Merge branch 'release/1.5.6'

fix redirect_trailing_slash in a multi language page

.gitignore

@@ -42,3 +42,4 @@ tests/_output/*
 tests/_support/_generated/*
 tests/cache/*
 tests/error.log
+/system/templates/testing

CHANGELOG.md

@@ -1,38 +1,103 @@
-# v1.5.0-rc.1
-## 07/31/2018
+# v1.5.6
+## 12/14/2018
 
-1. [](#new)
-    * Added twig filters for casting values: `|string`, `|int`, `|bool`, `|float`, `|array`
 1. [](#improved)
-    * Added `MediaTrait::clearMediaCache()` to allow cache to be cleared
-    * Added `MediaTrait::getMediaCache()` to allow custom caching
-1. [](#bugfix)
-    * Made `|markdown` filter HTML safe
+    * Updated InitializeProcessor.php to use lang-safe redirect [#2268](https://github.com/getgrav/grav/pull/2268)
+    * Improved user serialization to use less memory in the session
 
-# v1.5.0-beta.2
-## 07/13/2018
+# v1.5.5
+## 11/12/2018
 
 1. [](#new)
-    * Made `ObjectCollection::matching()` criteria expressions to behave more like in Twig
-    * Criteria: Added support for `LENGTH()`, `LOWER()`, `UPPER()`, `LTRIM()`, `RTRIM()` and `TRIM()`
+    * Register theme prefixes as namespaces in Twig [#2210](https://github.com/getgrav/grav/pull/2210)
+1. [](#improved)
+    * Propogate error code between 400 and 600 for production sites [#2181](https://github.com/getgrav/grav/pull/2181)
 1. [](#bugfix)
-    * Fixed regression in 1.5.0-beta.1 blueprint extend and embed
+    * Remove hardcoded `302` when redirecting trailing slash [#2155](https://github.com/getgrav/grav/pull/2155)
 
-# v1.5.0-beta.1
-## 06/19/2018
+# v1.5.4
+## 11/05/2018
+
+1. [](#improved)
+    * Updated default page `index.md` with some consistency fixes [#2245](https://github.com/getgrav/grav/pull/2245)
+1. [](#bugfix)
+    * Fixed fatal error if calling `$session->invalidate()` when there's no active session
+    * Fixed typo in media.yaml for `webm` extension [#2220](https://github.com/getgrav/grav/pull/2220)
+    * Fixed markdown processing for telephone links [#2235](https://github.com/getgrav/grav/pull/2235)
+
+# v1.5.3
+## 10/08/2018
+
+1. [](#new)
+    * Added `Utils::getMimeByFilename()`, `Utils::getMimeByLocalFile()` and `Utils::checkFilename()` methods
+    * Added configurable dangerous upload extensions in `security.yaml`
+1. [](#improved)
+    * Updated vendor libraries to latest
+
+# v1.5.2
+## 10/01/2018
+
+1. [](#new)
+    * Added new `Security` class for Grav security functionality including XSS checks
+    * Added new `bin/grav security` command to scan for security issues
+    * Added new `xss()` Twig function to allow for XSS checks on strings and arrays
+    * Added `onHttpPostFilter` event to allow plugins to globally clean up XSS in the forms and tasks
+    * Added `Deprecated` tab to DebugBar to catch future incompatibilities with later Grav versions
+    * Added deprecation notices for features which will be removed in Grav 2.0
+1. [](#improved)
+    * Updated vendor libraries to latest
+1. [](#bugfix)
+    * Allow `$page->slug()` to be called before `$page->init()` without breaking the page
+    * Fix for `Page::translatedLanguages()` to use routes always [#2163](https://github.com/getgrav/grav/issues/2163)
+    * Fixed `nicetime()` twig function
+    * Allow twig tags `{% script %}`, `{% style %}` and `{% switch %}` to be placed outside of blocks
+    * Session expires in 30 mins independent from config settings [login#178](https://github.com/getgrav/grav-plugin-login/issues/178)
+
+# v1.5.1
+## 08/23/2018
+
+1. [](#new)
+    * Added static `Grav\Common\Yaml` class which should be used instead of `Symfony\Component\Yaml\Yaml`
+1. [](#improved)
+    * Updated deprecated Twig code so it works in both in Twig 1.34+ and Twig 2.4+
+    * Switched to new Grav Yaml class to support Native + Fallback YAML libraries
+1. [](#bugfix)
+    * Broken handling of user folder in Grav URI object [#2151](https://github.com/getgrav/grav/issues/2151)
+
+# v1.5.0
+## 08/17/2018
 
 1. [](#new)
     * Set minimum requirements to [PHP 5.6.4](https://getgrav.org/blog/raising-php-requirements-2018)
     * Updated Doctrine Collections to 1.4
     * Updated Symfony Components to 3.4 (with compatibility mode to fall back to Symfony YAML 2.8)
+    * Added `Uri::method()` to get current HTTP method (GET/POST etc)
+    * `FormatterInterface`: Added `getSupportedFileExtensions()` and `getDefaultFileExtension()` methods
+    * Added option to disable `SimpleCache` key validation
+    * Added support for multiple repo locations for `bin/grav install` command
+    * Added twig filters for casting values: `|string`, `|int`, `|bool`, `|float`, `|array`
+    * Made `ObjectCollection::matching()` criteria expressions to behave more like in Twig
+    * Criteria: Added support for `LENGTH()`, `LOWER()`, `UPPER()`, `LTRIM()`, `RTRIM()` and `TRIM()`
     * Added `Grav\Framework\File\Formatter` classes for encoding/decoding YAML, Markdown, JSON, INI and PHP serialized strings
     * Added `Grav\Framework\Session` class to replace `RocketTheme\Toolbox\Session\Session`
-    * Added `Grav\Common\Media` interfaces and trait; use those in `Page` and `Media` classes 
+    * Added `Grav\Common\Media` interfaces and trait; use those in `Page` and `Media` classes
     * Added `Grav\Common\Page` interface to allow custom page types in the future
     * Added setting to disable sessions from the site [#2013](https://github.com/getgrav/grav/issues/2013)
+    * Added new `strict_mode` settings in `system.yaml` for compatibility
 1. [](#improved)
+    * Improved `Utils::url()` to support query strings
+    * Display better exception message if Grav fails to initialize
+    * Added `muted` and `playsinline` support to videos [#2124](https://github.com/getgrav/grav/pull/2124)
+    * Added `MediaTrait::clearMediaCache()` to allow cache to be cleared
+    * Added `MediaTrait::getMediaCache()` to allow custom caching
     * Improved session handling, allow all session configuration options in `system.session.options`
 1. [](#bugfix)
+    * Fix broken form nonce logic [#2121](https://github.com/getgrav/grav/pull/2121)
+    * Fixed issue with uppercase extensions and fallback media URLs [#2133](https://github.com/getgrav/grav/issues/2133)
+    * Fixed theme inheritance issue with `camel-case` that includes numbers [#2134](https://github.com/getgrav/grav/issues/2134)
+    * Typo in demo typography page [#2136](https://github.com/getgrav/grav/pull/2136)
+    * Fix for incorrect plugin order in debugger panel
+    * Made `|markdown` filter HTML safe
     * Fixed bug in `ContentBlock` serialization
     * Fixed `Route::withQueryParam()` to accept array values
     * Fixed typo in truncate function [#1943](https://github.com/getgrav/grav/issues/1943)
@@ -56,7 +121,7 @@
 1. [](#bugfix)
     * Fix for modular page preview [#2066](https://github.com/getgrav/grav/issues/2066)
     * `Page::routeCanonical()` should be string not array [#2069](https://github.com/getgrav/grav/issues/2069)
-    
+
 # v1.4.6
 ## 06/20/2018
 
@@ -82,7 +147,7 @@
     * Fixed an issue with some users getting **2FA** prompt after upgrade [admin#1442](https://github.com/getgrav/grav-plugin-admin/issues/1442)
     * Do not crash when generating URLs with arrays as parameters [#2018](https://github.com/getgrav/grav/pull/2018)
     * Utils::truncateHTML removes whitespace when generating summaries [#2004](https://github.com/getgrav/grav/pull/2004)
-    
+
 # v1.4.4
 ## 05/11/2018
 
@@ -91,8 +156,8 @@
     * Added a new `Medium:thumbnailExists()` function [#1966](https://github.com/getgrav/grav/issues/1966)
     * Added `authorized` support for 2FA
 1. [](#improved)
-    * Added default configuration for images [#1979](https://github.com/getgrav/grav/pull/1979)  
-    * Added dedicated PHPUnit assertions [#1990](https://github.com/getgrav/grav/pull/1990)  
+    * Added default configuration for images [#1979](https://github.com/getgrav/grav/pull/1979)
+    * Added dedicated PHPUnit assertions [#1990](https://github.com/getgrav/grav/pull/1990)
 1. [](#bugfix)
     * Use `array_key_exists` instead of `in_array + array_keys` [#1991](https://github.com/getgrav/grav/pull/1991)
     * Fixed an issue with `custom_base_url` always causing 404 errors
@@ -118,13 +183,13 @@
     * Added new `|nicefilesize` Twig filter for pretty file (auto converts to bytes, kB, MB, GB, etc)
     * Added new `regex_filter()` Twig function to values in arrays
 1. [](#improved)
-    * Added bosnian to lang codes [#1917](https://github.com/getgrav/grav/issues/1917) 
-    * Improved Zip extraction error codes [#1922](https://github.com/getgrav/grav/issues/1922)  
+    * Added bosnian to lang codes [#1917](https://github.com/getgrav/grav/issues/1917)
+    * Improved Zip extraction error codes [#1922](https://github.com/getgrav/grav/issues/1922)
 1. [](#bugfix)
     * Fixed an issue with Markdown Video and Audio that broke after Parsedown 1.7.0 Security updates [#1924](https://github.com/getgrav/grav/issues/1924)
     * Fix for case-sensitive page metadata [admin#1370](https://github.com/getgrav/grav-plugin-admin/issues/1370)
     * Fixed missing composer requirements for the new `Grav\Framework\Uri` classes
-    * Added missing PSR-7 vendor library required for URI additions in Grav 1.4.0 
+    * Added missing PSR-7 vendor library required for URI additions in Grav 1.4.0
 
 # v1.4.1
 ## 03/11/2018

README.md

@@ -1,6 +1,6 @@
 # ![](https://avatars1.githubusercontent.com/u/8237355?v=2&s=50) Grav
 
-[![SensioLabsInsight](https://insight.sensiolabs.com/projects/cfd20465-d0f8-4a0a-8444-467f5b5f16ad/mini.png)](https://insight.sensiolabs.com/projects/cfd20465-d0f8-4a0a-8444-467f5b5f16ad) [![Slack](https://grav-chat.now.sh/badge.svg)](https://chat.getgrav.org) [![Build Status](https://travis-ci.org/getgrav/grav.svg?branch=develop)](https://travis-ci.org/getgrav/grav) [![OpenCollective](https://opencollective.com/grav/backers/badge.svg)](#backers) [![OpenCollective](https://opencollective.com/grav/sponsors/badge.svg)](#sponsors)
+[![SensioLabsInsight](https://insight.sensiolabs.com/projects/cfd20465-d0f8-4a0a-8444-467f5b5f16ad/mini.png)](https://insight.sensiolabs.com/projects/cfd20465-d0f8-4a0a-8444-467f5b5f16ad) [![Discord](https://img.shields.io/discord/501836936584101899.svg?logo=discord&colorB=728ADA&label=Discord%20Chat)](https://chat.getgrav.org) [![Build Status](https://travis-ci.org/getgrav/grav.svg?branch=develop)](https://travis-ci.org/getgrav/grav) [![OpenCollective](https://opencollective.com/grav/backers/badge.svg)](#backers) [![OpenCollective](https://opencollective.com/grav/sponsors/badge.svg)](#sponsors)
 
 Grav is a **Fast**, **Simple**, and **Flexible**, file-based Web-platform.  There is **Zero** installation required.  Just extract the ZIP archive, and you are already up and running.  It follows similar principles to other flat-file CMS platforms, but has a different design philosophy than most. Grav comes with a powerful **Package Management System** to allow for simple installation and upgrading of plugins and themes, as well as simple updating of Grav itself.
 
@@ -94,7 +94,7 @@ If you discover a possible security issue related to Grav or one of its plugins,
 * [Install](https://learn.getgrav.org/basics/installation) Grav in few seconds
 * Understand the [Configuration](https://learn.getgrav.org/basics/grav-configuration)
 * Take a peek at our available free [Skeletons](https://getgrav.org/downloads/skeletons)
-* If you have questions, jump on our [Slack Room](https://getgrav.org/slack)!
+* If you have questions, jump on our [Discord Chat Server](https://chat.getgrav.org)!
 * Have fun!
 
