Release v1.8.9

* Better name validation, like in the original game website

* Don't automatically ucfirst and strtolower the cases of the word
    * This allows for names like: Lord of Ring, Man of the Earth etc.
* Don't allow special characters like: -, [], '
* Don't allow one letter words
* Require at least one vowel per word
* Add notice about admin logged in

* Add trim, for future

Currently its stripped anyway in the init.php, but AI don't know it :P

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Implement AI recommended changes

* Update tools/validate.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Trim $name

* Update Validator.php

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

.github/workflows/phpstan.yml

@@ -25,7 +25,7 @@ jobs:
           coverage: "none"
           extensions: "intl, zip"
           ini-values: "memory_limit=-1"
-          php-version: "${{ matrix.php-version }}"
+          php-version: "${{ matrix.php-versions }}"
 
       - name: Get composer cache directory
         id: composer-cache

CHANGELOG-1.x.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## [1.8.9 - 06.04.2026]
+### Added
+* Settings: Possibility to add custom HTML for the head and body tags like Google Analytics code etc. (https://github.com/slawkens/myaac/commit/108e83806df5686a06826931ed5e243c19cbe130)
+* Add command: give-admin (https://github.com/slawkens/myaac/commit/9fa9ec746c4b344387a21f21886c2251319806fc)
+  * Usage: php aac give:admin slawkens@gmail.com
+    Parameter: account email, name or id
+  * It's admin for the website, not the GM for the game! For that, go into the admin panel and change the group manually
+* Add page load time to an Admin Panel footer (https://github.com/slawkens/myaac/commit/4ae2fdd0dfcd56697612395c14aecc2dfd33b1c3)
+
+### Changed
+* Better character name validation, like in the original game website (#356)
+* Install: don't suggest deleting of install folder - it's not required (https://github.com/slawkens/myaac/commit/5fcde4708a39255cf68edc8c43f2ac6597e2601d)
+
+## [1.8.8 - 31.01.2026]
+### Added
+* Change Comment: Add missing hooks - patched from 0.8 (https://github.com/slawkens/myaac/commit/a60a23b84f61d41d1503073b52e01e3120f6d92a)
+
+### Changed
+* Account Manage: Change the last login to the correct login time – Instead of just "now" (https://github.com/slawkens/myaac/commit/5b841682cdc473b38ef1a5edfcfe1a020802e286)
+* Twig: Extract renderInline(content, context) as a method to $twig (https://github.com/slawkens/myaac/commit/5e4806f891f8c88c37d45b89bbede23afc2fa37b)
+* Mail: Remove HTML tags from the email function (https://github.com/slawkens/myaac/commit/6661c78dac69c6aa498b9c79fe7da4fe0150e5c8)
+
+### Fixed
+* Forum: Fix XSS in board name (https://github.com/slawkens/myaac/commit/e52d9e486f5bf1dea867f59287f70aef3d538189, https://github.com/slawkens/myaac/commit/6db738a87c44b8d96919191ba5e661c32ab47457)
+* Forum: Fix edit_post, despite being an author, edit didn't work (https://github.com/slawkens/myaac/commit/e8b47429e8c607c2662a78b65415dfa772aa0e48)
+* Forum: Fix a player link in the forum thread being not clickable (When outfits are enabled) (https://github.com/slawkens/myaac/commit/f640ca636f34cd2dfc1fa8de6fdbed0674908b30)
+* Settings: Fix variable overlapping if the same var name as in core (https://github.com/slawkens/myaac/commit/c2415e9df3a5ffaf768f6f9668bdd38b5efd0771)
+* Settings: fix show_if for the selects (https://github.com/slawkens/myaac/commit/8dcbb66753914322706216cfd01436eb1478a5ce)
+
 ## [1.8.7 - 04.01.2026]
 
 ### Fixed

README.md

@@ -7,7 +7,7 @@ Official website: https://my-aac.org
 [![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/slawkens/myaac/cypress.yml)](https://github.com/slawkens/myaac/actions)
 [![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
 [![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
-[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
+[![MyAAC Discord](https://img.shields.io/discord/1468205461319848049)](https://discord.gg/aVagGPJt3g)
 [![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
 
 | Version | Status                 | Branch  | Requirements   |

admin/template/template.php

@@ -172,7 +172,8 @@
 			<div class="float-sm-right d-none d-sm-inline">
 				<span class="p-2 right badge badge-<?php echo((isset($status['online']) and $status['online']) ? 'success' : 'danger'); ?>"><?php echo $config['lua']['serverName'] ?></span>
 			</div>
-			<?php echo base64_decode('UG93ZXJlZCBieSA8YSBocmVmPSJodHRwOi8vbXktYWFjLm9yZyIgdGFyZ2V0PSJfYmxhbmsiPk15QUFDLjwvYT4='); ?>
+			<?= base64_decode('UG93ZXJlZCBieSA8YSBocmVmPSJodHRwOi8vbXktYWFjLm9yZyIgdGFyZ2V0PSJfYmxhbmsiPk15QUFDLjwvYT4='); ?>
+			<?= 'Load time: ' . round(microtime(true) - START_TIME, 4) . ' seconds.'; ?>
 		</footer>
 		<div id="sidebar-overlay"></div>
 	</div>

