Updated CHANGELOG.md (format)

* added command to change permissions of system/cache directory

.gitignore

@@ -1,2 +1,3 @@
 Thumbs.db
 .DS_Store
+.idea

CHANGELOG.md

@@ -1,4 +1,28 @@
-[0.7.9 - 13.01.2017]
+# Changelog
+
+## [0.7.10 - 03.03.2018]
+### Added:
+* new configurable: smtp_secure
+* robots.txt
+
+### Fixed:
+* editing an existing page that had php enabled
+* chrome bug on save (when editing page) ERR_BLOCKED_BY_XSS_AUDITOR
+* showing IP and Port in admin panel (#44, by miqueiaspenha)
+* deleting plugin showing "You don't have rights to delete"
+* some bug with PHPMailer not finding its language file
+* default accounts.vote value
+* saving some really high long ip addresses
+
+### Changed:
+* update config.highscores_ids_hidden on install when there are samples already in database
+* auto add z_polls table on install
+
+### Internal:
+* changed mb_strtolower functions to strtolower()
+* added new function: $hooks->exist($type)
+
+## [0.7.9 - 13.01.2018]
 	* removed 6mb of trash (some useless things)
 	* (fix) TFS 1.x not showing promoted vocations in highscores
 	* otserv 0.6.x: fixed some warning (on the characters page) and fatal mysql error (on the mango signature)
@@ -7,13 +31,13 @@
 	* changed highscores_groups_hidden to 3 (for TFS 1.x)
 	* updated background-artwork (tibiacom template) to the latest version, removed other ones
 
-[0.7.8 - 12.01.2017]
+## [0.7.8 - 12.01.2018]
 	* fixed installation error " call to undefined method OTS_DB_MySQL::hasColumn()"
 	* updated tinymce to the latest (4.7.4) version
 	* enabled emoticons plugin in tinymce :)
 	* some security fixes
 
-[0.7.7 - 08.01.2018]
+## [0.7.7 - 08.01.2018]
 	* important fix for servers with promotion column (caused player.vocation to be resetted when saving player, for example: on change name, accept invite to guild, leave guild)
 	* immediately reload config.lua when there's change in config.server_path detected
 	* added new forum option: "Enable HTML" (only for moderators)
@@ -32,14 +56,14 @@
 	* don't add extra <br/> to the TinyMCE news forum posts
 	* (internal) using $player->getVocationName() where possible instead of older method
 
-[0.7.6 - 05.01.2017]
+## [0.7.6 - 05.01.2017]
 	* fixed othire account creating/installation
 	* fixed table name players -> players_online
 	* fixed unexpected error logging about email fail
 	* added max_execution_time to the install finish step
 	* some small fix regarding highscores vocation box
 
-[0.7.5 - 04.01.2017]
+## [0.7.5 - 04.01.2017]
 	* fixed bug on othire with config.account_premium_days
 	* fixed bug on TFS 1.x when online_afk is enabled
 	* warning about leaving news page with changes
@@ -52,7 +76,7 @@
 	* fixed template path finding
 	* fixed displaying article_text when it was empty saved
 
-[0.7.4 - 24.12.2017]
+## [0.7.4 - 24.12.2017]
 	* fixed mysql fatal error on tibiacom template - top 5 box
 	* fixed displaying of level percent bar on tibian signature
 	* inform user about Twig cache failure on installation, instead of http 500 error
@@ -60,7 +84,7 @@
 	* remember client version select and usage stats checkbox in session on install
 	* automatically update highscores_ids_hidden for users who installed myaac before (migration)
 
-[0.7.3 - 18.12.2017]
+## [0.7.3 - 18.12.2017]
 	* auto generate myaac cache & session prefix on install to be unique across installations
 	* fixed hiding shop system menu on tibiacom template when disabled in config
 	* prevent adding duplicated newses with installation
@@ -75,7 +99,7 @@
 	* (internal) renamed installation step files to be in correct order
 	* added TODO file
 
-[0.7.1 - 13.12.2017]
+## [0.7.1 - 13.12.2017]
 	* added changelog menu item to kathrine template
 	* fixed some php short tag in changelogs page
 	* fixed guild change description back button
@@ -83,7 +107,7 @@
 	* changed some notice when version check is failed
 	* (internal) moved changelog to twig
 
