From 2d7a8ebee03ccfe2f9597c0a09c22f95ebc52e4a Mon Sep 17 00:00:00 2001
From: Sam <1812544+samerton@users.noreply.github.com>
Date: Sun, 20 Jul 2025 09:59:16 +0100
Subject: [PATCH 1/4] fix: hide error with no permission in api requests
---
 core/classes/Misc/ErrorHandler.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/core/classes/Misc/ErrorHandler.php b/core/classes/Misc/ErrorHandler.php
index 05f2e5c675..7203d13969 100644
--- a/core/classes/Misc/ErrorHandler.php
+++ b/core/classes/Misc/ErrorHandler.php
@@ -79,6 +79,11 @@ public static function catchException(?Throwable $exception, ?string $error_stri
 // If this is an API request, print the error in plaintext and dont render the whole error trace page
 if (self::shouldUsePlainText()) {
+ if (!Debugging::canViewDetailedError()) {
+ // If we can't view the full error (i.e. not authenticated), show a simple message
+ die('Fatal error during request');
+ }
+
+ die($error_string . ' in ' . $error_file . ' on line ' . $error_line . (!is_null($exception) ? PHP_EOL . $exception->getTraceAsString() : ''));
 }
From a70bcc5e74c87d27e20287e4d9957d1458ff578f Mon Sep 17 00:00:00 2001
From: Sam <1812544+samerton@users.noreply.github.com>
Date: Sun, 27 Jul 2025 10:00:13 +0100
Subject: [PATCH 2/4] fix: double escape entities before passing into editor
---
 core/classes/Core/Output.php | 13 ++++++++++---
 core/classes/DTO/Announcement.php | 2 +-
 core/includes/maintenance.php | 2 +-
 modules/Core/hooks/ContentHook.php | 2 +-
 modules/Core/pages/terms.php | 2 +-
 modules/Forum/pages/forum/view_topic.php | 2 +-
 6 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/core/classes/Core/Output.php b/core/classes/Core/Output.php
index c2f1e42a47..1a3a4ca005 100644
--- a/core/classes/Core/Output.php
+++ b/core/classes/Core/Output.php
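Review bot: The restricted branch suppresses the exception detail from the response, but nothing in the hunk records it server-side, so unless catchException has already logged `$error_string`/`$exception` before this point (the method body starts and ends outside the hunk), operators lose the trace for exactly the API requests where the client no longer sees it. Consider writing it to the log before the early exit, e.g. `error_log($error_string . ' in ' . $error_file . ' on line ' . $error_line);`, or through whatever logger the class already uses. The new comment says `(i.e. not authenticated)` while the guard is `Debugging::canViewDetailedError()`, which reads as a permission check that may also deny authenticated users; consider `// Detailed errors are restricted; show a generic message to callers without permission`.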
@@ -44,10 +44,11 @@ public static function getDecoded(?string $input): ?string
 *
 * @param string|null $input String which will be purified.
 * @param bool $escape_invalid Should invalid HTML be escaped instead of fully removed?
+ * @param bool $for_editor Whether the purification is for use in the WYSIWYG editor or not, default true
 *
 * @return string Purified string.
 */
- public static function getPurified(?string $input, bool $escape_invalid = false): string
+ public static function getPurified(?string $input, bool $escape_invalid = false, bool $for_editor = true): string
 {
 if (!isset(self::$_purifier)) {
 $purifierConfig = HTMLPurifier_Config::createDefault();
@@ -80,8 +81,14 @@ public static function getPurified(?string $input, bool $escape_invalid = false)
 self::$_purifier = new HTMLPurifier($purifierConfig);
 }
- // Purify the string
- return self::$_purifier->purify($input);
+ $purified = self::$_purifier->purify($input);
+
+ if ($for_editor) {
+ // Double encode < and > to prevent editor from parsing them
+ return str_replace(['<', '>'], ['&lt;', '&gt;'], $purified);
+ }
+
+ return $purified;
 }
 /**
diff --git a/core/classes/DTO/Announcement.php b/core/classes/DTO/Announcement.php
index 5f5233a3f8..4935993b9a 100644
--- a/core/classes/DTO/Announcement.php
+++ b/core/classes/DTO/Announcement.php
@@ -23,7 +23,7 @@ public function __construct(object $row)
 $this->icon = $row->icon;
 $this->closable = $row->closable;
 $this->header = Output::getClean($row->header);
- $this->message = Output::getPurified($row->message);
+ $this->message = Output::getPurified($row->message, false, false);
 $this->order = $row->order;
 }
diff --git a/core/includes/maintenance.php b/core/includes/maintenance.php
index 5205a3736a..20a2e8e254 100644
--- a/core/includes/maintenance.php
+++ b/core/includes/maintenance.php
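Review bot: Defaulting the new `$for_editor` parameter to `true` changes the output of every existing getPurified() caller that this commit does not touch: those callers now receive their purified HTML with `<`/`>` turned into entities, so rendered content shows literal tags instead of markup. One such caller is visible as context in the terms.php hunk, `$nameless_terms = Output::getPurified(Settings::get('t_and_c'));`, which sits directly under the updated `$site_terms` line but keeps the default. The safer shape is `bool $for_editor = false` with `true` passed only at editor call sites, which also lets the Announcement, maintenance.php, ContentHook, terms.php and view_topic.php hunks keep their original calls. If the project's minimum PHP version is 8.0 or later, the updated call sites would also read better with a named argument, `Output::getPurified($row->message, for_editor: false)`, than with the positional `false, false`.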
@@ -39,7 +39,7 @@
 $template->getEngine()->addVariables(
 [
 'MAINTENANCE_TITLE' => $language->get('errors', 'maintenance_title'),
- 'MAINTENANCE_MESSAGE' => Output::getPurified(Settings::get('maintenance_message', 'Maintenance mode is enabled.')),
+ 'MAINTENANCE_MESSAGE' => Output::getPurified(Settings::get('maintenance_message', 'Maintenance mode is enabled.'), false, false),
 'RETRY' => $language->get('errors', 'maintenance_retry'),
 ]
 );
diff --git a/modules/Core/hooks/ContentHook.php b/modules/Core/hooks/ContentHook.php
index 134856cf6b..19b12f6a3b 100644
--- a/modules/Core/hooks/ContentHook.php
+++ b/modules/Core/hooks/ContentHook.php
@@ -64,7 +64,7 @@ public static function decode(array $params = []): array {
 public static function purify(array $params = []): array {
 if (parent::validateParams($params, ['content']) && empty($params['skip_purify'])) {
- $params['content'] = Output::getPurified($params['content'], true);
+ $params['content'] = Output::getPurified($params['content'], true, false);
 }
 return $params;
diff --git a/modules/Core/pages/terms.php b/modules/Core/pages/terms.php
index a10a881fe7..d0ad04aa9f 100644
--- a/modules/Core/pages/terms.php
+++ b/modules/Core/pages/terms.php
@@ -30,7 +30,7 @@
 } else {
 $site_terms = $site_terms->first()->value;
 }
-$site_terms = Output::getPurified($site_terms);
+$site_terms = Output::getPurified($site_terms, false, false);
 $nameless_terms = Output::getPurified(Settings::get('t_and_c'));
diff --git a/modules/Forum/pages/forum/view_topic.php b/modules/Forum/pages/forum/view_topic.php
index a8c0370fba..7e8f891486 100644
--- a/modules/Forum/pages/forum/view_topic.php
+++ b/modules/Forum/pages/forum/view_topic.php
@@ -748,7 +748,7 @@
 'post_date' => $post_date,
 'buttons' => $buttons,
 'content' => $content,
- 'signature' => Output::getPurified(Text::renderEmojis($signature)),
+ 'signature' => Output::getPurified(Text::renderEmojis($signature), false, false),
 'fields' => (empty($fields) ? [] : $fields),
 'edited' => is_null($nValue->last_edited) ? null
From 194b7bf4619ddd127a42e7cd7dde65f5a1e3b3a0 Mon Sep 17 00:00:00 2001
From: Sam <1812544+samerton@users.noreply.github.com>
Date: Wed, 30 Jul 2025 18:28:43 +0100
Subject: [PATCH 3/4] fix: clean default seo values in staff panel
---
 modules/Core/pages/panel/seo.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Core/pages/panel/seo.php b/modules/Core/pages/panel/seo.php
index ee863a8508..2a6ae56e5b 100644
--- a/modules/Core/pages/panel/seo.php
+++ b/modules/Core/pages/panel/seo.php
@@ -114,9 +114,9 @@
 $template->getEngine()->addVariables([
 'DEFAULT_DESCRIPTION' => $language->get('admin', 'default_description'),
- 'DEFAULT_DESCRIPTION_VALUE' => Settings::get('default_meta_description'),
+ 'DEFAULT_DESCRIPTION_VALUE' => Output::getClean(Settings::get('default_meta_description')),
 'DEFAULT_KEYWORDS' => $language->get('admin', 'default_keywords'),
- 'DEFAULT_KEYWORDS_VALUE' => Settings::get('default_meta_keywords'),
+ 'DEFAULT_KEYWORDS_VALUE' => Output::getClean(Settings::get('default_meta_keywords')),
 ]);
 $template_file = 'core/seo';
From a1ee7ef46718836a3a9a4408cb5bc7c5a08b7efc Mon Sep 17 00:00:00 2001
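Review bot: The escaping is applied while the template variables are assembled rather than in the template, so whether this fix is complete depends on `core/seo`: if the engine auto-escapes these variables the stored value is shown double-encoded in the form fields, and if it does not, any other settings-derived value this page still passes raw keeps the original problem. Worth confirming against the template that `DEFAULT_DESCRIPTION_VALUE` and `DEFAULT_KEYWORDS_VALUE` are rendered without a second escape and are the only raw settings values it receives. The addVariables([...]) call is complete within the hunk; the rest of the script is outside it.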
From: Sam
Date: Sun, 10 Aug 2025 11:12:33 +0100
Subject: [PATCH 4/4] release: 2.2.4
---
 .github/ISSUE_TEMPLATE/bug-report.yml | 4 ++--
 .github/SECURITY.md | 4 ++--
 CHANGELOG.md | 11 +++++++++++
 core/classes/Database/DatabaseInitialiser.php | 2 +-
 core/includes/updates/223.php | 10 ++++++++++
 custom/panel_templates/Default/template.php | 4 ++--
 custom/templates/DefaultRevamp/template.php | 4 ++--
 modules/Cookie Consent/module.php | 4 ++--
 modules/Core/module.php | 4 ++--
 modules/Discord Integration/module.php | 4 ++--
 modules/Forum/module.php | 4 ++--
 modules/Members/module.php | 4 ++--
 package.json | 2 +-
 13 files changed, 41 insertions(+), 20 deletions(-)
 create mode 100644 core/includes/updates/223.php
diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
index 99dd8b0abe..d69a917bd5 100644
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -16,8 +16,8 @@ body:
 description: From StaffCP -> Overview
 options:
 - Development version
- - 2.2.3
- - <= 2.2.2
+ - 2.2.4
+ - <= 2.2.3
 validations:
 required: true
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index ab3d58b04d..f188edc4e0 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -8,8 +8,8 @@ The following NamelessMC releases are supported by the development team
 | Version | Supported |
 |-----------|--------------------|
-| 2.2.3 | :white_check_mark: |
-| <= 2.2.2 | :x: |
+| 2.2.4 | :white_check_mark: |
+| <= 2.2.3 | :x: |
 | <= 1.0.22 | :x: |
 ## Reporting a Vulnerability
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a6d12ae40..56fb7b1b76 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,17 @@
 ## [Unreleased](https://github.com/NamelessMC/Nameless/compare/v2.2.0...develop)
 > [Milestone](https://github.com/NamelessMC/Nameless/milestone/23)
+## [2.2.4](https://github.com/NamelessMC/Nameless/compare/v2.2.3...v2.2.4) - 2025-08-10
+### Added
+- No additions this releasse
+
+### Changed
+- Hide error in API requests if the user has no permission
+- Clean default SEO values in staff panel
+
+### Fixed
+- Double escape entities before passing into editor
+
 ## [2.2.3](https://github.com/NamelessMC/Nameless/compare/v2.2.2...v2.2.3) - 2025-05-22
 ### Added
 - No additions this releasse
diff --git a/core/classes/Database/DatabaseInitialiser.php b/core/classes/Database/DatabaseInitialiser.php
index 3db852cb1e..d3d913b263 100644
--- a/core/classes/Database/DatabaseInitialiser.php
+++ b/core/classes/Database/DatabaseInitialiser.php
@@ -214,7 +214,7 @@ private function initialiseSettings(): void
 Settings::set('recaptcha_type', 'Recaptcha3');
 Settings::set('recaptcha_login', '0');
 Settings::set('email_verification', '1');
- Settings::set('nameless_version', '2.2.3');
+ Settings::set('nameless_version', '2.2.4');
 Settings::set('version_checked', date('U'));
 Settings::set('phpmailer', '0');
 Settings::set('user_avatars', '0');
diff --git a/core/includes/updates/223.php b/core/includes/updates/223.php
new file mode 100644
index 0000000000..c525adacae
--- /dev/null
+++ b/core/includes/updates/223.php
@@ -0,0 +1,10 @@
+runMigrations();
+
+ $this->setVersion('2.2.4');
+ }
+};
diff --git a/custom/panel_templates/Default/template.php b/custom/panel_templates/Default/template.php
index b9add6833d..e896812970 100644
--- a/custom/panel_templates/Default/template.php
+++ b/custom/panel_templates/Default/template.php
@@ -26,8 +26,8 @@ public function __construct(Language $language)
 parent::__construct(
 'Default', // Template name
- '2.2.3', // Template version
- '2.2.3', // Nameless version template is made for
+ '2.2.4', // Template version
+ '2.2.4', // Nameless version template is made for
 'Coldfire', // Author, you can use HTML here
 __DIR__, // Specify the path to the template
 );
diff --git a/custom/templates/DefaultRevamp/template.php b/custom/templates/DefaultRevamp/template.php
index b557ff8eb2..29c4d37f11 100755
--- a/custom/templates/DefaultRevamp/template.php
+++ b/custom/templates/DefaultRevamp/template.php
@@ -27,8 +27,8 @@ public function __construct(Cache $cache, Language $language, User $user, Pages
 {
 $template = [
 'name' => 'DefaultRevamp',
- 'version' => '2.2.3',
- 'nl_version' => '2.2.3',
+ 'version' => '2.2.4',
+ 'nl_version' => '2.2.4',
 'author' => 'Xemah',
 ];
diff --git a/modules/Cookie Consent/module.php b/modules/Cookie Consent/module.php
index 1640ba9c9a..19276466a3 100644
--- a/modules/Cookie Consent/module.php
+++ b/modules/Cookie Consent/module.php
@@ -18,8 +18,8 @@ public function __construct(Language $language, Language $cookie_language, Pages
 $name = 'Cookie Consent';
 $author = 'Samerton';
- $module_version = '2.2.3';
- $nameless_version = '2.2.3';
+ $module_version = '2.2.4';
+ $nameless_version = '2.2.4';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Core/module.php b/modules/Core/module.php
index 578e21ed1c..cd8c669c3e 100644
--- a/modules/Core/module.php
+++ b/modules/Core/module.php
@@ -19,8 +19,8 @@ public function __construct(Language $language, Pages $pages, User $user, Naviga
 $name = 'Core';
 $author = 'Samerton';
- $module_version = '2.2.3';
- $nameless_version = '2.2.3';
+ $module_version = '2.2.4';
+ $nameless_version = '2.2.4';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Discord Integration/module.php b/modules/Discord Integration/module.php
index e42c6aa56d..e2728e5387 100644
--- a/modules/Discord Integration/module.php
+++ b/modules/Discord Integration/module.php
@@ -16,8 +16,8 @@ public function __construct(Language $language, Pages $pages, Endpoints $endpoin
 $name = 'Discord Integration';
 $author = 'Aberdeener';
- $module_version = '2.2.3';
- $nameless_version = '2.2.3';
+ $module_version = '2.2.4';
+ $nameless_version = '2.2.4';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Forum/module.php b/modules/Forum/module.php
index 290954e869..80eedceb18 100644
--- a/modules/Forum/module.php
+++ b/modules/Forum/module.php
@@ -18,8 +18,8 @@ public function __construct(Language $language, Language $forum_language, Pages
 $name = 'Forum';
 $author = 'Samerton';
- $module_version = '2.2.3';
- $nameless_version = '2.2.3';
+ $module_version = '2.2.4';
+ $nameless_version = '2.2.4';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/modules/Members/module.php b/modules/Members/module.php
index 766d88d701..ad3398d087 100644
--- a/modules/Members/module.php
+++ b/modules/Members/module.php
@@ -18,8 +18,8 @@ public function __construct(Language $language, Language $members_language, Page
 $name = 'Members';
 $author = 'Aberdeener';
- $module_version = '2.2.3';
- $nameless_version = '2.2.3';
+ $module_version = '2.2.4';
+ $nameless_version = '2.2.4';
 parent::__construct($this, $name, $author, $module_version, $nameless_version);
diff --git a/package.json b/package.json
index 98e15c680d..aa2d22aa04 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "nameless",
- "version": "2.2.3",
+ "version": "2.2.4",
 "repository": "https://github.com/NamelessMC/Nameless",
 "license": "MIT",
 "private": true,