Release v0.8.14

Prevent session fixation
Fix XSS in forum
2025-09-14 12:33:35 +02:00 · 2023-11-27 23:31:45 +01:00 · 2023-11-27 23:16:51 +01:00 · 2023-11-27 22:58:24 +01:00 · 2023-11-27 22:58:00 +01:00 · 2023-11-27 20:28:43 +01:00
33 changed files with 310 additions and 134 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,9 @@ Thumbs.db
 .DS_Store
 .idea

+#
+/.htaccess
+
 # composer
 composer.lock
 vendor
@@ -32,6 +35,12 @@ images/guilds/*
 images/editor/*
 !images/editor/index.html

+# gallery images
+images/gallery/*
+!images/gallery/index.html
+!images/gallery/demon.jpg
+!images/gallery/demon_thumb.gif
+
 # cache
 system/cache/*
 !system/cache/index.html
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,48 @@
 # Changelog

+## [0-8.14 - 27.11.2023]
+Security fixes.
+
+### Fixed
+* XSS vulnerability in bugtracker (https://github.com/slawkens/myaac/commit/83a91ec540072d319dd338abff45f8d5ebf48190)
+* XSS vulnerability in forum (https://github.com/slawkens/myaac/commit/d1bc63d07ad88a143358cacd2c417891eea74dcc + https://github.com/slawkens/myaac/commit/55dbade8d5280c5baed45e5f7ebc3613b8e9b9e8)
+* Session Fixation (https://github.com/slawkens/myaac/commit/483155cf4c1e3068aaee0d44541dfa61f6223379)
+* displaying ban info on account page (https://github.com/slawkens/myaac/commit/764db0c203d1826ffce3a5a78f83a97e56bd0685)
+
+### Changed
+* Clear some additional cache keys - like database cache (https://github.com/slawkens/myaac/commit/4327b66f915d06dce504211692173606b9ef3b4e)
+
+## [0.8.13 - 16.09.2023]
+
+### Added
+* latest client versions to config (https://github.com/slawkens/myaac/commit/765886f0c782807400c429577cde5e45bd7c308f)
+* patching from develop - twig context for hooks (https://github.com/slawkens/myaac/commit/f1670f4012cc7595433fe0b1937c1f9b15a60b07)
+
+### Fixed
+* fixed XSS vulnerability in some pages (https://github.com/slawkens/myaac/commit/5c3b01aca4f3cfe8abc86b8ce48194b2da87b808)
+
+Nothing more or less!
+
+## [0.8.12 - 07.08.2023]
+I've moved the repository back to my personal account. (Just so you know!)
+
+I will also try to add git commits pointed to each change, lets see if you like it or not - you can comment in discussion, that will be created just after releasing this version :)
+
+### Added
+* forum: better error messages (Suggested by @anyeor) (https://github.com/slawkens/myaac/commit/34725e0257684fe5fa43875cc3a8f587ba04642e)
+* more support for GesiorAAC classes, so some of them will work with MyAAC (https://github.com/slawkens/myaac/commit/a8172a518ff8939c4402349b16c064fcaf855d31)
+* word-break on forum thread & reply (Suggested by @anyeor) (https://github.com/slawkens/myaac/commit/ce4aed0f1719d2aadc749e5238e883e3c10e2686)
+
+### Fixed
+* not working pages/links from database, introduced in 0.8.10 (Thanks to OtLand user - https://otland.net/members/0lo.99657/ for report) (https://github.com/slawkens/myaac/commit/1e874c7027769bd09e772a1cdac75d7e37991256)
+* it was possible to create topic in board that was closed, ommiting the error check (Thanks to @anyeor for report) (https://github.com/slawkens/myaac/commit/0d52978d9fb99869500d35e7676f454ca5eaba14)
+* PHP 8.2 compatibility - removed deprecated functions utf8_encode & utf8_decode (https://github.com/slawkens/myaac/commit/a338fd967cdbcc89e86be4e6b66b2cad2ff23251)
+* guild description not being correctly shown (Reported by @anyeor)  (https://github.com/slawkens/myaac/commit/f2a3ec1185df64ad9084d4ff55790ae4a5b3e5fd, https://github.com/slawkens/myaac/commit/df321154f63d458a4bc7d83bac5e3447b67317a4)
+
+### Removed
+* Some old code for verifying messages length (Reported by @anyeor) (https://github.com/slawkens/myaac/commit/df48363ea4ced4350fd90ffddf57d464ba5afa8b)
+* some info about config failed to load, was never working (https://github.com/slawkens/myaac/commit/7a546e5a41036b0e9e926d337c6f2e3c41c591d2)
+
 ## [0.8.11 - 30.06.2023]

