Release v0.8.17

Closes #254

.github/workflows/phplint.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: overtrue/phplint@7.4
+      - uses: overtrue/phplint@3.4.0
         with:
           path: .
           options: --exclude="system/libs/polyfill-mbstring/bootstrap80.php"

.gitignore

@@ -11,10 +11,12 @@ vendor
 
 # npm
 node_modules
+tools/ext
 
 # cypress
 cypress.env.json
 cypress/e2e/2-advanced-examples
+cypress/screenshots
 
 # created by release.sh
 releases

CHANGELOG.md

@@ -1,13 +1,50 @@
 # Changelog
 
+## [0.8.17 - 15.04.2024]
+
+### Added
+* TwigTypeCastingExtension (https://github.com/slawkens/myaac/commit/7181b988e9518320d57486670ca4e2d3b2fe1cfa)
+
+### Fixed
+* fix XSS in creatures.php (https://github.com/slawkens/myaac/commit/02eea950e4fd756e8d5c32e56181986d51f5ac70, @gesior)
+* don't allow redirect to external website (https://github.com/slawkens/myaac/commit/ef62b53cec5a479cc85aa15940ad9ebbcefde876)
+* change_info if account_country is disabled (https://github.com/slawkens/myaac/commit/62d3c198d567541a90900fe2d7ede070e7b1ff68)
+
+### Changed
+* use word-break: break-all in guilds description + character comment (https://github.com/slawkens/myaac/commit/191ad25eb2d4c1cec6f6668da7a345fec0ad2a7f)
+* set default status_ip to 127.0.0.1, most server are hosted locally anyway (https://github.com/slawkens/myaac/commit/2793c41655b47f7db295143a298ccda70f11462b)
+
+## [0.8.16 - 12.02.2024]
+
+### Fixed
+* broken installation
+* database and finish step warnings/errors (https://github.com/slawkens/myaac/pull/245, @danilopucci)
+* silently ignore if the hook does not exist
+
+## [0.8.15 - 09.12.2023]
+
+More security fixes, especially in bugtracker.
+
+## [0-8.14 - 27.11.2023]
+Security fixes.
+
+### Fixed
+* XSS vulnerability in bugtracker (https://github.com/slawkens/myaac/commit/83a91ec540072d319dd338abff45f8d5ebf48190)
+* XSS vulnerability in forum (https://github.com/slawkens/myaac/commit/d1bc63d07ad88a143358cacd2c417891eea74dcc + https://github.com/slawkens/myaac/commit/55dbade8d5280c5baed45e5f7ebc3613b8e9b9e8)
+* Session Fixation (https://github.com/slawkens/myaac/commit/483155cf4c1e3068aaee0d44541dfa61f6223379)
+* displaying ban info on account page (https://github.com/slawkens/myaac/commit/764db0c203d1826ffce3a5a78f83a97e56bd0685)
+
+### Changed
+* Clear some additional cache keys - like database cache (https://github.com/slawkens/myaac/commit/4327b66f915d06dce504211692173606b9ef3b4e)
+
 ## [0.8.13 - 16.09.2023]
 
 ### Added
-* latest client versions to config
-* patching from develop - twig context for hooks
+* latest client versions to config (https://github.com/slawkens/myaac/commit/765886f0c782807400c429577cde5e45bd7c308f)
+* patching from develop - twig context for hooks (https://github.com/slawkens/myaac/commit/f1670f4012cc7595433fe0b1937c1f9b15a60b07)
 
 ### Fixed
-* fixed XSS vulnerability in some pages
+* fixed XSS vulnerability in some pages (https://github.com/slawkens/myaac/commit/5c3b01aca4f3cfe8abc86b8ce48194b2da87b808)
 
 Nothing more or less!
 

