Just ran an install with a randomly generated password including an apostrophe (') only to hit an error about unexpected characters in ./inc/config.php.

This is caused by the input not being escaped before being inserted into the config file. This should be corrected.

IMO, MyBB should implement LESS support into the theme editor, even if it's like the code that @euantor posted on the forums where it gets transformed into pure CSS on commit.

Should be beneficial to theme authors, especially if it is transformed into CSS - that makes it easier for the end user to understand, instead of staring at a foreign syntax. Of course, if the user doesn't know what LESS is, they can simply use CSS.

Of course, one problem I encountered (and haven't fixed yet) is that variables don't get carried over sessions, so saving and reopening the stylesheet will cause variables to be parsed and lost.

What do you think? I tested it, adding in support on Stylesheet Creation and Editing only took about six lines of code, plus an extra file (the lessc.inc.php Euan posted).

You are not looking for this sort of thing I am sure, but I like the code to all be in the green, there are two really minor validating issues in the header template, not important in the slightest of course but some might like to clear it out none the less. :)

header template

this:
Quote: <!-- </div> -- in header_welcomeblock_member and header_welcomeblock_guest -->
<!-- </div> -- in header_welcomeblock_member and header_welcomeblock_guest -->

should be this:
Quote: <!-- </div> in header_welcomeblock_member and header_welcomeblock_guest -->
<!-- </div> in header_welcomeblock_member and header_welcomeblock_guest -->

Original thread: minor validating issues in the header template

JS could use an upgrade to include Multi-Quote functionality in quick edit.

This shows up when i select the master style, Im not sure if it's a bug or not but here's a screenshot

This feature will allow a member's posts to be edited up to X minutes after the post has been made.

Line 378 (misc.php) contains the following for the popout buddylist...
$buddy['avatar'] = $theme['imgdir'] . "/default_avatar.gif";

By the default MyBB installation, "default_avatar.gif" does not exist... but "default_avatar.png" does.
This causes the following broken image if the user hasn't changed their default avatar.

If you use the quick edit the time will contain a {2}. After refreshing, the time will shown correctly so it seems to be a js issue, but I'm not sure whether it is necessary to fix it now or whether it is better to wait until we have jQuery.

Original thread: Quick edit adds {2}

It is currently impossible to use MyBB with Amazon SES, as it does not follow the proper TLS upgrade mechanism when connecting over SMTP. I've submitted a pull request that was rejected for whitespace issues. Here is the code that works for me:

https://raw.github.com/BMintern/mybb/stable/inc/mailhandlers/smtp.php

Cheers,
Brandon

If you try to give a warning the following error occurs:
Fatal error: Cannot redeclare find_warnlevels_to_check() (previously declared in G:\www\18\warnings.php:1192) in G:\www\18\inc\functions_warnings.php on line 52
I suggest to remove the function in "/warnings.php"

Minor error causing the wrong post legend icon to be displayed in forum display for hot topic.

This:
Quote: <dd><span class="thread_status hotfolder.png" title="{$lang->hot_thread}">&nbsp;</span> {$lang->hot_thread}</dd>

should be this:
Quote: <dd><span class="thread_status hotfolder" title="{$lang->hot_thread}">&nbsp;</span> {$lang->hot_thread}</dd>

Original thread: minor error in template forumdisplay_threadlist

input.button in the global.css has its font-family defined twice.

Original thread: Double Defined Font

config.php
$config['security_pin'] = test; Does not work
$config['secret_pin'] = test; Works

Original thread: Admin CP PIN

Minor error causing the wrong post legend icon to be displayed in forum display for hot topic.

This:
Quote: <dd><span class="thread_status hotfolder.png" title="{$lang->hot_thread}">&nbsp;</span> {$lang->hot_thread}</dd>

should be this:
Quote: <dd><span class="thread_status hotfolder" title="{$lang->hot_thread}">&nbsp;</span> {$lang->hot_thread}</dd>

Original thread: minor error in template forumdisplay_threadlist

In UserCP, I tried adding a website in the "Your Website URL:" field but doesn't work. The only option that works is a URL with http:// and www. at the start and a slash at the end. Here in the MyBB community, I just need to type in google.com(Example) and I don't need to provide www. after http://(which is already there by default on MyBB community.

