Release 2.1.3 (#3575)

* fix: purify custom field values before display * fix: empty reset code is usable * release: 2.1.3
NamelessMC · Jan 8, 2025 · c3e7fce · c3e7fce
1 parent ca92628
commit c3e7fce
Show file tree

Hide file tree

Showing 20 changed files with 62 additions and 35 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -16,8 +16,8 @@ body:
       description: From StaffCP -> Overview
       options:
         - Development version
-        - 2.1.0
-        - < 2.1.0
+        - 2.1.3
+        - <= 2.1.2
     validations:
       required: true
 

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -8,13 +8,13 @@ The following NamelessMC releases are supported by the development team
 
 | Version   | Supported          |
 |-----------|--------------------|
-| 2.1.x     | :white_check_mark: |
-| <= 2.0.3  | :x:                |
+| 2.1.3     | :white_check_mark: |
+| <= 2.1.2  | :x:                |
 | <= 1.0.22 | :x:                |
 
 ## Reporting a Vulnerability
 
-Currently, the best place to report a vulnerability is either via email or Discord.
+Currently, the best place to report a vulnerability is on GitHub.
 
-- huntr.dev - https://huntr.dev/repos/namelessmc/nameless
-- Discord server: https://discord.gg/nameless -> Samerton#9433
+- GitHub - https://github.com/NamelessMC/Nameless/security/advisories/new
+- Discord server: https://discord.gg/nameless -> Samerton
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,19 @@
 # NamelessMC v2 Changelog
 
-## [Unreleased](https://github.com/NamelessMC/Nameless/compare/v2.1.2...develop)
+## [Unreleased](https://github.com/NamelessMC/Nameless/compare/v2.1.3...develop)
 > [Milestone](https://github.com/NamelessMC/Nameless/milestone/22)
 
+## [2.1.3](https://github.com/NamelessMC/Nameless/compare/v2.1.2...v2.1.3) - 2025-01-08
+### Added
+- No additions this release
+
+### Changed
+- No changes this release
+
+### Fixed
+- Purify custom fields before display
+- Fix empty reset code being usable
+
 ## [2.1.2](https://github.com/NamelessMC/Nameless/compare/v2.1.1...v2.1.2) - 2023-09-30
 ### Added
 - No additions this release

diff --git a/LICENSE.txt b/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright © 2014-2023 NamelessMC Contributors
+Copyright © 2014-2025 NamelessMC Contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/core/classes/DTO/UserProfileField.php b/core/classes/DTO/UserProfileField.php
@@ -4,7 +4,7 @@
  *
  * @package NamelessMC\DTO
  * @author Aberdeener
- * @version 2.0.0-pr13
+ * @version 2.1.3
  * @license MIT
  */
 class UserProfileField extends ProfileField {
@@ -20,6 +20,11 @@ public function __construct(object $row) {
         $this->upf_id = $row->upf_id;
     }
 
+    public function purifyValue(): ?string
+    {
+        // TODO: option for field to support HTML
+        return Output::getClean($this->value);
+    }
 
     public function updated() {
         return date(DATE_FORMAT, $this->updated);

diff --git a/core/classes/Database/DatabaseInitialiser.php b/core/classes/Database/DatabaseInitialiser.php
@@ -183,7 +183,7 @@ private function initialiseSettings(): void {
         Util::setSetting('recaptcha_type', 'Recaptcha3');
         Util::setSetting('recaptcha_login', '0');
         Util::setSetting('email_verification', '1');
-        Util::setSetting('nameless_version', '2.1.2');
+        Util::setSetting('nameless_version', '2.1.3');
         Util::setSetting('version_checked', date('U'));
         Util::setSetting('phpmailer', '0');
         Util::setSetting('user_avatars', '0');

diff --git a/core/includes/updates/212.php b/core/includes/updates/212.php
@@ -0,0 +1,8 @@
+<?php
+return new class extends UpgradeScript {
+    public function run(): void {
+        $this->runMigrations();
+
+        $this->setVersion('2.1.3');
+    }
+};
diff --git a/custom/panel_templates/Default/core/user.tpl b/custom/panel_templates/Default/core/user.tpl
@@ -154,7 +154,7 @@
                                                     </td>
                                                     <td>
                                                         {if $USER_PROFILE_FIELDS[$field->id]->value}
-                                                        {$USER_PROFILE_FIELDS[$field->id]->value}
+                                                        {$USER_PROFILE_FIELDS[$field->id]->purifyValue()}
                                                         {else}
                                                         <i>{$NOT_SET}</i>
                                                         {/if}

diff --git a/custom/panel_templates/Default/template.php b/custom/panel_templates/Default/template.php
@@ -24,8 +24,8 @@ public function __construct(Smarty $smarty, Language $language) {
 
             parent::__construct(
                 'Default',  // Template name
-                '2.1.2',  // Template version
-                '2.1.2',  // Nameless version template is made for
+                '2.1.3',  // Template version
+                '2.1.3',  // Nameless version template is made for
                 '<a href="https://coldfiredzn.com" target="_blank">Coldfire</a>'  // Author, you can use HTML here
             );
 

diff --git a/custom/templates/DefaultRevamp/template.php b/custom/templates/DefaultRevamp/template.php
@@ -25,8 +25,8 @@ class DefaultRevamp_Template extends TemplateBase {
     public function __construct($cache, $smarty, $language, $user, $pages) {
         $template = [
             'name' => 'DefaultRevamp',
-            'version' => '2.1.2',
-            'nl_version' => '2.1.2',
+            'version' => '2.1.3',
+            'nl_version' => '2.1.3',
             'author' => '<a href="https://xemah.com/" target="_blank">Xemah</a>',
         ];
 

diff --git a/modules/Cookie Consent/module.php b/modules/Cookie Consent/module.php
@@ -20,8 +20,8 @@ public function __construct(Language $language, Language $cookie_language, Pages
 