-[0.7.0 - 20.11.2017]
+## [0.7.0 - 20.11.2017]
 	* moved template menus to database, they're now dynamically loaded
 	* added anonymous usage statistics reporting (only if user agrees, first usage report will be send after 7 days)
 	* you can edit them in Admin Panel under 'Menus' option
@@ -120,24 +144,24 @@
 	* (internal) renamed constant TICKET -> TICKER
 	* (internal) shortened message functions
 	
-[0.6.6 - 22.10.2017]
+## [0.6.6 - 22.10.2017]
 	* fixed some php fatal error on spells page
 	* changed spells.vocations field in db size to 300
 	* please reload your spells after this update!
 
-[0.6.5 - 21.10.2017]
+## [0.6.5 - 21.10.2017]
 	* fixed displaying custom pages
 	* fixed adding new group forum board
 	
-[0.6.4 - 20.10.2017]
+## [0.6.4 - 20.10.2017]
 	* reverted OTS_Account::getLastLogin() cause its used by tibia11-login plugin
 	
-[0.6.3 - 20.10.2017]
+## [0.6.3 - 20.10.2017]
 	* fixed creating account
 	* fixed viewing thread without being logged 
 	* fixed showing premium account status
 	
-[0.6.2 - 20.10.2017]
+## [0.6.2 - 20.10.2017]
 	* added forums for guilds and groups
 	* added nice looking menu for my account page in default template
 	* new command line tool: install_plugin.php - can be used to install plugins from command line. Usage: "php install_plugin.php path_to_file"
@@ -170,7 +194,7 @@
 	* (internal) new function: OTS_Guild::hasMember(OTS_Player $player)
 	* (internal) new function: Forum::hasAccess($board_id)
 	
-[0.6.1 - 17.10.2017]
+## [0.6.1 - 17.10.2017]
 	* fixed signatures loading
 	* new configurable: session_prefix, to allow more websites on one machine (must be unique for every website on your dedicated server!)
 	* better error handling for monsters and spells loader (save errors to system/logs/error.log)
@@ -180,7 +204,7 @@
 	* (internal) moved forum actions (pages) to forum/ directory
 	* (internal) moved forum.edit_post to twig templates
 
-[0.6.0 - 16.10.2017]
+## [0.6.0 - 16.10.2017]
 	* added faq management - add/edit/move/hide/delete from website
 	* new account.login view for tibiacom template
 	* monsters and spells are now being loaded at the installation of the AAC
@@ -203,7 +227,7 @@
 	* ajax requests returns now json instead of xml
 	* added 404 response when file is not found
 
-[0.5.1 - 11.10.2017]
+## [0.5.1 - 11.10.2017]
 	* fixed forum add/edit board
 	* new configurable: highscores_length, how much highscores to display
 	* fixed highscores links (ALL, previous and next page)
@@ -213,7 +237,7 @@
 	* check if plugin exist before uninstalling
 	* fixed some warning in OTS_Base_DB
 
-[0.5.0 - 10.10.2017]
+## [0.5.0 - 10.10.2017]
 	* moved .htaccess rules to plain php (index.php)
 	* updated tinymce to the latest (4.7.0) version, you can now embed code, for example youtube videos
 	* added option to uninstall plugin
@@ -232,7 +256,7 @@
 	* added new twig function getLink that convert link taking into account config.friendly_urls
 	* internalLayoutLink -> getLink
 
-[0.4.3 - 05.10.2017]
+## [0.4.3 - 05.10.2017]
 	* better config loader taken from latest gesior, you can now include files in your config by doing dofile('config.local.lua')
 	* fixed country detection in create account
 	* fixed showing of character deaths and frags
@@ -246,14 +270,14 @@
 	* added bugtracker to kathrine template
 	* added CREDITS file
 
-[0.4.2 - 14.09.2017]
+## [0.4.2 - 14.09.2017]
 	* updated version number
 
-[0.4.1 - 13.09.2017]
+## [0.4.1 - 13.09.2017]
 	* fixed log in to admin panel
 	* fixed File is not .zip plugin upload error
 
-[0.4.0 - 13.09.2017
+## [0.4.0 - 13.09.2017
 	* added option to add/edit/delete/hide/move forum boards
 	* moved some of HTML-in-PHP code to Twig templates
 	* added bug_report configurable which can enable/disable bug tracker
@@ -270,7 +294,7 @@
 	* some small improvements
 	* fixed some separators in kathrine template
 
