Remove the XML <![CDATA[ ]]> markers around the inlined logo's inner <style>. They are unnecessary in an HTML document (style content is already raw text) and were flagged by the HTML validator. The logo renders identically since the .fil* rules remain in the <style> block.
Route every web-server error code to the SLAED branded page and add a fully self-contained static fallback for 502/504, so visitors always get the themed error UI instead of a bare nginx/Apache page even when PHP is down. Several modules that silently fell back to the home page now return SEO-correct 404s.
Core changes:
- Static 502/504 fallback (error.html):
New self-contained page served by the web server when PHP is unavailable
- Inline CSS (theme rules), inline SVG logo and icons, no external file
- Inline JS sets the current year; 2026 is the no-JS fallback
- noindex; renders identically to the live branded error page
- ?error= contract and status reasons (core/security.php):
Whitelist ?error= codes 400 401 402 403 404 500 502 503 504
- Forged or unknown codes fall through and cannot emit arbitrary statuses
- Extend the setError() status-reason map (401, 402, 502, 504)
- SEO-correct 404s instead of soft home redirects:
- index.php: unknown, inactive or unservable module now setError(404)
- modules/changelog/index.php: out-of-range page now setError(404)
- Web-server wiring and documentation:
- .htaccess: ErrorDocument 502/504 to /error.html for Apache parity
docs/PERFORMANCE.md and admin/info/editor/ru.md: nginx/Apache recipes, fastcgi_intercept_errors off, the ?error= whitelist and the static page
- Error-page card styling (templates/lite/assets/css/theme.css):
- Adjust .sl-msg-search and .sl-msg-foot widths and spacing to fit the card
- Regression guard (tests/ErrorPageContractTest.php):
- Assert error.html is self-contained (no external CSS/JS/img) and branded
- Assert the ?error= whitelist is fully covered by setError() reasons
Benefits:
- Correct HTTP status on every error path, improving SEO and crawler signals
- Branded, no-store error UI even during a PHP-FPM outage
- One error-rendering contract shared by nginx and Apache
Technical notes:
- error.html is generated from the lite theme with only used rules and tokens
nginx still serves real 502/504 from the static file; 502/504 are whitelisted only so a manual ?error= still renders when PHP is alive
- No database or schema changes; backward compatible
Uncaught exceptions, fatal errors, and the DB-connection failure now produce a consistent response: the full error detail in debug mode, a clean 500 in production, and never an HTML page inside a non-HTML response. Detail goes to the log; nothing internal is shown to visitors in production.
Core changes:
- Error responder (core/security.php):
- Add setErrorOut(): recursion-guarded; skips non-HTML requests (go=1/2/3/4/5/asset/captcha/rss/xsl or headers already sent) with a status-only 500; debug shows the detail via setExit() (status 200, so nginx never intercepts it); production renders setError(500)
- set_exception_handler() now routes through setErrorOut() and logs the full trace; rendering is decoupled from security.error_log so a clean 500 page appears even with logging off
- register_shutdown_function() logs fatals (when enabled) and sets a 500 status without a heavy render (process state may be broken)
- setError() status map gains 503 Service Unavailable
- Database connection (core/classes/pdo.php):
- On PDOException, gate the detail by security.error: debug shows it (setExit), production renders setError(500); the detail is logged in both cases
Technical notes:
- App-emitted errors render the SLAED page with Cache-Control: no-store; status via http_response_code() (HTTP/2 safe)
- Debug detail is served as 200 so it survives nginx without fastcgi_intercept_errors off; the full stack trace is written to the log
- Behavior change: uncaught errors no longer fall through to raw PHP output; production no longer leaks DB internals to the page
Document that PHP-generated 404/403/503/500 must pass through (fastcgi_intercept_errors off) so SLAED's branded page and no-store headers reach the client, and separate app-emitted 5xx from infrastructure 5xx (502/504) that only nginx can answer.
Core changes:
- Performance guide (docs/PERFORMANCE.md):
- New "PHP error pages" subsection under the web-server configuration section
A DB-connection failure and the site-closed gate returned 200, which misleads crawlers and monitoring. They now carry the correct status, and the DB error detail is logged instead of shown to visitors.
Core changes:
- Database connection (core/classes/pdo.php):
- On PDOException, log the detail via Logger and render setError(500) instead of setExit() (was 200; also stops leaking the raw DB message to the page)
- Maintenance gate (index.php):
- Closed-site response now sends 503 Service Unavailable while keeping the _CLOSE_TEXT page
- Error helper (core/security.php):
- setError() status map gains 503 Service Unavailable
Technical notes:
- App-emitted 5xx render the SLAED page (status via http_response_code(), Cache-Control: no-store)
- captcha JSON 503 left as-is; infra 5xx (502/504) remain nginx's responsibility
Align the error page presentation with the removed auto-redirect.
Core changes:
- Error page (templates/lite/pages/message.html):
- Render "<title> - <sitename>" when a page title is set
- Localization (lang/*.php):
- _ERROR_PAGE now invites returning home or using search instead of announcing a redirect (de/en/fr/pl/ru/uk)
Missing content, out-of-range list pagination and access-restricted pages now emit proper 404/403 instead of redirecting or returning 200, so crawlers stop indexing soft-error pages. Error rendering is consolidated into one setError() helper.
Core changes:
- Error helper (core/security.php):
- Add setError(int $code): status via http_response_code(), conditional logging, standard error page
- Drop the meta-refresh auto-redirect from setExit() (soft-404 / WCAG 2.2.1 anti-pattern)
- Route the bootstrap $_GET['error'] handler through setError(), removing the 40-line $http status map
- Frontend modules (modules/*/index.php):
- view(): 404 when the item does not exist
- list/liste(): 404 when a page beyond the first yields no rows
- forum: 404 for out-of-range topic pages and unpublished topics, 403 when category read is denied
- broken()/loading(): 404 on invalid requests
- Module gates (index.php):
- view=1 / view=2 access denials now send 403
Technical notes:
- http_response_code() is HTTP/2-safe; error responses keep Cache-Control: no-store
- Backward compatible; php -l and phpstan clean
Core changes:
- News block (blocks/news.php):
- Initialize $content before the result loop to avoid an undefined variable
- Base styles (templates/lite/assets/css/base.css):
- Fieldset uses margin-top instead of an all-sides margin
Wrap the nickname/password inputs of the user-info block login form in <label> for implicit association, matching the block-login-form fix.
Core changes:
- block-user-info.html:
- Wrap nickname and password inputs in <label>
Remove horizontal scroll across phone, tablet and laptop widths in the lite theme and tidy the touched comments to the project style.
Core changes:
- Footer grid (theme.css):
- Mobile grid tracks use minmax(0, 1fr) and grid items get min-width:0 so content wraps instead of forcing the column wider than the viewport
- Header and side elements (theme.css):
- Login dropdown closed state is position:fixed on mobile so its off-screen box no longer widens the page; the JS-opened state still positions in view
- Demo-line version pane wraps on narrow screens; header version pane is hidden on mobile (duplicate of the demo-line and footer CTA)
- Remove the -30px bleed margins on the logo and header pane that pushed them past both viewport edges on laptops (<=1352px)
- Hide the fixed left-edge idea/feedback tabs on mobile (they overlapped the menu and blocked taps)
- Comments (theme.css):
- Single-line, no trailing period, ASCII per .rules/global.md
Benefits:
- scrollWidth == clientWidth from 320px to 1680px
- No clipped logo, button or footer text; no tap-blocking overlays on mobile