Extends the existing transition alias block to cover all module-specific config variables. This allows not-yet-modernized modules to keep using their legacy \$confX globals while the config files now return arrays instead of setting globals as side effects.
Core changes:
- Transition aliases (core/security.php):
Added 17 new module aliases to the existing block:
- \$confn / \$conffa / \$conff / \$confw / \$confal / \$confl (news, faq, files, whois, auto_links, links)
- \$confj / \$conffo / \$confh / \$confp / \$confso / \$confm (jokes, forum, help, pages, shop, media)
- \$confmo / \$confor / \$confco / \$confcn (money, order, contact, content)
- \$confma / \$conflog (sitemap, changelog)
- All set at global scope once at startup via \$conf['namespace'] ?? []
Benefits:
- 33 not-yet-modernized modules continue working without changes
- include('config/config_X.php') calls in old modules become harmless no-ops
- Single authoritative source: all values come from \$conf loaded by getConfig()
- Enables gradual per-module migration without big-bang changes
Technical notes:
- Aliases are temporary; remove after full migration to \$conf['namespace']
- content module uses \$confcn (not \$confn) to avoid collision with news
- Changelog and RSS admin modules set their alias locally (redundant, harmless)
Converts the entire config/ directory to the new unified architecture. Every data config file now returns ['namespace' => [...]] so getConfig() can safely merge them all into a single \$conf array without side effects.
Core changes:
- Legacy config files (config/config_*.php — 25 files):
- All converted from \$confX = array(...) assignments to return ['key' => [...]]
Dangerous files set to return null (getConfig() skips null values safely):
- config_global.php: was overwriting \$conf in getConfig() function scope
- config_header.php: was executing echo during config load
- config_comments.php, config_users.php, config_templ.php: superseded
- config_chmod.php, system.php: empty files
- Active config files (config/comments.php, users.php, fields.php, etc.):
- Converted to return ['namespace' => [...]] format
- Heredoc strings preserved where needed (filetype.php, config_contact.php, etc.)
- Integer values kept as integers (sitemap.auto_t = 86400, not '86400')
- New file: config/local.php
- Template for server-specific overrides (DB credentials, dev_mode, etc.)
- Contains _meta.base_fingerprint placeholder for fingerprint tracking
- Only file the system writes to at runtime
Benefits:
- Zero side effects when loading config files (no global assignments)
- getConfig() collects all configs in one pass via glob()
- local.php overrides applied safely via filterConfigMerge()
- Dangerous files neutralized (return null) instead of deleted
Technical notes:
- Namespace keys match the module names (news, forum, shop, etc.)
- Backward compat: transition aliases defined in core/security.php
- config_rewrite.php and config_rules.php left unchanged (executable code)
Replaces scattered per-module config loading with a single, centralized bootstrap system. All config files are now loaded once at startup into a unified \$conf array, eliminating duplicate includes and global variable pollution across modules.
Core changes:
- Config loader (core/system.php):
getConfig(): loads all config/*.php via glob(), merges into \$conf
- Skips local.php (overrides file); applies it separately via filterConfigMerge()
- Triggers fingerprint update when dev_mode=true and configs have changed
filterConfigMerge(): safe recursive merge — only existing keys, type-matched
- Prevents adding unknown keys or type mismatches from local.php
getConfigFingerprint(): SHA1 over basename+sha1_file for each default config
- Including filename in hash detects file additions and removals
- checkConfigFingerprint(): convenience wrapper for fingerprint comparison
setConfigFingerprint(): reads local.php as array, updates _meta.base_fingerprint
- Atomic write: file_put_contents(tmp) + rename(); unlinks tmp on failure
- var_export output converted to [...] syntax via post-processing regex
- chmod(0640) only on newly created files
Benefits:
- Single load point eliminates N redundant file includes per request
- Fingerprint mechanism enables safe dev-mode config tracking
- filterConfigMerge prevents accidental key injection from local.php
- Atomic write prevents corrupt local.php on server crash
Technical notes:
- config/local.php is the only writable runtime config file
- dev_mode=true enables auto-update of local.php fingerprint
- All config files must return ['namespace' => [...]] or null
- Backward compat: old \$confX globals set as aliases in core/security.php
Replace hardcoded Open Graph and Schema.org strings in the SEO settings panel with language constants across all 6 supported languages (ru, en, de, fr, pl, uk).
Core changes:
- Admin language files (admin/language/*.php):
Add _OGRAPH - Open Graph toggle label
- Identical in all languages (technical term)
Add _OGRAPHT - Open Graph template field label
- Translated per language
Add _SCHEMA - Schema.org toggle label
- Identical in all languages (technical term)
Add _SCHEMAT - Schema.org template field label
- Translated per language
Add _TPLVARS - Template variables reference with descriptions
- Format: <b>[var]</b> - Description (matches existing _TPINFO style)
- Each variable on its own line via <br>
- Fully translated descriptions per language
- Admin config module (admin/modules/config.php):
Replace 4 hardcoded strings with constants _OGRAPH, _OGRAPHT, _SCHEMA, _SCHEMAT
Replace hardcoded variable list with _TPLVARS in both OG and Schema.org template fields
Benefits:
- Admin panel now fully translatable for OG/Schema section
- Variable descriptions visible to admin with bold formatting
- Consistent style with existing _TPINFO constant pattern
- Zero hardcoded strings remaining in SEO config section
Technical notes:
- _TPLVARS uses HTML (<b>, <br>) consistent with _TPINFO
- HTML5 <br> used (not XHTML <br/>)
- Constants appended after _SEOCTITLE group in each language file
Addresses 6 distinct errors found in config/logs/error.txt (17.02.2026). All fixes eliminate PHP 8.x warnings without changing business logic.