README.md

@@ -10,21 +10,20 @@ Official website: https://my-aac.org
 [![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
 [![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
 
-| Version    | Status                                    | Branch  | Requirements   |
-|:-----------|:------------------------------------------|:--------|:---------------|
-| **0.10.x** | **Active development**                    | develop | **PHP >= 8.0** |
-| 0.9.x      | Active support                            | 0.9     | PHP >= 7.2.5   |
-| 0.8.x      | Active support                            | master  | PHP >= 7.2.5   |
-| 0.7.x      | End Of Life                               | 0.7     | PHP >= 5.3.3   |
+| Version | Status                 | Branch  | Requirements   |
+|:--------|:-----------------------|:--------|:---------------|
+| **1.x** | **Active development** | develop | **PHP >= 8.1** |
+| 0.9.x   | Not developed anymore  | 0.9     | PHP >= 7.2.5   |
+| 0.8.x   | Active support         | master  | PHP >= 7.2.5   |
+| 0.7.x   | End Of Life            | 0.7     | PHP >= 5.3.3   |
 
 ### Requirements
 
-	- PHP 7.2.5 or later
 	- MySQL database
-	- PDO PHP Extension
-	- XML PHP Extension
-	- ZIP PHP Extension
-	- (optional) mod_rewrite to use friendly_urls
+	- PHP Extensions: pdo, xml, json
+	- (optional) apache2 mod_rewrite (to use friendly_urls)
+	- (optional) zip PHP Extension (to install plugins)
+	- (optional) gd PHP Extension (for generating signature images)
 
 ### Installation
 
@@ -48,7 +47,8 @@ Official website: https://my-aac.org
 
 ### Configuration
 
-Check *config.php* to get more informations.
+Check *config.php* to get more informations. (Notice: MyAAC 1.0+ doesn't use config.php anymore, it has been moved to Admin Panel - Settings page).
+
 Use *config.local.php* for your local configuration changes.
 
 ### Branches

SECURITY.md

@@ -0,0 +1,16 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.y   | :white_check_mark: |
+| 0.9.x   | :x:                |
+| 0.8.x   | :white_check_mark: |
+| < 0.7   | :x:                |
+
+## Reporting a Vulnerability
+
+If you found a security vulnerability, please write an email to security@my-aac.org
+
+All reports will be taken very seriously, and a fix will be posted as soon as possible.

admin/pages/items.php

@@ -10,8 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Load items.xml';
 
-require LIBS . 'items.php';
-require LIBS . 'weapons.php';
+require_once LIBS . 'items.php';
+require_once LIBS . 'weapons.php';
 
 $twig->display('admin.items.html.twig');
 

common.php

@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');
 
 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.13');
+define('MYAAC_VERSION', '0.8.17');
 define('DATABASE_VERSION', 33);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));
@@ -100,6 +100,10 @@ for($i = 1; $i < $size; $i++)
 $basedir = str_replace(array('/admin', '/install', '/tools'), '', $basedir);
 define('BASE_DIR', $basedir);
 
+if (file_exists(BASE . 'config.local.php') && !defined('MYAAC_INSTALL')) {
+	require BASE . 'config.local.php';
+}
+
 if(!IS_CLI) {
 	if (isset($_SERVER['HTTP_HOST'][0])) {
 		$baseHost = $_SERVER['HTTP_HOST'];
@@ -116,7 +120,8 @@ if(!IS_CLI) {
 	define('ADMIN_URL', SERVER_URL . BASE_DIR . '/admin/');
 
 	//define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
-
-	require SYSTEM . 'exception.php';
+	if(@$config['env'] === 'dev') {
+		require SYSTEM . 'exception.php';
+	}
 }
 require SYSTEM . 'autoload.php';

config.php

@@ -268,9 +268,9 @@ $config = array(
 
 	// status, took automatically from config file if empty
 	'status_enabled' => true, // you can disable status checking by settings this to "false"
-	'status_ip' => '',
+	'status_ip' => '127.0.0.1',
 	'status_port' => '',
-	'status_timeout' => 2, // how long to wait for the initial response from the server (default: 2 seconds)
+	'status_timeout' => 1.0, // how long to wait for the initial response from the server (default: 1 second)
 
 	// how often to connect to server and update status (default: every minute)
 	// if your status timeout in config.lua is bigger, that it will be used instead
@@ -290,12 +290,12 @@ $config = array(
 	'footer_show_load_time' => true, // display load time of the page in the footer
 
