Patching some bugfixes back to version 9.0:

 - We are no longer allowing .html files to be uploaded into the CMS.
 - You can no longer upload and attach SVGs to forum posts and replies.
 - Visitors can no longer upload SVGs to use as user avatars.
 - Added sanitisation for all SVGs that are uploaded, to protect against attackers
   embedding XSS attacks inside them.
 - The admin toolbar will now once again remember the tab you last clicked on if you
   reload the page.
 - Some tweaks and improvements to CRM integration in user forms.
 - Some tweaks and improvements to Mailchimp integration in user forms.
 - Added a warning on the diagnostics screen if the layouts cache directory is not
   writable. We'll now also send an email to the support address when a page cannot be
   displayed when this is missed.
 - Fixed a bug on the diagnostics screen, where the "directories" section was sometimes
   flagged with a warning, even when there was no warning.
 - Fixed a database error that could happen when trying to install Zenario using the
   installer.
 - Fixed a JavaScript error when trying to click on a translation in the "Translations of"
   panel in Organizer.

 - Fixed some bugs with tracking link click-throughs in newsletters.
 - Removed the "fullscreen: none" rule from our suggested .htaccess rules, as it was
   stopping the fullscreen plugin from working.
 - Fixed a bug where there was missed escaping when sending an etag from the server to
   the client.
 - Fixed a bug when using page caching, where the browser body class variable could be
   wrong when a page was served from the cache.
 - Fixed a bug where the preview in the skin editor would not update after making a 
   change.
 - Fixed a bug with admin permissions, where dependant admin permissions could be granted
   without also giving the permissions they depended on.
 - Fixed a bug where administrators with the "View user" permission could not see the 
   Users panel in Organizer if they didn't also have the "View administrator" permission.
 - Fixed a bug where an administrator could change the extension of a document by
   manipulating the inputs sent when editing its properties.
 - Fixed a bug where newer versions of the MySQL/Ubuntu command line tools would not work 
   with the backup tool in Zenario.

.htaccess

@@ -6,7 +6,7 @@ Options -Indexes
 
 <ifModule mod_headers.c>
 	Header setifempty Content-Security-Policy "default-src *; img-src * data:; script-src * 'unsafe-eval' 'unsafe-inline'; style-src * 'unsafe-inline'"
-	Header setifempty Feature-Policy "sync-xhr *; camera 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; speaker 'none';"
+	Header setifempty Feature-Policy "sync-xhr *; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; speaker 'none';"
 	Header setifempty Referrer-Policy strict-origin-when-cross-origin
 	Header setifempty X-Content-Type-Options nosniff
 	Header setifempty X-Frame-Options SAMEORIGIN

README.md

@@ -6,63 +6,71 @@
 What is Zenario?
 -------------------
 
-Zenario is a web-based **content management system** or CMS. It can be used for simple
-sites, with many "wysiwyg" features, but is really designed to run **extranet** sites,
-such as customer portals. It also has **multilingual** features built in from the core.
+Zenario is a web-based **content management system** (CMS). It can be used for simple
+sites, with many "wysiwyg" features for making regular web pages, news items, blogs and
+so on.
+
+It has powerful features for running **extranet** sites, such as customer portals,
+and online databases (e.g. of products, documents or vidoes). 
+
+It also has **multilingual** features built in from the core, so that a site can easily
+be set up to deliver content in in multiple languages.
 
 * Zenario's [Official website](https://zenar.io)
 
 What are the main features?
 ------------------------------
 
-* Free and **completely open source** code written in PHP
+* **Free, open source** code (BSD license) written in PHP
 
-* WYSIWYG tools for arranging page layouts and editing content
+* **WYSIWYG** tools for arranging page layouts and editing content
 
-* Version-controlled content, allowing pages to be previewed and a history to be stored
+* **Permissions system** for managing what administrators can do
+
+* **Page versioning system** allows pages to be created, previewed, and published, and a history 
+  to be stored
 
-* Intuitive tools for managing site navigation
+* **Drag and drop** tools for setting up and modifying site menu navigation
 
-* Support for blogs, news items, events, and other content types **(developers can
+* Support for documents, blogs, news items, events, and other content types, **(developers can
   create their own content types)**
 
-* Ability to create micro-sites
-
-* **Extranet** user and contact management; full set of user-side extranet features
-  (login, register etc.)
-
-* Powerful **Forms** feature, with which data can be captured and then emailed or
-  merged with a user's data
-
-* **Document management** through a familiar folder-like hierarchy, powerful tagging features
+* In-built **image optimisation** so that while full-size images are stored as JPG/PNG, client
+  is served with an optimised WebP image 
+
+* Includes the **Gridmaker** tool for creating responsive layout designs by drag and drop
 
-* Datasets, with which you can easily add fields to many types of data (Users/contacts,
-Documents, Countries etc.)
+* **Extranet** user and contact management; full set of extranet features (login, register etc.)
 
