[prep-release-3.3.8] Add migration for 3.3.8

[ticket/16987] Update composer dependencies to latest versions

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,7 +2,7 @@ Checklist:
 
 - [ ] Correct branch: master for new features; 3.3.x for fixes
 - [ ] Tests pass
-- [ ] Code follows coding guidelines: [master](https://area51.phpbb.com/docs/dev/master/development/coding_guidelines.html) and [3.3.x](https://area51.phpbb.com/docs/dev/3.3.x/development/coding_guidelines.html)
+- [ ] Code follows coding guidelines: [master](https://area51.phpbb.com/docs/master/coding-guidelines.html) and [3.3.x](https://area51.phpbb.com/docs/dev/3.3.x/development/coding_guidelines.html)
 - [ ] Commit follows commit message [format](https://area51.phpbb.com/docs/dev/3.3.x/development/git.html)
 
 Tracker ticket (set the ticket ID to **your ticket ID**):

.github/workflows/tests.yml

@@ -126,6 +126,8 @@ jobs:
                       db: "mysql:5.7"
                     - php: '8.1'
                       db: "mysql:5.7"
+                    - php: '8.2'
+                      db: "mysql:5.7"
 
         name: PHP ${{ matrix.php }} - ${{ matrix.db_alias != '' && matrix.db_alias || matrix.db }}
 
@@ -253,6 +255,10 @@ jobs:
                       db: "postgres:12"
                     - php: '8.0'
                       db: "postgres:13"
+                    - php: '8.1'
+                      db: "postgres:14"
+                    - php: '8.2'
+                      db: "postgres:14"
 
         name: PHP ${{ matrix.php }} - ${{ matrix.db }}
 
@@ -442,18 +448,36 @@ jobs:
 
     # Test with IIS & PostgreSQL on Windows
     windows-tests:
-        runs-on: windows-2016
+        runs-on: windows-latest
         strategy:
             matrix:
                 include:
                     - php: '7.4'
                       db: "postgres"
+                      type: 'unit'
                     - php: '8.0'
                       db: "postgres"
+                      type: 'unit'
                     - php: '8.1'
                       db: "postgres"
+                      type: 'unit'
+                    - php: '8.2'
+                      db: "postgres"
+                      type: 'unit'
+                    - php: '7.4'
+                      db: "postgres"
+                      type: 'functional'
+                    - php: '8.0'
+                      db: "postgres"
+                      type: 'functional'
+                    - php: '8.1'
+                      db: "postgres"
+                      type: 'functional'
+                    - php: '8.2'
+                      db: "postgres"
+                      type: 'functional'
 
-        name: Windows - PHP ${{ matrix.php }} - ${{ matrix.db }}
+        name: Windows - PHP ${{ matrix.php }} - ${{ matrix.db }} - ${{ matrix.type }}
 
         steps:
             - name: Prepare git for Windows
@@ -530,17 +554,27 @@ jobs:
               run: |
                   $postgreSqlSvc = Get-Service "postgresql*"
                   Set-Service $postgreSqlSvc.Name -StartupType manual
-                  $postgreSqlSvc.Start()
+                  $runningStatus = [System.ServiceProcess.ServiceControllerStatus]::Running
+                  $maxStartTimeout = New-TimeSpan -Seconds 30
                   try {
-                    (Get-Service "postgresql*").Start()
+                    $postgreSqlSvc.Start()
+                    $postgreSqlSvc.WaitForStatus($runningStatus, $maxStartTimeout)
                   } catch  {
                     $_ | select *
                   }
                   [System.Environment]::SetEnvironmentVariable('PATH',$Env:PATH+";${env:PGBIN}")
                   $env:PGPASSWORD = 'root'
+                  psql -c 'ALTER SYSTEM SET hot_standby = on;' -U postgres
+                  psql -c 'ALTER SYSTEM SET wal_level = minimal;' -U postgres
                   psql -c 'DROP DATABASE IF EXISTS phpbb_tests;' -U postgres
                   psql -c 'create database phpbb_tests;' -U postgres
-                  Add-MpPreference -ExclusionPath "${env:PGDATA}" # Exclude PGDATA directory from Windows Defender
+                  Set-MpPreference -ExclusionPath "${env:PGDATA}" # Exclude PGDATA directory from Windows Defender
+                  Set-MpPreference -DisableRealtimeMonitoring $true
             - name: Run unit tests
+              if: ${{ matrix.type == 'unit' }}
               run: |
-                  phpBB/vendor/bin/phpunit --configuration .github/phpunit-psql-windows-github.xml --verbose --stop-on-error
+                  phpBB/vendor/bin/phpunit --configuration .github/phpunit-psql-windows-github.xml --verbose --stop-on-error --exclude-group functional
+            - name: Run unit tests
+              if: ${{ matrix.type == 'functional' }}
+              run: |
+                  phpBB/vendor/bin/phpunit --configuration .github/phpunit-psql-windows-github.xml --verbose --stop-on-error --group functional

.gitignore

@@ -1,33 +1,54 @@
-*~
-/phpunit.xml
+# Excludes cache
 /phpBB/cache/*
 !/phpBB/cache/.htaccess
 !/phpBB/cache/index.html
-/phpBB/composer.phar
+
+# Excludes user data
 /phpBB/config*.php*
 /phpBB/ext/*
 /phpBB/files/*
 /phpBB/images/avatars/gallery/*
 /phpBB/images/avatars/upload/*
 /phpBB/images/ranks/*
-/phpBB/install/schemas/schema.json
+/phpBB/store/*
+
+# Excludes all custom langages
 /phpBB/language/*
 !/phpBB/language/en
-/phpBB/store/*
+
+# Excludes all custom styles
 /phpBB/styles/*
 !/phpBB/styles/prosilver
 /phpBB/styles/prosilver/theme/*/
 !/phpBB/styles/prosilver/theme/en
 !/phpBB/styles/prosilver/theme/images
 !/phpBB/styles/all
-node_modules
+
+# Excludes all custom env
+/phpBB/config/*
+!/phpBB/config/default
+!/phpBB/config/development
+!/phpBB/config/installer
+!/phpBB/config/production
+!/phpBB/config/test
+!/phpBB/config/.htaccess
+
+# Excludes vendors
 /phpBB/vendor
+
+# Excludes test / dev files
+/phpunit.xml
+/phpBB/composer.phar
 /tests/phpbb_unit_tests.sqlite*
 /tests/test_config*.php
 /tests/tmp/*
 /tests/vendor
 /vagrant/phpbb-install-config.yml
 .vagrant
+node_modules
+
+# Excludes IDE / editors files
+*~
 .idea
 *.DS_Store*
 /.vscode

README.md

@@ -35,9 +35,9 @@ phpBB's [Development Documentation](https://area51.phpbb.com/docs/dev/index.html
 
 ## 🔬 Automated Testing
 
-We have unit and functional tests in order to prevent regressions. You can view the bamboo continuous integration [here](https://bamboo.phpbb.com) or check our travis builds below:
+We have unit and functional tests in order to prevent regressions. You can view the bamboo continuous integration [here](https://bamboo.phpbb.com) or check our GitHub Actions below:
 
-Branch  | Description | Github Actions |
+Branch  | Description | GitHub Actions |
 ------- | ----------- | -------------- |
 **master** | Latest development version | ![Tests](https://github.com/phpbb/phpbb/workflows/Tests/badge.svg?branch=master) |
 **3.3.x** | Development of version 3.3.x | ![Tests](https://github.com/phpbb/phpbb/workflows/Tests/badge.svg?branch=3.3.x) |

build/build.xml

@@ -2,9 +2,9 @@
 
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 	<!-- a few settings for the build -->
-	<property name="newversion" value="3.3.5" />
-	<property name="prevversion" value="3.3.4" />
-	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.5-RC1" />
+	<property name="newversion" value="3.3.8" />
+	<property name="prevversion" value="3.3.7" />
+	<property name="olderversions" value="3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.7-pl1, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8-RC1" />
 	<!-- no configuration should be needed beyond this point -->
 
 	<property name="oldversions" value="${olderversions}, ${prevversion}" />

build/generate_package_json.php

@@ -84,7 +84,7 @@ foreach ($older_verions as $version)
 		'phpBB ' . $version . ' to ' . $current_version . ' Update Package',
 		'phpBB-' . $version . '_to_' . $current_version,
 		'update',
-		'update',
+		'advanced_update',
 		$version
 	);
 }

git-tools/hooks/prepare-commit-msg

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # A hook to add [$branch] to the beginning of a commit message
 # if certain conditions are met.
@@ -31,12 +31,19 @@ branch="$(echo "$branch" | sed "s/refs\/heads\///g")"
 if [ "$2" = "" ]
 then
 	tail="";
+	ticket_id=$(sed -E 's/(ticket\/)(security\/)?([0-9]+)(.+$)?/\3/gm;t;d' <<< "$branch");
+	branch_title=$(sed -E 's/(ticket\/)(security\/)?([0-9]+)(.+$)?/\1\2\3/gm;t;d' <<< "$branch");
 
-	# Branch is prefixed with 'ticket/', append ticket ID to message
-	if [ "$branch" != "${branch##ticket/}" ];
+	if [ "security/" = "$(sed -E 's/(ticket\/)(security\/)?([0-9]+)(.+$)?/\2/gm;t;d' <<< "$branch")" ];
 	then
-		tail="$(printf "\n\nPHPBB3-${branch##ticket/}")";
+		tail="$(printf '\n\nSECURITY-%s' "$ticket_id")";
+	else
+		# Branch is prefixed with 'ticket/', append ticket ID to message
+		if [ "$branch" != "${branch##ticket/}" ];
+		then
+			tail="$(printf '\n\nPHPBB3-%s' "$ticket_id")";
+		fi
 	fi
 
-	echo "[$branch] $tail$(cat "$1")" > "$1"
+	echo "[$branch_title] $tail$(cat "$1")" > "$1"
 fi

phpBB/adm/style/acp_attachments.html

@@ -29,7 +29,7 @@
 
 	<!-- BEGIN upload -->
 		:: {upload.FILE_INFO}<br />
-		<!-- IF upload.S_DENIED --><span class="error">{upload.DENIED}</span><!-- ELSEIF upload.ERROR_MSG --><span class="error">{upload.ERROR_MSG}</span><!-- ELSE --><span class="success">{L_SUCCESSFULLY_UPLOADED}</span><!-- ENDIF -->
+		<!-- IF upload.S_DENIED --><span class="error">{upload.L_DENIED}</span><!-- ELSEIF upload.ERROR_MSG --><span class="error">{upload.ERROR_MSG}</span><!-- ELSE --><span class="success">{L_SUCCESSFULLY_UPLOADED}</span><!-- ENDIF -->
 		<br /><br />
 	<!-- END upload -->
 

phpBB/adm/style/acp_icons.html

@@ -105,7 +105,7 @@
 	<!-- BEGIN items -->
 		<tr>
 
-		<td style="text-align: center;"><img src="{items.IMG_SRC}" alt="{items.TEXT_ALT}" title="{items.TEXT_ALT}" /><input type="hidden" name="image[{items.IMG}]" value="1" /></td>
+		<td style="text-align: center;"><img src="{items.IMG_SRC}" alt="{items.TEXT_ALT}" title="{items.TEXT_ALT}" style="max-width: 160px;"><input type="hidden" name="image[{items.IMG}]" value="1" /></td>
 		<td style="vertical-align: top;">[{items.IMG}]</td>
 		<!-- IF S_SMILIES -->
 			<td><input class="text post" type="text" name="code[{items.IMG}]" value="{items.CODE}" size="10" maxlength="50" /></td>

phpBB/adm/style/acp_main.html

@@ -140,7 +140,6 @@
 						<td class="tabled"><strong>{{ PHP_VERSION_INFO }}</strong></td>
 					</tr>
 					<tr>
-					{% if S_TOTAL_ORPHAN %}
 						<td class="tabled">{{ lang('NUMBER_ORPHAN') ~ lang('COLON') }}</td>
 						<td class="tabled">
 						{% if TOTAL_ORPHAN > 0 %}
@@ -149,8 +148,6 @@
 							<strong>{{ TOTAL_ORPHAN }}</strong>
 						{% endif %}
 						</td>
-						{% else %}
-					{% endif %}
 					</tr>
 					{% if S_VERSIONCHECK %}
 					<tr>
@@ -204,10 +201,12 @@
 						<td class="tabled">{{ lang('FILES_PER_DAY') ~ lang('COLON') }}</td>
 						<td class="tabled"><strong>{{ FILES_PER_DAY }}</strong></td>
 					</tr>
+					{% if S_VERSIONCHECK %}
 					<tr>
 						<td class="tabled">&nbsp;</td>
 						<td class="tabled">&nbsp;</td>
 					</tr>
+					{% endif %}
 				</tbody>
 			</table>
 		</div>

phpBB/adm/style/acp_ranks.html

@@ -85,7 +85,7 @@
 	<!-- BEGIN ranks -->
 	<tr>
 		<!-- EVENT acp_ranks_list_column_before -->
-		<td style="text-align: center;"><!-- IF ranks.S_RANK_IMAGE --><img src="{ranks.RANK_IMAGE}" alt="{ranks.RANK_TITLE}" title="{ranks.RANK_TITLE}" /><!-- ELSE -->&nbsp; - &nbsp;<!-- ENDIF --></td>
+		<td style="text-align: center;"><!-- IF ranks.S_RANK_IMAGE --><img src="{ranks.RANK_IMAGE}" alt="{ranks.RANK_TITLE}" title="{ranks.RANK_TITLE}" style="max-width: 160px;"><!-- ELSE -->&nbsp; - &nbsp;<!-- ENDIF --></td>
 		<td style="text-align: center;">{ranks.RANK_TITLE}</td>
 		<td style="text-align: center;"><!-- IF ranks.S_SPECIAL_RANK -->&nbsp; - &nbsp;<!-- ELSE -->{ranks.MIN_POSTS}<!-- ENDIF --></td>
 		<!-- EVENT acp_ranks_list_column_after -->

phpBB/common.php

@@ -96,6 +96,8 @@ include($phpbb_root_path . 'includes/functions_compatibility.' . $phpEx);
 require($phpbb_root_path . 'includes/constants.' . $phpEx);
 require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx);
 
+// Registered before building the container so the development environment stay capable of intercepting
+// the container builder exceptions.
 if (PHPBB_ENVIRONMENT === 'development')
 {
 	\phpbb\debug\debug::enable();
@@ -129,6 +131,11 @@ catch (InvalidArgumentException $e)
 	}
 }
 
+if ($phpbb_container->getParameter('debug.error_handler'))
+{
+	\phpbb\debug\debug::enable();
+}
+
 $phpbb_class_loader->set_cache($phpbb_container->get('cache.driver'));
 $phpbb_class_loader_ext->set_cache($phpbb_container->get('cache.driver'));
 

phpBB/config/default/container/services.yml

@@ -40,6 +40,7 @@ services:
              - '@cache.driver'
              - '@config'
              - '@dbal.conn'
+             - '@dispatcher'
              - '%core.root_path%'
              - '%core.php_ext%'
 

phpBB/config/default/container/services_cron.yml

@@ -6,6 +6,7 @@ services:
             - '@routing.helper'
             - '%core.root_path%'
             - '%core.php_ext%'
+            - '@template'
 
     cron.lock_db:
         class: phpbb\lock\db

phpBB/config/development/config.yml

@@ -11,6 +11,7 @@ core:
         sql_explain: true
         memory: true
         show_errors: true
+        error_handler: true
 
     twig:
         debug: true

phpBB/develop/export_events_for_bbcode.php

@@ -0,0 +1,126 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+if (php_sapi_name() != 'cli')
+{
+	die("This program must be run from the command line.\n");
+}
+
+$phpEx = substr(strrchr(__FILE__, '.'), 1);
+$phpbb_root_path = __DIR__ . '/../';
+define('IN_PHPBB', true);
+
+function usage()
+{
+	echo "Usage: export_events_for_bbcode.php COMMAND [VERSION] [EXTENSION]\n";
+	echo "\n";
+	echo "COMMAND:\n";
+	echo "    diff:\n";
+	echo "        Generate the Event Diff for the release highlights\n";
+	echo "\n";
+	echo "    php:\n";
+	echo "        Generate the PHP event section of Event_List\n";
+	echo "\n";
+	echo "    adm:\n";
+	echo "        Generate the ACP Template event section of Event_List\n";
+	echo "\n";
+	echo "    styles:\n";
+	echo "        Generate the Styles Template event section of Event_List\n";
+	echo "\n";
+	echo "VERSION (diff only):\n";
+	echo "    Filter events (minimum version)\n";
+	echo "\n";
+	echo "EXTENSION (Optional):\n";
+	echo "    If not given, only core events will be exported.\n";
+	echo "    Otherwise only events from the extension will be exported.\n";
+	echo "\n";
+	exit(2);
+}
+
+function validate_argument_count($arguments, $count)
+{
+	if ($arguments <= $count)
+	{
+		usage();
+	}
+}
+
+validate_argument_count($argc, 1);
+
+$action = $argv[1];
+$extension = isset($argv[2]) ? $argv[2] : null;
+$min_version = null;
+require __DIR__ . '/../phpbb/event/php_exporter.' . $phpEx;
+require __DIR__ . '/../phpbb/event/md_exporter.' . $phpEx;
+require __DIR__ . '/../phpbb/event/rst_exporter.' . $phpEx;
+require __DIR__ . '/../includes/functions.' . $phpEx;
+require __DIR__ . '/../phpbb/event/recursive_event_filter_iterator.' . $phpEx;
+require __DIR__ . '/../phpbb/recursive_dot_prefix_filter_iterator.' . $phpEx;
+
+switch ($action)
+{
+
+	case 'diff':
+		echo "[size=200]Event changes[/size]\n\n";
+		$min_version = $extension;
+		$extension = isset($argv[3]) ? $argv[3] : null;
+
+	case 'php':
+		$exporter = new \phpbb\event\php_exporter($phpbb_root_path, $extension, $min_version);
+		$exporter->crawl_phpbb_directory_php();
+		echo $exporter->export_events_for_bbcode($action);
+
+		if ($action === 'php')
+		{
+			break;
+		}
+		echo "\n\n";
+		// no break;
+
+	case 'styles':
+		$exporter = new \phpbb\event\md_exporter($phpbb_root_path, $extension, $min_version);
+		if ($min_version && $action === 'diff')
+		{
+			$exporter->crawl_eventsmd('docs/events.md', 'styles');
+		}
+		else
+		{
+			$exporter->crawl_phpbb_directory_styles('docs/events.md');
+		}
+		echo $exporter->export_events_for_bbcode($action);
+
+		if ($action === 'styles')
+		{
+			break;
+		}
+		echo "\n\n";
+		// no break;
+
+	case 'adm':
+		$exporter = new \phpbb\event\md_exporter($phpbb_root_path, $extension, $min_version);
+		if ($min_version && $action === 'diff')
+		{
+			$exporter->crawl_eventsmd('docs/events.md', 'adm');
+		}
+		else
+		{
+			$exporter->crawl_phpbb_directory_adm('docs/events.md');
+		}
+		echo $exporter->export_events_for_bbcode($action);
+
+		echo "\n";
+	break;
+
+	default:
+		usage();
+}

phpBB/docs/CHANGELOG.html

@@ -50,6 +50,10 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ul>
+		<li><a href="#v337">Changes since 3.3.7</a></li>
+		<li><a href="#v336">Changes since 3.3.6</a></li>
+		<li><a href="#v336rc1">Changes since 3.3.6-RC1</a></li>
+		<li><a href="#v335">Changes since 3.3.5</a></li>
 		<li><a href="#v335rc1">Changes since 3.3.5-RC1</a></li>
 		<li><a href="#v334">Changes since 3.3.4</a></li>
 		<li><a href="#v334rc1">Changes since 3.3.4-RC1</a></li>
@@ -158,6 +162,105 @@
 		<div class="inner">
 