 	'npc' => array(),
-	
+
 	// character name blocked
 	'character_name_blocked' => array(
 		'prefix' => array(),
 		'names' => array(),
 		'words' => array(),
 	),
-	
+
 );

install/tools/5-database.php

@@ -11,8 +11,10 @@ $error = false;
 require BASE . 'install/includes/config.php';
 
 ini_set('max_execution_time', 300);
+
+@ob_end_flush();
 ob_implicit_flush();
-ob_end_flush();
+
 header('X-Accel-Buffering: no');
 
 if(!$error) {

install/tools/7-finish.php

@@ -8,8 +8,10 @@ require BASE . 'install/includes/functions.php';
 require BASE . 'install/includes/locale.php';
 
 ini_set('max_execution_time', 300);
+
+@ob_end_flush();
 ob_implicit_flush();
-ob_end_flush();
+
 header('X-Accel-Buffering: no');
 
 if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['saved'])) {

nginx-sample.conf

@@ -13,9 +13,16 @@ server {
 		return 404;
 	}
 
-	# block .htaccess
-	location ~ /\.ht {
+	location /vendor {
 		deny all;
+		return 404;
+	}
+
+	# block .htaccess, CHANGELOG.md, composer.json etc.
+	# this is to prevent finding software versions
+	location ~\.(ht|md|json|dist)$ {
+		deny all;
+		return 404;
 	}
 
 	# block git files and folders
@@ -25,7 +32,7 @@ server {
 	}
 
 	location / {
-		try_files $uri $uri/ /index.php;
+		try_files $uri $uri/ /index.php?$query_string;;
 	}
 
 	location ~ \.php$ {

system/functions.php

@@ -1146,9 +1146,30 @@ function clearCache()
 		if ($cache->fetch('failed_logins', $tmp))
 			$cache->delete('failed_logins');
 
-		global $template_name;
-		if ($cache->fetch('template_ini' . $template_name, $tmp))
-			$cache->delete('template_ini' . $template_name);
+		foreach (get_templates() as $template) {
+			if ($cache->fetch('template_ini_' . $template, $tmp)) {
+				$cache->delete('template_ini_' . $template);
+			}
+		}
+
+		if ($cache->fetch('template_menus', $tmp)) {
+			$cache->delete('template_menus');
+		}
+		if ($cache->fetch('database_tables', $tmp)) {
+			$cache->delete('database_tables');
+		}
+		if ($cache->fetch('database_columns', $tmp)) {
+			$cache->delete('database_columns');
+		}
+		if ($cache->fetch('database_checksum', $tmp)) {
+			$cache->delete('database_checksum');
+		}
+		if ($cache->fetch('hooks', $tmp)) {
+			$cache->delete('hooks');
+		}
+		if ($cache->fetch('last_kills', $tmp)) {
+			$cache->delete('last_kills');
+		}
 	}
 
 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);
@@ -1244,7 +1265,7 @@ function getCustomPage($page, &$success)
 }
 
 function escapeHtml($html) {
-	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+	return htmlspecialchars($html);
 }
 
 function displayErrorBoxWithBackButton($errors, $action = null) {

system/libs/TwigTypeCastingExtension.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MyAAC\Twig\Extension;
+
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFilter;
+
+final class TwigTypeCastingExtension extends AbstractExtension
+{
+	/** @return array<int, TwigFilter> */
+	public function getFilters(): array
+	{
+		return [
+			new TwigFilter('int', function ($value) {
+				return (int)$value;
+			}),
+			new TwigFilter('float', function ($value) {
+				return (float)$value;
+			}),
+			new TwigFilter('string', function ($value) {
+				return (string)$value;
+			}),
+			new TwigFilter('bool', function ($value) {
+				return (bool)$value;
+			}),
+			new TwigFilter('array', function (object $value) {
+				return (array)$value;
+			}),
+			new TwigFilter('object', function (array $value) {
+				return (object)$value;
+			}),
+		];
+	}
+}

system/login.php

@@ -42,12 +42,6 @@ if(ACTION === 'logout' && !isset($_REQUEST['account_login'])) {
 