-[0.3.0 - 28.08.2017]
+## [0.3.0 - 28.08.2017]
 	* added administration panel for screenshots management with auto thumbnail generator and image auto-resizing
 	* added Twig template engine and moved some html-in-php code to it
 	* automatically detect player country based on user location (IP) on create account
@@ -288,7 +312,7 @@
 	* moved news adding at installation from schema.sql to finish.php
 	* some optimizations
 
-[0.2.4 - 09.06.2017]
+## [0.2.4 - 09.06.2017]
 	* fixed invite to guild
 	* added id field on monsters, so you can delete them in phpmyadmin
 	* fixed adding some creatures with ' and "
@@ -297,7 +321,7 @@
 	* fixed typo loss_items => loss_containers
 	* more elegant way of showing message on reload creatures and spells
 
-[0.2.3 - 31.05.2017]
+## [0.2.3 - 31.05.2017]
 	* fixed guild management on OTHire 0.0.3
 	* set default skills to 10 when creating new character
 	* fixed displaying of "Create forum thread" in newses
@@ -309,15 +333,15 @@
 	* fixed Undefined variable (https://otland.net/threads/myaac-v0-0-1.251454/page-7#post-2444034)
 	* fixed Undefined offset (https://otland.net/threads/myaac-v0-0-1.251454/page-7#post-2444035)
 
-[0.2.2 - 22.05.2017]
+## [0.2.2 - 22.05.2017]
 	* added missing cache/signature directory
 	* fixed https://otland.net/threads/myaac-v0-0-1.251454/page-7#post-2443868
 
-[0.2.1 - 21.05.2017]
+## [0.2.1 - 21.05.2017]
 	* added Swedish translation by Sizaro
 	* fixed some bugs with installlation & characters & houses
 
-[0.2.0 - 21.05.2017]
+## [0.2.0 - 21.05.2017]
 	* added option to change character sex for premium points
 	* moved site_closed to database, now you can close your site through admin panel
 	* added option to admin panel: clear cache
@@ -337,10 +361,10 @@
 	* fixed movies unexpected comment
 	* added template_place_holder('center_top') to kathrine template
 
-[0.1.5 - 13.05.2017]
+## [0.1.5 - 13.05.2017]
 	* fixed bug with "Integrity constraint violation: 1048 Column 'ip' cannot be null"
 
-[0.1.4 - 13.05.2017]
+## [0.1.4 - 13.05.2017]
 	* added outfit shower, in characters, online, and highscores
 	* updated database to version 2
 	* fixed item images (now using item-images.ots.me host by default)
@@ -349,17 +373,17 @@
 	* removed some unused code from my old server
 	* added spells & monsters to kathrine template
 
-[0.1.3 - 11.05.2017]
+## [0.1.3 - 11.05.2017]
 	* this is just release to update version number
 
-[0.1.2 - 11.05.2017]
+## [0.1.2 - 11.05.2017]
 	* forgot to update CHANGELOG and MYAAC_VERSION
 
-[0.1.1 - 11.05.2017]
+## [0.1.1 - 11.05.2017]
 	* fixed updating myaac_config with database_version to 1
 	* fixed database updater
 
-[0.1.0 - 11.05.2017]
+## [0.1.0 - 11.05.2017]
 	* added new feature: change character name for premium points (disabled by default, you can enable it in config under account_change_character_name in config.php)
 	* added automatic database updater (data migrations)
 	* renamed events to hooks
@@ -383,13 +407,13 @@
 	* fixed signatures (many fixes)
 	* added missing gesior signature system
 
-[0.0.6 - 06.05.2017]
+## [0.0.6 - 06.05.2017]
 	* fixed bug while installing (https://otland.net/threads/myaac-v0-0-1.251454/page-3#post-2440543)
 	* fixed bug when creating character (not showing errors) (one more time)
 	* fixed support for TFS 0.2 series
 	* added FAQ link
 	
-[0.0.5 - 05.05.2017]
+## [0.0.5 - 05.05.2017]
 	* fixed bug when creating character (not showing errors)
 	* Fixed characters loading with names that has been created with other AAC
 	* fixed links to shop in default template
@@ -402,7 +426,7 @@
 	* fixes when $config['database_*'] is set
 	* added CHANGELOG
 