 		<div class="content">
+			<a name="v337"></a><h3>Changes since 3.3.7</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-13821">PHPBB3-13821</a>] - Always show &quot;Display this post&quot; for foes</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16871">PHPBB3-16871</a>] - S_FORUM_ID and S_TOPIC_ID variables set by page_header may cause fatal errors in feeds</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16891">PHPBB3-16891</a>] - Controller Helper Routing in ACP can break Extension Installation</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16960">PHPBB3-16960</a>] - Migrations table not populated at the end of installation</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16962">PHPBB3-16962</a>] - Possible bug related with format date</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16966">PHPBB3-16966</a>] - &quot;Insecure redirect&quot; error while permanently deleting posts</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16976">PHPBB3-16976</a>] - phpBB Native Search returns 1 match and one page of results</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16977">PHPBB3-16977</a>] - Cron-job &quot;img&quot; tag at bottom breaks some styles and is inaccessible</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16978">PHPBB3-16978</a>] - &lt;/ul&gt; Tag Missing From posting_pm_header.html Template</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16981">PHPBB3-16981</a>] - HTML-encoded emojis `&amp;#128396;️ &amp;#128208;` in email subject line</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16990">PHPBB3-16990</a>] - Wrong style template code in the post editor prevents deleting a post with certain permission combination</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-13859">PHPBB3-13859</a>] - Youtube profilefield needs an upgrade</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-15947">PHPBB3-15947</a>] - &quot;X out of 0 messages stored&quot; in UCP</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16800">PHPBB3-16800</a>] - Language string NO_POSTS should be changed</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16959">PHPBB3-16959</a>] - Remove redundant URL parameters from notification mails</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16967">PHPBB3-16967</a>] - Deprecate use of PHP and INCLUDEPHP in templates</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16969">PHPBB3-16969</a>] - Flash status displays when posting when posts settings don't allow [FLASH] - BBCode</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16988">PHPBB3-16988</a>] - Ignore appended branch info when preparing commit message</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16991">PHPBB3-16991</a>] - Add events for bookmarks and subscribed topics in UCP</li>
+			</ul>
+
+			<a name="v336"></a><h3>Changes since 3.3.6</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16973">PHPBB3-16973</a>] - Remove orphaned roles migration may incorrectly remove role-based group permissions</li>
+			</ul>
+			<h4>Task</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16972">PHPBB3-16972</a>] - Rename subtype to advanced_update in package.json generation</li>
+			</ul>
+
+			<a name="v336rc1"></a><h3>Changes since 3.3.6-RC1</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16872">PHPBB3-16872</a>] - Create event exporter to BBCode</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16956">PHPBB3-16956</a>] - White screen after disable extention</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-15028">PHPBB3-15028</a>] - Change update instructions in ACP</li>
+			</ul>
+			<h4>Task</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16964">PHPBB3-16964</a>] - Update composer and composer dependencies to latest versions</li>
+			</ul>
+			<h4>Hardening</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/SECURITY-272">SECURITY-272</a>] - Use longer random string for activation key</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/SECURITY-273">SECURITY-273</a>] - Reset reset token info when re-activating account</li>
+			</ul>
+
+			<a name="v335"></a><h3>Changes since 3.3.5</h3>
+			<h4>Bug</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16881">PHPBB3-16881</a>] - Fix ACP Statistic Table</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16883">PHPBB3-16883</a>] - Check if var is array before using count in installer diff</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16887">PHPBB3-16887</a>] - Update required PHP version</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16889">PHPBB3-16889</a>] - Postgres on windows builds keep failing</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16892">PHPBB3-16892</a>] - Duplicate entry for jav files in extension guesser</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16895">PHPBB3-16895</a>] - 'Permission' migration tool incorrectly handles role removal</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16897">PHPBB3-16897</a>] - sqlite3 drivers generates warnings when executing an explain query plan that fails</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16900">PHPBB3-16900</a>] - Invalid email subject header on long topic titles</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16904">PHPBB3-16904</a>] - Regression for topic selection in MCP in 3.3.5</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16908">PHPBB3-16908</a>] - PHP warning on non-existent post id requests</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16910">PHPBB3-16910</a>] - PHP warning if trying to attach orphaned files to non existent posts</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16914">PHPBB3-16914</a>] - Missing id in memberlist email template</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16924">PHPBB3-16924</a>] - Double escaping of config values inserted with db config</li>
+			</ul>
+			<h4>Improvement</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-13508">PHPBB3-13508</a>] - Support using INCLUDEJS and INCLUDECSS in twig template format</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16828">PHPBB3-16828</a>] - Add hook event before find_users_for_notification() execute</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16859">PHPBB3-16859</a>] - Language selection option is displayed on register if only 1 language is installed</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16885">PHPBB3-16885</a>] - Add filters to Twig - INT and FLOAT</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16888">PHPBB3-16888</a>] - Add the list of allowed attachment types using accept attribute </li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16896">PHPBB3-16896</a>] - Improve .gitignore visibility</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16898">PHPBB3-16898</a>] - Do not restrict the debug error handler to the development environment</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16899">PHPBB3-16899</a>] - Add SVG and WEBP image type to ranks, smilies and topic icons</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16902">PHPBB3-16902</a>] - Improve search results count for MySQL</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16909">PHPBB3-16909</a>] - Add PHP 8.2 builds to test matrix</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16912">PHPBB3-16912</a>] - Improve mail encoding to better match RFC 2047</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16921">PHPBB3-16921</a>] - Increase PHP requirements in the DOCS</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16930">PHPBB3-16930</a>] - Remove redundant topic ID from last post URL</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16933">PHPBB3-16933</a>] - Inconsistent handling of hyphen by phpBB Native search backend</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16939">PHPBB3-16939</a>] - Wait for postgres service to start in GitHub Actions windows builds</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16940">PHPBB3-16940</a>] - Optimize phpBB Native Search</li>
+			</ul>
+			<h4>Task</h4>
+			<ul>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16927">PHPBB3-16927</a>] - Update plupload to latest version</li>
+				<li>[<a href="https://tracker.phpbb.com/browse/PHPBB3-16928">PHPBB3-16928</a>] - Update composer and composer dependencies to latest versions</li>
+			</ul>
+
 			<a name="v335rc1"></a><h3>Changes since 3.3.5-RC1</h3>
 			<h4>Bug</h4>
 			<ul>

phpBB/docs/INSTALL.html

@@ -64,7 +64,7 @@
 		<li><a href="#update_full">Full package</a></li>
 		<li><a href="#update_files">Changed files</a></li>
 		<li><a href="#update_patch">Patch file</a></li>
-		<li><a href="#update_auto">Automatic update package</a></li>
+		<li><a href="#update_advanced">Advanced update package</a></li>
 		<li><a href="#update_all">All package types</a></li>
 	</ol>
 	</li>
@@ -147,7 +147,7 @@
 			<li>Oracle</li>
 		</ul>
 		</li>
-		<li><strong>PHP 7.1.3+</strong> up to and including <strong>PHP 7.4</strong> with support for the database you intend to use.</li>
+		<li><strong>PHP 7.1.3+</strong> up to and including <strong>PHP 8.1</strong> with support for the database you intend to use.</li>
 		<li>The following PHP modules are required:
 		<ul>
 			<li>json</li>
@@ -291,7 +291,7 @@
 
 	<p>The patch file package is for those wanting to update through the patch application, and should only be used by those who are comfortable with it.</p>
 
-	<p>The patch file is one solution for those with changes in to the phpBB core files and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type <strong>patch</strong> application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the <a href="#update_auto">Automatic update package</a> explained below. It is also the recommended update method.</p>
+	<p>The patch file is one solution for those with changes in to the phpBB core files and do not want to re-add them back to all the changed files. To use this you will need command line access to a standard UNIX type <strong>patch</strong> application. If you do not have access to such an application, but still want to use this update approach, we strongly recommend the <a href="#update_full">Full package update</a> explained above. It is also the recommended update method.</p>
 
 	<p>A number of patch files are provided to allow you to update from previous stable releases. Select the correct patch, e.g. if your current version is <strong>3.3.0</strong>, you need the <code>phpBB-3.3.1-patch.zip/tar.bz2</code> file. Place the correct patch in the parent directory containing the phpBB core files (i.e. index.php, viewforum.php, etc.). With this done you should run the following command: <code>patch -cl -d [PHPBB DIRECTORY] -p1 &lt; [PATCH NAME]</code> (where PHPBB DIRECTORY is the directory name your phpBB Installation resides in, for example phpBB, and where PATCH NAME is the relevant filename of the selected patch file). This should complete quickly, hopefully without any HUNK FAILED comments.</p>
 
@@ -299,11 +299,13 @@
 
 	<p>You should, of course, delete the patch file (or files) after use. As for the other update procedures, you should navigate to <code>/install/app.php/update</code>, select "Update database only" and submit the page after you have finished updating the files. This will update your database schema and data (if appropriate) and increment the version number. If you have shell access to your server, you may wish to update via the command line interface. From your board's root, execute the following command: <code>php bin/phpbbcli.php --safe-mode db:migrate</code>.</p>
 
-<a name="update_auto"></a><h3>4.iv. Automatic update package</h3>
+<a name="update_advanced"></a><h3>4.iv. Advanced update package (Expert users)</h3>
 
-	<p>This update method is only recommended for installations with modifications to core phpBB files. This package detects changed files automatically and merges in changes if needed.</p>
+	<p>This update method should only be used for installations with modifications to core phpBB files. If you simply use Extensions or custom Styles and have not modified core files, please use the Full Package update.</p>
 
-	<p>The automatic update package will update the board from a given version to the latest version. A number of automatic update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is <strong>3.3.0</strong>, you need the <code>phpBB-3.3.0_to_3.3.1.zip/tar.bz2</code> file.</p>
+	<p>This package detects changed files and merges in changes if needed. Since this type of update has a potential to cause issues while upgrading, it should only be used by expert users.</p>
+
+	<p>The advanced update package will update the board from a given version to the latest version. A number of advanced update files are available, and you should choose the one that corresponds to the version of the board that you are currently running. For example, if your current version is <strong>3.3.0</strong>, you need the <code>phpBB-3.3.0_to_3.3.1.zip/tar.bz2</code> file.</p>
 
 	<p>To perform the update, either follow the instructions from the <strong>Administration Control Panel-&gt;System</strong> Tab - this should point out that you are running an outdated version and will guide you through the update - or follow the instructions listed below.</p>
 

phpBB/docs/README.html

@@ -104,7 +104,7 @@
 
 	<ul>
 		<li>Updates from phpBB 3.0 RC1, 3.1 RC1 and 3.2 RC1 to the latest version</li>
-		<li>Note: if using the <em>Automatic Update Package</em>, updates are supported from phpBB 3.0.2 onward. To update a pre-3.0.2 installation, first update to 3.0.2 and then update to the current version.</li>
+		<li>Note: if using the <em>Advanced Update Package</em>, updates are supported from phpBB 3.0.2 onward. To update a pre-3.0.2 installation, first update to 3.0.2 and then update to the current version.</li>
 		<li>Conversions from phpBB 2.0.x to the latest version</li>
 		<li>New installations of phpBB 3.2.x - only the latest released version</li>
 		<li>New installations of phpBB 3.3.x - only the latest released version</li>

phpBB/docs/coding-guidelines.html

@@ -1304,6 +1304,7 @@ parent = prosilver</pre>
 </pre></div>
 
 <h4>PHP</h4>
+<p><strong class="error">The use of PHP in HTML files has been deprecated in phpBB 3.3 and will be removed in phpBB 4.0.</strong></p>
 <p>A contentious decision has seen the ability to include PHP within the template introduced. This is achieved by enclosing the PHP within relevant tags:</p>
 
 <div class="codebox"><pre>

phpBB/docs/events.md

@@ -2530,6 +2530,13 @@ ucp_header_friends_online_username_full_prepend
 * Since: 3.2.10-RC1
 * Purpose: Prepend information to online friends username in UCP
 
+ucp_main_bookmarks_topic_title_after
+===
+* Locations:
+    + styles/prosilver/template/ucp_main_bookmarks.html
+* Since: 3.3.8-RC1
+* Purpose: Add content right after the topic title viewing UCP bookmarks
+
 ucp_main_front_user_activity_after
 ===
 * Locations:
@@ -2558,6 +2565,13 @@ ucp_main_front_user_activity_prepend
 * Since: 3.1.11-RC1
 * Purpose: Add content before first user activity info viewing UCP front page
 
+ucp_main_subscribed_topic_title_after
+===
+* Locations:
+    + styles/prosilver/template/ucp_main_subscribed.html
+* Since: 3.3.8-RC1
+* Purpose: Add content right after the topic title viewing UCP subscribed topics
+
 ucp_pm_history_post_buttons_after
 ===
 * Locations:

phpBB/includes/acp/acp_attachments.php

@@ -1000,29 +1000,45 @@ class acp_attachments
 						$result = $db->sql_query($sql);
 
 						$files_added = $space_taken = 0;
+						$error_msg = '';
+						$upload_row = [];
 						while ($row = $db->sql_fetchrow($result))
 						{
-							$post_row = $post_info[$upload_list[$row['attach_id']]];
+							$upload_row = [
+								'FILE_INFO'	=> $user->lang('UPLOADING_FILE_TO', $row['real_filename'], $upload_list[$row['attach_id']]),
+							];
 
-							$template->assign_block_vars('upload', array(
-								'FILE_INFO'		=> sprintf($user->lang['UPLOADING_FILE_TO'], $row['real_filename'], $post_row['post_id']),
-								'S_DENIED'		=> (!$auth->acl_get('f_attach', $post_row['forum_id'])) ? true : false,
-								'L_DENIED'		=> (!$auth->acl_get('f_attach', $post_row['forum_id'])) ? sprintf($user->lang['UPLOAD_DENIED_FORUM'], $forum_names[$row['forum_id']]) : '')
-							);
+							if (isset($post_info[$upload_list[$row['attach_id']]]))
+							{
+								$post_row = $post_info[$upload_list[$row['attach_id']]];
+								$upload_row = array_merge($upload_row, [
+									'S_DENIED'	=> !$auth->acl_get('f_attach', $post_row['forum_id']),
+									'L_DENIED'	=> !$auth->acl_get('f_attach', $post_row['forum_id']) ? $user->lang('UPLOAD_DENIED_FORUM', $forum_names[$row['forum_id']]) : '',
+								]);
+							}
+							else
+							{
+								$error_msg = $user->lang('UPLOAD_POST_NOT_EXIST', $row['real_filename'], $upload_list[$row['attach_id']]);
+								$upload_row = array_merge($upload_row, [
+									'ERROR_MSG'	=> $error_msg,
+								]);
+							};
 
-							if (!$auth->acl_get('f_attach', $post_row['forum_id']))
+							$template->assign_block_vars('upload', $upload_row);
+
+							if ($error_msg || !$auth->acl_get('f_attach', $post_row['forum_id']))
 							{
 								continue;
 							}
 
 							// Adjust attachment entry
-							$sql_ary = array(
+							$sql_ary = [
 								'in_message'	=> 0,
 								'is_orphan'		=> 0,
 								'poster_id'		=> $post_row['poster_id'],
 								'post_msg_id'	=> $post_row['post_id'],
 								'topic_id'		=> $post_row['topic_id'],
-							);
+							];
 
 							$sql = 'UPDATE ' . ATTACHMENTS_TABLE . '
 								SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
@@ -1042,7 +1058,7 @@ class acp_attachments
 							$space_taken += $row['filesize'];
 							$files_added++;
 
-							$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ATTACH_FILEUPLOAD', false, array($post_row['post_id'], $row['real_filename']));
+							$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ATTACH_FILEUPLOAD', false, [$post_row['post_id'], $row['real_filename']]);
 						}
 						$db->sql_freeresult($result);
 
@@ -1054,9 +1070,9 @@ class acp_attachments
 					}
 				}
 
-				$template->assign_vars(array(
-					'S_ORPHAN'		=> true)
-				);
+				$template->assign_vars([
+					'S_ORPHAN'		=> true,
+				]);
 
 				$attachments_per_page = (int) $config['topics_per_page'];
 
@@ -1084,15 +1100,15 @@ class acp_attachments
 
 				while ($row = $db->sql_fetchrow($result))
 				{
-					$template->assign_block_vars('orphan', array(
+					$template->assign_block_vars('orphan', [
 						'FILESIZE'			=> get_formatted_filesize($row['filesize']),
 						'FILETIME'			=> $user->format_date($row['filetime']),
 						'REAL_FILENAME'		=> utf8_basename($row['real_filename']),
 						'PHYSICAL_FILENAME'	=> utf8_basename($row['physical_filename']),
 						'ATTACH_ID'			=> $row['attach_id'],
-						'POST_IDS'			=> (!empty($post_ids[$row['attach_id']])) ? $post_ids[$row['attach_id']] : '',
-						'U_FILE'			=> append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'mode=view&id=' . $row['attach_id']))
-					);
+						'POST_ID'			=> (!empty($post_ids[$row['attach_id']])) ? $post_ids[$row['attach_id']] : '',
+						'U_FILE'			=> append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'mode=view&id=' . $row['attach_id']),
+					]);
 				}
 				$db->sql_freeresult($result);
 