 # Exploring More
@@ -107,71 +107,12 @@ If you discover a possible security issue related to Grav or one of its plugins,
 # Backers
 Support Grav with a monthly donation to help us continue development. [[Become a backer](https://opencollective.com/grav#backer)]
 
-<a href="https://opencollective.com/grav/backer/0/website" target="_blank"><img src="https://opencollective.com/grav/backer/0/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/1/website" target="_blank"><img src="https://opencollective.com/grav/backer/1/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/2/website" target="_blank"><img src="https://opencollective.com/grav/backer/2/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/3/website" target="_blank"><img src="https://opencollective.com/grav/backer/3/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/4/website" target="_blank"><img src="https://opencollective.com/grav/backer/4/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/5/website" target="_blank"><img src="https://opencollective.com/grav/backer/5/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/6/website" target="_blank"><img src="https://opencollective.com/grav/backer/6/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/7/website" target="_blank"><img src="https://opencollective.com/grav/backer/7/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/8/website" target="_blank"><img src="https://opencollective.com/grav/backer/8/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/9/website" target="_blank"><img src="https://opencollective.com/grav/backer/9/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/10/website" target="_blank"><img src="https://opencollective.com/grav/backer/10/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/11/website" target="_blank"><img src="https://opencollective.com/grav/backer/11/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/12/website" target="_blank"><img src="https://opencollective.com/grav/backer/12/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/13/website" target="_blank"><img src="https://opencollective.com/grav/backer/13/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/14/website" target="_blank"><img src="https://opencollective.com/grav/backer/14/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/15/website" target="_blank"><img src="https://opencollective.com/grav/backer/15/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/16/website" target="_blank"><img src="https://opencollective.com/grav/backer/16/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/17/website" target="_blank"><img src="https://opencollective.com/grav/backer/17/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/18/website" target="_blank"><img src="https://opencollective.com/grav/backer/18/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/19/website" target="_blank"><img src="https://opencollective.com/grav/backer/19/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/20/website" target="_blank"><img src="https://opencollective.com/grav/backer/20/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/21/website" target="_blank"><img src="https://opencollective.com/grav/backer/21/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/22/website" target="_blank"><img src="https://opencollective.com/grav/backer/22/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/23/website" target="_blank"><img src="https://opencollective.com/grav/backer/23/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/24/website" target="_blank"><img src="https://opencollective.com/grav/backer/24/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/25/website" target="_blank"><img src="https://opencollective.com/grav/backer/25/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/26/website" target="_blank"><img src="https://opencollective.com/grav/backer/26/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/27/website" target="_blank"><img src="https://opencollective.com/grav/backer/27/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/28/website" target="_blank"><img src="https://opencollective.com/grav/backer/28/avatar.svg"></a>
-<a href="https://opencollective.com/grav/backer/29/website" target="_blank"><img src="https://opencollective.com/grav/backer/29/avatar.svg"></a>
-
+<img src="https://opencollective.com/grav/tiers/backers.svg?avatarHeight=36&width=600" />
 
 # Sponsors
 Become a sponsor and get your logo on our README on Github with a link to your site. [[Become a sponsor](https://opencollective.com/grav#sponsor)]
 
-<a href="https://opencollective.com/grav/sponsor/0/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/0/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/1/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/1/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/2/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/2/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/3/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/3/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/4/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/4/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/5/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/5/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/6/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/6/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/7/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/7/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/8/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/8/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/9/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/9/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/10/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/10/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/11/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/11/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/12/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/12/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/13/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/13/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/14/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/14/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/15/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/15/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/16/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/16/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/17/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/17/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/18/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/18/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/19/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/19/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/20/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/20/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/21/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/21/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/22/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/22/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/23/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/23/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/24/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/24/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/25/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/25/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/26/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/26/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/27/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/27/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/28/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/28/avatar.svg"></a>
-<a href="https://opencollective.com/grav/sponsor/29/website" target="_blank"><img src="https://opencollective.com/grav/sponsor/29/avatar.svg"></a>
+<img src="https://opencollective.com/grav/tiers/sponsors.svg?avatarHeight=36&width=600" />
 
 # License
 
@@ -183,7 +124,7 @@ See [LICENSE](LICENSE.txt)
 
 # Running Tests
 
-First install the dev dependencies by running `composer update` from the Grav root.  
-Then `composer test` will run the Unit Tests, which should be always executed successfully on any site.  
-Windows users should use the `composer test-windows` command.  
+First install the dev dependencies by running `composer update` from the Grav root.
+Then `composer test` will run the Unit Tests, which should be always executed successfully on any site.
+Windows users should use the `composer test-windows` command.
 You can also run a single unit test file, e.g. `composer test tests/unit/Grav/Common/AssetsTest.php`

bin/grav

@@ -41,5 +41,6 @@ $app->addCommands(array(
     new \Grav\Console\Cli\ClearCacheCommand(),
     new \Grav\Console\Cli\BackupCommand(),
     new \Grav\Console\Cli\NewProjectCommand(),
+    new \Grav\Console\Cli\SecurityCommand(),
 ));
 $app->run();

composer.json

@@ -32,6 +32,7 @@
         "ext-openssl": "*",
         "ext-curl": "*",
         "ext-zip": "*",
+        "ext-json": "*",
         "league/climate": "^3.2",
         "antoligy/dom-string-iterators": "^1.0",
         "miljar/php-exif": "^0.6.3",

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "ec4860b0ab68318d0e4550d58b5c12b3",
+    "content-hash": "544658e69ae737e742e014c6c674cc70",
     "packages": [
         {
             "name": "antoligy/dom-string-iterators",
@@ -52,16 +52,16 @@
         },
         {
             "name": "composer/ca-bundle",
-            "version": "1.1.1",
+            "version": "1.1.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/composer/ca-bundle.git",
-                "reference": "d2c0a83b7533d6912e8d516756ebd34f893e9169"
+                "reference": "46afded9720f40b9dc63542af4e3e43a1177acb0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/composer/ca-bundle/zipball/d2c0a83b7533d6912e8d516756ebd34f893e9169",
-                "reference": "d2c0a83b7533d6912e8d516756ebd34f893e9169",
+                "url": "https://api.github.com/repos/composer/ca-bundle/zipball/46afded9720f40b9dc63542af4e3e43a1177acb0",
+                "reference": "46afded9720f40b9dc63542af4e3e43a1177acb0",
                 "shasum": ""
             },
             "require": {
@@ -104,7 +104,7 @@
                 "ssl",
                 "tls"
             ],
-            "time": "2018-03-29T19:57:20+00:00"
+            "time": "2018-08-08T08:57:40+00:00"
         },
         {
             "name": "doctrine/cache",
@@ -385,16 +385,16 @@
         },
         {
             "name": "filp/whoops",
-            "version": "2.2.0",
+            "version": "2.2.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/filp/whoops.git",
-                "reference": "181c4502d8f34db7aed7bfe88d4f87875b8e947a"
+                "reference": "e79cd403fb77fc8963a99ecc30e80ddd885b3311"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/filp/whoops/zipball/181c4502d8f34db7aed7bfe88d4f87875b8e947a",
-                "reference": "181c4502d8f34db7aed7bfe88d4f87875b8e947a",
+                "url": "https://api.github.com/repos/filp/whoops/zipball/e79cd403fb77fc8963a99ecc30e80ddd885b3311",
+                "reference": "e79cd403fb77fc8963a99ecc30e80ddd885b3311",
                 "shasum": ""
             },
             "require": {
@@ -413,7 +413,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "2.1-dev"
+                    "dev-master": "2.2-dev"
                 }
             },
             "autoload": {
@@ -442,7 +442,7 @@
                 "throwable",
                 "whoops"
             ],
-            "time": "2018-03-03T17:56:25+00:00"
+            "time": "2018-06-30T13:14:06+00:00"
         },
         {
             "name": "gregwar/cache",
@@ -1214,16 +1214,16 @@
         },
         {
             "name": "rockettheme/toolbox",
-            "version": "1.4.1",
+            "version": "1.4.2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/rockettheme/toolbox.git",
-                "reference": "af25ff99af4b31a8ec897826a010985e23111a2e"
+                "reference": "93f5c3d5e173cee7419df20eed52711471abbc3e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/rockettheme/toolbox/zipball/af25ff99af4b31a8ec897826a010985e23111a2e",
-                "reference": "af25ff99af4b31a8ec897826a010985e23111a2e",
+                "url": "https://api.github.com/repos/rockettheme/toolbox/zipball/93f5c3d5e173cee7419df20eed52711471abbc3e",
+                "reference": "93f5c3d5e173cee7419df20eed52711471abbc3e",
                 "shasum": ""
             },
             "require": {
@@ -1259,7 +1259,7 @@
                 "php",
                 "rockettheme"
             ],
-            "time": "2018-06-20T18:26:39+00:00"
+            "time": "2018-08-08T18:03:32+00:00"
         },
         {
             "name": "seld/cli-prompt",
@@ -1311,16 +1311,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "e54f84c50e3b12972e7750edfc5ca84b2284c44e"
+                "reference": "3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/e54f84c50e3b12972e7750edfc5ca84b2284c44e",
-                "reference": "e54f84c50e3b12972e7750edfc5ca84b2284c44e",
+                "url": "https://api.github.com/repos/symfony/console/zipball/3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b",
+                "reference": "3b2b415d4c48fbefca7dc742aa0a0171bfae4e0b",
                 "shasum": ""
             },
             "require": {
@@ -1376,20 +1376,20 @@
             ],
             "description": "Symfony Console Component",
             "homepage": "https://symfony.com",
-            "time": "2018-07-10T14:02:11+00:00"
+            "time": "2018-10-02T16:33:53+00:00"
         },
         {
             "name": "symfony/debug",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/debug.git",
-                "reference": "0e3ca9cbde90fffec8038f4d4e16fd4046bbd018"
+                "reference": "0a612e9dfbd2ccce03eb174365f31ecdca930ff6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/debug/zipball/0e3ca9cbde90fffec8038f4d4e16fd4046bbd018",
-                "reference": "0e3ca9cbde90fffec8038f4d4e16fd4046bbd018",
+                "url": "https://api.github.com/repos/symfony/debug/zipball/0a612e9dfbd2ccce03eb174365f31ecdca930ff6",
+                "reference": "0a612e9dfbd2ccce03eb174365f31ecdca930ff6",
                 "shasum": ""
             },
             "require": {
@@ -1432,20 +1432,20 @@
             ],
             "description": "Symfony Debug Component",
             "homepage": "https://symfony.com",
-            "time": "2018-06-26T08:45:54+00:00"
+            "time": "2018-10-02T16:33:53+00:00"
         },
         {
             "name": "symfony/event-dispatcher",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/event-dispatcher.git",
-                "reference": "fdd5abcebd1061ec647089c6c41a07ed60af09f8"
+                "reference": "b2e1f19280c09a42dc64c0b72b80fe44dd6e88fb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/fdd5abcebd1061ec647089c6c41a07ed60af09f8",
-                "reference": "fdd5abcebd1061ec647089c6c41a07ed60af09f8",
+                "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/b2e1f19280c09a42dc64c0b72b80fe44dd6e88fb",
+                "reference": "b2e1f19280c09a42dc64c0b72b80fe44dd6e88fb",
                 "shasum": ""
             },
             "require": {
@@ -1495,29 +1495,32 @@
             ],
             "description": "Symfony EventDispatcher Component",
             "homepage": "https://symfony.com",
-            "time": "2018-04-06T07:35:25+00:00"
+            "time": "2018-07-26T09:06:28+00:00"
         },
         {
             "name": "symfony/polyfill-ctype",
-            "version": "v1.8.0",
+            "version": "v1.9.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-ctype.git",
-                "reference": "7cc359f1b7b80fc25ed7796be7d96adc9b354bae"
+                "reference": "e3d826245268269cd66f8326bd8bc066687b4a19"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/7cc359f1b7b80fc25ed7796be7d96adc9b354bae",
-                "reference": "7cc359f1b7b80fc25ed7796be7d96adc9b354bae",
+                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/e3d826245268269cd66f8326bd8bc066687b4a19",
+                "reference": "e3d826245268269cd66f8326bd8bc066687b4a19",
                 "shasum": ""
             },
             "require": {
                 "php": ">=5.3.3"
             },
+            "suggest": {
+                "ext-ctype": "For best performance"
+            },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.8-dev"
+                    "dev-master": "1.9-dev"
                 }
             },
             "autoload": {
@@ -1550,20 +1553,20 @@
                 "polyfill",
                 "portable"
             ],
-            "time": "2018-04-30T19:57:29+00:00"
+            "time": "2018-08-06T14:22:27+00:00"
         },
         {
             "name": "symfony/polyfill-iconv",
-            "version": "v1.8.0",
+            "version": "v1.9.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-iconv.git",
-                "reference": "7cb8436a814d5b0fcf292810ee26f8b0cb47584d"
+                "reference": "bcc0cd69185b8a5d8b4a5400c489ed3333bf9bb2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-iconv/zipball/7cb8436a814d5b0fcf292810ee26f8b0cb47584d",
-                "reference": "7cb8436a814d5b0fcf292810ee26f8b0cb47584d",
+                "url": "https://api.github.com/repos/symfony/polyfill-iconv/zipball/bcc0cd69185b8a5d8b4a5400c489ed3333bf9bb2",
+                "reference": "bcc0cd69185b8a5d8b4a5400c489ed3333bf9bb2",
                 "shasum": ""
             },
             "require": {
@@ -1575,7 +1578,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.8-dev"
+                    "dev-master": "1.9-dev"
                 }
             },
             "autoload": {
@@ -1609,20 +1612,20 @@
                 "portable",
                 "shim"
             ],
-            "time": "2018-04-26T10:06:28+00:00"
+            "time": "2018-08-06T14:22:27+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.8.0",
+            "version": "v1.9.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "3296adf6a6454a050679cde90f95350ad604b171"
+                "reference": "d0cd638f4634c16d8df4508e847f14e9e43168b8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/3296adf6a6454a050679cde90f95350ad604b171",
-                "reference": "3296adf6a6454a050679cde90f95350ad604b171",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/d0cd638f4634c16d8df4508e847f14e9e43168b8",
+                "reference": "d0cd638f4634c16d8df4508e847f14e9e43168b8",
                 "shasum": ""
             },
             "require": {
@@ -1634,7 +1637,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.8-dev"
+                    "dev-master": "1.9-dev"
                 }
             },
             "autoload": {
@@ -1668,20 +1671,20 @@
                 "portable",
                 "shim"
             ],
-            "time": "2018-04-26T10:06:28+00:00"
+            "time": "2018-08-06T14:22:27+00:00"
         },
         {
             "name": "symfony/var-dumper",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/var-dumper.git",
-                "reference": "c501f46bb1eaf4c8d65ba070ab65a1986da1cd7f"
+                "reference": "ff8ac19e97e5c7c3979236b584719a1190f84181"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/var-dumper/zipball/c501f46bb1eaf4c8d65ba070ab65a1986da1cd7f",
-                "reference": "c501f46bb1eaf4c8d65ba070ab65a1986da1cd7f",
+                "url": "https://api.github.com/repos/symfony/var-dumper/zipball/ff8ac19e97e5c7c3979236b584719a1190f84181",
+                "reference": "ff8ac19e97e5c7c3979236b584719a1190f84181",
                 "shasum": ""
             },
             "require": {
@@ -1737,20 +1740,20 @@
                 "debug",
                 "dump"
             ],
-            "time": "2018-07-09T08:21:26+00:00"
+            "time": "2018-10-02T16:33:53+00:00"
         },
         {
             "name": "symfony/yaml",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/yaml.git",
-                "reference": "c5010cc1692ce1fa328b1fb666961eb3d4a85bb0"
+                "reference": "640b6c27fed4066d64b64d5903a86043f4a4de7f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/yaml/zipball/c5010cc1692ce1fa328b1fb666961eb3d4a85bb0",
-                "reference": "c5010cc1692ce1fa328b1fb666961eb3d4a85bb0",
+                "url": "https://api.github.com/repos/symfony/yaml/zipball/640b6c27fed4066d64b64d5903a86043f4a4de7f",
+                "reference": "640b6c27fed4066d64b64d5903a86043f4a4de7f",
                 "shasum": ""
             },
             "require": {
@@ -1796,7 +1799,7 @@
             ],
             "description": "Symfony Yaml Component",
             "homepage": "https://symfony.com",
-            "time": "2018-05-03T23:18:14+00:00"
+            "time": "2018-10-02T16:33:53+00:00"
         },
         {
             "name": "twig/twig",
@@ -1927,22 +1930,23 @@
         },
         {
             "name": "codeception/codeception",
-            "version": "2.4.4",
+            "version": "2.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/Codeception/Codeception.git",
-                "reference": "2060fc1fe8ac2823ff3b8ece04616fc12aca968a"
+                "reference": "dee493561daf644134c95cf176fd2c25aff59ea9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/Codeception/Codeception/zipball/2060fc1fe8ac2823ff3b8ece04616fc12aca968a",
-                "reference": "2060fc1fe8ac2823ff3b8ece04616fc12aca968a",
+                "url": "https://api.github.com/repos/Codeception/Codeception/zipball/dee493561daf644134c95cf176fd2c25aff59ea9",
+                "reference": "dee493561daf644134c95cf176fd2c25aff59ea9",
                 "shasum": ""
             },
             "require": {
                 "behat/gherkin": "^4.4.0",
                 "codeception/phpunit-wrapper": "^6.0.9|^7.0.6",
                 "codeception/stub": "^2.0",
+                "ext-curl": "*",
                 "ext-json": "*",
                 "ext-mbstring": "*",
                 "facebook/webdriver": ">=1.1.3 <2.0",
@@ -1990,7 +1994,7 @@
             },
             "autoload": {
                 "psr-4": {
-                    "Codeception\\": "src\\Codeception",
+                    "Codeception\\": "src/Codeception",
                     "Codeception\\Extension\\": "ext"
                 }
             },
@@ -2014,7 +2018,7 @@
                 "functional testing",
                 "unit testing"
             ],
-            "time": "2018-07-16T08:14:50+00:00"
+            "time": "2018-09-24T09:33:01+00:00"
         },
         {
             "name": "codeception/phpunit-wrapper",
@@ -2520,16 +2524,16 @@
         },
         {
             "name": "phpspec/prophecy",
-            "version": "1.7.6",
+            "version": "1.8.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpspec/prophecy.git",
-                "reference": "33a7e3c4fda54e912ff6338c48823bd5c0f0b712"
+                "reference": "4ba436b55987b4bf311cb7c6ba82aa528aac0a06"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpspec/prophecy/zipball/33a7e3c4fda54e912ff6338c48823bd5c0f0b712",
-                "reference": "33a7e3c4fda54e912ff6338c48823bd5c0f0b712",
+                "url": "https://api.github.com/repos/phpspec/prophecy/zipball/4ba436b55987b4bf311cb7c6ba82aa528aac0a06",
+                "reference": "4ba436b55987b4bf311cb7c6ba82aa528aac0a06",
                 "shasum": ""
             },
             "require": {
@@ -2541,12 +2545,12 @@
             },
             "require-dev": {
                 "phpspec/phpspec": "^2.5|^3.2",
-                "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5"
+                "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.7.x-dev"
+                    "dev-master": "1.8.x-dev"
                 }
             },
             "autoload": {
@@ -2579,7 +2583,7 @@
                 "spy",
                 "stub"
             ],
-            "time": "2018-04-18T13:57:24+00:00"
+            "time": "2018-08-05T17:53:17+00:00"
         },
         {
             "name": "phpunit/php-code-coverage",
@@ -3331,16 +3335,16 @@
         },
         {
             "name": "symfony/browser-kit",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/browser-kit.git",
-                "reference": "840bb6f0d5b3701fd768b68adf7193c2d0f98f79"
+                "reference": "f6668d1a6182d5a8dec65a1c863a4c1d963816c0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/browser-kit/zipball/840bb6f0d5b3701fd768b68adf7193c2d0f98f79",
-                "reference": "840bb6f0d5b3701fd768b68adf7193c2d0f98f79",
+                "url": "https://api.github.com/repos/symfony/browser-kit/zipball/f6668d1a6182d5a8dec65a1c863a4c1d963816c0",
+                "reference": "f6668d1a6182d5a8dec65a1c863a4c1d963816c0",
                 "shasum": ""
             },
             "require": {
@@ -3384,20 +3388,20 @@
             ],
             "description": "Symfony BrowserKit Component",
             "homepage": "https://symfony.com",
-            "time": "2018-03-19T22:32:39+00:00"
+            "time": "2018-07-26T09:06:28+00:00"
         },
         {
             "name": "symfony/css-selector",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/css-selector.git",
-                "reference": "d2ce52290b648ae33b5301d09bc14ee378612914"
+                "reference": "3503415d4aafabc31cd08c3a4ebac7f43fde8feb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/css-selector/zipball/d2ce52290b648ae33b5301d09bc14ee378612914",
-                "reference": "d2ce52290b648ae33b5301d09bc14ee378612914",
+                "url": "https://api.github.com/repos/symfony/css-selector/zipball/3503415d4aafabc31cd08c3a4ebac7f43fde8feb",
+                "reference": "3503415d4aafabc31cd08c3a4ebac7f43fde8feb",
                 "shasum": ""
             },
             "require": {
@@ -3437,20 +3441,20 @@
             ],
             "description": "Symfony CssSelector Component",
             "homepage": "https://symfony.com",
-            "time": "2018-05-16T12:49:49+00:00"
+            "time": "2018-10-02T16:33:53+00:00"
         },
         {
             "name": "symfony/dom-crawler",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/dom-crawler.git",
-                "reference": "54c9e817b74c7be1840344bf4feaa7a7d02abfb8"
+                "reference": "c705bee03ade5b47c087807dd9ffaaec8dda2722"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/54c9e817b74c7be1840344bf4feaa7a7d02abfb8",
-                "reference": "54c9e817b74c7be1840344bf4feaa7a7d02abfb8",
+                "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/c705bee03ade5b47c087807dd9ffaaec8dda2722",
+                "reference": "c705bee03ade5b47c087807dd9ffaaec8dda2722",
                 "shasum": ""
             },
             "require": {
@@ -3494,20 +3498,20 @@
             ],
             "description": "Symfony DomCrawler Component",
             "homepage": "https://symfony.com",
-            "time": "2018-07-05T11:53:23+00:00"
+            "time": "2018-10-02T12:28:39+00:00"
         },
         {
             "name": "symfony/finder",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/finder.git",
-                "reference": "3a8c3de91d2b2c68cd2d665cf9d00f7ef9eaa394"
+                "reference": "54ba444dddc5bd5708a34bd095ea67c6eb54644d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/finder/zipball/3a8c3de91d2b2c68cd2d665cf9d00f7ef9eaa394",
-                "reference": "3a8c3de91d2b2c68cd2d665cf9d00f7ef9eaa394",
+                "url": "https://api.github.com/repos/symfony/finder/zipball/54ba444dddc5bd5708a34bd095ea67c6eb54644d",
+                "reference": "54ba444dddc5bd5708a34bd095ea67c6eb54644d",
                 "shasum": ""
             },
             "require": {
@@ -3543,20 +3547,20 @@
             ],
             "description": "Symfony Finder Component",
             "homepage": "https://symfony.com",
-            "time": "2018-06-19T20:52:10+00:00"
+            "time": "2018-10-03T08:46:40+00:00"
         },
         {
             "name": "symfony/process",
-            "version": "v3.4.13",
+            "version": "v3.4.17",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/process.git",
-                "reference": "f741672edfcfe3a2ea77569d419006f23281d909"
+                "reference": "1dc2977afa7d70f90f3fefbcd84152813558910e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/process/zipball/f741672edfcfe3a2ea77569d419006f23281d909",
-                "reference": "f741672edfcfe3a2ea77569d419006f23281d909",
+                "url": "https://api.github.com/repos/symfony/process/zipball/1dc2977afa7d70f90f3fefbcd84152813558910e",
+                "reference": "1dc2977afa7d70f90f3fefbcd84152813558910e",
                 "shasum": ""
             },
             "require": {
@@ -3592,7 +3596,7 @@
             ],
             "description": "Symfony Process Component",
             "homepage": "https://symfony.com",
-            "time": "2018-07-09T09:01:07+00:00"
+            "time": "2018-10-02T12:28:39+00:00"
         },
         {
             "name": "victorjonsson/markdowndocs",
@@ -3703,7 +3707,8 @@
         "ext-mbstring": "*",
         "ext-openssl": "*",
         "ext-curl": "*",
-        "ext-zip": "*"
+        "ext-zip": "*",
+        "ext-json": "*"
     },
     "platform-dev": [],
     "platform-overrides": {