common.php

@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '8.1', '<')) die('PHP version 8.1 or higher is required.');
 
 const MYAAC = true;
-const MYAAC_VERSION = '1.8.7';
+const MYAAC_VERSION = '1.8.9';
 const DATABASE_VERSION = 46;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));

install/index.php

@@ -30,7 +30,7 @@ if(file_exists(CACHE . 'install.txt')) {
 	$install_status = unserialize(file_get_contents(CACHE . 'install.txt'));
 
 	if(!isset($_REQUEST['step'])) {
-		$step = isset($install_status['step']) ? $install_status['step'] : '';
+		$step = $install_status['step'] ?? '';
 	}
 }
 
@@ -53,7 +53,7 @@ if($step == 'finish' && (!isset($config['installed']) || !$config['installed']))
 
 // step verify
 $steps = array(1 => 'welcome', 2 => 'license', 3 => 'requirements', 4 => 'config', 5 => 'database', 6 => 'admin', 7 => 'finish');
-if(!in_array($step, $steps)) // check if step is valid
+if(!in_array($step, $steps)) // check if a step is valid
 	throw new RuntimeException('ERROR: Unknown step.');
 
 $install_status['step'] = $step;
@@ -61,7 +61,7 @@ $errors = array();
 
 if($step == 'database') {
 	foreach($_SESSION as $key => $value) {
-		if(strpos($key, 'var_') === false) {
+		if(!str_contains($key, 'var_')) {
 			continue;
 		}
 
@@ -182,7 +182,7 @@ $error = false;
 clearstatcache();
 if(is_writable(CACHE) && (MYAAC_OS != 'WINDOWS' || win_is_writable(CACHE))) {
 	if(!file_exists(BASE . 'install/ip.txt')) {
-		$content = warning('AAC installation is disabled. To enable it make file <b>ip.txt</b> in install/ directory and put there your IP.<br/>
+		$content = warning('AAC installation is disabled. To enable it make a file <b>ip.txt</b> in install/ directory and put there your IP.<br/>
 		Your IP is:<br /><b>' . get_browser_real_ip() . '</b>', true);
 	}
 	else {
@@ -198,7 +198,7 @@ if(is_writable(CACHE) && (MYAAC_OS != 'WINDOWS' || win_is_writable(CACHE))) {
 		if(!$allow)
 		{
 			$content = warning('In file <b>install/ip.txt</b> must be your IP!<br/>
-			In file is:<br /><b>' . nl2br($file_content) . '</b><br/>
+			In the file is:<br /><b>' . nl2br($file_content) . '</b><br/>
 			Your IP is:<br /><b>' . get_browser_real_ip() . '</b>', true);
 		}
 		else {

install/tools/7-finish.php

@@ -57,6 +57,8 @@ if ($db->hasTable('players')) {
 DataLoader::setLocale($locale);
 DataLoader::load();
 
+clearCache();
+
 // add menus entries
 require_once SYSTEM . 'migrations/17.php';
 $up();
@@ -105,6 +107,10 @@ if(file_exists(CACHE . 'install.txt')) {
 	unlink(CACHE . 'install.txt');
 }
 
+if(file_exists(BASE . 'install/ip.txt')) {
+	unlink(BASE . 'install/ip.txt');
+}
+
 $locale['step_finish_desc'] = str_replace('$ADMIN_PANEL$', generateLink(str_replace('tools/', '',ADMIN_URL), $locale['step_finish_admin_panel'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$HOMEPAGE$', generateLink(str_replace('tools/', '', BASE_URL), $locale['step_finish_homepage'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$LINK$', generateLink('https://my-aac.org', 'https://my-aac.org', true), $locale['step_finish_desc']);