@@ -1105,10 +1121,10 @@ class acp_attachments
 					$start
 				);
 
-				$template->assign_vars(array(
+				$template->assign_vars([
 					'TOTAL_FILES'		=> $num_files,
 					'TOTAL_SIZE'		=> get_formatted_filesize($total_size),
-				));
+				]);
 
 			break;
 

phpBB/includes/acp/acp_bbcodes.php

@@ -86,7 +86,7 @@ class acp_bbcodes
 				$display_on_posting = $request->variable('display_on_posting', 0);
 
 				$bbcode_match = $request->variable('bbcode_match', '');
-				$bbcode_tpl = htmlspecialchars_decode($request->variable('bbcode_tpl', '', true), ENT_COMPAT);
+				$bbcode_tpl = html_entity_decode($request->variable('bbcode_tpl', '', true), ENT_COMPAT);
 				$bbcode_helpline = $request->variable('bbcode_helpline', '', true);
 			break;
 		}

phpBB/includes/acp/acp_board.php

@@ -720,8 +720,8 @@ class acp_board
 				$messenger->set_addresses($user->data);
 				$messenger->anti_abuse_headers($config, $user);
 				$messenger->assign_vars(array(
-					'USERNAME'	=> htmlspecialchars_decode($user->data['username'], ENT_COMPAT),
-					'MESSAGE'	=> htmlspecialchars_decode($request->variable('send_test_email_text', '', true), ENT_COMPAT),
+					'USERNAME'	=> html_entity_decode($user->data['username'], ENT_COMPAT),
+					'MESSAGE'	=> html_entity_decode($request->variable('send_test_email_text', '', true), ENT_COMPAT),
 				));
 				$messenger->send(NOTIFY_EMAIL);
 

phpBB/includes/acp/acp_email.php

@@ -205,7 +205,7 @@ class acp_email
 				$email_template = 'admin_send_email';
 				$template_data = array(
 					'CONTACT_EMAIL' => phpbb_get_board_contact($config, $phpEx),
-					'MESSAGE'		=> htmlspecialchars_decode($message, ENT_COMPAT),
+					'MESSAGE'		=> html_entity_decode($message, ENT_COMPAT),
 				);
 				$generate_log_entry = true;
 
@@ -252,7 +252,7 @@ class acp_email
 
 					$messenger->anti_abuse_headers($config, $user);
 
-					$messenger->subject(htmlspecialchars_decode($subject, ENT_COMPAT));
+					$messenger->subject(html_entity_decode($subject, ENT_COMPAT));
 					$messenger->set_mail_priority($priority);
 
 					$messenger->assign_vars($template_data);

phpBB/includes/acp/acp_help_phpbb.php

@@ -90,7 +90,7 @@ class acp_help_phpbb
 
 			if (!empty($response))
 			{
-				$decoded_response = json_decode(htmlspecialchars_decode($response, ENT_COMPAT), true);
+				$decoded_response = json_decode(html_entity_decode($response, ENT_COMPAT), true);
 
 				if ($decoded_response && isset($decoded_response['status']) && $decoded_response['status'] == 'ok')
 				{

phpBB/includes/acp/acp_icons.php

@@ -91,29 +91,43 @@ class acp_icons
 				{
 					$img_size = getimagesize($phpbb_root_path . $img_path . '/' . $path . $img);
 
-					if (!$img_size[0] || !$img_size[1] || strlen($img) > 255)
+					if ($img_size)
 					{
-						continue;
-					}
+						if (!$img_size[0] || !$img_size[1] || strlen($img) > 255)
+						{
+							continue;
+						}
 
-					// adjust the width and height to be lower than 128px while perserving the aspect ratio (for icons)
-					if ($mode == 'icons')
+						// adjust the width and height to be lower than 128px while perserving the aspect ratio (for icons)
+						if ($mode == 'icons')
+						{
+							if ($img_size[0] > 127 && $img_size[0] > $img_size[1])
+							{
+								$img_size[1] = (int) ($img_size[1] * (127 / $img_size[0]));
+								$img_size[0] = 127;
+							}
+							else if ($img_size[1] > 127)
+							{
+								$img_size[0] = (int) ($img_size[0] * (127 / $img_size[1]));
+								$img_size[1] = 127;
+							}
+						}
+					}
+					else
 					{
-						if ($img_size[0] > 127 && $img_size[0] > $img_size[1])
-						{
-							$img_size[1] = (int) ($img_size[1] * (127 / $img_size[0]));
-							$img_size[0] = 127;
-						}
-						else if ($img_size[1] > 127)
-						{
-							$img_size[0] = (int) ($img_size[0] * (127 / $img_size[1]));
-							$img_size[1] = 127;
-						}
+						// getimagesize can't read the dimensions of the SVG files
+						// https://bugs.php.net/bug.php?id=71517
+						$xml_get = simplexml_load_file($phpbb_root_path . $img_path . '/' . $path . $img);
+
+						$svg_width = intval($xml_get['width']);
+						$svg_height = intval($xml_get['height']);
 					}
 
 					$_images[$path . $img]['file'] = $path . $img;
-					$_images[$path . $img]['width'] = $img_size[0];
-					$_images[$path . $img]['height'] = $img_size[1];
+
+					// Give SVG a fallback on failure
+					$_images[$path . $img]['width'] = $img_size ? $img_size[0] : ($svg_width ?: 32);
+					$_images[$path . $img]['height'] = $img_size ? $img_size[1] : ($svg_height ?: 32);
 				}
 			}
 			unset($imglist);

phpBB/includes/acp/acp_inactive.php

@@ -130,7 +130,7 @@ class acp_inactive
 								$messenger->anti_abuse_headers($config, $user);
 
 								$messenger->assign_vars(array(
-									'USERNAME'	=> htmlspecialchars_decode($row['username'], ENT_COMPAT))
+									'USERNAME'	=> html_entity_decode($row['username'], ENT_COMPAT))
 								);
 
 								$messenger->send(NOTIFY_EMAIL);
@@ -224,7 +224,7 @@ class acp_inactive
 							$messenger->anti_abuse_headers($config, $user);
 
 							$messenger->assign_vars(array(
-								'USERNAME'		=> htmlspecialchars_decode($row['username'], ENT_COMPAT),
+								'USERNAME'		=> html_entity_decode($row['username'], ENT_COMPAT),
 								'REGISTER_DATE'	=> $user->format_date($row['user_regdate'], false, true),
 								'U_ACTIVATE'	=> generate_board_url() . "/ucp.$phpEx?mode=activate&u=" . $row['user_id'] . '&k=' . $row['user_actkey'])
 							);

phpBB/includes/acp/acp_logs.php

@@ -108,7 +108,7 @@ class acp_logs
 		$sql_sort = $sort_by_sql[$sort_key] . ' ' . (($sort_dir == 'd') ? 'DESC' : 'ASC');
 
 		$keywords = $request->variable('keywords', '', true);
-		$keywords_param = !empty($keywords) ? '&keywords=' . urlencode(htmlspecialchars_decode($keywords, ENT_COMPAT)) : '';
+		$keywords_param = !empty($keywords) ? '&keywords=' . urlencode(html_entity_decode($keywords, ENT_COMPAT)) : '';
 
 		$l_title = $user->lang['ACP_' . strtoupper($mode) . '_LOGS'];
 		$l_title_explain = $user->lang['ACP_' . strtoupper($mode) . '_LOGS_EXPLAIN'];

phpBB/includes/acp/acp_main.php

@@ -544,20 +544,13 @@ class acp_main
 			$files_per_day = $total_files;
 		}
 
-		if ($config['allow_attachments'] || $config['allow_pm_attach'])
-		{
-			$sql = 'SELECT COUNT(attach_id) AS total_orphan
-				FROM ' . ATTACHMENTS_TABLE . '
-				WHERE is_orphan = 1
-					AND filetime < ' . (time() - 3*60*60);
-			$result = $db->sql_query($sql);
-			$total_orphan = (int) $db->sql_fetchfield('total_orphan');
-			$db->sql_freeresult($result);
-		}
-		else
-		{
-			$total_orphan = false;
-		}
+		$sql = 'SELECT COUNT(attach_id) AS total_orphan
+			FROM ' . ATTACHMENTS_TABLE . '
+			WHERE is_orphan = 1
+				AND filetime < ' . (time() - 3*60*60);
+		$result = $db->sql_query($sql);
+		$total_orphan = (int) $db->sql_fetchfield('total_orphan');
+		$db->sql_freeresult($result);
 
 		$dbsize = get_database_size();
 
@@ -575,7 +568,6 @@ class acp_main
 			'DBSIZE'			=> $dbsize,
 			'UPLOAD_DIR_SIZE'	=> $upload_dir_size,
 			'TOTAL_ORPHAN'		=> $total_orphan,
-			'S_TOTAL_ORPHAN'	=> ($total_orphan === false) ? false : true,
 			'GZIP_COMPRESSION'	=> ($config['gzip_compress'] && @extension_loaded('zlib')) ? $user->lang['ON'] : $user->lang['OFF'],
 			'DATABASE_INFO'		=> $db->sql_server_info(),
 			'PHP_VERSION_INFO'	=> PHP_VERSION,

phpBB/includes/acp/acp_ranks.php

@@ -55,8 +55,8 @@ class acp_ranks
 				$min_posts = ($special_rank) ? 0 : max(0, $request->variable('min_posts', 0));
 				$rank_image = $request->variable('rank_image', '');
 
-				// The rank image has to be a jpg, gif or png
-				if ($rank_image != '' && !preg_match('#(\.gif|\.png|\.jpg|\.jpeg)$#i', $rank_image))
+				// The rank image has to be a jp(e)g, gif, png, svg or webp
+				if ($rank_image != '' && !preg_match('#(\.gif|\.png|\.jpg|\.jpeg|\.svg|\.webp)$#i', $rank_image))
 				{
 					$rank_image = '';
 				}
@@ -70,7 +70,7 @@ class acp_ranks
 					'rank_title'		=> $rank_title,
 					'rank_special'		=> $special_rank,
 					'rank_min'			=> $min_posts,
-					'rank_image'		=> htmlspecialchars_decode($rank_image, ENT_COMPAT)
+					'rank_image'		=> html_entity_decode($rank_image, ENT_COMPAT)
 				);
 
 				/**

phpBB/includes/acp/acp_search.php

@@ -322,9 +322,9 @@ class acp_search
 						{
 							$sql = 'SELECT post_id, poster_id, forum_id
 								FROM ' . POSTS_TABLE . '
-								WHERE post_id >= ' . (int) ($post_counter + 1) . '
-									AND post_id <= ' . (int) ($post_counter + $this->batch_size);
-							$result = $db->sql_query($sql);
+								WHERE post_id > ' . (int) $post_counter . '
+								ORDER BY post_id ASC';
+							$result = $db->sql_query_limit($sql, $this->batch_size);
 
 							$ids = $posters = $forum_ids = array();
 							while ($row = $db->sql_fetchrow($result))
@@ -339,14 +339,13 @@ class acp_search
 							if (count($ids))
 							{
 								$this->search->index_remove($ids, $posters, $forum_ids);
+								$post_counter = $ids[count($ids) - 1];
 							}
-
-							$post_counter += $this->batch_size;
 						}
 						// save the current state
 						$this->save_state();
 
-						if ($post_counter <= $this->max_post_id)
+						if ($post_counter < $this->max_post_id)
 						{
 							$totaltime = microtime(true) - $starttime;
 							$rows_per_second = $row_count / $totaltime;
@@ -393,9 +392,9 @@ class acp_search
 						{
 							$sql = 'SELECT post_id, post_subject, post_text, poster_id, forum_id
 								FROM ' . POSTS_TABLE . '
-								WHERE post_id >= ' . (int) ($post_counter + 1) . '
-									AND post_id <= ' . (int) ($post_counter + $this->batch_size);
-							$result = $db->sql_query($sql);
+								WHERE post_id > ' . (int) $post_counter . '
+								ORDER BY post_id ASC';
+							$result = $db->sql_query_limit($sql, $this->batch_size);
 
 							$buffer = $db->sql_buffer_nested_transactions();
 
@@ -416,13 +415,12 @@ class acp_search
 									$this->search->index('post', $row['post_id'], $row['post_text'], $row['post_subject'], $row['poster_id'], $row['forum_id']);
 								}
 								$row_count++;
+								$post_counter = $row['post_id'];
 							}
 							if (!$buffer)
 							{
 								$db->sql_freeresult($result);
 							}
-
-							$post_counter += $this->batch_size;
 						}
 						// save the current state
 						$this->save_state();
@@ -434,7 +432,7 @@ class acp_search
 						$this->search->tidy();
 						$config['num_posts'] = $num_posts;
 
-						if ($post_counter <= $this->max_post_id)
+						if ($post_counter < $this->max_post_id)
 						{
 							$totaltime = microtime(true) - $starttime;
 							$rows_per_second = $row_count / $totaltime;

phpBB/includes/acp/acp_users.php

@@ -402,8 +402,8 @@ class acp_users
 								$messenger->anti_abuse_headers($config, $user);
 
 								$messenger->assign_vars(array(
-									'WELCOME_MSG'	=> htmlspecialchars_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
-									'USERNAME'		=> htmlspecialchars_decode($user_row['username'], ENT_COMPAT),
+									'WELCOME_MSG'	=> html_entity_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
+									'USERNAME'		=> html_entity_decode($user_row['username'], ENT_COMPAT),
 									'U_ACTIVATE'	=> "$server_url/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k=$user_actkey")
 								);
 
@@ -466,7 +466,7 @@ class acp_users
 									$messenger->anti_abuse_headers($config, $user);
 
 									$messenger->assign_vars(array(
-										'USERNAME'	=> htmlspecialchars_decode($user_row['username'], ENT_COMPAT))
+										'USERNAME'	=> html_entity_decode($user_row['username'], ENT_COMPAT))
 									);
 
 									$messenger->send(NOTIFY_EMAIL);

phpBB/includes/constants.php

@@ -28,7 +28,7 @@ if (!defined('IN_PHPBB'))
 */
 
 // phpBB Version
-@define('PHPBB_VERSION', '3.3.5');
+@define('PHPBB_VERSION', '3.3.8');
 
 // QA-related
 // define('PHPBB_QA', 1);

phpBB/includes/diff/diff.php

@@ -168,8 +168,14 @@ class diff
 				$final = $edit->final;
 
 				// We can simplify one case where the array is usually supposed to be empty...
-				if (count($orig) == 1 && trim($orig[0]) === '') $orig = array();
-				if (count($final) == 1 && trim($final[0]) === '') $final = array();
+				if (is_array($orig) && count($orig) == 1 && trim($orig[0]) === '')
+				{
+					$orig = array();
+				}
+				if (is_array($final) && count($final) == 1 && trim($final[0]) === '')
+				{
+					$final = array();
+				}
 
 				if (!$orig && !$final)
 				{

phpBB/includes/functions.php

@@ -263,49 +263,68 @@ function phpbb_version_compare($version1, $version2, $operator = null)
 // functions used for building option fields
 
 /**
-* Pick a language, any language ...
-*/
-function language_select($default = '')
+ * Pick a language, any language ...
+ *
+ * @param string $default	Language ISO code to be selected by default in the dropdown list
+ * @param array $langdata	Language data in format of array(array('lang_iso' => string, lang_local_name => string), ...)
+ *
+ * @return string			HTML options for language selection dropdown list.
+ */
+function language_select($default = '', array $langdata = [])
 {
 	global $db;
 
-	$sql = 'SELECT lang_iso, lang_local_name
-		FROM ' . LANG_TABLE . '
-		ORDER BY lang_english_name';
-	$result = $db->sql_query($sql);
+	if (empty($langdata))
+	{
+		$sql = 'SELECT lang_iso, lang_local_name
+			FROM ' . LANG_TABLE . '
+			ORDER BY lang_english_name';
+		$result = $db->sql_query($sql);
+		$langdata = (array) $db->sql_fetchrowset($result);
+		$db->sql_freeresult($result);
+	}
 
 	$lang_options = '';
-	while ($row = $db->sql_fetchrow($result))
+	foreach ($langdata as $row)
 	{
 		$selected = ($row['lang_iso'] == $default) ? ' selected="selected"' : '';
 		$lang_options .= '<option value="' . $row['lang_iso'] . '"' . $selected . '>' . $row['lang_local_name'] . '</option>';
 	}
-	$db->sql_freeresult($result);
 
 	return $lang_options;
 }
 
 /**
-* Pick a template/theme combo,
-*/
-function style_select($default = '', $all = false)
+ * Pick a template/theme combo
+ *
+ * @param string $default	Style ID to be selected by default in the dropdown list
+ * @param bool $all			Flag indicating if all styles data including inactive ones should be fetched
+ * @param array $styledata	Style data in format of array(array('style_id' => int, style_name => string), ...)
+ *
+ * @return string			HTML options for style selection dropdown list.
+ */
+function style_select($default = '', $all = false, array $styledata = [])
 {
 	global $db;
 
-	$sql_where = (!$all) ? 'WHERE style_active = 1 ' : '';
-	$sql = 'SELECT style_id, style_name
-		FROM ' . STYLES_TABLE . "
-		$sql_where
-		ORDER BY style_name";
-	$result = $db->sql_query($sql);
+	if (empty($styledata))
+	{
+		$sql_where = (!$all) ? 'WHERE style_active = 1 ' : '';
+		$sql = 'SELECT style_id, style_name
+			FROM ' . STYLES_TABLE . "
+			$sql_where
+			ORDER BY style_name";
+		$result = $db->sql_query($sql);
+		$styledata = (array) $db->sql_fetchrowset($result);
+		$db->sql_freeresult($result);
+	}
 
 	$style_options = '';
-	while ($row = $db->sql_fetchrow($result))
+	foreach ($styledata as $row)
 	{
 		$selected = ($row['style_id'] == $default) ? ' selected="selected"' : '';
 		$style_options .= '<option value="' . $row['style_id'] . '"' . $selected . '>' . $row['style_name'] . '</option>';
 	}
-	$db->sql_freeresult($result);
 
 	return $style_options;
 }
@@ -3855,8 +3874,9 @@ function page_header($page_title = '', $display_online_list = false, $item_id =
 		}
 	}
 