         $name = 'Cookie Consent';
         $author = '<a href="https://samerton.me" target="_blank" rel="nofollow noopener">Samerton</a>';
-        $module_version = '2.1.2';
-        $nameless_version = '2.1.2';
+        $module_version = '2.1.3';
+        $nameless_version = '2.1.3';
 
         parent::__construct($this, $name, $author, $module_version, $nameless_version);
 

diff --git a/modules/Core/includes/endpoints/VerifyEndpoint.php b/modules/Core/includes/endpoints/VerifyEndpoint.php
@@ -28,7 +28,7 @@ public function execute(Nameless2API $api, User $user): void {
 
         $user->update([
             'active' => true,
-            'reset_code' => ''
+            'reset_code' => null,
         ]);
 
         EventHandler::executeEvent(new UserValidatedEvent(

diff --git a/modules/Core/module.php b/modules/Core/module.php
@@ -21,8 +21,8 @@ public function __construct(Language $language, Pages $pages, User $user, Naviga
 
         $name = 'Core';
         $author = '<a href="https://samerton.me" target="_blank" rel="nofollow noopener">Samerton</a>';
-        $module_version = '2.1.2';
-        $nameless_version = '2.1.2';
+        $module_version = '2.1.3';
+        $nameless_version = '2.1.3';
 
         parent::__construct($this, $name, $author, $module_version, $nameless_version);
 

diff --git a/modules/Core/pages/forgot_password.php b/modules/Core/pages/forgot_password.php
@@ -19,7 +19,7 @@
     Redirect::to(URL::build('/'));
 }
 
-if (!isset($_GET['c'])) {
+if (empty($_GET['c'])) {
     // Enter email address form
     if (Input::exists()) {
         if (Token::check()) {

diff --git a/modules/Core/pages/panel/users_edit.php b/modules/Core/pages/panel/users_edit.php
@@ -41,7 +41,7 @@
             if ($user_query->active == 0) {
                 $view_user->update([
                     'active' => true,
-                    'reset_code' => ''
+                    'reset_code' => null,
                 ]);
 
                 EventHandler::executeEvent(new UserValidatedEvent(

diff --git a/modules/Discord Integration/module.php b/modules/Discord Integration/module.php
@@ -9,8 +9,8 @@ public function __construct(Language $language, Pages $pages, Endpoints $endpoin
 
         $name = 'Discord Integration';
         $author = '<a href="https://tadhg.sh" target="_blank" rel="nofollow noopener">Aberdeener</a>';
-        $module_version = '2.1.2';
-        $nameless_version = '2.1.2';
+        $module_version = '2.1.3';
+        $nameless_version = '2.1.3';
 
         parent::__construct($this, $name, $author, $module_version, $nameless_version);
 

diff --git a/modules/Forum/module.php b/modules/Forum/module.php
@@ -20,8 +20,8 @@ public function __construct(Language $language, Language $forum_language, Pages
 
         $name = 'Forum';
         $author = '<a href="https://samerton.me" target="_blank" rel="nofollow noopener">Samerton</a>';
-        $module_version = '2.1.2';
-        $nameless_version = '2.1.2';
+        $module_version = '2.1.3';
+        $nameless_version = '2.1.3';
 
         parent::__construct($this, $name, $author, $module_version, $nameless_version);
 

diff --git a/modules/Forum/pages/forum/view_topic.php b/modules/Forum/pages/forum/view_topic.php
@@ -615,13 +615,16 @@
     }
 
     // Profile fields
-    $fields = $post_creator->getProfileFields(false, true);
+    $fields = array_map(
+        fn($field): object => (object) ['name' => Output::getClean($field->name), 'value' => $field->purifyValue()],
+        $post_creator->getProfileFields(false, true)
+    );
 
     // User integrations
     $user_integrations = [];
     foreach ($post_creator->getIntegrations() as $key => $integrationUser) {
         if ($integrationUser->data()->username != null && $integrationUser->data()->show_publicly) {
-            $fields[] = [
+            $fields[] = (object) [
                 'name' => Output::getClean($key),
                 'value' => Output::getClean($integrationUser->data()->username)
             ];
@@ -635,9 +638,9 @@
 
     $forum_placeholders = $post_creator->getForumPlaceholders();
     foreach ($forum_placeholders as $forum_placeholder) {
-        $fields[] = [
-            'name' => $forum_placeholder->friendly_name,
-            'value' => $forum_placeholder->value
+        $fields[] = (object) [
+            'name' => Output::getClean($forum_placeholder->friendly_name),
+            'value' => Output::getClean($forum_placeholder->value),
         ];
     }
 

diff --git a/modules/Members/module.php b/modules/Members/module.php
@@ -20,8 +20,8 @@ public function __construct(Language $language, Language $members_language, Page
 
         $name = 'Members';
         $author = '<a href="https://tadhg.sh" target="_blank" rel="nofollow noopener">Aberdeener</a>';
-        $module_version = '2.1.2';
-        $nameless_version = '2.1.2';
+        $module_version = '2.1.3';
+        $nameless_version = '2.1.3';
 
         parent::__construct($this, $name, $author, $module_version, $nameless_version);
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "nameless",
-  "version": "2.1.2",
+  "version": "2.1.3",
   "repository": "https://github.com/NamelessMC/Nameless",
   "license": "MIT",
   "private": true,