messagesystem: Makes zorg Messaging work again

Author: zTheArchitect

app/templates/layout/partials/messages/messages_list.tpl

@@ -4,35 +4,35 @@
 	<strong>Ausgew&auml;hlte Nachricht wurde gel&ouml;scht</strong>
 </div>
 {/if}
-<form name="inboxform" method="POST" action="{$form_action}">
+<style>
+	table .messages > tbody > tr:nth-child(odd){ldelim}background-color:{$smarty.const.TABLEBACKGROUNDCOLOR}{rdelim}
+	table .messages > tbody > .new{ldelim}background-color:{$smarty.const.NEWCOMMENTCOLOR} !important{rdelim}
+	table .messages > tbody > .my{ldelim}background-color:{$smarty.const.OWNCOMMENTCOLOR} !important{rdelim}
+</style>
+<table class="border messages" width="100%">{assign var="cols_total" value=5}
+	<thead>
+		<tr>
+			<th align="right" colspan="{$cols_total-2}">
+				<h3>{if $box == 'inbox'}
+					Empfangen / <a href="{get_changed_url change="box=outbox&user_id=`$user->id`"}">Gesendet</a>
+				{elseif $box == 'outbox'}
+					<a href="{get_changed_url change="box=inbox&user_id=`$user->id`"}">Empfangen</a> / Gesendet
+				{/if}</h3>
+			</th>
+			<th align="right" colspan="{$cols_total-3}">
+				<a href="/profil.php?do=newmsg&user_id={$user->id}"><button class="button primary" name="button_newMessage" style="float:right;">Neue Nachricht</button></a>
+			</th>
+		</tr>
+		<tr>
+			<th style="width:5%"><input class="button" onClick="selectAllMessages();" type="button" value="Alle"></th>
+			<th style="width:20%"><a href="{get_changed_url change="sort=date&order=asc"}">Datum</a></th>
+			<th style="width:35%;text-align:left;"><a href="{get_changed_url change="sort=subject"}">Message</a></th>
+			<th style="width:15%"><a href="{get_changed_url change="sort=from_user_id"}">Sender</a></th>
+			<th style="width:25%">Empf&auml;nger</th>
+		</tr>
+	</thead>
+	<form name="inboxform" method="POST" action="{$form_action}">
 	<input type="hidden" name="url" value="{$form_url}">
-	<style>
-		table .messages > tbody > tr:nth-child(odd){ldelim}background-color:{$smarty.const.TABLEBACKGROUNDCOLOR}{rdelim}
-		table .messages > tbody > .new{ldelim}background-color:{$smarty.const.NEWCOMMENTCOLOR} !important{rdelim}
-		table .messages > tbody > .my{ldelim}background-color:{$smarty.const.OWNCOMMENTCOLOR} !important{rdelim}
-	</style>
-	<table class="border messages" width="100%">{assign var="cols_total" value=5}
-		<thead>
-			<tr>
-				<th align="right" colspan="{$cols_total-2}">
-					<h3>{if $box == 'inbox'}
-						Empfangen / <a href="{get_changed_url change='box=outbox'}">Gesendet</a>
-					{elseif $box == 'outbox'}
-						<a href="{get_changed_url change='box=inbox'}">Empfangen</a> / Gesendet
-					{/if}</h3>
-				</th>
-				<th align="right" colspan="{$cols_total-3}">
-					<a href="{get_changed_url change="do=newmsg"}{*$newmsg_url*}"><button class="button primary" name="button_newMessage" style="float:right;">Neue Nachricht</button></a>
-				</th>
-			</tr>
-			<tr>
-				<th style="width:5%"><input class="button" onClick="selectAllMessages();" type="button" value="Alle"></th>
-				<th style="width:20%"><a href="{get_changed_url change="sort=date&order=asc"}">Datum</a></th>
-				<th style="width:35%;text-align:left;"><a href="{get_changed_url change="sort=subject"}">Message</a></th>
-				<th style="width:15%"><a href="{get_changed_url change="sort=from_user_id"}">Sender</a></th>
-				<th style="width:25%">Empf&auml;nger</th>
-			</tr>
-		</thead>
 		<tbody>
 		{section name='message' loop=$messages}
 			<tr {if $messages[message].isread == 0}class="new"{elseif $messages[message].from_user_id == $user->id}class="my"{/if}>
@@ -89,5 +89,5 @@
 				</td>
 			</tr>
 		</tfoot>
-	</table>
-</form>
+	</form>
+</table>

public/.htaccess

@@ -15,9 +15,11 @@ ErrorDocument 500 /error_static.html
 	RewriteRule smarty.php / [R=301,QSA,NC,NE,L]
 