-	$forum_id = $request->variable('f', 0);
-	$topic_id = $request->variable('t', 0);
+	// Negative forum and topic IDs are not allowed
+	$forum_id = max(0, $request->variable('f', 0));
+	$topic_id = max(0, $request->variable('t', 0));
 
 	$s_feed_news = false;
 

phpBB/includes/functions_admin.php

@@ -479,7 +479,7 @@ function copy_forum_permissions($src_forum_id, $dest_forum_ids, $clear_dest_perm
 /**
 * Get physical file listing
 */
-function filelist($rootdir, $dir = '', $type = 'gif|jpg|jpeg|png')
+function filelist($rootdir, $dir = '', $type = 'gif|jpg|jpeg|png|svg|webp')
 {
 	$matches = array($dir => array());
 

phpBB/includes/functions_compatibility.php

@@ -759,7 +759,7 @@ function phpbb_http_login($param)
 	{
 		if ($request->is_set($k, \phpbb\request\request_interface::SERVER))
 		{
-			$username = htmlspecialchars_decode($request->server($k), ENT_COMPAT);
+			$username = html_entity_decode($request->server($k), ENT_COMPAT);
 			break;
 		}
 	}
@@ -769,7 +769,7 @@ function phpbb_http_login($param)
 	{
 		if ($request->is_set($k, \phpbb\request\request_interface::SERVER))
 		{
-			$password = htmlspecialchars_decode($request->server($k), ENT_COMPAT);
+			$password = html_entity_decode($request->server($k), ENT_COMPAT);
 			break;
 		}
 	}

phpBB/includes/functions_content.php

@@ -803,8 +803,8 @@ function make_clickable_callback($type, $whitespace, $url, $relative_url, $class
 	$orig_url		= $url;
 	$orig_relative	= $relative_url;
 	$append			= '';
-	$url			= htmlspecialchars_decode($url, ENT_COMPAT);
-	$relative_url	= htmlspecialchars_decode($relative_url, ENT_COMPAT);
+	$url			= html_entity_decode($url, ENT_COMPAT);
+	$relative_url	= html_entity_decode($relative_url, ENT_COMPAT);
 
 	// make sure no HTML entities were matched
 	$chars = array('<', '>', '"');
@@ -1456,7 +1456,7 @@ function truncate_string($string, $max_length = 60, $max_store_length = 255, $al
 		$string = substr($string, 4);
 	}
 
-	$_chars = utf8_str_split(htmlspecialchars_decode($string, ENT_COMPAT));
+	$_chars = utf8_str_split(html_entity_decode($string, ENT_COMPAT));
 	$chars = array_map('utf8_htmlspecialchars', $_chars);
 
 	// Now check the length ;)
@@ -1471,7 +1471,7 @@ function truncate_string($string, $max_length = 60, $max_store_length = 255, $al
 	if (utf8_strlen($string) > $max_store_length)
 	{
 		// let's split again, we do not want half-baked strings where entities are split
-		$_chars = utf8_str_split(htmlspecialchars_decode($string, ENT_COMPAT));
+		$_chars = utf8_str_split(html_entity_decode($string, ENT_COMPAT));
 		$chars = array_map('utf8_htmlspecialchars', $_chars);
 
 		do

phpBB/includes/functions_download.php

@@ -208,7 +208,7 @@ function send_file_to_browser($attachment, $upload_dir, $category)
 
 	if (empty($user->browser) || ((strpos(strtolower($user->browser), 'msie') !== false) && !phpbb_is_greater_ie_version($user->browser, 7)))
 	{
-		header('Content-Disposition: attachment; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'], ENT_COMPAT)));
+		header('Content-Disposition: attachment; ' . header_filename(html_entity_decode($attachment['real_filename'], ENT_COMPAT)));
 		if (empty($user->browser) || (strpos(strtolower($user->browser), 'msie 6.0') !== false))
 		{
 			header('Expires: ' . gmdate('D, d M Y H:i:s', time()) . ' GMT');
@@ -216,7 +216,7 @@ function send_file_to_browser($attachment, $upload_dir, $category)
 	}
 	else
 	{
-		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(htmlspecialchars_decode($attachment['real_filename'], ENT_COMPAT)));
+		header('Content-Disposition: ' . ((strpos($attachment['mimetype'], 'image') === 0) ? 'inline' : 'attachment') . '; ' . header_filename(html_entity_decode($attachment['real_filename'], ENT_COMPAT)));
 		if (phpbb_is_greater_ie_version($user->browser, 7) && (strpos($attachment['mimetype'], 'image') !== 0))
 		{
 			header('X-Download-Options: noopen');
@@ -327,7 +327,7 @@ function download_allowed()
 		return true;
 	}
 
-	$url = htmlspecialchars_decode($request->header('Referer'), ENT_COMPAT);
+	$url = html_entity_decode($request->header('Referer'), ENT_COMPAT);
 
 	if (!$url)
 	{

phpBB/includes/functions_mcp.php

@@ -35,7 +35,7 @@ function phpbb_module_notes_url($mode, $module_row)
 	}
 
 	global $user_id;
-	return ($user_id) ? "&u=$user_id" : '';
+	return phpbb_extra_url();
 }
 
 function phpbb_module_warn_url($mode, $module_row)
@@ -43,34 +43,18 @@ function phpbb_module_warn_url($mode, $module_row)
 	if ($mode == 'front' || $mode == 'list')
 	{
 		global $forum_id;
-
-		return ($forum_id) ? "&f=$forum_id" : '';
+		return phpbb_extra_url();
 	}
 
 	if ($mode == 'warn_post')
 	{
 		global $forum_id, $post_id;
-
-		if ($post_id)
-		{
-			$url_extra = "&p=$post_id";
-		}
-		else if ($forum_id)
-		{
-			$url_extra = "&f=$forum_id";
-		}
-		else
-		{
-			$url_extra = '';
-		}
-
-		return $url_extra;
+		return phpbb_extra_url();
 	}
 	else
 	{
 		global $user_id;
-
-		return ($user_id) ? "&u=$user_id" : '';
+		return phpbb_extra_url();
 	}
 }
 
@@ -99,30 +83,34 @@ function phpbb_module_reports_url($mode, $module_row)
 	return phpbb_extra_url();
 }
 
-function phpbb_extra_url()
+/**
+ * Generate URL parameters for MCP modules
+ *
+ * @param array $additional_parameters	Array with additional parameters in format of ['key' => 'parameter_name']
+ *
+ * @return string						String with URL parameters (empty string if not any)
+ */
+function phpbb_extra_url($additional_parameters = [])
 {
-	global $forum_id, $topic_id, $post_id, $report_id, $user_id;
+	$url_extra = [];
+	$url_parameters = array_merge([
+		'f' => 'forum_id',
+		't' => 'topic_id',
+		'p' => 'post_id',
+		'r' => 'report_id',
+		'u' => 'user_id',
+	], $additional_parameters);
 
-	if ($post_id)
+	foreach ($url_parameters as $key => $value)
 	{
-		$url_extra = "&p=$post_id";
+		global $$value;
+		if (isset($$value) && $parameter = $$value)
+		{
+			$url_extra[] = "$key=$parameter";
+		}
 	}
-	else if ($topic_id)
-	{
-		$url_extra = "&t=$topic_id";
-	}
-	else if ($forum_id)
-	{
-		$url_extra = "&f=$forum_id";
-	}
-	else
-	{
-		$url_extra = '';
-	}
-	$url_extra .= ($user_id) ? "&u=$user_id" : '';
-	$url_extra .= ($report_id) ? "&r=$report_id" : '';
 
-	return $url_extra;
+	return implode('&', $url_extra);
 }
 
 /**

phpBB/includes/functions_messenger.php

@@ -320,8 +320,8 @@ class messenger
 		// We add some standard variables we always use, no need to specify them always
 		$this->assign_vars(array(
 			'U_BOARD'	=> generate_board_url(),
-			'EMAIL_SIG'	=> str_replace('<br />', "\n", "-- \n" . htmlspecialchars_decode($config['board_email_sig'], ENT_COMPAT)),
-			'SITENAME'	=> htmlspecialchars_decode($config['sitename'], ENT_COMPAT),
+			'EMAIL_SIG'	=> str_replace('<br />', "\n", "-- \n" . html_entity_decode($config['board_email_sig'], ENT_COMPAT)),
+			'SITENAME'	=> html_entity_decode($config['sitename'], ENT_COMPAT),
 		));
 
 		$subject = $this->subject;
@@ -427,7 +427,7 @@ class messenger
 			$user->session_begin();
 		}
 
-		$calling_page = htmlspecialchars_decode($request->server('PHP_SELF'), ENT_COMPAT);
+		$calling_page = html_entity_decode($request->server('PHP_SELF'), ENT_COMPAT);
 
 		switch ($type)
 		{
@@ -557,7 +557,7 @@ class messenger
 			$use_queue = true;
 		}
 
-		$contact_name = htmlspecialchars_decode($config['board_contact_name'], ENT_COMPAT);
+		$contact_name = html_entity_decode($config['board_contact_name'], ENT_COMPAT);
 		$board_contact = (($contact_name !== '') ? '"' . mail_encode($contact_name) . '" ' : '') . '<' . $config['board_contact'] . '>';
 
 		$break = false;
@@ -691,7 +691,7 @@ class messenger
 		if (!$use_queue)
 		{
 			include_once($phpbb_root_path . 'includes/functions_jabber.' . $phpEx);
-			$this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password'], ENT_COMPAT), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']);
+			$this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], html_entity_decode($config['jab_password'], ENT_COMPAT), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']);
 
 			if (!$this->jabber->connect())
 			{
@@ -891,7 +891,7 @@ class queue
 					}
 
 					include_once($phpbb_root_path . 'includes/functions_jabber.' . $phpEx);
-					$this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password'], ENT_COMPAT), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']);
+					$this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], html_entity_decode($config['jab_password'], ENT_COMPAT), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']);
 
 					if (!$this->jabber->connect())
 					{
@@ -1208,7 +1208,7 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $headers = false)
 	}
 
 	// Let me in. This function handles the complete authentication process
-	if ($err_msg = $smtp->log_into_server($config['smtp_host'], $config['smtp_username'], htmlspecialchars_decode($config['smtp_password'], ENT_COMPAT), $config['smtp_auth_method']))
+	if ($err_msg = $smtp->log_into_server($config['smtp_host'], $config['smtp_username'], html_entity_decode($config['smtp_password'], ENT_COMPAT), $config['smtp_auth_method']))
 	{
 		$smtp->close_session($err_msg);
 		return false;
@@ -1840,65 +1840,84 @@ class smtp_class
 }
 
 /**
-* Encodes the given string for proper display in UTF-8.
-*
-* This version is using base64 encoded data. The downside of this
-* is if the mail client does not understand this encoding the user
-* is basically doomed with an unreadable subject.
-*
-* Please note that this version fully supports RFC 2045 section 6.8.
-*
-* @param string $str
-* @param string $eol End of line we are using (optional to be backwards compatible)
-*/
+ * Encodes the given string for proper display in UTF-8 or US-ASCII.
+ *
+ * This version is based on iconv_mime_encode() implementation
+ * from symfomy/polyfill-iconv
+ * https://github.com/symfony/polyfill-iconv/blob/fd324208ec59a39ebe776e6e9ec5540ad4f40aaa/Iconv.php#L355
+ *
+ * @param string $str
+ * @param string $eol Lines delimiter (optional to be backwards compatible)
+ *
+ * @return string
+ */
 function mail_encode($str, $eol = "\r\n")
 {
 	// Check if string contains ASCII only characters
 	$is_ascii = strlen($str) === utf8_strlen($str);
 
-	// Define start delimimter, end delimiter and spacer
+	$scheme = $is_ascii ? 'Q' : 'B';
+
+	// Define start delimiter, end delimiter
 	// Use the Quoted-Printable encoding for ASCII strings to avoid unnecessary encoding in Base64
-	$start = $is_ascii ? "=?US-ASCII?Q?" : "=?UTF-8?B?";
-	$end = "?=";
-	$delimiter = "$eol ";
+	$start = '=?' . ($is_ascii ? 'US-ASCII' : 'UTF-8') . '?' . $scheme . '?';
+	$end = '?=';
 
 	// Maximum encoded-word length is 75 as per RFC 2047 section 2.
-	// $split_length *must* be a multiple of 4, but <= 75 - strlen($start . $delimiter . $end)!!!
-	$split_length = 75 - strlen($start . $delimiter . $end);
+	// $split_length *must* be a multiple of 4, but <= 75 - strlen($start . $eol . $end)!!!
+	$split_length = 75 - strlen($start . $eol . $end);
 	$split_length = $split_length - $split_length % 4;
 
-	// Use the Quoted-Printable encoding for ASCII strings to avoid unnecessary encoding in Base64
-	$encoded_str = $is_ascii ? quoted_printable_encode($str) : base64_encode($str);
+	$line_length = strlen($start) + strlen($end);
+	$line_offset = strlen($start) + 1;
+	$line_data = '';
 
-	// If encoded string meets the limits, we just return with the correct data.
-	if (strlen($encoded_str) <= $split_length)
+	$is_quoted_printable = 'Q' === $scheme;
+
+	preg_match_all('/./us', $str, $chars);
+	$chars = $chars[0] ?? [];
+
+	$str = [];
+	foreach ($chars as $char)
 	{
-		return $start . $encoded_str . $end;
-	}
+		$encoded_char = $is_quoted_printable
+			? $char = preg_replace_callback(
+				'/[=_\?\x20\x00-\x1F\x80-\xFF]/',
+				function ($matches)
+				{
+					$hex = dechex(ord($matches[0]));
+					$hex = strlen($hex) == 1 ? "0$hex" : $hex;
+					return '=' . strtoupper($hex);
+				},
+				$char
+			)
+			: base64_encode($line_data . $char);
 
-	// If there is only ASCII data, we just return what we want, correctly splitting the lines.
-	if ($is_ascii)
-	{
-		return $start . implode($end . $delimiter . $start, str_split($encoded_str, $split_length)) . $end;
-	}
-
-	// UTF-8 data, compose encoded lines
-	$array = utf8_str_split($str);
-	$str = '';
-
-	while (count($array))
-	{
-		$text = '';
-
-		while (count($array) && intval((strlen($text . $array[0]) + 2) / 3) << 2 <= $split_length)
+		if (isset($encoded_char[$split_length - $line_length]))
 		{
-			$text .= array_shift($array);
+			if (!$is_quoted_printable)
+			{
+				$line_data = base64_encode($line_data);
+			}
+			$str[] = $start . $line_data . $end;
+			$line_length = $line_offset;
+			$line_data = '';
 		}
 
-		$str .= $start . base64_encode($text) . $end . $delimiter;
+		$line_data .= $char;
+		$is_quoted_printable && $line_length += strlen($char);
 	}
 
-	return substr($str, 0, -strlen($delimiter));
+	if ($line_data !== '')
+	{
+		if (!$is_quoted_printable)
+		{
+			$line_data = base64_encode($line_data);
+		}
+		$str[] = $start . $line_data . $end;
+	}
+
+	return implode($eol . ' ', $str);
 }
 
 /**
@@ -1906,7 +1925,7 @@ function mail_encode($str, $eol = "\r\n")
  */
 function phpbb_mail($to, $subject, $msg, $headers, $eol, &$err_msg)
 {
-	global $config, $phpbb_root_path, $phpEx;
+	global $config, $phpbb_root_path, $phpEx, $phpbb_dispatcher;
 
 	// Convert Numeric Character References to UTF-8 chars (ie. Emojis)
 	$subject = utf8_decode_ncr($subject);
@@ -1935,8 +1954,54 @@ function phpbb_mail($to, $subject, $msg, $headers, $eol, &$err_msg)
 	 */
 	$additional_parameters = $config['email_force_sender'] ? '-f' . $config['board_email'] : '';
 
+	/**
+	 * Modify data before sending out emails with PHP's mail function
+	 *
+	 * @event core.phpbb_mail_before
+	 * @var	string	to						The message recipient
+	 * @var	string	subject					The message subject
+	 * @var	string	msg						The message text
+	 * @var string	headers					The email headers
+	 * @var string	eol						The endline character
+	 * @var string	additional_parameters	The additional parameters
+	 * @since 3.3.6-RC1
+	 */
+	$vars = [
+		'to',
+		'subject',
+		'msg',
+		'headers',
+		'eol',
+		'additional_parameters',
+	];
+	extract($phpbb_dispatcher->trigger_event('core.phpbb_mail_before', compact($vars)));
+
 	$result = mail($to, mail_encode($subject, ''), wordwrap(utf8_wordwrap($msg), 997, "\n", true), $headers, $additional_parameters);
 
+	/**
+	 * Execute code after sending out emails with PHP's mail function
+	 *
+	 * @event core.phpbb_mail_after
+	 * @var	string	to						The message recipient
+	 * @var	string	subject					The message subject
+	 * @var	string	msg						The message text
+	 * @var string	headers					The email headers
+	 * @var string	eol						The endline character
+	 * @var string	additional_parameters	The additional parameters
+	 * @var bool	result					True if the email was sent, false otherwise
+	 * @since 3.3.6-RC1
+	 */
+	$vars = [
+		'to',
+		'subject',
+		'msg',
+		'headers',
+		'eol',
+		'additional_parameters',
+		'result',
+	];
+	extract($phpbb_dispatcher->trigger_event('core.phpbb_mail_after', compact($vars)));
+
 	$collector->uninstall();
 	$err_msg = $collector->format_errors();
 

phpBB/includes/functions_module.php

@@ -662,7 +662,7 @@ class p_master
 		// Add url_extra parameter to u_action url
 		if (!empty($this->module_ary) && $this->active_module !== false && $this->module_ary[$this->active_module_row_id]['url_extra'])
 		{
-			$this->module->u_action .= $this->module_ary[$this->active_module_row_id]['url_extra'];
+			$this->module->u_action .= '&' . $this->module_ary[$this->active_module_row_id]['url_extra'];
 		}
 
 		// Assign the module path for re-usage
@@ -920,7 +920,7 @@ class p_master
 			}
 
 			// Was not allowed in categories before - /*!$item_ary['cat'] && */
-			$u_title .= (isset($item_ary['url_extra'])) ? $item_ary['url_extra'] : '';
+			$u_title .= (isset($item_ary['url_extra']) && $item_ary['url_extra']) ? '&' . $item_ary['url_extra'] : '';
 
 			// Only output a categories items if it's currently selected
 			if (!$depth || ($depth && (in_array($item_ary['parent'], array_values($this->module_cache['parents'])) || $item_ary['parent'] == $this->p_parent)))

phpBB/includes/functions_posting.php

@@ -813,20 +813,42 @@ function posting_gen_inline_attachments(&$attachment_data)
 }
 
