Update highlights
  • This version fixes an XSS issue affecting thread titles and post messages.
  • Please see this thread for more information:
  • An XSS security issue has been discovered affecting all versions of DragonByte Shop from v6.1.0 to v6.4.6. This issue is critical in nature and you should patch your site immediately. This affects XenForo 2.0, 2.1 and 2.2 versions.
  • All affected versions of DragonByte Shop have been patched, so even if your license has expired or you cannot update for whatever reason, you can still log in and download a fixed build of the version you're currently running.
  • If you cannot login or download, you can open src/addons/DBTech/Shop/Listener.php and find:
  • public static function templaterFilterRichThreadTitle(
  • Replace its contents with:
PHP:
        // Nothing to style without a saved thread and its author; hand the title back untouched.
        if (!$thread->thread_id
            || !$thread->User
        ) {
            return $value;
        }

        /** @var \DBTech\Shop\XF\Entity\User $user */
        $user = $thread->User;

        $styleProps = [];

        // Let each of the user's active purchases contribute inline style properties.
        /** @var \DBTech\Shop\Entity\Purchase[]|ArrayCollection $purchases */
        $purchases = \XF::repository('DBTech\Shop:Purchase')->filterActivePurchasesForUser($user);
        foreach ($purchases as $purchase)
        {
            $handler = $purchase->handler;
            $handler->fire('thread_title_markup', [$thread, &$styleProps], $thread->thread_id);
        }

        if ($styleProps)
        {
            // $escape is the templater's by-reference escape flag. Returning raw HTML means
            // the templater will not escape the result, so the title must be escaped here.
            $escape = false;

            // Ensure we only add the span if needed.
            // htmlspecialchars() on the user-supplied title is the XSS fix.
            return '<span style="' . implode('; ', $styleProps) . '">' . htmlspecialchars($value) . '</span>';
        }

        return $value;
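To show why the one-line change matters, here is an added, self-contained PHP example (not DragonByte Shop or XenForo code). It mimics the filter contract the patch relies on: a stand-in templater calls the filter with the title and a by-reference $escape flag, and when the filter sets $escape = false the returned string is output as-is, so any user-controlled text the filter embeds must be escaped by the filter itself. The function names, the stand-in templater, the fixed style properties and the sample title are all constructed for illustration; the real signature of templaterFilterRichThreadTitle and the purchase-handler plumbing are not reproduced.

```php
<?php
declare(strict_types=1);

// Added example, not DragonByte Shop or XenForo code. Mimics a templater filter
// that disables output escaping ($escape = false) and must therefore escape
// user input itself. Names below are constructed for this demonstration.

/** Stand-in for the templater: applies a filter and honours its $escape flag. */
function renderWithFilter(callable $filter, string $value): string
{
    $escape = true;
    $result = $filter($value, $escape);
    // A filter that leaves $escape on gets escaped output; one that turns it off is trusted.
    return $escape ? htmlspecialchars($result, ENT_QUOTES, 'UTF-8') : $result;
}

/** Constructed stand-in for the style properties purchase handlers would add. */
function styleProps(): array
{
    return ['color: #c0392b', 'font-weight: bold'];
}

/** Pre-fix behaviour: the raw title is embedded in HTML with escaping disabled. */
function filterThreadTitleVulnerable(string $value, bool &$escape): string
{
    $styleProps = styleProps();
    if (!$styleProps) {
        return $value;
    }
    $escape = false;
    return '<span style="' . implode('; ', $styleProps) . '">' . $value . '</span>';
}

/** Post-fix behaviour: the title goes through htmlspecialchars() before embedding. */
function filterThreadTitleFixed(string $value, bool &$escape): string
{
    $styleProps = styleProps();
    if (!$styleProps) {
        return $value;
    }
    $escape = false;
    return '<span style="' . implode('; ', $styleProps) . '">' . htmlspecialchars($value) . '</span>';
}

/** True when the title inside the wrapper span is exactly its escaped form. */
function titleIsInert(string $html, string $title): bool
{
    // Strip the wrapper span we expect; anything left that is a tag came from the title.
    $inner = preg_replace('#^<span style="[^"]*">(.*)</span>$#s', '$1', $html);
    return $inner === htmlspecialchars($title);
}

// Constructed thread title containing markup a user could type into the title field.
$title = 'Weekly sale <b>50% off</b> & "free" shipping';

$vulnerable = renderWithFilter('filterThreadTitleVulnerable', $title);
$fixed      = renderWithFilter('filterThreadTitleFixed', $title);

printf("vulnerable: %s\n", $vulnerable);
printf("fixed:      %s\n", $fixed);
printf("vulnerable title inert? %s\n", titleIsInert($vulnerable, $title) ? 'yes' : 'no');
printf("fixed title inert?      %s\n", titleIsInert($fixed, $title) ? 'yes' : 'no');
```

Run it with `php example.php`. The vulnerable variant emits the `<b>` markup from the title verbatim inside the span, while the fixed variant emits it as entities, which is the behaviour the patched Listener.php restores.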
Complete Change Log
Fix: Fix a security issue affecting thread titles and post messages
Update highlights

This version fixes a regression introduced in 6.4.4 that could cause glitches in configurable items, and also fixes an issue with copying items.


Complete Change Log

Fix: Copying items would produce a server error in certain circumstances
Fix: Fix an issue where item configuration would be incorrectly cached, leading to glitches in things like user name colours
Update highlights

This version contains a couple of internal changes, and also fixes an issue that could occur while attempting to read a purchase's configuration.


Complete Change Log

Change: Update bundled Infinite Scroll library
Change: Add a missing property to type hinting
Fix: Fix server error when attempting to obtain purchase configuration