 ### Added
--- a/README.md
+++ b/README.md
@@ -1,16 +1,22 @@
 # [MyAAC](https://my-aac.org)

-[![Build Status Master](https://img.shields.io/travis/slawkens/myaac/master)](https://travis-ci.org/github/slawkens/myaac)
-[![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
-[![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
-[![PHP Versions](https://img.shields.io/travis/php-v/slawkens/myaac/master)](https://github.com/slawkens/myaac/blob/d8b3b4135827ee17e3c6d41f08a925e718c587ed/.travis.yml#L3)
-[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
-[![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
-
 MyAAC is a free and open-source Automatic Account Creator (AAC) written in PHP. It is a fork of the [Gesior](https://github.com/gesior/Gesior2012) project. It supports only MySQL databases.

 Official website: https://my-aac.org

+[![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/slawkens/myaac/cypress.yml)](https://github.com/slawkens/myaac/actions)
+[![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
+[![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
+[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
+[![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
+
+| Version    | Status                                    | Branch  | Requirements   |
+|:-----------|:------------------------------------------|:--------|:---------------|
+| **0.10.x** | **Active development**                    | develop | **PHP >= 8.0** |
+| 0.9.x      | Active support                            | 0.9     | PHP >= 7.2.5   |
+| 0.8.x      | Active support                            | master  | PHP >= 7.2.5   |
+| 0.7.x      | End Of Life                               | 0.7     | PHP >= 5.3.3   |
+
 ### Requirements

 	- PHP 7.2.5 or later
@@ -73,6 +79,12 @@ Look: [Contributing](https://github.com/otsoft/myaac/wiki/Contributing) in our w

 If you have a great idea or want contribute to the project - visit our website at https://www.my-aac.org

+## Project supported by JetBrains
+
+Many thanks to Jetbrains for kindly providing a license for me to work on this and other open-source projects.
+
+[![JetBrains](https://resources.jetbrains.com/storage/products/company/brand/logos/jb_beam.svg)](https://www.jetbrains.com/?from=https://github.com/slawkens)
+
 ### License

 This program and all associated files are released under the GNU Public License.  
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -426,7 +426,7 @@ else if ($id > 0 && isset($account) && $account->isLoaded()) {
 		<div class="box-body">
 			<form action="<?php echo $base; ?>" method="post">
 				<div class="input-group input-group-sm">
-					<input type="text" class="form-control" name="search_name" value="<?php echo $search_account; ?>"
+					<input type="text" class="form-control" name="search_name" value="<?php echo escapeHtml($search_account); ?>"
 						   maxlength="32" size="32">
 					<span class="input-group-btn">
                          <button type="submit" type="button" class="btn btn-info btn-flat">Search</button>
--- a/admin/pages/items.php
+++ b/admin/pages/items.php
@@ -10,8 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Load items.xml';

-require LIBS . 'items.php';
-require LIBS . 'weapons.php';
+require_once LIBS . 'items.php';
+require_once LIBS . 'weapons.php';

 $twig->display('admin.items.html.twig');

--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -784,7 +784,7 @@ else if ($id > 0 && isset($player) && $player->isLoaded())
 			<div class="box-body">
 				<form action="<?php echo $base; ?>" method="post">
 					<div class="input-group input-group-sm">
-						<input type="text" class="form-control" name="search_name" value="<?php echo $search_name; ?>"
+						<input type="text" class="form-control" name="search_name" value="<?php echo escapeHtml($search_name); ?>"
 							   maxlength="32" size="32">
 						<span class="input-group-btn">
                          <button type="submit" type="button" class="btn btn-info btn-flat">Search</button>
--- a/common.php
+++ b/common.php
@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');

 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.11');
+define('MYAAC_VERSION', '0.8.14');
 define('DATABASE_VERSION', 33);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));
--- a/images/gallery/index.html
+++ b/images/gallery/index.html
--- a/index.php
+++ b/index.php
@@ -167,7 +167,7 @@ else {
 }