 	# Pretty URL for User Profile page
+	# Redirect /user/X to /profil.php?user_id=X (preserve other params)
 	# https://httpd.apache.org/docs/trunk/rewrite/remapping.html#rewrite-query
-	RewriteCond %{QUERY_STRING} user_id=([0-9]+)
-	RewriteRule profil.php /user/%1 [R=301,QSA,L]
+	RewriteRule ^user/([^/]+)/?$ /profil.php?user_id=$1 [R=301,QSA,NC,L]
+	# Redirect /user to /profil.php (preserve query params)
+	RewriteRule ^user/?$ /profil.php [R=301,QSA,NC,L]
 
 	# Pretty URL for Bugtracker Bug pages
 	RewriteCond %{QUERY_STRING} bug_id=([0-9]+)

public/includes/messagesystem.inc.php

@@ -47,11 +47,12 @@ class Messagesystem
 	 *
 	 * Controller für diverse Message Actions
 	 *
-	 * @version 2.2
+	 * @version 2.3
 	 * @since 1.0 `[z]milamber` method added
 	 * @since 2.0 `IneX` code optimizations
 	 * @since 2.1 `04.04.2021` `IneX` fixed wrong check if own message, and PHP Deprecated: Non-static method Messagesystem::sendMessage()
 	 * @since 2.2 `04.12.2024` `IneX` fixed passing NULL to htmlspecialchars_decode() stringg parameter is deprecated
+	 * @since 2.3 `15.11.2025` `IneX` Code hardenings
 	 *
 	 * @uses BARBARA_HARRIS
 	 * @uses Messagesystem::sendMessage()
@@ -64,7 +65,7 @@ static function execActions($doAction=null)
 		global $user;
 
 		/** Validate parameters */
-		$doAction = filter_var($doAction, FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null;
+		$doAction = filter_var($doAction, FILTER_SANITIZE_SPECIAL_CHARS) ?? null;
 		zorgDebugger::log()->debug('$doAction: %s', [$doAction]);
 		if (isset($_POST['message_id']) && is_array($_POST['message_id'])) { // $_POST['message_id'] (multiple)
 			$i=0;
@@ -78,7 +79,7 @@ static function execActions($doAction=null)
 		$deleteMessageId = filter_input(INPUT_POST, 'delete_message_id', FILTER_VALIDATE_INT) ?? null; // $_POST['delete_message_id']
 		$msgSubject = htmlspecialchars_decode(filter_input(INPUT_POST, 'subject', FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?: '', ENT_COMPAT | ENT_SUBSTITUTE);
 		$msgText = htmlspecialchars_decode(filter_input(INPUT_POST, 'text', FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?: '', ENT_COMPAT | ENT_SUBSTITUTE);
-		$headerLocation = base64url_decode(filter_input(INPUT_POST, 'url', FILTER_SANITIZE_FULL_SPECIAL_CHARS)) ?? sprintf('%s/user/%d?box=inbox', SITE_URL, $user->id);
+		$headerLocation = base64url_decode(filter_input(INPUT_POST, 'url', FILTER_SANITIZE_ENCODED)) ?? sprintf('%s/user/%d?box=inbox', SITE_URL, $user->id);
 		zorgDebugger::log()->debug('header() Location: %s', [$headerLocation]);
 
 		if($doAction === 'sendmessage')
@@ -206,7 +207,7 @@ static function execActions($doAction=null)
 	 * @param integer $deleter_userid User-ID welcher die Nachricht(en) löscht
 	 * @global object $db Globales Class-Object mit allen MySQL-Methoden
 	 */
-	function deleteMessage($messageid, $deleter_userid)
+	static function deleteMessage($messageid, $deleter_userid)
 	{
 		global $db;
 