package-lock.json

@@ -18,9 +18,9 @@
       }
     },
     "node_modules/@cypress/request": {
-      "version": "3.0.8",
-      "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.8.tgz",
-      "integrity": "sha512-h0NFgh1mJmm1nr4jCwkGHwKneVYKghUyWe6TMNrk0B9zsjAJxpg8C4/+BAcmLgCPa1vj1V8rNUaILl+zYRUWBQ==",
+      "version": "3.0.10",
+      "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.10.tgz",
+      "integrity": "sha512-hauBrOdvu08vOsagkZ/Aju5XuiZx6ldsLfByg1htFeldhex+PeMrYauANzFsMJeAA0+dyPLbDoX2OYuvVoLDkQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -30,14 +30,14 @@
         "combined-stream": "~1.0.6",
         "extend": "~3.0.2",
         "forever-agent": "~0.6.1",
-        "form-data": "~4.0.0",
+        "form-data": "~4.0.4",
         "http-signature": "~1.4.0",
         "is-typedarray": "~1.0.0",
         "isstream": "~0.1.2",
         "json-stringify-safe": "~5.0.1",
         "mime-types": "~2.1.19",
         "performance-now": "^2.1.0",
-        "qs": "6.14.0",
+        "qs": "~6.14.1",
         "safe-buffer": "^5.1.2",
         "tough-cookie": "^5.0.0",
         "tunnel-agent": "^0.6.0",
@@ -1431,9 +1431,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
       "dev": true,
       "license": "MIT"
     },
@@ -1743,9 +1743,9 @@
       }
     },
     "node_modules/qs": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
-      "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+      "version": "6.14.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {

system/functions.php

@@ -21,7 +21,6 @@ use MyAAC\News;
 use MyAAC\Plugins;
 use MyAAC\Settings;
 use PHPMailer\PHPMailer\PHPMailer;
-use Twig\Loader\ArrayLoader as Twig_ArrayLoader;
 
 function message($message, $type, $return)
 {
@@ -516,7 +515,12 @@ function template_place_holder($type): string
 			$ret .= $debugBarRenderer->renderHead();
 		}
 	}
+	elseif ($type === 'head_end') {
+		$ret .= setting('core.html_head');
+	}
 	elseif ($type === 'body_start') {
+		$ret .= setting('core.html_body');
+
 		$ret .= $twig->render('browsehappy.html.twig');
 
 		if (admin()) {
@@ -527,6 +531,8 @@ function template_place_holder($type): string
 		}
 	}
 	elseif($type === 'body_end') {
+		$ret .= setting('core.html_footer');
+
 		$ret .= template_ga_code();
 		if (isset($debugBar)) {
 			$ret .= $debugBarRenderer->render();
@@ -878,11 +884,12 @@ function getWorldName($id)
  *
  * @param string $to Recipient email address.
  * @param string $subject Subject of the message.
- * @param string $body Message body in html format.
+ * @param string $body Message body in HTML format.
  * @param string $altBody Alternative message body, plain text.
  * @return bool PHPMailer status returned (success/failure).
+ * @throws \PHPMailer\PHPMailer\Exception
  */
-function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
+function _mail(string $to, string $subject, string $body, string $altBody = ''): bool
 {
 	global $mailer, $config;
 
@@ -900,12 +907,6 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->clearAllRecipients();
 	}
 
-	$signature_html = setting('core.mail_signature_html');
-	if($add_html_tags && isset($body[0]))
-		$tmp_body = '<html><head></head><body>' . $body . '<br/><br/>' . $signature_html . '</body></html>';
-	else
-		$tmp_body = $body . '<br/><br/>' . $signature_html;
-
 	$mailOption = setting('core.mail_option');
 	if($mailOption == MAIL_SMTP)
 	{
@@ -932,6 +933,9 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->isMail();
 	}
 
+	$signature_html = setting('core.mail_signature_html');
+	$tmp_body = $body . '<br/><br/>' . $signature_html;
+
 	$mailer->isHTML(isset($body[0]) > 0);
 	$mailer->From = setting('core.mail_address');
 	$mailer->Sender = setting('core.mail_address');
@@ -1381,17 +1385,7 @@ function getCustomPage($name, &$success): string
 			ob_end_clean();
 		}
 		else {
-			$oldLoader = $twig->getLoader();
-
-			$twig_loader_array = new Twig_ArrayLoader(array(
-				'content.html' => $page['body']
-			));
-
-			$twig->setLoader($twig_loader_array);
-
-			$content .= $twig->render('content.html');
-
-			$twig->setLoader($oldLoader);
+			$content .= $twig->renderInline($page['body']);
 		}
 	}
 

system/locale/de/install.php

@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Nicht geladen';
 $locale['loading_spinner'] = 'Bitte warten, installieren...';
 $locale['importing_spinner'] = 'Bitte warte, Daten werden importiert...';
 $locale['please_fill_all'] = 'Bitte füllen Sie alle Felder aus!';
-$locale['already_installed'] = 'MyAAC wurde bereits installiert. Bitte löschen <b>install/</b> Verzeichnis. Wenn Sie MyAAC neu installieren möchten, löschen Sie die Datei <strong>config.local.php</strong> aus dem Hauptverzeichnis und aktualisieren Sie die Seite.';
+$locale['already_installed'] = 'MyAAC wurde bereits installiert. Wenn Sie MyAAC neu installieren möchten, löschen Sie die Datei <strong>config.local.php</strong> aus dem Hauptverzeichnis und aktualisieren Sie die Seite.';
 
