• Old development thread can be found here: #21

User requests

- All done!

In progress or inactive

- [Plugin request] [1.0.0 released - additional requests made] Social networks block (development discussion: #42)

Short guidelines for tackling any of the requests

1. The solution to the possible improvements should be compact/small/smart and clean in terms of code.
2. Awesome solutions are rewarded with a honourable mention on the official WonderCMS website - https://wondercms.com/special-contributors and the WonderCMS download page https://wondercms.com/latest.

• If our donation fund isn't empty, we'll gladly reward you with a donation as a token of appreciation.

Finished improvements from previous roadmaps/requests

1. Clean(er) URL's (short problem description: spaces and special characters URL handling + saving to database and displaying them in menu)
Long problem description and example:
When an user enters "my new page" in their menu at their example.com domain, spaces aren't stripped and the URL is example.com/my new page. The solution would be to replace spaces with the "-" character so the URL would be example.com/my-new-page.
1a. But what about all other special characters? And what "URL" are we going to save in the database in those cases.
1b. Once we update WonderCMS with this feature, how do we handle the user page names in their database.js to avoid an upgrading mess?
1c. After all this, we still need to display pages in the menu exactly the user entered them.
EDIT: this looks promising: http://cubiq.org/the-perfect-php-clean-url-generator
**IN WORK: @wdj-ac has started working on this, contribute if you can: https://github.com/wdj-ac/wondercms/issues/ - DONE, thanks to @wdj-ac (Pascal Jordin)

2. Display all pages in the settings panel and additionally include some "hide from menu" functionality.
Problem: There's currently no "full list" of pages in the settings. A solution to this would be to view the database.js but that's definitely a hassle. We need a simple way to display all pages and a checkbox in the current page settings menu, that would enabe the user to hide the page from the menu.
**IN WORK: @wdj-ac has started working on this, contribute if you can: https://github.com/wdj-ac/wondercms/issues/ - DONE, thanks to @wdj-ac (Pascal Jordin)

3. Enable users to install plugins via the settings panel. (Almost done, test version in near the end)
3a. This should be an input text field, which would take a ZIP link (allowed only from github.com domain) and extract it to the users plugin folder.
3b. Enable users to update their plugin with a new ZIP link (if the plugin name is the same).
3c. Simple plugin list (list all plugins from plugins folder)
3d. Enable users to easily remove a plugin (from the plugin list, a small "X" would do and a confirm dialog).
3e. Same functionality for themes (we will probably need an extra field for this, possibly a check box to choose between installing a plugin or a theme to avoid two text fields).

[Plugin request] Simple blog functionality (development discussion: #44) - provided with a plugin with upcoming 3.0.0 release

[Theme discussion] Blog theme (development discussion: #55) - provided with a plugin with upcoming 3.0.0 release

Add special section on WonderCMS website for plugins and themes

Automate the process of reading themes/plugins from GitHub and display them on the WonderCMS website in a searchable and paginated way (numbered pages) possibly searchable by name). - will be partially provided with upcoming 3.0.0 release

8. Additional code review/optimisation.

[Plugin request] Multi language settings panel (development discussion: #40)

The file editinplace.php do not sanitize all the request and it is possible to execute a Cross-Site Scripting XSS attacks.

/wonder/js/editinplace.php?page=<script>alert(1)</script>

In the code, line 39, echo $_GET["page"];

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

When you fix the bug, please, can you include my name in the release notes when the bug will be corrected? Manuel Garcia Cardenas [email protected]

Regards,

Hello Team,

i found a vulnerability (stored cross site scripting) and already sent email to [email protected], this vulnerability is confirmed in last version of wondercms. and work with all modern browser. hope you can fix it asap.

Best Regards,

Right now, the system limits us in having the same layout on every page we create, and that kinda defeats the purpose of having the ability to add multiple pages, as these will all look the same.

It would be great if we could assign a different theme to each page.

For example, a developer could create a theme for the Homepage, and different themes for the other pages.
By default, each page would be created using the the main layout, which can be changed in the settings.

You cant name your sites "menu", "description", etc. because the files are in the same location as the config files...

Hello,
I wanted to know whether it would be possible to implement a language switcher for the admin interface.
A possible solution would be using i18njs. The work needed to realize this should not be that big because wCMS already relies on JSON database.
I'd love to hear your opinion.