 /**
-* Generate inline attachment entry
-*/
-function posting_gen_attachment_entry($attachment_data, &$filename_data, $show_attach_box = true)
+ * Generate inline attachment entry
+ *
+ * @param array		$attachment_data	The attachment data
+ * @param string	$filename_data		The filename data (filecomment)
+ * @param bool		$show_attach_box	Whether to show the attach box
+ * @param mixed		$forum_id			The forum id to check or false if private message
+ * @return int
+ */
+function posting_gen_attachment_entry($attachment_data, &$filename_data, $show_attach_box = true, $forum_id = false)
 {
-	global $template, $config, $phpbb_root_path, $phpEx, $user, $phpbb_dispatcher;
+	global $template, $cache, $config, $phpbb_root_path, $phpEx, $user, $phpbb_dispatcher;
+
+	$allowed_attachments = array_keys($cache->obtain_attach_extensions($forum_id)['_allowed_']);
 
 	// Some default template variables
-	$template->assign_vars(array(
+	$default_vars = [
 		'S_SHOW_ATTACH_BOX'				=> $show_attach_box,
 		'S_HAS_ATTACHMENTS'				=> count($attachment_data),
 		'FILESIZE'						=> $config['max_filesize'],
 		'FILE_COMMENT'					=> (isset($filename_data['filecomment'])) ? $filename_data['filecomment'] : '',
 		'MAX_ATTACHMENT_FILESIZE'		=> $config['max_filesize'] > 0 ? $user->lang('MAX_ATTACHMENT_FILESIZE', get_formatted_filesize($config['max_filesize'])) : '',
-	));
+		'ALLOWED_ATTACHMENTS'			=> !empty($allowed_attachments) ? implode(',', $allowed_attachments) : '',
+	];
+
+	/**
+	 * Modify default attachments template vars
+	 *
+	 * @event core.modify_default_attachments_template_vars
+	 * @var	array	allowed_attachments		Array containing allowed attachments data
+	 * @var	array	default_vars			Array containing default attachments template vars
+	 * @since 3.3.6-RC1
+	 */
+	$vars = ['allowed_attachments', 'default_vars'];
+	extract($phpbb_dispatcher->trigger_event('core.modify_default_attachments_template_vars', compact($vars)));
+
+	$template->assign_vars($default_vars);
 
 	if (count($attachment_data))
 	{
@@ -1231,11 +1253,11 @@ function topic_review($topic_id, $forum_id, $mode = 'topic_review', $cur_post_id
 			'POST_AUTHOR'			=> get_username_string('username', $poster_id, $row['username'], $row['user_colour'], $row['post_username']),
 			'U_POST_AUTHOR'			=> get_username_string('profile', $poster_id, $row['username'], $row['user_colour'], $row['post_username']),
 
-			'S_HAS_ATTACHMENTS'	=> (!empty($attachments[$row['post_id']])) ? true : false,
-			'S_FRIEND'			=> ($row['friend']) ? true : false,
-			'S_IGNORE_POST'		=> ($row['foe']) ? true : false,
-			'L_IGNORE_POST'		=> ($row['foe']) ? sprintf($user->lang['POST_BY_FOE'], get_username_string('full', $poster_id, $row['username'], $row['user_colour'], $row['post_username']), "<a href=\"{$u_show_post}\" onclick=\"phpbb.toggleDisplay('{$post_anchor}', 1); return false;\">", '</a>') : '',
-			'S_POST_DELETED'	=> ($row['post_visibility'] == ITEM_DELETED) ? true : false,
+			'S_HAS_ATTACHMENTS'	=> !empty($attachments[$row['post_id']]),
+			'S_FRIEND'			=> (bool) $row['friend'],
+			'S_IGNORE_POST'		=> (bool) $row['foe'],
+			'L_IGNORE_POST'		=> $row['foe'] ? $user->lang('POST_BY_FOE', get_username_string('full', $poster_id, $row['username'], $row['user_colour'], $row['post_username']), "<a href=\"{$u_show_post}\" onclick=\"phpbb.toggleDisplay('{$post_anchor}', 1); return false;\">", '</a>') : '',
+			'S_POST_DELETED'	=> $row['post_visibility'] == ITEM_DELETED,
 			'L_DELETE_POST'		=> $l_deleted_message,
 
 			'POST_SUBJECT'		=> $post_subject,

phpBB/includes/functions_user.php

@@ -1575,11 +1575,11 @@ function validate_string($string, $optional = false, $min = 0, $max = 0)
 		return false;
 	}
 
-	if ($min && utf8_strlen(htmlspecialchars_decode($string, ENT_COMPAT)) < $min)
+	if ($min && utf8_strlen(html_entity_decode($string, ENT_COMPAT)) < $min)
 	{
 		return 'TOO_SHORT';
 	}
-	else if ($max && utf8_strlen(htmlspecialchars_decode($string, ENT_COMPAT)) > $max)
+	else if ($max && utf8_strlen(html_entity_decode($string, ENT_COMPAT)) > $max)
 	{
 		return 'TOO_LONG';
 	}

phpBB/includes/mcp/mcp_logs.php

@@ -179,7 +179,7 @@ class mcp_logs
 		$sql_sort = $sort_by_sql[$sort_key] . ' ' . (($sort_dir == 'd') ? 'DESC' : 'ASC');
 
 		$keywords = $request->variable('keywords', '', true);
-		$keywords_param = !empty($keywords) ? '&keywords=' . urlencode(htmlspecialchars_decode($keywords, ENT_COMPAT)) : '';
+		$keywords_param = !empty($keywords) ? '&keywords=' . urlencode(html_entity_decode($keywords, ENT_COMPAT)) : '';
 
 		// Grab log data
 		$log_data = array();

phpBB/includes/mcp/mcp_main.php

@@ -1245,7 +1245,7 @@ function mcp_delete_post($post_ids, $is_soft = false, $soft_delete_reason = '',
 			else
 			{
 				// Remove any post id anchor
-				if ($anchor_pos = (strrpos($redirect, '#p')) !== false)
+				if (($anchor_pos = strrpos($redirect, '#p')) !== false)
 				{
 					$redirect = substr($redirect, 0, $anchor_pos);
 				}

phpBB/includes/mcp/mcp_notes.php

@@ -206,7 +206,7 @@ class mcp_notes
 		$sql_sort = $sort_by_sql[$sk] . ' ' . (($sd == 'd') ? 'DESC' : 'ASC');
 
 		$keywords = $request->variable('keywords', '', true);
-		$keywords_param = !empty($keywords) ? '&keywords=' . urlencode(htmlspecialchars_decode($keywords, ENT_COMPAT)) : '';
+		$keywords_param = !empty($keywords) ? '&keywords=' . urlencode(html_entity_decode($keywords, ENT_COMPAT)) : '';
 
 		$log_data = array();
 		$log_count = 0;

phpBB/includes/message_parser.php

@@ -506,7 +506,7 @@ class bbcode_firstpass extends bbcode
 				}
 
 				// Because highlight_string is specialcharing the text (but we already did this before), we have to reverse this in order to get correct results
-				$code = htmlspecialchars_decode($code, ENT_COMPAT);
+				$code = html_entity_decode($code, ENT_COMPAT);
 				$code = highlight_string($code, true);
 
 				$str_from = array('<span style="color: ', '<font color="syntax', '</font>', '<code>', '</code>','[', ']', '.', ':');
@@ -1247,7 +1247,7 @@ class parse_message extends bbcode_firstpass
 		));
 
 		// Parse this message
-		$this->message = $parser->parse(htmlspecialchars_decode($this->message, ENT_QUOTES));
+		$this->message = $parser->parse(html_entity_decode($this->message, ENT_QUOTES));
 
 		// Remove quotes that are nested too deep
 		if ($config['max_quote_depth'] > 0)

phpBB/includes/questionnaire/questionnaire.php

@@ -150,11 +150,11 @@ class phpbb_questionnaire_system_data_provider
 
 		// Start discovering the IPV4 server address, if available
 		// Try apache, IIS, fall back to 0.0.0.0
-		$server_address = htmlspecialchars_decode($request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0')), ENT_COMPAT);
+		$server_address = html_entity_decode($request->server('SERVER_ADDR', $request->server('LOCAL_ADDR', '0.0.0.0')), ENT_COMPAT);
 
 		return array(
 			'os'	=> PHP_OS,
-			'httpd'	=> htmlspecialchars_decode($request->server('SERVER_SOFTWARE'), ENT_COMPAT),
+			'httpd'	=> html_entity_decode($request->server('SERVER_SOFTWARE'), ENT_COMPAT),
 			// we don't want the real IP address (for privacy policy reasons) but only
 			// a network address to see whether your installation is running on a private or public network.
 			'private_ip'	=> $this->is_private_ip($server_address),

phpBB/includes/ucp/ucp_activate.php

@@ -76,10 +76,12 @@ class ucp_activate
 		if ($update_password)
 		{
 			$sql_ary = array(
-				'user_actkey'		=> '',
-				'user_password'		=> $user_row['user_newpasswd'],
-				'user_newpasswd'	=> '',
-				'user_login_attempts'	=> 0,
+				'user_actkey'				=> '',
+				'user_password'				=> $user_row['user_newpasswd'],
+				'user_newpasswd'			=> '',
+				'user_login_attempts'		=> 0,
+				'reset_token'				=> '',
+				'reset_token_expiration'	=> 0,
 			);
 
 			$sql = 'UPDATE ' . USERS_TABLE . '
@@ -101,8 +103,14 @@ class ucp_activate
 
 			user_active_flip('activate', $user_row['user_id']);
 
-			$sql = 'UPDATE ' . USERS_TABLE . "
-				SET user_actkey = ''
+			$sql_ary = [
+				'user_actkey'				=> '',
+				'reset_token'				=> '',
+				'reset_token_expiration'	=> 0,
+			];
+
+			$sql = 'UPDATE ' . USERS_TABLE . '
+				SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
 				WHERE user_id = {$user_row['user_id']}";
 			$db->sql_query($sql);
 
@@ -134,7 +142,7 @@ class ucp_activate
 			$messenger->anti_abuse_headers($config, $user);
 
 			$messenger->assign_vars(array(
-				'USERNAME'	=> htmlspecialchars_decode($user_row['username'], ENT_COMPAT))
+				'USERNAME'	=> html_entity_decode($user_row['username'], ENT_COMPAT))
 			);
 
 			$messenger->send($user_row['user_notify_type']);

phpBB/includes/ucp/ucp_main.php

@@ -396,23 +396,25 @@ class ucp_main
 						if ($row['forum_last_post_id'])
 						{
 							$last_post_time = $user->format_date($row['forum_last_post_time']);
+							$last_post_time_rfc3339 = gmdate(DATE_RFC3339, $row['forum_last_post_time']);
 							$last_post_url = append_sid("{$phpbb_root_path}viewtopic.$phpEx", "p=" . $row['forum_last_post_id']) . '#p' . $row['forum_last_post_id'];
 						}
 						else
 						{
-							$last_post_time = $last_post_url = '';
+							$last_post_time = $last_post_time_rfc3339 = $last_post_url = '';
 						}
 
 						$template_vars = array(
-							'FORUM_ID'				=> $forum_id,
-							'FORUM_IMG_STYLE'		=> $folder_image,
-							'FORUM_FOLDER_IMG'		=> $user->img($folder_image, $folder_alt),
-							'FORUM_IMAGE'			=> ($row['forum_image']) ? '<img src="' . $phpbb_root_path . $row['forum_image'] . '" alt="' . $user->lang[$folder_alt] . '" />' : '',
-							'FORUM_IMAGE_SRC'		=> ($row['forum_image']) ? $phpbb_root_path . $row['forum_image'] : '',
-							'FORUM_NAME'			=> $row['forum_name'],
-							'FORUM_DESC'			=> generate_text_for_display($row['forum_desc'], $row['forum_desc_uid'], $row['forum_desc_bitfield'], $row['forum_desc_options']),
-							'LAST_POST_SUBJECT'		=> $row['forum_last_post_subject'],
-							'LAST_POST_TIME'		=> $last_post_time,
+							'FORUM_ID'					=> $forum_id,
+							'FORUM_IMG_STYLE'			=> $folder_image,
+							'FORUM_FOLDER_IMG'			=> $user->img($folder_image, $folder_alt),
+							'FORUM_IMAGE'				=> ($row['forum_image']) ? '<img src="' . $phpbb_root_path . $row['forum_image'] . '" alt="' . $user->lang[$folder_alt] . '" />' : '',
+							'FORUM_IMAGE_SRC'			=> ($row['forum_image']) ? $phpbb_root_path . $row['forum_image'] : '',
+							'FORUM_NAME'				=> $row['forum_name'],
+							'FORUM_DESC'				=> generate_text_for_display($row['forum_desc'], $row['forum_desc_uid'], $row['forum_desc_bitfield'], $row['forum_desc_options']),
+							'LAST_POST_SUBJECT'			=> $row['forum_last_post_subject'],
+							'LAST_POST_TIME'			=> $last_post_time,
+							'LAST_POST_TIME_RFC3339'	=> $last_post_time_rfc3339,
 
 							'LAST_POST_AUTHOR'			=> get_username_string('username', $row['forum_last_poster_id'], $row['forum_last_poster_name'], $row['forum_last_poster_colour']),
 							'LAST_POST_AUTHOR_COLOUR'	=> get_username_string('colour', $row['forum_last_poster_id'], $row['forum_last_poster_name'], $row['forum_last_poster_colour']),

phpBB/includes/ucp/ucp_prefs.php

@@ -159,33 +159,23 @@ class ucp_prefs
 				phpbb_timezone_select($template, $user, $data['tz'], true);
 
 				// check if there are any user-selectable languages
-				$sql = 'SELECT COUNT(lang_id) as languages_count
-								FROM ' . LANG_TABLE;
+				$sql = 'SELECT lang_iso, lang_local_name
+					FROM ' . LANG_TABLE . '
+					ORDER BY lang_english_name';
 				$result = $db->sql_query($sql);
-				if ($db->sql_fetchfield('languages_count') > 1)
-				{
-					$s_more_languages = true;
-				}
-				else
-				{
-					$s_more_languages = false;
-				}
+				$lang_row = (array) $db->sql_fetchrowset($result);
 				$db->sql_freeresult($result);
+				$s_more_languages = count($lang_row) > 1;
 
 				// check if there are any user-selectable styles
-				$sql = 'SELECT COUNT(style_id) as styles_count
-								FROM ' . STYLES_TABLE . '
-								WHERE style_active = 1';
+				$sql = 'SELECT style_id, style_name
+					FROM ' . STYLES_TABLE . '
+					WHERE style_active = 1
+					ORDER BY style_name';
 				$result = $db->sql_query($sql);
-				if ($db->sql_fetchfield('styles_count') > 1)
-				{
-					$s_more_styles = true;
-				}
-				else
-				{
-					$s_more_styles = false;
-				}
+				$styles_row = (array) $db->sql_fetchrowset($result);
 				$db->sql_freeresult($result);
+				$s_more_styles = count($styles_row) > 1;
 
 				$template->assign_vars(array(
 					'ERROR'				=> (count($error)) ? implode('<br />', $error) : '',
@@ -205,11 +195,11 @@ class ucp_prefs
 					'DEFAULT_DATEFORMAT'	=> $config['default_dateformat'],
 					'A_DEFAULT_DATEFORMAT'	=> addslashes($config['default_dateformat']),
 
-					'S_MORE_LANGUAGES'	=> $s_more_languages,
+					'S_MORE_LANGUAGES'		=> $s_more_languages,
 					'S_MORE_STYLES'			=> $s_more_styles,
 
-					'S_LANG_OPTIONS'		=> language_select($data['lang']),
-					'S_STYLE_OPTIONS'		=> ($config['override_user_style']) ? '' : style_select($data['user_style']),
+					'S_LANG_OPTIONS'		=> language_select($data['lang'], $lang_row),
+					'S_STYLE_OPTIONS'		=> ($config['override_user_style']) ? '' : style_select($data['user_style'], false, $styles_row),
 					'S_CAN_HIDE_ONLINE'		=> ($auth->acl_get('u_hideonline')) ? true : false,
 					'S_SELECT_NOTIFY'		=> ($config['jab_enable'] && $user->data['user_jabber'] && @extension_loaded('xml')) ? true : false)
 				);

phpBB/includes/ucp/ucp_profile.php

@@ -186,7 +186,7 @@ class ucp_profile
 							$messenger->anti_abuse_headers($config, $user);
 
 							$messenger->assign_vars(array(
-								'USERNAME'		=> htmlspecialchars_decode($data['username'], ENT_COMPAT),
+								'USERNAME'		=> html_entity_decode($data['username'], ENT_COMPAT),
 								'U_ACTIVATE'	=> "$server_url/ucp.$phpEx?mode=activate&u={$user->data['user_id']}&k=$user_actkey")
 							);
 

phpBB/includes/ucp/ucp_register.php

@@ -150,15 +150,11 @@ class ucp_register
 			}
 
 			// Checking amount of available languages
-			$sql = 'SELECT lang_id
-				FROM ' . LANG_TABLE;
+			$sql = 'SELECT lang_iso, lang_local_name
+				FROM ' . LANG_TABLE . '
+				ORDER BY lang_english_name';
 			$result = $db->sql_query($sql);
-
-			$lang_row = array();
-			while ($row = $db->sql_fetchrow($result))
-			{
-				$lang_row[] = $row;
-			}
+			$lang_row = (array) $db->sql_fetchrowset($result);
 			$db->sql_freeresult($result);
 
 			if ($coppa === false && $config['coppa_enable'])
@@ -171,7 +167,7 @@ class ucp_register
 				unset($now);
 
 				$template_vars = array(
-					'S_LANG_OPTIONS'	=> (count($lang_row) > 1) ? language_select($user_lang) : '',
+					'S_LANG_OPTIONS'	=> (count($lang_row) > 1) ? language_select($user_lang, $lang_row) : '',
 					'L_COPPA_NO'		=> $user->lang('UCP_COPPA_BEFORE', $coppa_birthday),
 					'L_COPPA_YES'		=> $user->lang('UCP_COPPA_ON_AFTER', $coppa_birthday),
 
