Zenphoto 1.5.8

    This is a bugfix and minor security release.


    • Setup will now display a warning note if you are not on an SSL (https) connection [acrylian|
    • Setup checks for some more native PHP extensions may be good to have since some may be required in the future [acrylian]
    • Setup now only lists issues and not passed checks. Everything is logged in the setup log now [acrylian]
    • Setup will now show some notices (e.g. existing robots.txt and others) instantly instead of hiding them first [acrylian]

    Zenphoto 1.5.8 is sadly not yet PHP 8 compatible. This will follow soon.


    • Updates PHPMailer library to fix several security issues [fretzl]
    • Fixes non properly sanitzied paths allowing possible access to directories above the installation itself which the user may not be authorized to. [acrylian – Thanks to sML|
    • In case you encounter an "unfixed security issue" on the internet and missed our separate post about it: https://www.zenphoto.org/news/why-not-every-security-issue-is-really-an-issue/. Also if you just disable the elFinder plugin the "issue" is disabled as well.
    • Reconfigure action changes:
      • Zenphoto will not autorun setup anymore if database credentials are not set correctly or missing in the config file. Since we cannot check for login status without database access this might expose install information to the outside world and offer setting MySQL credentials to anyone. Instead a  generic "configuration error" page will now be shown both on the front- and the backend. The debug log will have an entry about this and you need to edit the config file via FTP now. Setup will now only autorun if the config file is missing completely as we then have to "assume" this is a fresh install.
      • Better checks to avoid showing the reconfiguration on "minor install signature" changes on the frontend for non loggedin visitors and confusing them. The debuglog will have an entry about this instead. Loggedin users will still get to see it.


    • Cookie related  changes:
      • All native Zenphoto cookies have been renamed to use the prefix "zpcms_". So you will need to re-login. The reason is that for privacy concerns it is now clear where these cookies come from. Additionally to"zpcms_"  there  is a sub  prefix  for  certain  types:
        • Authentication related cookies start with "zpcms_auth_"
        • Administration related cookies start with "zpcms_admin_"
        • Search related cookies start with "zpcms_search_"
        • Setup related cookies start with "zpcms_setup_"
      • There are now several functions to print info about all native cookies you can use on your privacy page: getCookieInfoData(), getCookieInfoHTML() and printCookieInfo(). Additionally there is a content macro you can use on for example your privacy info page: [ COOKIEINFO ]
      • Note that this does not cover plugins that rely on additional external services like Google Maps or Matomo. Zenphoto's own cookies do not track, except of course the login cookies.
    • Fix forgotten proper default setting for db config mysql port [acrylian - Thanks to wongm]
    • Improve checks for duplicated user mail addresses and make the method checkUniqueMailAddress() properly return true if it is as the doc tells instead of false [acrylian]
    • Theme folder names now allow version numbers like "mytheme-v2.3" [acrylian]
    • Added missing semicolon to Content-Security-Policy [avicarmi]
    • Plugins may now set the following optional definitions [acrylian]:
      • $plugin_name: The optional name. If not defined the filename will be used, as before. 
      • $plugin_date: The date of the last update (yyyy-mm-dd format preferred).
      • $plugin_siteurl: A URL where users can find info and hopefully updates for the plugin, like a GitHub repository. This should not be used for the author website in general.
      • $plugin_disable: Currently this allows one ternary operator condition for e.g. a compatibility or dependency check. Since this might get a little inconvenient if you have more complex requirements this now allows an array of several ternary operators. These operators should return an explaination that is now peristently shown or false if everything is okay.
      • $plugin_notice: A notice message about special dependencies, requirements, using external sources, etc.
      • $plugin_deprecated A message about the plugin being deprecated or parts of it.
      • $plugin_description, $plugin_notice, $plugin_deprecated, $plugin_disable: These allow (one dimensional) array definitions instead of just one string for better readability of longer texts. Each array entry will be output as a single paragraph. This also allows using ternary operators (see $plugin_disable above).
    • Themes may now set the following optional themeinfo values [acrylian]:
      • $themeinfo['siteurl']: See $plugin_siteurl above.
      • $themeinfo['disable']: See $plugin_disable above.
      • $themeinfo['notice']: A message about special dependencies, requirements, using external sources, etc.
      • $themeinfo['deprecated'] A message about the theme being deprecated or parts of it
      • $themeinfo['desc'] , $themeinfo['notice'],$themeinfo['deprecated'], $themeinfo['disable'] :These allow (one dimensional) array definitions instead of just one string for better readability. Each array entry will be output as a single paragraph. This also allows using ternary operators (see $plugin_disable above).
    • Fix distorted thumb generation for non image items by using the actual dimensions of the sidecar thumbimage. Introduces new image class methods getThumbDimensions(), getThumbWidth() and getThumbHeight() for central handling via image objects and child classes textobject and video.[acrylian|
    • Deprecate template functions getRandomImages(), getRandomImagesAlbum(), printRandomImages() which actually only got "one" image and also just double functionality of the image_album_statisics plugin [acrylian]
    • Adds new filter hooks for RSS feeds to filter a single item: "feed_image",  "feed_album", "feed_news", "feed_page", "feed_comment" [acrylian]
    • All content images especially theme related (so not icons) now feature the new HTML attribute loading="lazy" by default for native browser lazyloading supported by most (very) modern browsers. [acrylian]
    • Fix session cookie and general cookies regarding SameSite (PHP 7.3+ only) [acrylian]
    • Comment RSS feeds for single items fixed [bic-ed, acrylian]
    • New filters for filtering attributes for all printImage* template functions [acrylian]
    • Sort direction fixed for search results and therefore also dynamic albums [acrylian]
    • Sorting of multi-lingual content like titles (these use an array structure) now supports locale aware sorting internally if the native PHP intl extension and its Collator class are available on the system. So for example titles with French accents or German umlauts are sorted correctly as you would expect them to if the locale of those languages is currently active. [acrylian]
    • Fix issue of some element attributes and especially id's being removed from text HTML content on the front end unwantedly [acrylian]


