Release v0.8.13

When someone inserts long word, is will break into multiple lines

.gitignore

@@ -2,6 +2,9 @@ Thumbs.db
 .DS_Store
 .idea
 
+#
+/.htaccess
+
 # composer
 composer.lock
 vendor
@@ -32,6 +35,12 @@ images/guilds/*
 images/editor/*
 !images/editor/index.html
 
+# gallery images
+images/gallery/*
+!images/gallery/index.html
+!images/gallery/demon.jpg
+!images/gallery/demon_thumb.gif
+
 # cache
 system/cache/*
 !system/cache/index.html

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## [0.8.13 - 16.09.2023]
+
+### Added
+* latest client versions to config
+* patching from develop - twig context for hooks
+
+### Fixed
+* fixed XSS vulnerability in some pages
+
+Nothing more or less!
+
+## [0.8.12 - 07.08.2023]
+I've moved the repository back to my personal account. (Just so you know!)
+
+I will also try to add git commits pointed to each change, lets see if you like it or not - you can comment in discussion, that will be created just after releasing this version :)
+
+### Added
+* forum: better error messages (Suggested by @anyeor) (https://github.com/slawkens/myaac/commit/34725e0257684fe5fa43875cc3a8f587ba04642e)
+* more support for GesiorAAC classes, so some of them will work with MyAAC (https://github.com/slawkens/myaac/commit/a8172a518ff8939c4402349b16c064fcaf855d31)
+* word-break on forum thread & reply (Suggested by @anyeor) (https://github.com/slawkens/myaac/commit/ce4aed0f1719d2aadc749e5238e883e3c10e2686)
+
+### Fixed
+* not working pages/links from database, introduced in 0.8.10 (Thanks to OtLand user - https://otland.net/members/0lo.99657/ for report) (https://github.com/slawkens/myaac/commit/1e874c7027769bd09e772a1cdac75d7e37991256)
+* it was possible to create topic in board that was closed, ommiting the error check (Thanks to @anyeor for report) (https://github.com/slawkens/myaac/commit/0d52978d9fb99869500d35e7676f454ca5eaba14)
+* PHP 8.2 compatibility - removed deprecated functions utf8_encode & utf8_decode (https://github.com/slawkens/myaac/commit/a338fd967cdbcc89e86be4e6b66b2cad2ff23251)
+* guild description not being correctly shown (Reported by @anyeor)  (https://github.com/slawkens/myaac/commit/f2a3ec1185df64ad9084d4ff55790ae4a5b3e5fd, https://github.com/slawkens/myaac/commit/df321154f63d458a4bc7d83bac5e3447b67317a4)
+
+### Removed
+* Some old code for verifying messages length (Reported by @anyeor) (https://github.com/slawkens/myaac/commit/df48363ea4ced4350fd90ffddf57d464ba5afa8b)
+* some info about config failed to load, was never working (https://github.com/slawkens/myaac/commit/7a546e5a41036b0e9e926d337c6f2e3c41c591d2)
+
 ## [0.8.11 - 30.06.2023]
 
 ### Added

README.md

@@ -1,16 +1,22 @@
 # [MyAAC](https://my-aac.org)
 
-[![Build Status Master](https://img.shields.io/travis/slawkens/myaac/master)](https://travis-ci.org/github/slawkens/myaac)
-[![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
-[![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
-[![PHP Versions](https://img.shields.io/travis/php-v/slawkens/myaac/master)](https://github.com/slawkens/myaac/blob/d8b3b4135827ee17e3c6d41f08a925e718c587ed/.travis.yml#L3)
-[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
-[![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
-
 MyAAC is a free and open-source Automatic Account Creator (AAC) written in PHP. It is a fork of the [Gesior](https://github.com/gesior/Gesior2012) project. It supports only MySQL databases.
 