@@ -328,12 +329,9 @@ static function getFormDelete($id)
 	 *
 	 * Baut das HTML-Formular um eine neue Nachrichten zu versenden
 	 *
-	 * @author [z]milamber
-	 * @author IneX
-	 * @date 23.06.2018
 	 * @version 2.0
-	 * @since 1.0 initial method release
-	 * @since 2.0 frontend is now a template - as it should be
+	 * @since 1.0 `[z]milamber`initial method release
+	 * @since 2.0 `23.06.2018` `IneX` frontend is now a template - as it should be
 	 *
 	 * @param string $to_users Alle Empfänger der Nachricht
 	 * @param string $subject Titel der Nachricht
@@ -348,11 +346,11 @@ static function getFormSend($to_users, $subject, $text, $delete_message_id=0)
 		global $user, $smarty;
 
 		$smarty->assign('form_action', base64url_decode(getURL()));
-		$smarty->assign('form_url', getURL());
+		$smarty->assign('form_url', base64url_encode('/profil.php?user_id='.strval($user->id).'&box=outbox'));
 		$smarty->assign('subject', $subject);
 		$smarty->assign('text', $text);
 		$smarty->assign('userlist', $user->getFormFieldUserlist('to_users[]', 15, $to_users, 4));
-		$smarty->assign('backlink_url', '/user/'.$user->id.'?box=inbox');
+		$smarty->assign('backlink_url', '/profil.php?user_id='.strval($user->id).'&box=inbox');
 		$smarty->assign('delete_message_id', $delete_message_id);
 
 		return $smarty->fetch('file:layout/partials/messages/messages_send.tpl');
@@ -632,7 +630,7 @@ static function getPrevMessageid($id)
 	 * @global object $db Globales Class-Object mit allen MySQL-Methoden
 	 * @return boolean	Returns true or false, depening on the susccessful execution
 	 */
-	function sendMessage($from_user_id, $owner, $subject, $text='', $to_users='', $isread='0')
+	static function sendMessage($from_user_id, $owner, $subject, $text='', $to_users='', $isread='0')
 	{
 		global $db, $notification;
 

public/includes/notifications.inc.php

@@ -124,8 +124,14 @@ public function send($user_id, $notification_source, $content)
 					/** Validate $content for $notification_type 'message' */
 					if (!empty($content['message']) && !is_numeric($content['message']) && !is_array($content['message']))
 					{
+						/** If $notification_source is 'messagesystem' add some more Context for Telegram */
+						if ($notification_source === 'messagesystem')
+						{
+							$zMessageSenderName = (isset($content['from_user_id']) ? $user->id2user($content['from_user_id'], true) : 'someone');
+							$content['subject'] = sprintf('<blockquote>zorg Message from %s</blockquote>\n%s', $zMessageSenderName, $content['subject']);
+						}
 						/** Send notification */
-						$content['parameters'] = ['disable_web_page_preview' => 'false']; // TODO TEMP - REMOVE LATER! / Re-enabled because don't know why disabled... [17.01.2024/IneX]
+						$content['parameters'] = ['disable_web_page_preview' => 'false'];
 						if (isset($content['subject']) && !empty($content['subject'])) $content['message'] = $content['subject'].': '.$content['message']; // Merge Subject + Message
 						$telegram->send->message($user_id, $content['message'], $content['parameters']);
 					} else {

public/includes/telegrambot.inc.php

@@ -100,7 +100,7 @@ public function send($userScope, $messageType, $content)
 		if (isset($botconfigs) && is_array($botconfigs))
 		{
 			/** Get the corresponding Telegram Chat-ID */
-			if (DEVELOPMENT) error_log(sprintf('[DEBUG] <%s:%d> $userScope: %s', __METHOD__, __LINE__, $userScope));
+			zorgDebugger::log()->debug('$userScope: %s', [$userScope]);
 			switch ($userScope)
 			{
 				/** USER: If $userScope = User-ID: get the Telegram Chat-ID */
@@ -125,7 +125,7 @@ public function send($userScope, $messageType, $content)
 			/** When we got a Telegram Chat-ID... */
 			if (!empty($telegramChatId))
 			{
-				if (DEVELOPMENT) error_log(sprintf('[DEBUG] <%s:%d> found Telegram Chat-ID: %s', __METHOD__, __LINE__, $telegramChatId));
+				zorgDebugger::log()->debug('Found Telegram Chat-ID: %s', [$telegramChatId]);
 