Hello,
I found several issues which I could not resolve.

The first issue is the notification which says "New WonderCMS update available." When I click on "Update WonderCMS" the success message shoows up but the notification itself won't disappear.

The second one has to deal with the summernote plugin. The buttons of the editor don't have the same height. In the developer console I could not find any css class which overrides the default values for the buttons.

Hopefully someone can help me :)

Regards
AndiLeni

Exploit Title: Stored XSS vulnerability possible in settings page in WonderCMS (v2.0.3)
Date: 23-April-2017
Exploit Author: @C0deBr8kr
Software Link: https://www.wondercms.com/latest
Version: 2.0.3

Description:
XSS allows an attacker to run arbitrary scripts on the users browser.

Exploit POC:
Browser used: Chrome version 57.0.2987.133

1. Login as the admin user.
2. Go to the settings page.
3. Enter <script>alert('XSS in the Page Title');</script> in the "Page title" field.
4. Save the settings.
5. The script will get executed whenever the user navigates to the page containing the script (in this case - Home page).
6. Other fields like Page description, Main website title, Menu, Footer, Default Home page are all vulnerable to the same vulnerability of stored XSS.

References:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Screenshots:

1. Entering script into page title

2. Script executes on navigating to the Home page.

Impact: An attacker can execute arbitrary script on an unsuspecting user's browser.

Mitigation: Input should be properly validated before storing in the database and output from the database should also be properly encoded before displaying it to the user.

I've just done a first time install of 2.3.1 and get the following notices:

Notice: Undefined index: token in C:\xampp\htdocs\sde\index.php on line 407

Notice: Undefined index: token in C:\xampp\htdocs\sde\index.php on line 364

I've noticed that WonderCMS still uses jQuery 1.12.4 for compatibility with old browsers like IE 6-8.
I believe that's not the case anymore, as statistics show that older browsers have 0 usage.

So for security and performance reasons, with the release of WonderCMS 2.4.0, I think it would be better to switch to jQuery v3.2.1

Also, jquery.autosize & taboverride need an update.

Affected software: WonderCMS-2.5.2

Type of vulnerability: XSS (Stored)

URL: : https://www.wondercms.com

Discovered by: Breachlock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

Proof of concept:

Step1: Login to the wonder cms.
Step2: URL: http://localhost/WonderCMS-2.5.2/wondercms/
Visit the URL and make a new page title with the description using the malicious javascript.

Step3: Here as the xss got executed for new page title parameter.

Is there any posibility to use markdown instead of HTML?

I just tried WONDERcms which is supercalifragilisticexpialidocious - super easy - in usage.

But the usage of markdown would be a less better. Any chance to get this?

Hi Developers,

How can I display the contact form on a single page? I can paste the PHP code into theme.php, but the form will be displayed on all content pages.

For the contact I have a page "contact" and only there should the form be displayed.

How can I relay it?

Thanks in Advance.

Received the following error when simply loading the page, immediately after cloning current repo:

Warning: require(themes/reponsive-blue/theme.php): failed to open stream: 
No such file or directory in /home/cristoslc/www/wondercms.sites.cristoslc.com/public_html/index.php on line 90

See screenshot at http://snag.gy/KDVA7.jpg

Please note that I've found some errors during HTML Validation:
https://validator.w3.org/nu/?showsource=yes&showoutline=yes&showimagereport=yes&doc=https%3A%2F%2Fwww.wondercms.com%2Fdemo%2F

PS: A simple CMS such as WonderCMS, should get a PERFECT score in all areas. 😀
https://gtmetrix.com/reports/www.wondercms.com/9VivHY2V
https://developers.google.com/speed/pagespeed/insights/?url=https%3A%2F%2Fwww.wondercms.com%2Fdemo%2F&tab=mobile

The bugs below work only if an admin is logged and is tricked into pasting JavaScript code or uploading SVG's

WonderCMS comes with some security features and some responsibilities.

1. A logged-in user (admin) can execute JavaScript anywhere on their website.

• This has always been a WonderCMS feature.
• I personally don't consider this needs fixing, since a logged-in admin can do much more damage than just XSS attacks (including website defacement, malware distribution, cryptominers, ...)

