Release v0.8.17

Update config.php
Fix XSS in creatures.php, thanks to @gesior
2025-09-14 12:33:35 +02:00 · 2024-05-18 21:39:50 +02:00 · 2024-05-15 22:20:31 +02:00 · 2024-05-15 22:15:36 +02:00 · 2024-05-15 22:07:46 +02:00 · 2024-04-15 21:55:02 +02:00
48 changed files with 473 additions and 197 deletions
--- a/.github/workflows/phplint.yml
+++ b/.github/workflows/phplint.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: overtrue/phplint@7.4
+      - uses: overtrue/phplint@3.4.0
        with:
          path: .
          options: --exclude="system/libs/polyfill-mbstring/bootstrap80.php"
--- a/.gitignore
+++ b/.gitignore
@@ -2,16 +2,21 @@ Thumbs.db
 .DS_Store
 .idea

+#
+/.htaccess
+
 # composer
 composer.lock
 vendor

 # npm
 node_modules
+tools/ext

 # cypress
 cypress.env.json
 cypress/e2e/2-advanced-examples
+cypress/screenshots

 # created by release.sh
 releases
@@ -32,6 +37,12 @@ images/guilds/*
 images/editor/*
 !images/editor/index.html

+# gallery images
+images/gallery/*
+!images/gallery/index.html
+!images/gallery/demon.jpg
+!images/gallery/demon_thumb.gif
+
 # cache
 system/cache/*
 !system/cache/index.html
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,73 @@
 # Changelog

+## [0.8.17 - 15.04.2024]
+
+### Added
+* TwigTypeCastingExtension (https://github.com/slawkens/myaac/commit/7181b988e9518320d57486670ca4e2d3b2fe1cfa)
+
+### Fixed
+* fix XSS in creatures.php (https://github.com/slawkens/myaac/commit/02eea950e4fd756e8d5c32e56181986d51f5ac70, @gesior)
+* don't allow redirect to external website (https://github.com/slawkens/myaac/commit/ef62b53cec5a479cc85aa15940ad9ebbcefde876)
+* change_info if account_country is disabled (https://github.com/slawkens/myaac/commit/62d3c198d567541a90900fe2d7ede070e7b1ff68)
+
+### Changed
+* use word-break: break-all in guilds description + character comment (https://github.com/slawkens/myaac/commit/191ad25eb2d4c1cec6f6668da7a345fec0ad2a7f)
+* set default status_ip to 127.0.0.1, most server are hosted locally anyway (https://github.com/slawkens/myaac/commit/2793c41655b47f7db295143a298ccda70f11462b)
+
+## [0.8.16 - 12.02.2024]
+
+### Fixed
+* broken installation
+* database and finish step warnings/errors (https://github.com/slawkens/myaac/pull/245, @danilopucci)
+* silently ignore if the hook does not exist
+
+## [0.8.15 - 09.12.2023]
+
+More security fixes, especially in bugtracker.
+
+## [0-8.14 - 27.11.2023]
+Security fixes.
+
+### Fixed
+* XSS vulnerability in bugtracker (https://github.com/slawkens/myaac/commit/83a91ec540072d319dd338abff45f8d5ebf48190)
+* XSS vulnerability in forum (https://github.com/slawkens/myaac/commit/d1bc63d07ad88a143358cacd2c417891eea74dcc + https://github.com/slawkens/myaac/commit/55dbade8d5280c5baed45e5f7ebc3613b8e9b9e8)
+* Session Fixation (https://github.com/slawkens/myaac/commit/483155cf4c1e3068aaee0d44541dfa61f6223379)
+* displaying ban info on account page (https://github.com/slawkens/myaac/commit/764db0c203d1826ffce3a5a78f83a97e56bd0685)
+
+### Changed
+* Clear some additional cache keys - like database cache (https://github.com/slawkens/myaac/commit/4327b66f915d06dce504211692173606b9ef3b4e)
+
+## [0.8.13 - 16.09.2023]
+
+### Added
+* latest client versions to config (https://github.com/slawkens/myaac/commit/765886f0c782807400c429577cde5e45bd7c308f)
+* patching from develop - twig context for hooks (https://github.com/slawkens/myaac/commit/f1670f4012cc7595433fe0b1937c1f9b15a60b07)
+
+### Fixed
+* fixed XSS vulnerability in some pages (https://github.com/slawkens/myaac/commit/5c3b01aca4f3cfe8abc86b8ce48194b2da87b808)
+
+Nothing more or less!
+
+## [0.8.12 - 07.08.2023]
+I've moved the repository back to my personal account. (Just so you know!)
+
+I will also try to add git commits pointed to each change, lets see if you like it or not - you can comment in discussion, that will be created just after releasing this version :)
+
+### Added
+* forum: better error messages (Suggested by @anyeor) (https://github.com/slawkens/myaac/commit/34725e0257684fe5fa43875cc3a8f587ba04642e)
+* more support for GesiorAAC classes, so some of them will work with MyAAC (https://github.com/slawkens/myaac/commit/a8172a518ff8939c4402349b16c064fcaf855d31)
+* word-break on forum thread & reply (Suggested by @anyeor) (https://github.com/slawkens/myaac/commit/ce4aed0f1719d2aadc749e5238e883e3c10e2686)
+
+### Fixed
+* not working pages/links from database, introduced in 0.8.10 (Thanks to OtLand user - https://otland.net/members/0lo.99657/ for report) (https://github.com/slawkens/myaac/commit/1e874c7027769bd09e772a1cdac75d7e37991256)
+* it was possible to create topic in board that was closed, ommiting the error check (Thanks to @anyeor for report) (https://github.com/slawkens/myaac/commit/0d52978d9fb99869500d35e7676f454ca5eaba14)
+* PHP 8.2 compatibility - removed deprecated functions utf8_encode & utf8_decode (https://github.com/slawkens/myaac/commit/a338fd967cdbcc89e86be4e6b66b2cad2ff23251)
+* guild description not being correctly shown (Reported by @anyeor)  (https://github.com/slawkens/myaac/commit/f2a3ec1185df64ad9084d4ff55790ae4a5b3e5fd, https://github.com/slawkens/myaac/commit/df321154f63d458a4bc7d83bac5e3447b67317a4)
+
+### Removed
+* Some old code for verifying messages length (Reported by @anyeor) (https://github.com/slawkens/myaac/commit/df48363ea4ced4350fd90ffddf57d464ba5afa8b)
+* some info about config failed to load, was never working (https://github.com/slawkens/myaac/commit/7a546e5a41036b0e9e926d337c6f2e3c41c591d2)
+
 ## [0.8.11 - 30.06.2023]

 ### Added
--- a/README.md
+++ b/README.md
@@ -1,24 +1,29 @@
 # [MyAAC](https://my-aac.org)

-[![Build Status Master](https://img.shields.io/travis/slawkens/myaac/master)](https://travis-ci.org/github/slawkens/myaac)
-[![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
-[![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
-[![PHP Versions](https://img.shields.io/travis/php-v/slawkens/myaac/master)](https://github.com/slawkens/myaac/blob/d8b3b4135827ee17e3c6d41f08a925e718c587ed/.travis.yml#L3)
-[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
-[![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
-
 MyAAC is a free and open-source Automatic Account Creator (AAC) written in PHP. It is a fork of the [Gesior](https://github.com/gesior/Gesior2012) project. It supports only MySQL databases.