@@ -186,7 +182,7 @@ class ucp_register
 			else
 			{
 				$template_vars = array(
-					'S_LANG_OPTIONS'	=> (count($lang_row) > 1) ? language_select($user_lang) : '',
+					'S_LANG_OPTIONS'	=> (count($lang_row) > 1) ? language_select($user_lang, $lang_row) : '',
 					'L_TERMS_OF_USE'	=> sprintf($user->lang['TERMS_OF_USE_CONTENT'], $config['sitename'], generate_board_url()),
 
 					'S_SHOW_COPPA'		=> false,
@@ -367,7 +363,7 @@ class ucp_register
 					$config['require_activation'] == USER_ACTIVATION_SELF ||
 					$config['require_activation'] == USER_ACTIVATION_ADMIN) && $config['email_enable'])
 				{
-					$user_actkey = gen_rand_string(mt_rand(6, 10));
+					$user_actkey = strtolower(gen_rand_string(32));
 					$user_type = USER_INACTIVE;
 					$user_inactive_reason = INACTIVE_REGISTER;
 					$user_inactive_time = time();
@@ -472,9 +468,9 @@ class ucp_register
 					$messenger->anti_abuse_headers($config, $user);
 
 					$messenger->assign_vars(array(
-						'WELCOME_MSG'	=> htmlspecialchars_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
-						'USERNAME'		=> htmlspecialchars_decode($data['username'], ENT_COMPAT),
-						'PASSWORD'		=> htmlspecialchars_decode($data['new_password'], ENT_COMPAT),
+						'WELCOME_MSG'	=> html_entity_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
+						'USERNAME'		=> html_entity_decode($data['username'], ENT_COMPAT),
+						'PASSWORD'		=> html_entity_decode($data['new_password'], ENT_COMPAT),
 						'U_ACTIVATE'	=> "$server_url/ucp.$phpEx?mode=activate&u=$user_id&k=$user_actkey")
 					);
 
@@ -633,6 +629,14 @@ class ucp_register
 		// Assign template vars for timezone select
 		phpbb_timezone_select($template, $user, $data['tz'], true);
 
+		// Checking amount of available languages
+		$sql = 'SELECT lang_iso, lang_local_name
+			FROM ' . LANG_TABLE . '
+			ORDER BY lang_english_name';
+		$result = $db->sql_query($sql);
+		$lang_row = (array) $db->sql_fetchrowset($result);
+		$db->sql_freeresult($result);
+
 		$template_vars = array(
 			'USERNAME'			=> $data['username'],
 			'PASSWORD'			=> $data['new_password'],
@@ -643,7 +647,7 @@ class ucp_register
 			'L_USERNAME_EXPLAIN'		=> $user->lang($config['allow_name_chars'] . '_EXPLAIN', $user->lang('CHARACTERS', (int) $config['min_name_chars']), $user->lang('CHARACTERS', (int) $config['max_name_chars'])),
 			'L_PASSWORD_EXPLAIN'		=> $user->lang($config['pass_complex'] . '_EXPLAIN', $user->lang('CHARACTERS', (int) $config['min_pass_chars'])),
 
-			'S_LANG_OPTIONS'	=> language_select($data['lang']),
+			'S_LANG_OPTIONS'	=> (count($lang_row) > 1) ? language_select($data['lang'], $lang_row) : '',
 			'S_TZ_PRESELECT'	=> !$submit,
 			'S_CONFIRM_REFRESH'	=> ($config['enable_confirm'] && $config['confirm_refresh']) ? true : false,
 			'S_REGISTRATION'	=> true,

phpBB/includes/ucp/ucp_resend.php

@@ -99,8 +99,8 @@ class ucp_resend
 				$messenger->anti_abuse_headers($config, $user);
 
 				$messenger->assign_vars(array(
-					'WELCOME_MSG'	=> htmlspecialchars_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
-					'USERNAME'		=> htmlspecialchars_decode($user_row['username'], ENT_COMPAT),
+					'WELCOME_MSG'	=> html_entity_decode(sprintf($user->lang['WELCOME_SUBJECT'], $config['sitename']), ENT_COMPAT),
+					'USERNAME'		=> html_entity_decode($user_row['username'], ENT_COMPAT),
 					'U_ACTIVATE'	=> generate_board_url() . "/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k={$user_row['user_actkey']}")
 				);
 
@@ -134,7 +134,7 @@ class ucp_resend
 					$messenger->anti_abuse_headers($config, $user);
 
 					$messenger->assign_vars(array(
-						'USERNAME'			=> htmlspecialchars_decode($user_row['username'], ENT_COMPAT),
+						'USERNAME'			=> html_entity_decode($user_row['username'], ENT_COMPAT),
 						'U_USER_DETAILS'	=> generate_board_url() . "/memberlist.$phpEx?mode=viewprofile&u={$user_row['user_id']}",
 						'U_ACTIVATE'		=> generate_board_url() . "/ucp.$phpEx?mode=activate&u={$user_row['user_id']}&k={$user_row['user_actkey']}")
 					);

phpBB/install/convertors/convert_phpbb20.php

@@ -38,7 +38,7 @@ $dbms = $phpbb_config_php_file->convert_30_dbms_to_31($dbms);
 $convertor_data = array(
 	'forum_name'	=> 'phpBB 2.0.x',
 	'version'		=> '1.0.3',
-	'phpbb_version'	=> '3.3.5',
+	'phpbb_version'	=> '3.3.8',
 	'author'		=> '<a href="https://www.phpbb.com/">phpBB Limited</a>',
 	'dbms'			=> $dbms,
 	'dbhost'		=> $dbhost,

phpBB/install/phpbbcli.php

@@ -23,7 +23,7 @@ if (php_sapi_name() !== 'cli')
 define('IN_PHPBB', true);
 define('IN_INSTALL', true);
 define('PHPBB_ENVIRONMENT', 'production');
-define('PHPBB_VERSION', '3.3.5');
+define('PHPBB_VERSION', '3.3.8');
 $phpbb_root_path = __DIR__ . '/../';
 $phpEx = substr(strrchr(__FILE__, '.'), 1);
 

phpBB/install/schemas/schema_data.sql

@@ -316,7 +316,7 @@ INSERT INTO phpbb_config (config_name, config_value) VALUES ('update_hashes_lock
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_icons_path', 'images/upload_icons');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('upload_path', 'files');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('use_system_cron', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.3.5');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('version', '3.3.8');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_expire_days', '90');
 INSERT INTO phpbb_config (config_name, config_value) VALUES ('warnings_gc', '14400');
 

phpBB/language/en/acp/attachments.php

@@ -170,4 +170,5 @@ $lang = array_merge($lang, array(
 	'UPLOAD_DIR_EXPLAIN'			=> 'Storage path for attachments. Please note that if you change this directory while already having uploaded attachments you need to manually copy the files to their new location.',
 	'UPLOAD_ICON'					=> 'Upload icon',
 	'UPLOAD_NOT_DIR'				=> 'The upload location you specified does not appear to be a directory.',
+	'UPLOAD_POST_NOT_EXIST'			=> 'File “%1$s” can not be uploaded to post number %2$d as the post does not exist.',
 ));

phpBB/language/en/common.php

@@ -432,6 +432,7 @@ $lang = array_merge($lang, array(
 	'MESSAGE'				=> 'Message',
 	'MESSAGES'				=> 'Messages',
 	'MESSAGES_COUNT'		=> array(
+		0	=> 'unlimited messages',
 		1	=> '%d message',
 		2	=> '%d messages',
 	),
@@ -603,7 +604,7 @@ $lang = array_merge($lang, array(
 	'POSTS_UNAPPROVED_FORUM'=> 'At least one post in this forum has not been approved.',
 	'POST_BY_AUTHOR'		=> 'by',
 	'POST_BY_FOE'			=> '<strong>%1$s</strong>, who is currently on your ignore list, made this post.',
-	'POST_DISPLAY'			=> '%1$sDisplay this post%2$s.',
+	'POST_DISPLAY'			=> 'Display this post',
 	'POST_DAY'				=> '%.2f posts per day',
 	'POST_DELETED_ACTION'	=> 'Deleted post:',
 	'POST_DELETED'			=> 'This post has been deleted.',

phpBB/language/en/install.php

@@ -347,7 +347,7 @@ $lang = array_merge($lang, array(
 // Common updater messages
 $lang = array_merge($lang, array(
 	'UPDATE_INSTALLATION'			=> 'Update phpBB installation',
-	'UPDATE_INSTALLATION_EXPLAIN'	=> 'With this option, it is possible to update your phpBB installation to the latest version.<br />During the process all of your files will be checked for their integrity. You are able to review all differences and files before the update.<br /><br />The file update itself can be done in two different ways.</p><h2>Manual Update</h2><p>With this update you only download your personal set of changed files to make sure you do not lose your file modifications you may have done. After you downloaded this package you need to manually upload the files to their correct position under your phpBB root directory. Once done, you are able to do the file check stage again to see if you moved the files to their correct location.</p><h2>Automatic Update with FTP</h2><p>This method is similar to the first one but without the need to download the changed files and uploading them on your own. This will be done for you. In order to use this method you need to know your FTP login details since you will be asked for them. Once finished you will be redirected to the file check again to make sure everything got updated correctly.<br /><br />',
+	'UPDATE_INSTALLATION_EXPLAIN'	=> 'With this option, it is possible to update your phpBB installation to the latest version.<br />During the process all of your files will be checked for their integrity. You are able to review all differences and files before the update.<br /><br />The file update itself can be done in two different ways.</p><h2>Manual Update</h2><p>With this update you only download your personal set of changed files to make sure you do not lose your file modifications you may have done. After you downloaded this package you need to manually upload the files to their correct position under your phpBB root directory. Once done, you are able to do the file check stage again to see if you moved the files to their correct location.</p><h2>Advanced Update with FTP</h2><p>This method is similar to the first one but without the need to download the changed files and uploading them on your own. This will be done for you. In order to use this method you need to know your FTP login details since you will be asked for them. Once finished you will be redirected to the file check again to make sure everything got updated correctly.<br /><br />',
 	'UPDATE_INSTRUCTIONS'			=> '
 
 		<h1>Release announcement</h1>
@@ -358,7 +358,7 @@ $lang = array_merge($lang, array(
 
 		<h1>How to update your installation with the Full Package</h1>
 
-		<p>The recommended way of updating your installation is using the full package. If core phpBB files have been modified in your installation you may wish to use the automatic update package in order to not lose these changes. You are also able to update your installation using the other methods listed within the INSTALL.html document. The steps for updating phpBB3 using the full package are:</p>
+		<p>The recommended way of updating your installation is using the full package. If core phpBB files have been modified in your installation you may wish to use the advanced update package in order to not lose these changes. You are also able to update your installation using the other methods listed within the INSTALL.html document. The steps for updating phpBB3 using the full package are:</p>
 
 		<ol style="margin-left: 20px; font-size: 1.1em;">
 			<li><strong class="error">Backup all board files and the database.</strong></li>
@@ -379,12 +379,12 @@ $lang = array_merge($lang, array(
 			<li>Update your style<br><br></li>
 		</ul>
 
-		<h1>How to update your installation with the Automatic Update Package</h1>
+		<h1>How to update your installation with the Advanced Update Package</h1>
 
-		<p>The automatic update package is only recommended in case core phpBB files have been modified in your installation. You are also able to update your installation using the methods listed within the INSTALL.html document. The steps for updating phpBB3 using the automatic update package are:</p>
+		<p>The advanced update package is only recommended for expert users in case core phpBB files have been modified in your installation. You are also able to update your installation using the methods listed within the INSTALL.html document. The steps for updating phpBB3 using the advanced update package are:</p>
 
 		<ol style="margin-left: 20px; font-size: 1.1em;">
-			<li>Go to the <a href="https://www.phpbb.com/downloads/" title="https://www.phpbb.com/downloads/">phpBB.com downloads page</a> and download the "Automatic Update Package" archive.</li>
+			<li>Go to the <a href="https://www.phpbb.com/downloads/" title="https://www.phpbb.com/downloads/">phpBB.com downloads page</a> and download the "Advanced Update Package" archive.</li>
 			<li>Unpack the archive.</li>
 			<li>Upload the complete uncompressed "install" and "vendor" folders to your phpBB root directory (where your config.php file is).<br><br></li>
 		</ol>

phpBB/language/en/migrator.php

@@ -77,5 +77,6 @@ $lang = array_merge($lang, array(
 	'PARENT_MODULE_FIND_ERROR'			=> 'Unable to determine the parent module identifier: %s',
 	'PERMISSION_NOT_EXIST'				=> 'The permission setting "%s" unexpectedly does not exist.',
 
+	'ROLE_ASSIGNED_NOT_EXIST'			=> 'The permission role assigned to group "%1$s" unexpectedly does not exist. Role id: "%2$s"',
 	'ROLE_NOT_EXIST'					=> 'The permission role "%s" unexpectedly does not exist.',
 ));

phpBB/memberlist.php

@@ -442,16 +442,16 @@ switch ($mode)
 						$messenger = new messenger(false);
 
 						$messenger->template('profile_send_im', $row['user_lang']);
-						$messenger->subject(htmlspecialchars_decode($subject, ENT_COMPAT));
+						$messenger->subject(html_entity_decode($subject, ENT_COMPAT));
 
 						$messenger->replyto($user->data['user_email']);
 						$messenger->set_addresses($row);
 
 						$messenger->assign_vars(array(
 							'BOARD_CONTACT'	=> phpbb_get_board_contact($config, $phpEx),
-							'FROM_USERNAME'	=> htmlspecialchars_decode($user->data['username'], ENT_COMPAT),
-							'TO_USERNAME'	=> htmlspecialchars_decode($row['username'], ENT_COMPAT),
-							'MESSAGE'		=> htmlspecialchars_decode($message, ENT_COMPAT))
+							'FROM_USERNAME'	=> html_entity_decode($user->data['username'], ENT_COMPAT),
+							'TO_USERNAME'	=> html_entity_decode($row['username'], ENT_COMPAT),
+							'MESSAGE'		=> html_entity_decode($message, ENT_COMPAT))
 						);
 
 						$messenger->send(NOTIFY_IM);
@@ -804,8 +804,8 @@ switch ($mode)
 			'S_USER_NOTES'				=> ($user_notes_enabled) ? true : false,
 			'S_WARN_USER'				=> ($warn_user_enabled) ? true : false,
 			'S_ZEBRA'					=> ($user->data['user_id'] != $user_id && $user->data['is_registered'] && $zebra_enabled) ? true : false,
-			'U_ADD_FRIEND'				=> (!$friend && !$foe && $friends_enabled) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=zebra&add=' . urlencode(htmlspecialchars_decode($member['username'], ENT_COMPAT))) : '',
-			'U_ADD_FOE'					=> (!$friend && !$foe && $foes_enabled) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=zebra&mode=foes&add=' . urlencode(htmlspecialchars_decode($member['username'], ENT_COMPAT))) : '',
+			'U_ADD_FRIEND'				=> (!$friend && !$foe && $friends_enabled) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=zebra&add=' . urlencode(html_entity_decode($member['username'], ENT_COMPAT))) : '',
+			'U_ADD_FOE'					=> (!$friend && !$foe && $foes_enabled) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=zebra&mode=foes&add=' . urlencode(html_entity_decode($member['username'], ENT_COMPAT))) : '',
 			'U_REMOVE_FRIEND'			=> ($friend && $friends_enabled) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=zebra&remove=1&usernames[]=' . $user_id) : '',
 			'U_REMOVE_FOE'				=> ($foe && $foes_enabled) ? append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=zebra&remove=1&mode=foes&usernames[]=' . $user_id) : '',
 
@@ -987,7 +987,7 @@ switch ($mode)
 		{
 			$user_list[] = [
 				'user_id'		=> (int) $row['user_id'],
-				'result'		=> htmlspecialchars_decode($row['username']),
+				'result'		=> html_entity_decode($row['username']),
 				'username_full'	=> get_username_string('full', $row['user_id'], $row['username'], $row['user_colour']),
 				'display'		=> get_username_string('no_profile', $row['user_id'], $row['username'], $row['user_colour']),
 			];

phpBB/phpbb/auth/provider/apache.php

@@ -73,7 +73,7 @@ class apache extends base
 	 */
 	public function init()
 	{
-		if (!$this->request->is_set('PHP_AUTH_USER', request_interface::SERVER) || $this->user->data['username'] !== htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT))
+		if (!$this->request->is_set('PHP_AUTH_USER', request_interface::SERVER) || $this->user->data['username'] !== html_entity_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT))
 		{
 			return $this->language->lang('APACHE_SETUP_BEFORE_USE');
 		}
@@ -113,8 +113,8 @@ class apache extends base
 			);
 		}
 
-		$php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT);
-		$php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'), ENT_COMPAT);
+		$php_auth_user = html_entity_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT);
+		$php_auth_pw = html_entity_decode($this->request->server('PHP_AUTH_PW'), ENT_COMPAT);
 
 		if (!empty($php_auth_user) && !empty($php_auth_pw))
 		{
@@ -180,8 +180,8 @@ class apache extends base
 			return array();
 		}
 
-		$php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT);
-		$php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW'), ENT_COMPAT);
+		$php_auth_user = html_entity_decode($this->request->server('PHP_AUTH_USER'), ENT_COMPAT);
+		$php_auth_pw = html_entity_decode($this->request->server('PHP_AUTH_PW'), ENT_COMPAT);
 
 		if (!empty($php_auth_user) && !empty($php_auth_pw))
 		{

phpBB/phpbb/auth/provider/ldap.php

@@ -83,7 +83,7 @@ class ldap extends base
 
 		if ($this->config['ldap_user'] || $this->config['ldap_password'])
 		{
-			if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_password'], ENT_COMPAT)))
+			if (!@ldap_bind($ldap, html_entity_decode($this->config['ldap_user'], ENT_COMPAT), html_entity_decode($this->config['ldap_password'], ENT_COMPAT)))
 			{
 				return $this->language->lang('LDAP_INCORRECT_USER_PASSWORD');
 			}
@@ -92,11 +92,11 @@ class ldap extends base
 		// ldap_connect only checks whether the specified server is valid, so the connection might still fail
 		$search = @ldap_search(
 			$ldap,
-			htmlspecialchars_decode($this->config['ldap_base_dn'], ENT_COMPAT),
+			html_entity_decode($this->config['ldap_base_dn'], ENT_COMPAT),
 			$this->ldap_user_filter($this->user->data['username']),
 			(empty($this->config['ldap_email'])) ?
-				array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT)) :
-				array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_email'], ENT_COMPAT)),
+				array(html_entity_decode($this->config['ldap_uid'], ENT_COMPAT)) :
+				array(html_entity_decode($this->config['ldap_uid'], ENT_COMPAT), html_entity_decode($this->config['ldap_email'], ENT_COMPAT)),
 			0,
 			1
 		);
@@ -115,7 +115,7 @@ class ldap extends base
 			return $this->language->lang('LDAP_NO_IDENTITY', $this->user->data['username']);
 		}
 