 				/** Build API Call */
 				$parameters = array_merge( $content, [ 'chat_id' => $telegramChatId ] );
@@ -262,13 +262,13 @@ public function formatText($notificationText)
 		/**
 		 * Strip away all HTML-tags & unix line breaks
 		 * Except from the whitelist:
-		 * <b>, <strong>, <i>, <em>, <a>, <code>, <pre>
+		 * <a>, <b>, <blockquote>, <code>, <em>, <i>, <pre>, <strong>
 		 * -> However: "Tags must not be nested"!
 		 */
 		$notificationText = stripslashes($notificationText); // remove escaping slashes
 		$notificationText = str_replace(array('&nbsp;', '  '), ' ', $notificationText); // spaces
 		$notificationText = str_replace(array("\r\n", "\r\n ", "\r", "\r ", "\n "), "\n", $notificationText); // line-breaks
-		$notificationText = remove_html($notificationText, '<b><strong><i><em><a><code><pre>'); // html-tags
+		$notificationText = remove_html($notificationText, '<b><strong><i><em><a><code><pre><blockquote>'); // html-tags
 
 		/**
 		 * Cleanup nested HTML-Tags, e.g. <a ...><i>text</i></a>

public/includes/usersystem.inc.php

@@ -1264,35 +1264,38 @@ function userImage($userid, $large=false)
 	/**
 	 * Retrieve list of Users for Notification-Messages in Comments or Personal Messages
 	 *
-	 * @deprecated
-	 *
-	 * @author IneX
-	 * @date 26.12.2017
-	 *
-	 * @TODO remove this function 'getFormFieldUserlist()' & make sure to remove all references in corresponding files pointing to it
+	 * // TODO Make this method obsolete / deprecated once all forms referencing it support inline "@mention" / IneX
+	 *
+	 * @1.6
+	 * @version 1.0 method added
+	 * @version 1.5 `26.12.2017` `IneX` Corde hardening, and using SQL prepared statement
+	 * @version 1.5 `26.12.2017` `IneX` Corde hardening, and using SQL prepared statement
+	 *
+	 * @param string $name Name to use for the Select-Container
+	 * @param integer $size (Optional) Column-based Width of the Select-Container. Default: 15 (cols)
+	 * @param array $users_selected Array (Optional) with User-IDs that should be pre-selected. Default: none
+	 * @param integer $tabindex (Optional) Keyboard Tabbing index of the element. Default: 10
+	 * @return string Full HTML-markup of the Select-Container
 	 */
-	function getFormFieldUserlist($name, $size, $users_selected=0, $tabindex=10) {
+	function getFormFieldUserlist($name, $size=15, $users_selected=0, $tabindex=10) {
 		global $db;
 
 		/** Wenn User ganz neue Message schreibt */
-		if (empty($users_selected) || $users_selected === 0) $users_selected = [];
+		if (empty($users_selected)) $users_selected = [];
+		/** Make an Array, if comma-separated String - or only 1 value (UserID) provided */
+		else if (!is_array($users_selected)) $users_selected = explode(',', $users_selected);
 
-		/** check and make an Array, if necessary */
-		if (!is_array($users_selected)) // Fixes: PHP Warning: strpos() expects parameter 1 to be string, array given
-		{
-			if (strpos($users_selected, ',') !== false) $users_selected = explode(',', $users_selected);
-		}
 		/** Remove any duplicate User-IDs */
 		$users_selected = array_unique($users_selected);
 
-		$sql = 'SELECT id, clan_tag, username FROM user'
-				.' WHERE UNIX_TIMESTAMP(lastlogin) > (UNIX_TIMESTAMP(NOW())-?)'
-				.' OR z_gremium = "1" OR (vereinsmitglied != "0" AND vereinsmitglied != "")'
-				.(!empty($users_selected) ? ' OR id IN (?)' : null)
+		$sql = 'SELECT id, clan_tag, username FROM user
+				WHERE UNIX_TIMESTAMP(lastlogin) > (UNIX_TIMESTAMP(NOW())-?)
+				OR z_gremium = "1" OR (vereinsmitglied != "0" AND vereinsmitglied != "")
+				'.(!empty($users_selected) ? ' OR id IN (?)' : null)
 				.' ORDER BY clan_tag DESC, username ASC'
 		;
-		$params = [ USER_OLD_AFTER*2 ];
-		if (!empty($users_selected)) { $params[] = implode(',', $users_selected); }
+		$params[] = USER_OLD_AFTER*2;
+		if (!empty($users_selected)) $params[] = implode(',', $users_selected);
 		$result = $db->query($sql, __FILE__, __LINE__, __METHOD__, $params);
 