 // welcome
 $locale['step_welcome'] = 'Willkommen';

system/locale/en/install.php

@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Not loaded';
 $locale['loading_spinner'] = 'Please wait, installing...';
 $locale['importing_spinner'] = 'Please wait, importing data...';
 $locale['please_fill_all'] = 'Please fill all inputs!';
-$locale['already_installed'] = 'MyAAC has been already installed. Please delete <b>install/</b> directory. If you want to reinstall MyAAC - please delete <strong>config.local.php</strong> file from the main directory and refresh the page.';
+$locale['already_installed'] = 'MyAAC has been already installed. If you want to reinstall MyAAC - please delete <strong>config.local.php</strong> file from the main directory and refresh the page.';
 
 // welcome
 $locale['step_welcome'] = 'Welcome';

system/locale/pl/install.php

@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Nie załadowane';
 $locale['loading_spinner'] = 'Proszę czekać, trwa instalacja...';
 $locale['importing_spinner'] = 'Proszę czekać, trwa importowanie danych...';
 $locale['please_fill_all'] = 'Proszę wypełnić wszystkie pola!';
-$locale['already_installed'] = 'MyAAC został już zainstalowany. Proszę usunąć katalog <b>install/</b>. Jeśli chcesz zainstalować MyAAC od nowa - proszę usuń plik <strong>config.local.php</strong> z katalogu głównego i odśwież stronę.';
+$locale['already_installed'] = 'MyAAC został już zainstalowany. Jeśli chcesz zainstalować MyAAC od nowa - proszę usuń plik <strong>config.local.php</strong> z katalogu głównego i odśwież stronę.';
 
 // welcome
 $locale['step_welcome'] = 'Witamy';

system/locale/pt_br/install.php

@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Não carregado';
 $locale['loading_spinner'] = 'Por favor aguarde, instalando...';
 $locale['importing_spinner'] = 'Por favor, aguarde, importando dados...';
 $locale['please_fill_all'] = 'Por favor, preencha todas as entradas!';
-$locale['already_installed'] = 'MyAAC já foi instalado. Por favor, apague o diretório <b> install/ <b/>. Se você quiser reinstalar o MyAAC - exclua o arquivo <strong> config.local.php </strong> do diretório principal e atualize a página.';
+$locale['already_installed'] = 'MyAAC já foi instalado. Se você quiser reinstalar o MyAAC - exclua o arquivo <strong> config.local.php </strong> do diretório principal e atualize a página.';
 
 // welcome
 $locale['step_welcome'] = 'Bem vindo';

system/locale/sv/install.php

@@ -18,7 +18,7 @@ $locale['loaded'] = 'Laddad';
 $locale['not_loaded'] = 'Inte Laddad';
 
 $locale['please_fill_all'] = 'Vänligen fyll i allt!';
-$locale['already_installed'] = 'MyAAC är redan installerat. Vänligen ta bort <b>install/<b/> mappen. Om du vill installera MyAAC igen - ta bort filen <strong>config.local.php</strong> från huvudkatalogen och uppdatera sidan.';
+$locale['already_installed'] = 'MyAAC är redan installerat. Om du vill installera MyAAC igen - ta bort filen <strong>config.local.php</strong> från huvudkatalogen och uppdatera sidan.';
 
 // welcome
 $locale['step_welcome'] = 'Välkommen';

system/pages/account/characters/change-comment.php

@@ -51,6 +51,8 @@ if($player_name != null) {
 						'description' => 'The character information has been changed.'
 					));
 					$show_form = false;
+
+					$hooks->trigger(HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_SUCCESS, ['player' => $player]);
 				}
 			}
 		} else {
@@ -70,9 +72,11 @@ if($show_form) {
 	}
 
 	if(isset($player) && $player) {
-		$twig->display('account.characters.change-comment.html.twig', array(
-			'player' => $player->toArray()
-		));
+		$_player = $player->toArray();
+		$_player['id'] = $player->id; // Hack, as it's somehow missing in the toArray() function
+
+		$twig->display('account.characters.change-comment.html.twig', [
+			'player' => $_player,
+		]);
 	}
 }
-?>

system/pages/account/create.php

@@ -160,7 +160,7 @@ if($save)
 	}
 
 	if(setting('core.account_create_character_create')) {
-		$character_name = isset($_POST['name']) ? stripslashes(ucwords(strtolower($_POST['name']))) : null;
+		$character_name = isset($_POST['name']) ? trim(stripslashes($_POST['name'])) : null;
 		$character_sex = isset($_POST['sex']) ? (int)$_POST['sex'] : null;
 		$character_vocation = isset($_POST['vocation']) ? (int)$_POST['vocation'] : null;
 		$character_town = isset($_POST['town']) ? (int)$_POST['town'] : null;