 Official website: https://my-aac.org

+[![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/slawkens/myaac/cypress.yml)](https://github.com/slawkens/myaac/actions)
+[![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
+[![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
+[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
+[![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
+
+| Version | Status                 | Branch  | Requirements   |
+|:--------|:-----------------------|:--------|:---------------|
+| **1.x** | **Active development** | develop | **PHP >= 8.1** |
+| 0.9.x   | Not developed anymore  | 0.9     | PHP >= 7.2.5   |
+| 0.8.x   | Active support         | master  | PHP >= 7.2.5   |
+| 0.7.x   | End Of Life            | 0.7     | PHP >= 5.3.3   |
+
 ### Requirements

-	- PHP 7.2.5 or later
 	- MySQL database
-	- PDO PHP Extension
-	- XML PHP Extension
-	- ZIP PHP Extension
-	- (optional) mod_rewrite to use friendly_urls
+	- PHP Extensions: pdo, xml, json
+	- (optional) apache2 mod_rewrite (to use friendly_urls)
+	- (optional) zip PHP Extension (to install plugins)
+	- (optional) gd PHP Extension (for generating signature images)

 ### Installation

@@ -42,7 +47,8 @@ Official website: https://my-aac.org

 ### Configuration

-Check *config.php* to get more informations.
+Check *config.php* to get more informations. (Notice: MyAAC 1.0+ doesn't use config.php anymore, it has been moved to Admin Panel - Settings page).
+
 Use *config.local.php* for your local configuration changes.

 ### Branches
@@ -73,6 +79,12 @@ Look: [Contributing](https://github.com/otsoft/myaac/wiki/Contributing) in our w

 If you have a great idea or want contribute to the project - visit our website at https://www.my-aac.org

+## Project supported by JetBrains
+
+Many thanks to Jetbrains for kindly providing a license for me to work on this and other open-source projects.
+
+[![JetBrains](https://resources.jetbrains.com/storage/products/company/brand/logos/jb_beam.svg)](https://www.jetbrains.com/?from=https://github.com/slawkens)
+
 ### License

 This program and all associated files are released under the GNU Public License.  
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.y   | :white_check_mark: |
+| 0.9.x   | :x:                |
+| 0.8.x   | :white_check_mark: |
+| < 0.7   | :x:                |
+
+## Reporting a Vulnerability
+
+If you found a security vulnerability, please write an email to security@my-aac.org
+
+All reports will be taken very seriously, and a fix will be posted as soon as possible.
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -426,7 +426,7 @@ else if ($id > 0 && isset($account) && $account->isLoaded()) {
 		<div class="box-body">
 			<form action="<?php echo $base; ?>" method="post">
 				<div class="input-group input-group-sm">
-					<input type="text" class="form-control" name="search_name" value="<?php echo $search_account; ?>"
+					<input type="text" class="form-control" name="search_name" value="<?php echo escapeHtml($search_account); ?>"
 						   maxlength="32" size="32">
 					<span class="input-group-btn">
                          <button type="submit" type="button" class="btn btn-info btn-flat">Search</button>
--- a/admin/pages/items.php
+++ b/admin/pages/items.php
@@ -10,8 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Load items.xml';

-require LIBS . 'items.php';
-require LIBS . 'weapons.php';
+require_once LIBS . 'items.php';
+require_once LIBS . 'weapons.php';

 $twig->display('admin.items.html.twig');

--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -784,7 +784,7 @@ else if ($id > 0 && isset($player) && $player->isLoaded())
 			<div class="box-body">
 				<form action="<?php echo $base; ?>" method="post">
 					<div class="input-group input-group-sm">
-						<input type="text" class="form-control" name="search_name" value="<?php echo $search_name; ?>"
+						<input type="text" class="form-control" name="search_name" value="<?php echo escapeHtml($search_name); ?>"
 							   maxlength="32" size="32">
 						<span class="input-group-btn">
                          <button type="submit" type="button" class="btn btn-info btn-flat">Search</button>
--- a/common.php
+++ b/common.php
@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');

 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.11');
+define('MYAAC_VERSION', '0.8.17');
 define('DATABASE_VERSION', 33);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));
@@ -100,6 +100,10 @@ for($i = 1; $i < $size; $i++)
 $basedir = str_replace(array('/admin', '/install', '/tools'), '', $basedir);
 define('BASE_DIR', $basedir);

+if (file_exists(BASE . 'config.local.php') && !defined('MYAAC_INSTALL')) {
+	require BASE . 'config.local.php';
+}
+
 if(!IS_CLI) {
 	if (isset($_SERVER['HTTP_HOST'][0])) {
 		$baseHost = $_SERVER['HTTP_HOST'];
@@ -116,7 +120,8 @@ if(!IS_CLI) {
 	define('ADMIN_URL', SERVER_URL . BASE_DIR . '/admin/');

 	//define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
-
+	if(@$config['env'] === 'dev') {
 		require SYSTEM . 'exception.php';
+	}
 }
 require SYSTEM . 'autoload.php';
--- a/config.php
+++ b/config.php
@@ -268,9 +268,9 @@ $config = array(

 	// status, took automatically from config file if empty
 	'status_enabled' => true, // you can disable status checking by settings this to "false"
-	'status_ip' => '',
+	'status_ip' => '127.0.0.1',
 	'status_port' => '',
-	'status_timeout' => 2, // how long to wait for the initial response from the server (default: 2 seconds)
+	'status_timeout' => 1.0, // how long to wait for the initial response from the server (default: 1 second)

 	// how often to connect to server and update status (default: every minute)
 	// if your status timeout in config.lua is bigger, that it will be used instead
--- a/images/gallery/index.html
+++ b/images/gallery/index.html
--- a/index.php
+++ b/index.php
@@ -167,7 +167,7 @@ else {
 }

 // handle ?fbclid=x, etc. (show news page)
-if (!$found && count($_GET) > 0 && !isset($_REQUEST['subtopic']) && !isset($_REQUEST['p'])) {
+if (!$found && count($_GET) > 0 && !isset($_REQUEST['subtopic']) && !isset($_REQUEST['p']) && !in_array($_SERVER['QUERY_STRING'], getDatabasePages())) {
 	$_REQUEST['p'] = $_REQUEST['subtopic'] = 'news';
 	$found = true;
 }
--- a/install/tools/5-database.php
+++ b/install/tools/5-database.php
@@ -11,8 +11,10 @@ $error = false;
 require BASE . 'install/includes/config.php';

 ini_set('max_execution_time', 300);
+
+@ob_end_flush();
 ob_implicit_flush();
-ob_end_flush();
+
 header('X-Accel-Buffering: no');

 if(!$error) {
--- a/install/tools/7-finish.php
+++ b/install/tools/7-finish.php
@@ -8,8 +8,10 @@ require BASE . 'install/includes/functions.php';
 require BASE . 'install/includes/locale.php';

 ini_set('max_execution_time', 300);
+
+@ob_end_flush();
 ob_implicit_flush();
-ob_end_flush();
+
 header('X-Accel-Buffering: no');

 if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {
--- a/nginx-sample.conf
+++ b/nginx-sample.conf
@@ -13,9 +13,16 @@ server {
 		return 404;
 	}