-* **Gridmaker** tool for creating responsive or fixed-width designs using a grid-based design
+* Powerful **Forms** feature, with which data can be captured and then emailed, merged with a 
+  contact's data, or sent to a CRM
 
-* Ability to re-brand administrator interface
+* Data schemas for Users/contacts, Locations, Documents can be modified (adding fields) using
+  Zenario's **Datasets** feature
 
-* Search-engine optimised URLs and other SEO assistance
-
+* Many in-built **search-engine optimisation** features, such as XML sitemap, friendly URLs and more
 
 
 Learn Zenario
 --------------------------------------
 
-* Read our [User Guides](https://zenar.io/user-guides) to learn the basic functions
-
-* Watch our [videos](https://www.youtube.com/channel/UCjzvrpRHM_sUBpZn08BiXmg/videos)
-  to see Zenario in action
+* Watch our [videos](https://zenar.io/video-tutorials) to learn how to use Zenario.
 
 * Access the [Zenario documentation area](https://zenar.io/documentation-area) to get
-  technical help on the workings of the CMS 
+  technical help if you are a designer, or want to write your own modules.
 
 * Can't find what you're looking for? Ask us in the [forum](https://zenar.io/forums).
 
+
+About this repository
+---------------------
+
+This repository contains the latest publicly available version of Zenario. It is a copy of our private repository, with the "bleeding edge" version removed. We're currently not able to accept Pull requests into this repository.
+
+
 Download Zenario
 ---------------------
-* You can download a packaged version of Zenario in either zip, gzip or 7zip format at
-  [zenar.io/download-zenario](https://zenar.io/download-zenario)
+You can download a packaged version of Zenario in zip, gzip or 7zip format at
+  [zenar.io/download-zenario](https://zenar.io/download-zenario).
 
 

README_INSTALL.md

@@ -1,99 +1,5 @@
 Installing Zenario CMS
 ======================
 
-System Requirements
--------------------
+Please see [https://zenar.io/how-to-install-zenario](https://zenar.io/how-to-install-zenario).
 
-To run Zenario you will need a web server/hosted account with the following:
-
-*   Apache Server version 2.4.7 or later
-*   PHP version 7.2 or later (PHP 7.4 preferred)
-*   MySQL version 5.7 or later
-*   The GD, libCurl, libJPEG and libPNG libraries, and multibyte support in PHP
-*   Apache mod_rewrite support for .htaccess files (optional but highly recommended)
-*   Linux server (ideally, but may also work on Windows).
-
-Zenario sites will work with all modern, standards-compliant web browsers, however this is
-dependent on how a designer writes CSS and frameworks for the site. If compatibility with
-yet older browsers is required, this should be possible with careful design.
-
-
-In administration mode, Zenario will run on at least the following browsers:
-
-*   Windows with Chrome (stable channel) or equivalent
-*   Windows with Firefox (release channel)
-*   Windows with Microsoft Edge (latest version)
-*   Mac OSX with Chrome (stable channel) or equivalent
-*   Mac OSX with Firefox (release update channel)
-*   Mac OSX with Safari (latest version)
-
-We test on all of the above platforms. Administration mode may be usable on other
-operating systems and browsers, but this is not tested.
-
-
-Place the files on your server
-------------------------------
-
-You should download the `.zip` file, unzip it on your local machine, and then use a FTP
-program to upload the files to your server.
-
-Alternatively, if you have ssh access it's faster to download the `.tar.gz` file,
-upload it to your server and then unpack it by running:
-
-    tar xfz zenario-probusiness-9.0.54149.tar.gz
-
-
-If you want to run Zenario in the root of a domain (e.g. http://example.com/), you
-should place the files into your server's web directory (sometimes called the public HTML
-directory or the document root) .
-
-If you want to run Zenario from a subdirectory (e.g. http://example.com/cms/), you should
-create a subdirectory with the correct name inside your server's web directory and place
-the files in there.
-
-
-Create directories and set permissions
---------------------------------------
-
-You will need to create two directories:
-
-*   A backup/ directory
-*   A docstore/ directory
-
-These should not be publicly accessible, so you should create them outside of your web
-directory. Zenario will need to write files and folders to these directories, so you need
-to make them writable, e.g. on a UNIX/Linux server:
-
-    chmod 777 backup/
-    chmod 777 docstore/
-
-
-There are three directories in the CMS that you need to make writable:
-
-*   The cache/ directory
-*   The private/ directory
-*   The public/ directory
-
-E.g. on a UNIX/Linux server:
-
-    chmod 777 cache/
-    chmod 777 private/
-    chmod 777 public/
-
-
-You can optionally make the `zenario_siteconfig.php` file writable for a smoother install
-process.
-
-
-Run the installer
------------------
-
-To run the installer you need to visit your site using a browser - e.g. by going to
-http://example.com, or http://example.com/cms/ if you are running from a subdirectory.
-
-The installer will then take you through the installation process, during which you will
-need to enter:
-
-*   A name, username and password to connect to a database
-*   A name and an email address to create your first administrator account.
-*   An initial language for your site (you can add more languages later).