-		if (!empty($this->config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($this->config['ldap_email'])]))
+		if (!empty($this->config['ldap_email']) && !isset($result[0][html_entity_decode($this->config['ldap_email'])]))
 		{
 			return $this->language->lang('LDAP_NO_EMAIL');
 		}
@@ -180,7 +180,7 @@ class ldap extends base
 
 		if ($this->config['ldap_user'] || $this->config['ldap_password'])
 		{
-			if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_password'], ENT_COMPAT)))
+			if (!@ldap_bind($ldap, html_entity_decode($this->config['ldap_user'], ENT_COMPAT), html_entity_decode($this->config['ldap_password'], ENT_COMPAT)))
 			{
 				return array(
 					'status'		=> LOGIN_ERROR_EXTERNAL_AUTH,
@@ -192,11 +192,11 @@ class ldap extends base
 
 		$search = @ldap_search(
 			$ldap,
-			htmlspecialchars_decode($this->config['ldap_base_dn'], ENT_COMPAT),
+			html_entity_decode($this->config['ldap_base_dn'], ENT_COMPAT),
 			$this->ldap_user_filter($username),
 			(empty($this->config['ldap_email'])) ?
-				array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT)) :
-				array(htmlspecialchars_decode($this->config['ldap_uid'], ENT_COMPAT), htmlspecialchars_decode($this->config['ldap_email'], ENT_COMPAT)),
+				array(html_entity_decode($this->config['ldap_uid'], ENT_COMPAT)) :
+				array(html_entity_decode($this->config['ldap_uid'], ENT_COMPAT), html_entity_decode($this->config['ldap_email'], ENT_COMPAT)),
 			0,
 			1
 		);
@@ -205,7 +205,7 @@ class ldap extends base
 
 		if (is_array($ldap_result) && count($ldap_result) > 1)
 		{
-			if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password, ENT_COMPAT)))
+			if (@ldap_bind($ldap, $ldap_result[0]['dn'], html_entity_decode($password, ENT_COMPAT)))
 			{
 				@ldap_close($ldap);
 
@@ -257,7 +257,7 @@ class ldap extends base
 					$ldap_user_row = array(
 						'username'		=> $username,
 						'user_password'	=> '',
-						'user_email'	=> (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'], ENT_COMPAT)][0]) : '',
+						'user_email'	=> (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][html_entity_decode($this->config['ldap_email'], ENT_COMPAT)][0]) : '',
 						'group_id'		=> (int) $row['group_id'],
 						'user_type'		=> USER_NORMAL,
 						'user_ip'		=> $this->user->ip,
@@ -337,7 +337,7 @@ class ldap extends base
 	 */
 	private function ldap_user_filter($username)
 	{
-		$filter = '(' . $this->config['ldap_uid'] . '=' . $this->ldap_escape(htmlspecialchars_decode($username, ENT_COMPAT)) . ')';
+		$filter = '(' . $this->config['ldap_uid'] . '=' . $this->ldap_escape(html_entity_decode($username, ENT_COMPAT)) . ')';
 		if ($this->config['ldap_user_filter'])
 		{
 			$_filter = ($this->config['ldap_user_filter'][0] == '(' && substr($this->config['ldap_user_filter'], -1) == ')') ? $this->config['ldap_user_filter'] : "({$this->config['ldap_user_filter']})";

phpBB/phpbb/cache/service.php

@@ -18,6 +18,12 @@ namespace phpbb\cache;
 */
 class service
 {
+	/** @var string Name of event used for cache purging */
+	private const PURGE_DEFERRED_ON_EVENT = 'core.garbage_collection';
+
+	/** @var bool Flag whether cache purge has been deferred */
+	private $cache_purge_deferred = false;
+
 	/**
 	* Cache driver.
 	*
@@ -39,6 +45,9 @@ class service
 	*/
 	protected $db;
 
+	/** @var \phpbb\event\dispatcher phpBB Event dispatcher */
+	protected $dispatcher;
+
 	/**
 	* Root path.
 	*
@@ -59,14 +68,16 @@ class service
 	* @param \phpbb\cache\driver\driver_interface $driver The cache driver
 	* @param \phpbb\config\config $config The config
 	* @param \phpbb\db\driver\driver_interface $db Database connection
+	* @param \phpbb\event\dispatcher $dispatcher Event dispatcher
 	* @param string $phpbb_root_path Root path
 	* @param string $php_ext PHP file extension
 	*/
-	public function __construct(\phpbb\cache\driver\driver_interface $driver, \phpbb\config\config $config, \phpbb\db\driver\driver_interface $db, $phpbb_root_path, $php_ext)
+	public function __construct(\phpbb\cache\driver\driver_interface $driver, \phpbb\config\config $config, \phpbb\db\driver\driver_interface $db, \phpbb\event\dispatcher $dispatcher, $phpbb_root_path, $php_ext)
 	{
 		$this->set_driver($driver);
 		$this->config = $config;
 		$this->db = $db;
+		$this->dispatcher = $dispatcher;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
 	}
@@ -81,6 +92,25 @@ class service
 		return $this->driver;
 	}
 
+	/**
+	 * Deferred purge of the cache.
+	 *
+	 * A deferred purge will be executed after rendering a page.
+	 * It is recommended to be used in cases where an instant purge of the cache
+	 * is not required, i.e. when the goal of a cache purge is to start from a
+	 * clear cache at the next page load.
+	 *
+	 * @return void
+	 */
+	public function deferred_purge(): void
+	{
+		if (!$this->cache_purge_deferred)
+		{
+			$this->dispatcher->addListener(self::PURGE_DEFERRED_ON_EVENT, [$this, 'purge']);
+			$this->cache_purge_deferred = true;
+		}
+	}
+
 	/**
 	* Replaces the cache driver used by this cache service.
 	*

phpBB/phpbb/config/db.php

@@ -170,9 +170,9 @@ class db extends config
 		if (!isset($this->config[$key]))
 		{
 			$sql = 'INSERT INTO ' . $this->table . ' ' . $this->db->sql_build_array('INSERT', array(
-				'config_name'	=> $this->db->sql_escape($key),
-				'config_value'	=> $this->db->sql_escape($new_value),
-				'is_dynamic'	=> ($use_cache) ? 0 : 1));
+				'config_name'	=> $key,
+				'config_value'	=> $new_value,
+				'is_dynamic'	=> $use_cache ? 0 : 1));
 			$this->db->sql_query($sql);
 		}
 

phpBB/phpbb/console/command/user/activate.php

@@ -209,7 +209,7 @@ class activate extends command
 			$messenger->set_addresses($user_row);
 			$messenger->anti_abuse_headers($this->config, $this->user);
 			$messenger->assign_vars(array(
-					'USERNAME'	=> htmlspecialchars_decode($user_row['username'], ENT_COMPAT))
+					'USERNAME'	=> html_entity_decode($user_row['username'], ENT_COMPAT))
 			);
 
 			$messenger->send(NOTIFY_EMAIL);

phpBB/phpbb/console/command/user/add.php

@@ -312,9 +312,9 @@ class add extends command
 		$messenger->to($this->data['email'], $this->data['username']);
 		$messenger->anti_abuse_headers($this->config, $this->user);
 		$messenger->assign_vars(array(
-			'WELCOME_MSG' => htmlspecialchars_decode($this->language->lang('WELCOME_SUBJECT', $this->config['sitename']), ENT_COMPAT),
-			'USERNAME'    => htmlspecialchars_decode($this->data['username'], ENT_COMPAT),
-			'PASSWORD'    => htmlspecialchars_decode($this->data['new_password'], ENT_COMPAT),
+			'WELCOME_MSG' => html_entity_decode($this->language->lang('WELCOME_SUBJECT', $this->config['sitename']), ENT_COMPAT),
+			'USERNAME'    => html_entity_decode($this->data['username'], ENT_COMPAT),
+			'PASSWORD'    => html_entity_decode($this->data['new_password'], ENT_COMPAT),
 			'U_ACTIVATE'  => generate_board_url() . "/ucp.{$this->php_ext}?mode=activate&u=$user_id&k=$user_actkey")
 		);
 

phpBB/phpbb/controller/helper.php

@@ -363,8 +363,8 @@ class helper
 
 			if ($task)
 			{
-				$url = $task->get_url();
-				$this->template->assign_var('RUN_CRON_TASK', '<img src="' . $url . '" width="1" height="1" alt="cron" />');
+				$cron_task_tag = $task->get_html_tag();
+				$this->template->assign_var('RUN_CRON_TASK', $cron_task_tag);
 			}
 			else
 			{

phpBB/phpbb/cron/manager.php

@@ -59,6 +59,11 @@ class manager
 	 */
 	protected $php_ext;
 
+	/**
+	 * @var \phpbb\template\template
+	 */
+	protected $template;
+
 	/**
 	* Constructor. Loads all available tasks.
 	*
@@ -66,13 +71,15 @@ class manager
 	* @param helper $routing_helper Routing helper
 	* @param string $phpbb_root_path Relative path to phpBB root
 	* @param string $php_ext PHP file extension
+	* @param \phpbb\template\template $template
 	*/
-	public function __construct(ContainerInterface $phpbb_container, helper $routing_helper, $phpbb_root_path, $php_ext)
+	public function __construct(ContainerInterface $phpbb_container, helper $routing_helper, $phpbb_root_path, $php_ext, $template)
 	{
 		$this->phpbb_container = $phpbb_container;
 		$this->routing_helper = $routing_helper;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
+		$this->template = $template;
 	}
 
 	/**
@@ -193,6 +200,6 @@ class manager
 	*/
 	public function wrap_task(\phpbb\cron\task\task $task)
 	{
-		return new wrapper($task, $this->routing_helper, $this->phpbb_root_path, $this->php_ext);
+		return new wrapper($task, $this->routing_helper, $this->phpbb_root_path, $this->php_ext, $this->template);
 	}
 }

phpBB/phpbb/cron/task/wrapper.php

@@ -41,6 +41,11 @@ class wrapper
 	 */
 	protected $php_ext;
 
+	/**
+	 * @var \phpbb\template\template
+	 */
+	protected $template;
+
 	/**
 	* Constructor.
 	*
@@ -50,13 +55,15 @@ class wrapper
 	* @param helper	$routing_helper		Routing helper for route generation
 	* @param string	$phpbb_root_path	Relative path to phpBB root
 	* @param string	$php_ext			PHP file extension
+	* @param \phpbb\template\template	$template
 	*/
-	public function __construct(task $task, helper $routing_helper, $phpbb_root_path, $php_ext)
+	public function __construct(task $task, helper $routing_helper, $phpbb_root_path, $php_ext, $template)
 	{
 		$this->task = $task;
 		$this->routing_helper = $routing_helper;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
+		$this->template = $template;
 	}
 
 	/**
@@ -105,6 +112,23 @@ class wrapper
 		return $this->routing_helper->route('phpbb_cron_run', $params);
 	}
 
+	/**
+	 * Returns HTML for an invisible `img` tag that can be displayed on page
+	 * load to trigger a request to the relevant cron task endpoint.
+	 *
+	 * @return string       HTML to render to trigger cron task
+	 */
+	public function get_html_tag()
+	{
+		$this->template->set_filenames([
+			'cron_html_tag' => 'cron.html',
+		]);
+
+		$this->template->assign_var('CRON_TASK_URL', $this->get_url());
+
+		return $this->template->assign_display('cron_html_tag');
+	}
+
 	/**
 	* Forwards all other method calls to the wrapped task implementation.
 	*

phpBB/phpbb/db/driver/sqlite3.php

@@ -390,7 +390,7 @@ class sqlite3 extends \phpbb\db\driver\driver
 				{
 					$html_table = false;
 
-					if ($result = $this->dbo->query("EXPLAIN QUERY PLAN $explain_query"))
+					if ($result = @$this->dbo->query("EXPLAIN QUERY PLAN $explain_query"))
 					{
 						while ($row = $result->fetchArray(SQLITE3_ASSOC))
 						{

phpBB/phpbb/db/migration/data/v33x/profilefield_youtube_update.php

@@ -0,0 +1,82 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v33x;
+
+class profilefield_youtube_update extends \phpbb\db\migration\migration
+{
+	protected $youtube_url_matcher = 'https:\\/\\/(www\\.)?youtube\\.com\\/.+';
+
+	public function effectively_installed()
+	{
+		$profile_fields = $this->table_prefix . 'profile_fields';
+
+		$result = $this->db->sql_query(
+			"SELECT field_validation
+				FROM $profile_fields
+				WHERE field_name = 'phpbb_youtube'"
+		);
+
+		$row = $this->db->sql_fetchrow($result);
+		$this->db->sql_freeresult($result);
+
+		return $row['field_validation'] === $this->youtube_url_matcher;
+	}
+
+	public static function depends_on()
+	{
+		return ['\phpbb\db\migration\data\v33x\v337'];
+	}
+
+	public function update_data()
+	{
+		return [['custom', [[$this, 'update_youtube_profile_field']]]];
+	}
+
+	public function update_youtube_profile_field()
+	{
+		$profile_fields = $this->table_prefix . 'profile_fields';
+		$profile_fields_data = $this->table_prefix . 'profile_fields_data';
+
+		$field_validation = $this->db->sql_escape($this->youtube_url_matcher);
+
+		$min_length = strlen('https://youtube.com/c/') + 1;
+
+		$this->db->sql_query(
+			"UPDATE $profile_fields SET
+				field_length = '40',
+				field_minlen = '$min_length',
+				field_maxlen = '255',
+				field_validation = '$field_validation',
+				field_contact_url = '%s'
+				WHERE field_name = 'phpbb_youtube'"
+		);
+
+		$yt_profile_field = 'pf_phpbb_youtube';
+		$prepend_legacy_youtube_url = $this->db->sql_concatenate(
+			"'https://youtube.com/user/'", $yt_profile_field
+		);
+		$is_not_already_youtube_url = $this->db->sql_not_like_expression(
+			$this->db->get_any_char()
+				. 'youtube.com/'
+				. $this->db->get_any_char()
+		);
+
+		$this->db->sql_query(
+			"UPDATE $profile_fields_data SET
+				$yt_profile_field = $prepend_legacy_youtube_url
+				WHERE $yt_profile_field <> ''
+				AND $yt_profile_field $is_not_already_youtube_url"
+		);
+	}
+}

phpBB/phpbb/db/migration/data/v33x/remove_orphaned_roles.php

@@ -0,0 +1,81 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v33x;
+
+class remove_orphaned_roles extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return ['\phpbb\db\migration\data\v33x\v335'];
+	}
+
+	public function update_data()
+	{
+		return [
+			['custom', [[$this, 'acl_remove_orphaned_roles']]],
+		];
+	}
+
+	public function acl_remove_orphaned_roles()
+	{
+		$role_ids = [];
+		$auth_role_ids = [];
+
+		$sql = 'SELECT auth_role_id
+			FROM ' . ACL_GROUPS_TABLE . '
+			WHERE auth_role_id <> 0
+				AND forum_id = 0';
+		$result = $this->db->sql_query($sql);
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			$auth_role_ids[] = $row['auth_role_id'];
+		}
+		$this->db->sql_freeresult($result);
+
+		if (count($auth_role_ids))
+		{
+			$sql = 'SELECT role_id
+				FROM ' . ACL_ROLES_TABLE . '
+				WHERE ' . $this->db->sql_in_set('role_id', $auth_role_ids);
+			$result = $this->db->sql_query($sql);
+			while ($row = $this->db->sql_fetchrow($result))
+			{
+				$role_ids[] = $row['role_id'];
+			}
+			$this->db->sql_freeresult($result);
+		}
+
+		$non_existent_role_ids = array_diff($auth_role_ids, $role_ids);
+
+		// Nothing to do, there are no non-existent roles assigned to groups
+		if (empty($non_existent_role_ids))
+		{
+			return true;
+		}
+
+		// Remove assigned non-existent roles from users and groups
+		$sql = 'DELETE FROM ' . ACL_USERS_TABLE . '
+			WHERE ' . $this->db->sql_in_set('auth_role_id', $non_existent_role_ids);
+		$this->db->sql_query($sql);
+
+		$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
+			WHERE ' . $this->db->sql_in_set('auth_role_id', $non_existent_role_ids);
+		$this->db->sql_query($sql);
+
+		$auth = new \phpbb\auth\auth();
+		$auth->acl_clear_prefetch();
+
+		return true;
+	}
+}

phpBB/phpbb/db/migration/data/v33x/v336.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v336 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return version_compare($this->config['version'], '3.3.6', '>=');
+	}
+
+	public static function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v33x\v336rc1',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['config.update', ['version', '3.3.6']],
+		];
+	}
+}

phpBB/phpbb/db/migration/data/v33x/v336rc1.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v336rc1 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return version_compare($this->config['version'], '3.3.6-RC1', '>=');
+	}
+
+	public static function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v33x\remove_orphaned_roles',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['config.update', ['version', '3.3.6-RC1']],
+		];
+	}
+}

phpBB/phpbb/db/migration/data/v33x/v337.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v337 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return version_compare($this->config['version'], '3.3.7', '>=');
+	}
+
+	public static function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v33x\v336',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['config.update', ['version', '3.3.7']],
+		];
+	}
+}

phpBB/phpbb/db/migration/data/v33x/v338.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v338 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return version_compare($this->config['version'], '3.3.8', '>=');
+	}
+
+	public static function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v33x\v338rc1',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['config.update', ['version', '3.3.8']],
+		];
+	}
+}

phpBB/phpbb/db/migration/data/v33x/v338rc1.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v33x;
+
+class v338rc1 extends \phpbb\db\migration\migration
+{
+	public function effectively_installed()
+	{
+		return version_compare($this->config['version'], '3.3.8-RC1', '>=');
+	}
+
+	public static function depends_on()
+	{
+		return [
+			'\phpbb\db\migration\data\v33x\profilefield_youtube_update',
+		];
+	}
+
+	public function update_data()
+	{
+		return [
+			['config.update', ['version', '3.3.8-RC1']],
+		];
+	}
+}

phpBB/phpbb/db/migration/tool/permission.php

@@ -21,6 +21,9 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 	/** @var \phpbb\auth\auth */
 	protected $auth;
 