-	# block .htaccess
-	location ~ /\.ht {
+	location /vendor {
 		deny all;
+		return 404;
+	}
+
+	# block .htaccess, CHANGELOG.md, composer.json etc.
+	# this is to prevent finding software versions
+	location ~\.(ht|md|json|dist)$ {
+		deny all;
+		return 404;
 	}

 	# block git files and folders
@@ -25,7 +32,7 @@ server {
 	}

 	location / {
-		try_files $uri $uri/ /index.php;
+		try_files $uri $uri/ /index.php?$query_string;;
 	}

 	location ~ \.php$ {
--- a/plugins/email-confirmed-reward/reward.php
+++ b/plugins/email-confirmed-reward/reward.php
@@ -4,12 +4,12 @@ defined('MYAAC') or die('Direct access not allowed!');
 $reward = config('account_mail_confirmed_reward');

 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
-if ($reward['coins'] > 0 && $hasCoinsColumn) {
+if ($reward['coins'] > 0 && !$hasCoinsColumn) {
 	log_append('email_confirm_error.log', 'accounts.coins column does not exist.');
 }

 if (!isset($account) || !$account->isLoaded()) {
-	log_append('email_confirm_error.log', 'Account not loaded.');
+	//log_append('email_confirm_error.log', 'Account not loaded.');
 	return;
 }

--- a/system/clients.conf.php
+++ b/system/clients.conf.php
@@ -99,4 +99,10 @@ $config['clients'] = [
 	1291,

 	1300,
+	1310,
+	1311,
+	1312,
+	1316,
+	1320,
+	1321,
 ];
--- a/system/compat/classes.php
+++ b/system/compat/classes.php
@@ -9,7 +9,30 @@
 */
 defined('MYAAC') or die('Direct access not allowed!');

-class Player extends OTS_Player {}
-class Guild extends OTS_Guild {}
+class Account extends OTS_Account {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
+
+class Player extends OTS_Player {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
+class Guild extends OTS_Guild {
+	public function loadById($id) {
+		$this->load($id);
+	}
+	public function loadByName($name) {
+		$this->find($name);
+	}
+}
 class GuildRank extends OTS_GuildRank {}
 class House extends OTS_House {}
--- a/system/functions.php
+++ b/system/functions.php
@@ -923,8 +923,8 @@ function load_config_lua($filename)
 	$config_file = $filename;
 	if(!@file_exists($config_file))
 	{
-		log_append('error.log', '[load_config_file] Fatal error: Cannot load config.lua (' . $filename . '). Error: ' . print_r(error_get_last(), true));
-		throw new RuntimeException('ERROR: Cannot find ' . $filename . ' file. More info in system/logs/error.log');
+		log_append('error.log', '[load_config_file] Fatal error: Cannot load config.lua (' . $filename . ').');
+		throw new RuntimeException('ERROR: Cannot find ' . $filename . ' file.');
 	}

 	$result = array();
@@ -1146,9 +1146,30 @@ function clearCache()
 		if ($cache->fetch('failed_logins', $tmp))
 			$cache->delete('failed_logins');

-		global $template_name;
-		if ($cache->fetch('template_ini' . $template_name, $tmp))
-			$cache->delete('template_ini' . $template_name);
+		foreach (get_templates() as $template) {
+			if ($cache->fetch('template_ini_' . $template, $tmp)) {
+				$cache->delete('template_ini_' . $template);
+			}
+		}
+
+		if ($cache->fetch('template_menus', $tmp)) {
+			$cache->delete('template_menus');
+		}
+		if ($cache->fetch('database_tables', $tmp)) {
+			$cache->delete('database_tables');
+		}
+		if ($cache->fetch('database_columns', $tmp)) {
+			$cache->delete('database_columns');
+		}
+		if ($cache->fetch('database_checksum', $tmp)) {
+			$cache->delete('database_checksum');
+		}
+		if ($cache->fetch('hooks', $tmp)) {
+			$cache->delete('hooks');
+		}
+		if ($cache->fetch('last_kills', $tmp)) {
+			$cache->delete('last_kills');
+		}
 	}

 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);
@@ -1244,7 +1265,37 @@ function getCustomPage($page, &$success)
 }

 function escapeHtml($html) {
-	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+	return htmlspecialchars($html);
+}
+
+function displayErrorBoxWithBackButton($errors, $action = null) {
+	global $twig;
+	$twig->display('error_box.html.twig', ['errors' => $errors]);
+	$twig->display('account.back_button.html.twig', [
+		'action' => $action ?: getLink('')
+	]);
+}
+
+function getDatabasePages($withHidden = false): array
+{
+	global $db, $logged_access;
+
+	if (!isset($logged_access)) {
+		$logged_access = 1;
+	}
+
+	$pages = $db->query('SELECT `name` FROM ' . TABLE_PREFIX . 'pages WHERE ' . ($withHidden ? '' : '`hidden` != 1 AND ') . '`access` <= ' . $db->quote($logged_access));
+	$ret = [];
+
+	if ($pages->rowCount() < 1) {
+		return $ret;
+	}
+
+	foreach($pages->fetchAll() as $page) {
+		$ret[] = $page['name'];
+	}
+
+	return $ret;
 }

 // validator functions
--- a/system/libs/TwigTypeCastingExtension.php
+++ b/system/libs/TwigTypeCastingExtension.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MyAAC\Twig\Extension;
+
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFilter;
+
+final class TwigTypeCastingExtension extends AbstractExtension
+{
+	/** @return array<int, TwigFilter> */
+	public function getFilters(): array
+	{
+		return [
+			new TwigFilter('int', function ($value) {
+				return (int)$value;
+			}),
+			new TwigFilter('float', function ($value) {
+				return (float)$value;
+			}),
+			new TwigFilter('string', function ($value) {
+				return (string)$value;
+			}),
+			new TwigFilter('bool', function ($value) {
+				return (bool)$value;
+			}),
+			new TwigFilter('array', function (object $value) {
+				return (array)$value;
+			}),
+			new TwigFilter('object', function (array $value) {
+				return (object)$value;
+			}),
+		];
+	}
+}
--- a/system/libs/plugins.php
+++ b/system/libs/plugins.php
@@ -74,6 +74,10 @@ class Plugins {
 			if (isset($plugin['hooks'])) {
 				foreach ($plugin['hooks'] as $_name => $info) {
 					if (defined('HOOK_'. $info['type'])) {
+						if (strpos($info['type'], 'HOOK_') !== false) {
+							$info['type'] = str_replace('HOOK_', '', $info['type']);
+						}
+
 						$hook = constant('HOOK_'. $info['type']);
 						$hooks[] = ['name' => $_name, 'type' => $hook, 'file' => $info['file']];
 					} else {
--- a/system/libs/pot/OTS_ServerInfo.php
+++ b/system/libs/pot/OTS_ServerInfo.php
@@ -123,7 +123,7 @@ class OTS_ServerInfo
        {
            // loads respond XML
            $info = new OTS_InfoRespond();
-            if(!$info->loadXML( utf8_encode($status->getBuffer())))
+            if(!$info->loadXML( $status->getBuffer()))
 				return false;

            return $info;
--- a/system/login.php
+++ b/system/login.php
@@ -42,12 +42,6 @@ if(ACTION === 'logout' && !isset($_REQUEST['account_login'])) {