 			$logged = false;
 			unset($account_logged);
-
-			if(isset($_REQUEST['redirect']))
-			{
-				header('Location: ' . urldecode($_REQUEST['redirect']));
-				exit;
-			}
 		}
 	}
 }
@@ -94,6 +88,7 @@ else
 				&& (!isset($t) || $t['attempts'] < 5)
 				)
 			{
+				session_regenerate_id();
 				setSession('account', $account_logged->getId());
 				setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
 				if($remember_me) {

system/migrations/31.php

@@ -1,18 +1,3 @@
 <?php
 
-if(!$db->hasColumn(TABLE_PREFIX . 'monsters', 'elements')) {
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `elements` TEXT NOT NULL AFTER `immunities`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `pushable` TINYINT(1) NOT NULL DEFAULT '0' AFTER `convinceable`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canpushitems` TINYINT(1) NOT NULL DEFAULT '0' AFTER `pushable`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canpushcreatures` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canpushitems`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canwalkonenergy` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canpushitems`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canwalkonpoison` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonenergy`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `canwalkonfire` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonpoison`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `runonhealth` TINYINT(1) NOT NULL DEFAULT '0' AFTER `canwalkonfire`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `hostile` TINYINT(1) NOT NULL DEFAULT '0' AFTER `runonhealth`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `attackable` TINYINT(1) NOT NULL DEFAULT '0' AFTER `hostile`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `rewardboss` TINYINT(1) NOT NULL DEFAULT '0' AFTER `attackable`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `defense` INT(11) NOT NULL DEFAULT '0' AFTER `rewardboss`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `armor` INT(11) NOT NULL DEFAULT '0' AFTER `defense`;");
-	$db->exec("ALTER TABLE `" . TABLE_PREFIX . "monsters`  ADD `summons` TEXT NOT NULL AFTER `loot`;");
-}
+// removed, but kept for compatibility

system/pages/account/change_info.php

@@ -11,19 +11,28 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $show_form = true;
-$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : NULL;
-$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : NULL;
-$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : NULL;
+$new_rlname = isset($_POST['info_rlname']) ? htmlspecialchars(stripslashes($_POST['info_rlname'])) : '';
+$new_location = isset($_POST['info_location']) ? htmlspecialchars(stripslashes($_POST['info_location'])) : '';
+$new_country = isset($_POST['info_country']) ? htmlspecialchars(stripslashes($_POST['info_country'])) : '';
 if(isset($_POST['changeinfosave']) && $_POST['changeinfosave'] == 1) {
-	if(!isset($config['countries'][$new_country]))
+	if(config('account_country') && !isset($config['countries'][$new_country])) {
 		$errors[] = 'Country is not correct.';
+	}
 
 	if(empty($errors)) {
 		//save data from form
 		$account_logged->setCustomField("rlname", $new_rlname);
 		$account_logged->setCustomField("location", $new_location);
 		$account_logged->setCustomField("country", $new_country);
-		$account_logged->logAction('Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b> and Country to <b>' . $config['countries'][$new_country] . '</b>.');
+
+		$log = 'Changed Real Name to <b>' . $new_rlname . '</b>, Location to <b>' . $new_location . '</b>';
+		if (config('account_country')) {
+			$log .= ' and Country to <b>' . $config['countries'][$new_country] . '</b>';
+		}
+		$log .= '.';
+		
+		$account_logged->logAction($log);
+
 		$twig->display('success.html.twig', array(
 			'title' => 'Public Information Changed',
 			'description' => 'Your public information has been changed.'
@@ -59,4 +68,4 @@ if($show_form) {
 		'account_country' => isset($account_country) ? $account_country : ''
 	));
 }
-?>
+?>

system/pages/accountmanagement.php

@@ -52,9 +52,16 @@ $errors = array();
 	{
 		$redirect = urldecode($_REQUEST['redirect']);
 