+	/** @var \includes\acp\auth\auth_admin */
+	protected $auth_admin;
+
 	/** @var \phpbb\cache\service */
 	protected $cache;
 
@@ -49,6 +52,12 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 		$this->auth = $auth;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
+
+		if (!class_exists('auth_admin'))
+		{
+			include($this->phpbb_root_path . 'includes/acp/auth.' . $this->php_ext);
+		}
+		$this->auth_admin = new \auth_admin();
 	}
 
 	/**
@@ -118,12 +127,6 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 		// We've added permissions, so set to true to notify the user.
 		$this->permissions_added = true;
 
-		if (!class_exists('auth_admin'))
-		{
-			include($this->phpbb_root_path . 'includes/acp/auth.' . $this->php_ext);
-		}
-		$auth_admin = new \auth_admin();
-
 		// We have to add a check to see if the !$global (if global, local, and if local, global) permission already exists.  If it does, acl_add_option currently has a bug which would break the ACL system, so we are having a work-around here.
 		if ($this->exists($auth_option, !$global))
 		{
@@ -140,19 +143,19 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 		{
 			if ($global)
 			{
-				$auth_admin->acl_add_option(array('global' => array($auth_option)));
+				$this->auth_admin->acl_add_option(array('global' => array($auth_option)));
 			}
 			else
 			{
-				$auth_admin->acl_add_option(array('local' => array($auth_option)));
+				$this->auth_admin->acl_add_option(array('local' => array($auth_option)));
 			}
 		}
 
 		// The permission has been added, now we can copy it if needed
-		if ($copy_from && isset($auth_admin->acl_options['id'][$copy_from]))
+		if ($copy_from && isset($this->auth_admin->acl_options['id'][$copy_from]))
 		{
-			$old_id = $auth_admin->acl_options['id'][$copy_from];
-			$new_id = $auth_admin->acl_options['id'][$auth_option];
+			$old_id = $this->auth_admin->acl_options['id'][$copy_from];
+			$new_id = $this->auth_admin->acl_options['id'][$auth_option];
 
 			$tables = array(ACL_GROUPS_TABLE, ACL_ROLES_DATA_TABLE, ACL_USERS_TABLE);
 
@@ -177,7 +180,7 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 				}
 			}
 
-			$auth_admin->acl_clear_prefetch();
+			$this->auth_admin->acl_clear_prefetch();
 		}
 	}
 
@@ -291,6 +294,8 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 
 		$sql = 'INSERT INTO ' . ACL_ROLES_TABLE . ' ' . $this->db->sql_build_array('INSERT', $sql_ary);
 		$this->db->sql_query($sql);
+
+		return $this->db->sql_nextid();
 	}
 
 	/**
@@ -327,6 +332,66 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 			return;
 		}
 
+		// Get the role type
+		$sql = 'SELECT role_type
+			FROM ' . ACL_ROLES_TABLE . '
+			WHERE role_id = ' . (int) $role_id;
+		$result = $this->db->sql_query($sql);
+		$role_type = $this->db->sql_fetchfield('role_type');
+		$this->db->sql_freeresult($result);
+
+		// Get complete auth array
+		$sql = 'SELECT auth_option, auth_option_id
+			FROM ' . ACL_OPTIONS_TABLE . "
+			WHERE auth_option " . $this->db->sql_like_expression($role_type . $this->db->get_any_char());
+		$result = $this->db->sql_query($sql);
+
+		$auth_settings = [];
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			$auth_settings[$row['auth_option']] = ACL_NO;
+		}
+		$this->db->sql_freeresult($result);
+
+		// Get the role auth settings we need to re-set...
+		$sql = 'SELECT o.auth_option, r.auth_setting
+			FROM ' . ACL_ROLES_DATA_TABLE . ' r, ' . ACL_OPTIONS_TABLE . ' o
+			WHERE o.auth_option_id = r.auth_option_id
+				AND r.role_id = ' . (int) $role_id;
+		$result = $this->db->sql_query($sql);
+
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			$auth_settings[$row['auth_option']] = $row['auth_setting'];
+		}
+		$this->db->sql_freeresult($result);
+
+		// Get role assignments
+		$hold_ary = $this->auth_admin->get_role_mask($role_id);
+
+		// Re-assign permissions
+		foreach ($hold_ary as $forum_id => $forum_ary)
+		{
+			if (isset($forum_ary['users']))
+			{
+				$this->auth_admin->acl_set('user', $forum_id, $forum_ary['users'], $auth_settings, 0, false);
+			}
+
+			if (isset($forum_ary['groups']))
+			{
+				$this->auth_admin->acl_set('group', $forum_id, $forum_ary['groups'], $auth_settings, 0, false);
+			}
+		}
+
+		// Remove role from users and groups just to be sure (happens through acl_set)
+		$sql = 'DELETE FROM ' . ACL_USERS_TABLE . '
+			WHERE auth_role_id = ' . $role_id;
+		$this->db->sql_query($sql);
+
+		$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
+			WHERE auth_role_id = ' . $role_id;
+		$this->db->sql_query($sql);
+
 		$sql = 'DELETE FROM ' . ACL_ROLES_DATA_TABLE . '
 			WHERE role_id = ' . $role_id;
 		$this->db->sql_query($sql);
@@ -425,6 +490,11 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 						WHERE role_id = ' . $role_id;
 					$this->db->sql_query($sql);
 					$role_data = $this->db->sql_fetchrow();
+					if (!$role_data)
+					{
+						throw new \phpbb\db\migration\exception('ROLE_ASSIGNED_NOT_EXIST', $name, $role_id);
+					}
+
 					$role_name = $role_data['role_name'];
 					$role_type = $role_data['role_type'];
 
@@ -571,6 +641,10 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 						WHERE role_id = ' . $role_id;
 					$this->db->sql_query($sql);
 					$role_name = $this->db->sql_fetchfield('role_name');
+					if (!$role_name)
+					{
+						throw new \phpbb\db\migration\exception('ROLE_ASSIGNED_NOT_EXIST', $name, $role_id);
+					}
 
 					return $this->permission_unset($role_name, $auth_option, 'role');
 				}

phpBB/phpbb/di/container_builder.php

@@ -229,7 +229,7 @@ class container_builder
 				}
 			}
 
-			if ($this->compile_container && $this->config_php_file)
+			if ($this->config_php_file)
 			{
 				$this->container->set('config.php', $this->config_php_file);
 			}

phpBB/phpbb/di/extension/container_configuration.php

@@ -40,6 +40,7 @@ class container_configuration implements ConfigurationInterface
 						->booleanNode('sql_explain')->defaultValue(false)->end()
 						->booleanNode('memory')->defaultValue(false)->end()
 						->booleanNode('show_errors')->defaultValue(false)->end()
+						->booleanNode('error_handler')->defaultValue(false)->end()
 					->end()
 				->end()
 				->arrayNode('twig')

phpBB/phpbb/event/md_exporter.php

@@ -364,6 +364,64 @@ class md_exporter
 		return $rst_exporter->get_rst_output();
 	}
 
+	/**
+	 * Format the md events as BBCode list
+	 *
+	 * @param string $action
+	 * @return string		Events BBCode
+	 */
+	public function export_events_for_bbcode(string $action = ''): string
+	{
+		if ($this->filter === 'adm')
+		{
+			if ($action === 'diff')
+			{
+				$bbcode_text = "[size=150]ACP Template Events[/size]\n";
+			}
+			else
+			{
+				$bbcode_text = "[size=200]ACP Template Events[/size]\n";
+			}
+		}
+		else
+		{
+			if ($action === 'diff')
+			{
+				$bbcode_text = "[size=150]Template Events[/size]\n";
+			}
+			else
+			{
+				$bbcode_text = "[size=200]Template Events[/size]\n";
+			}
+		}
+
+		if (!count($this->events))
+		{
+			return $bbcode_text . "[list][*][i]None[/i][/list]\n";
+		}
+
+		foreach ($this->events as $event_name => $event)
+		{
+			$bbcode_text .= "[list]\n";
+			$bbcode_text .= "[*][b]{$event_name}[/b]\n";
+
+			if ($this->filter === 'adm')
+			{
+				$bbcode_text .= "Placement: " . implode(', ', $event['files']['adm']) . "\n";
+			}
+			else
+			{
+				$bbcode_text .= "Prosilver Placement: " . implode(', ', $event['files']['prosilver']) . "\n";
+			}
+
+			$bbcode_text .= "Added in Release: {$event['since']}\n";
+			$bbcode_text .= "Explanation: {$event['description']}\n";
+			$bbcode_text .= "[/list]\n";
+		}
+
+		return $bbcode_text;
+	}
+
 	/**
 	* Validates a template event name
 	*

phpBB/phpbb/event/php_exporter.php

@@ -207,6 +207,37 @@ class php_exporter
 		return $rst_exporter->get_rst_output();
 	}
 
+	/**
+	 * Format the PHP events as a BBCode list
+	 *
+	 * @param string $action
+	 * @return string
+	 */
+	public function export_events_for_bbcode(string $action = ''): string
+	{
+		if ($action === 'diff')
+		{
+			$bbcode_text = '[size=150]PHP Events[/size]' . "\n";
+		}
+		else
+		{
+			$bbcode_text = '[size=200]PHP Events[/size]' . "\n";
+		}
+
+		foreach ($this->events as $event)
+		{
+			$bbcode_text .= "[list]\n";
+			$bbcode_text .= "[*][b]{$event['event']}[/b]\n";
+			$bbcode_text .= "Placement: {$event['file']}\n";
+			$bbcode_text .= 'Arguments: ' . implode(', ', $event['arguments']) . "\n";
+			$bbcode_text .= "Added in Release: {$event['since']}\n";
+			$bbcode_text .= "Explanation: {$event['description']}\n";
+			$bbcode_text .= "[/list]\n";
+		}
+
+		return $bbcode_text;
+	}
+
 	/**
 	* @param string $file
 	* @return int Number of events found in this file

phpBB/phpbb/extension/manager.php

@@ -197,7 +197,7 @@ class manager
 
 		if ($this->cache)
 		{
-			$this->cache->purge();
+			$this->cache->deferred_purge();
 		}
 	}
 

phpBB/phpbb/install/helper/iohandler/ajax_iohandler.php

@@ -418,7 +418,7 @@ class ajax_iohandler extends iohandler_base
 
 		if ($msg !== null)
 		{
-			$link_properties['msg'] = htmlspecialchars_decode($this->language->lang($msg), ENT_COMPAT);
+			$link_properties['msg'] = html_entity_decode($this->language->lang($msg), ENT_COMPAT);
 		}
 
 		$this->download[] = $link_properties;

phpBB/phpbb/install/helper/iohandler/iohandler_base.php

@@ -108,7 +108,7 @@ abstract class iohandler_base implements iohandler_interface
 	{
 		if (!is_array($error_title) && strpos($error_title, '<br />') !== false)
 		{
-			$error_title = strip_tags(htmlspecialchars_decode($error_title, ENT_COMPAT));
+			$error_title = strip_tags(html_entity_decode($error_title, ENT_COMPAT));
 		}
 		$this->errors[] = $this->translate_message($error_title, $error_description);
 	}

phpBB/phpbb/install/module/install_finish/task/notify_user.php

@@ -120,8 +120,8 @@ class notify_user extends \phpbb\install\task_base
 			$messenger->to($this->config['board_email'], $this->install_config->get('admin_name'));
 			$messenger->anti_abuse_headers($this->config, $this->user);
 			$messenger->assign_vars(array(
-					'USERNAME'		=> htmlspecialchars_decode($this->install_config->get('admin_name'), ENT_COMPAT),
-					'PASSWORD'		=> htmlspecialchars_decode($this->install_config->get('admin_passwd'), ENT_COMPAT))
+					'USERNAME'		=> html_entity_decode($this->install_config->get('admin_name'), ENT_COMPAT),
+					'PASSWORD'		=> html_entity_decode($this->install_config->get('admin_passwd'), ENT_COMPAT))
 			);
 			$messenger->send(NOTIFY_EMAIL);
 		}

phpBB/phpbb/install/module/obtain_data/task/obtain_server_data.php

@@ -54,7 +54,7 @@ class obtain_server_data extends \phpbb\install\task_base implements \phpbb\inst
 		$server_port = $this->io_handler->get_server_variable('SERVER_PORT', 0);
 
 		// HTTP_HOST is having the correct browser url in most cases...
-		$server_name = strtolower(htmlspecialchars_decode($this->io_handler->get_header_variable(
+		$server_name = strtolower(html_entity_decode($this->io_handler->get_header_variable(
 			'Host',
 			$this->io_handler->get_server_variable('SERVER_NAME')
 		), ENT_COMPAT));
@@ -65,11 +65,11 @@ class obtain_server_data extends \phpbb\install\task_base implements \phpbb\inst
 			$server_name = substr($server_name, 0, strpos($server_name, ':'));
 		}
 
-		$script_path = htmlspecialchars_decode($this->io_handler->get_server_variable('PHP_SELF'), ENT_COMPAT);
+		$script_path = html_entity_decode($this->io_handler->get_server_variable('PHP_SELF'), ENT_COMPAT);
 
 		if (!$script_path)
 		{
-			$script_path = htmlspecialchars_decode($this->io_handler->get_server_variable('REQUEST_URI'), ENT_COMPAT);
+			$script_path = html_entity_decode($this->io_handler->get_server_variable('REQUEST_URI'), ENT_COMPAT);
 		}
 
 		$script_path = str_replace(array('\\', '//'), '/', $script_path);

phpBB/phpbb/install/module/obtain_data/task/obtain_update_ftp_data.php

@@ -87,7 +87,7 @@ class obtain_update_ftp_data extends task_base
 
 			$ftp_host = $this->iohandler->get_input('ftp_host', '', true);
 			$ftp_user = $this->iohandler->get_input('ftp_user', '', true);
-			$ftp_pass = htmlspecialchars_decode($this->iohandler->get_input('ftp_pass', '', true), ENT_COMPAT);
+			$ftp_pass = html_entity_decode($this->iohandler->get_input('ftp_pass', '', true), ENT_COMPAT);
 			$ftp_path = $this->iohandler->get_input('ftp_path', '', true);
 			$ftp_port = $this->iohandler->get_input('ftp_port', 21);
 			$ftp_time = $this->iohandler->get_input('ftp_timeout', 10);

phpBB/phpbb/message/message.php

@@ -262,13 +262,13 @@ class message
 				$messenger->headers('X-AntiAbuse: Username - ' . $this->sender_username);
 			}
 
-			$messenger->subject(htmlspecialchars_decode($this->subject, ENT_COMPAT));
+			$messenger->subject(html_entity_decode($this->subject, ENT_COMPAT));
 
 			$messenger->assign_vars(array(
 				'BOARD_CONTACT'	=> $contact,
-				'TO_USERNAME'	=> htmlspecialchars_decode($recipient['to_name'], ENT_COMPAT),
-				'FROM_USERNAME'	=> htmlspecialchars_decode($this->sender_name, ENT_COMPAT),
-				'MESSAGE'		=> htmlspecialchars_decode($this->body, ENT_COMPAT))
+				'TO_USERNAME'	=> html_entity_decode($recipient['to_name'], ENT_COMPAT),
+				'FROM_USERNAME'	=> html_entity_decode($this->sender_name, ENT_COMPAT),
+				'MESSAGE'		=> html_entity_decode($this->body, ENT_COMPAT))
 			);
 
 			if (count($this->template_vars))

phpBB/phpbb/message/topic_form.php

@@ -122,7 +122,7 @@ class topic_form extends form
 
 		$this->message->set_template('email_notify');
 		$this->message->set_template_vars(array(
-			'TOPIC_NAME'	=> htmlspecialchars_decode($this->topic_row['topic_title'], ENT_COMPAT),
+			'TOPIC_NAME'	=> html_entity_decode($this->topic_row['topic_title'], ENT_COMPAT),
 			'U_TOPIC'		=> generate_board_url() . '/viewtopic.' . $this->phpEx . '?t=' . $this->topic_id,
 		));
 		$this->message->set_body($this->body);

phpBB/phpbb/mimetype/extension_guesser.php

@@ -163,7 +163,6 @@ class extension_guesser extends guesser_base
 		'ivr'		=> 'i-world/i-vrml',
 		'ivy'		=> 'application/x-livescreen',
 		'jam'		=> 'audio/x-jam',
-		'jav'		=> 'text/plain',
 		'jav'		=> 'text/x-java-source',
 		'java'		=> 'text/x-java-source',
 		'jcm'		=> 'application/x-java-commerce',

phpBB/phpbb/notification/manager.php

@@ -255,9 +255,36 @@ class manager
 			'ignore_users'		=> array(),
 		), $options);
 
+		$notified_users = [];
+		$add_notifications_override = false;
+
+		/**
+		* Get notification data before find_users_for_notification() execute
+		*
+		* @event core.notification_manager_add_notifications_before
+		* @var	bool			add_notifications_override	Flag indicating whether function should return after event
+		* @var	array|string	notification_type_name		Type identifier or array of item types
+		* @var	string			data						Data specific for this notification type that will be inserted
+		* @var	array 			notified_users				Array of notified users
+		* @var	string			options						Optional options to control what notifications are loaded
+		* @since 3.3.6-RC1
+		*/
+		$vars = [
+			'add_notifications_override',
+			'notification_type_name',
+			'data',
+			'notified_users',
+			'options',
+		];
+		extract($this->phpbb_dispatcher->trigger_event('core.notification_manager_add_notifications_before', compact($vars)));
+
+		if ($add_notifications_override)
+		{
+			return $notified_users;
+		}
+
 		if (is_array($notification_type_name))
 		{
-			$notified_users = array();
 			$temp_options = $options;
 
 			foreach ($notification_type_name as $type)

phpBB/phpbb/notification/type/admin_activate_user.php

@@ -150,7 +150,7 @@ class admin_activate_user extends \phpbb\notification\type\base
 		$username = $this->user_loader->get_username($this->item_id, 'username');
 
 		return array(
-			'USERNAME'			=> htmlspecialchars_decode($username, ENT_COMPAT),
+			'USERNAME'			=> html_entity_decode($username, ENT_COMPAT),
 			'U_USER_DETAILS'	=> "{$board_url}/memberlist.{$this->php_ext}?mode=viewprofile&u={$this->item_id}",
 			'U_ACTIVATE'		=> "{$board_url}/ucp.{$this->php_ext}?mode=activate&u={$this->item_id}&k={$this->get_data('user_actkey')}",
 		);