 Official website: https://my-aac.org
 
+[![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/slawkens/myaac/cypress.yml)](https://github.com/slawkens/myaac/actions)
+[![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
+[![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
+[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
+[![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
+
+| Version    | Status                                    | Branch  | Requirements   |
+|:-----------|:------------------------------------------|:--------|:---------------|
+| **0.10.x** | **Active development**                    | develop | **PHP >= 8.0** |
+| 0.9.x      | Active support                            | 0.9     | PHP >= 7.2.5   |
+| 0.8.x      | Active support                            | master  | PHP >= 7.2.5   |
+| 0.7.x      | End Of Life                               | 0.7     | PHP >= 5.3.3   |
+
 ### Requirements
 
 	- PHP 7.2.5 or later
@@ -73,6 +79,12 @@ Look: [Contributing](https://github.com/otsoft/myaac/wiki/Contributing) in our w
 
 If you have a great idea or want contribute to the project - visit our website at https://www.my-aac.org
 
+## Project supported by JetBrains
+
+Many thanks to Jetbrains for kindly providing a license for me to work on this and other open-source projects.
+
+[![JetBrains](https://resources.jetbrains.com/storage/products/company/brand/logos/jb_beam.svg)](https://www.jetbrains.com/?from=https://github.com/slawkens)
+
 ### License
 
 This program and all associated files are released under the GNU Public License.  

admin/pages/accounts.php

@@ -426,7 +426,7 @@ else if ($id > 0 && isset($account) && $account->isLoaded()) {
 		<div class="box-body">
 			<form action="<?php echo $base; ?>" method="post">
 				<div class="input-group input-group-sm">
-					<input type="text" class="form-control" name="search_name" value="<?php echo $search_account; ?>"
+					<input type="text" class="form-control" name="search_name" value="<?php echo escapeHtml($search_account); ?>"
 						   maxlength="32" size="32">
 					<span class="input-group-btn">
                           <button type="submit" type="button" class="btn btn-info btn-flat">Search</button>

admin/pages/players.php

@@ -784,7 +784,7 @@ else if ($id > 0 && isset($player) && $player->isLoaded())
 			<div class="box-body">
 				<form action="<?php echo $base; ?>" method="post">
 					<div class="input-group input-group-sm">
-						<input type="text" class="form-control" name="search_name" value="<?php echo $search_name; ?>"
+						<input type="text" class="form-control" name="search_name" value="<?php echo escapeHtml($search_name); ?>"
 							   maxlength="32" size="32">
 						<span class="input-group-btn">
                           <button type="submit" type="button" class="btn btn-info btn-flat">Search</button>

common.php

@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');
 
 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.11');
+define('MYAAC_VERSION', '0.8.13');
 define('DATABASE_VERSION', 33);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));

index.php

@@ -167,7 +167,7 @@ else {
 }
 
 // handle ?fbclid=x, etc. (show news page)
-if (!$found && count($_GET) > 0 && !isset($_REQUEST['subtopic']) && !isset($_REQUEST['p'])) {
+if (!$found && count($_GET) > 0 && !isset($_REQUEST['subtopic']) && !isset($_REQUEST['p']) && !in_array($_SERVER['QUERY_STRING'], getDatabasePages())) {
 	$_REQUEST['p'] = $_REQUEST['subtopic'] = 'news';
 	$found = true;
 }

plugins/email-confirmed-reward/reward.php

@@ -4,12 +4,12 @@ defined('MYAAC') or die('Direct access not allowed!');
 $reward = config('account_mail_confirmed_reward');
 
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
-if ($reward['coins'] > 0 && $hasCoinsColumn) {
+if ($reward['coins'] > 0 && !$hasCoinsColumn) {
 	log_append('email_confirm_error.log', 'accounts.coins column does not exist.');
 }
 
 if (!isset($account) || !$account->isLoaded()) {
-	log_append('email_confirm_error.log', 'Account not loaded.');
+	//log_append('email_confirm_error.log', 'Account not loaded.');
 	return;
 }
 

system/clients.conf.php

@@ -99,4 +99,10 @@ $config['clients'] = [
 	1291,
 
 	1300,
+	1310,
+	1311,
+	1312,
+	1316,
+	1320,
+	1321,
 ];

system/compat/classes.php

@@ -9,7 +9,30 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
-class Player extends OTS_Player {}
+class Account extends OTS_Account {
-class Guild extends OTS_Guild {}
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
+
+class Player extends OTS_Player {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
+class Guild extends OTS_Guild {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
 class GuildRank extends OTS_GuildRank {}
 class House extends OTS_House {}

system/functions.php

@@ -923,8 +923,8 @@ function load_config_lua($filename)
 	$config_file = $filename;
 	if(!@file_exists($config_file))
 	{
-		log_append('error.log', '[load_config_file] Fatal error: Cannot load config.lua (' . $filename . '). Error: ' . print_r(error_get_last(), true));
+		log_append('error.log', '[load_config_file] Fatal error: Cannot load config.lua (' . $filename . ').');
-		throw new RuntimeException('ERROR: Cannot find ' . $filename . ' file. More info in system/logs/error.log');
+		throw new RuntimeException('ERROR: Cannot find ' . $filename . ' file.');
 	}
 