system/pages/forum/edit_post.php

@@ -36,9 +36,9 @@ if(Forum::canPost($account_logged)) {
 	$thread = $db->query("SELECT `author_guid`, `author_aid`, `first_post`, `post_topic`, `post_date`, `post_text`, `post_smile`, `post_html`, `id`, `section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$post_id." LIMIT 1")->fetch();
 	if(isset($thread['id'])) {
 		$first_post = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`author_guid`, `" . FORUM_TABLE_PREFIX . "forum`.`author_aid`, `" . FORUM_TABLE_PREFIX . "forum`.`first_post`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_smile`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread['first_post']." LIMIT 1")->fetch();
-		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread['first_post']) . '">'.htmlspecialchars($first_post['post_topic']).'</a> >> <b>Edit post</b>';
+		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.escapeHtml($sections[$thread['section']]['name']).'</a> >> <a href="' . getForumThreadLink($thread['first_post']) . '">'.htmlspecialchars($first_post['post_topic']).'</a> >> <b>Edit post</b>';
 
-		if(Forum::hasAccess($thread['section'] && ($account_logged->getId() == $thread['author_aid'] || Forum::isModerator()))) {
+		if(Forum::hasAccess($thread['section']) && ($account_logged->getId() == $thread['author_aid'] || Forum::isModerator())) {
 			$char_id = $post_topic = $text = $smile = $html = null;
 			$players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
 			$saved = false;

system/pages/forum/new_post.php

@@ -42,7 +42,7 @@ if(Forum::canPost($account_logged)) {
 	$thread = $db->query("SELECT `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $thread_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id." LIMIT 1")->fetch();
 
 	if(isset($thread['id']) && Forum::hasAccess($thread['section'])) {
-		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.htmlspecialchars($thread['post_topic']).'</a> >> <b>Post new reply</b><br /><h3>'.htmlspecialchars($thread['post_topic']).'</h3>';
+		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.escapeHtml($sections[$thread['section']]['name']).'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.htmlspecialchars($thread['post_topic']).'</a> >> <b>Post new reply</b><br /><h3>'.htmlspecialchars($thread['post_topic']).'</h3>';
 
 		$quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL;
 		$text = isset($_POST['text']) ? stripslashes(trim($_POST['text'])) : NULL;

system/pages/forum/new_thread.php

@@ -34,7 +34,7 @@ if(Forum::canPost($account_logged)) {
 	$players_from_account = $db->query('SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = '.(int) $account_logged->getId())->fetchAll();
 	$section_id = $_REQUEST['section_id'] ?? null;
 	if($section_id !== null) {
-		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($section_id) . '">' . $sections[$section_id]['name'] . '</a> >> <b>Post new thread</b><br />';
+		echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($section_id) . '">' . escapeHtml($sections[$section_id]['name']) . '</a> >> <b>Post new thread</b><br />';
 
 		if(isset($sections[$section_id]['name']) && Forum::hasAccess($section_id)) {
 			if ($sections[$section_id]['closed'] && !Forum::isModerator())

system/pages/forum/show_board.php

@@ -42,7 +42,7 @@ for($i = 0; $i < $threads_count['threads_count'] / setting('core.forum_threads_p
 		$links_to_pages .= '<b>'.($i + 1).' </b>';
 }
 
-echo '<a href="' . getLink('forum') . '">Boards</a> >> <b>'.$sections[$section_id]['name'].'</b>';
+echo '<a href="' . getLink('forum') . '">Boards</a> >> <b>'.escapeHtml($sections[$section_id]['name']).'</b>';
 
 if($logged && (!$sections[$section_id]['closed'] || Forum::isModerator())) {
 	echo '<br /><br />

system/pages/forum/show_thread.php

@@ -70,7 +70,7 @@ foreach($posts as &$post) {
 	}
 
 	$post['group'] = $groupName;
-	$post['player_link'] = getPlayerLink($player->getName());
+	$post['player_link'] = '<a href="' . getPlayerLink($player, false) . '" style="position: relative;">' . $player->getName() . '</a>';
 
 	$post['vocation'] = $player->getVocationName();
 

system/settings.php

@@ -156,7 +156,7 @@ return [
 		'footer' => [
 			'name' => 'Custom Text',
 			'type' => 'textarea',
-			'desc' => 'Text displayed in the footer.<br/>For example: <i>' . escapeHtml('<br/>') . 'Your Server &copy; 2023. All rights reserved.</i>',
+			'desc' => 'Text displayed in the footer.<br/>For example: <i>' . escapeHtml('<br/>') . 'Your Server &copy; ' . date("Y") . '. All rights reserved.</i>',
 			'default' => '',
 		],
 		'footer_load_time' => [
@@ -251,6 +251,28 @@ return [
 			'desc' => 'Allow MyAAC to report anonymous usage statistics to developers? The data is sent only once per 30 days and is fully confidential. It won\'t affect the performance of your website',
 			'default' => true,
 		],
+		[
+			'type' => 'section',
+			'title' => 'Custom HTML',
+		],
+		'html_head' => [
+			'name' => 'HTML Head',
+			'type' => 'textarea',
+			'desc' => escapeHtml('These scripts will be printed in the <head> section. Can be, for example, Google Analytics code.'),
+			'default' => '',
+		],
+		'html_body' => [
+			'name' => 'HTML Body',
+			'type' => 'textarea',
+			'desc' => escapeHtml('These scripts will be printed just below the opening <body> tag.'),
+			'default' => '',
+		],
+		'html_footer' => [
+			'name' => 'HTML Footer',
+			'type' => 'textarea',
+			'desc' => escapeHtml('These scripts will be printed above the closing </body> tag.'),
+			'default' => '',
+		],
 		[
 			'type' => 'category',
 			'title' => 'Game',