 			$logged = false;
 			unset($account_logged);
-
-			if(isset($_REQUEST['redirect']))
-			{
-				header('Location: ' . urldecode($_REQUEST['redirect']));
-				exit;
-			}
 		}
 	}
 }
@@ -94,6 +88,7 @@ else
 				&& (!isset($t) || $t['attempts'] < 5)
 				)
 			{
+				session_regenerate_id();
 				setSession('account', $account_logged->getId());
 				setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
 				if($remember_me) {
--- a/system/migrations/31.php
+++ b/system/migrations/31.php
@@ -1,18 +1,3 @@
 <?php

-if(!$db->hasColumn(TABLE_PREFIX . 'monsters', 'elements')) {
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `elements` TEXT NOT NULL AFTER `immunities`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `pushable` TINYINT(1) NOT NULL DEFAULT '0' AFTER `convinceable`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canpushitems` TINYINT(1) NOT NULL DEFAULT '0' AFTER `pushable`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canpushcreatures` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canpushitems`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canwalkonenergy` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canpushitems`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canwalkonpoison` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonenergy`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canwalkonfire` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonpoison`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `runonhealth` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonfire`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `hostile` TINYINT(1) NOT NULL DEFAULT '0' AFTER `runonhealth`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `attackable` TINYINT(1) NOT NULL DEFAULT '0' AFTER `hostile`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `rewardboss` TINYINT(1) NOT NULL DEFAULT '0' AFTER `attackable`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `defense` INT(11) NOT NULL DEFAULT '0' AFTER `rewardboss`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `armor` INT(11) NOT NULL DEFAULT '0' AFTER `defense`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `summons` TEXT NOT NULL AFTER `loot`;");
-}
+// removed, but kept for compatibility
--- a/system/pages/account/change_info.php
+++ b/system/pages/account/change_info.php
@@ -11,19 +11,28 @@
 defined('MYAAC') or die('Direct access not allowed!');

 $show_form = true;
-$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : NULL;
-$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : NULL;
-$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : NULL;
+$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : '';
+$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : '';
+$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : '';
 if(isset($_POST['changeinfosave']) && $_POST['changeinfosave'] == 1) {
-	if(!isset($config['countries'][$new_country]))
+	if(config('account_country') && !isset($config['countries'][$new_country])) {
 		$errors[] = 'Country is not correct.';
+	}

 	if(empty($errors)) {
 		//save data from form
 		$account_logged->setCustomField("rlname", $new_rlname);
 		$account_logged->setCustomField("location", $new_location);
 		$account_logged->setCustomField("country", $new_country);
-		$account_logged->logAction('Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b> and Country to <b>' . $config['countries'][$new_country] . '</b>.');
+
+		$log = 'Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b>';
+		if (config('account_country')) {
+			$log .= ' and Country to <b>' . $config['countries'][$new_country] . '</b>';
+		}
+		$log .= '.';
+		
+		$account_logged->logAction($log);
+
 		$twig->display('success.html.twig', array(
 			'title' => 'Public Information Changed',
 			'description' => 'Your public information has been changed.'
--- a/system/pages/accountmanagement.php
+++ b/system/pages/accountmanagement.php
@@ -52,9 +52,16 @@ $errors = array();
 	{
 		$redirect = urldecode($_REQUEST['redirect']);

+		// should never happen, unless hacker modify the URL
+		if (strpos($_REQUEST['redirect'], BASE_URL) === false) {
+			error('Fatal error: Cannot redirect outside the website.');
+			return;
+		}
+
 		$twig->display('account.redirect.html.twig', array(
 			'redirect' => $redirect
 		));
+
 		return;
 	}

--- a/system/pages/bugtracker.php
+++ b/system/pages/bugtracker.php
@@ -54,7 +54,7 @@ $showed = $post = $reply = false;
                    $value = '<span style="color: blue">[NEW ANSWER]</span>';

                echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                echo '<TR BGCOLOR="'.$light.'"><td><i><b>Posted by</b></i></td><td>';

                foreach($players as $player)
@@ -64,7 +64,7 @@ $showed = $post = $reply = false;

                echo '</td></tr>';
                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                echo '</TABLE>';

                $answers = $db->query('SELECT * FROM '.$db->tableName(TABLE_PREFIX . 'bugtracker').' where `account` = '.$_REQUEST['acc'].' and `id` = '.$_REQUEST['id'].' and `type` = 2 order by `reply`');
@@ -75,10 +75,10 @@ $showed = $post = $reply = false;
                    else
                        $who = '<span style="color: green">[PLAYER]</span>';

-                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
+                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
                    echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
                    echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
+                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
                    echo '</TABLE>';
                }
                if($bug[2]['status'] != 3)
@@ -137,7 +137,7 @@ $showed = $post = $reply = false;
                elseif($report['status'] == 1)
                    $value = '<span style="color: blue">[NEW ANSWER]</span>';

-                echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';

                $showed=true;
                $i++;
@@ -181,9 +181,9 @@ $showed = $post = $reply = false;
                    $value = '<span style="color: red">[CLOSED]</span>';

                echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                echo '</TABLE>';

                $answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -194,10 +194,10 @@ $showed = $post = $reply = false;
                    else
                        $who = '<span style="color: green">[YOU]</span>';

-                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
+                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
                    echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
                    echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
+                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
                    echo '</TABLE>';
                }
                if($bug[2]['status'] != 3)
@@ -274,7 +274,7 @@ $showed = $post = $reply = false;
                        $bgcolor = $light;
                    }

-                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';