index.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * @package    Grav.Core
  *
@@ -7,6 +8,7 @@
  */
 
 namespace Grav;
+
 define('GRAV_PHP_MIN', '5.6.4');
 
 // Ensure vendor libraries exist
@@ -15,7 +17,7 @@ if (!is_file($autoload)) {
     die("Please run: <i>bin/grav install</i>");
 }
 
-if (PHP_SAPI == 'cli-server') {
+if (PHP_SAPI === 'cli-server') {
     if (!isset($_SERVER['PHP_CLI_ROUTER'])) {
        die("PHP webserver requires a router to run Grav, please use: <pre>php -S {$_SERVER['SERVER_NAME']}:{$_SERVER['SERVER_PORT']} system/router.php</pre>");
     }
@@ -29,7 +31,7 @@ if (version_compare($ver = PHP_VERSION, $req = GRAV_PHP_MIN, '<')) {
 }
 
 // Register the auto-loader.
-$loader = require_once $autoload;
+$loader = require $autoload;
 
 // Set timezone to default, falls back to system if php.ini not set
 date_default_timezone_set(@date_default_timezone_get());

system/blueprints/config/security.yaml

@@ -0,0 +1,99 @@
+title: PLUGIN_ADMIN.SECURITY
+
+form:
+    validation: loose
+    fields:
+
+        xss_section:
+            type: section
+            title: PLUGIN_ADMIN.XSS_SECURITY
+            underline: true
+
+        xss_whitelist:
+            type: selectize
+            size: large
+            label: PLUGIN_ADMIN.XSS_WHITELIST_PERMISSIONS
+            help: PLUGIN_ADMIN.XSS_WHITELIST_PERMISSIONS_HELP
+            placeholder: 'admin.super'
+            classes: fancy
+            validate:
+                type: commalist
+
+        xss_enabled.on_events:
+            type: toggle
+            label: PLUGIN_ADMIN.XSS_ON_EVENTS
+            highlight: 1
+            options:
+                1: PLUGIN_ADMIN.YES
+                0: PLUGIN_ADMIN.NO
+            default: true
+            validate:
+                type: bool
+
+        xss_enabled.invalid_protocols:
+            type: toggle
+            label: PLUGIN_ADMIN.XSS_INVALID_PROTOCOLS
+            highlight: 1
+            options:
+                1: PLUGIN_ADMIN.YES
+                0: PLUGIN_ADMIN.NO
+            default: true
+            validate:
+                type: bool
+
+        xss_enabled.moz_binding:
+            type: toggle
+            label: PLUGIN_ADMIN.XSS_MOZ_BINDINGS
+            highlight: 1
+            options:
+                1: PLUGIN_ADMIN.YES
+                0: PLUGIN_ADMIN.NO
+            default: true
+            validate:
+                type: bool
+
+        xss_enabled.html_inline_styles:
+            type: toggle
+            label: PLUGIN_ADMIN.XSS_HTML_INLINE_STYLES
+            highlight: 1
+            options:
+                1: PLUGIN_ADMIN.YES
+                0: PLUGIN_ADMIN.NO
+            default: true
+            validate:
+                type: bool
+
+        xss_enabled.dangerous_tags:
+            type: toggle
+            label: PLUGIN_ADMIN.XSS_DANGEROUS_TAGS
+            highlight: 1
+            options:
+                1: PLUGIN_ADMIN.YES
+                0: PLUGIN_ADMIN.NO
+            default: true
+            validate:
+                type: bool
+
+        xss_dangerous_tags:
+            type: selectize
+            size: large
+            label: PLUGIN_ADMIN.XSS_DANGEROUS_TAGS_LIST
+            classes: fancy
+            validate:
+                type: commalist
+
+        uploads_section:
+            type: section
+            title: PLUGIN_ADMIN.UPLOADS_SECURITY
+            underline: true
+
+
+        uploads_dangerous_extensions:
+            type: selectize
+            size: large
+            label: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS
+            help: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS_HELP
+            classes: fancy
+            validate:
+                type: commalist
+

system/blueprints/config/system.yaml

@@ -1218,3 +1218,27 @@ form:
                     placeholder: "e.g. http://yoursite.com/yourpath"
                     label: PLUGIN_ADMIN.CUSTOM_BASE_URL
                     help: PLUGIN_ADMIN.CUSTOM_BASE_URL_HELP
+
+                strict_mode.yaml_compat:
+                    type: toggle
+                    label: PLUGIN_ADMIN.STRICT_YAML_COMPAT
+                    highlight: 1
+                    default: 1
+                    help: PLUGIN_ADMIN.STRICT_YAML_COMPAT_HELP
+                    options:
+                        1: PLUGIN_ADMIN.YES
+                        0: PLUGIN_ADMIN.NO
+                    validate:
+                        type: bool
+
+                strict_mode.twig_compat:
+                    type: toggle
+                    label: PLUGIN_ADMIN.STRICT_TWIG_COMPAT
+                    highlight: 1
+                    default: 1
+                    help: PLUGIN_ADMIN.STRICT_TWIG_COMPAT_HELP
+                    options:
+                        1: PLUGIN_ADMIN.YES
+                        0: PLUGIN_ADMIN.NO
+                    validate:
+                        type: bool