system/src/Commands/GiveAdminCommand.php

@@ -0,0 +1,50 @@
+<?php
+
+namespace MyAAC\Commands;
+
+use MyAAC\Plugins;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+class GiveAdminCommand extends Command
+{
+	protected function configure(): void
+	{
+		$this->setName('give:admin')
+			->setDescription('This command adds super admin privileges to selected user')
+			->addArgument('account', InputArgument::REQUIRED, 'Account E-Mail, name or id');
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int
+	{
+		require SYSTEM . 'init.php';
+
+		$io = new SymfonyStyle($input, $output);
+
+		$account = new \OTS_Account();
+
+		$accountParam = $input->getArgument('account');
+		if (str_contains($accountParam, '@')) {
+			$account->findByEMail($accountParam);
+		}
+		else {
+			if (USE_ACCOUNT_NAME || USE_ACCOUNT_NUMBER) {
+				$account->find($accountParam);
+			}
+			else {
+				$account->load($accountParam);
+			}
+		}
+
+		if (!$account->isLoaded()) {
+			$io->error('Cannot find account with supplied parameter: ' . $accountParam);
+			return self::FAILURE;
+		}
+
+		$account->setCustomField('web_flags', 3);
+		$io->success('Successfully added admin privileges to ' . $accountParam . ' (E-Mail: ' . $account->getEMail() . ')');
+		return self::SUCCESS;
+	}
+}

system/src/Models/AccountBan.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace MyAAC\Models;
+use Illuminate\Database\Eloquent\Model;
+
+class AccountBan extends Model {
+
+	protected $table = TABLE_PREFIX . 'account_bans';
+
+	public $timestamps = false;
+
+	protected $fillable = [
+		'account_id',
+		'reason', 'banned_at',
+		'expires_at', 'banned_by'
+	];
+
+}

system/src/Settings.php

@@ -122,6 +122,8 @@ class Settings implements \ArrayAccess
 	public static function display($plugin, $settings): array
 	{
 		$settingsDb = ModelsSettings::where('name', $plugin)->pluck('value', 'key')->toArray();
+
+		if ($plugin === 'core') {
 			$config = [];
 			require BASE . 'config.local.php';
 
@@ -136,6 +138,7 @@ class Settings implements \ArrayAccess
 					$settingsDb[$key] = (string)$value;
 				}
 			}
+		}
 
 		$javascript = '';
 		ob_start();

system/src/Twig/EnvironmentBridge.php

@@ -3,6 +3,7 @@
 namespace MyAAC\Twig;
 
 use Twig\Environment;
+use Twig\Loader\ArrayLoader as Twig_ArrayLoader;
 
 class EnvironmentBridge extends Environment
 {
@@ -25,4 +26,21 @@ class EnvironmentBridge extends Environment
 
 		return parent::render($name, $context);
 	}
+
+	public function renderInline($content, array $context = []): string
+	{
+		$oldLoader = $this->getLoader();
+
+		$twig_loader_array = new Twig_ArrayLoader(array(
+			'content.html' => $content
+		));
+
+		$this->setLoader($twig_loader_array);
+
+		$ret = $this->render('content.html', $context);
+
+		$this->setLoader($oldLoader);
+
+		return $ret;
+	}
 }

system/src/Validator.php

@@ -183,7 +183,7 @@ class Validator
 			return false;
 		}
 
-		// installer doesn't know config.php yet
+		// installer doesn't know settings yet
 		// that's why we need to ignore the nulls
 		if(defined('MYAAC_INSTALL')) {
 			$minLength = 4;
@@ -207,21 +207,15 @@ class Validator
 			return false;
 		}
 
-		if(strspn($name, "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM- [ ] '") != $length)
+		if(strspn($name, "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM ") != $length)
 		{
-			self::$lastError = "Invalid name format. Use only A-Z, spaces and '.";
+			self::$lastError = "This name contains invalid letters. Please use only A-Z, a-z and space!";
 			return false;
 		}
 
 		if(preg_match('/ {2,}/', $name))
 		{
-			self::$lastError = 'Invalid character name format. Use only A-Z and no double spaces.';
-			return false;
-		}
-
-		if(!preg_match("/[A-z ']/", $name))
-		{
-			self::$lastError = "Invalid name format. Use only A-Z, spaces and '.";
+			self::$lastError = 'Invalid character name format. Use only A-Z, a-z and no double spaces.';
 			return false;
 		}
 