-[0.0.3 - 03.05.2017]
+## [0.0.3 - 03.05.2017]
 	* Full support for OTHire 0.0.3
 	* added support for otservers that doesn't use account.name field, instead just account number will be used
 	* fixed encryption detection on TFS 0.3
@@ -413,7 +437,7 @@
 	* fixed installation errors
 	* fixed config.lua loading with some weird comments
 
-[0.0.2 - 02.05.2017]
+## [0.0.2 - 02.05.2017]
 	* updated forum links to use friendly_urls
 	* some more info will be shown when cannot connect to database
 	* show more error infos when creating character
@@ -424,7 +448,7 @@
 	* fixed support for gesior pages and templates
 	* added function OTS_Acount:getGroupId()
 
-[0.0.1 - 01.05.2017]
+## [0.0.1 - 01.05.2017]
 	This is first official release of MyAAC.
 	Features are listed here
 

README.md

@@ -5,7 +5,7 @@ Official website: https://my-aac.org
 
 ### REQUIREMENTS
 
-	- PHP 5.3.0 or later
+	- PHP 5.3.3 or later
 	- MySQL database
 	- PDO PHP Extension
 	- XML PHP Extension
@@ -28,6 +28,7 @@ Official website: https://my-aac.org
 			chmod 660 images/guilds
 			chmod 660 images/houses
 			chmod 660 images/gallery
+			chmod -R 770 system/cache
 
 	Visit http://your_domain/install (http://localhost/install) and follow instructions in the browser.
 

common.php

@@ -26,8 +26,8 @@
 session_start();
 
 define('MYAAC', true);
-define('MYAAC_VERSION', '0.7.9');
+define('MYAAC_VERSION', '0.7.10');
-define('DATABASE_VERSION', 21);
+define('DATABASE_VERSION', 22);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));
 define('MYAAC_OS', (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? 'WINDOWS' : (strtoupper(PHP_OS) == 'DARWIN' ? 'MAC' : 'LINUX'));

config.php

@@ -107,6 +107,7 @@ $config = array(
 	'smtp_auth' => true, // need authorization?
 	'smtp_user' => 'admin@example.org',
 	'smtp_pass' => '',
+	'smtp_secure' => '', // What kind of encryption to use on the SMTP connection. Options: '', 'ssl' or 'tls', use 'ssl' for gmail
 
 	// reCAPTCHA (prevent spam bots)
 	'recaptcha_enabled' => false, // enable recaptcha verification code

install/includes/schema.sql

@@ -1,7 +1,7 @@
 CREATE TABLE `myaac_account_actions`
 (
 	`account_id` INT(11) NOT NULL,
-	`ip` INT(11) NOT NULL DEFAULT 0,
+	`ip` INT(10) UNSIGNED NOT NULL DEFAULT 0,
 	`ipv6` BINARY(16) NOT NULL DEFAULT 0,
 	`date` INT(11) NOT NULL DEFAULT 0,
 	`action` VARCHAR(255) NOT NULL DEFAULT '',

install/steps/3-requirements.php

@@ -22,7 +22,7 @@ function version_check($name, $ok, $info = '', $warning = false)
 $failed = false;
 
 // start validating
-version_check($locale['step_requirements_php_version'], (PHP_VERSION_ID >= 50300), PHP_VERSION);
+version_check($locale['step_requirements_php_version'], (PHP_VERSION_ID >= 50303), PHP_VERSION);
 foreach(array('config.local.php', 'images/guilds', 'images/houses', 'images/gallery') as $value)
 {
 	$is_writable = is_writable(BASE . $value);

install/steps/7-finish.php

@@ -122,50 +122,34 @@ else {
 		$insert_into_players = "INSERT INTO `players` (`id`, `name`, `group_id`, `account_id`, `level`, `vocation`, `health`, `healthmax`, `experience`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`, `maglevel`, `mana`, `manamax`, `manaspent`, `soul`, `town_id`, `posx`, `posy`, `posz`, `conditions`, `cap`, `sex`, `lastlogin`, `lastip`, `save`, `lastlogout`, `balance`, `$deleted`, `created`, `hidden`, `comment`) VALUES ";
 		$success = true;
 
