marcantondahmen / automad

A flat-file content management system and template engine

Home Page: https://automad.org

License: MIT License

PHP 38.13% JavaScript 0.34% Hack 4.37% Shell 0.51% Less 12.55% TypeScript 44.09%
automad cms flat-file template-language

automad's Introduction

Automad

A flat-file content management system and template engine.

Screenshot

Links

Live Demo

In case you quickly want to try out Automad without setting up a server first, just check out the live demo for free. There is no sign-up required and you can start exploring new features right away in your personal demo instance.

Important

Please note that in order to keep hosting costs under control, all demos are running on minimal hardware and expire after one hour.

Installation

Note that this repository only contains source code. Please follow the instructions below in order to install a fully bundled version of Automad using Docker or Composer. It is also possible to manually download and install Automad.

Composer

The fastest way to get Automad up and running is to use Composer.

composer create-project automad/automad . v2.x-dev

Follow this guide to finish the installation and get started quickly.

Docker

It is also possible to run Automad in a Docker container including Nginx and PHP 8.3.

docker run -dp 80:80 -v ./app:/app --name mysite automad/automad:v2

This will essentially make your site available at port 80 and mount a directory called app in the current working directory for data persistence. A new user account for the Automad dashboard will be created automatically. The account details will be logged by the running container. You can show these logs using the following command:

docker logs mysite

You can now navigate to localhost to view your new site.

Manual Installation

In case you are not able to use Docker or Composer, you can also deploy Automad manually.

  1. Download a distribution bundle and move the unpacked content to the document root of your webserver.
  2. Make sure the PHP process has the permissions to write to the document root and its subdirectories including all installed files.
  3. Visit the /dashboard route of your site and create the first user.

Migrating Content

In order to migrate an old Automad installation to the new version 2, please follow the migration guide in the documentation.

Documentation

Take a look at the documentation to get started with Automad.

Packages

Visit the Automad package browser to get free themes and extensions for your Automad site.

Community

Join the community, ask questions or start a discussion on the Automad discussion platform.

Contributing

In case you are interested in contributing, the following types of contribution are welcome:

However, I do not exclude at this point using parts of Automad's source in future projects under different licenses. In order to avoid having to ask anybody for permission when doing so, I will not accept any contributions to this repository. Please understand that pull requests will therefore be ignored.

Text Editors Plugins

To make the development of themes more efficient, plugins providing syntax highlighting and snippets for Automad's template language are available for the following editors:


© 2013-2024 Marc Anton Dahmen
Released under the MIT license


automad's Issues

Authenticated Stored XSS on Title Input

Hello again, the current version of Automad is vulnerable to a stored XSS.
To reproduce this, go to the dashboard as an authenticated user and change the title of a page as shown in the screenshot.

An attacker may be able to gain access to sensitive information such as cookies.

automad_stored_xss

stored_poc_automad
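The report above is about a value that is stored as typed and later written into HTML. The following is an added example, not Automad's own code and not part of the issue: a page title rendered once without encoding (the vulnerable pattern) and once with context-aware output encoding. The sample title, the helper names and the markup are assumptions; it needs PHP 8 (for str_contains()).

```php
<?php
declare(strict_types=1);

// Added example, not Automad code. A page title is stored verbatim in the
// flat-file data and later interpolated into dashboard and theme HTML. The
// unsafe variant trusts it; the hardened variant encodes it at output time.

// Constructed sample: what an authenticated editor could type into the
// title field according to the report above.
const SAMPLE_TITLE = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: raw interpolation into HTML.
function renderTitleUnsafe(string $title): string
{
    return "<h1 class=\"am-title\">{$title}</h1>";
}

// Hardened: encode for HTML text and attribute contexts. ENT_QUOTES covers both
// quote styles so the same helper is safe inside attributes; ENT_SUBSTITUTE
// keeps htmlspecialchars() from returning '' on invalid UTF-8, which would
// otherwise silently drop the title.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(string $title): string
{
    return '<h1 class="am-title">' . escapeHtml($title) . '</h1>';
}

// Attribute encoding stops tag/attribute breakout but does not stop a
// "javascript:" or "data:" URL in href, so restrict the scheme before encoding.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto', 'tel'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

// The title is reused in attribute context as well; encoding happens at output,
// not on input, so the stored value can still be searched and edited as typed.
function renderPageLink(string $url, string $title): string
{
    return '<a href="' . safeHref($url) . '" title="' . escapeHtml($title) . '">'
        . escapeHtml($title) . '</a>';
}

// Reviewer check: the untrusted value must never appear verbatim in the output.
function containsActiveHtml(string $html, string $untrusted): bool
{
    return str_contains($html, $untrusted);
}

if (PHP_SAPI === 'cli') {
    echo renderTitleUnsafe(SAMPLE_TITLE), PHP_EOL;   // payload survives intact
    echo renderTitleSafe(SAMPLE_TITLE), PHP_EOL;     // payload is inert text
    echo renderPageLink('javascript:alert(1)', SAMPLE_TITLE), PHP_EOL;
    var_dump(containsActiveHtml(renderTitleUnsafe(SAMPLE_TITLE), SAMPLE_TITLE));
    var_dump(containsActiveHtml(renderTitleSafe(SAMPLE_TITLE), SAMPLE_TITLE));
}
```

The stored value is left untouched on purpose: sanitising on input loses data and still leaves every other output path (JSON, feeds, the dashboard's own JavaScript) to be handled separately, whereas encoding for the exact context at each output point is what closes the bug.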

[Request Not an Issue] Include Language switcher snippet and examples by default

Pretty much what title says, the documentation is not quite beginner friendly and Multi Language support is something that a lot of people will look after. It would be nice to make a package that does that or include the multi lang support in your current themes. Along with a clear basic tutorial on how to create hierarchy for multi lingual sites. Current example is simply not clear enough as it does not explain how the dashboard works with variables, where to add them, how to use them etc. and it also [IMO falsely] assumes that everyone knows how to tinker with Automad's themes.

If it's not too hard to do please add it your feature backlog.

Thank you and keep up the great work!

Remove bespoke template engine for a proper one (e.g., Twig or Smarty)

Currently the template engine for this project (while cute) is severely gimped. I think that it should be dropped entirely and replaced with the likes of something proven and battle hardened, like Twig or at least Smarty.

This CMS has a huge potential, but the template engine is a huge setback. The core problems I see with it:

  • syntax is extremely cumbersome (more so than any template engine I have used, at least)
  • poor variable support (no arrays or objects?)
  • lacking critical string and array manipulation functions
  • control structures/functions/filters are poorly named

Usage of findFirstParagraph with short first block

Hello again!

While transferring my site to the new block-based solution I noticed an effect I didn't realize before. I have the following situation multiple times (illustrated with example text, where one cell is one block):

--------------------------------------------------------------------------
| Dear ladies and gentlemen,                                             |
--------------------------------------------------------------------------
| Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam      |
| nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, |
| sed diam voluptua. At vero eos et accusam et justo duo dolores et ea   |
| rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem    |
| ipsum dolor sit amet.                                                  |
--------------------------------------------------------------------------
| Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam      |
| nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, |
| sed diam voluptua. At vero eos et accusam et justo duo dolores et ea   |
| rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem    |
| ipsum dolor sit amet.                                                  |
--------------------------------------------------------------------------

The intended solution (e.g. for a teaser) would surely be that the function not only returns this

--------------------------------------------------------------------------
| Dear ladies and gentlemen,                                             |
--------------------------------------------------------------------------

(as this return wouldn't be that informative ;) but

--------------------------------------------------------------------------
| Dear ladies and gentlemen,                                             |
--------------------------------------------------------------------------
| Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam      |
| nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, |
| sed diam voluptua. At vero eos et accusam et justo duo dolores et ea   |
| rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem    |
| ipsum dolor sit amet.                                                  |
--------------------------------------------------------------------------

(or even a user defined number of paragraphs). An optional argument to the function specifying the number of paragraphs to be returned may be a good idea (in that case the name 'findFirstParagraph' would of course be misleading).

Do you think that would be a good idea?

Improvement(?): Make :current and :currentPath aware of directory redirects

Hi!

I just encountered an issue with a little experimental project I'm doing with Automad.

This site has a two-level navigation structure, in which the first-level entries that have children themselves point to the first child.

So if I have

Parent
--Child1
--Child2

the menu entry for Parent will point to the url for Child1. Which I can easily do with the redirect field.

But, when I then switch to Child 2, the template variable :currentPath is no longer aware that we are still within Parent.

I've solved this by patching Page.php to prefer origUrl (if present) for setting :current and :currentPath.

20211031-page-currentpath.diff.txt

Arrow keys in gallery

I really like the gallery functionality. It would be even better if it supports arrow keys (left and right) to move between the slides in the gallery. Do you plan adding this?

First Login issue

Hi,

For some reason I cannot login with the temporary user. Returns me back to the login page. Any suggestions ?

Fixed that and now :

2019/09/17 10:47:28 [error] 22399#22399: *4783 FastCGI sent in stderr: "PHP message: PHP Warning:  Invalid argument supplied for foreach() in /var/www/miniml.dev/public/automad/gui/themelist.php on line 103
PHP message: PHP Fatal error:  Call to undefined function Automad\Core\imagecreatefrompng() in /var/www/miniml.dev/public/automad/core/image.php on line 305" while reading response header from upstream

fix for second line was php-gd. However first I have no clue.

cookie?

Hello
I have just one short question. Is it possible to run Automad without the cookie "Automad-1d0a6ada16979d3104bf3f7787a80f24"?
Best regards,
O.

Disable search

First, congratulations on AutoMad. It is really clean and well designed package!

I have a question: it is possible somehow to disable the search functionality? I am creating a really simple web site that does not need it. I know that I can hide it via CSS on the places that it appears, but I was wondering if it is possible to disable it via settings somehow.

Feeds need an optional base just like sitemaps do

Config.php defines an "optional base protocol/domain combination for the sitemap.xml in case of being behind a proxy", AM_BASE_SITEMAP.

It's used here.

Feeds need the same thing, for the same reason.

I'm not a PHP developer, but I am a developer. If you like I could tackle this over the next week, using the same approach that Sitemap.php takes?

Let me know.

If the answer is "yes," would you like to create a similar config var with a similar purpose? Or, somehow, one?

Localized chars in theme.json

Some localized chars in strings from tooltips in theme.json are shown as HTML entities in browser. For instance:

"tooltips": {
	"text_Naglowek": "Nagłówek"
}

is shown in the dashboard as Nagłówek. This conversion is neither necessary nor consistent, as not all chars get converted - Ą, Ć, Ę, Ł, Ń, Ś, Ź, Ż remain unaffected.

Deprecation in PHP 8.1

Deprecated: Optional parameter $email declared before required parameter $Messenger is implicitly treated as a required parameter in /automad/src/UI/Models/UserCollectionModel.php on line 89

displayed in dashboard - the same information somehow got dumped to accounts.php file.

output

Docker RSS Feed URL

When using Docker, RSS feed URL appears as:
http://automad-docker.local/feed

While it can be reachable by just accessing domain-name.com/feed, the links in the RSS feed all use automad-docker.local.

Sample:

<?xml version="1.0" encoding="UTF-8"?>
<rss 
version="2.0" 
xmlns:atom="http://www.w3.org/2005/Atom" 
xmlns:content="http://purl.org/rss/1.0/modules/content/"
>
	<channel>
		<title>Site Name</title>
		<link>http://automad-docker.local</link>
		<atom:link href="http://automad-docker.local/feed" rel="self" type="application/rss+xml" />
		<description>
			Hello, I'm Automad. 👋 You've have just finished my installation successfully! Now it's time to publish your stories and projects. Sign in to the dashboard to get started.
		</description>
		<generator>https://automad.org</generator>
		<lastBuildDate>Thu, 25 Nov 2021 21:51:47 +0000</lastBuildDate>
		
		<item>
			<title>Post 1</title>
			<link>http://automad-docker.local/post-1</link>
			<guid isPermaLink="true">http://automad-docker.local/post-1</guid>
			<pubDate>Thu, 25 Nov 2021 21:32:27 +0000</pubDate>
			<description>
				
			</description>
			<content:encoded><![CDATA[]]></content:encoded>
		</item>
		<item>
			<title>Post 2</title>
			<link>http://automad-docker.local/post-2</link>
			<guid isPermaLink="true">http://automad-docker.local/post-2</guid>
			<pubDate>Thu, 25 Nov 2021 21:42:31 +0000</pubDate>
			<description>
				
			</description>
			<content:encoded><![CDATA[]]></content:encoded>
		</item>
	</channel>
</rss>

Also, since I'm running it behind Nginx Proxy Manager, I'd like to be able to explicitly set the scheme to https on the links.

Spam / bot protection for mail block

The mail block contains no secure way to protect the form from abuse by spam bots, as professional spam bots can recognize the most variants of honeypots.
I think it would be helpful to use some sort of user-changeable security question with answer (e.g. 'In which city is the Eiffel Tower?', 'Paris') or captcha.

The security question would be probably the better solution as it isn't third-party dependent (I already use a form with this functionality, but it's a template written before the introduction of blocks).

Suggestion: Enforce strong passwords

Hey 👋 , I'm a little unhappy with the password strength. Currently it is possible to create users with a single character password. This is unfortunately totally insecure and not best practice. I would recommend or suggest that the password:
Must be at least seven characters long.
Must contain both numeric and alphabetic characters.
Must be different from previous passwords.
Maybe you could also think about some kind of password expiry.
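The policy proposed above, written out as a checker, as an added example that is not Automad's code and not part of the issue. It returns the list of violated rules instead of a bare boolean so the dashboard can tell the user which rule failed, and it checks the "different from previous passwords" rule against stored password_hash() digests, since the plaintexts of earlier passwords must never be kept. The minimum length, rule names and function names are assumptions; mbstring is assumed to be available.

```php
<?php
declare(strict_types=1);

// Added example, not Automad code. Thresholds and names are assumptions.
const MIN_PASSWORD_LENGTH = 7;

/**
 * @param string[] $previousHashes password_hash() digests of earlier passwords
 * @return string[] violated rules; an empty array means the password is accepted
 */
function passwordPolicyViolations(string $candidate, array $previousHashes = []): array
{
    $violations = [];

    // Count characters, not bytes: a 7-byte UTF-8 string may be 3 characters.
    if (mb_strlen($candidate, 'UTF-8') < MIN_PASSWORD_LENGTH) {
        $violations[] = 'too_short';
    }
    // Unicode-aware classes so non-ASCII letters and digits count as such.
    if (!preg_match('/\p{L}/u', $candidate) || !preg_match('/\p{N}/u', $candidate)) {
        $violations[] = 'needs_letters_and_digits';
    }
    // Reuse check against hashes only; password_verify() handles the salt.
    foreach ($previousHashes as $hash) {
        if (password_verify($candidate, $hash)) {
            $violations[] = 'reused';
            break;
        }
    }
    return $violations;
}

// Store a new password: enforce the policy, then hash with a per-password salt
// and the current default algorithm. The plaintext is never written anywhere.
function storePassword(string $candidate, array $previousHashes = []): string
{
    $violations = passwordPolicyViolations($candidate, $previousHashes);
    if ($violations !== []) {
        throw new InvalidArgumentException('Password rejected: ' . implode(', ', $violations));
    }
    return password_hash($candidate, PASSWORD_DEFAULT);
}

if (PHP_SAPI === 'cli') {
    // Constructed history: one earlier password, kept only as its hash.
    $history = [password_hash('correct horse 9', PASSWORD_DEFAULT)];
    foreach (['a', 'abcdefgh', 'correct horse 9', 'new pass w0rd'] as $candidate) {
        $result = passwordPolicyViolations($candidate, $history);
        printf("%-18s %s\n", $candidate, $result === [] ? 'accepted' : implode(',', $result));
    }
}
```

One caveat a deployer should weigh before adopting every rule above: current guidance such as NIST SP 800-63B favours a longer minimum length and screening against known-breached passwords over composition rules, and advises against forced periodic expiry, which tends to produce predictable variations of the old password. The checker is written so that rules can be removed or swapped without touching the hashing path.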

Fatal error caused by a NULL value

After update to 1.10.8 my instance is throwing

Fatal error: Uncaught TypeError: Automad\UI\InPage::injectTemporaryEditButton(): Argument #1 ($value) must be of type string, null given, called in /automad/src/Engine/Processors/ContentProcessor.php on line 269 and defined in /automad/src/UI/InPage.php:95 Stack trace: #0 /automad/src/Engine/Processors/ContentProcessor.php(269): Automad\UI\InPage->injectTemporaryEditButton() #1 [internal function]: Automad\Engine\Processors\ContentProcessor->Automad\Engine\Processors\{closure}() #2 /automad/src/Engine/Processors/ContentProcessor.php(200): preg_replace_callback() #3 /automad/src/Engine/Processors/TemplateProcessor.php(105): Automad\Engine\Processors\ContentProcessor->processVariables() #4 [internal function]: Automad\Engine\Processors\TemplateProcessor->Automad\Engine\Processors\{closure}() #5 /automad/src/Engine/Processors/TemplateProcessor.php(102): preg_replace_callback() #6 /automad/src/Engine/Processors/ContentProcessor.php(156): Automad\Engine\Processors\TemplateProcessor->process() #7 /automad/src/Engine/Processors/Features/ContextProcessor.php(124): Automad\Engine\Processors\ContentProcessor->processFileSnippet() #8 /automad/src/Engine/Processors/TemplateProcessor.php(109): Automad\Engine\Processors\Features\ContextProcessor->process() #9 [internal function]: Automad\Engine\Processors\TemplateProcessor->Automad\Engine\Processors\{closure}() #10 /automad/src/Engine/Processors/TemplateProcessor.php(102): preg_replace_callback() #11 /automad/src/Engine/Processors/Features/IncludeProcessor.php(69): Automad\Engine\Processors\TemplateProcessor->process() #12 /automad/src/Engine/Processors/TemplateProcessor.php(109): Automad\Engine\Processors\Features\IncludeProcessor->process() #13 [internal function]: Automad\Engine\Processors\TemplateProcessor->Automad\Engine\Processors\{closure}() #14 /automad/src/Engine/Processors/TemplateProcessor.php(102): preg_replace_callback() #15 /automad/src/Engine/View.php(125): Automad\Engine\Processors\TemplateProcessor->process() 
#16 /automad/src/App.php(167): Automad\Engine\View->render() #17 /automad/src/App.php(180): Automad\App->Automad\{closure}() #18 /automad/src/App.php(91): Automad\App->render() #19 /automad/init.php(40): Automad\App->__construct() #20 /index.php(4): require('...') #21 {main} thrown in /automad/src/UI/InPage.php on line 95

Apparently $value in ContentProcessor method processVariables becomes NULL sometimes and it causes problems down the stream. At this point I can't tell why the value becomes NULL, so for now I just monkeypatched it to become an empty string if it's NULL, just before the call to injectTemporaryEditButton() is made.

Use `$_SERVER` rather than `getenv()` for server request vars

When I moved from my development machine to my production host, index.php files started appearing in the URLs.

Using Automad's excellent debugging capabilities, I tracked the problem down to here.

My host doesn't set a SERVER_SOFTWARE environment variable.

In fact, it turns out that using environment variables for such things is wrong.

I found an interesting 2016 thread here. The long and short of it is that Symfony was using getenv() for certain kinds of things, and no longer does. (To be clear: it no longer uses getenv() for server request vars; it does for other things not related to server request vars.) Laravel is the same.

It seems that the vars listed on the $_SERVER page should only be accessed through $_SERVER, and never through getenv()?

In the meantime, my workaround was to add this to index.php:

<?php
// Workaround only: copy the request vars that Automad reads via getenv() into
// the process environment. Each key is guarded so a missing one yields an empty
// value instead of an undefined-index notice.
foreach ([
    'HTTP_HOST',
    'HTTP_X_FORWARDED_HOST',
    'HTTP_X_FORWARDED_SERVER',
    'HTTPS',
    'SERVER_NAME',
    'SERVER_SOFTWARE',
    'SCRIPT_NAME',
] as $key) {
    putenv($key . '=' . ($_SERVER[$key] ?? ''));
}

(I'm not suggesting that my workaround is a solution; in fact, as given, that approach won't work in some environments. The point was to show you the list of server request vars that might be relevant to the issue.)
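Three of the issues on this page touch the same question: where the absolute base URL for sitemap and feed links comes from (the feeds-base issue, the Docker RSS feed issue behind Nginx Proxy Manager, and this one about $_SERVER versus getenv()). The following added example, which is not Automad's code and not part of any of the issues, builds that base URL from $_SERVER only, lets an explicitly configured base win (the role AM_BASE_SITEMAP plays for the sitemap; a single shared constant is assumed here), and honours X-Forwarded-Host and X-Forwarded-Proto only when the connection comes from a listed proxy. That last rule matters because any client can send those headers, and a URL built from them ends up in a feed served to every reader. Constant names, function names and the sample addresses are assumptions; PHP 8 is required.

```php
<?php
declare(strict_types=1);

// Added example, not Automad code. Names and addresses are assumptions.
const EXAMPLE_BASE_URL = '';                              // e.g. 'https://domain-name.com'; '' = detect
const EXAMPLE_TRUSTED_PROXIES = ['172.18.0.1', '10.0.0.0/8']; // reverse proxies allowed to set X-Forwarded-*

// IPv4 address or CIDR match; anything unparseable (including IPv6) is untrusted.
function ipInCidr(string $ip, string $cidr): bool
{
    if (!str_contains($cidr, '/')) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = max(0, min(32, (int) $bits));
    $mask = -1 << (32 - $bits);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isTrustedProxy(string $remoteAddr, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Hostname or IPv4 with optional port; rejects paths, schemes or spaces smuggled
// in through the Host / X-Forwarded-Host header.
function hostIsValid(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host);
}

function baseUrl(array $server, string $configured = EXAMPLE_BASE_URL, array $trusted = EXAMPLE_TRUSTED_PROXIES): string
{
    if ($configured !== '') {
        return rtrim($configured, '/');            // explicit configuration always wins
    }

    $https = ($server['HTTPS'] ?? '') !== '' && strtolower($server['HTTPS']) !== 'off';
    $host = $server['HTTP_HOST'] ?? ($server['SERVER_NAME'] ?? 'localhost');

    if (isTrustedProxy($server['REMOTE_ADDR'] ?? '', $trusted)) {
        // Headers may carry a comma-separated chain; the first entry is the client-facing one.
        $proto = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0]));
        if ($proto === 'https' || $proto === 'http') {
            $https = $proto === 'https';
        }
        $fwdHost = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'] ?? '')[0]);
        if ($fwdHost !== '') {
            $host = $fwdHost;
        }
    }

    if (!hostIsValid($host)) {
        throw new RuntimeException('Refusing to build URLs for host: ' . $host);
    }
    return ($https ? 'https' : 'http') . '://' . $host;
}

if (PHP_SAPI === 'cli') {
    // Constructed request environments.
    $direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'automad-docker.local',
               'HTTP_X_FORWARDED_HOST' => 'evil.example', 'HTTP_X_FORWARDED_PROTO' => 'https'];
    $viaProxy = ['REMOTE_ADDR' => '172.18.0.1', 'HTTP_HOST' => 'automad-docker.local',
                 'HTTP_X_FORWARDED_HOST' => 'domain-name.com', 'HTTP_X_FORWARDED_PROTO' => 'https'];

    echo baseUrl($direct), PHP_EOL;                              // client-sent forwarding headers ignored
    echo baseUrl($viaProxy), PHP_EOL;                            // proxy headers applied
    echo baseUrl($viaProxy, 'https://domain-name.com/'), PHP_EOL; // explicit base wins
    echo baseUrl($viaProxy) . '/feed', PHP_EOL;                  // the self link a feed would carry
}
```

The explicit configuration value is the setting a Docker or proxied deployment should use; header-based detection is only the fallback for the common case of a single trusted proxy that rewrites Host. Reading from $_SERVER rather than getenv() also removes the dependency on PHP-FPM's clear_env and on the hosting SAPI exporting request metadata into the environment at all.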

Dashboard not found

Hi,

I've installed automad on a raspberry pi zero. I can get to the home page. But getting 404 there and also when I click on Blocks and Section.

Now I'm a bit lost to what I'm missing.

Thanks

block paragraph editor text alignment: right

Would be nice if there could be an option to set text-align: right in the block editor. Right now it's only possible to set text-alignment to left or center (see image below).

automad_feature_request

user roles

Would be nice to add some roles to different users (edit access, admin role)

Regex image selection shouldn't fall back if explicitly set

Hello there!

If you use a regex to select an image, e.g. for imageTeaser in the various themes, and set them to a value that doesn't match any filename, imageTeaser falls back to the default selection regex (the first image I guess). In most cases that seems to be a practical feature, e.g. if someone has a typo in the regex. This way it's ensured that a teaser image is selected.

BUT: If you have one or more images in your page that are only for illustrational purposes (e.g. a statistic) and no photos (you may want to have as teaser), and those images (the illustrational ones) should therefore not display as imageTeaser, the most obvious way would be to set the imageTeaser regex to something unmatching (e.g. a dash "-"), so no image should be selected. However, automad falls back and the unwanted image is used for the preview.

I see no other way to prevent automad from selecting those images as default image e.g. for imageTeaser.

What do you think about it?

Inconsistent recognition of tel and mailto links

See the attached video. I've just started adapting Automad for freelance projects and this can be quite irritating, especially for clients that are less tech-savvy.

This is on Automad v1.10.1 and PHP v7.4.26.

Screen.Recording.2021-12-07.at.10.57.54.mp4

Possible XSS at login-area from dashboard

Hi, I've found a possible vulnerability in the login area in the current version of Automad's dashboard. The function automad-notify can be executed manually e.g. via the developer console. The problem is that the input is not sanitized and therefore any JavaScript code can be executed. Of course, this applies to all areas of the application where access to this function is possible. Enclosed a screenshot.

xss_automad_notify

Best regards

Be specific about the required directory and file permissions — and how to get them

The docs point to this StackOverflow answer when talking about the required directory and file permissions. Unfortunately it isn't very clear exactly which answer is being pointed to — and many of answers give terrible advice, e.g.:

chmod -R 0777  /opt/lampp/htdocs/

My preferred host says this about those permissions:

If you look online, you may find advice telling you to set all directories to 777 and all files to 666. This is terrible advice. Roughly translated it means "I don't understand Unix file permissions well enough to help you, but doing this will hide the problem for now, and I'll be long gone when this terrible advice I'm giving you lets hackers completely overwrite your site."

WordPress.org also has a long aside about the dangers of 0777.

If you're interested, I'd like to write up — or help you write up — better instructions for the docs.

What I'd like to do is have two or three scenarios, from most permissive to least. The most permissive might show how to set permissions correctly, but more broadly than needed. The least permissive might show how to set them so that, say, you can edit files, but you can't update through the web. The middle option would perhaps only set write permissions on the directories and files that actually need it. See this page from BoltCMS to get a sense of what I mean.

As far as updating through the web goes, I'll again point to something my preferred host says:

We strongly discourage members from making script files and key directories (like /home/public) writeable by the web user. This setting is used by some applications to enable self-updating over the web. We discourage that practice as well; if you can update your site over the web, so can someone else, and the site may look very different when they finish with it. We recommend using out-of-band methods to update site applications.

I know that most people wouldn't go this far, but I plan to use your command-line tool to do updates. The point of that, though, would be to avoid making things writable that don't need to be writeable for typical use. I could try figuring that out by trial and error, but it would be easier with your help. That's why I'm offering to help with the writing in return. :-)

Feature request - Image rotation option

Hi,

I'd like to add the possibility to rotate my images in the backend of Automad (probably aside the Cropping function)
image

I think that a flat rotation (i.e. the image itself, not with some extra CSS modification) is the fastest and simplest way to do so.

I can implement that feature myself, but I noticed that you refuse PR, so I hope that you'll like my request and implement it :)

Features request - Block video

Hi,

I want to avoid uploading my videos to YouTube or anything.

As far as HTML5 allow powerful tags to manage videos, is it possible to add a Block for my MP4 videos ? :)

Pagelist not working

After a fresh install of automad 1.10.0 i noticed, that the "Tutorial" templates looked different in the editor.
I tried to add a Pagelist but an error is thrown in the JavaScript console.

image

I installed a fresh version 1.9.4 in which this problem does not occur. It looks how I think it should look.

image

With the default Apache configuration Automad is exposing files it shouldn't

Here is Automad's demo site. And here, for example, is the automad/package-lock.json file for that site.

Those are just text files, but .php files are also exposed. For example, if you constructed a URL to, say, automad/tests/Core/FileUtilsTest.php, the tests would (try to) run. (I didn't go looking for particularly problematic .php files.)

On Apache these issues can be resolved by tightening up the .htaccess file. For inspiration, here is the .htaccess file for Gravity, and here is the .htaccess file for Kirby — two flat-file CMSes. (Here is the .htaccess for ProcessWire. ProcessWire is a traditional CMS rather than flat-file, but the .htaccess file is carefully thought out and well commented.)

Tightening up the .htaccess file would be something of a quick fix. Even better — this is a "someday" thing! — would be to change the directory structure so that static files are clearly separated from non-static files.

My Apache skills are rusty, but if you like I can take a first crack at the required changes.

P.S. Automad is an incredibly impressive piece of work. So many good ideas, so much attention to detail.

hidden Hero Area

Hi Marc,
fresh install Hero is hidden:
image
-Macbook Pro (Big Sur), Chrome

image
-Phone 12 Pro, Microsoft Edge

Cheers
Dirk

No access to Packages (localhost)

I am using the latest Automad version with installed local XAMPP 7.4.26 / PHP 7.4.26 behind an http / https proxy for internet access.
Automad works so far, but switching to the individual areas (Dashboard, System settings) is extremely slow!
When accessing Packages, the error message "Packagist packages could not be loaded" (german: Pakete von Packagist konnte nicht geladen werden) appears after a while.
I discovered the problem in other discussions here and assume that it concerns access via cURL behind an internet proxy.
The query via XAMPP Shell and curl confirms my assumption: Access to packages.automad.org is suppressed.
(curl: (7) Failed to connect to packages.automad.org port 443: Timed out)
In the other discussions, (local) SSL certificates are mentioned again and again:
But is there also the option of configuring an existing proxy (with authentication) for access from Automad to the Packages?

Headless Mode

I just started digging into your cms and though it takes a while to get into, it looks interesting.
I wonder why there is no authentication or API token? Is this secure? (Totally new to this)

And when turning on headless, I directly get the json file. So I would probably install automad in a subdir and then retrive the json file?!

Cannot login or do anything after installation.

After installation, if I try to access /dashboard or any other page than the home page, the home page is rendered regardless of what link I visit. Basically, whatever link I click, the same home page is rendered. I simply cannot do anything. Example gif

I'm trying this on Debian 10, with Nginx as web-server. The configuration is very basic:

server {
	root /srv/www/webapp;
	index index.php index.html index.htm;
	server_name domain.com www.domain.com;
	location / {
		try_files $uri $uri/ /index.php$is_args$args;
	}
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php7.3-fpm.sock;
		include        fastcgi_params;
	}
	location ~ /(bin|config) {
		deny all;
	}
	location ~ /\.ht {
		deny all;
	}
}

There are no errors in error.log and access.log displays the usual.

Is there anything I'm missing in the setup process? I've tried both manual and composer methods.

I've chowned the files to www-data user:group. Do I need special permissions to a file or folder that I don't know of?

Security question / problem?

Hi, we deployed automad on a webserver of a very security conscious webhoster this week. He contacted me today and was very concerned that the system is trying to use "sudo" commands to gain access to the system. Usually this is related to hacking attempts according to him.

We tried looking through your code but could not find the source for this. According to his security logs, the problem occurs when someone is active in the dashboard. In his logs there is a POST request from /dashboard?ajax=autocomplete_search which triggers the mentioned "sudo" attempt. He has the theory, that some kind of malicious code is inside the javascript which triggers the POST. But since the JS is quite complex we are unable to verify easily.

Therefore we would like to ask you who knows the code best, if this is normal that automad is trying "sudo" commands on the server? We already tried deleting the whole installation and did a fresh install from your github repo and the problem persists. If this is not normal for automad then do you have an idea how this can happen?

Please help. Regards, Steffen

Feature Request: Disqus Integration

Hi,

I would like to request a feature to integrate Disqus for an easy comments feature for automad. While it is technically possible to integrate Disqus with the current features, there are a few drawbacks:

We need to place the following Disqus code:

<div id="disqus_thread"></div>
<script>
    /**
    *  RECOMMENDED CONFIGURATION VARIABLES: EDIT AND UNCOMMENT THE SECTION BELOW TO INSERT DYNAMIC VALUES FROM YOUR PLATFORM OR CMS.
    *  LEARN WHY DEFINING THESE VARIABLES IS IMPORTANT: https://disqus.com/admin/universalcode/#configuration-variables    */
    /*
    var disqus_config = function () {
    this.page.url = PAGE_URL;  // Replace PAGE_URL with your page's canonical URL variable
    this.page.identifier = PAGE_IDENTIFIER; // Replace PAGE_IDENTIFIER with your page's unique identifier variable
    };
    */
    (function() { // DON'T EDIT BELOW THIS LINE
    var d = document, s = d.createElement('script');
    s.src = 'https://your-disqus-site-name.disqus.com/embed.js';
    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
    })();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>

From here we can see the limitations:

  1. There seems to be no way of appending this to blog posts (for example), apart from placing it in the Item Footer field. But placing it there would most likely break your current theme, since the Disqus widget's width will extend to the footer's width rather than the article's width.
  2. It would be great if we could have a post variable that we can use to get PAGE_URL, instead of just inputting it manually.
  3. Same as 2, PAGE_IDENTIFIER can just be the post's slug, but a post variable feature would be great.

Anyway, I'm enjoying automad so far!

Question / FR - Separate tab for Page Content

I really like the clean/straightforward GUI of Automad, however, there's one thing I cannot get used to:

Currently, a Page has 2 tabs: "Data and Settings" and "Uploaded Files".

IMHO the most important part of the page, the "Content" should deserve a separate tab. Now it needs too much scrolling and often hard to see through the tons of information, especially when multiple sections are expanded/opened.

Once "Data and Settings" are configured well (after creating a page), users only want to change (see or mess with) content. I think...

What's your opinion?

PATHINFO (even when empty) prioritized above REQUEST_URI (even when non-empty)

Hullo, Automad noob here.

When setting up for the first time (via composer create-project) I found I was unable to access anything except the homepage. Following links to /dashboard or to demo content such as /work/a-project-page had no effect, they just caused the homepage to reload.

On doing some debugging I noticed that, regardless of the actual URL path, AM_REQUEST was being set to (string) '/', which explains the behaviour I was seeing. From there I took a look at Automad\Core\Request::page() and I think the problem is in the order of operations. The way it works reads to me like this:

  • If the query string is used to contain the path, that is processed first.
  • Otherwise, it looks at different $_SERVER values to discover the path.

In the second of those cases, it will check if PATHINFO is set first and will use that value, otherwise it looks at ORIG_PATH_INFO and so on. The problem for me was that PATHINFO was set, but to an empty string. REQUEST_URI was also set, and that is where the path string was living. Hopefully that all makes sense so far.

Of course, others may not see this problem: a lot depends on how things outside of Automad (i.e., at Nginx or Apache level) are configured. However, it seems like it would be a shame to let this potentially stop others from using and experiencing Automad as it seems like a great tool. I was curious on your thoughts on this ... would you be open to considering either of the following approaches?

  • Prioritizing REQUEST_URI above PATHINFO (on the basis that the latter is a bit of an edge-case scenario these days)?
  • Or, keeping the existing order but changing the logic so that instead of testing if PATHINFO, ORIG_PATH_INFO, REQUEST_URI, ... are set it tests if they are non-empty.
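The following is an added example, not Automad's own `Request::page()`, that reproduces the lookup order the issue describes and contrasts the `isset` check with the "non-empty" check suggested in the second bullet. It assumes the post's "PATHINFO" means `$_SERVER['PATH_INFO']`, leaves out the query-string branch, and takes the server array as a parameter so it runs offline on a constructed sample. It also normalizes the result (collapsing `.` and `..` segments after URL-decoding) so whatever source wins cannot point above the content root.

```php
<?php
// Added example (not Automad's code): resolve the page path from a $_SERVER-like
// array in the order the post describes, with and without skipping empty values.
// Assumption: the post's "PATHINFO" is $_SERVER['PATH_INFO'].

declare(strict_types=1);

/**
 * @param array<string,string> $server   server variables (injected so it runs offline)
 * @param bool $requireNonEmpty  false = stop at the first key that is set (the behaviour
 *                               the post observed), true = skip keys holding ''
 */
function resolveRequestPath(array $server, bool $requireNonEmpty): string
{
    $candidates = ['PATH_INFO', 'ORIG_PATH_INFO', 'REQUEST_URI'];
    $path = '';

    foreach ($candidates as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        if ($requireNonEmpty && $server[$key] === '') {
            continue;            // an empty PATH_INFO no longer shadows REQUEST_URI
        }
        $path = $server[$key];
        if ($key === 'REQUEST_URI') {
            // REQUEST_URI still carries the query string; keep only the path part.
            $path = (string) parse_url($path, PHP_URL_PATH);
        }
        break;
    }

    return normalizePath($path);
}

/**
 * Decode each segment, drop "" / "." segments, resolve ".." against the segments
 * already collected (never above the root), and return a path with a leading slash.
 */
function normalizePath(string $path): string
{
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        $segment = rawurldecode($segment);   // decode before checking for dot segments
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

// Constructed sample: PATH_INFO is present but empty, the real path lives in REQUEST_URI.
$server = [
    'PATH_INFO'   => '',
    'REQUEST_URI' => '/work/a-project-page?preview=1',
];

echo resolveRequestPath($server, false), PHP_EOL;   // isset() order from the post
echo resolveRequestPath($server, true), PHP_EOL;    // non-empty check from the post
```

With the `isset` order the empty `PATH_INFO` wins and the function returns the root path, which is the homepage reload the post describes; with the non-empty check it falls through to `REQUEST_URI` and returns the `/work/a-project-page` path without its query string.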

Consider changing the default dir and file permissions and/or use of `umask`

There are two main approaches to giving the web server access to files. I'm not sure the details are relevant. What is, I think, is this. While trying them out, I kept losing control of the files Automad was creating.

I tracked it down to this:

		// PERMISSIONS
		self::set('AM_PERM_DIR', 0755);
		self::set('AM_PERM_FILE', 0644);

Automad is using too-restrictive permissions.

The good news — very good news! — is that I was able to change the defaults by adding them to my config.php. (One quirk: config.php uses JSON syntax, and JSON doesn't support octal notation; I had to convert the permissions to decimal. That feels... very strange.)

The odd thing is that Automad also sets the umask. I don't think that's right? I think the right thing is a) setting "maximum" permissions and then b) combining them with the user's umask. Without changing the user's umask. That way the user effectively chooses the permissions.

If you take a look at Symfony, you can see that they always use 0777 for directories and 0666 for files, so I think that's right. But if you like I can go looking for further (and more definitive) evidence.
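As an added example (not Automad's or Symfony's code), the block below shows the two mechanics the post touches on: the decimal integers a JSON config must carry for octal modes such as `0755`, and how a mode passed to `mkdir()` is combined with the process umask, so that permissive defaults plus the user's umask yield what the user chose. The `AM_PERM_DIR` / `AM_PERM_FILE` names are the ones quoted from the config above; the JSON snippet is constructed, and the temp-directory demonstration assumes a POSIX system where `mkdir()` honours the mode argument.

```php
<?php
// Added example (not Automad's code): octal <-> decimal for JSON configs, and
// requested mode & ~umask as the effective mode of a newly created directory.

declare(strict_types=1);

/** Convert an octal string such as "0755" into the integer JSON can carry. */
function permToJsonInt(string $octal): int
{
    return (int) octdec($octal);
}

/** Show an integer permission back in the familiar octal form. */
function permToOctal(int $mode): string
{
    return '0' . decoct($mode);
}

/**
 * Effective mode of a directory created with mkdir($dir, $requested): the kernel
 * clears every bit that is set in the umask, so the user's umask decides.
 */
function effectiveMode(int $requested, int $umask): int
{
    return $requested & ~$umask;
}

// Constructed JSON config: the same values as the PHP defaults, written in decimal.
$config = json_decode('{"AM_PERM_DIR": 493, "AM_PERM_FILE": 420}', true);
printf("AM_PERM_DIR from JSON: %s\n", permToOctal($config['AM_PERM_DIR']));
printf("AM_PERM_FILE from JSON: %s\n", permToOctal($config['AM_PERM_FILE']));
printf("0755 as JSON integer: %d\n", permToJsonInt('0755'));

// The 0777 / 0666 defaults the post mentions, combined with two common umasks.
foreach ([022, 002] as $mask) {
    printf("umask %s: dir %s, file %s\n",
        permToOctal($mask),
        permToOctal(effectiveMode(0777, $mask)),
        permToOctal(effectiveMode(0666, $mask)));
}

// Same rule observed on a real temporary directory (removed afterwards).
$oldMask = umask(022);
$dir = sys_get_temp_dir() . '/automad-perm-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0777);
clearstatcache();
printf("mkdir(0777) under umask 022 gave %s\n", permToOctal(fileperms($dir) & 0777));
rmdir($dir);
umask($oldMask);
```

The point of `effectiveMode()` is the one the post argues: if the application passes a maximum mode and leaves the umask alone, a user running with umask `022` gets `0755`/`0644` and one with `002` gets `0775`/`0664`, without any config change; an application that also resets the umask takes that choice away from the user.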

Feature request: Drag/drop ordering for pages in dashboard

It might be nice, instead of manually editing/adding a page prefix for ordering, if that is handled behind the scenes, and not shown in the page tree. (The index field would probably still be needed to keep track of page order).

drag a page in tree to reorder

Adding a new page would add the page to the bottom of the tree (auto increment the highest index)

Consider adding "enum" theme vars

Consider adding a type of theme var where the presentation is a list of theme-defined values. I could give some examples, but in fact Automad already uses such a thing in some of its block configurations!

Add custom field to file upload

By now there is the caption field for images. I managed to add a ".webp type" via the config.json. Now how would I add, for example, an alt tag field for that file?