system/blueprints/pages/default.yaml

@@ -21,6 +21,9 @@ form:
           title: PLUGIN_ADMIN.CONTENT
 
           fields:
+            xss_check:
+              type: xss
+
             header.title:
               type: text
               autofocus: true

system/config/media.yaml

@@ -53,7 +53,7 @@ types:
     thumb: media/thumb-flv.png
     mime: video/x-flv
   webm:
-    type: file
+    type: video
     thumb: media/thumb-webm.png
     mime: video/webm
   ogv:

system/config/security.yaml

@@ -0,0 +1,31 @@
+xss_whitelist: [admin.super] # Whitelist of user access that should 'skip' XSS checking
+xss_enabled:
+    on_events: true
+    invalid_protocols: true
+    moz_binding: true
+    html_inline_styles: true
+    dangerous_tags: true
+xss_dangerous_tags:
+    - applet
+    - meta
+    - xml
+    - blink
+    - link
+    - style
+    - script
+    - embed
+    - object
+    - iframe
+    - frame
+    - frameset
+    - ilayer
+    - layer
+    - bgsound
+    - title
+    - base
+uploads_dangerous_extensions:
+    - php
+    - html
+    - htm
+    - js
+    - exe

system/defines.php

@@ -8,8 +8,8 @@
 
 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.5.0-rc.1');
-define('GRAV_TESTING', true);
+define('GRAV_VERSION', '1.5.6');
+define('GRAV_TESTING', false);
 define('DS', '/');
 
 if (!defined('GRAV_PHP_MIN')) {

system/languages/en.yaml

@@ -72,7 +72,6 @@ NICETIME:
     SEC: sec
     MIN: min
     HR: hr
-    DAY: day
     WK: wk
     MO: mo
     YR: yr
@@ -88,7 +87,6 @@ NICETIME:
     SEC_PLURAL: secs
     MIN_PLURAL: mins
     HR_PLURAL: hrs
-    DAY_PLURAL: days
     WK_PLURAL: wks
     MO_PLURAL: mos
     YR_PLURAL: yrs

system/languages/ja.yaml

@@ -30,7 +30,6 @@ NICETIME:
     SEC: 秒
     MIN: 分
     HR: 時
-    DAY: 日
     WK: 週
     MO: 月
     YR: 年
@@ -46,7 +45,6 @@ NICETIME:
     SEC_PLURAL: 秒
     MIN_PLURAL: 分
     HR_PLURAL: 時
-    DAY_PLURAL: 日
     WK_PLURAL: 週
     MO_PLURAL: 月
     YR_PLURAL: 年

system/src/Grav/Common/Config/Config.php

@@ -109,6 +109,8 @@ class Config extends Data
      */
     public function getLanguages()
     {
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use Grav::instance()[\'languages\'] instead', E_USER_DEPRECATED);
+
         return Grav::instance()['languages'];
     }
 }

system/src/Grav/Common/Config/Setup.php

@@ -262,18 +262,22 @@ class Setup extends Data
             );
         }
 
-        if (!$locator->findResource('environment://config', true)) {
-            // If environment does not have its own directory, remove it from the lookup.
-            $this->set('streams.schemes.environment.prefixes', ['config' => []]);
-            $this->initializeLocator($locator);
-        }
+        try {
+            if (!$locator->findResource('environment://config', true)) {
+                // If environment does not have its own directory, remove it from the lookup.
+                $this->set('streams.schemes.environment.prefixes', ['config' => []]);
+                $this->initializeLocator($locator);
+            }
 
-        // Create security.yaml if it doesn't exist.
-        $filename = $locator->findResource('config://security.yaml', true, true);
-        $file = YamlFile::instance($filename);
-        if (!$file->exists()) {
-            $file->save(['salt' => Utils::generateRandomString(14)]);
-            $file->free();
+            // Create security.yaml if it doesn't exist.
+            $filename = $locator->findResource('config://security.yaml', true, true);
+            $file = YamlFile::instance($filename);
+            if (!$file->exists()) {
+                $file->save(['salt' => Utils::generateRandomString(14)]);
+                $file->free();
+            }
+        } catch (\RuntimeException $e) {
+            throw new \RuntimeException(sprintf('Grav failed to initialize: %s', $e->getMessage()), 500, $e);
         }
     }
 }

system/src/Grav/Common/Data/Validation.php

@@ -10,8 +10,7 @@ namespace Grav\Common\Data;
 
 use Grav\Common\Grav;
 use Grav\Common\Utils;
-use Symfony\Component\Yaml\Exception\ParseException;
-use Symfony\Component\Yaml\Yaml;
+use Grav\Common\Yaml;
 use RocketTheme\Toolbox\Compat\Yaml\Yaml as FallbackYaml;
 
 class Validation
@@ -649,19 +648,8 @@ class Validation
             return $value;
         }
 
-        try {
-            return (array) Yaml::parse($value);
-        } catch (ParseException $e) {
-            // If YAML compatibility mode is set on, fall back to older YAML parser.
-            if (Grav::instance()['config']->get('system.strict_mode.yaml_compat', true)) {
-                try {
-                    return (array) FallbackYaml::parse($value);
-                } catch (ParseException $e2) {
-                }
-            }
+        return (array) Yaml::parse($value);
 
-            return $value;
-        }
     }
 
     /**

system/src/Grav/Common/Debugger.php

@@ -9,6 +9,7 @@
 namespace Grav\Common;
 
 use DebugBar\DataCollector\ConfigCollector;
+use DebugBar\DataCollector\MessagesCollector;
 use DebugBar\JavascriptRenderer;
 use DebugBar\StandardDebugBar;
 use Grav\Common\Config\Config;
@@ -31,6 +32,11 @@ class Debugger
 
     protected $timers = [];
 
+    /** @var string[] $deprecations */
+    protected $deprecations = [];
+
+    protected $errorHandler;
+
     /**
      * Debugger constructor.
      */
@@ -41,6 +47,9 @@ class Debugger
 
         $this->debugbar = new StandardDebugBar();
         $this->debugbar['time']->addMeasure('Loading', $this->debugbar['time']->getRequestStartTime(), microtime(true));
+
+        // Set deprecation collector.
+        $this->setErrorHandler();
     }
 
     /**
@@ -58,8 +67,14 @@ class Debugger
         $this->enabled = $this->config->get('system.debugger.enabled');
 
         if ($this->enabled()) {
+
+            $plugins_config = (array)$this->config->get('plugins');
+
+            ksort($plugins_config);
+
+
             $this->debugbar->addCollector(new ConfigCollector((array)$this->config->get('system'), 'Config'));
-            $this->debugbar->addCollector(new ConfigCollector((array)$this->config->get('plugins'), 'Plugins'));
+            $this->debugbar->addCollector(new ConfigCollector($plugins_config, 'Plugins'));
             $this->addMessage('Grav v' . GRAV_VERSION);
         }
 
@@ -122,9 +137,9 @@ class Debugger
         return $this;
     }
 
-    public function getCaller($ignore = 2)
+    public function getCaller($limit = 2)
     {
-        $trace = debug_backtrace(false, $ignore);
+        $trace = debug_backtrace(false, $limit);
 
         return array_pop($trace);
     }
@@ -171,6 +186,8 @@ class Debugger
                 return $this;
             }
 
+            $this->addDeprecations();
+
             echo $this->renderer->render();
         }
 
@@ -185,6 +202,7 @@ class Debugger
     public function sendDataInHeaders()
     {
         if ($this->enabled()) {
+            $this->addDeprecations();
             $this->debugbar->sendDataInHeaders();
         }
 
@@ -202,6 +220,7 @@ class Debugger
             return null;
         }
 
+        $this->addDeprecations();
         $this->timers = [];
 
         return $this->debugbar->getData();
@@ -273,4 +292,152 @@ class Debugger
 
         return $this;
     }
+
+    public function setErrorHandler()
+    {
+        $this->errorHandler = set_error_handler(
+            [$this, 'deprecatedErrorHandler']
+        );
+    }
+
+    /**
+     * @param int $errno
+     * @param string $errstr
+     * @param string $errfile
+     * @param int $errline
+     * @return bool
+     */
+    public function deprecatedErrorHandler($errno, $errstr, $errfile, $errline)
+    {
+        if ($errno !== E_USER_DEPRECATED) {
+            if ($this->errorHandler) {
+                return \call_user_func($this->errorHandler, $errno, $errstr, $errfile, $errline);
+            }
+
+            return true;
+        }
+
+        if (!$this->enabled()) {
+            return true;
+        }
+
+        $backtrace = debug_backtrace(false);
+
+        // Skip current call.
+        array_shift($backtrace);
+
+        // Skip vendor libraries and the method where error was triggered.
+        while ($current = array_shift($backtrace)) {
+            if (isset($current['file']) && strpos($current['file'], 'vendor') !== false) {
+                continue;
+            }
+            if (isset($current['function']) && ($current['function'] === 'user_error' || $current['function'] === 'trigger_error')) {
+                $current = array_shift($backtrace);
+            }
+
+            break;
+        }
+
+        // Add back last call.
+        array_unshift($backtrace, $current);
+
+        // Filter arguments.
+        foreach ($backtrace as &$current) {
+            if (isset($current['args'])) {
+                $args = [];
+                foreach ($current['args'] as $arg) {
+                    if (\is_string($arg)) {
+                        $args[] = "'" . $arg . "'";
+                    } elseif (\is_bool($arg)) {
+                        $args[] = $arg ? 'true' : 'false';
+                    } elseif (\is_scalar($arg)) {
+                        $args[] = $arg;
+                    } elseif (\is_object($arg)) {
+                        $args[] = get_class($arg) . ' $object';
+                    } elseif (\is_array($arg)) {
+                        $args[] = '$array';
+                    } else {
+                        $args[] = '$object';
+                    }
+                }
+                $current['args'] = $args;
+            }
+        }
+        unset($current);
+
+        $this->deprecations[] = [
+            'message' => $errstr,
+            'file' => $errfile,
+            'line' => $errline,
+            'trace' => $backtrace,
+        ];
+
+        // Do not pass forward.
+        return true;
+    }
+
+    protected function addDeprecations()
+    {
+        if (!$this->deprecations) {
+            return;
+        }
+
+        $collector = new MessagesCollector('deprecated');
+        $this->addCollector($collector);
+        $collector->addMessage('Your site is using following deprecated features:');
+
+        /** @var array $deprecated */
+        foreach ($this->deprecations as $deprecated) {
+            list($message, $scope) = $this->getDepracatedMessage($deprecated);
+
+            $collector->addMessage($message, $scope);
+        }
+    }
+
+    protected function getDepracatedMessage($deprecated)
+    {
+        $scope = 'unknown';
+        if (stripos($deprecated['message'], 'grav') !== false) {
+            $scope = 'grav';
+        } elseif (!isset($deprecated['file'])) {
+            $scope = 'unknown';
+        } elseif (stripos($deprecated['file'], 'twig') !== false) {
+            $scope = 'twig';
+        } elseif (stripos($deprecated['file'], 'yaml') !== false) {
+            $scope = 'yaml';
+        } elseif (stripos($deprecated['file'], 'vendor') !== false) {
+            $scope = 'vendor';
+        }
+
+        $trace = [];
+        foreach ($deprecated['trace'] as $current) {
+            $class = isset($current['class']) ? $current['class'] : '';
+            $type = isset($current['type']) ? $current['type'] : '';
+            $function = $this->getFunction($current);
+            if (isset($current['file'])) {
+                $current['file'] = str_replace(GRAV_ROOT . '/', '', $current['file']);
+            }
+
+            unset($current['class'], $current['type'], $current['function'], $current['args']);
+
+            $trace[] = ['call' => $class . $type . $function] + $current;
+        }
+
+        return [
+            [
+                'message' => $deprecated['message'],
+                'trace' => $trace
+            ],
+            $scope
+        ];
+    }
+
+    protected function getFunction($trace)
+    {
+        if (!isset($trace['function'])) {
+            return '';
+        }
+
+        return $trace['function'] . '(' . implode(', ', $trace['args']) . ')';
+    }
 }

system/src/Grav/Common/Errors/BareHandler.php

@@ -18,6 +18,13 @@ class BareHandler extends Handler
      */
     public function handle()
     {
+        $inspector = $this->getInspector();
+        $code = $inspector->getException()->getCode();
+        if ( ($code >= 400) && ($code < 600) )
+        {
+            $this->getRun()->sendHttpCode($code);    
+        }
+
         return Handler::QUIT;
     }
 

system/src/Grav/Common/Errors/Errors.php

@@ -74,5 +74,8 @@ class Errors
         }
 
         $whoops->register();
+
+        // Re-register deprecation handler.
+        $grav['debugger']->setErrorHandler();
     }
 }

system/src/Grav/Common/Errors/SimplePageHandler.php

@@ -35,6 +35,10 @@ class SimplePageHandler extends Handler
         $cssFile      = $this->getResource("error.css");
 
         $code = $inspector->getException()->getCode();
+        if ( ($code >= 400) && ($code < 600) )
+        {
+            $this->getRun()->sendHttpCode($code);    
+        }
         $message = $inspector->getException()->getMessage();
 
         if ($inspector->getException() instanceof \ErrorException) {

system/src/Grav/Common/File/CompiledFile.php

@@ -82,4 +82,28 @@ trait CompiledFile
 
         return parent::content($var);
     }
+
+    /**
+     * Serialize file.
+     */
+    public function __sleep()
+    {
+        return [
+            'filename',
+            'extension',
+            'raw',
+            'content',
+            'settings'
+        ];
+    }
+
+    /**
+     * Unserialize file.
+     */
+    public function __wakeup()
+    {
+        if (!isset(static::$instances[$this->filename])) {
+            static::$instances[$this->filename] = $this;
+        }
+    }
 }

system/src/Grav/Common/GPM/Licenses.php

@@ -114,7 +114,7 @@ class Licenses
 
     {
         if (!isset(self::$file)) {
-            $path = Grav::instance()['locator']->findResource('user://data') . '/licenses.yaml';;
+            $path = Grav::instance()['locator']->findResource('user://data') . '/licenses.yaml';
             if (!file_exists($path)) {
                 touch($path);
             }

system/src/Grav/Common/Grav.php

@@ -439,7 +439,7 @@ class Grav extends Container
         /** @var Config $config */
         $config = $this['config'];
 