+		// should never happen, unless hacker modify the URL
+		if (strpos($_REQUEST['redirect'], BASE_URL) === false) {
+			error('Fatal error: Cannot redirect outside the website.');
+			return;
+		}
+
 		$twig->display('account.redirect.html.twig', array(
 			'redirect' => $redirect
 		));
+
 		return;
 	}
 

system/pages/bugtracker.php

@@ -54,7 +54,7 @@ $showed = $post = $reply = false;
                     $value = '<span style="color: blue">[NEW ANSWER]</span>';
 
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td><i><b>Posted by</b></i></td><td>';
 
                 foreach($players as $player)
@@ -64,7 +64,7 @@ $showed = $post = $reply = false;
 
                 echo '</td></tr>';
                 echo '<TR BGCOLOR="'.$dark.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
 
                 $answers = $db->query('SELECT * FROM '.$db->tableName(TABLE_PREFIX . 'bugtracker').' where `account` = '.$_REQUEST['acc'].' and `id` = '.$_REQUEST['id'].' and `type` = 2 order by `reply`');
@@ -75,10 +75,10 @@ $showed = $post = $reply = false;
                     else
                         $who = '<span style="color: green">[PLAYER]</span>';
 
-                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
+                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
                     echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
                     echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
+                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
                     echo '</TABLE>';
                 }
                 if($bug[2]['status'] != 3)
@@ -137,7 +137,7 @@ $showed = $post = $reply = false;
                 elseif($report['status'] == 1)
                     $value = '<span style="color: blue">[NEW ANSWER]</span>';
 
-                echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
 
                 $showed=true;
                 $i++;
@@ -181,9 +181,9 @@ $showed = $post = $reply = false;
                     $value = '<span style="color: red">[CLOSED]</span>';
 
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
 
                 $answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -194,10 +194,10 @@ $showed = $post = $reply = false;
                     else
                         $who = '<span style="color: green">[YOU]</span>';
 
-                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
+                    echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
                     echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
                     echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
+                    echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
                     echo '</TABLE>';
                 }
                 if($bug[2]['status'] != 3)
@@ -274,7 +274,7 @@ $showed = $post = $reply = false;
                         $bgcolor = $light;
                     }
 
-                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
 
                     $showed=true;
                 }

system/pages/characters.php

@@ -400,7 +400,7 @@ WHERE killers.death_id = '".$death['id']."' ORDER BY killers.final_hit DESC, kil
 			'rank' => isset($guild_name) ? $rank_of_player->getName() : null,
 			'link' => isset($guild_name) ? getGuildLink($guild_name) : null
 		),
-		'comment' => !empty($comment) ? wordwrap(nl2br($comment), 60, "<br/>", true) : null,
+		'comment' => !empty($comment) ? nl2br($comment) : null,
 		'skills' => isset($skills) ? $skills : null,
 		'quests_enabled' => $quests_enabled,
 		'quests' => isset($quests) ? $quests : null,

system/pages/creatures.php

@@ -157,7 +157,7 @@ if (empty($_REQUEST['creature'])) {
 		echo '</td></tr>';
 		echo '</TABLE>';
 	} else {
-		echo "Monster with name <b>" . $monster_name . "</b> doesn't exist.";
+		echo "Monster with name <b>" . htmlspecialchars($monster_name) . "</b> doesn't exist.";
 	}
 
 //back button

system/pages/forum/edit_post.php

@@ -37,6 +37,10 @@ if(Forum::canPost($account_logged))
 				$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
 				$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
 
+				if (!superAdmin()) {
+					$html = 0;
+				}
+
 				$length = strlen($post_topic);
 				if(($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
 					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";

system/pages/forum/new_post.php

@@ -33,6 +33,11 @@ if(Forum::canPost($account_logged))
 		$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 		$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
 		$saved = false;
+
+		if (!superAdmin()) {
+			$html = 0;
+		}
+		
 		if(isset($_REQUEST['quote']))
 		{
 			$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();

system/pages/forum/new_thread.php

@@ -26,6 +26,11 @@ if(Forum::canPost($account_logged))
 			$post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
 			$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 			$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
+
+			if (!superAdmin()) {
+				$html = 0;
+			}
+
 			$saved = false;
 			if (isset($_REQUEST['save'])) {
 				$length = strlen($post_topic);

system/pages/guilds/list_of_guilds.php

@@ -25,7 +25,7 @@ if(count($guilds_list) > 0)
         $description = $guild->getCustomField('description');
         $description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
         if ($count < $config['guild_description_lines_limit'])
-            $description = wordwrap(nl2br($description), 60, "<br />", true);
+	        $description = nl2br($description);
 
