Download Plikli

Plikli 4.1.5


Plikli CMS 4.1.5 Changelog

Upgrade Instructions

Plikli CMS halted the upgrade of Pligg and Kliqqi versions. The upgrade will only process Plikli CMS versions 4.0.0 and 4.1.0.

I tested the upgrade on localhost and live servers, using different instances of Plikli 4.1.0 and different database sizes.
Due to dropping old indexes and adding new ones, namely in the links table, which is normally very large, the upgrade script was timing out from the MySQL server.
The best solution was to detect the size of each table and run an automatic upgrade via the upgrade script on all the tables that are less than 50 MB in size. The script will give you all the MySQL statements that you must manually run in phpMyAdmin for the tables that are larger than 50 MB.


  • Plikli CMS is now fully compliant with PHP 7.2.18
  • Cumulative updates to functions and code modification to be fully compliant with PHP 7.
  • Introduced a new “Recommended Settings” page under the Manage section in the dashboard, to help Admins with the configuration of their site. It has 3 sections: “MUST CONFIGURE”, “RECOMMENDED CONFIGURATION” and “DID YOU KNOW?”
  • Substituted the deprecated each() function with current() and foreach()
  • Gradually applying the PHP PSR-1 PSR-2: Coding Style Guide.
  • Enhanced the login attempts code.
  • Synchronized all language files by removing all obsolete definitions and adding the new ones where missing. Removed the Turkmen language file, composer.json and composer.lock
  • Modified code to accurately get the MySQL Server and Client API versions.
  • Added more statistical data and information to the Statistics Widget.
  • Implemented a better function to accurately close HTML tags when the story content is truncated and replaced with Read More.
  • Fixed the tags insert process. When inserting tags, the tags cache table was truncated and rebuilt after every submit and after every article edit, even if the tags were not edited. It put too much strain on the server and took a long time when importing feeds with a lot of articles.
  • Introduced a new setting / feature, SMTP to test the email sending on localhost, even with a fake email address and removed the usage of phpmailer4 and phpmailer5. Every email sending feature is using the full phpmailer library. In addition, the message will be printed on the page after it is sent. Note that this feature is for development on localhost only and only Admins can test it.
  • Introduced new setting “Use the new Story layout?” and added new Dashboard setting to allow Admins to choose the Story layout they want in Dashboard -> Template Settings. Note that a minor cosmetic was applied to the default bootstrap template to give a different look to toolbar and content section of the story.
  • Converted all tables and columns TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
  • Added a PRIMARY KEY to the total_story_views module.
  • Populating the input text box with the accurate protocol (http / https) – Upload Module
  • Added a caution explanation to the killspam feature.
  • Updated the descriptions of allow draft, allow scheduled and Complete submission on Submit Step 2 to warn Admins that if Complete submission on Submit Step 2 is set to false, it will prevent the allow draft and allow scheduled features from working.


  • Upon submitting and editing stories, tags fields are stripped of any character that is not alphanumeric, underscore, hyphen or comma. However, I noticed that RSS imports tags with an apostrophe, which is causing an error in the query. I applied more filtering to remove the apostrophe because it is also removed in the search.
  • Fixed a minor issue that is not causing any problem, caught by John on the Plikli forum. Titles were not trimmed, and a space at the end of the title was replaced by a hyphen.
  • Fixed the special characters appearing in the description. Reference
  • Fixed the “ALL” tags that appears in the tools bar under the story title. Reference
  • Fixed the approved IP entries in /logs/approvedips.log. The IP was written with a space at the end, and therefore the check for the IP in the approved IPs log was always returning false.
  • Fixed the code where notify author is checked when an article is edited. There was no code to process the multiple categories when this setting is set to true in Dashboard -> Settings -> Submit -> Allow multiple categories. As a result, the code checking the equality of the categories always returned false, so they were included in the notification email even though the categories were not modified!
  • Fixed the error types that were only displaying the last error. Avatar upload errors are now an array, and all relevant errors are displayed. Files affected: profile.php and user_navigation.tpl
  • Fixed 2 bugs to accurately pull the language definition from both the subscribe to comments module and the Plikli language files.
  • Fixed the sidebar_saved module to eliminate some errors in loading Plikli language file, and added Chinese language file.
  • Fixed some PHP warnings and notices. (This work is ongoing)

Installation / upgrade

  • Added protocol detection to warn that an SSL Certificate should be installed before installing Plikli CMS.
  • Updated all install/upgrade files for the new version.

Plikli CMS 4.1.0 Changelog


At Plikli CMS, we are striving to enhance the security and safety. We are constantly testing for vulnerabilities and immediately fixing any found issue!

The next Plikli CMS version will be released with PDO and prepared statements and a complete revamping of the hashing system.

  • Redwine: Fixed SQL injection and XSS vulnerabilities:
    • We are grateful to netsparker who brought to our attention two SQL injection and three Cross-site Scripting vulnerabilities!
      All fixed!
  • New strong password hashing and verification, plus a more secure cookie
    • kshitij Kumar: Contributed the new strong password hashing and verification, plus a more secure cookie.
    • Redwine: added a backward compatibility to PHP version 5.4.
  • Redwine: Added rel="noopener noreferrer" where target="_blank" and rel="nofollow noopener noreferrer" where target="_blank" rel="nofollow".
  • Redwine: Enhanced the sanitizing and filtering of input fields.
  • Redwine: modified javascript to better control and sanitize the input on the submit and edit story pages.
  • Redwine: Added Feature, originally presented and implemented by Edric Teo. It uses Have I Been Pwned (HIBP) API to check if a password entered by a user has been pwned and is therefore insecure. It is implemented throughout Plikli CMS where a password is required, i.e., upon Plikli installation; user registration; user changing password; user requesting to recover password; Admin changing user’s password!
  • Redwine: Added a Notice on all
    1. Dashboard pages where a CSRF token is available to remind Admins that the page expires in X minutes after which they have to refresh the page before taking any action/modification on it.
    2. Profile and profile settings pages. Only the owner of the profile will see the notice.
    3. Group edit/avatar change pages. Only Group creator/admin, Site admin and Site Moderator will see the notice.
  • Redwine: Complete fix to the CSRF check and validation.
    1. Strengthening the token using more secure functions.
    2. Fixed the validation and expiry checks that were partly incorrect.
    3. Fixed the debug utility that was not working since Pligg early versions.
  • Redwine: Added a checkpoint to prevent disabling the Admin, creator of the site.
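
The Have I Been Pwned check listed above relies on the Pwned Passwords range lookup, where only the first five characters of the password's SHA-1 hash leave the server. The following is an added example of that matching logic, not Plikli's own code; the function names are hypothetical and the response body is constructed so the block runs offline.

```php
<?php
// Added example, not Plikli's code; all function names are hypothetical.

/** Split SHA-1(password) into the 5-char prefix sent to the API and the
 *  35-char suffix that stays on the server (k-anonymity range lookup). */
function hibp_split_hash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

/** Find $suffix in a range response ("SUFFIX:COUNT" per line).
 *  Returns the breach count, or 0 when the suffix is absent. */
function hibp_count_in_range(string $suffix, string $body): int
{
    foreach (preg_split('/\r\n|\r|\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue; // blank or malformed line
        }
        if (strcasecmp($parts[0], $suffix) === 0) {
            return (int) $parts[1];
        }
    }
    return 0;
}

/** $fetchRange(prefix) returns the response body or null on failure. It is
 *  injected so the logic runs offline; a live version would request
 *  https://api.pwnedpasswords.com/range/<prefix>. */
function password_is_pwned(string $password, callable $fetchRange): bool
{
    list($prefix, $suffix) = hibp_split_hash($password);
    $body = $fetchRange($prefix);
    if ($body === null) {
        return false; // assumption: fail open and rely on the other password rules
    }
    return hibp_count_in_range($suffix, $body) > 0; // count 0 = not found
}

// Constructed response body for prefix 5BAA6 (SHA-1 of "password" starts with it).
$sample = "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\r\n"
        . "FFB1B5C0A5F0E4B1C2D3E4F5A6B7C8D9E0F:0\r\n";

// Constructed stand-in for the HTTP call: only the sample prefix has data.
$fetch = function (string $prefix) use ($sample) {
    return $prefix === '5BAA6' ? $sample : '';
};

foreach (['password', 'a-long-unrelated-passphrase'] as $candidate) {
    printf("%-30s %s\n", $candidate, password_is_pwned($candidate, $fetch) ? 'reject' : 'accept');
}
```

Whether a failed lookup should block the password change or let it through is a policy choice; the example lets it through so that an API outage does not lock users out.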

Bugs fixed

  • Redwine: Corrected the error statement to display found errors on the registration form.
  • Redwine: Corrected the config_load file path and the history.go to go back to the compose message rather than the user profile.
  • Redwine: Fixed a bug to correctly show the follow/unfollow button depending on the user’s status.
  • Redwine: Fixed the regex that was not allowing a comma in the tags field.
  • Redwine: Fixed bug ‘function tags_insert_string’ call was typed over when adding code for the Draft and Scheduled articles. It is needed to insert the tags upon submitting/editing an article!
  • Redwine: The config_load file was not correctly commented in the Upload Module.
  • Redwine: bug caught by @kshitij Kumar. Footer in error and register pages was not loading the CMS language file. Traced the bug back to Pligg versions 2.
  • @kshitij Kumar: Fixed bug, user search button was not working.
  • Redwine: Fixed a bug in edit_submission_center.tpl that was showing the draft option when draft is not enabled in the dashboard.


  • Redwine: Updated all the install files for all the languages included with Plikli CMS.
  • Redwine: Accounting for MySQL Server version to correctly insert the proper value during the creation of the table and when altering the varchar for link_url column, during the upgrade.
  • Redwine: Added a detection to MySQL Client Server to display in the statistics Widget.
  • Redwine: Added a link, in the Dashboard Tools Widget, to review the Site’s Roles and Permissions for each user level.
  • Redwine: Enhanced the htaccess to correctly force www or https or both.
  • Redwine: Modified the message that displays at the top of the Modules page in Dashboard, to remind Admins to read the readme file before installing a module to check the requirements and how it works.
  • Redwine: Updated the CKEDITOR for Plikli CMS Module.
  • Redwine: Fixed footer alignment on mobile devices.
  • Redwine: Modified the code to show immediate validation message under the appropriate field on the registration page.
  • Redwine: Removed extra unnecessary code from the Live files.
  • Redwine: Prevented the register and login pages from loading if the user is already signed in!
  • Redwine: Fixed the total story views module:
    1. Added a column to total story views table `view_link_count` to hold the views count for each link_id
    2. Modified the module’s installation to check if module was previously installed, then it recreates the table with new structure and count.
    3. Modified the settings array from $upload_places to $story_view_places because of a conflict causing the modules settings in dashboard to not load the places or to load those from the upload module.
  • Redwine: Fixed many regex to be UTF-8 compatible.


Plikli CMS 4.0.0 Changelog

Security Vulnerabilities


  • Fixed a security issue in the password recovery. Issue discovered by Kshitij Kumar, a longtime contributor to the community! Hats off, Kumar!
  • Added more security to users requesting a forgotten password and validating it.
  • Fixed XSS and SQL injection vulnerabilities, discovered by Edric Teo. Hats off, Edric!

HTTPS Compliance

Hats off to Mark Wakeling, a longtime contributor to the community, who presented a complete solution to make the CMS fully compliant and working on SSL secure servers. It automatically detects if it is HTTPS and if a port other than the default 80 is used. His solution also fixed the solvemedia errors on https.

Migrating to MySQLI and replacing all Class Functions with Constructors

Thanks to Kshitij Kumar who contributed the migration from MySQL to MySQLI and replaced all Class Functions with Constructors!


Installation and Upgrade

  • Updated the installation and upgrade files for version 4.0.0
  • The upgrade system will upgrade:
    Pligg 1.2.2; 200rc1; 200rc2; 2.0.0; 2.0.1; 2.0.2; 2.0.3
    Kliqqi 3.0.0; 3.5.0; 3.5.2
  • Enhanced the pre-install check for required files and permissions. Admins don’t have to manually rename the required files and apply the correct CHMOD to files and directories; the troubleshooter will dynamically rename the files and fix all files and permissions.
  • Enhanced the troubleshooter for installation/upgrade; Provided an additional feature to select a language file and all the other 22 requirements are fixed by the script!


  • Integrated two new Draft and Scheduled features in Plikli CMS.
  • Fixed changing status to moderate in the submissions manage page.
  • Reordered some HTML that was incorrectly positioned and appeared when HTML tags are not allowed.
  • Applied styling to the votes class in the sidebar.


  • Modified the preg_match to better grab the content of the title tag because we encountered a couple of sites that use non-standard HTML coding, with many title tags on the page and a title that is coded with hard returns across many lines.
  • Added code to not link the title when description is empty.


  • Accurately display the search term in the breadcrumb.
  • Advanced Search, the search input box name was not included in the submitted search query; I added it! Also noticed that a “?” in the search term will break the search query and does not return any results. So, I stripped it before sending the query.
  • Advanced Search, to capture the checked radio buttons when there are many groups of radio buttons in the form we must capture each group name separately. I added the proper JavaScript for that.
  • Fixed the search Regular Expression to properly create the URL of the search for the term while in SEO URL method 2.


  • Added Smarty assign for the length of the comment to be able to provide the relevant warning in the error template file.
  • Modified code to allow HTML tags in comments.
  • Reordered some HTML that was incorrectly positioned and appeared when HTML tags are not allowed.


  • Fixed the meta description; this condition applies when on the main page. The “PLIKLI_Visual_What_Is_PLIKLI_Text” contains HTML tags and htmlentities only converts the tags. We need to remove the tags from the description; I sanitized it.
  • Made the Twitter card and Open Graph compliant with the standard.
  • Fixed meta file to grab the default og:image.

Admin – Backup

  • Modified the Admin backup feature. The new process was tested on a 390 MB database successfully, and in less than 1 minute! The backup process will also correct the CHMOD to the backup directory in case it was not correctly set.

Admin – Permissions

  • Restricted moderators from changing the comment status where authors are Admins.
  • Restricted moderators from changing the story status where authors are Admins.
  • Added the case and action code for the level “moderated” that was missing in the Dashboard Manage Submissions.

User Avatar

  • Added check for the size of user uploaded avatar (set in dashboard). Issue suggested by Adam Burton.
  • Modified the user avatar dimensions to 32px instead of 16px in the story tools-bar, and corrected the font-size of many classes and elements that had 0.85em; this was incorrect because a <p> element set to 0.85em whose parent is also set to 0.85em will be rendered at 85% of the parent, which will be 72% of the parent!


  • Modified some template and PHP files to accurately reflect the HTML tag id to add a label tag to improve accessibility.


  • Removed hard-coded sections and tabs titles and created Language definitions in the Language files.


  • Removed obsolete code related to masonry.
  • Added a tool-tip to explain the “discard” function used in the drop-down gear beside each article.

Bug Fixes

(all bugs reported on Kliqqi forum and some more)

  • Corrected the CHMOD values


  • Prevented the change password Form from loading if there was an error in the recovery.

SEO URL method 1 & 2

  • Made both URL method 1 and 2 consistent by setting the return to the root.


  • Fixed Wrong Markup on Categories.


  • Added a hook to check for Captcha errors. Previously there was no check when the Captcha was not solved, and users were returned to the registration page without knowing why.
  • Fixed Captcha error on submitting a story. It was bypassed.


  • Fixed user Avatar URL redirection when changing the user avatar. Now it works in both SEO URL method 1 and 2.


  • Fixed the create user in the dashboard. The Form was submitted with wrong or missing data and the Admin would not know what went wrong.


  • Modified the delete story PHP file to accurately return to the page or category or group after deleting a story, in SEO URL method 1 and 2.


  • Fixed the sidebar Statistics Widget that was not in sync with the data displayed in the widget in the Dashboard; it was including all users levels.


  • Fixed a bug (submitted by Kshitij Kumar) in the makeUrlFriendly function that was appending a number to the number of links with duplicate titles. In case one of the links, with duplicate title, was deleted, the function adds 1 to the count of duplicate titles and we might end up with a duplicate title again. Example:
    if about-draft-feature-2 is deleted and another link is submitted with the same title, the function finds that we have $n = 2 duplicate titles and returns a new title: about-draft-feature-$n+1 which means about-draft-feature-3. And we end up with duplicate titles again!
  • Escaped the link title in case it has an apostrophe or any other character that might generate an error in the MySQL query.
  • Modified quotations in queries.
  • Added a notice when URL is not required to submit to let users know that Editorial is set On.
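
The duplicate-title case described above, reproduced as an added example that is not Plikli's makeUrlFriendly code. Both function names are hypothetical, the slug list is constructed, and the second function is one possible fix rather than the one Plikli applied.

```php
<?php
// Added example; function names are hypothetical, not Plikli's makeUrlFriendly.

/** Count-based suffixing as described in the changelog entry (the bug):
 *  the suffix is derived from how many matching slugs currently exist. */
function slug_by_count(string $base, array $existing): string
{
    $pattern = '/^' . preg_quote($base, '/') . '(-\d+)?$/';
    $n = count(preg_grep($pattern, $existing));
    return $n === 0 ? $base : $base . '-' . ($n + 1);
}

/** One possible fix: probe suffixes until a slug that is not in use is found,
 *  so a gap left by a deleted link cannot produce a collision. */
function slug_first_free(string $base, array $existing): string
{
    $taken = array_flip($existing);
    if (!isset($taken[$base])) {
        return $base;
    }
    for ($i = 2; ; $i++) {
        $candidate = $base . '-' . $i;
        if (!isset($taken[$candidate])) {
            return $candidate;
        }
    }
}

// Constructed state: three links shared the title, then "-2" was deleted.
$existing = ['about-draft-feature', 'about-draft-feature-3'];

$buggy = slug_by_count('about-draft-feature', $existing);
$fixed = slug_first_free('about-draft-feature', $existing);

printf("count-based: %s (already taken: %s)\n", $buggy, in_array($buggy, $existing, true) ? 'yes' : 'no');
printf("first-free:  %s (already taken: %s)\n", $fixed, in_array($fixed, $existing, true) ? 'yes' : 'no');
```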


  • Fixed a bug that was displaying an empty link when the user profile “Homepage” field is empty.


  • Chuckroast (work done after the release of kliqqi 3.5.2)
    Moved the modules wrappers to /templates/bootstrap/default_modes/ to make it easier and friendly for template developers making the sidebar modules uniform with the rest of the CSS. Affected modules:

    • sidebar_comments
    • sidebar_saved
    • sidebar_stats
    • sidebar_stories
    • sidebar_tag_cloud


  • Modified Admin Snippet module and introduced a new option where Admins can activate/deactivate a snippet without needing to delete it if they don’t want to use it anymore!
  • Created an Extra Fields editor in the Dashboard; no manual file editing to use the Extra Fields anymore. (see also the work done in Config & Dashboard)
  • Removed the Field Validation Method and Field Validation Error Message, from Extra Fields, because the browser uses its own validation and message when a field is required. Tested in Chrome, Opera, Firefox, IE 11 and Edge!
  • Enhanced the links module to also embed Facebook and YouTube videos and audio and images URLs.
    • Reinstated the “nofollow” field to the Links module’s settings.
    • Added converter to images for URLs with .png, .jpg, .jpeg, .gif
    • Added conversion to YouTube and Facebook video URLs to videos.
    • Added conversion to certain audio files extensions: MP3; OGG; WAV.
  • Fixed the XML Sitemap link to show in the left sidebar under modules; created templates folder to show the module’s settings link in the left sidebar of the dashboard.
  • Fixed Upload Module, where “upload_fileplace” was defaulting to tpl_plikli_story_who_voted_start. The default now is upload_story_list_custom. Explanation is provided in the label of this field “Where to embed story file list”, the default is “upload_story_list_custom”, which means it is not set.

New Modules

  • Total Story Views: captures the views when a story is viewed in full view, on the story page. Its settings include:
    Placement where you want the number of views displayed.
    Sidebar display ON/OFF and the number of story to display.
  • CKEditor: Modified to work with what HTML tags the Admins allows. It detects the allowed HTML and ONLY loads those.
  • Scheduled Posts feature and Module: Admins can activate/deactivate this feature from the Dashboard settings. This feature allows users to submit scheduled posts and the Module will post them on the due date.
  • Subscribe to Comments: users can now subscribe/unsubscribe to articles of interests.
    • Globally by setting this option on in their profile settings to subscribe/unsubscribe them to receive notification on all the stories they submit.
    • Individually subscribing to the stories of interest by clicking the subscribe/unsubscribe button placed above the comments form.
  • RSS Import: I fixed a few things to make it work and also added/corrected a few processes to create a CRON job and make it work properly.


  • Modified the query to exclude members that are banned or flagged and inactive.
  • Accurately get what a group member can share. The modifications will only pull the groups where a group member can share a story that has not been shared by the user or any other group member; a story will not be shared twice to the same group.
  • Created get_group_shared_membered function to allow a group member who shared a story to unshare it. Group Admins also have the same privilege to unshare a story shared by group members.
  • Fixed the group avatar display that was not displaying unless refreshing the page and generating a CSRF error when refreshing.
  • Fixed the modal window not displaying the correct information upon uploading an avatar.
  • Added check for size of group uploaded avatar (set in dashboard). Issue suggested by Adam Burton

Config & Dashboard

  • Draft posts new settings in the Dashboard configuration.
  • Modified the submit template file based on the Draft settings in the Dashboard.
  • Scheduled Posts feature and Module.
  • Enable/Disable Registration.
  • Message to display when Registration is disabled.
  • Enable/Disable Submitting articles.
  • Message to display when submitting articles is disabled.
  • Enable/Disable Comments.
  • Message to display when Comments is disabled.
  • Maximum Avatar image size allowed to upload.
  • Allow Groups to upload own avatar.
  • Maximum Group Avatar image size allowed to upload.
  • rel="nofollow", true or false.
  • Maintenance mode from the Dashboard, under Location Installed settings.
  • Dashboard Editor to edit the Extra Fields file and activate the desired fields!
  • Removed the “Submit Summary Allow Edit” from the settings, because it is obsolete after implementing the “Read more” feature.