From e8b47429e8c607c2662a78b65415dfa772aa0e48 Mon Sep 17 00:00:00 2001 From: slawkens Date: Fri, 30 Jan 2026 22:23:57 +0100 Subject: [PATCH 1/6] Fix post_edit being an author, didn't worked --- system/pages/forum/edit_post.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/pages/forum/edit_post.php b/system/pages/forum/edit_post.php index b9f2890d..a97bb5d9 100644 --- a/system/pages/forum/edit_post.php +++ b/system/pages/forum/edit_post.php @@ -38,7 +38,7 @@ if(Forum::canPost($account_logged)) { $first_post = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`author_guid`, `" . FORUM_TABLE_PREFIX . "forum`.`author_aid`, `" . FORUM_TABLE_PREFIX . "forum`.`first_post`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_smile`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread['first_post']." LIMIT 1")->fetch(); echo 'Boards >> '.$sections[$thread['section']]['name'].' >> '.htmlspecialchars($first_post['post_topic']).' >> Edit post'; - if(Forum::hasAccess($thread['section'] && ($account_logged->getId() == $thread['author_aid'] || Forum::isModerator()))) { + if(Forum::hasAccess($thread['section']) && ($account_logged->getId() == $thread['author_aid'] || Forum::isModerator())) { $char_id = $post_topic = $text = $smile = $html = null; $players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll(); $saved = false; From c472d5e4733cdfc4dfc5cc246198a1fb2086af94 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 31 Jan 2026 10:21:00 +0100 Subject: [PATCH 2/6] Bump lodash from 4.17.21 to 4.17.23 (#350) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.17.23) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index af143d0e..4901f59f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1431,9 +1431,9 @@ } }, "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "version": "4.17.23", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", + "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", "dev": true, "license": "MIT" }, From 6859b86f28e55faa962b7acca7d166517f8b8eb2 Mon Sep 17 00:00:00 2001 From: slawkens Date: Sat, 31 Jan 2026 11:23:33 +0100 Subject: [PATCH 3/6] Release v1.8.8 --- CHANGELOG-1.x.md | 15 +++++++++++++++ common.php | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-1.x.md b/CHANGELOG-1.x.md index 9713f965..9a4700a4 100644 --- a/CHANGELOG-1.x.md +++ b/CHANGELOG-1.x.md @@ -1,5 +1,20 @@ # Changelog +## [1.8.8 - 31.01.2026] +### Added +* Change Comment: Add missing hooks - patched from 0.8 (https://github.com/slawkens/myaac/commit/a60a23b84f61d41d1503073b52e01e3120f6d92a) +* +### Changed +* Account Manage: Change the last login to the correct login time – Instead of just "now" (https://github.com/slawkens/myaac/commit/5b841682cdc473b38ef1a5edfcfe1a020802e286) +* Twig: Extract renderInline(content, context) as a method to $twig (https://github.com/slawkens/myaac/commit/5e4806f891f8c88c37d45b89bbede23afc2fa37b) +* Mail: Remove HTML tags from the email function (https://github.com/slawkens/myaac/commit/6661c78dac69c6aa498b9c79fe7da4fe0150e5c8) + +### Fixed +* Forum: Fix edit_post, despite being an author, didn't work (https://github.com/slawkens/myaac/commit/e8b47429e8c607c2662a78b65415dfa772aa0e48) +* Forum: Fix a player link in the forum thread being not clickable (When outfits are enabled) (https://github.com/slawkens/myaac/commit/f640ca636f34cd2dfc1fa8de6fdbed0674908b30) +* Settings: Fix variable overlapping if the same var name as in core (https://github.com/slawkens/myaac/commit/c2415e9df3a5ffaf768f6f9668bdd38b5efd0771) +* Settings: fix show_if for the selects (https://github.com/slawkens/myaac/commit/8dcbb66753914322706216cfd01436eb1478a5ce) + ## [1.8.7 - 04.01.2026] ### Fixed diff --git a/common.php b/common.php index ff3e31ec..8f946c6e 100644 --- a/common.php +++ b/common.php @@ -26,7 +26,7 @@ if (version_compare(phpversion(), '8.1', '<')) die('PHP version 8.1 or higher is required.'); const MYAAC = true; -const MYAAC_VERSION = '1.8.7'; +const MYAAC_VERSION = '1.8.8'; const DATABASE_VERSION = 46; const TABLE_PREFIX = 'myaac_'; define('START_TIME', microtime(true)); From e52d9e486f5bf1dea867f59287f70aef3d538189 Mon Sep 17 00:00:00 2001 From: slawkens Date: Sat, 31 Jan 2026 11:34:24 +0100 Subject: [PATCH 4/6] Fix XSS in forum board name --- system/pages/forum/new_thread.php | 2 +- system/pages/forum/show_board.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/system/pages/forum/new_thread.php b/system/pages/forum/new_thread.php index 4f311977..2ed6fe81 100644 --- a/system/pages/forum/new_thread.php +++ b/system/pages/forum/new_thread.php @@ -34,7 +34,7 @@ if(Forum::canPost($account_logged)) { $players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll(); $section_id = $_REQUEST['section_id'] ?? null; if($section_id !== null) { - echo 'Boards >> ' . $sections[$section_id]['name'] . ' >> Post new thread
'; + echo 'Boards >> ' . escapeHtml($sections[$section_id]['name']) . ' >> Post new thread
'; if(isset($sections[$section_id]['name']) && Forum::hasAccess($section_id)) { if ($sections[$section_id]['closed'] && !Forum::isModerator()) diff --git a/system/pages/forum/show_board.php b/system/pages/forum/show_board.php index e899cc99..26b7b9d6 100644 --- a/system/pages/forum/show_board.php +++ b/system/pages/forum/show_board.php @@ -42,7 +42,7 @@ for($i = 0; $i < $threads_count['threads_count'] / setting('core.forum_threads_p $links_to_pages .= ''.($i + 1).' '; } -echo 'Boards >> '.$sections[$section_id]['name'].''; +echo 'Boards >> '.escapeHtml($sections[$section_id]['name']).''; if($logged && (!$sections[$section_id]['closed'] || Forum::isModerator())) { echo '