                    $showed=true;
                }
--- a/system/pages/characters.php
+++ b/system/pages/characters.php
@@ -400,7 +400,7 @@ WHERE killers.death_id = '".$death['id']."' ORDER BY killers.final_hit DESC, kil
 			'rank' => isset($guild_name) ? $rank_of_player->getName() : null,
 			'link' => isset($guild_name) ? getGuildLink($guild_name) : null
 		),
-		'comment' => !empty($comment) ? wordwrap(nl2br($comment), 60, "<br/>", true) : null,
+		'comment' => !empty($comment) ? nl2br($comment) : null,
 		'skills' => isset($skills) ? $skills : null,
 		'quests_enabled' => $quests_enabled,
 		'quests' => isset($quests) ? $quests : null,
--- a/system/pages/creatures.php
+++ b/system/pages/creatures.php
@@ -157,7 +157,7 @@ if (empty($_REQUEST['creature'])) {
 		echo '</td></tr>';
 		echo '</TABLE>';
 	} else {
-		echo "Monster with name <b>" . $monster_name . "</b> doesn't exist.";
+		echo "Monster with name <b>" . htmlspecialchars($monster_name) . "</b> doesn't exist.";
 	}

 //back button
--- a/system/pages/forum.php
+++ b/system/pages/forum.php
@@ -191,12 +191,13 @@ if(!$logged)
 }

 if(!ctype_alnum(str_replace(array('-', '_'), '', $action))) {
-	error('Error: Action contains illegal characters.');
+	$errors[] = 'Error: Action contains illegal characters.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
 else if(file_exists(PAGES . 'forum/' . $action . '.php')) {
 	require PAGES . 'forum/' . $action . '.php';
 }
 else {
-	error('This page does not exists.');
+	$errors[] = 'This page does not exists.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-?>
--- a/system/pages/forum/edit_post.php
+++ b/system/pages/forum/edit_post.php
@@ -14,7 +14,8 @@ if(Forum::canPost($account_logged))
 {
 	$post_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : false;
 	if(!$post_id) {
-		echo 'Please enter post id.';
+		$errors[] = 'Please enter post id.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}

@@ -35,24 +36,22 @@ if(Forum::canPost($account_logged))
 				$post_topic = stripslashes(trim($_REQUEST['topic']));
 				$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
 				$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
-				$lenght = 0;
-				for($i = 0; $i < strlen($post_topic); $i++)
-				{
-					if(ord($post_topic[$i]) >= 33 && ord($post_topic[$i]) <= 126)
-						$lenght++;
+
+				if (!superAdmin()) {
+					$html = 0;
 				}
-				if(($lenght < 1 || strlen($post_topic) > 60) && $thread['id'] == $thread['first_post'])
-					$errors[] = 'Too short or too long topic (short: '.$lenght.' long: '.strlen($post_topic).' letters). Minimum 1 letter, maximum 60 letters.';
-				$lenght = 0;
-				for($i = 0; $i < strlen($text); $i++)
-				{
-					if(ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-						$lenght++;
-				}
-				if($lenght < 1 || strlen($text) > 15000)
-					$errors[] = 'Too short or too long post (short: '.$lenght.' long: '.strlen($text).' letters). Minimum 1 letter, maximum 15000 letters.';
+
+				$length = strlen($post_topic);
+				if(($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
+					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";
+
+				$length = strlen($text);
+				if($length < 1 || $length > 15000)
+					$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";
+
 				if($char_id == 0)
 					$errors[] = 'Please select a character.';
+
 				if(empty($post_topic) && $thread['id'] == $thread['first_post'])
 					$errors[] = 'Thread topic can\'t be empty.';

@@ -104,11 +103,17 @@ if(Forum::canPost($account_logged))
 				));
 			}
 		}
-		else
-			echo '<br/>You are not an author of this post.';
+		else {
+			$errors[] = 'You are not an author of this post.';
+			displayErrorBoxWithBackButton($errors, getLink('forum'));
+		}
+	}
+	else {
+		$errors[] = "Post with ID $post_id doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 	}
-	else
-		echo "<br/>Post with ID " . $post_id . " doesn't exist.";
 }
-else
-	echo "<br/>Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+else {
+	$errors[] = "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
+}
--- a/system/pages/forum/move_thread.php
+++ b/system/pages/forum/move_thread.php
@@ -14,12 +14,13 @@ if(!Forum::isModerator()) {
 	echo 'You are not logged in or you are not moderator.';
 }

-$save = isset($_REQUEST['save']) ? (int)$_REQUEST['save'] == 1 : false;
+$save = isset($_REQUEST['save']) && (int)$_REQUEST['save'] == 1;
 if($save) {
 	$post_id = (int)$_REQUEST['id'];
 	$board = (int)$_REQUEST['section'];
 	if(!Forum::hasAccess($board)) {
-		echo "You don't have access to this board.";
+		$errors[] = "You don't have access to this board.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}

@@ -31,8 +32,10 @@ if($save) {
 			header('Location: ' . getForumBoardLink($nPost['section']));
 		}
 	}
-	else
-		echo 'Post with ID ' . $post_id . ' does not exist.';
+	else {
+		$errors[] = 'Post with ID ' . $post_id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
 }
 else {
 	$post_id = (int)$_REQUEST['id'];
@@ -58,7 +61,8 @@ else {
 			));
 		}
 	}
-	else
-		echo 'Post with ID ' . $post_id . ' does not exist.';
+	else {
+		$errors[] = 'Post with ID ' . $post_id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
 }
-?>
--- a/system/pages/forum/new_post.php
+++ b/system/pages/forum/new_post.php
@@ -15,21 +15,29 @@ if(Forum::canPost($account_logged))
 	$players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
 	$thread_id = isset($_REQUEST['thread_id']) ? (int) $_REQUEST['thread_id'] : 0;
 	if($thread_id == 0) {
-		echo "Thread with this id doesn't exist.";
+		$errors[] = "Thread with this id doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 		return;
 	}

-	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id." LIMIT 1")->fetch();
-	echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
+	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id." LIMIT 1")->fetch();
+
 	if(isset($thread['id']) && Forum::hasAccess($thread['section']))
 	{
+		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.$thread['post_topic'].'</a> >> <b>Post new reply</b><br /><h3>'.$thread['post_topic'].'</h3>';
+
 		$quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL;
 		$text = isset($_REQUEST['text']) ? stripslashes(trim($_REQUEST['text'])) : NULL;
-		$char_id = (int) (isset($_REQUEST['char_id']) ? $_REQUEST['char_id'] : 0);
+		$char_id = (int) ($_REQUEST['char_id'] ?? 0);
 		$post_topic = isset($_REQUEST['topic']) ? stripslashes(trim($_REQUEST['topic'])) : '';
 		$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 		$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
 		$saved = false;
+
+		if (!superAdmin()) {
+			$html = 0;
+		}
+		
 		if(isset($_REQUEST['quote']))
 		{
 			$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();
@@ -38,14 +46,10 @@ if(Forum::canPost($account_logged))
 		}
 		elseif(isset($_REQUEST['save']))
 		{
-			$lenght = 0;
-			for($i = 0; $i < strlen($text); $i++)
-			{
-				if(ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-					$lenght++;
-			}
-			if($lenght < 1 || strlen($text) > 15000)
-				$errors[] = 'Too short or too long post (short: '.$lenght.' long: '.strlen($text).' letters). Minimum 1 letter, maximum 15000 letters.';
+			$length = strlen($text);
+			if($length < 1 || strlen($text) > 15000)
+				$errors[] = 'Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.';
+
 			if($char_id == 0)
 				$errors[] = 'Please select a character.';