 // handle ?fbclid=x, etc. (show news page)
-if (!$found && count($_GET) > 0 && !isset($_REQUEST['subtopic']) && !isset($_REQUEST['p'])) {
+if (!$found && count($_GET) > 0 && !isset($_REQUEST['subtopic']) && !isset($_REQUEST['p']) && !in_array($_SERVER['QUERY_STRING'], getDatabasePages())) {
 	$_REQUEST['p'] = $_REQUEST['subtopic'] = 'news';
 	$found = true;
 }
--- a/nginx-sample.conf
+++ b/nginx-sample.conf
@@ -25,7 +25,7 @@ server {
 	}

 	location / {
-		try_files $uri $uri/ /index.php;
+		try_files $uri $uri/ /index.php?$query_string;;
 	}

 	location ~ \.php$ {
--- a/plugins/email-confirmed-reward/reward.php
+++ b/plugins/email-confirmed-reward/reward.php
@@ -4,12 +4,12 @@ defined('MYAAC') or die('Direct access not allowed!');
 $reward = config('account_mail_confirmed_reward');

 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
-if ($reward['coins'] > 0 && $hasCoinsColumn) {
+if ($reward['coins'] > 0 && !$hasCoinsColumn) {
 	log_append('email_confirm_error.log', 'accounts.coins column does not exist.');
 }

 if (!isset($account) || !$account->isLoaded()) {
-	log_append('email_confirm_error.log', 'Account not loaded.');
+	//log_append('email_confirm_error.log', 'Account not loaded.');
 	return;
 }

--- a/system/clients.conf.php
+++ b/system/clients.conf.php
@@ -99,4 +99,10 @@ $config['clients'] = [
 	1291,

 	1300,
+	1310,
+	1311,
+	1312,
+	1316,
+	1320,
+	1321,
 ];
--- a/system/compat/classes.php
+++ b/system/compat/classes.php
@@ -9,7 +9,30 @@
 */
 defined('MYAAC') or die('Direct access not allowed!');

-class Player extends OTS_Player {}
-class Guild extends OTS_Guild {}
+class Account extends OTS_Account {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
+
+class Player extends OTS_Player {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
+class Guild extends OTS_Guild {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
 class GuildRank extends OTS_GuildRank {}
 class House extends OTS_House {}
--- a/system/functions.php
+++ b/system/functions.php
@@ -923,8 +923,8 @@ function load_config_lua($filename)
 	$config_file = $filename;
 	if(!@file_exists($config_file))
 	{
-		log_append('error.log', '[load_config_file] Fatal error: Cannot load config.lua (' . $filename . '). Error: ' . print_r(error_get_last(), true));
-		throw new RuntimeException('ERROR: Cannot find ' . $filename . ' file. More info in system/logs/error.log');
+		log_append('error.log', '[load_config_file] Fatal error: Cannot load config.lua (' . $filename . ').');
+		throw new RuntimeException('ERROR: Cannot find ' . $filename . ' file.');
 	}

 	$result = array();
@@ -1146,9 +1146,30 @@ function clearCache()
 		if ($cache->fetch('failed_logins', $tmp))
 			$cache->delete('failed_logins');

-		global $template_name;
-		if ($cache->fetch('template_ini' . $template_name, $tmp))
-			$cache->delete('template_ini' . $template_name);
+		foreach (get_templates() as $template) {
+			if ($cache->fetch('template_ini_' . $template, $tmp)) {
+				$cache->delete('template_ini_' . $template);
+			}
+		}
+
+		if ($cache->fetch('template_menus', $tmp)) {
+			$cache->delete('template_menus');
+		}
+		if ($cache->fetch('database_tables', $tmp)) {
+			$cache->delete('database_tables');
+		}
+		if ($cache->fetch('database_columns', $tmp)) {
+			$cache->delete('database_columns');
+		}
+		if ($cache->fetch('database_checksum', $tmp)) {
+			$cache->delete('database_checksum');
+		}
+		if ($cache->fetch('hooks', $tmp)) {
+			$cache->delete('hooks');
+		}
+		if ($cache->fetch('last_kills', $tmp)) {
+			$cache->delete('last_kills');
+		}
 	}

 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);
@@ -1247,6 +1268,36 @@ function escapeHtml($html) {
 	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
 }