         $guildName = $guild->getName();
         $guilds[] = array('name' => $guildName, 'logo' => $guild_logo, 'link' => getGuildLink($guildName, false), 'description' => $description);
@@ -36,4 +36,4 @@ $twig->display('guilds.list.html.twig', array(
     'guilds' => $guilds,
     'logged' => isset($logged) ? $logged : false,
     'isAdmin' => admin(),
-));
+));

system/pages/guilds/show.php

@@ -83,7 +83,7 @@ if(empty($guild_logo) || !file_exists('images/guilds/' . $guild_logo))
 $description = $guild->getCustomField('description');
 $description_with_lines = str_replace(array("\r\n", "\n", "\r"), '<br />', $description, $count);
 if($count < $config['guild_description_lines_limit'])
-    $description = wordwrap(nl2br($description), 60, "<br />", true);
+	$description = nl2br($description);
 //$description = $description_with_lines;
 
 $guild_owner = $guild->getOwner();
@@ -159,4 +159,4 @@ $twig->display('guilds.view.html.twig', array(
     'invited_list' => $invited_list,
     'show_accept_invite' => $show_accept_invite,
     'useGuildNick' => $useGuildNick
-));
+));

system/templates/characters.html.twig

@@ -142,7 +142,7 @@
 			{% set rows = rows + 1 %}
 			<tr bgcolor="{{ getStyle(rows) }}">
 				<td valign="top">Comment:</td>
-				<td>{{ comment|raw }}</td>
+				<td style="word-break: break-all">{{ comment|raw }}</td>
 			</tr>
 			{% endif %}
 

system/templates/guilds.list.html.twig

@@ -44,7 +44,7 @@
                                                                     <img src="images/guilds/{{ guild.logo }}" width="64" height="64">
                                                                 </td>
 
-                                                                <td>
+                                                                <td style="word-break: break-all">
                                                                     <span{% if guild.description is not empty %} valign="top"{% endif %}>
                                                                         <b>{{ guild.name }}</b>{% if isAdmin %}<a href="?subtopic=guilds&action=delete_by_admin&guild={{ guild.name }}"> - Delete this guild (for ADMIN only!)</a>{% endif %}
                                                                     </span>

system/templates/guilds.view.html.twig

@@ -47,7 +47,7 @@
                                             <table style="width:100%;">
                                                 <tbody>
                                                 <tr>
-                                                    <td>
+                                                    <td style="word-break: break-all">
                                                         <div id="GuildInformationContainer">
                                                             {% if description is not empty %}
                                                                 {{ description|raw }}

system/twig.php

@@ -24,6 +24,9 @@ if($dev_mode) {
 }
 unset($dev_mode);
 
+require LIBS . 'TwigTypeCastingExtension.php';
+$twig->addExtension(new MyAAC\Twig\Extension\TwigTypeCastingExtension());
+
 $function = new TwigFunction('getStyle', function ($i) {
 	return getStyle($i);
 });
@@ -48,7 +51,14 @@ $function = new TwigFunction('hook', function ($context, $hook, array $params =
 	global $hooks;
 
 	if(is_string($hook)) {
-		$hook = constant($hook);
+		if (defined($hook)) {
+			$hook = constant($hook);
+		}
+		else {
+			// plugin/template has a hook that this version of myaac does not support
+			// just silently return
+			return;
+		}
 	}
 
 	$params['context'] = $context;

templates/tibiacom/account.management.html.twig

@@ -35,7 +35,7 @@
 			<td>
 				<img src="{{ template_path }}/images/content/headline-bracer-left.gif" />
 			</td>
-			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message }}<br/></td>
+			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message|raw }}<br/></td>
 			<td><img src="{{ template_path }}/images/content/headline-bracer-right.gif" /></td>
 		</tr>
 	</table>