@@ -73,8 +77,8 @@ if(Forum::canPost($account_logged))
 			if(count($errors) == 0)
 			{
 				$saved = true;
-				Forum::add_post($thread['id'], $thread['section'], $account_logged->getId(), (int) $char_id, $text, $post_topic, $smile, $html, time(), $_SERVER['REMOTE_ADDR']);
-				$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `replies`=`replies`+1, `last_post`=".time()." WHERE `id` = ".(int) $thread_id);
+				Forum::add_post($thread['id'], $thread['section'], $account_logged->getId(), (int) $char_id, $text, $post_topic, $smile, $html);
+				$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `replies`=`replies`+1, `last_post`=".time()." WHERE `id` = ".$thread_id);
 				$post_page = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS posts_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`post_date` <= ".time()." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread['id'])->fetch();
 				$_page = (int) ceil($post_page['posts_count'] / $config['forum_threads_per_page']) - 1;
 				header('Location: ' . getForumThreadLink($thread_id, $_page));
@@ -110,10 +114,14 @@ if(Forum::canPost($account_logged))
 			));
 		}
 	}
-	else
-		echo "Thread with ID " . $thread_id . " doesn't exist.";
+	else {
+		$errors[] = "Thread with ID " . $thread_id . " doesn't exist.";
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
+}
+else {
+	$errors[] = "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-else
-	echo "Your account is banned, deleted or you don't have any player with level " . $config['forum_level_required'] . " on your account. You can't post.";

 $twig->display('forum.fullscreen.html.twig');
--- a/system/pages/forum/new_thread.php
+++ b/system/pages/forum/new_thread.php
@@ -13,7 +13,7 @@ defined('MYAAC') or die('Direct access not allowed!');
 if(Forum::canPost($account_logged))
 {
 	$players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll();
-	$section_id = isset($_REQUEST['section_id']) ? $_REQUEST['section_id'] : null;
+	$section_id = $_REQUEST['section_id'] ?? null;
 	if($section_id !== null) {
 		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($section_id) . '">' . $sections[$section_id]['name'] . '</a> >> <b>Post new thread</b><br />';
 		if(isset($sections[$section_id]['name']) && Forum::hasAccess($section_id)) {
@@ -26,24 +26,20 @@ if(Forum::canPost($account_logged))
 			$post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
 			$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 			$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
+
+			if (!superAdmin()) {
+				$html = 0;
+			}
+
 			$saved = false;
 			if (isset($_REQUEST['save'])) {
-				$errors = array();
+				$length = strlen($post_topic);
+				if ($length < 1 || $length > 60)
+					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";

-				$lenght = 0;
-				for ($i = 0; $i < strlen($post_topic); $i++) {
-					if (ord($post_topic[$i]) >= 33 && ord($post_topic[$i]) <= 126)
-						$lenght++;
-				}
-				if ($lenght < 1 || strlen($post_topic) > 60)
-					$errors[] = 'Too short or too long topic (short: ' . $lenght . ' long: ' . strlen($post_topic) . ' letters). Minimum 1 letter, maximum 60 letters.';
-				$lenght = 0;
-				for ($i = 0; $i < strlen($text); $i++) {
-					if (ord($text[$i]) >= 33 && ord($text[$i]) <= 126)
-						$lenght++;
-				}
-				if ($lenght < 1 || strlen($text) > 15000)
-					$errors[] = 'Too short or too long post (short: ' . $lenght . ' long: ' . strlen($text) . ' letters). Minimum 1 letter, maximum 15000 letters.';
+				$length = strlen($text);
+				if ($length < 1 || $length > 15000)
+					$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";

 				if ($char_id == 0)
 					$errors[] = 'Please select a character.';
@@ -93,11 +89,17 @@ if(Forum::canPost($account_logged))
 				));
 			}
 		}
-		else
-			echo 'Board with ID ' . $board_id . ' doesn\'t exist.';
+		else {
+			$errors[] = "Board with ID $section_id doesn't exist.";
+			displayErrorBoxWithBackButton($errors, getLink('forum'));
+		}
+	}
+	else {
+		$errors[] = 'Please enter section_id.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
 	}
-	else
-		echo 'Please enter section_id.';
 }
-else
-	echo 'Your account is banned, deleted or you don\'t have any player with level '.$config['forum_level_required'].' on your account. You can\'t post.';
+else {
+	$errors[] = 'Your account is banned, deleted or you don\'t have any player with level '.$config['forum_level_required'].' on your account. You can\'t post.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
+}
--- a/system/pages/forum/remove_post.php
+++ b/system/pages/forum/remove_post.php
@@ -29,8 +29,12 @@ if(Forum::isModerator())
 			header('Location: ' . getForumThreadLink($post['first_post'], (int) $_page));
 		}
 	}
-	else
-		echo 'Post with ID ' . $id . ' does not exist.';
+	else {
+		$errors[] = 'Post with ID ' . $id . ' does not exist.';
+		displayErrorBoxWithBackButton($errors, getLink('forum'));
+	}
+}
+else {
+	$errors[] = 'You are not logged in or you are not moderator.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 }
-else
-	echo 'You are not logged in or you are not moderator.';
--- a/system/pages/forum/show_board.php
+++ b/system/pages/forum/show_board.php
@@ -14,12 +14,14 @@ $links_to_pages = '';
 $section_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : null;

 if($section_id == null || !isset($sections[$section_id])) {
-	echo "Board with this id does't exist.";
+	$errors[] = "Board with this id does't exist.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

 if(!Forum::hasAccess($section_id)) {
-	echo "You don't have access to this board.";
+	$errors[] = "You don't have access to this board.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

@@ -90,5 +92,3 @@ if(isset($last_threads[0]))
 }
 else
 	echo '<h3>No threads in this board.</h3>';
-
-?>
--- a/system/pages/forum/show_thread.php
+++ b/system/pages/forum/show_thread.php
@@ -16,12 +16,14 @@ $_page = (int) (isset($_REQUEST['page']) ? $_REQUEST['page'] : 0);
 $thread_starter = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`first_post` AND `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` LIMIT 1")->fetch();

 if(empty($thread_starter['name'])) {
-	echo 'Thread with this ID does not exits.';
+	$errors[] = 'Thread with this ID does not exists.';
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

 if(!Forum::hasAccess($thread_starter['section'])) {
-	echo "You don't have access to view this thread.";
+	$errors[] = "You don't have access to view this thread.";
+	displayErrorBoxWithBackButton($errors, getLink('forum'));
 	return;
 }

--- a/system/pages/guilds/list_of_guilds.php
+++ b/system/pages/guilds/list_of_guilds.php
@@ -25,7 +25,7 @@ if(count($guilds_list) > 0)
        $description = $guild->getCustomField('description');
        $description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
        if ($count < $config['guild_description_lines_limit'])
-            $description = wordwrap(nl2br($description), 60, "<br />", true);
+	        $description = nl2br($description);