+function displayErrorBoxWithBackButton($errors, $action = null) {
+	global $twig;
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+	$twig->display('account.back_button.html.twig', [
+		'action' => $action ?: getLink('')
+	]);
+}
+
+function getDatabasePages($withHidden = false): array
+{
+	global $db, $logged_access;
+
+	if (!isset($logged_access)) {
+		$logged_access = 1;
+	}
+
+	$pages = $db->query('SELECT `name` FROM ' . TABLE_PREFIX . 'pages WHERE ' . ($withHidden ? '' : '`hidden` != 1 AND ') . '`access` <= ' . $db->quote($logged_access));
+	$ret = [];
+
+	if ($pages->rowCount() < 1) {
+		return $ret;
+	}
+
+	foreach($pages->fetchAll() as $page) {
+		$ret[] = $page['name'];
+	}
+
+	return $ret;
+}
+
 // validator functions
 require_once LIBS . 'validator.php';
 require_once SYSTEM . 'compat/base.php';
--- a/system/libs/plugins.php
+++ b/system/libs/plugins.php
@@ -74,6 +74,10 @@ class Plugins {
 			if (isset($plugin['hooks'])) {
 				foreach ($plugin['hooks'] as $_name => $info) {
 					if (defined('HOOK_'. $info['type'])) {
+						if (strpos($info['type'], 'HOOK_') !== false) {
+							$info['type'] = str_replace('HOOK_', '', $info['type']);
+						}
+
 						$hook = constant('HOOK_'. $info['type']);
 						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
 					} else {
--- a/system/libs/pot/OTS_ServerInfo.php
+++ b/system/libs/pot/OTS_ServerInfo.php
@@ -123,7 +123,7 @@ class OTS_ServerInfo
        {
            // loads respond XML
            $info = new OTS_InfoRespond();
-            if(!$info->loadXML( utf8_encode($status->getBuffer())))
+            if(!$info->loadXML( $status->getBuffer()))
 				return false;

            return $info;
--- a/system/login.php
+++ b/system/login.php
@@ -94,6 +94,7 @@ else
 				&& (!isset($t) || $t['attempts'] < 5)
 				)
 			{
+				session_regenerate_id();
 				setSession('account', $account_logged->getId());
 				setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
 				if($remember_me) {
--- a/system/pages/bugtracker.php
+++ b/system/pages/bugtracker.php
@@ -181,9 +181,9 @@ $showed = $post = $reply = false;
                    $value = '<span style="color: red">[CLOSED]</span>';

                echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                echo '</TABLE>';

                $answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -274,7 +274,7 @@ $showed = $post = $reply = false;
                        $bgcolor = $light;
                    }

-                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';

                    $showed=true;
                }
--- a/system/pages/forum.php
+++ b/system/pages/forum.php
@@ -191,12 +191,13 @@ if(!$logged)
 }

 if(!ctype_alnum(str_replace(array('-', '_'), '', $action))) {
-	error('Error: Action contains illegal characters.');
+	$errors[] = 'Error: Action contains illegal characters.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
 else if(file_exists(PAGES . 'forum/' . $action . '.php')) {
 	require PAGES . 'forum/' . $action . '.php';
 }
 else {
-	error('This page does not exists.');
+	$errors[] = 'This page does not exists.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-?>
--- a/system/pages/forum/edit_post.php
+++ b/system/pages/forum/edit_post.php
@@ -14,7 +14,8 @@ if(Forum::canPost($account_logged))
 {
 	$post_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : false;
 	if(!$post_id) {
-		echo 'Please enter post id.';
+		$errors[] = 'Please enter post id.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}

@@ -35,24 +36,22 @@ if(Forum::canPost($account_logged))
 				$post_topic = stripslashes(trim($_REQUEST['topic']));
 				$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
 				$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
-				$lenght = 0;
-				for($i = 0; $i < strlen($post_topic); $i++)
-				{
-					if(ord($post_topic[$i]) >= 33 && ord($post_topic[$i]) <= 126)
-						$lenght++;
+
+				if (!superAdmin()) {
+					$html = 0;
 				}
-				if(($lenght < 1 || strlen($post_topic) > 60) && $thread['id'] == $thread['first_post'])
-					$errors[] = 'Too short or too long topic (short: '.$lenght.' long: '.strlen($post_topic).' letters). Minimum 1 letter, maximum 60 letters.';
-				$lenght = 0;
-				for($i = 0; $i < strlen($text); $i++)
-				{
-					if(ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-						$lenght++;
-				}
-				if($lenght < 1 || strlen($text) > 15000)
-					$errors[] = 'Too short or too long post (short: '.$lenght.' long: '.strlen($text).' letters). Minimum 1 letter, maximum 15000 letters.';
+
+				$length = strlen($post_topic);
+				if(($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
+					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";
+
+				$length = strlen($text);
+				if($length < 1 || $length > 15000)
+					$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";
+
 				if($char_id == 0)
 					$errors[] = 'Please select a character.';
+
 				if(empty($post_topic) && $thread['id'] == $thread['first_post'])
 					$errors[] = 'Thread topic can\'t be empty.';