2. A logged in user can upload a SVG (containing code other than an image, such as JavaScript).

• SVG's are generally not just images, they can also include code such as JavaScript, XML, these are awesome features of SVG's.
• Sanitizing SVG's would partially kill their functionality.
• If there are enough wishes for this action, the SVG uploading functionality can be completely removed from WonderCMS.
• If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?

3. Host header attack.

• This will not be considered a vulnerability until we see a live exploit of this (not local).
• Using the Burp Suite Tool to create/show a local attack is not enough, since there needs to be a way to exploit a WonderCMS installation (and not just locally attack one-self).

How to prevent self-attack vulnerabilities

• Avoid pasting random JavaScript code.
• Avoid uploading random SVG's.
  - Install themes and plugins only from wondercms.com

The list above is subject to change. All discussions are welcome.
Reporting the above issues/bugs/vulnerabilities will not include you in the WonderCMS reward system.

VIsit https://www.wondercms.com/demo/

You will get this error:

The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.

Visit any other page after that, and you will see this notification:

OS: Ubuntu 14.04
Browser: Firefox Quantum

Undefined index 'page' in line 92

Change to fix:
92 if (isset($_GET['page']) && $_GET['page'] == wCMS::get('config','login')) ........

Hi there, I'm a brand new user of your CMS. Just downloaded and set up a playground.

I got this error:

Deprecated: Non-static method wCMS::_updateOtherFiles() should not be called statically on line 37.

Changing line 13 to read:

public static function _updateOtherFiles() {

This appears to have fixed the problem without breaking anything else.

Hi there, I want to run wondercms using nginx on a local port 8080.
Port-forwarding is changing this port to std 80 again. But when I access index.php all links appear to be like this:

www.mycomain.com:8080:relative/link.html.

howto prevent wondercms to be using this port configured in my web server?

thx
Stefan

@robiso
I liked the demo very much, so installed on local machine to play around.

On windows machines admin url is malformed
Instead of http://localhost/works/wondercms/loginURL I get http://localhostd/Works/wondercms/loginURL

I believe even if my work was inside apache's htdocs, I will still see the drive letter

Windows Setup
Apache 2.4, PHP7 > in C drive
My works are under D:\works\work_sub_folder

My Solution

I replaced INC_ROOT in function url with this dirname($_SERVER['SCRIPT_NAME'])

public static function url($location = null) { return (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://').$_SERVER['HTTP_HOST'].str_replace($_SERVER['DOCUMENT_ROOT'], '', str_replace('\\', '/', INC_ROOT))."/{$location}"; }

Hi,

I think, that there should be some more points in the wiki Requirements part:

• Apache Module mod_rewrite
• PHP mbstring extension
• PHP curl extension

What do you think?

Hi Developers,

Can you help me maybe. After the last WonderCMS upgrade, my custom login URL will stop working.

A blank page is displayed and the password entry field is no longer displayed.

I have the CMS under Centos 7.4, in Apache, Plesk, on a subdomain.

What else can I do to remedy this?

Thanks in Advance.

It would be nice with this editor:
https://alex-d.github.io/Trumbowyg/

What do you think about ?

Short discussion description

• Since version 2.3.0, the built in WonderCMS file uploader accepts ANY file type, not just pictures.
• This brings great responsibility to the admin user. The admin user must NOT upload malicious files that could harm their own website.
• Some people have voiced their opinion that this is bad and that the user could harm himself by uploading any malicious files.

Below are arguments for and against this uploading any file type feature

Arguments to keep this feature (uploading any files)

• This is similar functionality to FTP/SSH uploading (no limits).
• Only the admin can upload files:
  • meaning if the admin wants to hurt his/her website, there are other channels to do self-harm than the simple file uploader.
• We've removed this limit to enable users to upload whatever extension they want.

Arguments to limit this feature to just uploading pictures

• User can not inflict harm to their website through the file uploader (but can still do this via FTP/SSH/other channels).
• If the user gets compromised, an attacker can upload whatever they want in their files directory.

How can the user be compromised?

• Sharing their password.
• Sharing their login URL, which could lead to password brute forcing.
  • It is very important to keep your login URL safe for cases like this.

What happens when an user in a shared environment gets compromised?

• Shared hosting plans usually have a protection in place, a protection that limits the user only to their account - so no further damager could be done (to other users on the same hosting plan):
  • the user inflicts damage only upon himself and his website (and no other users on the same shared hosting plan).