-        $uri_extension = $uri->extension();
+        $uri_extension = strtolower($uri->extension());
         $fallback_types = $config->get('system.media.allowed_fallback_types', null);
         $supported_types = $config->get('media.types');
 

system/src/Grav/Common/GravTrait.php

@@ -9,7 +9,7 @@
 namespace Grav\Common;
 
 /**
- * @deprecated 2.0
+ * @deprecated 1.4 Use Grav::instance() instead
  */
 trait GravTrait
 {
@@ -24,8 +24,7 @@ trait GravTrait
             self::$grav = Grav::instance();
         }
 
-        $caller = self::$grav['debugger']->getCaller();
-        self::$grav['debugger']->addMessage("Deprecated GravTrait used in {$caller['file']}", 'deprecated');
+        user_error(__TRAIT__ . ' is deprecated since Grav 1.4, use Grav::instance() instead', E_USER_DEPRECATED);
 
         return self::$grav;
     }

system/src/Grav/Common/Helpers/Excerpts.php

@@ -117,7 +117,7 @@ class Excerpts
      */
     public static function processLinkExcerpt($excerpt, Page $page, $type = 'link')
     {
-        $url = htmlspecialchars_decode(urldecode($excerpt['element']['attributes']['href']));
+        $url = htmlspecialchars_decode(rawurldecode($excerpt['element']['attributes']['href']));
 
         $url_parts = static::parseUrl($url);
 

system/src/Grav/Common/Inflector.php

@@ -190,10 +190,11 @@ class Inflector
     public function hyphenize($word)
     {
         $regex1 = preg_replace('/([A-Z]+)([A-Z][a-z])/', '\1-\2', $word);
-        $regex2 = preg_replace('/([a-zd])([A-Z])/', '\1-\2', $regex1);
-        $regex3 = preg_replace('/[^A-Z^a-z^0-9]+/', '-', $regex2);
+        $regex2 = preg_replace('/([a-z])([A-Z])/', '\1-\2', $regex1);
+        $regex3 = preg_replace('/([0-9])([A-Z])/', '\1-\2', $regex2);
+        $regex4 = preg_replace('/[^A-Z^a-z^0-9]+/', '-', $regex3);
 
-        return strtolower($regex3);
+        return strtolower($regex4);
     }
 
     /**

system/src/Grav/Common/Language/Language.php

@@ -181,7 +181,7 @@ class Language
                 $uri = preg_replace("/\\" . $matches[1] . '/', '', $uri, 1);
 
                 // Store in session if language is different.
-                if (isset($this->grav['session']) && $this->grav['session']->started()
+                if (isset($this->grav['session']) && $this->grav['session']->isStarted()
                     && $this->config->get('system.languages.session_store_active', true)
                     && $this->grav['session']->active_language != $this->active
                 ) {
@@ -189,7 +189,7 @@ class Language
                 }
             } else {
                 // Try getting language from the session, else no active.
-                if (isset($this->grav['session']) && $this->grav['session']->started()
+                if (isset($this->grav['session']) && $this->grav['session']->isStarted()
                     && $this->config->get('system.languages.session_store_active', true)) {
                     $this->active = $this->grav['session']->active_language ?: null;
                 }

system/src/Grav/Common/Page/Media.php

@@ -9,11 +9,11 @@
 namespace Grav\Common\Page;
 
 use Grav\Common\Grav;
+use Grav\Common\Yaml;
 use Grav\Common\Page\Medium\AbstractMedia;
 use Grav\Common\Page\Medium\GlobalMedia;
 use Grav\Common\Page\Medium\MediumFactory;
 use RocketTheme\Toolbox\File\File;
-use Symfony\Component\Yaml\Yaml;
 
 class Media extends AbstractMedia
 {

system/src/Grav/Common/Page/Medium/VideoMedium.php

@@ -94,6 +94,40 @@ class VideoMedium extends Medium
         return $this;
     }
 
+    /**
+     * Allows to set the playsinline attribute
+     *
+     * @param bool $status
+     * @return $this
+     */
+    public function playsinline($status = false)
+    {
+        if($status) {
+            $this->attributes['playsinline'] = true;
+        } else {
+            unset($this->attributes['playsinline']);
+        }
+
+        return $this;
+    }
+
+    /**
+     * Allows to set the muted attribute
+     *
+     * @param bool $status
+     * @return $this
+     */
+    public function muted($status = false)
+    {
+        if($status) {
+            $this->attributes['muted'] = true;
+        } else {
+            unset($this->attributes['muted']);
+        }
+
+        return $this;
+    }
+
     /**
      * Reset medium.
      *

system/src/Grav/Common/Page/Page.php

@@ -15,7 +15,6 @@ use Grav\Common\Data\Blueprint;
 use Grav\Common\File\CompiledYamlFile;
 use Grav\Common\Filesystem\Folder;
 use Grav\Common\Grav;
-use Grav\Common\Language\Language;
 use Grav\Common\Markdown\Parsedown;
 use Grav\Common\Markdown\ParsedownExtra;
 use Grav\Common\Page\Interfaces\PageInterface;
@@ -23,10 +22,9 @@ use Grav\Common\Media\Traits\MediaTrait;
 use Grav\Common\Taxonomy;
 use Grav\Common\Uri;
 use Grav\Common\Utils;
+use Grav\Common\Yaml;
 use RocketTheme\Toolbox\Event\Event;
 use RocketTheme\Toolbox\File\MarkdownFile;
-use Symfony\Component\Yaml\Exception\ParseException;
-use Symfony\Component\Yaml\Yaml;
 
 define('PAGE_ORDER_PREFIX_REGEX', '/^[0-9]+\./u');
 
@@ -139,7 +137,7 @@ class Page implements PageInterface
         $this->metadata();
         $this->url();
         $this->visible();
-        $this->modularTwig($this->slug[0] === '_');
+        $this->modularTwig(strpos($this->slug(), '_') === 0);
         $this->setPublishState();
         $this->published();
         $this->urlExtension();
@@ -197,7 +195,7 @@ class Page implements PageInterface
 
                 $route = isset($aPage->header()->routes['default']) ? $aPage->header()->routes['default'] : $aPage->rawRoute();
                 if (!$route) {
-                    $route = $aPage->slug();
+                    $route = $aPage->route();
                 }
 
                 if ($onlyPublished && !$aPage->published()) {
@@ -766,6 +764,8 @@ class Page implements PageInterface
 
         // pages.markdown_extra is deprecated, but still check it...
         if (!isset($defaults['extra']) && (isset($this->markdown_extra) || $config->get('system.pages.markdown_extra') !== null)) {
+            user_error('Configuration option \'system.pages.markdown_extra\' is deprecated since Grav 1.5, use \'system.pages.markdown.extra\' instead', E_USER_DEPRECATED);
+
             $defaults['extra'] = $this->markdown_extra ?: $config->get('system.pages.markdown_extra');
         }
 
@@ -1584,7 +1584,7 @@ class Page implements PageInterface
         }
 
         if (empty($this->slug)) {
-            $this->slug = $this->adjustRouteCase(preg_replace(PAGE_ORDER_PREFIX_REGEX, '', $this->folder));
+            $this->slug = $this->adjustRouteCase(preg_replace(PAGE_ORDER_PREFIX_REGEX, '', $this->folder)) ?: null;
         }
 
 

system/src/Grav/Common/Processors/InitializeProcessor.php

@@ -47,7 +47,7 @@ class InitializeProcessor extends ProcessorBase implements ProcessorInterface
         // Redirect pages with trailing slash if configured to do so.
         $path = $uri->path() ?: '/';
         if ($path !== '/' && $config->get('system.pages.redirect_trailing_slash', false) && Utils::endsWith($path, '/')) {
-            $this->container->redirect(rtrim($path, '/'), 302);
+            $this->container->redirectLangSafe(rtrim($path, '/'));
         }
 
         $this->container->setLocale();

system/src/Grav/Common/Security.php

@@ -0,0 +1,158 @@
+<?php
+/**
+ * @package    Grav.Common
+ *
+ * @copyright  Copyright (C) 2015 - 2018 Trilby Media, LLC. All rights reserved.
+ * @license    MIT License; see LICENSE file for details.
+ */
+
+namespace Grav\Common;
+
+class Security
+{
+
+    public static function detectXssFromPages($pages, callable $status = null)
+    {
+        $routes = $pages->routes();
+
+        // Remove duplicate for homepage
+        unset($routes['/']);
+
+        $list = [];
+
+//        // This needs Symfony 4.1 to work
+//        $status && $status([
+//            'type' => 'count',
+//            'steps' => count($routes),
+//        ]);
+
+        foreach ($routes as $path) {
+
+            $status && $status([
+                'type' => 'progress',
+            ]);
+
+            try {
+                $page = $pages->get($path);
+
+                // call the content to load/cache it
+                $header = (array) $page->header();
+                $content = $page->value('content');
+
+                $data = ['header' => $header, 'content' => $content];
+                $results = Security::detectXssFromArray($data);
+
+                if (!empty($results)) {
+                    $list[$page->filePathClean()] = $results;
+                }
+
+            } catch (\Exception $e) {
+                continue;
+            }
+        }
+
+        return $list;
+    }
+
+    /**
+     * @param array $array      Array such as $_POST or $_GET
+     * @param string $prefix    Prefix for returned values.
+     * @return array            Returns flatten list of potentially dangerous input values, such as 'data.content'.
+     */
+    public static function detectXssFromArray(array $array, $prefix = '')
+    {
+        $list = [];
+
+        foreach ($array as $key => $value) {
+            if (\is_array($value)) {
+                $list[] = static::detectXssFromArray($value, $prefix . $key . '.');
+            }
+            if ($result = static::detectXss($value)) {
+                $list[] = [$prefix . $key => $result];
+            }
+        }
+
+        if (!empty($list)) {
+            return array_merge(...$list);
+        }
+
+        return $list;
+    }
+
+    /**
+     * Determine if string potentially has a XSS attack. This simple function does not catch all XSS and it is likely to
+     * return false positives because of it tags all potentially dangerous HTML tags and attributes without looking into
+     * their content.
+     *
+     * @param string $string The string to run XSS detection logic on
+     * @return boolean|string       Type of XSS vector if the given `$string` may contain XSS, false otherwise.
+     *
+     * Copies the code from: https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php#L138
+     */
+    public static function detectXss($string)
+    {
+        // Skip any null or non string values
+        if (null === $string || !\is_string($string) || empty($string)) {
+            return false;
+        }
+
+        // Keep a copy of the original string before cleaning up
+        $orig = $string;
+
+        // URL decode
+        $string = urldecode($string);
+
+        // Convert Hexadecimals
+        $string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', function($m) {
+            return \chr(hexdec($m[2]));
+        }, $string);
+
+        // Clean up entities
+        $string = preg_replace('!(&#0+[0-9]+)!u','$1;', $string);
+
+        // Decode entities
+        $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+
+        // Strip whitespace characters
+        $string = preg_replace('!\s!u','', $string);
+
+        $config = Grav::instance()['config'];
+
+        $dangerous_tags = $config->get('security.xss_dangerous_tags');
+        $dangerous_tags = array_map('preg_quote', array_map("trim", $dangerous_tags));
+
+        $enabled_rules = $config->get('security.xss_enabled');
+
+        // Set the patterns we'll test against
+        $patterns = [
+            // Match any attribute starting with "on" or xmlns
+            'on_events' => '#(<[^>]+[[a-z\x00-\x20\"\'\/])(\son|\sxmlns)[a-z].*=>?#iUu',
+
+            // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
+            'invalid_protocols' => '#((java|live|vb)script|mocha|feed|data):.*?#iUu',
+
+            // Match -moz-bindings
+            'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
+
+            // Match style attributes
+            'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
+
+            // Match potentially dangerous tags
+            'dangerous_tags' => '#</*(' . implode('|', $dangerous_tags ) . ')[^>]*>?#ui'
+        ];
+
+
+        // Iterate over rules and return label if fail
+        foreach ((array) $patterns as $name => $regex) {
+            if ($enabled_rules[$name] === true) {
+
+                if (preg_match($regex, $string) || preg_match($regex, $orig)) {
+                    return $name;
+                }
+
+            }
+        }
+
+        return false;
+    }
+}

system/src/Grav/Common/Service/SessionServiceProvider.php

@@ -91,7 +91,7 @@ class SessionServiceProvider implements ServiceProviderInterface
 
         // Define session message service.
         $container['messages'] = function ($c) {
-            if (!isset($c['session']) || !$c['session']->started()) {
+            if (!isset($c['session']) || !$c['session']->isStarted()) {
                 /** @var Debugger $debugger */
                 $debugger = $c['debugger'];
                 $debugger->addMessage('Inactive session: session messages may disappear', 'warming');

system/src/Grav/Common/Session.php

@@ -15,10 +15,12 @@ class Session extends \Grav\Framework\Session\Session
 
     /**
      * @return \Grav\Framework\Session\Session
-     * @deprecated 1.5
+     * @deprecated 1.5 Use getInstance() method instead
      */
     public static function instance()
     {
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getInstance() method instead', E_USER_DEPRECATED);
+
         return static::getInstance();
     }
 
@@ -51,10 +53,12 @@ class Session extends \Grav\Framework\Session\Session
      * Returns attributes.
      *
      * @return array Attributes
-     * @deprecated 1.5
+     * @deprecated 1.5 Use getAll() method instead
      */
     public function all()
     {
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getAll() method instead', E_USER_DEPRECATED);
+
         return $this->getAll();
     }
 
@@ -62,10 +66,12 @@ class Session extends \Grav\Framework\Session\Session
      * Checks if the session was started.
      *
      * @return Boolean
-     * @deprecated 1.5
+     * @deprecated 1.5 Use isStarted() method instead
      */
     public function started()
     {
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use isStarted() method instead', E_USER_DEPRECATED);
+
         return $this->isStarted();
     }
 

system/src/Grav/Common/Twig/Node/TwigNodeScript.php

@@ -8,13 +8,13 @@
 
 namespace Grav\Common\Twig\Node;
 