@@ -230,17 +224,23 @@ class Validator
 
 	/**
 	 * Validate new character name.
-	 * Name lenght must be 3-25 chars
+	 * Name length must be 3-25 chars
 	 *
 	 * @param  string $name Name to check
 	 * @return bool Is name valid?
 	 */
 	public static function newCharacterName($name)
 	{
-		global $db, $config;
+		global $db;
 
+		$name = trim($name);
 		$name_lower = strtolower($name);
 
+		if(strlen($name) < 1) {
+			self::$lastError = 'Please enter a name.';
+			return false;
+		}
+
 		$first_words_blocked = array_merge(["'", '-'], setting('core.create_character_name_blocked_prefix'));
 		foreach($first_words_blocked as $word) {
 			if($word == substr($name_lower, 0, strlen($word))) {
@@ -249,11 +249,6 @@ class Validator
 			}
 		}
 
-		if(str_ends_with($name_lower, "'") || str_ends_with($name_lower, "-")) {
-			self::$lastError = 'Your name contains illegal characters.';
-			return false;
-		}
-
 		if(substr($name_lower, 1, 1) == ' ') {
 			self::$lastError = 'Your name contains illegal space.';
 			return false;
@@ -265,11 +260,36 @@ class Validator
 		}
 
 		if(preg_match('/ {2,}/', $name)) {
-			self::$lastError = 'Invalid character name format. Use only A-Z and numbers 0-9 and no double spaces.';
+			self::$lastError = 'Invalid character name format. Use only A-Z and no double spaces.';
 			return false;
 		}
 
-		if(strtolower($config['lua']['serverName']) == $name_lower) {
+		if (substr($name[0], 0, 1) !== strtoupper(substr($name[0], 0, 1))) {
+			self::$lastError = 'The first letter of a name has to be a capital letter.';
+			return false;
+		}
+
+		foreach (explode(' ', $name) as $word) {
+			$wordCut = substr($word, 1, strlen($word));
+			$hasUpperCase = preg_match('/[A-Z]/', $wordCut);
+			if ($hasUpperCase) {
+				self::$lastError = 'In names capital letters are only allowed at the beginning of a word.';
+				return false;
+			}
+
+			if (strlen($word) == 1) {
+				self::$lastError = 'This name contains a word with only one letter. Please use more than one letter for each word.';
+				return false;
+			}
+
+			$hasVowel = preg_match('/[aeiouAEIOU]/', $word);
+			if (!$hasVowel) {
+				self::$lastError = 'This name contains a word without vowels. Please choose another name.';
+				return false;
+			}
+		}
+
+		if(strtolower(configLua('serverName')) == $name_lower) {
 			self::$lastError = 'Your name cannot be same as server name.';
 			return false;
 		}

system/src/global.php

@@ -28,6 +28,10 @@ define('HOOK_CHARACTERS_AFTER_CHARACTERS', ++$i);
 define('HOOK_LOGIN', ++$i);
 define('HOOK_LOGIN_ATTEMPT', ++$i);
 define('HOOK_LOGOUT', ++$i);
+define('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_SUCCESS', ++$i);
+define('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_NAME', ++$i);
+define('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_HIDE_ACCOUNT', ++$i);
+define('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_COMMENT', ++$i);
 define('HOOK_ACCOUNT_CHANGE_PASSWORD_AFTER_OLD_PASSWORD', ++$i);
 define('HOOK_ACCOUNT_CHANGE_PASSWORD_AFTER_NEW_PASSWORD', ++$i);
 define('HOOK_ACCOUNT_CHANGE_PASSWORD_POST', ++$i);

system/templates/account.characters.change-comment.html.twig

@@ -33,6 +33,7 @@ If you do not want to specify a certain field, just leave it blank.<br/><br/>
 													<td class="LabelV">Name:</td>
 													<td style="width:80%;" >{{ player.name }}</td>
 												</tr>
+												{{ hook('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_NAME') }}
 												<tr>
 													<td class="LabelV" >Hide Account:</td>
 													<td>
@@ -42,6 +43,7 @@ If you do not want to specify a certain field, just leave it blank.<br/><br/>
 														{% if player.group_id > 1 %} (you will be also hidden on the Team page!){% endif %}
 													</td>
 												</tr>
+												{{ hook('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_HIDE_ACCOUNT') }}
 											</table>
 										</div>
 									</div>
@@ -65,6 +67,7 @@ If you do not want to specify a certain field, just leave it blank.<br/><br/>
 													<td class="LabelV" ><span>Comment:</span></td>
 													<td style="width:80%;"><textarea name="comment" rows="10" cols="50" wrap="virtual">{{ player.comment|raw }}</textarea><br>[max. length: 2000 chars, 50 lines (ENTERs)]</td>
 												</tr>
+												{{ hook('HOOK_ACCOUNT_CHARACTERS_CHANGE_COMMENT_AFTER_COMMENT') }}
 											</table>
 										</div>
 									</div>