Also, why is there a dot before the link when viewing through profile? (I don't have a dot in the link when I added the link in UserCP. You guys can double check through ACP.

Error Picture

Options I tried are below

google.com
http://google.com
http://google.com/
http://Workalready.net/
Google.com

What worked
http://www.google.com/

Original thread: The website address you entered is invalid in UCP

1.6.10 - Searching with more than one thread prefix prefix only searches the prefix ID that is the largest (or the last in the form, not really sure as my test was alphabetical as well) and no other prefixes. The search functions themselves assume it is a single value, yet the build_prefix_select() allows multiple selections.

The functions in "install/resources/upgrade27.php" should be named "upgrade27_" but are named "upgrade28_". In addition the function "upgrade28_dbchanges()" hasn't the ´$db´ variable as global.

When attempting to use a custom moderation tool on a plain install of MyBB using Postgresql, the following error message is produced:

MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
42703 - ERROR: column "2" does not exist LINE 1: SELECT * FROM mybb_modtools WHERE tid="2" ^
Query:
SELECT * FROM mybb_modtools WHERE tid="2"

Where tid varies based on the mod tool used.

If you have a fresh installation where the version task has not run, the version notice is shown. I think we should remove it completely.

useragent column in mybb_sessions table,
is type varchar(100) which is too short and cause useragent string to be cut,
which prevents proper client recognition.
(eg. google bots for mobile phones cannot be properly recognized
because Googlebot word is used in missing part of string which was cut out)

mybb_sessions useragent column type should be varchar(255)

Its even shown in mybb documentation that its 100
http://docs.mybb.com/Database_Tables-mybb_sessions.html

Also reported on SVN as Bug 2208 - column useragent in table mybb_sessions tooshort

Anyone can skip COPPA form during register because this code in member.php:

if($mybb->settings['coppa'] != "disabled" && !$mybb->input['step'])
{
// Here code to COPPA form

Param step is not used, but user can add its to url.
Standard url after click register (COPPA enabled):

/member.php?action=register

after change url to:

/member.php?action=register&step=1

COPPA form is not displayed.
Devs should remove condition with step param and only check coppa status from settings.

Also, there should be something like form token - now anyone can only send POST with all data and user is sucesfully registered (of course without any captcha). If COPPA is enabled, MyBB must check it in user data validation.

PHP errors occur when on step 3 of sending a mass mail.

I've never understood why the likes of get_user() are standalone functions instead of methods of the datahandler classes. The datahandler classes should, in my opinion, perform all CRUD operations for the data entities they're meant to handle.

This would make developing on top of MyBB make a lot more sense as one wouldn't need to require in a large file with many unnecessary functions and can simply require the datahandlers they need and any other classes (DB_*, cache handlers etc).

In order to maintain backwards compatibility with the 1.6.x series, we could have the usual get_*() function act as aliases to the class methods.

Just some food for thought.

plz see this pictures:

Currently the merge system can import timestamps as 0 for lastvisit, which is correct, however, when MyBB displays the user details, the my_date() function takes the "0" timestamp and applies TIME_NOW.

See http://dev.mybb.com/issues/2201

This is because the function uses if(empty($stamp)) which returns true when $stamp is set to 0.

if we lead off with

$stampint = (int)$stamp;
if($stampint === 0 && is_number($stamp))
{
return $lang->lastvisit_never;
}

before the if(emtpy()) block we can avoid the issue. we'd need to investigate the potential downstream impacts though.

Otherwise edit memberlist.php line 354 to

$user['lastvisit'] = ($user['lastactive'] == 0 ? $lang->lastvisit_never : my_date('relative', $user['lastactive']));

and admin/modules/users.php line 3171 to

$user['view']['lastvisit'] = ($user['lastactive'] == 0 ? $lang->lastvisit_never : my_date('relative', $user['lastactive']));

The changes made to implement IPv6 support ( 5e6e1a9 ) causes SQL errors upon installation for PostgreSQL. The binary data type (bytea) used for the IP address fields incorrectly limits the binary field; PostgreSQL does not limit this type. Changes reflect in install/resources/pgsql_db_tables.php.

In addition, the function 'escape_binary' causes an SQL error when used on applicable fields: '...is of type bytea but expression is of type bit'

After the installation of MyBB 1.7 Alpha, it seems my installer didn't lock.
Did this 3 times. Each time, the installer did not lock.