package.json

@@ -25,5 +25,5 @@
 		"vimeo-upload": "*",
 		"wowjs": "*"
 	},
-	"version": "9.0.54156"
+	"version": "9.0.55141"
 }

zenario/admin/db_install/local-INSERT.sql

@@ -157,12 +157,11 @@ INSERT INTO `[[DB_PREFIX]]plugin_settings` VALUES
  (5,'text',9,'Praesent nec lectus lorem. Nulla facilisi. Nam imperdiet sed dui in viverra.','synchronized_setting','text',NULL,0,'','remove',NULL),
  (6,'html',0,'<h2>Welcome to your new Zenario site!</h2>
 <p>Congratulations, you have just installed your new Zenario site.</p>
-<p>You may add another page by clicking "Menu" on the Admin Toolbar, then clicking a yellow icon with the "star" symbol. When you do this, you can create an HTML web page content item and a menu node linking to it.</p>
-<p>Content items will be visible to administrators only until published. Click on the "Publish" button to make them visible to regular site visitors.</p>
-<p>You will also need to make your site visible to visitors by enabling it in Organizer, in the <a href="zenario/admin/organizer.php#zenario__administration/panels/site_settings//site_disabled">Configuration -&gt; Site settings</a> section.</p>
+<p>You may add another page by clicking "New..." on the Admin Toolbar, then selecting what kind of content to create. Initially you may just see HTML pages but you can enable more Content Types by going into Organizer, <a href="organizer.php?#zenario__modules/panels/modules~-zenario_ctype">then Modules, and search for Content Type modules</a>.</p>
+<p>Pages (called "content items" in Zenario) will be created as drafts and visible to administrators only. Click on the "Publish" button to make them visible to regular site visitors.</p>
 <p>You can get support and downloads at <a href="https://zenar.io" target="_blank" rel="noopener">https://zenar.io</a>.</p>
 <p>We hope you enjoy using Zenario.</p>','version_controlled_content','translatable_html',NULL,0,'','remove',NULL),
- (7,'image',0,12,'synchronized_setting','text','file',12,'','remove',NULL),
+(7,'image',0,12,'synchronized_setting','text','file',12,'','remove',NULL),
  (7,'image_source',0,'_CUSTOM_IMAGE','synchronized_setting','text',NULL,0,'','remove',NULL),
  (7,'title',0,'Just a nice image','synchronized_setting','translatable_text',NULL,0,'','remove',NULL),
  (7,'text',0,'<p>This is another <em>Banner</em> plugin (we use them a lot for calls-to-action).</p>','synchronized_setting','translatable_html',NULL,0,'','remove',NULL),

zenario/admin/db_updates/latest_revision_no.inc.php

@@ -27,7 +27,7 @@
  */
 if (!defined('NOT_ACCESSED_DIRECTLY')) exit('This file may not be directly accessed');
 
-define('LATEST_REVISION_NO', 53604);	//N.b. 9.1 starts at revision #53700
+define('LATEST_REVISION_NO', 53605);	//N.b. 9.1 starts at revision #53700
 define('LATEST_BIG_CHANGE_REVISION_NO', 53604);
 define('INSTALLER_REVISION_NO', 53100);
 define('INSTALLER_DEFAULT_THEME', 'blackdog');
@@ -38,6 +38,6 @@
 define('ZENARIO_MAJOR_VERSION', '9');
 define('ZENARIO_MINOR_VERSION', '0');
 define('ZENARIO_IS_BUILD', true);
-define('ZENARIO_REVISION', '54156');
+define('ZENARIO_REVISION', '55141');
 
 define('TINYMCE_DIR', 'zenario/libs/manually_maintained/lgpl/tinymce_4_7_3/');

zenario/admin/db_updates/step_2_update_the_database_schema/content_tables.inc.php