 	$result = array();
@@ -1247,6 +1247,36 @@ function escapeHtml($html) {
 	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
 }
 
+function displayErrorBoxWithBackButton($errors, $action = null) {
+	global $twig;
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+	$twig->display('account.back_button.html.twig', [
+		'action' => $action ?: getLink('')
+	]);
+}
+
+function getDatabasePages($withHidden = false): array
+{
+	global $db, $logged_access;
+
+	if (!isset($logged_access)) {
+		$logged_access = 1;
+	}
+
+	$pages = $db->query('SELECT `name` FROM ' . TABLE_PREFIX . 'pages WHERE ' . ($withHidden ? '' : '`hidden` != 1 AND ') . '`access` <= ' . $db->quote($logged_access));
+	$ret = [];
+
+	if ($pages->rowCount() < 1) {
+		return $ret;
+	}
+
+	foreach($pages->fetchAll() as $page) {
+		$ret[] = $page['name'];
+	}
+
+	return $ret;
+}
+
 // validator functions
 require_once LIBS . 'validator.php';
 require_once SYSTEM . 'compat/base.php';

system/libs/plugins.php

@@ -74,6 +74,10 @@ class Plugins {
 			if (isset($plugin['hooks'])) {
 				foreach ($plugin['hooks'] as $_name => $info) {
 					if (defined('HOOK_'. $info['type'])) {
+						if (strpos($info['type'], 'HOOK_') !== false) {
+							$info['type'] = str_replace('HOOK_', '', $info['type']);
+						}
+
 						$hook = constant('HOOK_'. $info['type']);
 						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
 					} else {

system/libs/pot/OTS_ServerInfo.php

@@ -123,7 +123,7 @@ class OTS_ServerInfo
         {
             // loads respond XML
             $info = new OTS_InfoRespond();
-            if(!$info->loadXML( utf8_encode($status->getBuffer())))
+            if(!$info->loadXML( $status->getBuffer()))
 				return false;
 
             return $info;

system/pages/forum.php

@@ -191,12 +191,13 @@ if(!$logged)
 }
 
 if(!ctype_alnum(str_replace(array('-', '_'), '', $action))) {
-	error('Error: Action contains illegal characters.');
+	$errors[] = 'Error: Action contains illegal characters.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
 else if(file_exists(PAGES . 'forum/' . $action . '.php')) {
 	require PAGES . 'forum/' . $action . '.php';
 }
 else {
-	error('This page does not exists.');
+	$errors[] = 'This page does not exists.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-?>

system/pages/forum/edit_post.php

@@ -14,7 +14,8 @@ if(Forum::canPost($account_logged))
 {
 	$post_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : false;
 	if(!$post_id) {
-		echo 'Please enter post id.';
+		$errors[] = 'Please enter post id.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}
 
@@ -35,24 +36,18 @@ if(Forum::canPost($account_logged))
 				$post_topic = stripslashes(trim($_REQUEST['topic']));
 				$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
 				$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
-				$lenght = 0;
+
-				for($i = 0; $i < strlen($post_topic); $i++)
+				$length = strlen($post_topic);
-				{
+				if(($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
-					if(ord($post_topic[$i]) >= 33 && ord($post_topic[$i]) <= 126)
+					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";
-						$lenght++;
+
-				}
+				$length = strlen($text);
-				if(($lenght < 1 || strlen($post_topic) > 60) && $thread['id'] == $thread['first_post'])
+				if($length < 1 || $length > 15000)
-					$errors[] = 'Too short or too long topic (short: '.$lenght.' long: '.strlen($post_topic).' letters). Minimum 1 letter, maximum 60 letters.';
+					$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";
-				$lenght = 0;
+
-				for($i = 0; $i < strlen($text); $i++)
-				{
-					if(ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-						$lenght++;
-				}
-				if($lenght < 1 || strlen($text) > 15000)
-					$errors[] = 'Too short or too long post (short: '.$lenght.' long: '.strlen($text).' letters). Minimum 1 letter, maximum 15000 letters.';
 				if($char_id == 0)
 					$errors[] = 'Please select a character.';
+
 				if(empty($post_topic) && $thread['id'] == $thread['first_post'])
 					$errors[] = 'Thread topic can\'t be empty.';
 