@@ -104,11 +103,17 @@ if(Forum::canPost($account_logged))
 				));
 			}
 		}
-		else
-			echo '<br/>You are not an author of this post.';
+		else {
+			$errors[] = 'You are not an author of this post.';
+			displayErrorBoxWithBackButton($errors, getLink('forum'));
+		}
+	}
+	else {
+		$errors[] = "Post with ID $post_id doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 	}
-	else
-		echo "<br/>Post with ID " . $post_id . " doesn't exist.";
 }
-else
-	echo "<br/>Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+else {
+	$errors[] = "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
+}
--- a/system/pages/forum/move_thread.php
+++ b/system/pages/forum/move_thread.php
@@ -14,12 +14,13 @@ if(!Forum::isModerator()) {
 	echo 'You are not logged in or you are not moderator.';
 }

-$save = isset($_REQUEST['save']) ? (int)$_REQUEST['save'] == 1 : false;
+$save = isset($_REQUEST['save']) && (int)$_REQUEST['save'] == 1;
 if($save) {
 	$post_id = (int)$_REQUEST['id'];
 	$board = (int)$_REQUEST['section'];
 	if(!Forum::hasAccess($board)) {
-		echo "You don't have access to this board.";
+		$errors[] = "You don't have access to this board.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}

@@ -31,8 +32,10 @@ if($save) {
 			header('Location: ' . getForumBoardLink($nPost['section']));
 		}
 	}
-	else
-		echo 'Post with ID ' . $post_id . ' does not exist.';
+	else {
+		$errors[] = 'Post with ID ' . $post_id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
 }
 else {
 	$post_id = (int)$_REQUEST['id'];
@@ -58,7 +61,8 @@ else {
 			));
 		}
 	}
-	else
-		echo 'Post with ID ' . $post_id . ' does not exist.';
+	else {
+		$errors[] = 'Post with ID ' . $post_id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
 }
-?>
--- a/system/pages/forum/new_post.php
+++ b/system/pages/forum/new_post.php
@@ -15,21 +15,29 @@ if(Forum::canPost($account_logged))
 	$players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
 	$thread_id = isset($_REQUEST['thread_id']) ? (int) $_REQUEST['thread_id'] : 0;
 	if($thread_id == 0) {
-		echo "Thread with this id doesn't exist.";
+		$errors[] = "Thread with this id doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}

-	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id." LIMIT 1")->fetch();
-	echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
+	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id." LIMIT 1")->fetch();
+
 	if(isset($thread['id']) && Forum::hasAccess($thread['section']))
 	{
+		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
+
 		$quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL;
 		$text = isset($_REQUEST['text']) ? stripslashes(trim($_REQUEST['text'])) : NULL;
-		$char_id = (int) (isset($_REQUEST['char_id']) ? $_REQUEST['char_id'] : 0);
+		$char_id = (int) ($_REQUEST['char_id'] ?? 0);
 		$post_topic = isset($_REQUEST['topic']) ? stripslashes(trim($_REQUEST['topic'])) : '';
 		$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 		$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
 		$saved = false;
+
+		if (!superAdmin()) {
+			$html = 0;
+		}
+		
 		if(isset($_REQUEST['quote']))
 		{
 			$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();
@@ -38,14 +46,10 @@ if(Forum::canPost($account_logged))
 		}
 		elseif(isset($_REQUEST['save']))
 		{
-			$lenght = 0;
-			for($i = 0; $i < strlen($text); $i++)
-			{
-				if(ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-					$lenght++;
-			}
-			if($lenght < 1 || strlen($text) > 15000)
-				$errors[] = 'Too short or too long post (short: '.$lenght.' long: '.strlen($text).' letters). Minimum 1 letter, maximum 15000 letters.';
+			$length = strlen($text);
+			if($length < 1 || strlen($text) > 15000)
+				$errors[] = 'Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.';
+
 			if($char_id == 0)
 				$errors[] = 'Please select a character.';

@@ -73,8 +77,8 @@ if(Forum::canPost($account_logged))
 			if(count($errors) == 0)
 			{
 				$saved = true;
-				Forum::add_post($thread['id'], $thread['section'], $account_logged->getId(), (int) $char_id, $text, $post_topic, $smile, $html, time(), $_SERVER['REMOTE_ADDR']);
-				$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `replies`=`replies`+1, `last_post`=".time()." WHERE `id` = ".(int) $thread_id);
+				Forum::add_post($thread['id'], $thread['section'], $account_logged->getId(), (int) $char_id, $text, $post_topic, $smile, $html);
+				$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `replies`=`replies`+1, `last_post`=".time()." WHERE `id` = ".$thread_id);
 				$post_page = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS posts_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`post_date` <= ".time()." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread['id'])->fetch();
 				$_page = (int) ceil($post_page['posts_count'] / $config['forum_threads_per_page']) - 1;
 				header('Location: ' . getForumThreadLink($thread_id, $_page));
@@ -110,10 +114,14 @@ if(Forum::canPost($account_logged))
 			));
 		}
 	}
-	else
-		echo "Thread with ID " . $thread_id . " doesn't exist.";
+	else {
+		$errors[] = "Thread with ID " . $thread_id . " doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
+}
+else {
+	$errors[] = "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-else
-	echo "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";

