diff --git a/Admin/Templates/player.tpl b/Admin/Templates/player.tpl
index c2d7c471..756aa310 100644
--- a/Admin/Templates/player.tpl
+++ b/Admin/Templates/player.tpl
@@ -31,7 +31,12 @@ if(isset($id)) {
 include_once("../GameEngine/Ranking.php");
 $varmedal = $database->getProfileMedal($id);
- $profiel="".$user['desc1']."".md5('skJkev3')."".$user['desc2']."";
+ // Issue #250: escape the user-controlled descriptions before they reach the
+ // raw nl2br() render in playerinfo.tpl, so a stored HTML/JS payload (e.g.
+ //
) is shown as inert text. BBCode is
+ // intentionally NOT expanded here: the admin panel has no $generator (the
+ // [coor] tag would fatal) and seeing the raw markup helps moderation.
+ $profiel=htmlspecialchars($user['desc1'] ?? '', ENT_QUOTES, 'UTF-8').md5('skJkev3').htmlspecialchars($user['desc2'] ?? '', ENT_QUOTES, 'UTF-8');
 $separator="../";
 require("../Templates/Profile/medal.php");
 $profiel=explode("".md5('skJkev3')."", $profiel);
diff --git a/GameEngine/Database.php b/GameEngine/Database.php
index d0bb3658..1228c5c1 100755
--- a/GameEngine/Database.php
+++ b/GameEngine/Database.php
@@ -1309,8 +1309,10 @@ class MYSQLi_DB implements IDbConnection {
 $gender = (int)$gender;
 $location = mb_substr(trim($location), 0, 30, 'UTF-8');
 $birthday = trim($birthday);
- $desc1 = trim($desc1);
- $desc2 = trim($desc2);
+ // Issue #250: cap profile descriptions (BBCode is rendered as HTML on
+ // display) so a single field cannot store an oversized payload.
+ $desc1 = mb_substr(trim($desc1), 0, 3000, 'UTF-8');
+ $desc2 = mb_substr(trim($desc2), 0, 3000, 'UTF-8');
 $stmt = $this->dblink->prepare(
 "UPDATE `".TB_PREFIX."users`
diff --git a/GameEngine/Profile.php b/GameEngine/Profile.php
index 95a2b681..84dbd5a5 100755
--- a/GameEngine/Profile.php
+++ b/GameEngine/Profile.php
@@ -239,6 +239,11 @@ class Profile {
 $database->setVillageName($varray[$i]['wref'], $newName);
 }
+ // Invalidate the 30s session user-cache (see Session::PopulateVar) so the
+ // saved description/birthday/etc. show up immediately on the edit form and
+ // header, without waiting for the cache to expire (issue #250).
+ unset($_SESSION['cache_user_' . ($_SESSION['username'] ?? '')]);
+
 header("Location: spieler.php?uid=" . $session->uid);
 exit;
 }
diff --git a/Templates/Profile/overview.tpl b/Templates/Profile/overview.tpl
index fe7489b0..684007b0 100644
--- a/Templates/Profile/overview.tpl
+++ b/Templates/Profile/overview.tpl
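Review bot: The two `htmlspecialchars()` calls on the new `$profiel` line pass `ENT_QUOTES` alone, so a stored description that contains an invalid UTF-8 sequence makes `htmlspecialchars()` return an empty string and the moderator sees nothing where the text should be; the two calls in the Templates/Profile/overview.tpl hunk have the same gap. Passing `ENT_QUOTES | ENT_SUBSTITUTE` (the default since PHP 8.1) keeps the rest of the text and replaces the bad bytes with U+FFFD: `$profiel=htmlspecialchars($user['desc1'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').md5('skJkev3').htmlspecialchars($user['desc2'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The comment's claim that playerinfo.tpl renders the value raw through nl2br() cannot be checked from this diff; if that template already escapes on output this line double-encodes, so a short note naming the render path it is paired with would help the next reader. The enclosing `if(isset($id))` block starts before the hunk.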
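Review bot: The 3000-character cap on the two new `mb_substr()` lines is a magic number written twice, and the truncation is silent, so a user whose text exceeds it loses the tail (possibly mid-BBCode tag) with no feedback. Declaring it once on the class, e.g. `private const PROFILE_DESC_MAX = 3000;`, and using `self::PROFILE_DESC_MAX` in both calls keeps the limit in one place for the form-side `maxlength` to follow. The cap only covers this write path; any other code that stores desc1/desc2 (an admin edit, for instance) would need the same treatment, which this diff does not show. The enclosing method starts before the hunk and the `"UPDATE` string it opens continues past it.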
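Review bot: The cache key `'cache_user_' . ($_SESSION['username'] ?? '')` on the new `unset()` line duplicates whatever key format Session::PopulateVar uses, so if that format changes this line silently unsets a key that does not exist and the stale-cache problem returns without any error. A small method on the session object that owns the key, e.g. `$session->invalidateUserCache();`, would keep the two in sync and let the comment shrink to the why. When `$_SESSION['username']` is absent the key degrades to `cache_user_` and the unset is a harmless no-op; that is fine, but worth one clause in the comment so nobody "fixes" it later. The enclosing method starts before the hunk.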
@@ -40,8 +40,17 @@ $varmedal = $database->getProfileMedal($uid);
 // marker legacy (păstrat pentru compatibilitate DB)
 $profileSeparator = md5('skJkev3');
-// păstrăm exact formatul original (IMPORTANT pentru medal.php)
-$profiel = $displayarray['desc1'] . $profileSeparator . $displayarray['desc2'];
+// Issue #250: profile descriptions are user-controlled free text. Escape them
+// BEFORE any markup expansion so embedded HTML/JS (e.g. a stored
+//
payload) is rendered inert, then expand
+// the BBCode the form advertises ("Suport BBCode"). The md5 separator and the
+// [#..] medal markers carry no HTML/BBCode-special characters, so they survive
+// htmlspecialchars()/BBCode.php untouched and are still handled by medal.php.
+$input = htmlspecialchars($displayarray['desc1'] ?? '', ENT_QUOTES, 'UTF-8')
+ . $profileSeparator
+ . htmlspecialchars($displayarray['desc2'] ?? '', ENT_QUOTES, 'UTF-8');
+include("GameEngine/BBCode.php");
+$profiel = $bbcoded;
 // medal.php se ocupă de procesare (NU îi strica inputul)
 require("medal.php");
@@ -253,7 +262,12 @@ if ($uid == $session->uid) {
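Review bot: `include("GameEngine/BBCode.php")` turns the escaped text back into HTML, so the escaping boundary now ends inside BBCode.php, which this diff does not show: `htmlspecialchars()` neutralises angle brackets and quotes, but any tag there that copies user text into an `href` or `src` attribute still needs its own scheme allow-list, and the `[#..]` medal markers must come out untouched as the comment asserts. A regression test that feeds a description containing `[url=...]`, `[#1]` and an angle bracket through this block and checks `$profiel` would pin both claims. The include also communicates through the implicit globals `$input` and `$bbcoded`; a one-line comment such as `// BBCode.php reads $input and defines $bbcoded` beside the include makes that contract visible. The two `htmlspecialchars()` calls here omit `ENT_SUBSTITUTE`, as noted on the Admin/Templates/player.tpl hunk.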
+
+
+
@@ -264,7 +278,10 @@ if ($uid == $session->uid) {
+
+
+
diff --git a/Templates/Profile/profile.tpl b/Templates/Profile/profile.tpl
index 37f49732..a8d55ec0 100644
--- a/Templates/Profile/profile.tpl
+++ b/Templates/Profile/profile.tpl
@@ -95,7 +95,7 @@ maxlength="4" class="text year">
-
+
@@ -152,7 +152,7 @@ maxlength="30" class="text">
-
+