This thread is closed. NEW DISCUSSION THREAD: #41

Hello everyone. We need your help with improving WonderCMS.

Roadmap

1. Spread the word about WonderCMS.
2. Add special section on WonderCMS website for plugins and themes

• Automate the process of reading themes/plugins from GitHub and display them on the WonderCMS website in a searchable and paginated way (numbered pages).

3. Additional code review/optimisation

• WonderCMS index.php is around 550 lines of PHP long
  • WonderCMS runs on 51 functions

Finished improvements from roadmap

1. Clean(er) URL's (short problem description: spaces and special characters URL handling + saving to database and displaying them in menu)
Long problem description and example:
When an user enters "my new page" in their menu at their example.com domain, spaces aren't stripped and the URL is example.com/my new page. The solution would be to replace spaces with the "-" character so the URL would be example.com/my-new-page.
1a. But what about all other special characters? And what "URL" are we going to save in the database in those cases.
1b. Once we update WonderCMS with this feature, how do we handle the user page names in their database.js to avoid an upgrading mess?
1c. After all this, we still need to display pages in the menu exactly the user entered them.
EDIT: this looks promising: http://cubiq.org/the-perfect-php-clean-url-generator
**IN WORK: @wdj-ac has started working on this, contribute if you can: https://github.com/wdj-ac/wondercms/issues/ - DONE, thanks to @wdj-ac (Pascal Jordin)

2. Display all pages in the settings panel and additionally include some "hide from menu" functionality.
Problem: There's currently no "full list" of pages in the settings. A solution to this would be to view the database.js but that's definitely a hassle. We need a simple way to display all pages and a checkbox in the current page settings menu, that would enabe the user to hide the page from the menu.
**IN WORK: @wdj-ac has started working on this, contribute if you can: https://github.com/wdj-ac/wondercms/issues/ - DONE, thanks to @wdj-ac (Pascal Jordin)

3. Enable users to install plugins via the settings panel. (Almost done, test version in near the end)
3a. This should be an input text field, which would take a ZIP link (allowed only from github.com domain) and extract it to the users plugin folder.
3b. Enable users to update their plugin with a new ZIP link (if the plugin name is the same).
3c. Simple plugin list (list all plugins from plugins folder)
3d. Enable users to easily remove a plugin (from the plugin list, a small "X" would do and a confirm dialog).
3e. Same functionality for themes (we will probably need an extra field for this, possibly a check box to choose between installing a plugin or a theme to avoid two text fields).

The solution to the possible improvements should be small and clean in terms of code.

If you find an awesome solution, we will gladly list you and your website on wondercms.com/special-contributors and the official WonderCMS download page wondercms.com/latest. If our donation fund isn't empty, you're also rewarded with a donation.

By default, you can use HTML tags inside your blocks (like <b>, <table>, <div> and so on), and that goes fine until you are saving your block, and that block is starting from an HTML tag, that is represented as a block (let's say <div>).

If so, you can't edit your text anymore and will lose all your content after next saving. Since we are wrapping a text into <span> block (and <span> is inline element by default), <div> or <p> element will 'pop-out' of editable <span> tag.

The web site does not filter special characters, resulting in XSS

URL：https://www.wondercms.com/demo/

• Wonder cms: v-2.5.2
• PHP Version: 5.6.35
• Apache Version: 2.4.33
• Operating system: microsoft windows v10

Vulnerabilty name: cross site scripting.

Steps to reproduce:

1: go in settings->general->addpage.
2: In the content of page execute malicious javascript "><script>alert(1)</script> and save the page.
3: XSS payload will be reflected to the browser.

POC:
Type payload ">script>alert(1)</script>

Regards
RItesh Kumar

Discription:
Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. The attacker's page then loads malicious JavaScript and an HTML iframe pointing to a legitimate site. Once the user enters credentials into the legitimate site within the iframe, the malicious JavaScript steals the keystrok.

Impact: Critical
Solution:
Where possible do not use users' input for URLs.
If you definitely need dynamic URLs, make a list of valid accepted URLs and do not accept other URLs.
Ensure that you only accept URLs which are located on accepted domains.
POC:

1. access the url http://127.0.0.1:880/wondercms-master/
2. edit Home parameter and add payload add as

Payload1:

Payload2:

Payload3:

Payload4:

3. observer the response and will get evil site loaded in side the frames.

kes.