 $twig->display('forum.fullscreen.html.twig');
--- a/system/pages/forum/new_thread.php
+++ b/system/pages/forum/new_thread.php
@@ -13,7 +13,7 @@ defined('MYAAC') or die('Direct access not allowed!');
 if(Forum::canPost($account_logged))
 {
 	$players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll();
-	$section_id = isset($_REQUEST['section_id']) ? $_REQUEST['section_id'] : null;
+	$section_id = $_REQUEST['section_id'] ?? null;
 	if($section_id !== null) {
 		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($section_id) . '">' . $sections[$section_id]['name'] . '</a> >> <b>Post new thread</b><br />';
 		if(isset($sections[$section_id]['name']) && Forum::hasAccess($section_id)) {
@@ -26,24 +26,20 @@ if(Forum::canPost($account_logged))
 			$post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
 			$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 			$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
+
+			if (!superAdmin()) {
+				$html = 0;
+			}
+
 			$saved = false;
 			if (isset($_REQUEST['save'])) {
-				$errors = array();
+				$length = strlen($post_topic);
+				if ($length < 1 || $length > 60)
+					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";

-				$lenght = 0;
-				for ($i = 0; $i < strlen($post_topic); $i++) {
-					if (ord($post_topic[$i]) >= 33 && ord($post_topic[$i]) <= 126)
-						$lenght++;
-				}
-				if ($lenght < 1 || strlen($post_topic) > 60)
-					$errors[] = 'Too short or too long topic (short: ' . $lenght . ' long: ' . strlen($post_topic) . ' letters). Minimum 1 letter, maximum 60 letters.';
-				$lenght = 0;
-				for ($i = 0; $i < strlen($text); $i++) {
-					if (ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-						$lenght++;
-				}
-				if ($lenght < 1 || strlen($text) > 15000)
-					$errors[] = 'Too short or too long post (short: ' . $lenght . ' long: ' . strlen($text) . ' letters). Minimum 1 letter, maximum 15000 letters.';
+				$length = strlen($text);
+				if ($length < 1 || $length > 15000)
+					$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";

 				if ($char_id == 0)
 					$errors[] = 'Please select a character.';
@@ -93,11 +89,17 @@ if(Forum::canPost($account_logged))
 				));
 			}
 		}
-		else
-			echo 'Board with ID ' . $board_id . ' doesn\'t exist.';
+		else {
+			$errors[] = "Board with ID $section_id doesn't exist.";
+			displayErrorBoxWithBackButton($errors, getLink('forum'));
+		}
+	}
+	else {
+		$errors[] = 'Please enter section_id.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 	}
-	else
-		echo 'Please enter section_id.';
 }
-else
-	echo 'Your account is banned, deleted or you don\'t have any player with level '.$config['forum_level_required'].' on your account. You can\'t post.';
+else {
+	$errors[] = 'Your account is banned, deleted or you don\'t have any player with level '.$config['forum_level_required'].' on your account. You can\'t post.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
+}
--- a/system/pages/forum/remove_post.php
+++ b/system/pages/forum/remove_post.php
@@ -29,8 +29,12 @@ if(Forum::isModerator())
 			header('Location: ' . getForumThreadLink($post['first_post'], (int) $_page));
 		}
 	}
-	else
-		echo 'Post with ID ' . $id . ' does not exist.';
+	else {
+		$errors[] = 'Post with ID ' . $id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
+}
+else {
+	$errors[] = 'You are not logged in or you are not moderator.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-else
-	echo 'You are not logged in or you are not moderator.';
--- a/system/pages/forum/show_board.php
+++ b/system/pages/forum/show_board.php
@@ -14,12 +14,14 @@ $links_to_pages = '';
 $section_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : null;

 if($section_id == null || !isset($sections[$section_id])) {
-	echo "Board with this id does't exist.";
+	$errors[] = "Board with this id does't exist.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

 if(!Forum::hasAccess($section_id)) {
-	echo "You don't have access to this board.";
+	$errors[] = "You don't have access to this board.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