@@ -1379,4 +1379,12 @@
 _sql
 
 
+//Remove any "HTML" files from the allowed file types table
+);	ze\dbAdm::revision( 53605
+, <<<_sql
+	DELETE FROM `[[DB_PREFIX]]document_types`
+	WHERE `type` IN ('htm', 'html', 'htt', 'mhtml', 'stm', 'xhtml')
+_sql
+
+
 );

zenario/admin/db_updates/step_3_populate_certain_tables/document_types.inc.php

@@ -97,9 +97,6 @@
 		('hqx', 'application/mac-binhex40', 0),
 		('hta', 'application/hta', 0),
 		('htc', 'text/x-component', 0),
-		('htm', 'text/html', 0),
-		('html', 'text/html', 0),
-		('htt', 'text/webviewhtml', 0),
 		('ico', 'image/x-icon', 0),
 		('ief', 'image/ief', 0),
 		('iii', 'application/x-iphone', 0),
@@ -124,7 +121,6 @@
 		('mdb', 'application/x-msaccess', 0),
 		('me', 'application/x-troff-me', 0),
 		('mht', 'message/rfc822', 0),
-		('mhtml', 'message/rfc822', 0),
 		('mid', 'audio/mid', 0),
 		('midi', 'audio/mid', 0),
 		('mny', 'application/x-msmoney', 0),
@@ -206,7 +202,6 @@
 		('src', 'application/x-wais-source', 0),
 		('sst', 'application/vnd.ms-pkicertstore', 0),
 		('stl', 'application/vnd.ms-pkistl', 0),
-		('stm', 'text/html', 0),
 		('sv4cpio', 'application/x-sv4cpio', 0),
 		('sv4crc', 'application/x-sv4crc', 0),
 		('svg', 'image/svg+xml', 0),
@@ -242,7 +237,6 @@
 		('wrz', 'x-world/x-vrml', 0),
 		('xaf', 'x-world/x-vrml', 0),
 		('xbm', 'image/x-xbitmap', 0),
-		('xhtml', 'application/xhtml+xml', 0),
 		('xla', 'application/vnd.ms-excel', 0),
 		('xlam', 'application/vnd.ms-excel.addin.macroEnabled.12', 0),
 		('xlc', 'application/vnd.ms-excel', 0),

zenario/admin/db_updates/step_4_migrate_the_data/content_tables.inc.php

@@ -761,31 +761,9 @@
 }
 //For Maximum Content File Size settings we need to update value from bytes to MB
 if (ze\dbAdm::needRevision(52220)) {
+	$filesizevalue = ze::setting('content_max_filesize', false);
+	$filesizeUnit = ze::setting('content_max_filesize_unit', false);
 
-	$filesizevalueArr = ze\row::get('site_settings', ['value','default_value'], ['name' => "content_max_filesize"]);
-	$filesizeUnit = ze\row::get('site_settings', 'value', ['name' => "content_max_filesize_unit"]);
-	$unitInsert = false;
-	if(isset($filesizevalueArr['value']) && $filesizevalueArr['value']){
-		if(!$filesizeUnit){
-			if  (ze\row::exists('site_settings', ['name' => "content_max_filesize_unit"])) {
-				$unitInsert = false;
-			} else {
-				$unitInsert = true;
-			}
-		} else {
-			$unitInsert = false;
-		}
-		$filesizevalue = $filesizevalueArr['value'];
-	}
-	else{
-		if (isset($filesizevalueArr['default_value']) && $filesizevalueArr['default_value']) {
-
-			$filesizevalue = $filesizevalueArr['default_value'];
-			$unitInsert = true;
-
-		}
-
-	}
 	if ($filesizevalue && !$filesizeUnit) {
 
 		if ($filesizevalue < 1000000) {
@@ -797,21 +775,15 @@
 			$fileValue = $convertArray[0];
 			$fileUnit = $convertArray[1];
 		}
-		if ($fileValue) {
-			ze\row::update('site_settings', ['value' => round($fileValue)], ['name' => "content_max_filesize"]);
-		}
-		if ($fileUnit) {
-			if($unitInsert){
-				ze\row::insert(
-								'site_settings',
-								['name' => 'content_max_filesize_unit', 'default_value' => 'MB', 'encrypted' => 0, 'secret' => 0, 'protect_from_database_restore' => 0,'value' => $fileUnit]	
-								);
-			}
-			else{
-				ze\row::update('site_settings', ['value' => $fileUnit], ['name' => "content_max_filesize_unit"]);
-			}
-		}
+
+		ze\site::setSetting('content_max_filesize', $filesizevalue);
+		ze\site::setSetting('content_max_filesize_unit', $filesizeUnit);
+
+	} elseif (!$filesizevalue) {
+		ze\site::setSetting('content_max_filesize', 20);
+		ze\site::setSetting('content_max_filesize_unit', 'MB');
 	}
+
 	ze\dbAdm::revision(52220);
 }
 

zenario/admin/grid_maker/ajax.php

@@ -22,7 +22,7 @@
 
 	//If a checksum was given, we can cache this file
 	if (!empty($_GET['checksum'])) {
-		$ETag = 'zenario-layout_thumbnail-'. $_SERVER['HTTP_HOST']. '-'. http_build_query($_GET);
+		$ETag = 'zenario-layout_thumbnail-'. $_SERVER['HTTP_HOST']. '-'. preg_replace('@[^\w\.-]@', '', http_build_query($_GET));
 		ze\cache::useBrowserCache($ETag);
 	}