    • Default order of theme and plugin options is now the order of the option definition array instead of forced numerical order, unless order is defined specifially [acrylian]
    • Disable or notice messages on the admin plugins (and theme) page are not hidden behind a clickable icon and always shown now. Important info was too easily to be missed [acrylian]
    • Fixes issue with redirections from the license acceptance page on new installs [iliarostovtsev]
    • User accounts now can store the "lastvisit" if the related options are enabled (default). Also all dates stored for account creation, current login, last previous logon, last password change and last visit are now listed additionally to the already listed last change info. [acrylian]
    • Fix GDPR user data export not correctly exporting user account data. [acrylian]
    • Sorting images and articles search results by title now works properly again [acrylian]
    • The default allowed tags have been extended with more tags (elements) and attributes now include the lang attribute [fretzl, acrylian]
    • Some layout changes to themes and plugins admin pages listing some additional info like author(s), date and siteurl [acrylian]
    • There are now Individual "use_side" (width/height/longest/shortest) option settings for uncropped default thumbs that in function follow those of default sized images [acrylian]
    • User accounts now can store the "lastvisit" if the related options are enabled (default). Also all dates stored for account creation, current login, last previous logon, last password change and last visit are now additionally listed to the already listed last change info. [acrylian]
    • Uncropped thumbs on admin image edit and images sorting tabs for an overall better impression of the images while managing them, [acrylian]
    • The zoom button on image edit pages has been removed. The thumb itself triggers zooming instead of doubling the thumb crop button from the sidebar. [acrylian]
    • The thumbcrop button on image edit pages is now properly hidden if thumb cropping is inactive. [acrylian]
    • Fix image and album bulk actions failing after processing the first item if using the filter for custom actions [acrylian]
    • Adds new admin filter hook "bulk_actions_message" to return a meaningful message after processing custom registered image or album bulk actions instead of just the registered function/method handling the action [acrylian]
    • Fix protect_full_image option values to not contain spaces and be strictly lowercase. Running setup should cover the changes. Also the option text has been clarified what the modes actually mean. [acrylian, fretzl]
      • "Unprotected" =>"unprotected"
      • "Protected view" => "protected"
      • "Download" => "download"
      • "No access" => "no-access"
    • New site and image copyright options. These are  primarily  used internally by the  html_meta_tags  plugin but can also be used on themes or plugins. There  are  no  template  functions so you have use  the  Gallery and Image class  methods instead which also provide some internal fallbacks. See the functions documentation [acrylian - Thanks to JesseHC]:
      • Site copyright notice – use  $galleryobject->getCopyrightNotice();
      • Site copyright rightsholder – use $galleryobject->getCopyrightRightsholder();
      • Site copyright url –  use $galleryobject-->getCopyrightURL()
      • Image copyright notice – use  $imageobject->getCopyrightNotice();
      • Image copyright rightsholder – use  $imageobject->getCopyrightRightsholder();
      • Image copyright url –  use  $imageobject->getCopyrightURL();
    • General speed improvements for album list dropdown selectors used for move/copy and others especially for site with lots (thousands) of albums (although a little less accurate lists regarding sortorder), consistent sublevel indicator, removal of background styles most browsers don't support anyway. [acrylian, fretzl - Thanks to richardb]