Core changes:
- engines_word() (core/system.php):
Add null coalescing for missing query key in parse_url() result
- Fixes 116 log entries: Undefined key "query" + parse_str(null)
- Triggered by referer URLs without query string
- checkFileChmod() (core/system.php):
Create test file before chmod attempt, delete after test
- config/chmod.php is a temporary test file, must be created first
- Prevents chmod(): No such file or directory warning
- head() session cleanup (core/system.php):
Guard unlink(sess.txt) with file_exists() check
- Prevents unlink warning when file was never created
- create_dump() (core/system.php):
Add is_readable() check before md5_file()
- Skips files with permission denied (e.g. .htaccess)
- bb_decode() (core/system.php):
Cast $sourse to string with null fallback before preg_replace
- Prevents str_replace(null) deprecation notice
- $file initialization (index.php):
Replace undefined $file reference with ?: operator
- Fixes Undefined variable $file warning on line 39
Benefits:
- Error log reduced from 120+ entries to 0 for these error types
- No false warnings masking real errors in production log
- PHP 8.x deprecation notices eliminated
Add unused constants detection to PHPUnit, fix token analysis bug in security test, and remove standalone script replaced by the new test.
Core changes:
- Unused constants test (tests/LanguageValidationTest.php):
- Add testNoUnusedConstants() that dynamically discovers all ru.php files
- Scans entire codebase (core, admin, modules, blocks, templates, setup)
- Excludes language directories from search to avoid self-matches
- Reports file path and constant name for each unused definition
- Security test fix (tests/SecurityValidationTest.php):
- Fix testNoIncludesInsideFunctions() token analysis bug
T_WHITESPACE between T_FUNCTION and function name was resetting nextIsFuncName flag, causing all include/require detections to fail
- Skip whitespace and comment tokens in the flag reset condition
- Removed standalone script (tests/check_constants.php):
- Functionality fully covered by new PHPUnit testNoUnusedConstants()
- PHPUnit test is broader: checks all module language files automatically
Benefits:
- Automated detection of dead language constants in CI pipeline
- Security test now correctly identifies include/require inside functions
- Single test runner (PHPUnit) for all validation checks
Add missing SEO constants to non-Russian admin language files and remove unused constants detected by the new automated validation test.
Core changes:
- Added missing constants (admin/language/{en,de,fr,pl,uk}.php):
- _TSEP: Title separator for SEO URLs
- _SEOTITLE: Add title toggle label
- _SEOCTITLE: Add category title toggle label
- Removed unused _A_LINKS_LOGO (modules/auto_links/language/):
- Constant not referenced anywhere in application code
- Removed from all 6 language files (ru, en, de, fr, pl, uk)
- Removed unused _CSIZE (modules/clients/):
- Removed from admin/language/ (6 files) and language/ (6 files)
- Total: 12 files cleaned
- Removed unused _NEW_LINKS (modules/links/language/):
- Removed from all 6 language files
Benefits:
- All languages have complete set of admin SEO constants
- No dead constants cluttering language files
- Automated test now passes for constant usage validation
Fix config save function that double-encoded HTML in graph, schema, and mtemp fields through save_text() when admin editor was enabled.
Core changes:
- Config save function (admin/modules/config.php):
- Switch graph, schema, mtemp fields from 'text' to 'raw' type in getVar()
- Remove unnecessary preg_replace for <br> tag stripping
- Prevents save_text() from applying htmlspecialchars() to already-encoded HTML
- Global config (config/global.php):
- Update Schema.org context URLs from http to https
- Store raw quotes in graph/schema templates instead of HTML entities
- Alphabetical key reordering, add tsep separator setting
- Update slogan text
- Directory index (config/index.html):
- Update redirect URL from http://www.slaed.net to https://slaed.net
Benefits:
- Eliminates progressive corruption of template fields on each save
- Correct HTML output for OG meta tags and JSON-LD schema
- HTTPS everywhere for external URLs
Technical notes:
- Fields with 'raw' type bypass save_text() processing entirely
- Output in core/system.php uses str_replace() on raw values, no encoding needed
Align block management URLs with the standard module routing convention used across the admin panel (name=blocks&op=action&id=N).
Core changes:
- Block toggle function (admin/modules/blocks.php):
- Rename parameter 'bid' to 'id' for consistency with other modules
- Update SQL binding to match new parameter name
- Block listing URLs (core/admin.php):
Change action URLs from legacy format (op=blocks_change&bid=) to unified format (name=blocks&op=change&id=)
- Update edit and delete links to match new routing scheme
Benefits:
- Consistent URL scheme across all admin modules
- Eliminates legacy routing format for block management
Remove legacy blocks and plugins that depend on obsolete technologies (Flash SWF player, IPB forum integration) no longer supported by modern browsers.
Core changes:
- Removed blocks (blocks/):
- block-radio.php: Flash-based SWF radio player block
- block-ipb_center_forum.php: IPB forum integration block with raw SQL
- Removed radio plugin (plugins/radio/):
- mju.swf: Flash player binary
- playlist.mpl: Radio station playlist with dead stream URLs
- radio.html: Popup window for radio player
- index.html: Directory index redirect
Benefits:
- Reduces attack surface (raw SQL in IPB block, Flash vulnerabilities)
- Removes dead code depending on discontinued technologies
- Cleaner project structure without obsolete third-party integrations