* add html encoding function
* html-encode dynamic values
important if the values contain special characters like '&<>"
(for example if $config['site_title'] is `AT&T` or `<AWESOMESERVER>`, the old code would generate invalid html, but this updated code will generate valid html.)
the powergamers page was vulnerable to XSS/JavaScript injection; this should fix it.
XSS screenshot: https://i.imgur.com/4rJuWqY.png
XSS POC:
<form action="https://<censored>/powergamers.php" method="POST">
<input type="hidden" name="days[]" value="3" />
<input type="hidden" name="days[]" value="1<script>alert("XSS running!");</script>" />
<input type="submit" value="click here to start xss" />
</form>
Security issue reported by @slawkens
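As an added example, not code from znote or from the commit above, the following PHP shows the encoding fix the message describes applied to the values it names (`AT&T`, `<AWESOMESERVER>`) and to the `days[]` payload from the PoC above. The `html_encode()` and `valid_days()` helper names, the `$config` array and the sample values are assumptions for illustration; `htmlspecialchars()` and `filter_var()` are standard PHP.

```php
<?php
// Added example, not znote's own code. html_encode(), valid_days(), $config and
// the sample values below are assumptions for illustration.

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes (needed if an attribute is single-quoted);
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function html_encode($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** days[] is numeric input: keep only entries that really are integers. */
function valid_days(array $days): array
{
    return array_values(array_filter($days, function ($d) {
        return filter_var($d, FILTER_VALIDATE_INT) !== false;
    }));
}

// Constructed sample values: the two named in the commit message and the
// days[] payload from the PoC form.
$config   = ['site_title' => 'AT&T'];
$hostname = '<AWESOMESERVER>';
$days     = ['3', '1<script>alert("XSS running!");</script>'];

// Before the fix: raw interpolation. The title yields invalid HTML, and the
// second days[] entry is parsed by the browser as a real <script> element.
$vulnerable = '<title>' . $config['site_title'] . '</title>'
    . '<p>Days: ' . implode(', ', $days) . '</p>';

// After the fix: every dynamic value is encoded for its HTML context, so the
// browser displays the text but never treats it as markup.
$fixed = '<title>' . html_encode($config['site_title']) . '</title>'
    . '<p>Days: ' . implode(', ', array_map('html_encode', $days)) . '</p>'
    . '<input type="hidden" name="host" value="' . html_encode($hostname) . '">';

// Defence in depth: drop non-numeric days[] entries before they are used at all,
// so the payload never reaches the query or the page.
$safe_days = valid_days($days);

echo $vulnerable, "\n", $fixed, "\n", implode(', ', $safe_days), "\n";
```

Two caveats a practitioner should keep in mind: `htmlspecialchars()` is correct for HTML body text and quoted attribute values only; a value placed inside a `<script>` block, an inline event handler or a URL needs that context's own encoding, and the page should declare the same charset (`UTF-8` here) that is passed to the function.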
All Wi-Fi traffic is broadcast - this means that any nearby sniffing devices can read your traffic. If you're connecting to a page through HTTP over public/unencrypted Wi-Fi, you can assume that whatever information you are sending and receiving is public - all it takes is an attacker nearby with an antenna to read all of that in plaintext. To perform a true MITM by having traffic flow through them, attackers can use tools like the Wi-Fi Pineapple or aircrack-ng to force users to connect to their Wi-Fi network.
Connecting over cable internet is much harder to intercept/MITM because you're not broadcasting your traffic to the whole neighborhood. In order to compromise this network an attacker will have to gain access to it somehow - either through physical access to a network port, malware installed on a host machine or router, etc. When an attacker has access to a network, they then have to exploit that access through attacks such as ARP poisoning or HSRP spoofing. These attacks just MITM traffic - anyone on the network can still sniff (read, but not change) traffic, but keep in mind that HTTPS traffic is still encrypted and can't be read.
https://security.stackexchange.com/questions/153148/how-easy-it-is-to-actually-perform-mitm-attack-these-days
When storage_account_id is not configured in config.php and people want to try the character auction system,
give them an error message telling them to edit config.php properly instead of a query crash.
There is no need to create separate configs for OTHIRE when establishing an SQL connection,
and it is confusing for new users who are configuring their webserver.
* Update toponline.php site_title and type
Parse error: syntax error, unexpected 'site_title' (T_STRING), expecting ',' or ';' in C:\xampp\htdocs\znote\toponline.php on line 40
Notice: Undefined index: type in C:\xampp\htdocs\znote\toponline.php on line 10
* Add OTServers.eu voting
* Hide voting by default and use simple vote url if the user isn't logged in
* Fix indentation
* Convert to tabs
* Convert to tabs
* Preparing compatibility to OTHire
* Still working on compatibility to OTHire
* More compatibility
* More compatibility
Not tested yet
* Some fixes
- Fixed Account Creation.
- Fixed a problem where you couldn't load the website, which also means you can now recover your account number.
* More fixes
- Fixed character creation.
- Fixed login problem.
- Fixed displaying account number in My Account.
- Fixed displaying if you have premium days or not in My Account.
* More fixes
- Handle Kills/Deaths as TFS_03
* More fixes
- Fixed showing outfits in character profile
- Fixed displaying player houses in character profile
- Fixed displaying guilds
* Update init.php
* Prefix http or https if the user hasn't explicitly set it
Adding this because href prefixes the server's URL if http:// or https:// is not provided.
* Fixed whitespace
* Info regarding using a stable version of PHPMailer instead of downloading master branch.
* Added info regarding using a stable version of PHPMailer instead of downloading master branch.