Current version is 0.6 Beta

Hi,
Plugin Modern Setting runing on wcms version 2.4

Catchable fatal error: Object of class stdClass could not be converted to string in
plugins/_modern_settings/_modern_settings.php on line 180

Dear community, please cast your vote (1, 2, 3, 4)

1 (black ribbon)

2 (purple ribbon)

3 (black ribbon with space/astronaut background)

4 (purple ribbon with space/astronaut background)

Help us out: we need reviews/possible improvements on version 2.4.0: https://github.com/robiso/WonderCMS-testRepo/blob/master/index.php

Whats new:

• A more clear definition of public/private functions. We need reviews mostly on this.
• Corrected code logic in theme/plugin installer with an array check. Thanks to reddit user: Vekien
• Added hash_equals checks to prevent CSRF timing attacks. Thanks to reddit users: ayeshrajans, [Vekien](https://www.reddit.com/user/vekien.
• Prettified code fixes (PSR-2 - with a few minor exceptions), much easier to review the whole core (index.php).
• Added link to WonderCMS homepage in the Settings panel.
• Minor text changes to the Settings panel and error messages.
• CSS fix, removed bottom border on the settings panel links. The border was visible only when designing a new theme/template from scratch.
• Functions renamed (removed _) and re-sorted alphabetically for easier overview.

Note: Additional contents plugin will need to be updated with this release in late December.
Fun fact: WonderCMS consists of 46 functions.

Easier review

Below is 2.4.0 index.php with all changes in effect except for alphabetical re-order (for easier code review from new to old).
robiso/WonderCMS-testRepo@38cd183

Any other improvements are also welcome (for example, the deleteFileThemePluginAction function is possibly left out for improvement), all other optimizations are also welcome.

As always, contributors get a special thanks in the release notes on https://www.wondercms.com/whatsnew and in the community + GitHub release notes. The second we get something in the donations fund, we'll distribute the donations between those developers like we have in the past, please don't expect much as we (surprisingly) don't get much in donations.

A short list of people that are pending a donation reward for their contributions:

@xss @anolis @gakowalski @Alamantus @yassineaddi (some of you have been already rewarded, but I personally feel you deserve more for contributing to this project)

Hello!

Thank you for WonderCMS! It's very easy and very powerfull engine. Looks like a magic :)
I have an issue about WonderCMS at the Nginx environment. I can't to get access to loginURL or example page.
I try to use the recomendation from this page: https://github.com/robiso/wondercms/wiki/NGINX-server-config . But in PHP-FPM
Message in the Nginx logfile:
[23-Mar-2017 14:12:48 Asia/Singapore] PHP Notice: Undefined index: page in /var/vhosts/stty/www/index.php on line 91
Thank you!

[Plugin request] Social network(s) block

• Enable users to enter their social network links.
• Every time a social network link is filled, its displayed somewhere on the page (footer block or something similar).

What social networks should this plugin include?

• Open for discussion or chosen by plugin author(s).

Hi
I'm trying to make a CKeditor plugin, but am quite a newbie with JS.

My problem is with the blur+save staff in my hook-admin-richText.php file which for now looks like the folowing:

        var stopBlur = false;
        a.html("<textarea "+title+"name=\"textarea\" id=\""+ a.attr('id') +"_field\" class=\"editable\" contenteditable=\"true\">" + a.html() + "</textarea>");
        editor = a.find('textarea');
        editor.ckeditor({focus: function(){stopBlur=true;setTimeout(function(){stopBlur=false;},200);},blur: function(){setTimeout(function(){if(stopBlur)return;fieldSave(a.attr('id'),a.find('textarea.editor.getData()').html());},50)}});

        $('div.ckeditor').click(function(){
            stopBlur = true;
            setTimeout(function(){stopBlur = false;},200);
            a.find('div.ckeditor').focus();
        });
        a.find('div.ckeditor').focus();

Simple blog functionality

• One of the ways to display contents from other pages on one page would be (example) <?php echo wCMS::get('pages', 'about')->content; ?> for fetching the contents of the page about.