system/templates/account.management.html.twig

@@ -114,7 +114,7 @@
 			</tr>
 			<tr style="background-color: {{ config.darkborder }};" >
 				<td>Last Login:</td>
-				<td>{{ "now"|date("j F Y, G:i:s") }}</td>
+				<td>{{ account_logged.getCustomField('web_lastlogin')|date("j F Y, G:i:s") }}</td>
 			</tr>
 			{% autoescape false %}
 			<tr style="background-color: {{ config.lightborder }};" >

system/templates/admin.settings.html.twig

@@ -37,21 +37,31 @@
 {% for key, value in settings %}
 	{% if value.show_if is defined %}
 		$(function () {
-			$('input[name="settings[{{ value.show_if[0] }}]"]').change(function () {
+			{% set inputType = 'input' %}
+
+			{% if settings[value.show_if[0]]['type'] == 'options' %}
+				{% set inputType = 'select' %}
+			{% endif %}
+
+			$('{{ inputType }}[name="settings[{{ value.show_if[0] }}]"]').change(function () {
 				performChecks_{{ key }}(this);
 			});
 
 			{% if settings[value.show_if[0]]['type'] == 'boolean' %}
 			performChecks_{{ key }}('input[name="settings[{{ value.show_if[0] }}]"]:checked');
 			{% else %}
-			performChecks_{{ key }}('input[name="settings[{{ value.show_if[0] }}]"]');
+			performChecks_{{ key }}('{{ inputType }}[name="settings[{{ value.show_if[0] }}]"]');
 			{% endif %}
 		});
 
 		function performChecks_{{ key }}(el)
 		{
 			let success = false;
+
 			let thisVal = $(el).val();
+			{% if settings[value.show_if[0]]['type'] == 'options' %}
+			thisVal = $(el).find(":selected").val();
+			{% endif %}
 
 			let operator = '{{ value.show_if[1]|raw }}';
 			if (operator === '>') {

templates/kathrine/news.html.twig

@@ -2,9 +2,9 @@
 	<div class="NewsHeadline">
 		<div class="NewsHeadlineBackground" style="background-image:url({{template_path }}/images/news/newsheadline_background.gif)">
 			<img src="{{ constant('BASE_URL') }}images/news/icon_{{ icon }}.gif" class="NewsHeadlineIcon" />
-			<div class="NewsHeadlineDate">{{ date|date(config.news_date_format) }} - </div>
+			<div class="NewsHeadlineDate">{{ date|date(setting('core.news_date_format')) }} - </div>
 			<div class="NewsHeadlineText">{{ title }}</div>
-			{% if author is not empty %}
+			{% if setting('core.news_author') and author is not empty %}
 			<div class="NewsHeadlineAuthor"><b>Author: </b><i>{{ author }}</i></div>
 			{% endif %}
 		</div>

templates/tibiacom/account.management.html.twig

@@ -151,7 +151,7 @@
 						</tr>
 						<tr style="background-color: {{ config.darkborder }};" >
 							<td class="LabelV" >Last Login:</td>
-							<td>{{ "now"|date("j F Y, G:i:s") }}</td>
+							<td>{{ account_logged.getCustomField('web_lastlogin')|date("j F Y, G:i:s") }}</td>
 						</tr>
 						{% autoescape false %}
 						<tr style="background-color: {{ config.lightborder }};">

tools/validate.php

@@ -63,10 +63,7 @@ else if(isset($_GET['email']))
 }
 else if(isset($_GET['name']))
 {
-	$name = $_GET['name'];
-	if(!admin()) {
-		$name = strtolower(stripslashes($name));
-	}
+	$name = trim(stripslashes($_GET['name']));
 
 	if(!Validator::characterName($name)) {
 		error_(Validator::getLastError());
@@ -81,7 +78,12 @@ else if(isset($_GET['name']))
 		error_($errors['name']);
 	}
 
-	success_('Good. Your name will be:<br /><b>' . (admin() ? $name : ucwords($name)) . '</b>');
+	$extraText = '';
+	if (admin()) {
+		$extraText = "<br/>Note: You are logged in as admin, so you can create almost any name without rules.";
+	}
+
+	success_("Good. Your name will be:<br /><b>$name</b>$extraText");
 }
 else if(isset($_GET['password']) && isset($_GET['password_confirm'])) {
 	$password = $_GET['password'];