The message "MyBB is already installed" is shown on the installer, but the chance to overwrite the current installation configuration is there.

short color codes in tags are not supported. edit class_parser and add

$nestable_mycode['color_short']['regex'] = "#color=([a-zA-Z]_|#?[0-9a-fA-F]{3})[/color]#si";
$nestable_mycode['color_short']['replacement'] = "<span style="color: $1;">$2";

If you send a group join request in your UCP there is a message "You applied to join this group: Less than 1 minute ago, {2}"

test

Original thread: test

http://community.mybb.com/thread-105587.html

Simple as that.

I wrote 2 sentences but skipped a line for the second sentence but after the post, the lines came together. I suck at explaining this one so here's an example.

Type out in editor.

[img]http://puu.sh/1THct
[/img]

After post

[img]http://puu.sh/1THd4
[/img]

Test Thread: http://www.mybbsecurity.net/18/showthread.php?tid=33

Original thread: Can't skip lines in 1.8

27 and 29, lines are the same.

Original thread: datahandler_user.lang.php

why cant we opt out of email notifications for forum subscriptions too just like the thread subscriptions.
http://community.mybb.com/thread-145056.html

I'm working on a couple of things on the installer like I was a few months ago (with more success this time!) and I noticed a small language bug that I'll fix in my commits once I submit them (hopefully within the week?).

On Create Tables, the language is
"Connection to the database server and table you specified was successful."
and it should be
"Connection to the database server and database you specified was successful."

About to create a commits pull so feedback can be given on what I'm going to try and do with the installer.

Will fix the bug in stable as well.

EDIT: Now #2245 on Redmine for 1.6

In mybb 1.7 website button not aligned properly on postbit.

Screenshot:

Original thread: Website button not aligned properly on postbit

Well I set the theme to Dawn and no change.
But this had worked before, I had download it the day git was opened and put it on my localhost.

Then a few days later I noticed that there was some more work done to the alpha so I download again and installed and then the theme was not working.

So I thought maybe it was something I may have done so I drop all the database and installed to my localhost again and tried the theme and it's still is not working.

So I am unsure if I have done something wrong or if this is a bug.

Original thread: Theme dose not seam to work

This really isn't a security issue at all, but it should be fixed nonetheless. If you edit something in a theme named <SCRIPT>alert("XSS")</SCRIPT>, you will get a popup on the admin logs page. It doesn't look like there's a htmlspecialchars_uni present for any of the records.

Proof of concept:
http://i.imgur.com/ryieoEy.png

Original thread: Theme name in administrator logs

Hello,
I know it is very small bug but it's still a bug.

"Remove from Buddy List" button has a wrong icon:
[attachment=28496]

Original thread: Wron icon in "Remove from Buddy List" button

It seems, reported posts show currently in the ModCP if they haven't been marked as read (image 1).

However after marking them as read, the reason on the "All reports" page is correct, but they are shortened and not easily readable (image 2)

When you click on "Options" in Forums Management or Users & Groups, it literally does nothing however it shows a message at the bottom of my browser (Firefox)

Screenshot: http://puu.sh/48qpy.png

Message is the following:

Javascript:;

We need to replace CodePress by CodeMirror.

Filename: admin/modules/user/users.php
Line: 1026
Code:

if (!stristr($user['avatar'], 'http://'))

This code is responsible of displaying the avatar in the Admin Control Panel. You probably didn't expect that someone could add an https-based URL for the avatar, hence why an extra ../ is added to the URL (turning it into a broken image) for https-based URL.

Try to get a difference report between templates comes up with PHP errors and is unable to do any difference listing.

Blank textbox appears.

Steps to Reproduce
1.) Edit any template
2.) Go to options and Diff Report

A good task to add would be to be able to prune old PMs. For big boards especially, the PM table can get very large, even with inbox limits.

Thoughts? Wouldn't be too hard to make.

Hi.
See this pictures:
Normal:
[attachment=29497]
I Searched 'Test' in this thread:
[attachment=29498]

Original thread: Postbit Bug in search

https://github.com/mybb/mybb/tree/feature/inc

The file class_warnings.php appears to be missing from the feature branch. It's included on line 2030 of modcp.php.

Original thread: Missing: class_warnings.php