New Features in WoltLab Suite 6.0: Other Improvements

Improved Security

With WoltLab Suite 6.0, we have implemented several security measures aimed at making the software itself more robust and preventing certain attack scenarios in advance. Of particular importance is the use of the “SpoofChecker” from PHP’s “intl” extension when validating usernames to protect against homograph attacks. It rejects usernames that mix characters from different scripts (for example Latin and Cyrillic letters), the technique used to create usernames that look confusingly similar to existing ones. In addition, the admin panel now sends additional HTTP headers to prevent attacks on administrators via externally embedded resources, and the referrer is no longer transmitted when following links, which prevents the unintentional disclosure of confidential URLs.
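The following is an added example of the kind of check described above, written for this article and not taken from WoltLab’s own code. It uses PHP’s intl “Spoofchecker” class to reject a new username that mixes scripts or is visually confusable with an existing one. The class name UsernameSpoofCheck, the list of existing users and the candidate names are constructed for the example; it requires the intl extension built against ICU 58 or newer (PHP 7.3+) for setRestrictionLevel().

```php
<?php
// Added example (not WoltLab Suite code): username validation with the
// intl extension's Spoofchecker. Sample data below is constructed.
declare(strict_types=1);

final class UsernameSpoofCheck
{
    private \Spoofchecker $checker;

    public function __construct()
    {
        $this->checker = new \Spoofchecker();
        // HIGHLY_RESTRICTIVE allows a single script (plus the usual CJK
        // combinations with Latin) but rejects e.g. Latin mixed with Cyrillic.
        $this->checker->setRestrictionLevel(\Spoofchecker::HIGHLY_RESTRICTIVE);
    }

    /** True if the name by itself looks like a spoofing attempt (mixed scripts etc.). */
    public function isSuspicious(string $username): bool
    {
        return $this->checker->isSuspicious($username);
    }

    /**
     * Returns the existing name the candidate is visually confusable with,
     * or null. Catches look-alikes written entirely in another script, which
     * pass the single-name restriction level check.
     */
    public function collidesWith(string $username, array $existing): ?string
    {
        foreach ($existing as $taken) {
            if ($this->checker->areConfusable($username, $taken)) {
                return $taken;
            }
        }
        return null;
    }
}

// Constructed sample data.
$existing = ['admin', 'Hope', 'moderator'];
$check = new UsernameSpoofCheck();

$candidates = [
    'admin2',            // plain ASCII, accepted
    "\u{0430}dmin",      // Cyrillic small a followed by Latin "dmin": mixed script
    "\u{041D}\u{043E}\u{0440}\u{0435}", // Cyrillic Н о р е, looks exactly like "Hope"
];

foreach ($candidates as $name) {
    $verdict = 'accepted';
    if ($check->isSuspicious($name)) {
        $verdict = 'rejected: mixed or restricted script';
    } elseif (($taken = $check->collidesWith($name, $existing)) !== null) {
        $verdict = "rejected: confusable with existing user \"$taken\"";
    }
    printf("%-20s %s\n", json_encode($name), $verdict);
}
```

Both checks are needed: the restriction level catches names that mix scripts, while areConfusable() catches a name written entirely in one foreign script that renders like an existing Latin name. Comparing against every existing account is linear in the user count; a production implementation would store the Spoofchecker skeleton of each username and look the candidate’s skeleton up in an index instead.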

Less visible security measures include forcing encrypted connections when retrieving package server data to ensure the confidentiality and integrity of transmitted data. The package system now features an “audit log” in which all changes made to the system by packages are logged and thus remain traceable well after the changes were made.

Change of template modifiers to a fixed list of allowed functions

The last change concerns the use of template modifiers. Template modifiers let the template system delegate certain tasks, such as converting text to uppercase, to existing PHP functions. With the exception of a few selected functions, every function PHP offers could be used this way. Templates should generally not contain complicated logic, which is why the use of template modifiers beyond a few useful helper functions has always been questionable. The bigger problem, however, is that multilingual input fields are technically based on language variables, and language variables are themselves implemented as templates, so they have access to every template function as well.

An attacker with access to the admin panel and permission to customize templates, boxes, pages or multilingual input fields could therefore abuse them to execute almost any PHP function. When we designed WoltLab Cloud, we put security and integrity first from the beginning and allowed only a limited selection of functions to be called, a concept that has more than proven itself over the past years. With WoltLab Suite 6.0, only a select subset of PHP functions may be called via template modifiers, and what was previously the divergent behavior of WoltLab Cloud thus becomes the standard.
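To make the difference concrete, here is an added example, written for this article and not WoltLab’s template engine: a minimal {$variable|modifier} renderer with the unrestricted dispatch that the text describes for earlier versions next to a fixed allowlist. The placeholder syntax is reduced to the minimum, and the allowlist contents (ALLOWED_MODIFIERS) are an assumption for illustration, not WoltLab’s actual list.

```php
<?php
// Added example (not WoltLab Suite code): template modifier dispatch,
// unrestricted vs. allowlisted. Modifier list and templates are constructed.
declare(strict_types=1);

/**
 * Pre-6.0 style: any modifier name that is a PHP function gets called.
 * A template or language variable containing {$cmd|shell_exec} executes
 * shell_exec($cmd). Shown for comparison only; never called below.
 */
function applyModifierUnrestricted(string $modifier, string $value): string
{
    if (!function_exists($modifier)) {
        throw new InvalidArgumentException("Unknown modifier: $modifier");
    }
    return (string) $modifier($value); // DANGEROUS: arbitrary PHP function
}

/** Assumed allowlist of harmless helpers; 6.0 ships its own fixed list. */
const ALLOWED_MODIFIERS = ['ucfirst', 'strtoupper', 'strtolower', 'trim', 'htmlspecialchars', 'nl2br'];

/** 6.0 style: the name must be on the fixed list, everything else is refused. */
function applyModifierAllowlisted(string $modifier, string $value): string
{
    if (!in_array($modifier, ALLOWED_MODIFIERS, true)) {
        throw new InvalidArgumentException("Modifier not allowed: $modifier");
    }
    return (string) $modifier($value);
}

/**
 * Replace {$var} and {$var|modifier} placeholders using the given dispatcher.
 * A refused modifier aborts rendering instead of silently running code.
 */
function render(string $template, array $vars, callable $apply): string
{
    return preg_replace_callback(
        '/\{\$(\w+)(?:\|(\w+))?\}/',
        static function (array $m) use ($vars, $apply): string {
            $value = (string) ($vars[$m[1]] ?? '');
            return (isset($m[2]) && $m[2] !== '') ? $apply($m[2], $value) : $value;
        },
        $template
    );
}

$vars = ['name' => 'ada', 'cmd' => 'id'];

// Legitimate use: a helper on the list.
echo render('Hello {$name|ucfirst}!', $vars, 'applyModifierAllowlisted'), PHP_EOL; // Hello Ada!

// Hostile content of a language variable or multilingual field.
$hostile = 'Welcome {$cmd|shell_exec}';
try {
    render($hostile, $vars, 'applyModifierAllowlisted');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL; // blocked: Modifier not allowed: shell_exec
}
```

The decisive property is that the allowlist is a closed set checked with strict comparison, so no name that is not literally in it can reach the call, regardless of how the template or language variable was edited.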

Revised Summary of Reactions

The list of reactions below a piece of content has been technically modernized and is now based on a Web Component. The HTML structure has also been improved in terms of accessibility and additionally highlights the reaction given by the viewer themselves. Developers do not need to adapt anything; the changes were made in the template for the reaction summary.

Other Improvements Briefly Presented

Unification of the subscribe function
The functionality and appearance of the subscribe functions have been aligned across apps.

Improved internationalization / localization
There is now the “locale” field, which allows numbers and times to be formatted in a country-specific way. This is especially interesting for people from Switzerland (1'000'000 for large numbers) and the UK (24 hour time format). In addition, UTC is now available as a time zone, for example for digital events in the calendar.

Standardization of wording
In various places, the user interface texts have been standardized.

Performance improvement
Various optimizations have been made to improve performance.

Easier access to CLI workers
The Update Ads page in the admin panel lists the necessary commands for execution via CLI.

Statistics for CAPTCHA questions
For CAPTCHA questions, the number of times a question was answered correctly or incorrectly is now recorded.

Support for WebP avatars
Uploading avatars in WebP format is now supported.

Events can be canceled after the fact
Calendar events can now be canceled after the time of the appointment.

Higher upload limit for file uploads
For file uploads (e.g. to Filebase or Gallery), file sizes of over 2 GiB are now supported.

Flood-Control for vandalism in old posts
The flood control is now also used when editing posts to prevent a user from mass modifying old posts in a short time.

Twitter buttons changed to X
The buttons for sharing content on Twitter or logging in via Twitter have been updated.

Improved data import
Data import from another WoltLab Suite installation can now take over more content.

Better support for images in desktop notifications
In desktop notifications, the content of an image’s alt attribute is used for display.

Support for 4K images as avatars
Avatars can be uploaded as 4K variants.

Better readability of change history
The formatting of changes has been improved for better readability.

Warning for invisible participants when replying
Invisible participants now receive a warning when replying to a conversation that they will no longer be invisible as a result of the reply.

Spotify media provider updated
The media provider for Spotify has been updated to the latest version.

Improved processing of animated WebP images
Animated images in WebP format are now processed correctly, allowing the creation of appropriate preview graphics.

Setting for blog article order
The administrator can now configure the order of blog articles.

Recent posts box without cache
The recent posts box now determines the displayed topics live instead of from a 5-minute cache.

Recognition of URLs in texts improved
The algorithm for detecting URLs in texts has been revised and now works much more precisely.

Better detection of failed file uploads
If a file upload fails due to a web server-side limit, this is now correctly detected and reported to the user.

Mobile language selection improved
The mobile language selection now additionally displays the flag icons.

Revised breadcrumbs
The breadcrumbs have been completely revised technically.

Use of the meter tag
The meter tag is used, for example, to display the utilization of the conversation quota and provides better semantics.

Reset button in date selection revised
The button is now more accessible and can also be controlled by keyboard, for example.

Hiding of unnecessary language selection
The language selection for multilingual content is now automatically hidden if only one language is available for selection.

Placeholder for email address in newsletters
{$email} can be used as a placeholder in newsletters to display the e-mail address of the respective recipient.

Box display unified
The display of content boxes has been standardized.

Display of article buttons revised
The display of buttons in articles has been revised and aligned with the display from other areas.

Improved deletion of articles
In the confirmation dialog for deleting an article, the title of the respective article is now displayed.

Presentation of review buttons revised
The display of buttons in reviews has been revised and aligned with the display from other areas.

Improved email notifications
The subject line of various notification emails has been adjusted to make them easier to understand.

Database name in system information
The system information on the start page of the admin panel now lists the name of the database used.

Printout of MFA backup codes improved
The view for printing MFA backup codes has been revised and made more user-friendly.

Embedded content widget revised
The embedded content widget has been completely redesigned to be more user-friendly and accessible.

Advanced search form improved
The advanced filters area now automatically unfolds when a filter is active.

Poll editing improved
When editing polls, you can now see if it is a public poll.

Individual icons for search results
Search results can now be provided with individual icons.

Simplified creation of cronjobs
Cronjobs can now be created using a cron expression.

Embedding of audio and video media
Embedding media of type audio or video now leads to the display of a corresponding audio or video player.

Better indication of activated debug mode
The admin panel now better indicates that debug mode is active.

Generic share button
A generic button for sharing the respective page has been introduced.

Improved tagged content page
When the page is opened for a specific tag, only the content types for which results exist are offered as filters.

Input for MFA codes improved
The input for MFA codes has been revised and made more user-friendly.

Improved tag suggestions for multilingual content
The suggestions for tags now fit better to the respective language.

Improved template copying
When copying templates, the first available template group is no longer preselected.

Misleading “Full access” option removed
The “Full access” option has been removed because it often led to unnecessarily complicated permission configurations.