• Another way (posted by wdj) with additional display of titles, description

<?php if (wCMS::$currentPage == 'home'): ?> <!-- What page to display this on -->
        <div class="container marginTop20">
            <?php foreach ( wCMS::db()->pages as $pageName => $page ): ?> <!-- loop though all pages -->
            <div class="col-xs-12 col-md-4">
                <div><a href="<?=$pageName?>"><?=$page->title; ?></a></div>
	            <div><?=$page->description; ?></div>
                <a href="<?=$pageName?>">more...</a>
            </div>
            <?php endforeach; ?>
        </div>
<?php endif ?>

• This blog functionality should possibly involve a pagination option, so the users can choose how many posts they want to display on a specific page.
• Additional plus: a way to include only a snippet of the blog/page ("read more" link)
  • in a case where the user would set a limit on how many characters of the blog post/page would be shown - a "read more" link would be appear

Hi,

Newly made pages result in 403.
If there is any info you need from my setup?

Sorry, noticed your comment about keeping discussion on the forum too late.
Will open thread there.

[edit] Found one of the reasons why people might be getting a 403.
It is a conflict between virtual url and actual url. Making a menu item called 'gallery' shows as www.example.com/gallery/ (note the last slash) if there is a folder in the root called 'gallery' (or even 'gallery01'). The new menu item will be trying to open an actual folder.

[Plugin request] Insert PHP code

• Enable users to enter PHP code on any page via the editable areas or a new field generated by the plugin.

@robiso
in the menu bar at the top, if you have a pagename that ends with a questionmark then the highlighting doesn't work anymore.

my setup:
Server version: Apache/2.4.18 (Ubuntu)

example:
in the following example, if you click on "FRAGEN?" it will not highlight as it is supposed to do.

should be easy to reproduce and hopefully easy to solve.

kind regards
kroovy

I get this message when starting admin.
Now, my index file has '2.0.6'
and the file 'version' I have edited to have '2.0.6.'

But still I get 'Your WonderCMS version is out of date.'
Where is this problem coming from?

The message disappear when I have worked a while in the admin.

Hi Team,

Here the CMS is vulnerable to improper sanitization which leads to execution of javascript and HTML codes.
So, can be used maliciously

Here in the above image Page Title, Page Description and Page Keyword are vulnerable.

This is the POC image of a successful attack.

Contact form is unusable when you not skilled with PHP language.
When i change, theme, then loose my extended functionality, like above.

Wonder CMS 2.5.1 is prone to session fixation attack.
1.The Session Fixation attack fixes a session on the victim's browser, so the attack starts before the user logs in.
2.An attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier.
3.The attacker can access to the user's account through the active session
4.When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID.
Let's see the session values before login

Session Values after Login:

Mitigation:
The application should always first invalidate the existing session ID before authenticating a user, and if the authentication is successful, provide another sessionID.

Hello
I found a vulnerability in wonder cms ,where i can report it?

Thanks

Hi Team,

I have found stored Cross-Site scripting on WonderCMS 2.4.0

In Index.php there is a function "uploadFileAction()"

It does not sanitize svg file and it is possible to execute a Cross-Site Scripting XSS attacks.

Already sent email to [email protected], and work with all modern browser. hope you can fix it asap.

When you fix the bug, please, can you include my name in the release notes when the bug will be corrected? Tanmay [email protected]

An implementation of permissions would be something cool, for instance, "editor" rank can create pages and edit pages but not access the security area of the admin panel or upload files/plugins and is unable to change the theme of the website.

This permissions system should be fairly easy to implement with PHP and i will perhaps attempt to implement this feature myself shortly. I think alongside this i will attempt to code and implement a basic blogging system which would in turn allow the user to not only run blogs on the CMS but also assign people to edit blog posts and pages, but not allow them full access to the sites functions.

• Thanks!

Screenshots:
Blog test i have made: http://prntscr.com/ia4sz5

When you change page visibility in GENERAL tab of settings window. User still can access this page via full known url. I recommend redirecting to 404 error page.

I had an old version of WonderCMS installed while testing the version 2.1.0, and was not prompted for an upgrade. I believe we need to use the Github API to accurately get the raw files rather than using raw.githubusercontent.com.

Here is a Stackoverflow article that makes me think this is so: https://stackoverflow.com/a/22314262

I don't know why it worked in the past and doesn't seem to be working now, but things change with APIs and file access pretty frequently with larger content hosting sites like Github, so maybe something changed recently?

I'll work on figuring the API out and get a pull request up to fix this as soon as I can.