 		$html = '<select multiple="multiple" name="'.$name.'" size="'.$size.'" tabindex="'.$tabindex.'">';

public/index.php

@@ -27,7 +27,7 @@
 	switch ($routeSwitch)
 	{
 		/** Route: /user/[user-id|username] */
-		case 'username':
+		case 'user_id':
 			$getUserId = ( is_numeric($routeValue) ? $routeValue : $user->user2id($routeValue) );
 			if (!empty($getUserId)) {
 				$_GET['user_id'] = $getUserId;

public/messagesystem.php

@@ -65,11 +65,14 @@
 			}
 
 			$html .= '<br />';
+			$preselect_to_users = [];
+			if (intval($messageDetails['from_user_id']) === $user->id) $preselect_to_users = $messageDetails['to_users'];
+			else $preselect_to_users[] = intval($messageDetails['from_user_id']);
 			$html .= Messagesystem::getFormSend(
-						array(intval($messageDetails['from_user_id']))
-						, $subject, '> '.str_replace("\n", "\n> "
-						, $messageDetails['text'])
-						, $messageId
+						 $preselect_to_users
+						,$subject, '> '.str_replace("\n", "\n> "
+						,$messageDetails['text'])
+						,$messageId
 					);
 		}
 		/** User darf diese Nachricht nicht lesen (weil es nicht seine ist, doh!) */

public/profil.php

@@ -9,17 +9,20 @@
  * File includes
  * @include main.inc.php required
  * @include core.model.php required
+ * @include messagesystem.inc.php required
  */
 require_once __DIR__.'/includes/config.inc.php';
+require_once INCLUDES_DIR.'messagesystem.inc.php';
 require_once MODELS_DIR.'core.model.php';
 
 /**
  * Validate GET-Parameters
  */
-$doAction = (isset($doAction) ? $doAction : (filter_input(INPUT_GET, 'do', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null)); // $_GET['do']
-$postDoAction = filter_input(INPUT_POST, 'do', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_POST['do']
-$user_id = (isset($getUserId) ? intval($getUserId) : (filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT) ?? null)); // $_GET['user_id']
+$doAction = filter_input(INPUT_GET, 'do', FILTER_SANITIZE_SPECIAL_CHARS) ?? null; // $_GET['do']
+$postDoAction = filter_input(INPUT_POST, 'action', FILTER_SANITIZE_SPECIAL_CHARS) ?? null; // $_POST['action']
 $userRegcode = filter_input(INPUT_GET, 'regcode', FILTER_SANITIZE_SPECIAL_CHARS) ?? null; // $_GET['regcode']
+$user_id = (isset($getUserId) ? $getUserId : (filter_input(INPUT_GET, 'user_id', FILTER_SANITIZE_SPECIAL_CHARS) ?? null)); // $_GET['user_id']
+$user_id = !empty($user_id) ? (ctype_digit($user_id) ? intval($user_id) : $user->user2id($user_id)) : null;
 $view_as_user = filter_input(INPUT_GET, 'viewas', FILTER_VALIDATE_INT) ?? null; // $_GET['viewas']
 $messageToUsers = filter_input(INPUT_GET, 'msgusers', FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?? null; // $_GET['msgusers']
 $messageSubject = filter_input(INPUT_GET, 'msgsubject', FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?? null; // $_GET['msgsubject']
@@ -220,7 +223,7 @@
 
 		/** Der User ist jemand anderes */
 		} else {
-			$htmlOutput .= Messagesystem::getFormSend(array($user_id), '', '');
+			$htmlOutput .= Messagesystem::getFormSend([$user_id], '', '');
 		}
 
 		/** User markierte Gallery-Pics */