@@ -90,5 +92,3 @@ if(isset($last_threads[0]))
 }
 else
 	echo '<h3>No threads in this board.</h3>';
-
-?>
--- a/system/pages/forum/show_thread.php
+++ b/system/pages/forum/show_thread.php
@@ -16,12 +16,14 @@ $_page = (int) (isset($_REQUEST['page']) ? $_REQUEST['page'] : 0);
 $thread_starter = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`first_post` AND `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` LIMIT 1")->fetch();

 if(empty($thread_starter['name'])) {
-	echo 'Thread with this ID does not exits.';
+	$errors[] = 'Thread with this ID does not exists.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

 if(!Forum::hasAccess($thread_starter['section'])) {
-	echo "You don't have access to view this thread.";
+	$errors[] = "You don't have access to view this thread.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

--- a/system/templates/forum.new_post.html.twig
+++ b/system/templates/forum.new_post.html.twig
@@ -54,7 +54,7 @@
 	</tr>
 	{% set i = 0 %}
 	{% for thread in threads %}
-	<tr bgcolor="{{ getStyle(i) }}"><td>{{ thread.name }}</td><td>{{ thread.post|raw }}</td></tr>
+	<tr bgcolor="{{ getStyle(i) }}"><td>{{ thread.name }}</td><td style="word-break: break-all">{{ thread.post|raw }}</td></tr>
 	{% set i = i + 1 %}
 	{% endfor %}
 </table>
--- a/system/templates/forum.show_thread.html.twig
+++ b/system/templates/forum.show_thread.html.twig
@@ -40,7 +40,7 @@ Page: {{ links_to_pages|raw }}<br/>
 				<br />Posts: {{ post.author_posts_count }}<br />
 			</span>
 		</td>
-		<td valign="top">{{ post.content|raw }} </td></tr>
+		<td valign="top" style="word-break: break-all">{{ post.content|raw }} </td></tr>
 		<tr bgcolor="{{ getStyle(i) }}">
 			<td>
 				<span style="font-size: 10px">{{ post.date|date('d.m.y H:i:s') }}
--- a/system/templates/guilds.view.html.twig
+++ b/system/templates/guilds.view.html.twig
@@ -49,8 +49,8 @@
                                                <tr>
                                                    <td>
                                                        <div id="GuildInformationContainer">
-                                                            {% if descriptions is not empty %}
-                                                                {{ description }}
+                                                            {% if description is not empty %}
+                                                                {{ description|raw }}
                                                                <br>
                                                                <br>
                                                            {% endif %}
--- a/system/twig.php
+++ b/system/twig.php
@@ -44,15 +44,16 @@ $function = new TwigFunction('getGuildLink', function ($s, $p) {
 });
 $twig->addFunction($function);

-$function = new TwigFunction('hook', function ($hook) {
+$function = new TwigFunction('hook', function ($context, $hook, array $params = []) {
 	global $hooks;

 	if(is_string($hook)) {
 		$hook = constant($hook);
 	}

-	$hooks->trigger($hook);
-});
+	$params['context'] = $context;
+	$hooks->trigger($hook, $params);
+}, ['needs_context' => true]);
 $twig->addFunction($function);

 $function = new TwigFunction('config', function ($key) {
--- a/templates/tibiacom/account.management.html.twig
+++ b/templates/tibiacom/account.management.html.twig
@@ -35,7 +35,7 @@
 			<td>
 				<img src="{{ template_path }}/images/content/headline-bracer-left.gif" />
 			</td>
-			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message }}<br/></td>
+			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message|raw }}<br/></td>
 			<td><img src="{{ template_path }}/images/content/headline-bracer-right.gif" /></td>
 		</tr>
 	</table>
--- a/templates/tibiacom/headline.php
+++ b/templates/tibiacom/headline.php
@@ -28,7 +28,7 @@ if(!@file_exists($page_file))

 	// set text
 	$font = getenv('GDFONTPATH') . DIRECTORY_SEPARATOR . 'martel.ttf';
-	imagettftext($image, 18, 0, 4, 20, imagecolorallocate($image, 240, 209, 164), $font, utf8_decode($_GET['t']));
+	imagettftext($image, 18, 0, 4, 20, imagecolorallocate($image, 240, 209, 164), $font, $_GET['t']);

