Commit Graph

3269 Commits

Author SHA1 Message Date
novgorodschi catalin b4e54c6ac3 Fix #291
// Bug fix: RemoveXSS() calls htmlspecialchars() (&,<,>,",' -> entities).
        // Every display site for these values ALREADY escapes correctly on output
        // (links.tpl's safeHTML(), and preference.tpl's edit-row value=""), so
        // encoding here too meant a saved "&" was stored as literal "&amp;" text
        // in the DB, then got escaped AGAIN on redisplay — surviving one level of
        // browser entity-decoding as visible "&amp;". Worse, it silently broke
        // any saved link with a real query parameter after the first one (e.g.
        // build.php?gid=16&t=99): the stored value no longer had a real "&"
        // separator there, so "t" was never received as its own GET param.
        // strip_tags() (for name) + mysqli_real_escape_string() (below, for SQL)
        // are sufficient at save time; HTML-escaping belongs only at display time.
2026-06-29 07:49:49 +03:00
novgorodschi catalin 757e0fcc8e Fix #292 gold club addraid/edit raid
Fix gold club -> add raid and edit raid duplicate
2026-06-29 07:48:24 +03:00
novgorodschi catalin bd9a1f886e Fix #296
Fix TREASURY ARTEFACTS AREA SORTING
2026-06-29 07:46:57 +03:00
novgorodschi catalin 5d6562f4b5 Added case for Players attackers
Added case for Players attackers. @Ferywir, must be added in Translate file please
2026-06-26 13:06:55 +03:00
novgorodschi catalin e1dd434f5b Fix Statistiken & Credits
Fix Statistiken & Credits
2026-06-26 12:42:16 +03:00
novgorodschi catalin 4561a84a2a fix hero regen
fix hero regen
2026-06-26 11:33:47 +03:00
novgorodschi catalin 0dea1068b3 Fix visualisation in report
Fix visualisation in report
2026-06-26 11:14:42 +03:00
novgorodschi catalin 21d50a1bc6 Fix warsim security issue & hero building
Fix warsim security issue & hero building
2026-06-26 09:10:47 +03:00
novgorodschi catalin 0991c5c906 File sysmsg remove
File sysmsg removed, no longer needed as it is moved into admin panel
2026-06-26 07:43:24 +03:00
Ferywir fa1057d277 Refactor(Technology): de-duplicate unit-summing and tidy getUpkeep() [#219] (#289) 2026-06-26 06:30:38 +03:00
Ferywir 0e13ae23be Refactor(Technology): split trainUnit() into focused helpers [#219] (#288) 2026-06-26 06:29:37 +03:00
Ferywir 082ad85697 Refactor(Technology): make getTrainingList() table-driven [#219] (#287) 2026-06-25 15:45:05 +03:00
novgorodschi catalin 8f204ec4ae Compact checkvacation function
Compact checkvacation function to reduce query
2026-06-25 14:35:04 +03:00
Ferywir 596f007139 Refactor(Units): extract resolveCatapultTargets() from sendTroops() [#219] (#284)
sendTroops() inlined ~65 lines deciding the catapult targets ctar1/ctar2: the
"Rivals great confusion" artefact lookup, the rally-point-level-driven list of
invalid target buildings, the troop/level eligibility rules and the Teuton
Brewery / artefact adjustments. Move that whole block into
resolveCatapultTargets(&$post, $data), which mutates $post['ctar1']/['ctar2'] by
reference exactly as before; sendTroops() now calls it before building the
attack. None of the block's locals were used afterwards. Behaviour-preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 13:44:42 +03:00
Ferywir 58469ea024 Refactor(Units): split checkErrors() into focused validators [#219] (#283) 2026-06-25 13:28:47 +03:00
Ferywir db3953d825 Refactor(Units): extract buildHeroStats() to de-duplicate Hero() [#219] (#282)
Both branches of Hero() (single hero when !$all, full list when $all) computed
the same five derived stats (atk/di/dc/ob/db) and assembled a byte-identical
hero stat array from a getHero() entry plus its unit base data. Extract that
into buildHeroStats($hero, $herodata) and call it from both branches.
Behaviour-preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:43:26 +03:00
Ferywir 1e661b7a03 Refactor(Units): collapse the duplicated procUnits() cases 1-4 [#219] (#281)
Cases 1 to 4 of the procUnits() switch had a byte-identical body (send troops
when the rally-point form is submitted, otherwise load the unit form). Stack the
four case labels and keep a single shared body via switch fall-through.
Behaviour-preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:37:54 +03:00
Ferywir 06089df64c Refactor(Technology): merge upgradeSword/upgradeArmour into upgradeWeaponOrArmour() [#219] (#280)
upgradeSword() and upgradeArmour() were near-identical: the only differences
were the AB-tech key prefix ('b' vs 'a'), the building type whose level gates
the research (Smithy 12 vs Armoury 13) and the matching bid building data
($bid12 vs $bid13). Merge them into a single upgradeWeaponOrArmour($get, $type)
parameterised by the prefix, deriving the building type from it, and route both
procTechno() cases through it. Resolves the pre-existing //TODO. Behaviour-
preserving.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 12:20:26 +03:00
novgorodschi catalin c37e8b23d9 Update version & hall of fame
Update version & hall of fame
2026-06-25 11:07:19 +03:00
novgorodschi catalin fe6ff01396 Fix Some PHP 8+ view error in Build & Credits
Fix Some PHP 8+ view error in Build & Credits

