Uncaught exceptions, fatal errors, and the DB-connection failure now produce a consistent response: the full error detail in debug mode, a clean 500 in production, and never an HTML page inside a non-HTML response. Detail goes to the log; nothing internal is shown to visitors in production.
Core changes:
- Error responder (core/security.php):
- Add setErrorOut(): recursion-guarded; skips non-HTML requests (go=1/2/3/4/5/asset/captcha/rss/xsl or headers already sent) with a status-only 500; debug shows the detail via setExit() (status 200, so nginx never intercepts it); production renders setError(500)
- set_exception_handler() now routes through setErrorOut() and logs the full trace; rendering is decoupled from security.error_log so a clean 500 page appears even with logging off
- register_shutdown_function() logs fatals (when enabled) and sets a 500 status without a heavy render (process state may be broken)
- setError() status map gains 503 Service Unavailable
- Database connection (core/classes/pdo.php):
- On PDOException, gate the detail by security.error: debug shows it (setExit), production renders setError(500); the detail is logged in both cases
Technical notes:
- App-emitted errors render the SLAED page with Cache-Control: no-store; status via http_response_code() (HTTP/2 safe)
- Debug detail is served as 200 so it survives nginx without fastcgi_intercept_errors off; the full stack trace is written to the log
- Behavior change: uncaught errors no longer fall through to raw PHP output; production no longer leaks DB internals to the page
Document that PHP-generated 404/403/503/500 must pass through (fastcgi_intercept_errors off) so SLAED's branded page and no-store headers reach the client, and separate app-emitted 5xx from infrastructure 5xx (502/504) that only nginx can answer.
Core changes:
- Performance guide (docs/PERFORMANCE.md):
- New "PHP error pages" subsection under the web-server configuration section
A DB-connection failure and the site-closed gate returned 200, which misleads crawlers and monitoring. They now carry the correct status, and the DB error detail is logged instead of shown to visitors.
Core changes:
- Database connection (core/classes/pdo.php):
- On PDOException, log the detail via Logger and render setError(500) instead of setExit() (was 200; also stops leaking the raw DB message to the page)
- Maintenance gate (index.php):
- Closed-site response now sends 503 Service Unavailable while keeping the _CLOSE_TEXT page
- Error helper (core/security.php):
- setError() status map gains 503 Service Unavailable
Technical notes:
- App-emitted 5xx render the SLAED page (status via http_response_code(), Cache-Control: no-store)
- captcha JSON 503 left as-is; infra 5xx (502/504) remain nginx's responsibility
Align the error page presentation with the removed auto-redirect.
Core changes:
- Error page (templates/lite/pages/message.html):
- Render "<title> - <sitename>" when a page title is set
- Localization (lang/*.php):
- _ERROR_PAGE now invites returning home or using search instead of announcing a redirect (de/en/fr/pl/ru/uk)
Missing content, out-of-range list pagination and access-restricted pages now emit proper 404/403 instead of redirecting or returning 200, so crawlers stop indexing soft-error pages. Error rendering is consolidated into one setError() helper.
Core changes:
- Error helper (core/security.php):
- Add setError(int $code): status via http_response_code(), conditional logging, standard error page
- Drop the meta-refresh auto-redirect from setExit() (soft-404 / WCAG 2.2.1 anti-pattern)
- Route the bootstrap $_GET['error'] handler through setError(), removing the 40-line $http status map
- Frontend modules (modules/*/index.php):
- view(): 404 when the item does not exist
- list/liste(): 404 when a page beyond the first yields no rows
- forum: 404 for out-of-range topic pages and unpublished topics, 403 when category read is denied
- broken()/loading(): 404 on invalid requests
- Module gates (index.php):
- view=1 / view=2 access denials now send 403
Technical notes:
- http_response_code() is HTTP/2-safe; error responses keep Cache-Control: no-store
- Backward compatible; php -l and phpstan clean
Core changes:
- News block (blocks/news.php):
- Initialize $content before the result loop to avoid an undefined variable
- Base styles (templates/lite/assets/css/base.css):
- Fieldset uses margin-top instead of an all-sides margin
Wrap the nickname/password inputs of the user-info block login form in <label> for implicit association, matching the block-login-form fix.
Core changes:
- block-user-info.html:
- Wrap nickname and password inputs in <label>
Remove horizontal scroll across phone, tablet and laptop widths in the lite theme and tidy the touched comments to the project style.
Core changes:
- Footer grid (theme.css):
- Mobile grid tracks use minmax(0, 1fr) and grid items get min-width:0 so content wraps instead of forcing the column wider than the viewport
- Header and side elements (theme.css):
- Login dropdown closed state is position:fixed on mobile so its off-screen box no longer widens the page; the JS-opened state still positions in view
- Demo-line version pane wraps on narrow screens; header version pane is hidden on mobile (duplicate of the demo-line and footer CTA)
- Remove the -30px bleed margins on the logo and header pane that pushed them past both viewport edges on laptops (<=1352px)
- Hide the fixed left-edge idea/feedback tabs on mobile (they overlapped the menu and blocked taps)
- Comments (theme.css):
- Single-line, no trailing period, ASCII per .rules/global.md
Benefits:
- scrollWidth == clientWidth from 320px to 1680px
- No clipped logo, button or footer text; no tap-blocking overlays on mobile
Reserve layout space for the logo, footer wordmark and footer flag, and give the block login/search inputs accessible names, cutting CLS and fixing the Lighthouse "image elements lack width/height" and "form elements must have labels" audits.
Core changes:
- Image dimensions (core/system.php, lite layouts):
- Add getImageBox() to resolve intrinsic [w,h] from an SVG viewBox or via getimagesize
- setHead() passes logo_w/logo_h so the configurable header logo gets a correct width/height
- home.html/app.html: width/height on the header logo, footer wordmark (355x110) and de flag (60x40)
- Form labels (lite fragments):
- block-login-form: wrap nickname/password inputs in <label> for implicit association
- block-search-form: add aria-label to the search input
Benefits:
- Lower CLS from dimensioned images
- Accessible names for login and search controls
Technical notes:
- Logo dimensions are computed server-side so any configured logo stays correct
Document the portable caching strategy for distributors on different servers, splitting the PHP-served bundle from server-served static files and giving ready Apache and nginx configurations.
Core changes:
- Performance reference (docs/PERFORMANCE.md):
- New section on static asset caching and compression
- nginx gzip/expires snippet and font-versioning caveat
- Admin editor help (admin/info/editor/ru.md):
- Caching/compression snippet for the .htaccess tab plus nginx note
Benefits:
- Clear per-server guidance for varied SLAED installations