-class TwigNodeScript extends \Twig_Node implements \Twig_NodeOutputInterface
+class TwigNodeScript extends \Twig_Node implements \Twig_NodeCaptureInterface
 {
     protected $tagName = 'script';
 
     /**
      * TwigNodeScript constructor.
-     * @param \Twig_NodeInterface|null $body
+     * @param \Twig_Node|null $body
      * @param \Twig_Node_Expression|null $file
      * @param \Twig_Node_Expression|null $group
      * @param \Twig_Node_Expression|null $priority
@@ -23,12 +23,12 @@ class TwigNodeScript extends \Twig_Node implements \Twig_NodeOutputInterface
      * @param string|null $tag
      */
     public function __construct(
-        \Twig_NodeInterface $body = null,
+        \Twig_Node $body = null,
         \Twig_Node_Expression $file = null,
         \Twig_Node_Expression $group = null,
         \Twig_Node_Expression $priority = null,
         \Twig_Node_Expression $attributes = null,
-        $lineno,
+        $lineno = 0,
         $tag = null
     )
     {

system/src/Grav/Common/Twig/Node/TwigNodeStyle.php

@@ -8,24 +8,24 @@
 
 namespace Grav\Common\Twig\Node;
 
-class TwigNodeStyle extends \Twig_Node implements \Twig_NodeOutputInterface
+class TwigNodeStyle extends \Twig_Node implements \Twig_NodeCaptureInterface
 {
     protected $tagName = 'style';
 
     /**
      * TwigNodeAssets constructor.
-     * @param \Twig_NodeInterface|null $body
+     * @param \Twig_Node|null $body
      * @param \Twig_Node_Expression|null $attributes
      * @param int $lineno
      * @param null $tag
      */
     public function __construct(
-        \Twig_NodeInterface $body = null,
+        \Twig_Node $body = null,
         \Twig_Node_Expression $file = null,
         \Twig_Node_Expression $group = null,
         \Twig_Node_Expression $priority = null,
         \Twig_Node_Expression $attributes = null,
-        $lineno,
+        $lineno = 0,
         $tag = null
     )
     {

system/src/Grav/Common/Twig/Node/TwigNodeSwitch.php

@@ -8,9 +8,15 @@
 
 namespace Grav\Common\Twig\Node;
 
-class TwigNodeSwitch extends \Twig_Node implements \Twig_NodeOutputInterface
+class TwigNodeSwitch extends \Twig_Node
 {
-    public function __construct(\Twig_NodeInterface $value, \Twig_NodeInterface $cases, \Twig_NodeInterface $default = null, $lineno, $tag = null)
+    public function __construct(
+        \Twig_Node $value,
+        \Twig_Node $cases,
+        \Twig_Node $default = null,
+        $lineno = 0,
+        $tag = null
+    )
     {
         parent::__construct(array('value' => $value, 'cases' => $cases, 'default' => $default), array(), $lineno, $tag);
     }

system/src/Grav/Common/Twig/Node/TwigNodeTryCatch.php

@@ -10,7 +10,12 @@ namespace Grav\Common\Twig\Node;
 
 class TwigNodeTryCatch extends \Twig_Node
 {
-    public function __construct(\Twig_NodeInterface $try, \Twig_NodeInterface $catch = null, $lineno, $tag = null)
+    public function __construct(
+        \Twig_Node $try,
+        \Twig_Node $catch = null,
+        $lineno = 0,
+        $tag = null
+    )
     {
         parent::__construct(array('try' => $try, 'catch' => $catch), array(), $lineno, $tag);
     }

system/src/Grav/Common/Twig/TokenParser/TwigTokenParserScript.php

@@ -27,7 +27,7 @@ class TwigTokenParserScript extends \Twig_TokenParser
      *
      * @param \Twig_Token $token A Twig_Token instance
      *
-     * @return \Twig_NodeInterface A Twig_NodeInterface instance
+     * @return \Twig_Node A Twig_Node instance
      */
     public function parse(\Twig_Token $token)
     {

system/src/Grav/Common/Twig/TokenParser/TwigTokenParserStyle.php

@@ -26,7 +26,7 @@ class TwigTokenParserStyle extends \Twig_TokenParser
      *
      * @param \Twig_Token $token A Twig_Token instance
      *
-     * @return \Twig_NodeInterface A Twig_NodeInterface instance
+     * @return \Twig_Node A Twig_Node instance
      */
     public function parse(\Twig_Token $token)
     {

system/src/Grav/Common/Twig/TokenParser/TwigTokenParserTryCatch.php

@@ -28,7 +28,7 @@ class TwigTokenParserTryCatch extends \Twig_TokenParser
      *
      * @param \Twig_Token $token A Twig_Token instance
      *
-     * @return \Twig_NodeInterface A Twig_NodeInterface instance
+     * @return \Twig_Node A Twig_Node instance
      */
     public function parse(\Twig_Token $token)
     {

system/src/Grav/Common/Twig/Twig.php

@@ -102,6 +102,28 @@ class Twig
 
             $this->loader = new \Twig_Loader_Filesystem($this->twig_paths);
 
+            // Register all other prefixes as namespaces in twig
+            foreach ($locator->getPaths('theme') as $prefix => $_) {
+                if ($prefix === '') {
+                    continue;
+                }
+
+                $twig_paths = [];
+
+                // handle language templates if available
+                if ($language->enabled()) {
+                    $lang_templates = $locator->findResource('theme://'.$prefix.'templates/' . ($active_language ? $active_language : $language->getDefault()));
+                    if ($lang_templates) {
+                        $twig_paths[] = $lang_templates;
+                    }
+                }
+
+                $twig_paths = array_merge($twig_paths, $locator->findResources('theme://'.$prefix.'templates'));
+
+                $namespace = trim($prefix, '/');
+                $this->loader->setPaths($twig_paths, $namespace);
+            }
+
             $this->grav->fireEvent('onTwigLoader');
 
             $this->loaderArray = new \Twig_Loader_Array([]);
@@ -115,9 +137,13 @@ class Twig
 
             if (!$config->get('system.strict_mode.twig_compat', true)) {
                 // Force autoescape on for all files if in strict mode.
-                $params['autoescape'] = true;
+                $params['autoescape'] = 'html';
             } elseif (!empty($this->autoescape)) {
-                $params['autoescape'] = $this->autoescape;
+                $params['autoescape'] = $this->autoescape ? 'html' : false;
+            }
+
+            if (empty($params['autoescape'])) {
+                user_error('Grav 2.0 will have Twig auto-escaping forced on (can be emulated by turning off \'system.strict_mode.twig_compat\' setting in your configuration)', E_USER_DEPRECATED);
             }
 
             $this->twig = new TwigEnvironment($loader_chain, $params);
@@ -125,10 +151,10 @@ class Twig
             if ($config->get('system.twig.undefined_functions')) {
                 $this->twig->registerUndefinedFunctionCallback(function ($name) {
                     if (function_exists($name)) {
-                        return new \Twig_Function_Function($name);
+                        return new \Twig_SimpleFunction($name, $name);
                     }
 
-                    return new \Twig_Function_Function(function () {
+                    return new \Twig_SimpleFunction($name, function () {
                     });
                 });
             }
@@ -136,10 +162,10 @@ class Twig
             if ($config->get('system.twig.undefined_filters')) {
                 $this->twig->registerUndefinedFilterCallback(function ($name) {
                     if (function_exists($name)) {
-                        return new \Twig_Filter_Function($name);
+                        return new \Twig_SimpleFilter($name, $name);
                     }
 
-                    return new \Twig_Filter_Function(function () {
+                    return new \Twig_SimpleFilter($name, function () {
                     });
                 });
             }
@@ -148,7 +174,7 @@ class Twig
 
             // set default date format if set in config
             if ($config->get('system.pages.dateformat.long')) {
-                $this->twig->getExtension('core')->setDateFormat($config->get('system.pages.dateformat.long'));
+                $this->twig->getExtension('Twig_Extension_Core')->setDateFormat($config->get('system.pages.dateformat.long'));
             }
             // enable the debug extension if required
             if ($config->get('system.twig.debug')) {
@@ -162,7 +188,7 @@ class Twig
             $pages = $this->grav['pages'];
 
             // Set some standard variables for twig
-            $this->twig_vars = $this->twig_vars + [
+            $this->twig_vars += [
                     'config'            => $config,
                     'system'            => $config->get('system'),
                     'theme'             => $config->get('theme'),
@@ -411,8 +437,14 @@ class Twig
      * Overrides the autoescape setting
      *
      * @param boolean $state
+     * @deprecated 1.5
      */
-    public function setAutoescape($state) {
+    public function setAutoescape($state)
+    {
+        if (!$state) {
+            user_error(__CLASS__ . '::' . __FUNCTION__ . '(false) is deprecated since Grav 1.5', E_USER_DEPRECATED);
+        }
+
         $this->autoescape = (bool) $state;
     }
 }

system/src/Grav/Common/Twig/TwigExtension.php

@@ -11,6 +11,7 @@ namespace Grav\Common\Twig;
 use Grav\Common\Grav;
 use Grav\Common\Page\Collection;
 use Grav\Common\Page\Media;
+use Grav\Common\Security;
 use Grav\Common\Twig\TokenParser\TwigTokenParserScript;
 use Grav\Common\Twig\TokenParser\TwigTokenParserStyle;
 use Grav\Common\Twig\TokenParser\TwigTokenParserSwitch;
@@ -18,11 +19,11 @@ use Grav\Common\Twig\TokenParser\TwigTokenParserTryCatch;
 use Grav\Common\Twig\TokenParser\TwigTokenParserMarkdown;
 use Grav\Common\User\User;
 use Grav\Common\Utils;
+use Grav\Common\Yaml;
 use Grav\Common\Markdown\Parsedown;
 use Grav\Common\Markdown\ParsedownExtra;
 use Grav\Common\Helpers\Base32;
 use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
-use Symfony\Component\Yaml\Yaml;
 
 class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsInterface
 {
@@ -105,9 +106,9 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
 
             // Casting values
             new \Twig_SimpleFilter('string', [$this, 'stringFilter']),
-            new \Twig_SimpleFilter('int', [$this, 'intFilter'], ['is_safe' => true]),
+            new \Twig_SimpleFilter('int', [$this, 'intFilter'], ['is_safe' => ['all']]),
             new \Twig_SimpleFilter('bool', [$this, 'boolFilter']),
-            new \Twig_SimpleFilter('float', [$this, 'floatFilter'], ['is_safe' => true]),
+            new \Twig_SimpleFilter('float', [$this, 'floatFilter'], ['is_safe' => ['all']]),
             new \Twig_SimpleFilter('array', [$this, 'arrayFilter']),
         ];
     }
@@ -155,7 +156,8 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
             new \Twig_SimpleFunction('read_file', [$this, 'readFileFunc']),
             new \Twig_SimpleFunction('nicenumber', [$this, 'niceNumberFunc']),
             new \Twig_SimpleFunction('nicefilesize', [$this, 'niceFilesizeFunc']),
-            new \Twig_SimpleFunction('nicetime', [$this, 'nicetimeFilter']),
+            new \Twig_SimpleFunction('nicetime', [$this, 'nicetimeFunc']),
+            new \Twig_SimpleFunction('xss', [$this, 'xssFunc']),
 
             // Translations
             new \Twig_simpleFunction('t', [$this, 'translate']),
@@ -530,6 +532,27 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
             return "$difference $periods[$j] {$tense}";
     }
 
+    /**
+     * Allow quick check of a string for XSS Vulnerabilities
+     *
+     * @param $string
+     * @return bool|string|array
+     */
+    public function xssFunc($data)
+    {
+        if (is_array($data)) {
+            $results = Security::detectXssFromArray($data);
+        } else {
+            return Security::detectXss($data);
+        }
+
+        $results_parts = array_map(function($value, $key) {
+            return $key.': \''.$value . '\'';
+        }, array_values($results), array_keys($results));
+
+         return implode(', ', $results_parts);
+    }
+
     /**
      * @param $string
      *
@@ -1297,11 +1320,12 @@ class TwigExtension extends \Twig_Extension implements \Twig_Extension_GlobalsIn
      * Dump/Encode data into YAML format
      *
      * @param $data
+     * @param $inline integer number of levels of inline syntax
      * @return mixed
      */
-    public function yamlEncodeFilter($data)
+    public function yamlEncodeFilter($data, $inline = 10)
     {
-        return Yaml::dump($data, 10);
+        return Yaml::dump($data, $inline);
     }
 
     /**

system/src/Grav/Common/Uri.php

@@ -15,6 +15,7 @@ use Grav\Common\Page\Pages;
 use Grav\Framework\Route\RouteFactory;
 use Grav\Framework\Uri\UriFactory;
 use Grav\Framework\Uri\UriPartsFilter;
+use RocketTheme\Toolbox\Event\Event;
 
 class Uri
 {
@@ -371,6 +372,17 @@ class Uri
         return $this->extension;
     }
 
+    public function method()
+    {
+        $method = isset($_SERVER['REQUEST_METHOD']) ? strtoupper($_SERVER['REQUEST_METHOD']) : 'GET';
+
+        if ($method === 'POST' && isset($_SERVER['X-HTTP-METHOD-OVERRIDE'])) {
+            $method = strtoupper($_SERVER['X-HTTP-METHOD-OVERRIDE']);
+        }
+
+        return $method;
+    }
+
     /**
      * Return the scheme of the URI
      *
@@ -620,10 +632,9 @@ class Uri
         }
 
         return $ip;
-
     }
-    /**
 
+    /**
      * Returns current Uri.
      *
      * @return \Grav\Framework\Uri\Uri
@@ -870,7 +881,26 @@ class Uri
     public static function parseUrl($url)
     {
         $grav = Grav::instance();
-        $parts = parse_url($url);
+
+        $encodedUrl = preg_replace_callback(
+            '%[^:/@?&=#]+%usD',
+            function ($matches) { return rawurlencode($matches[0]); },
+            $url
+        );
+
+        $parts = parse_url($encodedUrl);
+
+        if (false === $parts) {
+            return false;
+        }
+
+        foreach($parts as $name => $value) {
+            $parts[$name] = rawurldecode($value);
+        }
+
+        if (!isset($parts['path'])) {
+            $parts['path'] = '';
+        }
 
         list($stripped_path, $params) = static::extractParams($parts['path'], $grav['config']->get('system.param_sep'));
 