 	// header mime type
 	header('Content-type: image/gif');
--- a/templates/tibiacom/index.php
+++ b/templates/tibiacom/index.php
@@ -21,7 +21,7 @@ if(isset($config['boxes']))
 		<?php
 			if(PAGE !== 'news') {
 				if(strpos(URI, 'subtopic=') !== false) {
-					$tmp = $_REQUEST['subtopic'];
+					$tmp = escapeHtml($_REQUEST['subtopic']);
 					if($tmp === 'accountmanagement') {
 						$tmp = 'accountmanage';
 					}
Author	SHA1	Message	Date
slawkens	11b11dd3ee	Release v0.8.14	2023-11-27 23:31:45 +01:00
slawkens	483155cf4c	Prevent session fixation	2023-11-27 23:16:51 +01:00
slawkens	55dbade8d5	Fix XSS in forum	2023-11-27 22:58:24 +01:00
slawkens	d1bc63d07a	Fix forum XSS	2023-11-27 22:58:00 +01:00
slawkens	83a91ec540	Fix XSS in bugtracker.php	2023-11-27 20:28:43 +01:00
slawkens	7b43c972dd	Fix missing query_string in nginx sample config Causes missing parameters in $_GET query	2023-11-25 16:34:57 +01:00
slawkens	3fdf1d3f44	require_once is better	2023-11-05 20:13:31 +01:00
slawkens	764db0c203	Fix display ban info on account page https://otland.net/threads/myacc-bans-display-problem.286825/	2023-11-02 22:06:07 +01:00
slawkens	538076bc45	My fault	2023-09-26 22:00:45 +02:00
slawkens	4327b66f91	Clear some additional cache keys	2023-09-26 20:45:50 +02:00
slawkens	3f27724569	Update common.php	2023-09-16 10:46:17 +02:00
slawkens	9c0c2bbece	Update CHANGELOG.md	2023-09-16 10:45:54 +02:00
slawkens	946144016b	Release v0.8.13	2023-09-16 10:35:10 +02:00
slawkens	5c3b01aca4	Fix XSS vulnerability	2023-09-16 10:31:33 +02:00
slawkens	50983a2b85	Fix error log when coins column does not exist	2023-09-14 16:29:31 +02:00
slawkens	765886f0c7	Add latest clients versions	2023-08-31 14:20:49 +02:00
slawkens	8ea78a5852	thanks @elsongabriel, seems str_contains is not available in php 7	2023-08-25 20:45:45 +02:00
slawkens	063cbab93e	Allow hooks to be prefixed with HOOK_	2023-08-23 12:00:03 +02:00
slawkens	f1670f4012	Patching from develop - twig context for hooks	2023-08-21 12:25:53 +02:00
slawkens	6fcf0f7117	Ignore gallery	2023-08-21 12:21:24 +02:00
slawkens	7a07763625	Update README.md	2023-08-11 22:21:54 +02:00
slawkens	8d2172a649	Added JetBrains logo + notice, thanks for support!	2023-08-11 22:17:17 +02:00
slawkens	b8f65207b6	Add version support table + fix badges	2023-08-11 22:11:29 +02:00
slawkens	ea675afe86	Start 0.8.13-dev	2023-08-07 22:53:02 +02:00
slawkens	cc1cebf359	Update CHANGELOG & release v0.8.12	2023-08-07 22:14:47 +02:00
slawkens	1e874c7027	Fixed not working links from database, introduced in 0.8.10	2023-08-07 21:45:56 +02:00
slawkens	a338fd967c	Removed deprecated functions: utf8_encode & decode	2023-08-05 19:58:52 +02:00
slawkens	8796ff7e72	Remove whitespaces	2023-08-05 19:58:20 +02:00
slawkens	a8172a518f	Add some functions to compatibility layer of gesioraac	2023-08-05 19:58:04 +02:00
slawkens	559c2c7bd2	Add .htaccess to .gitignore	2023-08-05 11:57:15 +02:00
slawkens	7a546e5a41	There is no more info. That never worked.	2023-07-29 07:26:03 +02:00
slawkens	5f7a9154b7	Thanks @anyeor for previous fix	2023-07-11 11:17:18 +02:00
slawkens	0d52978d9f	Fix: cannot create topic on this board (check wasn't working)	2023-07-11 11:15:58 +02:00
slawkens	df48363ea4	Shorten some forum code about length	2023-07-07 17:15:13 +02:00
slawkens	34725e0257	Forum: better error messages (Suggested by @anyeor)	2023-07-07 14:34:26 +02:00
slawkens	df321154f6	Fix guild description on guilds page	2023-07-02 13:47:32 +02:00
slawkens	f2a3ec1185	Fix guild description not shown	2023-06-30 19:53:16 +02:00
slawkens	ce4aed0f17	Add word-break on forum thread & reply When someone inserts long word, is will break into multiple lines	2023-06-30 19:32:47 +02:00
slawkens	d0c82f6fb0	Start 0.8.12-dev	2023-06-30 19:13:38 +02:00