-		$highscores_ignored_ids = array();
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote('Rook Sample'));
 		if($query->rowCount() == 0) {
 			if(!query($insert_into_players . "(null, 'Rook Sample', 1, " . getSession('account') . ", 1, 0, 150, 150, 4200, 118, 114, 38, 57, 130, 0, 0, 0, 0, 100, 1, 1000, 1000, 7, '', 400, 1, 1255179613, 2453925456, 1, 1255179614, 0, 0, UNIX_TIMESTAMP(), 1, '');"))
 				$success = false;
-			else {
-				$highscores_ignored_ids[] = $db->lastInsertId();
-			}
 		}
 
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote('Sorcerer Sample'));
 		if($query->rowCount() == 0) {
 			if(!query($insert_into_players . "(null, 'Sorcerer Sample', 1, " . getSession('account') . ", 8, 1, 185, 185, 4200, 118, 114, 38, 57, 130, 0, 35, 35, 0, 100, 1, 1000, 1000, 7, '', 470, 1, 1255179571, 2453925456, 1, 1255179612, 0, 0, UNIX_TIMESTAMP(), 1, '');"))
 				$success = false;
-			else {
-				$highscores_ignored_ids[] = $db->lastInsertId();
-			}
 		}
 
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote('Druid Sample'));
 		if($query->rowCount() == 0) {
 			if(!query($insert_into_players . "(null, 'Druid Sample', 1, " . getSession('account') . ", 8, 2, 185, 185, 4200, 118, 114, 38, 57, 130, 0, 35, 35, 0, 100, 1, 1000, 1000, 7, '', 470, 1, 1255179655, 2453925456, 1, 1255179658, 0, 0, UNIX_TIMESTAMP(), 1, '');"))
 				$success = false;
-			else {
-				$highscores_ignored_ids[] = $db->lastInsertId();
-			}
 		}
 
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote('Paladin Sample'));
 		if($query->rowCount() == 0) {
 			if(!query($insert_into_players . "(null, 'Paladin Sample', 1, " . getSession('account') . ", 8, 3, 185, 185, 4200, 118, 114, 38, 57, 129, 0, 35, 35, 0, 100, 1, 1000, 1000, 7, '', 470, 1, 1255179854, 2453925456, 1, 1255179858, 0, 0, UNIX_TIMESTAMP(), 1, '');"))
 				$success = false;
-			else {
-				$highscores_ignored_ids[] = $db->lastInsertId();
-			}
 		}
 
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote('Knight Sample'));
 		if($query->rowCount() == 0) {
 			if(!query($insert_into_players . "(null, 'Knight Sample', 1, " . getSession('account') . ", 8, 4, 185, 185, 4200, 118, 114, 38, 57, 131, 0, 35, 35, 0, 100, 1, 1000, 1000, 7, '', 470, 1, 1255179620, 2453925456, 1, 1255179654, 0, 0, UNIX_TIMESTAMP(), 1, '');"))
 				$success = false;
-			else {
-				$highscores_ignored_ids[] = $db->lastInsertId();
-			}
 		}
 
 		if($success) {
@@ -193,20 +177,19 @@ else {
 			error(Spells::getLastError());
 		}
 
-		$content = PHP_EOL;
+		// update config.highscores_ids_hidden
-		$content .= '$config[\'highscores_ids_hidden\'] = array(' . implode(', ', $highscores_ignored_ids) . ');';
+		$database_migration_20 = true;
-		$content .= PHP_EOL;
+		require_once(SYSTEM . 'migrations/20.php');
-
+		$content = '';
-		$file = fopen(BASE . 'config.local.php', 'a+');
+		if(!databaseMigration20($content)) {
-		if($file) {
-			fwrite($file, $content);
-		}
-		else {
 			$locale['step_database_error_file'] = str_replace('$FILE$', '<b>' . BASE . 'config.local.php</b>', $locale['step_database_error_file']);
 			warning($locale['step_database_error_file'] . '<br/>
 						<textarea cols="70" rows="10">' . $content . '</textarea>');
 		}
 		