@@ -1255,6 +1285,9 @@ class Uri
             } elseif (!empty($_POST)) {
                 $this->post = (array)$_POST;
             }
+
+            $event = new Event(['post' => &$this->post]);
+            Grav::instance()->fireEvent('onHttpPostFilter', $event);
         }
 
         if ($this->post && null !== $element) {
@@ -1307,11 +1340,6 @@ class Uri
         $scriptPath = str_replace('\\', '/', $_SERVER['PHP_SELF']);
         $rootPath = str_replace(' ', '%20', rtrim(substr($scriptPath, 0, strpos($scriptPath, 'index.php')), '/'));
 
-        // check if userdir in the path and workaround PHP bug with PHP_SELF
-        if (strpos($this->uri, '/~') !== false && strpos($scriptPath, '/~') === false) {
-            $rootPath = substr($this->uri, 0, strpos($this->uri, '/', 1)) . $rootPath;
-        }
-
         return $rootPath;
     }
 

system/src/Grav/Common/User/User.php

@@ -266,6 +266,8 @@ class User extends Data
      */
     public function authorise($action)
     {
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use authorize() method instead', E_USER_DEPRECATED);
+
         return $this->authorize($action);
     }
 
@@ -284,4 +286,29 @@ class User extends Data
 
         return 'https://www.gravatar.com/avatar/' . md5($this->email);
     }
+
+    /**
+     * Serialize user.
+     */
+    public function __sleep()
+    {
+        return [
+            'items',
+            'storage'
+        ];
+    }
+
+    /**
+     * Unserialize user.
+     */
+    public function __wakeup()
+    {
+        $this->gettersVariable = 'items';
+        $this->nestedSeparator = '.';
+
+        if (null === $this->blueprints) {
+            $blueprints = new Blueprints;
+            $this->blueprints = $blueprints->get('user/account');
+        }
+    }
 }

system/src/Grav/Common/Utils.php

@@ -45,8 +45,20 @@ abstract class Utils
             /** @var UniformResourceLocator $locator */
             $locator = Grav::instance()['locator'];
 
-            // Get relative path to the resource (or false if not found).
-            $resource = $locator->findResource($input, false);
+            $parts = Uri::parseUrl($input);
+
+            if ($parts) {
+                $resource = $locator->findResource("{$parts['scheme']}://{$parts['host']}{$parts['path']}", false);
+
+                if (isset($parts['query'])) {
+                    $resource = $resource . '?' . $parts['query'];
+                }
+            } else {
+                // Not a valid URL (can still be a stream).
+                $resource = $locator->findResource($input, false);
+            }
+
+
         } else {
             $resource = $input;
         }
@@ -466,6 +478,51 @@ abstract class Utils
         return $default;
     }
 
+    /**
+     * Return the mimetype based on filename
+     *
+     * @param string $filename Filename or path to file
+     * @param string $default default value
+     *
+     * @return string
+     */
+    public static function getMimeByFilename($filename, $default = 'application/octet-stream')
+    {
+        return static::getMimeByExtension(pathinfo($filename, PATHINFO_EXTENSION), $default);
+    }
+
+    /**
+     * Return the mimetype based on existing local file
+     *
+     * @param string $filename Path to the file
+     *
+     * @return string|bool
+     */
+    public static function getMimeByLocalFile($filename, $default = 'application/octet-stream')
+    {
+        $type = false;
+
+        // For local files we can detect type by the file content.
+        if (!stream_is_local($filename) || !file_exists($filename)) {
+            return false;
+        }
+
+        // Prefer using finfo if it exists.
+        if (\extension_loaded('fileinfo')) {
+            $finfo = finfo_open(FILEINFO_SYMLINK | FILEINFO_MIME_TYPE);
+            $type = finfo_file($finfo, $filename);
+            finfo_close($finfo);
+        } else {
+            // Fall back to use getimagesize() if it is available (not recommended, but better than nothing)
+            $info = @getimagesize($filename);
+            if ($info) {
+                $type = $info['mime'];
+            }
+        }
+
+        return $type ?: static::getMimeByFilename($filename, $default);
+    }
+
     /**
      * Return the mimetype based on filename extension
      *
@@ -508,6 +565,33 @@ abstract class Utils
         return $default;
     }
 
+    /**
+     * Returns true if filename is considered safe.
+     *
+     * @param string $filename
+     * @return bool
+     */
+    public static function checkFilename($filename)
+    {
+        $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
+        array_walk($dangerous_extensions, function(&$val) {
+            $val = '.' . $val;
+        });
+
+        $extension = '.' . pathinfo($filename, PATHINFO_EXTENSION);
+
+        return !(
+            // Empty filenames are not allowed.
+            !$filename
+            // Filename should not contain horizontal/vertical tabs, newlines, nils or back/forward slashes.
+            || strtr($filename, "\t\v\n\r\0\\/", '_______') !== $filename
+            // Filename should not start or end with dot or space.
+            || trim($filename, '. ') !== $filename
+            // Filename should not contain .php in it.
+            || static::contains($extension, $dangerous_extensions)
+        );
+    }
+
     /**
      * Normalize path by processing relative `.` and `..` syntax and merging path
      *
@@ -684,6 +768,8 @@ abstract class Utils
      */
     public static function resolve(array $array, $path, $default = null)
     {
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getDotNotation() method instead', E_USER_DEPRECATED);
+
         return static::getDotNotation($array, $path, $default);
     }
 
@@ -705,11 +791,11 @@ abstract class Utils
      * with reverse proxy setups.
      *
      * @param string $action
-     * @param bool   $plusOneTick if true, generates the token for the next tick (the next 12 hours)
+     * @param bool   $previousTick if true, generates the token for the previous tick (the previous 12 hours)
      *
      * @return string the nonce string
      */
-    private static function generateNonceString($action, $plusOneTick = false)
+    private static function generateNonceString($action, $previousTick = false)
     {
         $username = '';
         if (isset(Grav::instance()['user'])) {
@@ -720,29 +806,8 @@ abstract class Utils
         $token = session_id();
         $i = self::nonceTick();
 
-        if ($plusOneTick) {
-            $i++;
-        }
-
-        return ($i . '|' . $action . '|' . $username . '|' . $token . '|' . Grav::instance()['config']->get('security.salt'));
-    }
-
-    //Added in version 1.0.8 to ensure that existing nonces are not broken.
-    private static function generateNonceStringOldStyle($action, $plusOneTick = false)
-    {
-        if (isset(Grav::instance()['user'])) {
-            $user = Grav::instance()['user'];
-            $username = $user->username;
-            if (isset($_SERVER['REMOTE_ADDR'])) {
-                $username .= $_SERVER['REMOTE_ADDR'];
-            }
-        } else {
-            $username = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
-        }
-        $token = session_id();
-        $i = self::nonceTick();
-        if ($plusOneTick) {
-            $i++;
+        if ($previousTick) {
+            $i--;
         }
 
         return ($i . '|' . $action . '|' . $username . '|' . $token . '|' . Grav::instance()['config']->get('security.salt'));
@@ -768,33 +833,20 @@ abstract class Utils
      * action is the same for 12 hours.
      *
      * @param string $action      the action the nonce is tied to (e.g. save-user-admin or move-page-homepage)
-     * @param bool   $plusOneTick if true, generates the token for the next tick (the next 12 hours)
+     * @param bool   $previousTick if true, generates the token for the previous tick (the previous 12 hours)
      *
      * @return string the nonce
      */
-    public static function getNonce($action, $plusOneTick = false)
+    public static function getNonce($action, $previousTick = false)
     {
         // Don't regenerate this again if not needed
-        if (isset(static::$nonces[$action])) {
-            return static::$nonces[$action];
+        if (isset(static::$nonces[$action][$previousTick])) {
+            return static::$nonces[$action][$previousTick];
         }
-        $nonce = md5(self::generateNonceString($action, $plusOneTick));
-        static::$nonces[$action] = $nonce;
+        $nonce = md5(self::generateNonceString($action, $previousTick));
+        static::$nonces[$action][$previousTick] = $nonce;
 
-        return static::$nonces[$action];
-    }
-
-    //Added in version 1.0.8 to ensure that existing nonces are not broken.
-    public static function getNonceOldStyle($action, $plusOneTick = false)
-    {
-        // Don't regenerate this again if not needed
-        if (isset(static::$nonces[$action])) {
-            return static::$nonces[$action];
-        }
-        $nonce = md5(self::generateNonceStringOldStyle($action, $plusOneTick));
-        static::$nonces[$action] = $nonce;
-
-        return static::$nonces[$action];
+        return static::$nonces[$action][$previousTick];
     }
 
     /**
@@ -818,20 +870,8 @@ abstract class Utils
         }
 
         //Nonce generated 12-24 hours ago
-        $plusOneTick = true;
-        if ($nonce === self::getNonce($action, $plusOneTick)) {
-            return true;
-        }
-
-        //Added in version 1.0.8 to ensure that existing nonces are not broken.
-        //Nonce generated 0-12 hours ago
-        if ($nonce === self::getNonceOldStyle($action)) {
-            return true;
-        }
-
-        //Nonce generated 12-24 hours ago
-        $plusOneTick = true;
-        if ($nonce === self::getNonceOldStyle($action, $plusOneTick)) {
+        $previousTick = true;
+        if ($nonce === self::getNonce($action, $previousTick)) {
             return true;
         }
 

system/src/Grav/Common/Yaml.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * @package    Grav.Common
+ *
+ * @copyright  Copyright (C) 2015 - 2018 Trilby Media, LLC. All rights reserved.
+ * @license    MIT License; see LICENSE file for details.
+ */
+
+namespace Grav\Common;
+
+use Grav\Framework\File\Formatter\YamlFormatter;
+
+abstract class Yaml
+{
+    /** @var YamlFormatter */
+    private static $yaml;
+
+    public static function parse($data)
+    {
+        if (null === static::$yaml) {
+            static::init();
+        }
+
+        return static::$yaml->decode($data);
+    }
+
+    public static function dump($data, $inline = null, $indent = null)
+    {
+        if (null === static::$yaml) {
+            static::init();
+        }
+
+        return static::$yaml->encode($data, $inline, $indent);
+    }
+
+    private static function init()
+    {
+        $config = [
+            'inline' => 5,
+            'indent' => 2,
+            'native' => true,
+            'compat' => true
+        ];
+
+        static::$yaml = new YamlFormatter($config);
+    }
+}

system/src/Grav/Console/Cli/InstallCommand.php

@@ -77,11 +77,11 @@ class InstallCommand extends ConsoleCommand
         } else {
             $this->output->writeln('<red>ERROR</red> Missing .dependencies file in <cyan>user/</cyan> folder');
             if ($this->input->getArgument('destination')) {
-                $this->output->writeln('<yellow>HINT</yellow> <info>Are you trying to install a plugin or a theme? Make sure you use <cyan>bin/gpm install <something></cyan>, not <cyan>bin/grav install</cyan>. This command is only used to install Grav skeletons.');    
+                $this->output->writeln('<yellow>HINT</yellow> <info>Are you trying to install a plugin or a theme? Make sure you use <cyan>bin/gpm install <something></cyan>, not <cyan>bin/grav install</cyan>. This command is only used to install Grav skeletons.');
             } else {
-                $this->output->writeln('<yellow>HINT</yellow> <info>Are you trying to install Grav? Grav is already installed. You need to run this command only if you download a skeleton from GitHub directly.');    
+                $this->output->writeln('<yellow>HINT</yellow> <info>Are you trying to install Grav? Grav is already installed. You need to run this command only if you download a skeleton from GitHub directly.');
             }
-            
+
             return;
         }
 
@@ -156,10 +156,22 @@ class InstallCommand extends ConsoleCommand
 
         exec('cd ' . $this->destination);
         foreach ($this->config['links'] as $repo => $data) {
-            $from = $this->local_config[$data['scm'] . '_repos'] . $data['src'];
+            $repos = (array) $this->local_config[$data['scm'] . '_repos'];
+            $from = false;
             $to = $this->destination . $data['path'];
 