        $guildName = $guild->getName();
        $guilds[] = array('name' => $guildName, 'logo' => $guild_logo, 'link' => getGuildLink($guildName, false), 'description' => $description);
--- a/system/pages/guilds/show.php
+++ b/system/pages/guilds/show.php
@@ -83,7 +83,7 @@ if(empty($guild_logo) || !file_exists('images/guilds/' . $guild_logo))
 $description = $guild->getCustomField('description');
 $description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
 if($count < $config['guild_description_lines_limit'])
-    $description = wordwrap(nl2br($description), 60, "<br />", true);
+	$description = nl2br($description);
 //$description = $description_with_lines;

 $guild_owner = $guild->getOwner();
--- a/system/templates/characters.html.twig
+++ b/system/templates/characters.html.twig
@@ -142,7 +142,7 @@
 			{% set rows = rows + 1 %}
 			<tr bgcolor="{{ getStyle(rows) }}">
 				<td valign="top">Comment:</td>
-				<td>{{ comment|raw }}</td>
+				<td style="word-break: break-all">{{ comment|raw }}</td>
 			</tr>
 			{% endif %}

--- a/system/templates/forum.new_post.html.twig
+++ b/system/templates/forum.new_post.html.twig
@@ -54,7 +54,7 @@
 	</tr>
 	{% set i = 0 %}
 	{% for thread in threads %}
-	<tr bgcolor="{{ getStyle(i) }}"><td>{{ thread.name }}</td><td>{{ thread.post|raw }}</td></tr>
+	<tr bgcolor="{{ getStyle(i) }}"><td>{{ thread.name }}</td><td style="word-break: break-all">{{ thread.post|raw }}</td></tr>
 	{% set i = i + 1 %}
 	{% endfor %}
 </table>
--- a/system/templates/forum.show_thread.html.twig
+++ b/system/templates/forum.show_thread.html.twig
@@ -40,7 +40,7 @@ Page: {{ links_to_pages|raw }}<br/>
 				<br />Posts: {{ post.author_posts_count }}<br />
 			</span>
 		</td>
-		<td valign="top">{{ post.content|raw }} </td></tr>
+		<td valign="top" style="word-break: break-all">{{ post.content|raw }} </td></tr>
 		<tr bgcolor="{{ getStyle(i) }}">
 			<td>
 				<span style="font-size: 10px">{{ post.date|date('d.m.y H:i:s') }}
--- a/system/templates/guilds.list.html.twig
+++ b/system/templates/guilds.list.html.twig
@@ -44,7 +44,7 @@
                                                                    <img src="images/guilds/{{ guild.logo }}" width="64" height="64">
                                                                </td>

-                                                                <td>
+                                                                <td style="word-break: break-all">
                                                                    <span{% if guild.description is not empty %} valign="top"{% endif %}>
                                                                        <b>{{ guild.name }}</b>{% if isAdmin %}<a href="?subtopic=guilds&action=delete_by_admin&guild={{ guild.name }}"> - Delete this guild (for ADMIN only!)</a>{% endif %}
                                                                    </span>
--- a/system/templates/guilds.view.html.twig
+++ b/system/templates/guilds.view.html.twig
@@ -47,10 +47,10 @@
                                            <table style="width:100%;">
                                                <tbody>
                                                <tr>
-                                                    <td>
+                                                    <td style="word-break: break-all">
                                                        <div id="GuildInformationContainer">
-                                                            {% if descriptions is not empty %}
-                                                                {{ description }}
+                                                            {% if description is not empty %}
+                                                                {{ description|raw }}
                                                                <br>
                                                                <br>
                                                            {% endif %}
--- a/system/twig.php
+++ b/system/twig.php
@@ -24,6 +24,9 @@ if($dev_mode) {
 }
 unset($dev_mode);

+require LIBS . 'TwigTypeCastingExtension.php';
+$twig->addExtension(new MyAAC\Twig\Extension\TwigTypeCastingExtension());
+
 $function = new TwigFunction('getStyle', function ($i) {
 	return getStyle($i);
 });
@@ -44,15 +47,23 @@ $function = new TwigFunction('getGuildLink', function ($s, $p) {
 });
 $twig->addFunction($function);

-$function = new TwigFunction('hook', function ($hook) {
+$function = new TwigFunction('hook', function ($context, $hook, array $params = []) {
 	global $hooks;

 	if(is_string($hook)) {
+		if (defined($hook)) {
 			$hook = constant($hook);
 		}
+		else {
+			// plugin/template has a hook that this version of myaac does not support
+			// just silently return
+			return;
+		}
+	}

-	$hooks->trigger($hook);
-});
+	$params['context'] = $context;
+	$hooks->trigger($hook, $params);
+}, ['needs_context' => true]);
 $twig->addFunction($function);

 $function = new TwigFunction('config', function ($key) {
--- a/templates/tibiacom/account.management.html.twig
+++ b/templates/tibiacom/account.management.html.twig
@@ -35,7 +35,7 @@
 			<td>
 				<img src="{{ template_path }}/images/content/headline-bracer-left.gif" />
 			</td>
-			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message }}<br/></td>
+			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message|raw }}<br/></td>
 			<td><img src="{{ template_path }}/images/content/headline-bracer-right.gif" /></td>
 		</tr>
 	</table>
--- a/templates/tibiacom/headline.php
+++ b/templates/tibiacom/headline.php
@@ -28,7 +28,7 @@ if(!@file_exists($page_file))

 	// set text
 	$font = getenv('GDFONTPATH') . DIRECTORY_SEPARATOR . 'martel.ttf';
-	imagettftext($image, 18, 0, 4, 20, imagecolorallocate($image, 240, 209, 164), $font, utf8_decode($_GET['t']));
+	imagettftext($image, 18, 0, 4, 20, imagecolorallocate($image, 240, 209, 164), $font, $_GET['t']);