@@ -104,11 +99,17 @@ if(Forum::canPost($account_logged))
 				));
 			}
 		}
-		else
+		else {
-			echo '<br/>You are not an author of this post.';
+			$errors[] = 'You are not an author of this post.';
+			displayErrorBoxWithBackButton($errors, getLink('forum'));
+		}
+	}
+	else {
+		$errors[] = "Post with ID $post_id doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 	}
-	else
-		echo "<br/>Post with ID " . $post_id . " doesn't exist.";
 }
-else
+else {
-	echo "<br/>Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	$errors[] = "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
+}

system/pages/forum/move_thread.php

@@ -14,12 +14,13 @@ if(!Forum::isModerator()) {
 	echo 'You are not logged in or you are not moderator.';
 }
 
-$save = isset($_REQUEST['save']) ? (int)$_REQUEST['save'] == 1 : false;
+$save = isset($_REQUEST['save']) && (int)$_REQUEST['save'] == 1;
 if($save) {
 	$post_id = (int)$_REQUEST['id'];
 	$board = (int)$_REQUEST['section'];
 	if(!Forum::hasAccess($board)) {
-		echo "You don't have access to this board.";
+		$errors[] = "You don't have access to this board.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}
 
@@ -31,8 +32,10 @@ if($save) {
 			header('Location: ' . getForumBoardLink($nPost['section']));
 		}
 	}
-	else
+	else {
-		echo 'Post with ID ' . $post_id . ' does not exist.';
+		$errors[] = 'Post with ID ' . $post_id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
 }
 else {
 	$post_id = (int)$_REQUEST['id'];
@@ -58,7 +61,8 @@ else {
 			));
 		}
 	}
-	else
+	else {
-		echo 'Post with ID ' . $post_id . ' does not exist.';
+		$errors[] = 'Post with ID ' . $post_id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
 }
-?>

system/pages/forum/new_post.php

@@ -15,17 +15,20 @@ if(Forum::canPost($account_logged))
 	$players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
 	$thread_id = isset($_REQUEST['thread_id']) ? (int) $_REQUEST['thread_id'] : 0;
 	if($thread_id == 0) {
-		echo "Thread with this id doesn't exist.";
+		$errors[] = "Thread with this id doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}
 
-	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id." LIMIT 1")->fetch();
+	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id." LIMIT 1")->fetch();
-	echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
+
 	if(isset($thread['id']) && Forum::hasAccess($thread['section']))
 	{
+		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
+
 		$quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL;
 		$text = isset($_REQUEST['text']) ? stripslashes(trim($_REQUEST['text'])) : NULL;
-		$char_id = (int) (isset($_REQUEST['char_id']) ? $_REQUEST['char_id'] : 0);
+		$char_id = (int) ($_REQUEST['char_id'] ?? 0);
 		$post_topic = isset($_REQUEST['topic']) ? stripslashes(trim($_REQUEST['topic'])) : '';
 		$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 		$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
@@ -38,14 +41,10 @@ if(Forum::canPost($account_logged))
 		}
 		elseif(isset($_REQUEST['save']))
 		{
-			$lenght = 0;
+			$length = strlen($text);
-			for($i = 0; $i < strlen($text); $i++)
+			if($length < 1 || strlen($text) > 15000)
-			{
+				$errors[] = 'Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.';
-				if(ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
+
-					$lenght++;
-			}
-			if($lenght < 1 || strlen($text) > 15000)
-				$errors[] = 'Too short or too long post (short: '.$lenght.' long: '.strlen($text).' letters). Minimum 1 letter, maximum 15000 letters.';
 			if($char_id == 0)
 				$errors[] = 'Please select a character.';
 