-            if (file_exists($from)) {
+            foreach ($repos as $repo) {
+                $path = $repo . $data['src'];
+                if (file_exists($path)) {
+                    $from = $path;
+                    continue;
+                }
+            }
+
+            if (!$from) {
+                $this->output->writeln('<red>source for ' . $data['src'] . ' does not exists, skipping...</red>');
+                $this->output->writeln('');
+            } else {
                 if (!file_exists($to)) {
                     symlink($from, $to);
                     $this->output->writeln('<green>SUCCESS</green> symlinked <magenta>' . $data['src'] . '</magenta> -> <cyan>' . $data['path'] . '</cyan>');
@@ -168,11 +180,7 @@ class InstallCommand extends ConsoleCommand
                     $this->output->writeln('<red>destination: ' . $to . ' already exists, skipping...</red>');
                     $this->output->writeln('');
                 }
-            } else {
-                $this->output->writeln('<red>source: ' . $from . ' does not exists, skipping...</red>');
-                $this->output->writeln('');
             }
-
         }
     }
 }

system/src/Grav/Console/Cli/SecurityCommand.php

@@ -0,0 +1,113 @@
+<?php
+/**
+ * @package    Grav.Console
+ *
+ * @copyright  Copyright (C) 2015 - 2018 Trilby Media, LLC. All rights reserved.
+ * @license    MIT License; see LICENSE file for details.
+ */
+
+namespace Grav\Console\Cli;
+
+use Grav\Common\Grav;
+use Grav\Common\Security;
+use Grav\Console\ConsoleCommand;
+use Symfony\Component\Console\Helper\ProgressBar;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+class SecurityCommand extends ConsoleCommand
+{
+    /** @var ProgressBar $progress */
+    protected $progress;
+
+    /**
+     *
+     */
+    protected function configure()
+    {
+        $this
+            ->setName("security")
+            ->setDescription("Capable of running various Security checks")
+            ->setHelp('The <info>security</info> runs various security checks on your Grav site');
+
+        $this->source = getcwd();
+    }
+
+    /**
+     * @return int|null|void
+     */
+    protected function serve()
+    {
+
+
+        /** @var Grav $grav */
+        $grav = Grav::instance();
+
+        $grav['uri']->init();
+        $grav['config']->init();
+        $grav['debugger']->enabled(false);
+        $grav['streams'];
+        $grav['plugins']->init();
+        $grav['themes']->init();
+
+
+        $grav['twig']->init();
+        $grav['pages']->init();
+
+        $this->progress = new ProgressBar($this->output, (count($grav['pages']->routes()) - 1));
+        $this->progress->setFormat('Scanning <cyan>%current%</cyan> pages [<green>%bar%</green>] <white>%percent:3s%%</white> %elapsed:6s%');
+        $this->progress->setBarWidth(100);
+
+        $io = new SymfonyStyle($this->input, $this->output);
+        $io->title('Grav Security Check');
+
+        $output = Security::detectXssFromPages($grav['pages'], [$this, 'outputProgress']);
+
+        $io->newline(2);
+
+        if (!empty($output)) {
+
+            $counter = 1;
+            foreach ($output as $route => $results) {
+
+                $results_parts = array_map(function($value, $key) {
+                    return $key.': \''.$value . '\'';
+                }, array_values($results), array_keys($results));
+
+                $io->writeln($counter++ .' - <cyan>' . $route . '</cyan> → <red>' . implode(', ', $results_parts) . '</red>');
+            }
+
+            $io->error('Security Scan complete: ' . count($output) . ' potential XSS issues found...');
+
+        } else {
+            $io->success('Security Scan complete: No issues found...');
+        }
+
+        $io->newline(1);
+
+    }
+
+    /**
+     * @param $args
+     */
+    public function outputProgress($args)
+    {
+        switch ($args['type']) {
+            case 'count':
+                $steps = $args['steps'];
+                $freq = intval($steps > 100 ? round($steps / 100) : $steps);
+                $this->progress->setMaxSteps($steps);
+                $this->progress->setRedrawFrequency($freq);
+                break;
+            case 'progress':
+                if (isset($args['complete']) && $args['complete']) {
+                    $this->progress->finish();
+                } else {
+                    $this->progress->advance();
+                }
+                break;
+        }
+    }
+
+}
+

system/src/Grav/Console/Gpm/InstallCommand.php

@@ -444,18 +444,21 @@ class InstallCommand extends ConsoleCommand
     {
         $matches = $this->getGitRegexMatches($package);
 
-        foreach ($this->local_config as $path) {
+        foreach ($this->local_config as $paths) {
             if (Utils::endsWith($matches[2], '.git')) {
                 $repo_dir = preg_replace('/\.git$/', '', $matches[2]);
             } else {
                 $repo_dir = $matches[2];
             }
-
-            $from = rtrim($path, '/') . '/' . $repo_dir;
-
-            if (file_exists($from)) {
-                return $from;
+            
+            $paths = (array) $paths;
+            foreach ($paths as $repo) {
+                $path = rtrim($repo, '/') . '/' . $repo_dir;
+                if (file_exists($path)) {
+                    return $path;
+                }
             }
+
         }
 
         return false;

system/src/Grav/Framework/Cache/CacheTrait.php

@@ -16,21 +16,18 @@ use Grav\Framework\Cache\Exception\InvalidArgumentException;
  */
 trait CacheTrait
 {
-    /**
-     * @var string
-     */
+    /** @var string */
     private $namespace = '';
 
-    /**
-     * @var int|null
-     */
+    /** @var int|null */
     private $defaultLifetime = null;
 
-    /**
-     * @var \stdClass
-     */
+    /** @var \stdClass */
     private $miss;
 
+    /** @var bool */
+    private $validation = true;
+
     /**
      * Always call from constructor.
      *
@@ -45,6 +42,14 @@ trait CacheTrait
         $this->miss = new \stdClass;
     }
 
+    /**
+     * @param $validation
+     */
+    public function setValidation($validation)
+    {
+        $this->validation = (bool) $validation;
+    }
+
     /**
      * @return string
      */
@@ -307,6 +312,10 @@ trait CacheTrait
      */
     protected function validateKeys($keys)
     {
+        if (!$this->validation) {
+            return;
+        }
+
         foreach ($keys as $key) {
             $this->validateKey($key);
         }

system/src/Grav/Framework/File/Formatter/FormatterInterface.php

@@ -11,11 +11,20 @@ namespace Grav\Framework\File\Formatter;
 interface FormatterInterface
 {
     /**
-     * Get file extension with dot.
+     * Get default file extension from current formatter (with dot).
      *
-     * @return string
+     * Default file extension is the first defined extension.
+     *
+     * @return string File extension (can be empty).
      */
-    public function getFileExtension();
+    public function getDefaultFileExtension();
+
+    /**
+     * Get file extensions supported by current formatter (with dot).
+     *
+     * @return string[]
+     */
+    public function getSupportedFileExtensions();
 
     /**
      * Encode data into a string.

system/src/Grav/Framework/File/Formatter/IniFormatter.php

@@ -25,11 +25,31 @@ class IniFormatter implements FormatterInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @deprecated 1.5 Use $formatter->getDefaultFileExtension() instead.
      */
     public function getFileExtension()
     {
-        return $this->config['file_extension'];
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getDefaultFileExtension() method instead', E_USER_DEPRECATED);
+
+        return $this->getDefaultFileExtension();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getDefaultFileExtension()
+    {
+        $extensions = $this->getSupportedFileExtensions();
+
+        return (string) reset($extensions);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getSupportedFileExtensions()
+    {
+        return (array) $this->config['file_extension'];
     }
 
     /**

system/src/Grav/Framework/File/Formatter/JsonFormatter.php

@@ -23,11 +23,31 @@ class JsonFormatter implements FormatterInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @deprecated 1.5 Use $formatter->getDefaultFileExtension() instead.
      */
     public function getFileExtension()
     {
-        return $this->config['file_extension'];
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getDefaultFileExtension() method instead', E_USER_DEPRECATED);
+
+        return $this->getDefaultFileExtension();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getDefaultFileExtension()
+    {
+        $extensions = $this->getSupportedFileExtensions();
+
+        return (string) reset($extensions);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getSupportedFileExtensions()
+    {
+        return (array) $this->config['file_extension'];
     }
 
     /**

system/src/Grav/Framework/File/Formatter/MarkdownFormatter.php

@@ -29,11 +29,31 @@ class MarkdownFormatter implements FormatterInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @deprecated 1.5 Use $formatter->getDefaultFileExtension() instead.
      */
     public function getFileExtension()
     {
-        return $this->config['file_extension'];
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getDefaultFileExtension() method instead', E_USER_DEPRECATED);
+
+        return $this->getDefaultFileExtension();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getDefaultFileExtension()
+    {
+        $extensions = $this->getSupportedFileExtensions();
+
+        return (string) reset($extensions);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getSupportedFileExtensions()
+    {
+        return (array) $this->config['file_extension'];
     }
 
     /**

system/src/Grav/Framework/File/Formatter/SerializeFormatter.php

@@ -25,11 +25,31 @@ class SerializeFormatter implements FormatterInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @deprecated 1.5 Use $formatter->getDefaultFileExtension() instead.
      */
     public function getFileExtension()
     {
-        return $this->config['file_extension'];
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getDefaultFileExtension() method instead', E_USER_DEPRECATED);
+
+        return $this->getDefaultFileExtension();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getDefaultFileExtension()
+    {
+        $extensions = $this->getSupportedFileExtensions();
+
+        return (string) reset($extensions);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getSupportedFileExtensions()
+    {
+        return (array) $this->config['file_extension'];
     }
 
     /**

system/src/Grav/Framework/File/Formatter/YamlFormatter.php

@@ -30,23 +30,43 @@ class YamlFormatter implements FormatterInterface
     }
 
     /**
-     * {@inheritdoc}
+     * @deprecated 1.5 Use $formatter->getDefaultFileExtension() instead.
      */
     public function getFileExtension()
     {
-        return $this->config['file_extension'];
+        user_error(__CLASS__ . '::' . __FUNCTION__ . '() is deprecated since Grav 1.5, use getDefaultFileExtension() method instead', E_USER_DEPRECATED);
+
+        return $this->getDefaultFileExtension();
     }
 
     /**
      * {@inheritdoc}
      */
-    public function encode($data)
+    public function getDefaultFileExtension()
+    {
+        $extensions = $this->getSupportedFileExtensions();
+
+        return (string) reset($extensions);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getSupportedFileExtensions()
+    {
+        return (array) $this->config['file_extension'];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encode($data, $inline = null, $indent = null)
     {
         try {
             return (string) YamlParser::dump(
                 $data,
-                $this->config['inline'],
-                $this->config['indent'],
+                $inline ? (int) $inline : $this->config['inline'],
+                $indent ? (int) $indent : $this->config['indent'],
                 YamlParser::DUMP_EXCEPTION_ON_INVALID_TYPE
             );
         } catch (DumpException $e) {

system/src/Grav/Framework/Object/Base/ObjectTrait.php

@@ -118,7 +118,7 @@ trait ObjectTrait
      */
     public function serialize()
     {
-        return serialize($this->jsonSerialize());
+        return serialize($this->doSerialize());
     }
 
     /**
@@ -134,6 +134,14 @@ trait ObjectTrait
         $this->doUnserialize($data);
     }
 
+    /**
+     * @return array
+     */
+    protected function doSerialize()
+    {
+        return $this->jsonSerialize();
+    }
+
     /**
      * @param array $serialized
      */

system/src/Grav/Framework/Session/Session.php

@@ -14,6 +14,8 @@ namespace Grav\Framework\Session;
  */
 class Session implements SessionInterface
 {
+    protected $options;
+
     /**
      * @var bool
      */
@@ -182,7 +184,10 @@ class Session implements SessionInterface
             unset($_COOKIE[session_name()]);
         }
 
-        $options = $readonly ? ['read_and_close' => '1'] : [];
+        $options = $this->options;
+        if ($readonly) {
+            $options['read_and_close'] = '1';
+        }
 
         $success = @session_start($options);
         if (!$success) {
@@ -224,8 +229,10 @@ class Session implements SessionInterface
             $params['httponly']
         );
 
-        session_unset();
-        session_destroy();
+        if ($this->isSessionStarted()) {
+            session_unset();
+            session_destroy();
+        }
 
         $this->started = false;
 
@@ -335,6 +342,7 @@ class Session implements SessionInterface
             $value = (string)$value;
         }
 
+        $this->options[$key] = $value;
         ini_set($key, $value);
     }
 }

tests/unit/Grav/Common/UtilsTest.php

@@ -109,16 +109,16 @@ class UtilsTest extends \Codeception\TestCase\Test
         $this->assertEquals('engli' . '...', Utils::truncate('english', 5, true, " ", "..."));
         $this->assertEquals('english', Utils::truncate('english'));
         $this->assertEquals('This is a string to truncate', Utils::truncate('This is a string to truncate'));
-        $this->assertEquals('This ', Utils::truncate('This is a string to truncate', 3, true));
-        $this->assertEquals('<input ', Utils::truncate('<input type="file" id="file" multiple />', 6, true));
+        $this->assertEquals('This' . '&hellip;', Utils::truncate('This is a string to truncate', 3, true));
+        $this->assertEquals('<input' . '&hellip;', Utils::truncate('<input type="file" id="file" multiple />', 6, true));
 
     }
 
     public function testSafeTruncate()
     {
-        $this->assertEquals('This ', Utils::safeTruncate('This is a string to truncate', 1));
-        $this->assertEquals('This ', Utils::safeTruncate('This is a string to truncate', 4));
-        $this->assertEquals('This is ', Utils::safeTruncate('This is a string to truncate', 5));
+        $this->assertEquals('This' . '&hellip;', Utils::safeTruncate('This is a string to truncate', 1));
+        $this->assertEquals('This' . '&hellip;', Utils::safeTruncate('This is a string to truncate', 4));
+        $this->assertEquals('This is' . '&hellip;', Utils::safeTruncate('This is a string to truncate', 5));
     }
 
     public function testTruncateHtml()

user/pages/01.home/default.md

@@ -26,7 +26,7 @@ To edit this page, simply navigate to the folder you installed **Grav** into, an
 
 Creating a new page is a simple affair in **Grav**.  Simply follow these simple steps:
 
-1. Navigate to your pages folder: `user/pages/` and create a new folder.  In this example, we will use [explicit default ordering](http://learn.getgrav.org/content/content-pages) and call the folder `03.mypage`.
+1. Navigate to your pages folder: `user/pages/` and create a new folder.  In this example, we will use [explicit default ordering](http://learn.getgrav.org/content/content-pages) and call the folder `02.mypage`.
 2. Launch your text editor and paste in the following sample code:
 
         ---
@@ -36,7 +36,7 @@ Creating a new page is a simple affair in **Grav**.  Simply follow these simple
 
         This is the body of **my new page** and I can easily use _Markdown_ syntax here.
 
-3. Save this file in the `user/pages/03.mypage/` folder as `default.md`. This will tell **Grav** to render the page using the **default** template.
+3. Save this file in the `user/pages/02.mypage/` folder as `default.md`. This will tell **Grav** to render the page using the **default** template.
 4. That is it! Reload your browser to see your new page in the menu.
 
 ! NOTE: The page will automatically show up in the Menu after the "Home" menu item. If you wish to change the name that shows up in the Menu, simple add: `menu: My Page` between the dashes in the page content. This is called the YAML front matter, and it is where you configure page-specific options.

user/pages/02.typography/default.md

@@ -53,7 +53,7 @@ _Italic_ `_Italic_`
 
 Text<sup>Superscripted</sup> `<sup>`
 
-Text<sub>Subscxripted</sub> `<sub>`
+Text<sub>Subscripted</sub> `<sub>`
 
 <u>Underlined</u> `<u>`
 

webserver-configs/nginx.conf

@@ -30,7 +30,7 @@ server {
     ## Begin - PHP
     location ~ \.php$ {
         # Choose either a socket or TCP/IP address
-        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
         # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
         # fastcgi_pass 127.0.0.1:9000;