+		// add z_polls tables
+		require_once(SYSTEM . 'migrations/22.php');
+
 		$locale['step_finish_desc'] = str_replace('$ADMIN_PANEL$', generateLink(ADMIN_URL, $locale['step_finish_admin_panel'], true), $locale['step_finish_desc']);
 		$locale['step_finish_desc'] = str_replace('$HOMEPAGE$', generateLink(BASE_URL, $locale['step_finish_homepage'], true), $locale['step_finish_desc']);
 		$locale['step_finish_desc'] = str_replace('$LINK$', generateLink('http://my-aac.org', 'http://my-aac.org', true), $locale['step_finish_desc']);

robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow:

system/functions.php

@@ -815,6 +815,7 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 	{
 		require(SYSTEM . 'libs/phpmailer/PHPMailerAutoload.php');
 		$mailer = new PHPMailer();
+		$mailer->setLanguage('en', LIBS . 'phpmailer/language/');
 	}
 
 	$signature_html = '';
@@ -834,6 +835,7 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->SMTPAuth = $config['smtp_auth'];
 		$mailer->Username = $config['smtp_user'];
 		$mailer->Password = $config['smtp_pass'];
+		$mailer->SMTPSecure = isset($config['smtp_secure']) ? $config['smtp_secure'] : '';
 	}
 	else
 		$mailer->IsMail();

system/hooks.php

@@ -42,12 +42,12 @@ class Hook
 			$ret = $tmp($params);
 		}*/
 		
-		global $db, $config, $template_path, $ots, $content;
+		global $db, $config, $template_path, $ots, $content, $twig;
 		if(file_exists(BASE . $this->_file)) {
-			require(BASE . $this->_file);
+			$ret = require(BASE . $this->_file);
 		}
 
-		return true;
+		return $ret === null || $ret == 1 || $ret;
 	}
 
 	public function name() {return $this->_name;}
@@ -71,12 +71,18 @@ class Hooks
 		if(isset(self::$_hooks[$type]))
 		{
 			foreach(self::$_hooks[$type] as $name => $hook)
-				$ret = $hook->execute($params);
+				if(!$hook->execute($params)) {
+					$ret = false;
+				}
 		}
 
 		return $ret;
 	}
 
+	public function exist($type) {
+		return isset(self::$_hooks[$type]);
+	}
+	
 	public function load()
 	{
 		global $db;

system/libs/plugins.php

@@ -194,8 +194,9 @@ class Plugins {
 							break;
 						}
 						
-						$file = BASE . $file;
+						$file = str_replace('\\', '/', BASE . $file);
-						if(!is_sub_dir($file, BASE) || realpath(dirname($file)) != dirname($file)) {
+						$realpath = str_replace('\\', '/', realpath(dirname($file)));
+						if(!is_sub_dir($file, BASE) || $realpath != dirname($file)) {
 							$success = false;
 							self::$error = "You don't have rights to delete: " . $file;
 							break;

system/migrations/20.php

@@ -1,39 +1,48 @@
 <?php
 
-$config_file = BASE . 'config.local.php';
+if(!isset($database_migration_20)) {
-if(!is_writable($config_file)) { // we can't do anything, just ignore
+	databaseMigration20();
-	return;
 }
 
-$content_of_file = trim(file_get_contents($config_file));
+function databaseMigration20(&$content = '') {
-if(strpos($content_of_file, 'highscores_ids_hidden') !== false) { // already present
+	global $db;
-	return;
-}
 
-$query = $db->query("SELECT `id` FROM `players` WHERE (`name` = " . $db->quote("Rook Sample") . " OR `name` = " . $db->quote("Sorcerer Sample") . " OR `name` = " . $db->quote("Druid Sample") . " OR `name` = " . $db->quote("Paladin Sample") . " OR `name` = " . $db->quote("Knight Sample") . ") ORDER BY `id`;");
+	$config_file = BASE . 'config.local.php';
+	if(!is_writable($config_file)) { // we can't do anything, just ignore
+		return false;
+	}
 