TO DO: Full audit in build directory
2026-06-25 10:54:58 +03:00
Catalin Novgorodschi 23708a2e54 Fix critic bug typo critic: $refValule
Fix critic bug typo critic: $refValule
2026-06-24 20:24:35 +03:00
Ferywir 49ce36fd99 Refactor(Automation): TO-DO list items 7-9 [#266] (#278) 2026-06-24 18:21:30 +03:00
Ferywir e13586a2d7 fix(market): reject resource sends above the warehouse stock (#277) 2026-06-24 17:25:55 +03:00
Ferywir 045f72a6e8 Refactor(Automation): clean up the Automation.php TO-DO list [#266] (#276) 2026-06-24 17:25:22 +03:00
novgorodschi catalin 13d54b7184 Added some graphics TravianZ
Added some graphics TravianZ
2026-06-24 13:45:05 +03:00
Ferywir e432eeef95 fix(rally-point): show incoming hero column for attacks [#267] (#274) 2026-06-24 06:59:24 +03:00
Ferywir d0479a55ce fix(profile): store profile descriptions raw to stop double-escaping (#273) 2026-06-24 06:51:24 +03:00
Ferywir c0bbf2bfbe fix(admin): escape stored player values in admin templates [#139] (#272) 2026-06-23 22:00:51 +03:00
Ferywir 90c5cdd97c fix(admin): escape reflected filter param in report/msg templates [#139] (#271) 2026-06-23 17:59:00 +03:00
Ferywir 749a55aaf5 fix(admin): escape reflected request params in admin templates [#139] (#270) 2026-06-23 17:37:11 +03:00
Ferywir e17bb3dec6 fix(admin): verify CSRF token in maintenance admin Mods [#139] (#269) 2026-06-23 17:01:20 +03:00
Ferywir 886f421f50 fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268) 2026-06-23 16:12:54 +03:00
novgorodschi catalin c98bcf266b Set white font to view name
Set white font to view name
2026-06-23 14:45:38 +03:00
novgorodschi catalin 31b13873e8 Fix Server Settings in Admin Panel
Fix Server Settings in Admin Panel + fix New function in admin.php
2026-06-23 14:40:23 +03:00
novgorodschi catalin 8d492bebd3 Update some files & remove unused code
Update some files & remove unused code
2026-06-23 13:43:17 +03:00
Ferywir 6472b30bd2 fix(admin): verify CSRF token in message admin Mods [#139] (#264)
sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:49:32 +03:00
novgorodschi catalin 5f86fdcbf6 Merge branch 'master' of https://github.com/Shadowss/TravianZ 2026-06-23 11:13:05 +03:00
novgorodschi catalin a9be6204db Added TravianZ Logo
Added TravianZ Logo
2026-06-23 11:12:58 +03:00
Ferywir fb225b562f fix(admin): repair broken admin-log variables in medals Mod (#262)
The post-delete admin-log block referenced variables that were never defined
($admid/$adminID/$medalid/$uid), so on PHP 8.1+ (mysqli throws on error) the
malformed INSERT raised an uncaught mysqli_sql_exception → HTTP 500 after the
medal was already deleted. Use the correct ids ($admid from session, $uid from
POST), look up the target player's username (escaped), and redirect to the
sanitized $uid.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:12:04 +03:00
Ferywir 8a3a67d175 fix(admin): verify CSRF token in alliance/medal admin Mods [#139] (#261)
editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek
and deletemedalbyweek are POSTed to directly, bypassing admin.php's central
csrf_verify(). Add csrf_verify() (after the admin access check, via the shared
GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl,
editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:11:32 +03:00
Ferywir e4658f250f fix(admin): route alliance management pages [#139] (#260)
The alliance/editAli/delAli pages are linked all over the admin panel
(?p=alliance&aid=, ?p=editAli, ?p=delAli) but were never in
admin_validated_page()'s whitelist, so admin.php fell back to search.tpl and
the pages never showed. Add them to the whitelist plus switch cases for the
breadcrumb (the templates resolve $aid/$alidata themselves from $_GET, like
editSitter/editPassword).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 11:06:03 +03:00
Ferywir ca991408c1 fix(admin): verify CSRF token in village admin Mods [#139] (#259)
editVillageOwner, renameVillage, editBuildings and editResources are POSTed
to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify()
(after the admin access check, via the shared GameEngine/Admin/csrf.php) and
csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 10:31:08 +03:00
novgorodschi catalin 113e9029bd Fix ban view
Fix ban view
2026-06-23 10:30:16 +03:00
novgorodschi catalin b587e26591 Fix map view in Admin Panel
Fix map view in Admin Panel
2026-06-23 09:09:21 +03:00
Ferywir 8d1a1cab38 fix(admin): verify CSRF token in troop admin Mods [#139] (#258)
addTroops and addABTroops are POSTed to directly, bypassing admin.php's
central csrf_verify(). Add csrf_verify() (after the admin access check, via
the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 08:43:18 +03:00
Ferywir b880622fd1 fix(admin): route password/protection pages and align username validation (#257) 2026-06-23 06:55:13 +03:00
Ferywir e49069a9c6 fix(admin): verify CSRF token in player-management admin Mods [#139] (#256) 2026-06-23 06:54:03 +03:00
Ferywir 6888a09b5f fix(admin): let editPlus subtract Plus/bonus days as the form advertises (#254) 2026-06-22 18:41:28 +03:00
Ferywir 6e79c47951 fix(admin): verify CSRF token in Plus/Gold admin Mods [#139] (#253) 2026-06-22 18:40:43 +03:00
Ferywir 9d2d7699a9 fix(profile): neutralize stored XSS in profile descriptions [#250] (#252) 2026-06-22 16:31:20 +03:00