    • zenpage: Fix empty link for newsOnIndex() [bic-e]

    New plugins

    • lazyload: Plugin to provide JS image lazyloading as fallback for older browsers and to the now included native browser lazyloading via the new loading attribute [acrylian|


    • cacheManager:
      • Allow caching of images in a dynamic album from its admin panel and remove the useless button for cache cleaning [bic-ed]
      • Fixes bug ignoring all album sublevels past the first [acrylian - Thanks to JesseHC]
    • class-textobject / class-video: Sidecar thumb generation fixed by using the actual thumb image dimensions instead of the non-image file [acrylian]
    • class-video: Update getID3 to 1.9.20 [fretzl]
    • comment_form:
      • The RSS subscription link is now not shown if comments are closed [acrylian, Thanks to bic-ed]
      • If the plugin is disabled, no comment releated interfaces like checkbox or bulk action options are listed [acrylian]
    • cookieconsent: Now supports the complicance modes "opt-in" and "out-out". It also now supports the revokable option if a visitor changes its mind. Note that the plugin does not block or delete cookies itself as that cannot safely be done for cookies set by third parties. Therefore it is now an option to add scripts that only should be executed on consent. So if you for example use privacy related scripts like Google Analytics you need to add the script there to comply with e.g. the GDPR [acrylian]
    • elFinder: Update to 2.1.57 [acrylian]
    • html_meta_tags: Implements internal usages of the site and image copyright options [acrylian - Thanks to JesseHC]
    • image_album_statistics:
      • Support for missing standard image html filters has been added [acrylian]
      • All print*Album() and print*Image() functions have been deprecated. These were only wrappers for the base printImageStatistic() and printAlbumStatistic() functions anyway which now should be used with appropriate settings instead [acrylian]
      • New function getPictureOfTheDay() to retain only unique functionaltiy provided by deprecated randomImages() and randomImagesAlbbum() tempalte functions [acrylian]
    • GoogleMaps: Geo-coordinates are now generally validated to be in the actual range [acrylian]
    • matomo:
      • If option is set to require consent it includes new Matomo 3.14+. method for cookie consent. Requires the usage of the content macro on your site's privacy page. Compatible with Matomo 4+ [acrylian]
      • Fix issue with admin tracking option [acrylian – Thanks to tiltX]
    • mergedRSS: Fix issue with non properly encoded titles and decriptions breaking the feed [acrylian]
    • openstreetmap:
      • Leaflet 1.7.1 Update [vincent3569]
      • Geo-coordinates are now generally validated to be in the actual range [acrylian]
    • PHPMailer: Update to 6.4.1 [fretzl]
    • print_album_menu: Assigns the active class to list item instead of the link to be consistent with all other menu types [acrylian]
    • security-logger: Fix privacy issue ignoring the IP anonymisation option [acrylian]
    • sitemap-extended: The licences URL option was incorrectly defined as multilingual and therefore caused wrong output if you used the Google image extension option. You need to re-save this option to fix it [acrylian – Thanks to JesseHC]
    • slideshow2: Fix small bug regarding getting theme based custom CSS [michael-selig]
    • zenpage:
      • Category/pages menu (more exact the base printNestedMenu() function) assigns the active class to list item instead of the link to be consistent with all other menu types [acrylian]
      • Fix default sortorder for newly created Zenpage pages and categories via the backend so they don't kill nested sortorders anymore. Pages table sort_order field gets a null default value to align with others. [acrylian - Thanks to ralf-kerhoff]
      • Rename name Zenpage classes internal properties $sortorder and $page_sortorder to $sorttype and $page_sorttype to reflect what they refer to actually. NOTE these are protected internal properties so there are no deprecations. [acrylian]
      • Zenpage::getAllCategories(), getZenpageStatistics(), printZenpageStatistics(): Parameter $sortdirection respectivley $sortdir changed from string ('asc'/'desc') to boolean (true for descending (default), false for ascending) to be consistent with general boolean parameter usages for sortdirection. A deprecation notice will be triggered. [acrylian]
      • Zenpage::getPages() now properly sorts by title [acrylian|


    • Dutch [fretzl]
    • French [vincent3569]
    • German [acrylian]
    • Italian [bic-ed]
    • Slovak [tangorn]
    • Spanish [guirala]
    • Argentinian Spanish [guirala]

    For questions and comments please use the forum or discuss on the social networks.

    Related items