@@ -73,8 +72,8 @@ if(Forum::canPost($account_logged))
 			if(count($errors) == 0)
 			{
 				$saved = true;
-				Forum::add_post($thread['id'], $thread['section'], $account_logged->getId(), (int) $char_id, $text, $post_topic, $smile, $html, time(), $_SERVER['REMOTE_ADDR']);
+				Forum::add_post($thread['id'], $thread['section'], $account_logged->getId(), (int) $char_id, $text, $post_topic, $smile, $html);
-				$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `replies`=`replies`+1, `last_post`=".time()." WHERE `id` = ".(int) $thread_id);
+				$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `replies`=`replies`+1, `last_post`=".time()." WHERE `id` = ".$thread_id);
 				$post_page = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS posts_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`post_date` <= ".time()." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread['id'])->fetch();
 				$_page = (int) ceil($post_page['posts_count'] / $config['forum_threads_per_page']) - 1;
 				header('Location: ' . getForumThreadLink($thread_id, $_page));
@@ -110,10 +109,14 @@ if(Forum::canPost($account_logged))
 			));
 		}
 	}
-	else
+	else {
-		echo "Thread with ID " . $thread_id . " doesn't exist.";
+		$errors[] = "Thread with ID " . $thread_id . " doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
+}
+else {
+	$errors[] = "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-else
-	echo "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
 
 $twig->display('forum.fullscreen.html.twig');

system/pages/forum/new_thread.php

@@ -13,7 +13,7 @@ defined('MYAAC') or die('Direct access not allowed!');
 if(Forum::canPost($account_logged))
 {
 	$players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll();
-	$section_id = isset($_REQUEST['section_id']) ? $_REQUEST['section_id'] : null;
+	$section_id = $_REQUEST['section_id'] ?? null;
 	if($section_id !== null) {
 		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($section_id) . '">' . $sections[$section_id]['name'] . '</a> >> <b>Post new thread</b><br />';
 		if(isset($sections[$section_id]['name']) && Forum::hasAccess($section_id)) {
@@ -28,22 +28,13 @@ if(Forum::canPost($account_logged))
 			$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
 			$saved = false;
 			if (isset($_REQUEST['save'])) {
-				$errors = array();
+				$length = strlen($post_topic);
+				if ($length < 1 || $length > 60)
+					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";
 
-				$lenght = 0;
+				$length = strlen($text);
-				for ($i = 0; $i < strlen($post_topic); $i++) {
+				if ($length < 1 || $length > 15000)
-					if (ord($post_topic[$i]) >= 33 && ord($post_topic[$i]) <= 126)
+					$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";
-						$lenght++;
-				}
-				if ($lenght < 1 || strlen($post_topic) > 60)
-					$errors[] = 'Too short or too long topic (short: ' . $lenght . ' long: ' . strlen($post_topic) . ' letters). Minimum 1 letter, maximum 60 letters.';
-				$lenght = 0;
-				for ($i = 0; $i < strlen($text); $i++) {
-					if (ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-						$lenght++;
-				}
-				if ($lenght < 1 || strlen($text) > 15000)
-					$errors[] = 'Too short or too long post (short: ' . $lenght . ' long: ' . strlen($text) . ' letters). Minimum 1 letter, maximum 15000 letters.';
 
 				if ($char_id == 0)
 					$errors[] = 'Please select a character.';
@@ -93,11 +84,17 @@ if(Forum::canPost($account_logged))
 				));
 			}
 		}
-		else
+		else {
-			echo 'Board with ID ' . $board_id . ' doesn\'t exist.';
+			$errors[] = "Board with ID $section_id doesn't exist.";
+			displayErrorBoxWithBackButton($errors, getLink('forum'));
+		}
+	}
+	else {
+		$errors[] = 'Please enter section_id.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 	}
-	else
-		echo 'Please enter section_id.';
 }
-else
+else {
-	echo 'Your account is banned, deleted or you don\'t have any player with level '.$config['forum_level_required'].' on your account. You can\'t post.';
+	$errors[] = 'Your account is banned, deleted or you don\'t have any player with level '.$config['forum_level_required'].' on your account. You can\'t post.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
+}

system/pages/forum/remove_post.php

@@ -29,8 +29,12 @@ if(Forum::isModerator())
 			header('Location: ' . getForumThreadLink($post['first_post'], (int) $_page));
 		}
 	}
-	else
+	else {
-		echo 'Post with ID ' . $id . ' does not exist.';
+		$errors[] = 'Post with ID ' . $id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
+}
+else {
+	$errors[] = 'You are not logged in or you are not moderator.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-else
-	echo 'You are not logged in or you are not moderator.';

system/pages/forum/show_board.php

@@ -14,12 +14,14 @@ $links_to_pages = '';
 $section_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : null;
 
 if($section_id == null || !isset($sections[$section_id])) {
-	echo "Board with this id does't exist.";
+	$errors[] = "Board with this id does't exist.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }
 
 if(!Forum::hasAccess($section_id)) {
-	echo "You don't have access to this board.";
+	$errors[] = "You don't have access to this board.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }
 