From 6db738a87c44b8d96919191ba5e661c32ab47457 Mon Sep 17 00:00:00 2001 From: slawkens Date: Sat, 31 Jan 2026 11:40:58 +0100 Subject: [PATCH 5/6] Forum: Fix XSS in board name --- system/pages/forum/edit_post.php | 2 +- system/pages/forum/new_post.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/system/pages/forum/edit_post.php b/system/pages/forum/edit_post.php index a97bb5d9..6eff5804 100644 --- a/system/pages/forum/edit_post.php +++ b/system/pages/forum/edit_post.php @@ -36,7 +36,7 @@ if(Forum::canPost($account_logged)) { $thread = $db->query("SELECT `author_guid`, `author_aid`, `first_post`, `post_topic`, `post_date`, `post_text`, `post_smile`, `post_html`, `id`, `section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$post_id." LIMIT 1")->fetch(); if(isset($thread['id'])) { $first_post = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`author_guid`, `" . FORUM_TABLE_PREFIX . "forum`.`author_aid`, `" . FORUM_TABLE_PREFIX . "forum`.`first_post`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_smile`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread['first_post']." LIMIT 1")->fetch(); - echo 'Boards >> '.$sections[$thread['section']]['name'].' >> '.htmlspecialchars($first_post['post_topic']).' >> Edit post'; + echo 'Boards >> '.escapeHtml($sections[$thread['section']]['name']).' >> '.htmlspecialchars($first_post['post_topic']).' >> Edit post'; if(Forum::hasAccess($thread['section']) && ($account_logged->getId() == $thread['author_aid'] || Forum::isModerator())) { $char_id = $post_topic = $text = $smile = $html = null; diff --git a/system/pages/forum/new_post.php b/system/pages/forum/new_post.php index 71bc3417..a06183e8 100644 --- a/system/pages/forum/new_post.php +++ b/system/pages/forum/new_post.php @@ -42,7 +42,7 @@ if(Forum::canPost($account_logged)) { $thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id." LIMIT 1")->fetch(); if(isset($thread['id']) && Forum::hasAccess($thread['section'])) { - echo 'Boards >> '.$sections[$thread['section']]['name'].' >> '.htmlspecialchars($thread['post_topic']).' >> Post new reply

'.htmlspecialchars($thread['post_topic']).'

'; + echo 'Boards >> '.escapeHtml($sections[$thread['section']]['name']).' >> '.htmlspecialchars($thread['post_topic']).' >> Post new reply

'.htmlspecialchars($thread['post_topic']).'

'; $quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL; $text = isset($_POST['text']) ? stripslashes(trim($_POST['text'])) : NULL; From e33e86053da32b5448ef302c543f293702fd7068 Mon Sep 17 00:00:00 2001 From: slawkens Date: Sat, 31 Jan 2026 11:42:40 +0100 Subject: [PATCH 6/6] Update CHANGELOG-1.x.md --- CHANGELOG-1.x.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-1.x.md b/CHANGELOG-1.x.md index 9a4700a4..768abb73 100644 --- a/CHANGELOG-1.x.md +++ b/CHANGELOG-1.x.md @@ -10,7 +10,8 @@ * Mail: Remove HTML tags from the email function (https://github.com/slawkens/myaac/commit/6661c78dac69c6aa498b9c79fe7da4fe0150e5c8) ### Fixed -* Forum: Fix edit_post, despite being an author, didn't work (https://github.com/slawkens/myaac/commit/e8b47429e8c607c2662a78b65415dfa772aa0e48) +* Forum: Fix XSS in board name (https://github.com/slawkens/myaac/commit/e52d9e486f5bf1dea867f59287f70aef3d538189, https://github.com/slawkens/myaac/commit/6db738a87c44b8d96919191ba5e661c32ab47457) +* Forum: Fix edit_post, despite being an author, edit didn't work (https://github.com/slawkens/myaac/commit/e8b47429e8c607c2662a78b65415dfa772aa0e48) * Forum: Fix a player link in the forum thread being not clickable (When outfits are enabled) (https://github.com/slawkens/myaac/commit/f640ca636f34cd2dfc1fa8de6fdbed0674908b30) * Settings: Fix variable overlapping if the same var name as in core (https://github.com/slawkens/myaac/commit/c2415e9df3a5ffaf768f6f9668bdd38b5efd0771) * Settings: fix show_if for the selects (https://github.com/slawkens/myaac/commit/8dcbb66753914322706216cfd01436eb1478a5ce)