 	// header mime type
 	header('Content-type: image/gif');
--- a/templates/tibiacom/index.php
+++ b/templates/tibiacom/index.php
@@ -21,7 +21,7 @@ if(isset($config['boxes']))
 		<?php
 			if(PAGE !== 'news') {
 				if(strpos(URI, 'subtopic=') !== false) {
-					$tmp = $_REQUEST['subtopic'];
+					$tmp = escapeHtml($_REQUEST['subtopic']);
 					if($tmp === 'accountmanagement') {
 						$tmp = 'accountmanage';
 					}
Author	SHA1	Message	Date
slawkens	016138ab55	Release v0.8.17	2024-05-18 21:39:50 +02:00
slawkens	77efb80a12	Update config.php	2024-05-15 22:20:31 +02:00
slawkens	02eea950e4	Fix XSS in creatures.php, thanks to @gesior Closes #254	2024-05-15 22:15:36 +02:00
slawkens	2793c41655	Set default status_ip, most server are hosted locally anyway	2024-05-15 22:07:46 +02:00
slawkens	62d3c198d5	Fix change_info if account_country is disabled	2024-04-15 21:55:02 +02:00
slawkens	ef62b53cec	Don't allow redirect to external website	2024-04-08 19:05:42 +02:00
slawkens	7181b988e9	Add TwigTypeCastingExtension Useful for casting variables in Twig	2024-04-08 07:35:48 +02:00
slawkens	8b0b123f42	deny vendor, composer.json, changelog.md etc. in nginx config sample	2024-04-06 19:51:57 +02:00
slawkens	f98332c698	Update .gitignore	2024-02-18 12:01:22 +01:00
slawkens	b1660bf27a	Update README.md [skip ci]	2024-02-17 09:06:54 +01:00
slawkens	191ad25eb2	Use word-break: break-all in guilds description + character comment	2024-02-16 20:39:40 +01:00
slawkens	7469be6efb	Fix date	2024-02-12 21:48:50 +01:00
slawkens	47a3bfd265	Release v0.8.16	2024-02-12 21:48:17 +01:00
slawkens	5ae0be2323	Revert "Fix installation" This reverts commit `9c318f9012`.	2024-02-12 21:43:55 +01:00
slawkens	42154d55a0	Fix broken installation I introduced in 0.8.15	2024-02-12 21:39:04 +01:00
slawkens	9dcc08ee6e	Seems that this is better solution to the #245 (output buffering) This works for both, when output_buffering is enabled, and disabled	2024-01-30 19:20:18 +01:00
slawkens	ba537b42bb	Remove 31.php migration -> was for develop branch	2024-01-30 18:23:20 +01:00
slawkens	9c318f9012	Fix installation	2024-01-28 11:11:51 +01:00
Danilo Pucci	a88103a956	- adding check before flush buffer (#245 )	2024-01-01 23:31:26 +01:00
slawkens	e26e6f3a1c	Silently ignore if the hook does not exist	2023-12-28 19:12:47 +01:00
Slawomir Boczek	08d67a07e0	Create SECURITY.md	2023-12-15 20:56:06 +01:00
slawkens	6e9a89cb2e	Update common.php	2023-12-14 16:34:44 +01:00
slawkens	e3aa3d4031	Release v 0.8.15	2023-12-09 00:14:16 +01:00
slawkens	156a68f8bd	Update phplint.yml	2023-12-09 00:11:01 +01:00
slawkens	6a28da5d33	Update phplint.yml	2023-12-09 00:04:20 +01:00
slawkens	ee32384dca	Seems there was more XSS in bugtracker	2023-12-08 23:45:13 +01:00
slawkens	19afd73e8a	This is better	2023-11-29 15:48:03 +01:00
slawkens	eead6a2975	Fix exception showing	2023-11-28 17:11:04 +01:00
slawkens	11b11dd3ee	Release v0.8.14	2023-11-27 23:31:45 +01:00
slawkens	483155cf4c	Prevent session fixation	2023-11-27 23:16:51 +01:00
slawkens	55dbade8d5	Fix XSS in forum	2023-11-27 22:58:24 +01:00
slawkens	d1bc63d07a	Fix forum XSS	2023-11-27 22:58:00 +01:00
slawkens	83a91ec540	Fix XSS in bugtracker.php	2023-11-27 20:28:43 +01:00
slawkens	7b43c972dd	Fix missing query_string in nginx sample config Causes missing parameters in $_GET query	2023-11-25 16:34:57 +01:00
slawkens	3fdf1d3f44	require_once is better	2023-11-05 20:13:31 +01:00
slawkens	764db0c203	Fix display ban info on account page https://otland.net/threads/myacc-bans-display-problem.286825/	2023-11-02 22:06:07 +01:00
slawkens	538076bc45	My fault	2023-09-26 22:00:45 +02:00
slawkens	4327b66f91	Clear some additional cache keys	2023-09-26 20:45:50 +02:00
slawkens	3f27724569	Update common.php	2023-09-16 10:46:17 +02:00
slawkens	9c0c2bbece	Update CHANGELOG.md	2023-09-16 10:45:54 +02:00
slawkens	946144016b	Release v0.8.13	2023-09-16 10:35:10 +02:00
slawkens	5c3b01aca4	Fix XSS vulnerability	2023-09-16 10:31:33 +02:00
slawkens	50983a2b85	Fix error log when coins column does not exist	2023-09-14 16:29:31 +02:00
slawkens	765886f0c7	Add latest clients versions	2023-08-31 14:20:49 +02:00
slawkens	8ea78a5852	thanks @elsongabriel, seems str_contains is not available in php 7	2023-08-25 20:45:45 +02:00
slawkens	063cbab93e	Allow hooks to be prefixed with HOOK_	2023-08-23 12:00:03 +02:00
slawkens	f1670f4012	Patching from develop - twig context for hooks	2023-08-21 12:25:53 +02:00
slawkens	6fcf0f7117	Ignore gallery	2023-08-21 12:21:24 +02:00
slawkens	7a07763625	Update README.md	2023-08-11 22:21:54 +02:00
slawkens	8d2172a649	Added JetBrains logo + notice, thanks for support!	2023-08-11 22:17:17 +02:00
slawkens	b8f65207b6	Add version support table + fix badges	2023-08-11 22:11:29 +02:00
slawkens	ea675afe86	Start 0.8.13-dev	2023-08-07 22:53:02 +02:00
slawkens	cc1cebf359	Update CHANGELOG & release v0.8.12	2023-08-07 22:14:47 +02:00
slawkens	1e874c7027	Fixed not working links from database, introduced in 0.8.10	2023-08-07 21:45:56 +02:00
slawkens	a338fd967c	Removed deprecated functions: utf8_encode & decode	2023-08-05 19:58:52 +02:00
slawkens	8796ff7e72	Remove whitespaces	2023-08-05 19:58:20 +02:00
slawkens	a8172a518f	Add some functions to compatibility layer of gesioraac	2023-08-05 19:58:04 +02:00
slawkens	559c2c7bd2	Add .htaccess to .gitignore	2023-08-05 11:57:15 +02:00
slawkens	7a546e5a41	There is no more info. That never worked.	2023-07-29 07:26:03 +02:00
slawkens	5f7a9154b7	Thanks @anyeor for previous fix	2023-07-11 11:17:18 +02:00
slawkens	0d52978d9f	Fix: cannot create topic on this board (check wasn't working)	2023-07-11 11:15:58 +02:00
slawkens	df48363ea4	Shorten some forum code about length	2023-07-07 17:15:13 +02:00
slawkens	34725e0257	Forum: better error messages (Suggested by @anyeor)	2023-07-07 14:34:26 +02:00
slawkens	df321154f6	Fix guild description on guilds page	2023-07-02 13:47:32 +02:00
slawkens	f2a3ec1185	Fix guild description not shown	2023-06-30 19:53:16 +02:00
slawkens	ce4aed0f17	Add word-break on forum thread & reply When someone inserts long word, is will break into multiple lines	2023-06-30 19:32:47 +02:00
slawkens	d0c82f6fb0	Start 0.8.12-dev	2023-06-30 19:13:38 +02:00