@@ -90,5 +92,3 @@ if(isset($last_threads[0]))
 }
 else
 	echo '<h3>No threads in this board.</h3>';
-
-?>

system/pages/forum/show_thread.php

@@ -16,12 +16,14 @@ $_page = (int) (isset($_REQUEST['page']) ? $_REQUEST['page'] : 0);
 $thread_starter = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`first_post` AND `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` LIMIT 1")->fetch();
 
 if(empty($thread_starter['name'])) {
-	echo 'Thread with this ID does not exits.';
+	$errors[] = 'Thread with this ID does not exists.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }
 
 if(!Forum::hasAccess($thread_starter['section'])) {
-	echo "You don't have access to view this thread.";
+	$errors[] = "You don't have access to view this thread.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }
 

system/templates/forum.new_post.html.twig

@@ -54,7 +54,7 @@
 	</tr>
 	{% set i = 0 %}
 	{% for thread in threads %}
-	<tr bgcolor="{{ getStyle(i) }}"><td>{{ thread.name }}</td><td>{{ thread.post|raw }}</td></tr>
+	<tr bgcolor="{{ getStyle(i) }}"><td>{{ thread.name }}</td><td style="word-break: break-all">{{ thread.post|raw }}</td></tr>
 	{% set i = i + 1 %}
 	{% endfor %}
 </table>

system/templates/forum.show_thread.html.twig

@@ -40,7 +40,7 @@ Page: {{ links_to_pages|raw }}<br/>
 				<br />Posts: {{ post.author_posts_count }}<br />
 			</span>
 		</td>
-		<td valign="top">{{ post.content|raw }} </td></tr>
+		<td valign="top" style="word-break: break-all">{{ post.content|raw }} </td></tr>
 		<tr bgcolor="{{ getStyle(i) }}">
 			<td>
 				<span style="font-size: 10px">{{ post.date|date('d.m.y H:i:s') }}

system/templates/guilds.view.html.twig

@@ -49,8 +49,8 @@
                                                 <tr>
                                                     <td>
                                                         <div id="GuildInformationContainer">
-                                                            {% if descriptions is not empty %}
+                                                            {% if description is not empty %}
-                                                                {{ description }}
+                                                                {{ description|raw }}
                                                                 <br>
                                                                 <br>
                                                             {% endif %}

system/twig.php

@@ -44,15 +44,16 @@ $function = new TwigFunction('getGuildLink', function ($s, $p) {
 });
 $twig->addFunction($function);
 
-$function = new TwigFunction('hook', function ($hook) {
+$function = new TwigFunction('hook', function ($context, $hook, array $params = []) {
 	global $hooks;
 
 	if(is_string($hook)) {
 		$hook = constant($hook);
 	}
 
-	$hooks->trigger($hook);
+	$params['context'] = $context;
-});
+	$hooks->trigger($hook, $params);
+}, ['needs_context' => true]);
 $twig->addFunction($function);
 
 $function = new TwigFunction('config', function ($key) {

templates/tibiacom/headline.php

@@ -28,7 +28,7 @@ if(!@file_exists($page_file))
 
 	// set text
 	$font = getenv('GDFONTPATH') . DIRECTORY_SEPARATOR . 'martel.ttf';
-	imagettftext($image, 18, 0, 4, 20, imagecolorallocate($image, 240, 209, 164), $font, utf8_decode($_GET['t']));
+	imagettftext($image, 18, 0, 4, 20, imagecolorallocate($image, 240, 209, 164), $font, $_GET['t']);
 
 	// header mime type
 	header('Content-type: image/gif');

templates/tibiacom/index.php

@@ -21,7 +21,7 @@ if(isset($config['boxes']))
 		<?php
 			if(PAGE !== 'news') {
 				if(strpos(URI, 'subtopic=') !== false) {
-					$tmp = $_REQUEST['subtopic'];
+					$tmp = escapeHtml($_REQUEST['subtopic']);
 					if($tmp === 'accountmanagement') {
 						$tmp = 'accountmanage';
 					}