's just about it. I'll probably bundle the (optional) styles – and later scripts – with the module, just to provide a decent-looking default state right out of the box (for actual use or testing). Also, I'm thinking of adding a "load more" alternative to paging, but that'll probably be a later addition. Somewhat off-topic, but I've been going back and forth with BEM: sometimes I love it, but often it just complicates things and makes both CSS and markup hard to maintain. Nevertheless, in a project like this it's just brilliant! By declaring search form, results list, and a single result as separate components, I can quite easily style them individually, not worry too much about messing with site markup in general, and it's also really easy to override just s specific part of the default styles in site-specific styles. Anyway, currently the ("full", i.e. a form and a results list) rendered state looks like this:

I've been in Minnesota all week for a family reunion and only a few minutes at the computer every day, so I don't have a core update or anything worthwhile to write about this week. But now I'm headed back home so will be back to a regular schedule next week. Hope that you have a great weekend!

A sneak preview of a new page builder concept that I'm close to completing. I'll write more about this in coming weeks, but this video demonstrates a lot of unique things going on:

@tires - that error should be fixed in the latest version - not sure if that helps your issue with deletion of the email / duplicate copies of page creation though.

When I create a form with FormBuilder, is there a way to stop it from showing the vertical scroll bar on the right side of the form page??? For example look at this page. http://www.cji.edu/registration/reg-lemd/?course_name=Effective Report Writing&course_date=December 6, 2017 Why does it even have a scroll bar?

Yes they do, however 3) with output buffering resulted in: scf_enquirytype: 1 scf_name: Szabesz Date: 2017-05-14 09:18:47 and I did not get my message. However, simple include works for me as expected. Here it is for reference if anyone is interested in getting the title of a selected Select Options Fieldtype: <?php namespace ProcessWire; // as per https://processwire.com/api/modules/select-options-fieldtype/#manipulating-options-on-a-page-from-the-api // scf_enquirytype is a Select Options Fieldtype $field = $fields->get('scf_enquirytype'); $all_options = $field->type->getOptions($field); // $enquirytype stores the ID of the option selected $enquirytype = $input->post->scf_enquirytype * 1; $emailMessage = $enquirytype . "\n\n"; // WireArray is 0 indexed, while Select Options Fieldtype starts at 1, we account for this: $emailMessage .= $all_options->eq($enquirytype - 1)->title . "\n"; BTW, thanks for the file_get_contents explanation, I've never used it instead on include, today I've learnt a few things again