From c3e7fce5e002c6508261dd42bda04a5400887b75 Mon Sep 17 00:00:00 2001 From: Sam Date: Wed, 8 Jan 2025 20:30:39 +0000 Subject: [PATCH] Release 2.1.3 (#3575) * fix: purify custom field values before display * fix: empty reset code is usable * release: 2.1.3
---
 .github/ISSUE_TEMPLATE/bug-report.yml | 4 ++-- .github/SECURITY.md | 10 +++++----- CHANGELOG.md | 13 ++++++++++++- LICENSE.txt | 2 +- core/classes/DTO/UserProfileField.php | 7 ++++++- core/classes/Database/DatabaseInitialiser.php | 2 +- core/includes/updates/212.php | 8 ++++++++ custom/panel_templates/Default/core/user.tpl | 2 +- custom/panel_templates/Default/template.php | 4 ++-- custom/templates/DefaultRevamp/template.php | 4 ++-- modules/Cookie Consent/module.php | 4 ++-- modules/Core/includes/endpoints/VerifyEndpoint.php | 2 +- modules/Core/module.php | 4 ++-- modules/Core/pages/forgot_password.php | 2 +- modules/Core/pages/panel/users_edit.php | 2 +- modules/Discord Integration/module.php | 4 ++-- modules/Forum/module.php | 4 ++-- modules/Forum/pages/forum/view_topic.php | 13 ++++++++----- modules/Members/module.php | 4 ++-- package.json | 2 +- 20 files changed, 62 insertions(+), 35 deletions(-) create mode 100644 core/includes/updates/212.php
diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
index ad28534a97..3a43f444d4 100644
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -16,8 +16,8 @@ body: description: From StaffCP -> Overview options: - Development version - - 2.1.0 - < 2.1.0 + - 2.1.3 + - <= 2.1.2 validations: required: true
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index cdf3e43ac9..e82aea7c67 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -8,13 +8,13 @@ The following NamelessMC releases are supported by the development team
 | Version | Supported |
 |-----------|--------------------|
-| 2.1.x | :white_check_mark: |
-| <= 2.0.3 | :x: |
+| 2.1.3 | :white_check_mark: |
+| <= 2.1.2 | :x: |
 | <= 1.0.22 | :x: |
 ## Reporting a Vulnerability
-Currently, the best place to report a vulnerability is either via email or Discord.
+Currently, the best place to report a vulnerability is on GitHub.
-- huntr.dev - https://huntr.dev/repos/namelessmc/nameless
-- Discord server: https://discord.gg/nameless -> Samerton#9433
+- GitHub - https://github.com/NamelessMC/Nameless/security/advisories/new
+- Discord server: https://discord.gg/nameless -> Samerton
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f367e0c19e..9ee130e7a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,19 @@
 # NamelessMC v2 Changelog
-## [Unreleased](https://github.com/NamelessMC/Nameless/compare/v2.1.2...develop)
+## [Unreleased](https://github.com/NamelessMC/Nameless/compare/v2.1.3...develop)
 > [Milestone](https://github.com/NamelessMC/Nameless/milestone/22)
+## [2.1.3](https://github.com/NamelessMC/Nameless/compare/v2.1.2...v2.1.3) - 2025-01-08
+### Added
+- No additions this release
+
+### Changed
+- No changes this release
+
+### Fixed
+- Purify custom fields before display
+- Fix empty reset code being usable
+
 ## [2.1.2](https://github.com/NamelessMC/Nameless/compare/v2.1.1...v2.1.2) - 2023-09-30
 ### Added
 - No additions this release
diff --git a/LICENSE.txt b/LICENSE.txt
index 75c73049a3..718c5f78d6 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,6 +1,6 @@
 The MIT License (MIT)
-Copyright © 2014-2023 NamelessMC Contributors
+Copyright © 2014-2025 NamelessMC Contributors
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal
diff --git a/core/classes/DTO/UserProfileField.php b/core/classes/DTO/UserProfileField.php
index 3645e5bfbd..60c8f66e5c 100644
--- a/core/classes/DTO/UserProfileField.php
+++ b/core/classes/DTO/UserProfileField.php
@@ -4,7 +4,7 @@
 *
 * @package NamelessMC\DTO
 * @author Aberdeener
- * @version 2.0.0-pr13
+ * @version 2.1.3
 * @license MIT
 */
 class UserProfileField extends ProfileField {
@@ -20,6 +20,11 @@ public function __construct(object $row) {
 $this->upf_id = $row->upf_id;
 }
+ public function purifyValue(): ?string
+ {
+ // TODO: option for field to support HTML
+ return Output::getClean($this->value);
+ }
 public function updated() {
 return date(DATE_FORMAT, $this->updated);
diff --git a/core/classes/Database/DatabaseInitialiser.php b/core/classes/Database/DatabaseInitialiser.php
index fff95658fc..f09492b3f6 100644
--- a/core/classes/Database/DatabaseInitialiser.php
+++ b/core/classes/Database/DatabaseInitialiser.php
@@ -183,7 +183,7 @@ private function initialiseSettings(): void {
 Util::setSetting('recaptcha_type', 'Recaptcha3');
 Util::setSetting('recaptcha_login', '0');
 Util::setSetting('email_verification', '1');
- Util::setSetting('nameless_version', '2.1.2');
+ Util::setSetting('nameless_version', '2.1.3');
 Util::setSetting('version_checked', date('U'));
 Util::setSetting('phpmailer', '0');
 Util::setSetting('user_avatars', '0');
diff --git a/core/includes/updates/212.php b/core/includes/updates/212.php
new file mode 100644
index 0000000000..fd3fc7e82a
--- /dev/null
+++ b/core/includes/updates/212.php
@@ -0,0 +1,8 @@
+runMigrations();
+
+ $this->setVersion('2.1.3');
+ }
+};
diff --git a/custom/panel_templates/Default/core/user.tpl b/custom/panel_templates/Default/core/user.tpl
index 328292ff1a..f687f23bf2 100644
--- a/custom/panel_templates/Default/core/user.tpl
+++ b/custom/panel_templates/Default/core/user.tpl
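Review bot: `purifyValue()` in the second hunk of `UserProfileField.php` has no docblock, and its name suggests HTML purification while the body calls `Output::getClean($this->value)`, so a caller cannot tell which it gets. The `value` property is left untouched, which makes escaping opt-in: only the call sites changed in this commit (`user.tpl` and `view_topic.php`) are covered, and any other template or module that prints `->value` directly still outputs the stored string. I would add `/** Returns the field value escaped with Output::getClean() for HTML output; templates should call this instead of reading ->value. */` above the method. Whether `?string` is the right return type depends on what `Output::getClean()` returns for a null value, which is not visible here. The class body starts and ends outside the hunk.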
@@ -154,7 +154,7 @@
 {if $USER_PROFILE_FIELDS[$field->id]->value}
- {$USER_PROFILE_FIELDS[$field->id]->value}
+ {$USER_PROFILE_FIELDS[$field->id]->purifyValue()}
 {else} {$NOT_SET} {/if}
diff --git a/custom/panel_templates/Default/template.php b/custom/panel_templates/Default/template.php
index c558b3c9da..9b02e771e0 100644
--- a/custom/panel_templates/Default/template.php
+++ b/custom/panel_templates/Default/template.php
@@ -24,8 +24,8 @@ public function __construct(Smarty $smarty, Language $language) {
 parent::__construct(
 'Default', // Template name
- '2.1.2', // Template version
- '2.1.2', // Nameless version template is made for
+ '2.1.3', // Template version
+ '2.1.3', // Nameless version template is made for
 'Coldfire' // Author, you can use HTML here
 );
diff --git a/custom/templates/DefaultRevamp/template.php b/custom/templates/DefaultRevamp/template.php
index 8db2862b1d..6c0b7e0569 100755
--- a/custom/templates/DefaultRevamp/template.php
+++ b/custom/templates/DefaultRevamp/template.php
@@ -25,8 +25,8 @@ class DefaultRevamp_Template extends TemplateBase {
 public function __construct($cache, $smarty, $language, $user, $pages) {
 $template = [
 'name' => 'DefaultRevamp',
- 'version' => '2.1.2',
- 'nl_version' => '2.1.2',
+ 'version' => '2.1.3',
+ 'nl_version' => '2.1.3',
 'author' => 'Xemah',
 ];
diff --git a/modules/Cookie Consent/module.php b/modules/Cookie Consent/module.php
index 877db29b4d..104aabd602 100644
--- a/modules/Cookie Consent/module.php
+++ b/modules/Cookie Consent/module.php
@@ -20,8 +20,8 @@ public function __construct(Language $language, Language $cookie_language, Pages
 $name = 'Cookie Consent';
 $author = 'Samerton';
- $module_version = '2.1.2';
- $nameless_version = '2.1.2';
+ $module_version = '2.1.3';
+ $nameless_version = '2.1.3';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Core/includes/endpoints/VerifyEndpoint.php b/modules/Core/includes/endpoints/VerifyEndpoint.php
index 9cbaa549c6..9639d70592 100644
--- a/modules/Core/includes/endpoints/VerifyEndpoint.php
+++ b/modules/Core/includes/endpoints/VerifyEndpoint.php
@@ -28,7 +28,7 @@ public function execute(Nameless2API $api, User $user): void {
 $user->update([
 'active' => true,
- 'reset_code' => ''
+ 'reset_code' => null,
 ]);
 EventHandler::executeEvent(new UserValidatedEvent(
diff --git a/modules/Core/module.php b/modules/Core/module.php
index 6421fceccd..da8ce27ad6 100644
--- a/modules/Core/module.php
+++ b/modules/Core/module.php
@@ -21,8 +21,8 @@ public function __construct(Language $language, Pages $pages, User $user, Naviga
 $name = 'Core';
 $author = 'Samerton';
- $module_version = '2.1.2';
- $nameless_version = '2.1.2';
+ $module_version = '2.1.3';
+ $nameless_version = '2.1.3';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Core/pages/forgot_password.php b/modules/Core/pages/forgot_password.php
index f12f448519..30e8f3dc71 100644
--- a/modules/Core/pages/forgot_password.php
+++ b/modules/Core/pages/forgot_password.php
@@ -19,7 +19,7 @@
 Redirect::to(URL::build('/'));
 }
-if (!isset($_GET['c'])) {
+if (empty($_GET['c'])) {
 // Enter email address form
 if (Input::exists()) {
 if (Token::check()) {
diff --git a/modules/Core/pages/panel/users_edit.php b/modules/Core/pages/panel/users_edit.php
index 73dffa77d0..9b7361fb3d 100644
--- a/modules/Core/pages/panel/users_edit.php
+++ b/modules/Core/pages/panel/users_edit.php
@@ -41,7 +41,7 @@
 if ($user_query->active == 0) {
 $view_user->update([
 'active' => true,
- 'reset_code' => ''
+ 'reset_code' => null,
 ]);
 EventHandler::executeEvent(new UserValidatedEvent(
diff --git a/modules/Discord Integration/module.php b/modules/Discord Integration/module.php
index a752617b0f..5bed6135b8 100644
--- a/modules/Discord Integration/module.php
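Review bot: Storing `null` instead of `''` in `reset_code` in `VerifyEndpoint.php`, and in the identical hunk in `modules/Core/pages/panel/users_edit.php`, only covers accounts validated after the upgrade; nothing visible in this commit rewrites rows that already hold an empty string. The new `core/includes/updates/212.php` shows only `runMigrations()` and `setVersion('2.1.3')`, and the diffstat creates no migration file, so on existing installs the fix appears to rest on the `empty($_GET['c'])` guard in `forgot_password.php` alone. I would add a one-off step to that upgrade script that sets `reset_code` to NULL wherever it is an empty string, after confirming the column is nullable. `execute()` starts and ends outside the hunk.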
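Review bot: `empty($_GET['c'])` in `forgot_password.php` rejects a missing or empty code but does not guarantee a string: a request can make `$_GET['c']` a non-empty array, which passes this check and reaches the reset branch. That branch is outside the hunk, so whether it already rejects non-strings cannot be seen here. I would make the guard explicit, `if (!isset($_GET['c']) || !is_string($_GET['c']) || $_GET['c'] === '') {`, which also avoids `empty()` treating the string `'0'` as absent.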
+++ b/modules/Discord Integration/module.php
@@ -9,8 +9,8 @@ public function __construct(Language $language, Pages $pages, Endpoints $endpoin
 $name = 'Discord Integration';
 $author = 'Aberdeener';
- $module_version = '2.1.2';
- $nameless_version = '2.1.2';
+ $module_version = '2.1.3';
+ $nameless_version = '2.1.3';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Forum/module.php b/modules/Forum/module.php
index 7d0bfad6bd..4c5b74eba9 100644
--- a/modules/Forum/module.php
+++ b/modules/Forum/module.php
@@ -20,8 +20,8 @@ public function __construct(Language $language, Language $forum_language, Pages
 $name = 'Forum';
 $author = 'Samerton';
- $module_version = '2.1.2';
- $nameless_version = '2.1.2';
+ $module_version = '2.1.3';
+ $nameless_version = '2.1.3';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Forum/pages/forum/view_topic.php b/modules/Forum/pages/forum/view_topic.php
index 223cf7b962..fe78bec317 100644
--- a/modules/Forum/pages/forum/view_topic.php
+++ b/modules/Forum/pages/forum/view_topic.php
@@ -615,13 +615,16 @@
 }
 // Profile fields
- $fields = $post_creator->getProfileFields(false, true);
+ $fields = array_map(
+ fn($field): object => (object) ['name' => Output::getClean($field->name), 'value' => $field->purifyValue()],
+ $post_creator->getProfileFields(false, true)
+ );
 // User integrations
 $user_integrations = [];
 foreach ($post_creator->getIntegrations() as $key => $integrationUser) {
 if ($integrationUser->data()->username != null && $integrationUser->data()->show_publicly) {
- $fields[] = [
+ $fields[] = (object) [
 'name' => Output::getClean($key),
 'value' => Output::getClean($integrationUser->data()->username)
 ];
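Review bot: The shape of `$fields` changes in the first `view_topic.php` hunk without a comment saying so: profile fields are reduced to `stdClass` objects carrying only `name` and `value`, and the integration entries switch from arrays to objects (the placeholder entries in the next hunk do the same). Any template that read other properties of the profile field object, or read the integration entries with array syntax, would stop working; the templates are not part of this diff, so that needs checking against custom templates. I would add `// Each $fields entry is a stdClass whose name and value are already HTML-escaped; templates print them as-is` above the `array_map` call. Assuming `getProfileFields()` returns `UserProfileField` instances, typing the closure as `static fn (UserProfileField $field): object => ...` would make a non-field element fail loudly instead of at the `purifyValue()` call.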
@@ -635,9 +638,9 @@
 $forum_placeholders = $post_creator->getForumPlaceholders();
 foreach ($forum_placeholders as $forum_placeholder) {
- $fields[] = [
- 'name' => $forum_placeholder->friendly_name,
- 'value' => $forum_placeholder->value
+ $fields[] = (object) [
+ 'name' => Output::getClean($forum_placeholder->friendly_name),
+ 'value' => Output::getClean($forum_placeholder->value),
 ];
 }
diff --git a/modules/Members/module.php b/modules/Members/module.php
index 4ccfbe36a7..65afd9010e 100644
--- a/modules/Members/module.php
+++ b/modules/Members/module.php
@@ -20,8 +20,8 @@ public function __construct(Language $language, Language $members_language, Page
 $name = 'Members';
 $author = 'Aberdeener';
- $module_version = '2.1.2';
- $nameless_version = '2.1.2';
+ $module_version = '2.1.3';
+ $nameless_version = '2.1.3';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/package.json b/package.json
index 4e854444b2..7363364fb0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "nameless",
- "version": "2.1.2",
+ "version": "2.1.3",
 "repository": "https://github.com/NamelessMC/Nameless",
 "license": "MIT",
 "private": true,