-$highscores_ignored_ids = array();
+	$content_of_file = trim(file_get_contents($config_file));
-if($query->rowCount() > 0) {
+	if(strpos($content_of_file, 'highscores_ids_hidden') !== false) { // already present
+		return true;
+	}
+
+	$query = $db->query("SELECT `id` FROM `players` WHERE (`name` = " . $db->quote("Rook Sample") . " OR `name` = " . $db->quote("Sorcerer Sample") . " OR `name` = " . $db->quote("Druid Sample") . " OR `name` = " . $db->quote("Paladin Sample") . " OR `name` = " . $db->quote("Knight Sample") . " OR `name` = " . $db->quote("Account Manager") . ") ORDER BY `id`;");
+
+	$highscores_ignored_ids = array();
+	if($query->rowCount() > 0) {
 		foreach($query->fetchAll() as $result)
 			$highscores_ignored_ids[] = $result['id'];
-}
+	}
-else {
+	else {
 		$highscores_ignored_ids[] = 0;
-}
+	}
 
-$php_on_end = substr($content_of_file, -2, 2) == '?>';
+	$php_on_end = substr($content_of_file, -2, 2) == '?>';
-$content = PHP_EOL;
+	$content = PHP_EOL;
-if($php_on_end) {
+	if($php_on_end) {
 		$content .= '<?php';
-}
+	}
 
-$content .= PHP_EOL;
+	$content .= PHP_EOL;
-$content .= '$config[\'highscores_ids_hidden\'] = array(' . implode(', ', $highscores_ignored_ids) . ');';
+	$content .= '$config[\'highscores_ids_hidden\'] = array(' . implode(', ', $highscores_ignored_ids) . ');';
-$content .= PHP_EOL;
+	$content .= PHP_EOL;
 
-if($php_on_end) {
+	if($php_on_end) {
 		$content .= '?>';
-}
+	}
 
-file_put_contents($config_file, $content, FILE_APPEND);
+	file_put_contents($config_file, $content, FILE_APPEND);
+	return true;
+}
 ?>

system/migrations/22.php

@@ -0,0 +1,29 @@
+<?php
+
+if(!tableExist('z_polls'))
+	$db->query('
+CREATE TABLE `z_polls` (
+  `id` int(11) NOT NULL auto_increment,
+  `question` varchar(255) NOT NULL,
+  `description` varchar(255) NOT NULL,
+  `end` int(11) NOT NULL DEFAULT 0,
+  `start` int(11) NOT NULL DEFAULT 0,
+  `answers` int(11) NOT NULL DEFAULT 0,
+  `votes_all` int(11) NOT NULL DEFAULT 0,
+  PRIMARY KEY  (`id`)
+) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;');
+
+if(!tableExist('z_polls_answers'))
+$db->query('
+	CREATE TABLE `z_polls_answers` (
+  `poll_id` int(11) NOT NULL,
+  `answer_id` int(11) NOT NULL,
+  `answer` varchar(255) NOT NULL,
+  `votes` int(11) NOT NULL DEFAULT 0
+) ENGINE=MyISAM DEFAULT CHARSET=latin1;');
+
+if(!fieldExist('vote', 'accounts'))
+	$db->query('ALTER TABLE `accounts` ADD `vote` INT( 11 ) DEFAULT 0 NOT NULL ;');
+else {
+	$db->query('ALTER TABLE `accounts` MODIFY `vote` INT( 11 ) DEFAULT 0 NOT NULL ;');
+}

system/pages/admin/pages.php

@@ -16,6 +16,8 @@ if(!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin())
 	return;
 }
 
+header('X-XSS-Protection:0');
+
 $name = $p_title = '';
 $groups = new OTS_Groups_List();
 

system/pages/creatures.php

@@ -170,7 +170,7 @@ if(isset($monster['name']))
 	echo '</TABLE></td><td align=left>
 	<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=40%>
 	<tr><td align=left>';
-	$monster['gfx_name'] = trim(mb_strtolower($monster['name'])).".gif";
+	$monster['gfx_name'] = trim(strtolower($monster['name'])).".gif";
 	if(!file_exists('images/monsters/'.$monster['gfx_name'])) {
 		$gfx_name =  str_replace(" ", "", $monster['gfx_name']);
 		if(file_exists('images/monsters/' . $gfx_name))

system/pages/polls.php

@@ -13,31 +13,6 @@ $title = 'Polls';
 
