Remove $aroute/$admin_file transition aliases from core/security.php; remove tpl_eval(), tpl_func(), tpl_warn() legacy eval-based functions from core/template.php; consolidate theme loading into system.php boot sequence, removing redundant setThemeInclude() calls from index.php.

Core changes:
- Deprecated aliases removed (core/security.php):
  - $aroute removed — was duplicate of $afile (conf['security']['afile'])
  - $admin_file removed — was duplicate of $afile; all callers use $afile
  - SQL injection fix in is_admin_god(): id → :id prepared statement
- Legacy eval functions removed (core/template.php):
  - tpl_eval() removed — used eval() internally; replaced by setTemplateBasic()
  - tpl_func() removed — used eval() with static cache; replaced by setTemplateBasic()
  - tpl_warn() removed — used eval(); replaced by setTemplateWarning()
  - All three functions had been deprecated since 6.3.0 planning phase
- Theme boot consolidation (index.php):
  - setThemeInclude() calls removed from $go1, $go2, admin-god branches
  - Theme/template loading now happens once in core/system.php boot sequence (getTheme() + template require_once added in previous system.php commit)
  - tpl_warn() call on line 97 replaced with setTemplateWarning()

Benefits:
- $aroute/$admin_file removal eliminates stale alias confusion
- tpl_eval/tpl_func/tpl_warn removal eliminates eval() security surface
- Single theme boot point prevents double-include on complex request paths

Technical notes:
- Any remaining tpl_eval/tpl_func/tpl_warn calls will now fatal — none exist
- setTemplateWarning() signature: (string $tpl, array $vars): string
- setThemeInclude() still exists but is no longer called from index.php

Remove deprecated getAdminInfo() and navi_gen() functions; add explicit typed parameters to all remaining functions that used func_get_args() or untyped variadic signatures, aligning core/admin.php with PHP 8.4 standards.

Core changes:
- Functions removed (core/admin.php):
  - getAdminInfo(): legacy info-page reader/editor — replaced by direct template rendering in individual admin modules that need it
  - navi_gen(...$arg): variadic wrapper around getAdminTabs() — all callers updated to call getAdminTabs() directly with explicit arguments
- func_get_args() removal — typed signatures added:
  - ajax_cat(): (string $modul, int $obj) replaces variadic
  - cat_order(): (): void — no parameters
  - catacess(): (string $name, string $class, string $selected, int $limit)
  - ajax_block(): (): string — no parameters
  - blocks_order(): (): void
  - fav_aliste(): (int $obj): string
  - fav_adel(): (): void
  - ajax_privat(): (int $obj): string
  - ajax_privat_del(): (): void

Benefits:
- getAdminInfo() removal eliminates file_put_contents without path validation
- All admin core functions now have explicit PHP 8.4 type declarations
- navi_gen() removal removes one variadic wrapper layer

Technical notes:
- Callers of navi_gen() updated to use getAdminTabs() directly
- getAdminInfo() callers updated to inline equivalent logic
- No behavioral change — only signature and wrapper-layer simplification

Remove all func_get_args() calls and replace every raw $_GET/$_POST access with getVar() in core/user.php, completing input-validation guardrail coverage for all user-facing core functions.

Core changes:
- func_get_args() removal (core/user.php):
  - setComShow(): explicit typed parameters replace variadic signature
  - prmess(): typed parameters (int $id, string $mod, int $pg)
  - favorliste(): typed parameters (string $mod, int $id, int $pg)
- Superglobals → getVar() (core/user.php):
  - savecom(): $_POST fields (name, email, text, etc.) → getVar()
  - editpost(): $_POST content fields → getVar()
  - prmesssend(), prmesssave(), prmessdel(): message POST fields → getVar()
  - favoradd(), favordel(): GET/POST id and mod params → getVar()
  - rss_channel(): name, cat, num, id → getVar() with POST-over-GET fallback
  - stat switch block: $_GET['stat'] and $_GET['img'] → getVar()

Benefits:
- All superglobal access in core/user.php eliminated (getVar guardrail)
- func_get_args() fully removed — PHP 8.4 typed parameters throughout
- Consistent validation: POST-over-GET fallback pattern matches core/system.php

Technical notes:
- getVar() returns false for empty values; code updated with ?: fallback
- rss_channel(): getVar('post',...) ?: getVar('get',...) pattern throughout
- No $_FILES access in user.php — only form data replaced
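The POST-over-GET chain and the `?:` fallback from the technical notes above, as an added example that is not SLAED's own code: `readVar()` and `readReq()` are hypothetical stand-ins for getVar(), and the type names 'num', 'text' and 'raw' are assumed to mean what the commit messages imply.

```php
<?php
// Added example, not SLAED's getVar(): a hypothetical typed reader that follows the
// same contract the commit relies on (false for empty values) and the POST-over-GET chain.
declare(strict_types=1);

/** Read $key from one request array, coerced to $type; $default when absent or empty. */
function readVar(array $source, string $key, string $type, mixed $default = false): mixed
{
    if (!isset($source[$key]) || $source[$key] === '' || is_array($source[$key])) {
        return $default;                          // missing, empty string, or unexpected array
    }
    $raw = (string) $source[$key];
    return match ($type) {
        'num'   => ctype_digit($raw) ? (int) $raw : $default,                // digits only
        'text'  => htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8'),   // escaped for HTML
        'raw'   => $raw,                                                      // caller sanitises
        default => throw new InvalidArgumentException("unknown type $type"),
    };
}

/** The rss_channel() pattern: POST is consulted first, then GET, then the default. */
function readReq(array $post, array $get, string $key, string $type, mixed $default = false): mixed
{
    return readVar($post, $key, $type) ?: readVar($get, $key, $type) ?: $default;
}

// Constructed request arrays standing in for $_POST and $_GET.
$post = ['num' => '25', 'name' => '<b>feed</b>', 'id' => '0'];
$get  = ['num' => '10', 'cat' => '7', 'id' => '42'];

var_dump(readReq($post, $get, 'num', 'num', 20));    // present in both: POST wins
var_dump(readReq($post, $get, 'cat', 'num', 0));     // only GET carries it
var_dump(readReq($post, $get, 'name', 'text', ''));  // tags stripped, entities escaped
var_dump(readReq($post, $get, 'zzz', 'text', ''));   // in neither: default is used

// Caveat of the ?: idiom: a legitimate POST value of 0 is falsy, so the chain falls
// through to GET instead of keeping it. Use ?? or an explicit isset() check wherever
// 0 (or "0") must be distinguishable from "not supplied".
var_dump(readReq($post, $get, 'id', 'num', 0));
```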

Eliminate all func_get_args() usage and replace every raw $_GET/$_POST/$_REQUEST access with getVar(); add filterMarkdown() Markdown parser and bb_decode() as a unified text-processing orchestrator; harden SQL with prepared statements.

Core changes:
- func_get_args() removal (core/system.php):
  - getcat(), catlink(), catids(), catmids() — explicit typed parameters
    - catlink($id, $mod, $cat) replaces variadic signature
  - getVoting(), num_ajax(), ad_save(), rss_select(), addBackupDb()
  - setPageNumbers(), preview(), get_user_search(), url_types()
  - addmail(), textarea(), cat_modul(), ashowcom(), numcom(), update_points()
- Superglobals → getVar() (core/system.php):
  - goto_url(): $_REQUEST → isset($_GET[..]) || isset($_POST[..]) (presence-only)
  - getThemeFile(): $_GET['cat'] → getVar('get', 'cat', 'num', 0)
  - save_datetime(): dynamic key → getVar('post'/$name, 'raw', '')
  - add_kasse() / del_kasse(): $_GET['id'] → getVar('get', 'id', 'num', 0)
  - show_files(): 4 superglobals → getVar() with appropriate types
  - fields_in(): $_POST['field'] → getVar('post', 'field', 'raw', '')
  - get_user(): $_GET['term'] → getVar('get', 'term', 'text', '')
  - ajax_rating(): 5 superglobals (id, typ, mod, rate, stl) → getVar()
  - upload(): $_POST['token'], $_POST['sitefile'] → getVar(); $_FILES unchanged
  - editcom() / closecom() / avoting_save(): redundant isset() → getVar()
    - avoting_save(): $_POST['questions'] (array) handled with isset+is_array guard
- SQL prepared statements (core/system.php):
  - setCategories(): $mod/$locale/$id → named placeholders :mod/:loc/:pid
    - catid IN clause now uses dynamic :c0/:c1/... placeholders
- New functions added (core/system.php):
  - filterMarkdown(string $src, bool $safe, string $mod): string
    - Safe Markdown→HTML parser; $safe=true blocks dangerous constructs
  - bb_decode(): updated to delegate inline processing to filterMarkdown()
  - setRedirect(string $url, bool $refer, int $code): never
    - Auto-upgrades 302→303 on POST; replaces inline header()+exit patterns
- Theme boot sequence moved to system.php:
  - getTheme() + template require_once added to core boot (removed from callers)
- Deprecated functions removed:
  - checkConfigFingerprint() — unused after fingerprint refactor
  - isCompare(), isDate() — unused legacy helpers

Benefits:
- All superglobal access in core/system.php eliminated (getVar guardrail)
- func_get_args() fully removed — PHP 8.4 typed parameters throughout
- SQL injection prevented in setCategories() and catid IN clause
- filterMarkdown() and bb_decode() provide unified safe text pipeline

Technical notes:
- $_FILES not replaced — getVar() has no file-upload equivalent
- $_POST['questions'] (array) remains direct access with is_array() guard
- setRedirect() auto-detects POST → sends 303 instead of 302
- filterMarkdown($src, $safe, $mod): $mod reserved for future bb/md/mixed modes
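The dynamic :c0/:c1/... placeholder technique the commit describes for the catid IN clause, as an added example that is not SLAED's setCategories(): the `items` table, its columns and the `fetchByCatIds()` function are constructed for this illustration and run against an in-memory SQLite database.

```php
<?php
// Added example, not SLAED's setCategories(): a prepared IN (...) clause whose placeholders
// are generated per id, so the id list never becomes part of the SQL text.
declare(strict_types=1);

/**
 * Fetch rows of the constructed `items` table whose catid is in $catids for one module,
 * using only named placeholders. Returns [] for an empty list instead of emitting "IN ()".
 */
function fetchByCatIds(PDO $db, string $modul, array $catids): array
{
    // Coerce first: the prepared statement protects the SQL, but the application
    // still decides what a valid id looks like (here: a non-negative integer).
    $ids = array_values(array_unique(array_map('intval', $catids)));
    if ($ids === []) {
        return [];
    }
    $params = ['modul' => $modul];
    $marks  = [];
    foreach ($ids as $i => $id) {
        $marks[]          = ':c' . $i;           // :c0, :c1, ...
        $params['c' . $i] = $id;
    }
    $sql  = 'SELECT id, catid, title FROM items WHERE modul = :modul AND catid IN ('
          . implode(', ', $marks) . ') ORDER BY id';
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue(':' . $name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture standing in for the CMS tables.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, modul TEXT, catid INTEGER, title TEXT)');
$ins = $db->prepare('INSERT INTO items (modul, catid, title) VALUES (:modul, :catid, :title)');
foreach ([['news', 1, 'a'], ['news', 2, 'b'], ['news', 3, 'c'], ['forum', 2, 'd']] as [$m, $c, $t]) {
    $ins->execute(['modul' => $m, 'catid' => $c, 'title' => $t]);
}

// Ids arrive as request strings; junk such as '3abc' is reduced to 3 by intval and bound
// as an integer. Duplicates collapse to one placeholder. The forum row is never matched.
print_r(fetchByCatIds($db, 'news', ['1', '3abc', 1]));
print_r(fetchByCatIds($db, 'news', []));
```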

Replace all legacy tpl_eval()/tpl_func() interpolation in HTML templates with named {%key%} placeholders and setTemplateBasic() callers.

Stage 1: quote, code, hide, spoiler (core/system.php BB-code functions)
Stage 2: pagenum, preview, cat-navi, list-bottom, title (core/system.php, core/admin.php, modules/account, jokes)
Stage 3: forum-* templates (modules/forum/index.php, 16 HTML files)
Stage 4: voting-open/close/post/view, kasse-open/basic/close (core/system.php), assoc-open/basic/close (modules/media/index.php)

Themes updated: lite, default, admin (where applicable).
Remaining: tpl_warn('warn',...) calls, comment/basic/liste templates (Stage 5).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
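The {%key%} placeholder substitution that replaces the eval()-based tpl_eval()/tpl_func()/tpl_warn() helpers (this commit and the core/template.php removal above), as an added example that is not SLAED's setTemplateBasic() or setTemplateWarning(): `renderBasic()`, its `$rawKeys` parameter and the escaping policy are assumptions of this illustration.

```php
<?php
// Added example, not SLAED's setTemplateBasic(): rendering a template with named {%key%}
// placeholders by string substitution, so template text is never handed to eval().
declare(strict_types=1);

/**
 * Replace every {%key%} in $tpl with the matching entry of $vars. Values are HTML-escaped
 * unless the key is listed in $rawKeys (for fragments already rendered by the engine).
 * Unknown placeholders are left visible so a missing variable is noticed, not silently blank.
 */
function renderBasic(string $tpl, array $vars, array $rawKeys = []): string
{
    return preg_replace_callback(
        '/\{%([a-z0-9_]+)%\}/i',
        static function (array $m) use ($vars, $rawKeys): string {
            $key = $m[1];
            if (!array_key_exists($key, $vars)) {
                return $m[0];                                 // leave "{%key%}" in place
            }
            $val = (string) $vars[$key];
            return in_array($key, $rawKeys, true)
                ? $val
                : htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $tpl
    );
}

// Constructed template fragment and values; `text` stands for user-submitted content.
$tpl  = '<div class="warn {%class%}"><b>{%title%}</b>: {%text%} {%missing%}</div>';
$vars = [
    'class' => 'err',
    'title' => 'Login',
    'text'  => '<script>alert(1)</script> & "quotes"',
];
echo renderBasic($tpl, $vars), PHP_EOL;
// The user-supplied text reaches the output as inert escaped characters, {%missing%} stays
// visible for the template author, and no placeholder value can be executed as PHP.
```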

Two new design documents capturing the planned Markdown parser and the architectural decisions for integrating it with bb_decode().

Core changes:
- Design spec (docs/PARSE.md):
  - Full self-contained implementation of filterMarkdown(string $src, bool $safe)
  - Anonymous class with 15 private methods (filterBlocks, filterInlines, etc.)
  - Covers: ATX/Setext headings, blockquotes, lists, GFM tables, fenced/indented code, inline code, bold/italic/strike/highlight, links, images, auto-links
  - Safe mode: filterText() + filterUrl() for XSS prevention
  - Stash-salt mechanism for token collision prevention
  - All method and variable names comply with SLAED §5 naming conventions
- Architecture discussion (docs/DISCUS.md):
  - Records session decisions on unified bb_decode/filterMarkdown pipeline
  - Three-stage pipeline: server-side BB tags → filterMarkdown() → stash restore
  - Three modes: bb (legacy), md (markdown), mixed (both)
  - Five pre-implementation decisions documented and agreed

Benefits:
- Preserved design rationale for future contributors
- Clear migration path from legacy bb_decode() to unified parser
- All XSS concerns, mode semantics, and stash protocols specified

Technical notes:
- filterMarkdown() is a pure function: no DB, no config, no side-effects
- bb_decode() remains the orchestrator; [attach]/[usephp] stay outside parser

Replace bare setHead() call in view() with full SEO metadata block, and add is_view flag to setTemplateBasic() for h1/h3 template switching. Requires one additional DB query to fetch title/category/author for the top-level ticket (pid=0) before the main result loop.

Core changes:
- SEO metadata — view() (modules/help/index.php):
  - Additional SQL query fetches: title, hometext, time, c.title, u.user_name
  - setHead() now receives:
    - title: ticket title, ctitle: category title
    - desc: bb_decode + strip_tags + cutstr(160)
    - img: first image from hometext via getImgText()
    - time: ticket timestamp, author: user_name or sitename fallback
- Template flag (modules/help/index.php):
  - setTemplateBasic() call extended with if_flag => ['is_view' => !$pid]
    - is_view=true for top-level ticket (pid=0) → renders <h1> in template
    - is_view=false for replies → renders <h3> as before

Benefits:
- Unique per-ticket <title> and og:* meta for SEO
- Semantic <h1> on ticket detail page via template flag
- No behavior change for listing or reply rendering

Technical notes:
- Extra query runs once per view() call, not per row
- Backward compatibility: full — no DB schema or template engine changes

Replace raw superglobal access with getVar(), add full SEO metadata to view() via setHead(), and fix a raw SQL concatenation in status query. No behavioral changes to listing or form logic.

Core changes:
- Input handling (modules/forum/index.php):
  - $_GET['num'] -> getVar('req', 'num', 'num') in forum() and view()
  - $_GET['id'] -> getVar('req', 'id', 'num') in view()
  - $_GET['word'] -> text_filter(getVar('req', 'word', 'text')) in view()
  - $b initialized as int 0 instead of string ''
- SEO metadata — view() (modules/forum/index.php):
  - setHead() now receives full structured data:
    - title: topic title, ctitle: category title
    - desc: bb_decode + strip_tags + cutstr(160)
    - img: first image from hometext via getImgText()
    - time: topic timestamp, author: user_name or sitename fallback
- SQL security (modules/forum/index.php):
  - Status query in view() replaced raw $id concat with named param :id
    - 'WHERE id = :id' with ['id' => $id]

Benefits:
- XSS-safe input handling via getVar() type enforcement
- Unique per-topic <title> and og:* meta for SEO
- SQL injection eliminated in status fetch query

Technical notes:
- Backward compatibility: full — no template or DB schema changes

template.php was loaded inside setThemeInclude() (called per-request during theme setup), which meant template helpers were unavailable during early bootstrap before theme selection. Moving the require_once to the top-level boot block ensures template functions are available as soon as core/system.php is loaded.

Core changes:
- Boot sequence (core/system.php):
  - Added require_once BASE_DIR.'/core/template.php' after security.php/legacy.php
    - Removed duplicate require_once from setThemeInclude()
- Trailing newline (core/legacy.php):
  - Added missing EOF newline

Benefits:
- Template helpers available earlier in request lifecycle
- Eliminates hidden dependency on setThemeInclude() call order
- Consistent require_once placement with other core files

Technical notes:
- No behavior change for standard request flow
- Backward compatibility: full

Rename all non-compliant local variables to lowercase-no-underscore format per refactoring-standards.md §5, and expand $lctx closure to add cookie/session key truncation with explicit truncation flags.

Core changes:
- $lctx closure (core/security.php):
  - Expanded with per-key truncation: $ck, $cktr, $sk, $sktr, $ctx
    - Limits cookie/session key arrays to 50 entries
    - Adds cookie_keys_truncated / session_keys_truncated flags when cut
  - Renamed: query/post use $q/$p; empty arrays become stdClass for JSON
- HTTP error handler (core/security.php):
  - $http_msg -> $httpmsg
- error_reporting_log() parameters and locals (core/security.php):
  - $error_num -> $errno, $error_var -> $errmsg
  - $error_file -> $errfile, $error_line -> $errline
  - $level_map -> $levelmap, $php_err -> $phperr
- error_sql_log() locals (core/security.php):
  - $sql_orig -> $sqlorig, $sql_bytes -> $sqlbytes
  - $sql_hash -> $sqlhash, $sql_safe -> $sqlsafe

Benefits:
- Consistent naming across entire security layer
- No behavior change — pure rename refactor

Technical notes:
- All renamed variables are local scope only; no public API change
- Backward compatibility: full
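The bounded log context described for the $lctx closure (50-entry cap on cookie/session key lists, explicit *_truncated flags, stdClass for empty maps), as an added example that is not SLAED's core/security.php: the function names, the `LOG_KEY_LIMIT` constant and the choice to log POST keys but redact their values are assumptions of this illustration.

```php
<?php
// Added example, not SLAED's $lctx closure: building a bounded log context from request
// data, with explicit truncation flags and stdClass so empty maps encode as {} not [].
declare(strict_types=1);

const LOG_KEY_LIMIT = 50;   // assumed cap, matching the 50-entry limit in the commit

/** Return at most $limit key names from $keys plus whether anything was dropped. */
function truncateKeys(array $keys, int $limit): array
{
    $names = array_map('strval', array_keys($keys));   // key names only, never values
    return [array_slice($names, 0, $limit), count($names) > $limit];
}

/** Empty PHP arrays encode as []; consumers that expect a JSON object want {}. */
function asJsonObject(array $map): array|stdClass
{
    return $map === [] ? new stdClass() : $map;
}

/** Build the per-request log context from already captured request arrays. */
function buildLogContext(array $cookies, array $session, array $query, array $post): array
{
    [$ck, $cktr] = truncateKeys($cookies, LOG_KEY_LIMIT);
    [$sk, $sktr] = truncateKeys($session, LOG_KEY_LIMIT);
    $ctx = [
        'q'            => asJsonObject($query),
        // POST bodies carry credentials and tokens: keep the field names, drop the values.
        'p'            => asJsonObject(array_fill_keys(array_keys($post), '[redacted]')),
        'cookie_keys'  => $ck,
        'session_keys' => $sk,
    ];
    // Flags are added only when something was cut, so their presence is itself a signal.
    if ($cktr) { $ctx['cookie_keys_truncated']  = true; }
    if ($sktr) { $ctx['session_keys_truncated'] = true; }
    return $ctx;
}

// Constructed request: 60 cookies (over the cap), one session key, empty query, one POST field.
$cookies = array_fill_keys(array_map(fn ($i) => "c$i", range(1, 60)), 'x');
$ctx = buildLogContext($cookies, ['uid' => 7], [], ['password' => 'hunter2']);
echo json_encode($ctx, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT), PHP_EOL;
```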