 /* Polls System By Averatec from pervera.pl & otland.net */
 
-if(!tableExist('z_polls'))
-	$db->query('
-CREATE TABLE `z_polls` (
-  `id` int(11) NOT NULL auto_increment,
-  `question` varchar(255) NOT NULL,
-  `description` varchar(255) NOT NULL,
-  `end` int(11) NOT NULL DEFAULT 0,
-  `start` int(11) NOT NULL DEFAULT 0,
-  `answers` int(11) NOT NULL DEFAULT 0,
-  `votes_all` int(11) NOT NULL DEFAULT 0,
-  PRIMARY KEY  (`id`)
-) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;');
-
-if(!tableExist('z_polls_answers'))
-$db->query('
-	CREATE TABLE `z_polls_answers` (
-  `poll_id` int(11) NOT NULL,
-  `answer_id` int(11) NOT NULL,
-  `answer` varchar(255) NOT NULL,
-  `votes` int(11) NOT NULL DEFAULT 0
-) ENGINE=MyISAM DEFAULT CHARSET=latin1;');
-
-if(!fieldExist('vote', 'accounts'))
-	$db->query('ALTER TABLE `accounts` ADD `vote` INT( 11 ) NOT NULL ;');
-
 function getColorByPercent($percent)
 {
 	if($percent < 15)

system/templates/account.management.html.twig

@@ -84,6 +84,7 @@
 			</div>
 		<br/><br/>
 		{% endif %}
+		<a name="General+Information"></a>
 		<h2>General Information</h2>
 		<table width="100%">
 			<tr style="background-color: {{ config.lightborder }};" >
@@ -118,6 +119,7 @@
 			{% endautoescape %}
 		</table>
 		<br/>
+		<a name="Public+Information"></a>
 		<h2>Public Information</h2>
 		<table width="100%">
 			<tr style="background-color: {{ config.lightborder }};" >
@@ -133,6 +135,7 @@
 			<input type="submit" value="Change Info" />
 		</form>
 		<br/>
+		<a name="Account+Logs" ></a>
 		<h2>Action Log</h2>
 		<table>
 			<tr bgcolor="{{ config.vdarkborder }}" class="white">
@@ -151,6 +154,7 @@
 			{% endautoescape %}
 		</table>
 		<br/>
+		<a name="Characters" ></a>
 		<h2>Character list: {{ players|length }} characters.</h2>
 		<table>
 			<tr bgcolor="{{ config.vdarkborder }}" class="white">

system/templates/admin.dashboard.html.twig

@@ -35,7 +35,7 @@
 	{% if status.online %}
 	<p class="success" style="width: 150px; text-align: center;">Status: Online<br/>
 		{{ status.uptimeReadable }}, {{ status.players }}/{{ status.playersMax }}<br/>
-		{{ status.lua.ip }} : {{ status.lua.loginPort }}
+		{{ config.lua.ip }} : {{ config.lua.loginPort }}
 		<br/><br/><u><a id="more-button" href="#"></a></u>
 
 		<span id="status-more">

system/templates/admin.pages.form.html.twig

@@ -19,7 +19,12 @@
 					</tr>
 					<tr>
 						<td>PHP:</td>
-						<td><input type="checkbox" id="php" name="php" title="Check if page should be executed as PHP" value="1"{% if php %} checked="true"{% endif %}{% if action == 'edit' %} disabled{% endif %}/></td>
+						<td>
+							<input type="checkbox" id="php" name="php" title="Check if page should be executed as PHP" value="1"{% if php %} checked="true"{% endif %}{% if action == 'edit' %} disabled{% endif %}/>
+							{% if action == 'edit' %}
+								<input type="hidden" name="php" value="{% if php %}1{% else %}0{% endif %}"/>
+							{% endif %}
+						</td>
 					</tr>
 					<tr>
 						<td>Content:</td>

system/templates/online.html.twig

@@ -14,7 +14,7 @@
 					{% set players_count = players|length %}
 					{% set afk = players_count - status.players %}
 					{% if afk < 0 %}
-						{% set players = players + afk|abs %}
+						{% set players_count = players_count + afk|abs %}
 						{% set afk = 0 %}
 					{% endif %}
 					Currently there are <b>{{ status.players }}</b> active and <b>{{ afk }}</b> AFK players.<br/>

templates/tibiacom/index.php

@@ -442,6 +442,6 @@ foreach($config['menu_categories'] as $id => $cat) {
 function logo_monster()
 {
 	global $config;
-	return str_replace(" ", "", trim(mb_strtolower($config['logo_monster'])));
+	return str_replace(" ", "", trim(strtolower($config['logo_monster'])));
 }
 ?>