

22 Commits
8.1 ... master

Matt Pass
4a61847ef7 ICEcoder is for sale 2023-12-14 11:26:43 +00:00
mattpass
7001178b79 No JS output before DOCTYPE, fix path for required file 2022-06-25 21:05:36 +01:00
mattpass
4ac0f0b43a Changing REQUEST to POST and GET 2022-06-25 20:46:17 +01:00
mattpass
d72121ff8c Specify path when requiring and code tidy 2022-06-25 20:43:10 +01:00
mattpass
b5cee2dc2d lineNumber should be via GET method 2022-06-25 20:39:54 +01:00
mattpass
351633bad6 Remove need for COOKIE via PHP 2022-06-24 21:56:46 +01:00
mattpass
361c353157 Use POST not REQUEST in terminal 2022-06-24 21:51:06 +01:00
mattpass
20fe466d84 Still need a session in demoMode 2022-06-24 21:48:42 +01:00
mattpass
c5146d7f2b Only consider writing if not in demoMode 2022-06-24 20:03:34 +01:00
mattpass
5fa36d5749 Typo and format fixes 2022-06-17 14:35:25 +01:00
mattpass
ab6610846c Usernames can have alphanums, underscore and hyphen only 2022-06-17 14:23:41 +01:00
mattpass
e720ba5d5a Dynamic assets path, tweak and fix in settings, ignore .idea 2022-06-11 21:53:45 +01:00
Matt Pass
958e91a67f Set editor to fixed position 2022-05-29 14:48:53 +01:00
Matt Pass
e21c16e1ee No selectNext if selected already on findOnInput 2022-05-21 13:15:52 +01:00
Matt Pass
509b5b8fb8 PHP v7.0 fallback added re session_create_id 2022-05-14 16:21:20 +01:00
Matt Pass
51cf24b2a3 rXSS cleaned username in editor info display 2022-01-17 12:38:29 +00:00
Matt Pass
cd964f816f Merge pull request #1007 from JamieSlome/master
Create SECURITY.md
2022-01-16 08:21:59 +00:00
Jamie Slome
99f5d1a7c9 Create SECURITY.md 2022-01-16 03:40:08 +00:00
Matt Pass
d6124b0811 Fix for installed plugin images dir 2021-12-17 17:23:18 +00:00
Matt Pass
517be5a5e0 Change plugin icon path 2021-11-24 13:26:42 +00:00
Matt Pass
fef1927690 Update README.md to use S3 2021-10-25 12:02:25 +01:00
mattpass
d642ed0fab Setup screen checks update box if needed, set bool not string 2021-07-27 09:12:03 +01:00
28 changed files with 227 additions and 140 deletions

1
.gitignore vendored

@@ -1,3 +1,4 @@
.idea/*
data/*
!data/.gitkeep
plugins/*


@@ -1,10 +1,14 @@
# ICEcoder is for sale! Please contact info@icecoder.net. Serious offers only.
---
# ICEcoder
## Code editor awesomeness ...in your browser
ICEcoder is a browser based code editor, which provides a modern approach to building websites. By allowing you to code directly within the web browser, online or offline, it means you only need one program (your browser) to develop sites, plus can test on actual web servers. After development, you can also maintain the website easily, all of which make for speedy and smart development.
<img src="https://icecoder.net/images/icecoder-8-1-browser-code-editor.png" alt="ICEcoder code editor">
<img src="https://assets.icecoder.net/images/icecoder-8-1-browser-code-editor.png" alt="ICEcoder code editor">
### Requirements

5
SECURITY.md Normal file

@@ -0,0 +1,5 @@
# Security Policy
## Reporting a Vulnerability
Please report security issues to `info@icecoder.net`


@@ -13,6 +13,7 @@ h2 {font-size: 18px; font-weight: normal; color: #fff}
.blackMask {position: fixed; display: table; width: 100%; height: 100%; top: 0; left: 0; visibility: hidden; background-color: rgba(0,0,0,0.8); text-align: center; z-index: 100}
.blackMask .popupVCenter {#position: absolute; display: table-cell; #top: 50%; vertical-align: middle; text-align: center}
.popupVCenter .popup {#position: relative; #top: -50%; text-align: center; color: #fff; font-size: 10px}
.popupVCenter .popup .imgDisplay {border: solid 10px #fff; max-width: 700px; max-height: 500px; background-color: #000; background-image: url('../images/checkerboard.png')}
.floatingContainer {position: absolute; top: 0; left: 0; width: 55px; height: 55px; visibility: hidden; border: solid 1px #444; image-rendering: pixelated}
.floatingContainer:before {position: absolute; display: inline-block; width: 3px; height: 3px; left: 25px; top: 25px; content: ''; border: solid 1px #b00}
@@ -74,7 +75,7 @@ h2 {font-size: 18px; font-weight: normal; color: #fff}
.files .tools .error {background: #800}
.files .tools .info {background: #080}
.editor {position: absolute; display: inline-block; top: 0; left: 15px; width: 2400px}
.editor {position: fixed; display: inline-block; top: 0; left: 15px; width: 2400px}
.editor .tabsBar {display: inline-block; height: 27px; width: 2400px; margin-top: 15px; padding-left: 53px; background: #fff}
.tabsBar .tab {position: absolute; display: none; height: 15px; padding: 6px 8px 6px 9px; border-right: 1px solid #ddd; color: #fff; white-space: nowrap; overflow: hidden; cursor: pointer; z-index: 1;
transition: width, left 0.15s ease-in-out;


@@ -10,8 +10,9 @@ var ICEcoder = {
// INIT
// ====
// URL we're viewing ICEcoder from
// URLs we're viewing ICEcoder and its assets from
iceLoc: window.location.origin + window.location.pathname.replace(/\/$/, ""),
assetsLoc: get('icecoderJSFile').dataset.assetsRoot,
// Define settings
filesW: 250, // Width of files pane
@@ -2899,10 +2900,14 @@ var ICEcoder = {
},
findOnInput: function() {
let thisCM, selectNext;
// Realtime finding - only action for finding in current doc
if ("" !== get('find').value && t['this document'] === document.findAndReplace.target.value) {
// Considers selecting next on value input, according to user setting
ICEcoder.findReplace(get('find').value, true === ICEcoder.selectNextOnFindInput, false, false);
// Get CM pane
thisCM = this.getThisCM();
// Consider selecting next on value input, according to not having result selected already and user setting
selectNext = thisCM.getSelection() !== get('find').value && true === ICEcoder.selectNextOnFindInput;
ICEcoder.findReplace(get('find').value, selectNext, false, false);
get("find").focus();
// Reset results display
} else {
@@ -4425,7 +4430,7 @@ var ICEcoder = {
this.openFiles.push(shortURL);
// Setup a new tab
closeTabLink = '<a nohref onClick="ICEcoder.closeTab(parseInt(this.parentNode.id.slice(3), 10))"><img src="' + this.iceLoc + '/assets/images/nav-close.gif" class="closeTab" onMouseOver="prevBG = this.style.backgroundColor; this.style.backgroundColor = \'#333\'; parent.ICEcoder.overCloseLink = true" onMouseOut="this.style.backgroundColor = prevBG; parent.ICEcoder.overCloseLink = false"></a>';
closeTabLink = '<a nohref onClick="ICEcoder.closeTab(parseInt(this.parentNode.id.slice(3), 10))"><img src="' + this.assetsLoc + '/images/nav-close.gif" class="closeTab" onMouseOver="prevBG = this.style.backgroundColor; this.style.backgroundColor = \'#333\'; parent.ICEcoder.overCloseLink = true" onMouseOut="this.style.backgroundColor = prevBG; parent.ICEcoder.overCloseLink = false"></a>';
get('tab' + (this.openFiles.length)).style.display = "inline-block";
fileName = this.openFiles[this.openFiles.length - 1];
fileExt = fileName.substr(fileName.lastIndexOf(".") + 1);
@@ -4473,7 +4478,7 @@ var ICEcoder = {
this.openFiles[tabNum - 1] = newName;
// Setup a new tab
closeTabLink = '<a nohref onClick="ICEcoder.closeTab(parseInt(this.parentNode.id.slice(3), 10))"><img src="' + this.iceLoc + '/assets/images/nav-close.gif" class="closeTab" onMouseOver="prevBG = this.style.backgroundColor; this.style.backgroundColor = \'#333\'; parent.ICEcoder.overCloseLink = true" onMouseOut="this.style.backgroundColor = prevBG; parent.ICEcoder.overCloseLink = false"></a>';
closeTabLink = '<a nohref onClick="ICEcoder.closeTab(parseInt(this.parentNode.id.slice(3), 10))"><img src="' + this.assetsLoc + '/images/nav-close.gif" class="closeTab" onMouseOver="prevBG = this.style.backgroundColor; this.style.backgroundColor = \'#333\'; parent.ICEcoder.overCloseLink = true" onMouseOut="this.style.backgroundColor = prevBG; parent.ICEcoder.overCloseLink = false"></a>';
fileName = this.openFiles[tabNum - 1];
fileExt = fileName.substr(fileName.lastIndexOf(".") + 1);
get('tab' + tabNum).innerHTML = closeTabLink + "<span style=\"display: inline-block; width: 19px\"></span>" + fileName.slice(fileName.lastIndexOf("/")).replace(/\//, "");
@@ -5297,7 +5302,7 @@ var ICEcoder = {
"height": 55,
"top": -55,
"left": 0,
"title": "<img src=\"" + this.iceLoc + "/assets/images/icecoder.png\" style=\"position: absolute; margin: -105px 0 0 -55px\"><br><br>Code editor awesomeness ...in your browser",
"title": "<img src=\"" + this.assetsLoc + "/images/icecoder.png\" style=\"position: absolute; margin: -105px 0 0 -55px\"><br><br>Code editor awesomeness ...in your browser",
"message": "View the quick start tutorial? (Well worthwhile!) or <a onclick=\"ICEcoder.viewTutorial(99, 0)\" style=\"font-size: 14px; text-decoration: underline; cursor: pointer\">skip it</a>.",
"button": "view tutorial"
},
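Review bot: `assetsLoc: get('icecoderJSFile').dataset.assetsRoot` is evaluated while the `ICEcoder` object literal is being built, so a `<script>` tag without `id="icecoderJSFile"` (or a `get` helper that is not yet defined at that point) throws a TypeError and leaves the whole `ICEcoder` object undefined; a comment at the property would spare the next reader the search: `// Read at load time from <script id="icecoderJSFile" data-assets-root=...> written by index.php; that tag must exist before this file runs`. The value is later concatenated into HTML strings (the `closeTabLink` and tutorial `title` hunks), so it is trusted as a URL prefix, which is acceptable for an admin-set setting but worth stating in the same comment. In `findOnInput`, `thisCM.getSelection() !== get('find').value` is a case-sensitive comparison; if `findReplace` matches case-insensitively, a hit selected in a different case keeps `selectNext` true on every keystroke — confirm that is intended. `findOnInput`'s body continues outside the hunk.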


@@ -111,7 +111,7 @@ class File
public function load() {
global $file, $fileLoc, $fileName, $t, $lineNumber;
echo 'action="load";';
$lineNumber = max(isset($_REQUEST['lineNumber']) ? intval($_REQUEST['lineNumber']) : 1, 1);
$lineNumber = max(isset($_GET['lineNumber']) ? intval($_GET['lineNumber']) : 1, 1);
// Check this file isn't on the banned list at all
$canOpen = true;
for ($i = 0; $i < count($_SESSION['bannedFiles']); $i++) {
@@ -234,7 +234,7 @@ class File
parent.parent.document.getElementById(\'blackMask\').style.visibility = "visible";
parent.parent.document.getElementById(\'mediaContainer\').innerHTML =
"<canvas id=\"canvasPicker\" width=\"1\" height=\"1\" style=\"position: absolute; margin: 10px 0 0 10px; cursor: crosshair\"></canvas>" +
"<img src=\"' . $fileLoc . "/" . $fileName . "?unique=" . microtime(true) .'\" style=\"border: solid 10px #fff; max-width: 700px; max-height: 500px; background-color: #000; background-image: url(\'assets/images/checkerboard.png\')\" onLoad=\"reducedImgMsg = (this.naturalWidth > 700 || this.naturalHeight > 500) ? \', ' .$t['displayed at'] . '\' + this.width + \' x \' + this.height : \'\'; document.getElementById(\'imgInfo\').innerHTML += \' (\' + this.naturalWidth + \' x \' + this.naturalHeight + reducedImgMsg + \')\'; ICEcoder.initCanvasImage(this); ICEcoder.interactCanvasImage(this)\"><br>" +
"<img src=\"' . $fileLoc . "/" . $fileName . "?unique=" . microtime(true) .'\" class=\"imgDisplay\" onLoad=\"reducedImgMsg = (this.naturalWidth > 700 || this.naturalHeight > 500) ? \', ' .$t['displayed at'] . '\' + this.width + \' x \' + this.height : \'\'; document.getElementById(\'imgInfo\').innerHTML += \' (\' + this.naturalWidth + \' x \' + this.naturalHeight + reducedImgMsg + \')\'; ICEcoder.initCanvasImage(this); ICEcoder.interactCanvasImage(this)\"><br>" +
"<div style=\"display: inline-block; margin-top: -10px; border: solid 10px #fff; color: #000; background-color: #fff\" id=\"imgInfo\" onmouseover=\"parent.parent.ICEcoder.overPopup=true\" onmouseout=\"parent.parent.ICEcoder.overPopup=false\">" +
"<b>' . $fileLoc . "/" . $fileName . '</b>" +
"</div><br>" +
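Review bot: The rewritten `<img class="imgDisplay">` line still interpolates `$fileLoc . "/" . $fileName` directly into a JavaScript string literal that is then assigned to `innerHTML`, with no encoding; if either value can derive from request input (I cannot see where the globals are set from this hunk), a quote or angle bracket in a file name breaks out of the literal. Encoding that fragment for the attribute context before it is embedded, e.g. `htmlspecialchars($fileLoc . "/" . $fileName, ENT_QUOTES)`, in the same way this change applies `xssClean(..., "html")` to the username in editor.php, would close that gap while keeping the hunk cosmetic. The `$lineNumber` hunk now reads `$_GET` only, so any caller that still sends it in a POST body silently falls back to line 1. `load()` continues outside the hunk.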


@@ -7,8 +7,10 @@ class Settings
public function __construct()
{
// Set version number and document root as core settings
$this->versionNo = "8.1";
$this->docRoot = $_SERVER['DOCUMENT_ROOT'];
// Defaults to the right
$this->versionNo = "8.1"; // "8.1";
$this->docRoot = $_SERVER['DOCUMENT_ROOT']; // $_SERVER['DOCUMENT_ROOT']
$this->assetsRoot = "assets"; // "assets" (relative or absolute)
}
public function getCoreDetails()
@@ -16,6 +18,7 @@ class Settings
return [
"versionNo" => $this->versionNo,
"docRoot" => $this->docRoot,
"assetsRoot" => $this->assetsRoot,
];
}
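Review bot: The new comment `// "assets" (relative or absolute)` does not say relative to what, and the consumers in this change resolve the value differently: root-level pages (index.php, editor.php, files.php) echo it as-is, while the `lib/` pages prefix `../` only when it equals the literal `"assets"`, so a relative value such as `"static"` works in one place and breaks in the other. Suggest `// "assets" (path relative to the ICEcoder root URL, or an absolute URL/path; lib/ pages currently only handle the literal "assets" for the relative case)`. The `Settings` class body continues outside both hunks, so I cannot see whether `assetsRoot` is declared as a property alongside `versionNo` and `docRoot`; if it is not, it is a dynamic property, which PHP 8.2 deprecates.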


@@ -10,16 +10,16 @@ $t = $text['editor'];
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> editor</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="assets/css/codemirror.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="assets/css/show-hint.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="assets/css/lint.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/codemirror.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/show-hint.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/lint.css?microtime=<?php echo microtime(true);?>">
<!--
codemirror-compressed.js
- incls: codemirror
- modes: clike, coffeescript, css, erlang, go, htmlmixed, javascript, julia, lua, markdown, perl, php, python, ruby, sass, sql, xml, yaml
- addon: brace-fold, closebrackets, closetag, css-hint, foldcode, foldgutter, html-hint, javascript-hint, javascript-lint, lint, match-highlighter, matchbrackets, runmode, searchcursor, show-hint, simplescrollbars, sql-hint, trailingspace, xml-fold, xml-hint
//-->
<script src="assets/js/codemirror-compressed.js?microtime=<?php echo microtime(true);?>"></script>
<script src="<?php echo $settingsClass->assetsRoot;?>/js/codemirror-compressed.js?microtime=<?php echo microtime(true);?>"></script>
<?php
$pluginFiles = [
"jshint/jshint-2.5.6.min.js",
@@ -36,7 +36,7 @@ for ($i = 0; $i < count($pluginFiles); $i++) {
}
?>
<link rel="stylesheet" href="<?php
echo dirname(basename(__DIR__)) . '/assets/css/theme/';
echo $settingsClass->assetsRoot . '/css/theme/';
echo "default" === $ICEcoder["theme"] ? 'icecoder.css' : $ICEcoder["theme"] . '.css';
echo "?microtime=" . microtime(true);
// Light themes
@@ -53,9 +53,9 @@ if (false !== array_search($ICEcoder["theme"], ["base16-light", "chrome-devtools
$activeLineNum = "#ccc";
}
?>">
<script src="assets/js/mmd.js?microtime=<?php echo microtime(true);?>"></script>
<link rel="stylesheet" href="assets/css/foldgutter.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="assets/css/simplescrollbars.css?microtime=<?php echo microtime(true);?>">
<script src="<?php echo $settingsClass->assetsRoot;?>/js/mmd.js?microtime=<?php echo microtime(true);?>"></script>
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/foldgutter.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/simplescrollbars.css?microtime=<?php echo microtime(true);?>">
<style type="text/css">
/* Make sure this next one remains the 1st item, updated with JS */
@@ -86,9 +86,9 @@ if (false !== array_search($ICEcoder["theme"], ["base16-light", "chrome-devtools
h2 {color: rgba(0,198,255,0.7)}
.cm-s-diff {left: 50%}
</style>
<link rel="stylesheet" href="assets/css/editor.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="assets/css/file-types.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="assets/css/file-type-icons.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/editor.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/file-types.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/file-type-icons.css?microtime=<?php echo microtime(true);?>">
</head>
<body style="color: #fff; margin: 0" onkeydown="return parent.ICEcoder.interceptKeys('content', event);" onkeyup="parent.ICEcoder.resetKeys(event);" onblur="parent.ICEcoder.resetKeys(event);" oncontextmenu="return false">
@@ -150,7 +150,7 @@ h2 {color: rgba(0,198,255,0.7)}
?>
<h2><?php echo $t['multi-user']; ?></h2>
<span class="heading"><?php echo $t['Username']; ?></span><br>
<?php echo $_SESSION['username'];?><br><br>
<?php echo xssClean($_SESSION['username'], "html");?><br><br>
<?php
}
?>


@@ -9,10 +9,10 @@ $t = $text['files'];
<head>
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> file manager</title>
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="assets/css/files.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="assets/css/file-types.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="assets/css/file-type-icons.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/files.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/file-types.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/file-type-icons.css?microtime=<?php echo microtime(true);?>">
<!--Updated via settings so must remain 5th stylesheet//-->
<style>
ul.fileManager li a span { font-size: <?php echo $ICEcoder["fontSize"];?>; }

Binary file not shown.



@@ -47,16 +47,17 @@ $isMac = false !== strpos($_SERVER['HTTP_USER_AGENT'], "Macintosh") ? true : fal
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width, initial-scale=0.5, user-scalable=no">
<link rel="stylesheet" type="text/css" href="<?php echo $iceURLPath;?>/assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $iceURLPath;?>/assets/css/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $iceURLPath;?>/assets/css/file-type-icons.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/file-type-icons.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php
echo $iceURLPath . "/assets/css/theme/";
echo $settingsClass->assetsRoot . "/css/theme/";
echo "default" === $ICEcoder["theme"] ? 'icecoder.css' : $ICEcoder["theme"] . '.css';
echo "?microtime=" . microtime(true);
?>">
<link rel="icon" type="image/png" href="<?php echo $iceURLPath;?>/assets/images/favicon.png">
<link rel="icon" type="image/png" href="<?php echo $settingsClass->assetsRoot;?>/images/favicon.png">
<script>
docRoot = "<?php echo $ICEcoder['docRoot']; ?>";
iceRoot = "<?php echo $ICEcoder['root']; ?>";
window.onbeforeunload = function() {
@@ -85,7 +86,7 @@ $t = $text['index'];
?>
}
</script>
<script language="JavaScript" src="<?php echo $iceURLPath;?>/assets/js/icecoder.js?microtime=<?php echo microtime(true);?>"></script>
<script language="JavaScript" src="<?php echo $settingsClass->assetsRoot;?>/js/icecoder.js?microtime=<?php echo microtime(true);?>" id="icecoderJSFile" data-assets-root="<?php echo $settingsClass->assetsRoot;?>"></script>
<?php
$havePrettier = false;
foreach ($ICEcoder['plugins'] as $plugin) {
@@ -106,10 +107,10 @@ if (true === $havePrettier && true === file_exists(dirname(__FILE__) . "/plugins
<?php
}
?>
<script src="<?php echo $iceURLPath;?>/assets/js/mmd.js?microtime=<?php echo microtime(true);?>"></script>
<script src="<?php echo $iceURLPath;?>/assets/js/farbtastic.js?microtime=<?php echo microtime(true);?>"></script>
<script src="<?php echo $iceURLPath;?>/assets/js/difflib.js?microtime=<?php echo microtime(true);?>"></script>
<link rel="stylesheet" href="<?php echo $iceURLPath;?>/assets/css/farbtastic.css?microtime=<?php echo microtime(true);?>" type="text/css">
<script src="<?php echo $settingsClass->assetsRoot;?>/js/mmd.js?microtime=<?php echo microtime(true);?>"></script>
<script src="<?php echo $settingsClass->assetsRoot;?>/js/farbtastic.js?microtime=<?php echo microtime(true);?>"></script>
<script src="<?php echo $settingsClass->assetsRoot;?>/js/difflib.js?microtime=<?php echo microtime(true);?>"></script>
<link rel="stylesheet" href="<?php echo $settingsClass->assetsRoot;?>/css/farbtastic.css?microtime=<?php echo microtime(true);?>" type="text/css">
</head>
<body onload="<?php
@@ -180,7 +181,7 @@ if (true === $havePrettier && true === file_exists(dirname(__FILE__) . "/plugins
<div id="plugins" class="plugins" style="<?php echo $ICEcoder["pluginPanelAligned"];?>: 0" onmouseover="ICEcoder.showHidePlugins('show')" onmouseout="ICEcoder.showHidePlugins('hide')" onclick="ICEcoder.showHidePlugins('hide')">
<div style="padding: 15px">
<a nohref onclick="ICEcoder.showColorPicker(document.getElementById('color') ? document.getElementById('color').value : '#123456')" title="Farbtastic
<?php echo $t['Color picker'];?>"><img src="<?php echo $iceURLPath;?>/assets/images/color-picker.png" style="cursor: pointer" alt="Color Picker"></a><br><br>
<?php echo $t['Color picker'];?>"><img src="<?php echo $settingsClass->assetsRoot;?>/images/color-picker.png" style="cursor: pointer" alt="Color Picker"></a><br><br>
<div id="pluginsOptional"><?php echo $pluginsDisplay; ?></div>
<a nohref onclick="ICEcoder.pluginsManager()" title="<?php echo $t['Plugins Manager'];?>" style="color: #ddd; margin-left: 2px; cursor: pointer"><?php echo file_get_contents(dirname(__FILE__) . "/assets/images/icons/plus.svg");?></a>
</div>
@@ -303,8 +304,8 @@ if (true === $havePrettier && true === file_exists(dirname(__FILE__) . "/plugins
<div id="editor" class="editor">
<div id="tabsBar" class="tabsBar" oncontextmenu="return false">
<a nohref onClick="ICEcoder.closeAllTabs()"><img src="<?php echo $iceURLPath;?>/assets/images/nav-close-all.gif" class="closeAllTabs" title="<?php echo $t['Close all tabs'];?>"></a>
<a nohref onClick="ICEcoder.alphaTabs()"><img src="<?php echo $iceURLPath;?>/assets/images/nav-alpha.png" class="alphaTabs" title="<?php echo $t['Alphabetize tabs'];?>"></a>
<a nohref onClick="ICEcoder.closeAllTabs()"><img src="<?php echo $settingsClass->assetsRoot;?>/images/nav-close-all.gif" class="closeAllTabs" title="<?php echo $t['Close all tabs'];?>"></a>
<a nohref onClick="ICEcoder.alphaTabs()"><img src="<?php echo $settingsClass->assetsRoot;?>/images/nav-alpha.png" class="alphaTabs" title="<?php echo $t['Alphabetize tabs'];?>"></a>
<?php
for ($i = 1; $i <= 100; $i++) {
echo '<div id="tab' . $i . '" class="tab" onmousedown="if (false === ICEcoder.overCloseLink) {ICEcoder.switchTab(parseInt(this.id.slice(3), 10)); ICEcoder.tabDragStart(parseInt(this.id.slice(3), 10))}; if (1 === event.button) {ICEcoder.closeTab(parseInt(this.id.slice(3), 10)); return false}; thisColor = ICEcoder.colorSelectedText;" onmouseover="thisColor = this.style.color; this.style.color = ICEcoder.colorSelectedText" onmouseout="this.style.color = thisColor" ondblclick="ICEcoder.focusUnfocusTab()"></div>';
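Review bot: `data-assets-root="<?php echo $settingsClass->assetsRoot;?>"` in the script-tag hunk writes a settings value into an HTML attribute unencoded, and icecoder.js then reads it back from `dataset` and concatenates it into `innerHTML` strings; the value is admin-controlled so the exposure is low, but `htmlspecialchars($settingsClass->assetsRoot, ENT_QUOTES)` at this single attribute costs nothing and makes the contract ("a URL prefix, never markup") explicit. The plugin-manager link just below the color-picker hunk still reads `dirname(__FILE__) . "/assets/images/icons/plus.svg"` from the local filesystem; with `assetsRoot` now configurable to an absolute URL, that only keeps working if the local assets directory is retained alongside — a short comment there would record that assumption.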


@@ -2,6 +2,10 @@
include "headers.php";
include "settings.php" ;
$t = $text['auto-logout-warning'];
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot;
?>
<!DOCTYPE html>
@@ -10,8 +14,8 @@ $t = $text['auto-logout-warning'];
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> auto-logout</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/auto-logout-warning.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/auto-logout-warning.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="auto-logout-warning">
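Review bot: The `$assetsPath` ternary only recognises the literal value `"assets"`; any other relative setting (which the Settings comment explicitly allows) is used unchanged from a `lib/` page and resolves one directory too deep. Testing for relativity covers the documented range: `$assetsPath = preg_match('#^(/|[a-z]+://)#i', $settingsClass->assetsRoot) ? $settingsClass->assetsRoot : "../" . $settingsClass->assetsRoot;`. The same four lines are duplicated in backup-versions, bug-report, help and login; computing `$assetsPath` once in settings.php, which each of them already includes, would keep them in step — login's copy also omits the trailing `;` and relies on `?>` to terminate the statement.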


@@ -8,6 +8,10 @@ $t = $text['backup-versions'];
$file = str_replace("|" ,"/", xssClean($_GET['file'], 'html'));
$fileCountInfo = getVersionsCount(dirname($file), basename($file));
$versions = $fileCountInfo['count'];
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot;
?>
<!DOCTYPE html>
@@ -16,10 +20,10 @@ $versions = $fileCountInfo['count'];
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> backup version control</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/backup-versions.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="../assets/css/codemirror.css?microtime=<?php echo microtime(true);?>">
<script src="../assets/js/codemirror-compressed.js?microtime=<?php echo microtime(true);?>"></script>
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/backup-versions.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $assetsPath;?>/css/codemirror.css?microtime=<?php echo microtime(true);?>">
<script src="<?php echo $assetsPath;?>/js/codemirror-compressed.js?microtime=<?php echo microtime(true);?>"></script>
<style type="text/css">
.CodeMirror {position: absolute; width: 409px; height: 180px; font-size: <?php echo $ICEcoder["fontSize"];?>}
@@ -28,12 +32,12 @@ $versions = $fileCountInfo['count'];
.cm-tab {border-left-width: <?php echo $ICEcoder["visibleTabs"] ? "1px" : "0";?>; margin-left: <?php echo $ICEcoder["visibleTabs"] ? "-1px" : "0";?>; border-left-style: solid; border-left-color: rgba(255,255,255,0.15)}
</style>
<link rel="stylesheet" href="<?php
echo dirname(basename(__DIR__)) . '/../assets/css/theme/';
echo $assetsPath . '/css/theme/';
echo $ICEcoder["theme"] === "default" ? 'icecoder.css': $ICEcoder["theme"] . '.css';
echo "?microtime=".microtime(true);
?>">
<link rel="stylesheet" href="../assets/css/foldgutter.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="../assets/css/simplescrollbars.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $assetsPath;?>/css/foldgutter.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $assetsPath;?>/css/simplescrollbars.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="backup-versions" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'versions')" onload="this.focus();">


@@ -2,6 +2,10 @@
include "headers.php";
include "settings.php" ;
$t = $text['bug-report'];
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot;
?>
<!DOCTYPE html>
@@ -10,8 +14,8 @@ $t = $text['bug-report'];
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> bug report</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/bug-report.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/bug-report.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="bug-report">


@@ -18,15 +18,17 @@ if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"] = md5(uniqid(mt_rand(), true));
}
if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"])) {
$req = isset($_REQUEST["csrf"]) ? xssClean($_REQUEST["csrf"], "html") : "";
die($t['Bad CSRF token...'] . "<br><br>
CSRF issue:<br>
REQUEST: " . $req . "<br>
SESSION: " . xssClean($_SESSION["csrf"], "html") . "<br>
FILE: " . xssClean($_SERVER["SCRIPT_NAME"], "html") . "<br>
GET: " . xssClean(var_export($_GET, true), "html") . "<br>
POST: " . xssClean(var_export($_POST, true), "html"));
if (($_POST || $_GET) && !$_POST["csrf"] && !$_GET["csrf"]) {
$req = xssClean($_POST["csrf"] ?? $_GET['csrf'] ?? "", "html");
if ($req !== $_SESSION["csrf"]) {
die($t['Bad CSRF token...'] . "<br><br>
CSRF issue:<br>
REQUEST: " . $req . "<br>
SESSION: " . xssClean($_SESSION["csrf"], "html") . "<br>
FILE: " . xssClean($_SERVER["SCRIPT_NAME"], "html") . "<br>
GET: " . xssClean(var_export($_GET, true), "html") . "<br>
POST: " . xssClean(var_export($_POST, true), "html"));
}
}
if (!headers_sent()) {
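Review bot: The rewritten CSRF guard no longer rejects bad tokens: the outer condition `($_POST || $_GET) && !$_POST["csrf"] && !$_GET["csrf"]` is only true when neither field carries a truthy value, so the inner `$req !== $_SESSION["csrf"]` comparison runs solely for requests that sent no token at all, and a request carrying any non-empty `csrf` value passes without being compared to the session. The previous code died on a missing or mismatched token; the new code should keep that behaviour, and `hash_equals` makes the comparison constant-time and type-strict. `!$_POST["csrf"]` on an absent key also raises an undefined-index warning on PHP 8, which the `??` form on the next line already avoids. Echoing `$_SESSION["csrf"]` back in the diagnostic is pre-existing, but a server-side log entry would serve debugging without returning the live token to the requester.
```php
if ($_POST || $_GET) {
    $req = $_POST["csrf"] ?? $_GET["csrf"] ?? "";
    // Reject a missing, non-string or mismatched token; compare in constant time
    if (!is_string($req) || !hash_equals($_SESSION["csrf"], $req)) {
        die($t['Bad CSRF token...'] /* … unchanged: diagnostic message body, with REQUEST showing xssClean($req, "html") … */);
    }
}
```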


@@ -2,6 +2,10 @@
include "headers.php";
include "settings.php";
$t = $text['help'];
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot;
?>
<!DOCTYPE html>
@@ -10,8 +14,8 @@ $t = $text['help'];
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> help</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/help.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/help.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="help" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'help')" onload="this.focus();">


@@ -1,12 +1,12 @@
<?php
// Classes
require_once "../classes/_ExtraProcesses.php";
require_once "../classes/Backup.php";
require_once "../classes/File.php";
require_once "../classes/Settings.php";
require_once "../classes/System.php";
require_once "../classes/URL.php";
require_once dirname(__FILE__)."/../classes/_ExtraProcesses.php";
require_once dirname(__FILE__)."/../classes/Backup.php";
require_once dirname(__FILE__)."/../classes/File.php";
require_once dirname(__FILE__)."/../classes/Settings.php";
require_once dirname(__FILE__)."/../classes/System.php";
require_once dirname(__FILE__)."/../classes/URL.php";
// Headers & Settings
require_once "headers.php";
require_once "settings.php";
require_once dirname(__FILE__)."/headers.php";
require_once dirname(__FILE__)."/settings.php";
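Review bot: `dirname(__FILE__)` is the pre-PHP-5.3 spelling of `__DIR__`; since this same change already relies on PHP 7 syntax (`??` in headers.php), `require_once __DIR__ . "/../classes/Backup.php";` is the idiomatic form for each of the eight lines and avoids a function call per require. Behaviour is identical either way, so this is style only.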


@@ -25,6 +25,10 @@ if ($ICEcoder["multiUser"]) {
}
closedir($handle);
}
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot
?>
<!DOCTYPE html>
@@ -37,9 +41,9 @@ echo true === $settingPW ? "Setup" : "Login";
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="icon" type="image/png" href="../assets/images/favicon.png">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="icon" type="image/png" href="<?php echo $assetsPath;?>/images/favicon.png">
</head>
<body style="background-color: #181817" onLoad="<?php if (false === isset($_GET["get"])) {$inputFocus = true === $ICEcoder["multiUser"] && (true === $ICEcoder["enableRegistration"] || 1 < count($configUsernames)) ? "username" : "password"; echo "document.settingsUpdate." . $inputFocus . ".focus(); ";}; ?>setTimeout(function(){document.getElementById('screenContainer').style.opacity = '1'}, 50)">
@@ -47,7 +51,7 @@ echo true === $settingPW ? "Setup" : "Login";
<div class="screenContainer" id="screenContainer" style="background-color: #181817; opacity: 0; transition: opacity 0.1s ease-out">
<div class="screenVCenter">
<div class="screenCenter">
<img src="../assets/images/icecoder.png" alt="ICEcoder">
<img src="<?php echo $assetsPath;?>/images/icecoder.png" alt="ICEcoder">
<div class="version" style="margin-bottom: 22px"><?php echo $ICEcoder["versionNo"];?></div>
<form name="settingsUpdate" action="login.php" method="POST"<?php if (true === $settingPW) {?> onsubmit="return checkCanSubmit();"<?php } ?>>
@@ -61,7 +65,7 @@ echo true === $settingPW ? "Setup" : "Login";
if (true === $ICEcoder["multiUser"]) {
// Also set value to "admin" if only 1 user (has to be admin)
$showAdminValue = 1 === count($configUsernames) ? ' value="admin"' : '';
echo '<input type="text" name="username"' . $showAdminValue . ' class="password"><br><br>';
echo '<input type="text" name="username"' . $showAdminValue . ' class="password" id="username" onkeydown="return checkUsernameKey(event.key)" onkeyup="checkUsername(this.value, true)" onchange="checkUsername(this.value, true)" onpaste="checkUsername(this.value, true)"><br><br>';
};
?>
<input type="password" name="password" class="password" id="password"<?php
@@ -103,7 +107,8 @@ echo true === $settingPW ? "Setup" : "Login";
echo '<div class="text" style="position: relative"><input type="checkbox" name="disableFurtherRegistration" value="true" style="position: absolute; margin: -1px 0 0 -20px" checked> ' . $t['disable further registrations'] . '</div>';
}
if ("" === $ICEcoder["password"] || true === $ICEcoder["multiUser"]) {
echo '<div class="text" style="position: relative"><input type="checkbox" name="checkUpdates" value="true" style="position: absolute; margin: -1px 0 0 -20px" checked> ' . $t['auto-check for updates'] . '</div>';
$tickCheckUpdates = true === $ICEcoder['checkUpdates'] ? " checked" : "";
echo '<div class="text" style="position: relative"><input type="checkbox" name="checkUpdates" value="true" style="position: absolute; margin: -1px 0 0 -20px"' . $tickCheckUpdates . '> ' . $t['auto-check for updates'] . '</div>';
}
if (false === $ICEcoder["multiUser"]) { echo '<div class="text"><a href="javascript:alert(\'' . $t['To put into...'] . '\'); document.settingsUpdate.' . $inputFocus . '.focus();">' . $t['multi-user'] . '?</a></div>';};
?>
@@ -123,6 +128,21 @@ const get = function(elem) {
return document.getElementById(elem);
};
// Check keydown in username field meets simple rules (alphanums, underscore and hyphen only)
const checkUsernameKey = function(key) {
return /[\w_\-]/g.test(key);
}
// Check username value meets simple rules (alphanums, underscore and hyphen only)
const checkUsername = function(username, amend) {
// Amend username if OK to do this
if (true === amend) {
get("username").value = username.replace(/[^\w_\-]/g, "");
}
// Return a bool based on meeting the requirements
return username.replace(/[^\w_\-]/g, "").length === username.length;
};
// Check password strength and color requirements not met
const pwStrength = function(pw) {
// Set variables
@@ -160,7 +180,16 @@ const checkCase = function(evt) {
// Check if we can submit, else shake requirements
const checkCanSubmit = function() {
// Password isn't strong enough, shake requirements
<?php
// Check username field if multiUser enabled
if (true === $ICEcoder["multiUser"]) {
?>// Username isn't simple, can't submit
if(false === checkUsername(get("username").value, false)) {
return false;
}
<?php
}
?>// Password isn't strong enough, shake requirements
if(false === pwStrength(get("password").value)) {
var posArray = [24, -24, 12, -12, 6, -6, 3, -3, 0];
var pos = -1;
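Review bot: The `/g` flag on the `checkUsernameKey` regex and the explicit `_` inside `[\w_\-]` are both redundant: `\w` already covers the underscore, and `test()` needs no global flag. Because `test()` advances `lastIndex` on a global regex, the check would also start alternating between true and false if that literal were ever hoisted out of the function; `return /[\w-]/.test(key);` and `username.replace(/[^\w-]/g, "")` express the same rule without that trap. A one-line comment on `checkUsername` saying that it is a convenience filter and that the `preg_replace` in settings.php is the enforcing check would help the next reader. The enclosing `<script>` block and `checkCanSubmit` continue outside the hunk.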


@@ -8,6 +8,10 @@ $t = $text['multiple-results'];
$selectedFiles = true === isset($_GET['selectedFiles'])
? explode(":", $_GET['selectedFiles'])
: [];
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot
?>
<!DOCTYPE html>
@@ -16,8 +20,8 @@ $selectedFiles = true === isset($_GET['selectedFiles'])
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> multiple results screen</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/multiple-results.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/multiple-results.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="results" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'multipleResults')" onload="parent.document.getElementById('loadingMask').style.visibility = 'hidden'; this.focus();">
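Review bot: The four-line `$assetsPath` computation added at the top of this screen is pasted verbatim into the login, plugins-manager, properties and settings-screen sections of this compare, each repeating the same `"assets" === $settingsClass->assetsRoot` test; it belongs once on the Settings class (or in settings.php) next to `assetsRoot`, so that a later change to the rule is made in one place. The value is also echoed straight into `href` and `src` attributes; if `assetsRoot` can be edited through the settings screen rather than only through the config files, it should pass through `htmlspecialchars()` at the echo sites. The `<head>` continues outside the hunks.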


@@ -63,7 +63,7 @@ if (false === $demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn']
$ICEcoder["plugins"][] = [
$pluginsData[$_GET['plugin']]['name'],
$pluginsData[$_GET['plugin']]['icon'],
str_replace("images/", "plugins/", $pluginsData[$_GET['plugin']]['icon']),
$pluginsData[$_GET['plugin']]['style'],
$pluginsData[$_GET['plugin']]['URL'],
$pluginsData[$_GET['plugin']]['target'],
@@ -149,6 +149,10 @@ function deletePlugin($dir) {
closedir($theDir);
rmdir($dir);
}
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot
?>
<!DOCTYPE html>
@@ -157,8 +161,8 @@ function deletePlugin($dir) {
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> plugins manager</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/plugins-manager.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/plugins-manager.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="pluginsManager" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'pluginsManager')" onload="this.focus();">
@@ -242,7 +246,7 @@ function deletePlugin($dir) {
}
$reloadExtra = "true" === $pluginsData[$i]['reload'] ? '<br><span style="color: #888">' . $t['Reload after install...'] . '</span>' : '';
echo '<td style="padding: 0 10px 18px 0; width: 28px; text-align: center"><img src="https://icecoder.net/' . $pluginsData[$i]['icon'] . '" alt="'.$pluginsData[$i]['name'] . '"></td>';
echo '<td style="padding: 0 10px 18px 0; width: 28px; text-align: center"><img src="https://plugins.icecoder.net/' . $pluginsData[$i]['icon'] . '" alt="'.$pluginsData[$i]['name'] . '"></td>';
echo '<td style="padding: 8px 10px 8px 0; width: 250px; white-space: nowrap">' . $pluginsData[$i]['name'] . $reloadExtra . '</td>';
$styleExtra = (1 === $i % 2 || $i === count($pluginsData) - 1) ? "0" : "30px";
echo '<td style="padding: 3px ' . $styleExtra . ' 8px 0">' . $installUninstallButton . '</td>';
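Review bot: The new `<img>` line writes `$pluginsData[$i]['icon']` into `src` and `$pluginsData[$i]['name']` into `alt` without escaping, and the first hunk likewise passes the plugin's `icon` through `str_replace` unescaped; only the host prefix changed, so the output stays attribute-unsafe. If `$pluginsData` is fetched from the plugins host rather than read from local config, both values should go through `htmlspecialchars(..., ENT_QUOTES)` at the echo site, e.g. `'<img src="https://plugins.icecoder.net/' . htmlspecialchars($pluginsData[$i]['icon'], ENT_QUOTES) . '" alt="' . htmlspecialchars($pluginsData[$i]['name'], ENT_QUOTES) . '">'`. Where `$pluginsData` is loaded is outside these hunks, so this is a question to confirm rather than a certain defect.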


@@ -9,6 +9,10 @@ $fileName=realpath($docRoot . $iceRoot . str_replace("|", "/", $_GET['fileName']
if (!file_exists($fileName) || 0 !== strpos(str_replace("\\", "/", $fileName),$docRoot)) {
die("<script>alert('Sorry - problem with file/folder requested'); window.history.back();</script>");
}
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot
?>
<!DOCTYPE html>
@@ -17,8 +21,8 @@ if (!file_exists($fileName) || 0 !== strpos(str_replace("\\", "/", $fileName),$d
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> file/folder properties</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/properties.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/properties.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="properties" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'properties')" onload="this.focus();">


@@ -32,9 +32,9 @@ if (false === empty($reqsFailures)) {
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" type="text/css" href="../assets/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="../assets/css/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="icon" type="image/png" href="../assets/images/favicon.png">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/resets.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="icon" type="image/png" href="<?php echo $settingsClass->assetsRoot;?>/images/favicon.png">
</head>
<body style="background-color: #181817" onLoad="setTimeout(function(){document.getElementById('screenContainer').style.opacity = '1'}, 50)">
@@ -42,7 +42,7 @@ if (false === empty($reqsFailures)) {
<div class="screenContainer" id="screenContainer" style="background-color: #181817; opacity: 0; transition: opacity 0.1s ease-out">
<div class="screenVCenter">
<div class="screenCenter">
<img src="../assets/images/icecoder.png" alt="ICEcoder">
<img src="<?php echo $settingsClass->assetsRoot;?>/images/icecoder.png" alt="ICEcoder">
<div class="version" style="margin-bottom: 22px"><?php echo $settingsClass->versionNo;?></div>
<span style="display: inline-block; color: #fff">
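Review bot: The requirements screen now builds its stylesheet and image URLs from `$settingsClass->assetsRoot` alone, without the `"assets" === ... ? "../" ...` adjustment every other screen in this compare applies, and the lines it replaces were hard-coded `../assets/...`. requirements.php is included from settings.php, which appears to be included both from root-level scripts (`include "lib/settings.php"`) and from screens that sit beside it (`require_once "settings.php"`), so when `assetsRoot` is the relative default the hrefs resolve against whichever script did the including and the CSS will be missing on one of the two paths. Computing the path the same way as the other screens, or making `assetsRoot` root-relative, removes the dependency on the includer. The `<head>` continues outside the hunk.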


@@ -25,18 +25,15 @@ if(false === isset($_SESSION)) {
ini_set('session.httponly', true); // Only allow http protocol (ie, not JS) access to the cookie
ini_set('session.cookie_httponly', true); // Only allow cookie via http protocol (ie, not JS) access to the cookie
// ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp
if(false === isset($_COOKIE['ICEcoder'])) {
$_COOKIE['ICEcoder'] = session_create_id();
}
session_id($_COOKIE['ICEcoder']);
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
ini_set('session.cookie_secure', '1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
}
session_start(); // Finally, start the session!
if (false === isset($_SESSION)) {
session_start();
}
if (false === isset($_SESSION['csrf'])){
session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking
$_COOKIE['ICEcoder'] = session_id();
session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking
}
}
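Review bot: The inner `if (false === isset($_SESSION)) { session_start(); }` is redundant: the hunk header shows the whole block already sits inside `if(false === isset($_SESSION))`, so `session_start();` can be called unconditionally at that point. Since the removed code let a client-supplied `ICEcoder` cookie choose the session id, it is worth adding `ini_set('session.use_strict_mode', '1');` beside the other `ini_set` calls that precede `session_start()`, so PHP refuses ids it did not generate instead of adopting them. The `$_SESSION['csrf']` test still only regenerates the id; whatever sets that token presumably lives outside this hunk, so a one-line comment pointing to it would help the next reader.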


@@ -2,6 +2,10 @@
include "headers.php";
include "settings.php";
$t = $text['settings-screen'];
$assetsPath = "assets" === $settingsClass->assetsRoot
? "../" . $settingsClass->assetsRoot
: $settingsClass->assetsRoot
?>
<!DOCTYPE html>
@@ -10,9 +14,9 @@ $t = $text['settings-screen'];
<title>ICEcoder <?php echo $ICEcoder["versionNo"];?> settings screen</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" type="text/css" href="../assets/css/settings-screen.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="../assets/css/codemirror.css?microtime=<?php echo microtime(true);?>">
<script src="../assets/js/codemirror-compressed.js?microtime=<?php echo microtime(true);?>"></script>
<link rel="stylesheet" type="text/css" href="<?php echo $assetsPath;?>/css/settings-screen.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $assetsPath;?>/css/codemirror.css?microtime=<?php echo microtime(true);?>">
<script src="<?php echo $assetsPath;?>/js/codemirror-compressed.js?microtime=<?php echo microtime(true);?>"></script>
<style type="text/css">
.CodeMirror {position: absolute; width: 309px; height: 180px; font-size: <?php echo $ICEcoder["fontSize"];?>; transition: font-size 0.25s ease}
@@ -21,7 +25,7 @@ $t = $text['settings-screen'];
.cm-tab {border-left-width: <?php echo $ICEcoder["visibleTabs"] ? "1px" : "0";?>; margin-left: <?php echo $ICEcoder["visibleTabs"] ? "-1px" : "0";?>; border-left-style: solid; border-left-color: rgba(255,255,255,0.2)}
</style>
<link rel="stylesheet" href="../assets/css/theme/icecoder.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $assetsPath;?>/css/theme/icecoder.css?microtime=<?php echo microtime(true);?>">
<?php
$themeArray = [];
$handle = opendir('../assets/css/theme/');
@@ -33,22 +37,17 @@ while (false !== ($file = readdir($handle))) {
closedir($handle);
sort($themeArray);
for ($i = 0;$i < count($themeArray); $i++) {
echo '<link rel="stylesheet" href="../assets/css/theme/' . $themeArray[$i] . '.css?microtime=' . microtime(true) . '">' . PHP_EOL;
echo '<link rel="stylesheet" href="' . $assetsPath . '/css/theme/' . $themeArray[$i] . '.css?microtime=' . microtime(true) . '">' . PHP_EOL;
}
// Do we have a tab to switch to?
$tabSwitchExtra = "";
if (true === isset($_GET['tab'])) {
$tabSwitchExtra = "switchTab('" . $_GET['tab'] . "');";
}
?>
<link rel="stylesheet" href="../assets/css/simplescrollbars.css?microtime=<?php echo microtime(true);?>">
<link rel="stylesheet" href="<?php echo $assetsPath;?>/css/simplescrollbars.css?microtime=<?php echo microtime(true);?>">
</head>
<body class="settings" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'settings')" onload="<?php echo $tabSwitchExtra;?>this.focus();">
<body class="settings" onkeyup="parent.ICEcoder.handleModalKeyUp(event, 'settings')" onload="this.focus();">
<div class="infoPane">
<a href="https://icecoder.net" target="_blank"><img src="../assets/images/icecoder.png" alt="ICEcoder" class="logo"></a>
<a href="https://icecoder.net" target="_blank"><img src="<?php echo $assetsPath;?>/images/icecoder.png" alt="ICEcoder" class="logo"></a>
<h1 style="margin: 10px 0"><?php echo $t['settings'];?></h1>
@@ -205,13 +204,17 @@ if (true === isset($_GET['tab'])) {
// Display number of days backups available
$backupDirBase = str_replace("\\", "/", dirname(__FILE__)) . "/../data/backups/";
$backupDirHost = "localhost";
$backupDirsList = scandir($backupDirBase . $backupDirHost);
// Remove . and .. from array
for ($i = 0; $i < count($backupDirsList); $i++) {
if ($backupDirsList[$i] === "." || $backupDirsList[$i] === "..") {
array_splice($backupDirsList, $i, 1);
$i--;
if (true === is_dir($backupDirBase . $backupDirHost)) {
$backupDirsList = scandir($backupDirBase . $backupDirHost);
// Remove . and .. from array
for ($i = 0; $i < count($backupDirsList); $i++) {
if ($backupDirsList[$i] === "." || $backupDirsList[$i] === "..") {
array_splice($backupDirsList, $i, 1);
$i--;
}
}
} else {
$backupDirsList = [];
}
// Display text re the number of days backups have taken place
$backupNumDays = "" != $backupDirsList[0] && count($backupDirsList) > 0 ? count($backupDirsList) : 0;
@@ -594,6 +597,12 @@ function switchTab(tab) {
function submitSettings() {
<?php echo true === $ICEcoder['demoMode'] ? "parent.ICEcoder.message('Sorry, can\'t commit settings in demo mode')" : "validatePasswords()"; ?>;
}
<?php
// Do we have a tab to switch to?
if (true === isset($_GET['tab'])) {
echo "switchTab('" . $_GET['tab'] . "');";
}
?>
</script>
<div class="update" id="updateButton" onclick="submitSettings()">update</div>
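Review bot: `echo "switchTab('" . $_GET['tab'] . "');"` writes a query parameter into the inline `<script>` block unescaped, so a crafted `tab` value can break out of the string literal and execute in the logged-in user's session; moving it out of the `onload` attribute did not change that. Resolve it against the known tab names before echoing, or at minimum emit it as a JSON literal: `echo "switchTab(" . json_encode($_GET['tab'], JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS) . ");";`. Separately, the new `else { $backupDirsList = []; }` branch makes the unchanged `"" != $backupDirsList[0] && count($backupDirsList) > 0` read index 0 of an empty array before checking the count; swapping the two operands avoids the notice. The `switchTab` function and the surrounding `<script>` start outside the hunk.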


@@ -95,7 +95,8 @@ if (false === $demoMode && true === isset($_SESSION['loggedIn']) && true === $_S
// Work out the theme to use now
$themeURL =
"assets/css/theme/" .
$settingsClass->assetsRoot .
"/css/theme/" .
("default" === $ICEcoder["theme"] ? 'icecoder.css' : $ICEcoder["theme"] . '.css') .
"?microtime=" . microtime(true);


@@ -19,7 +19,7 @@ if (false === $settingsClass->getDataDirDetails()['readable']) {
include dirname(__FILE__) . "/requirements.php";
}
if (false === $settingsClass->getDataDirDetails()['writable']) {
if (false === $ICEcoder["demoMode"] && false === $settingsClass->getDataDirDetails()['writable']) {
$reqsFailures = ["phpDataDirNotWritable"];
include dirname(__FILE__) . "/requirements.php";
}
@@ -46,7 +46,7 @@ if (false === $settingsClass->getConfigGlobalFileDetails()['readable']) {
}
// Check we can write global config settings file
if (false === $settingsClass->getConfigGlobalFileDetails()['writable']) {
if (false === $ICEcoder["demoMode"] && false === $settingsClass->getConfigGlobalFileDetails()['writable']) {
$reqsFailures = ["phpGlobalConfigWriteFile"];
include dirname(__FILE__) . "/requirements.php";
}
@@ -57,9 +57,13 @@ $ICEcoderSettings = $settingsClass->getConfigGlobalSettings();
// Load common functions
include_once dirname(__FILE__) . "/settings-common.php";
$postUsername = true === isset($_POST['username']) && is_string($_POST['username'])
? preg_replace("/[^\w_\-]/", "", $_POST['username'])
: "";
// Establish user settings file
$username = "admin-";
if (true === isset($_POST['username']) && "" !== $_POST['username']) {$username = $_POST['username'] . "-";};
if ("" !== $postUsername) {$username = $postUsername . "-";};
if (true === isset($_SESSION['username']) && "" !== $_SESSION['username']) {$username = $_SESSION['username'] . "-";};
$settingsFile = 'config-' . $username . str_replace(".", "_", str_replace("www.", "", $_SERVER['SERVER_NAME'])) . '.php';
@@ -101,7 +105,7 @@ if (false === $settingsClass->getConfigUsersFileDetails($settingsFile)['readable
}
// Check we can write users config settings file
if (false === $settingsClass->getConfigUsersFileDetails($settingsFile)['writable']) {
if (false === $ICEcoder["demoMode"] && false === $settingsClass->getConfigUsersFileDetails($settingsFile)['writable']) {
$reqsFailures = ["phpUsersConfigWriteFile"];
include dirname(__FILE__) . "/requirements.php";
}
@@ -164,7 +168,7 @@ if (true === isset($_POST['submit']) && "login" === $setPWorLogin) {
if (verifyHash($_POST['password'], $ICEcoder["password"]) === $ICEcoder["password"]) {
session_regenerate_id();
if ($ICEcoder["multiUser"]) {
$_SESSION['username'] = $_POST['username'];
$_SESSION['username'] = $postUsername;
}
$_SESSION['loggedIn'] = true;
$extraProcessesClass = new ExtraProcesses();
@@ -182,9 +186,6 @@ if (true === isset($_POST['submit']) && "login" === $setPWorLogin) {
$serverType = $systemClass->getOS();
$docRoot = rtrim(str_replace("\\", "/", $ICEcoder['docRoot']));
$iceRoot = rtrim(str_replace("\\", "/", $ICEcoder["root"]));
if ($_SESSION['loggedIn'] && "index.php" === basename($_SERVER['SCRIPT_NAME'])) {
echo "<script>docRoot = '" . $docRoot . "'; iceRoot='" . $iceRoot . "'</script>";
}
// Establish the dir ICEcoders running from
$ICEcoderDirFullPath = rtrim(str_replace("\\", "/", dirname($_SERVER['SCRIPT_FILENAME'])), "/lib");
@@ -228,14 +229,14 @@ if (true === $ICEcoder['loginRequired'] && false === isset($_POST['password']) &
// If the password hasn't been set and we're setting it
if ("" === $ICEcoder["password"] && true === isset($_POST['submit']) && -1 < strpos($_POST['submit'], "set password")) {
$password = generateHash($_POST['password']);
$settingsClass->updateConfigUsersSettings($settingsFile, ["password" => $password, "checkUpdates" => $_POST["checkUpdates"]]);
$settingsClass->updateConfigUsersSettings($settingsFile, ["password" => $password, "checkUpdates" => isset($_POST["checkUpdates"])]);
$settingsClass->createIPSettingsFileIfNotExist();
if (true === isset($_POST['disableFurtherRegistration'])) {
$settingsClass->updateConfigGlobalSettings(['enableRegistration' => false]);
}
// Set the session user level
if ($ICEcoder["multiUser"]) {
$_SESSION['username'] = $_POST['username'];
$_SESSION['username'] = $postUsername;
}
$_SESSION['loggedIn'] = true;
$extraProcessesClass = new ExtraProcesses();
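Review bot: The `$postUsername` block at the top of the third hunk is now the single place where a posted username is normalised before it reaches `$settingsFile` and `$_SESSION['username']`, but nothing says so; a comment such as `// Canonical form of the posted username; the only form that may reach the settings filename or the session` would discourage a later edit from reading `$_POST['username']` directly again, as the replaced lines did. The same character rule also lives in login.php's JavaScript (`/[^\w_\-]/g`), so it is worth noting here that the client-side filter is convenience only and this `preg_replace` is the enforcement point. The surrounding login and set-password branches continue outside these hunks.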


@@ -45,7 +45,7 @@ function returnHTMLPromptCommand($cmd) {
// If proc_open isn't enabled, display prompt, command and a message re needing this enabled
if (false === proc_open_enabled()) {
echo json_encode([
"output" => returnHTMLPromptCommand($_REQUEST['command'] . "<br><br>Sorry but you can't use this terminal if your proc_open is disabled"),
"output" => returnHTMLPromptCommand($_POST['command'] . "<br><br>Sorry but you can't use this terminal if your proc_open is disabled"),
"user" => $user,
"cwd" => $cwd
]);
@@ -55,7 +55,7 @@ if (false === proc_open_enabled()) {
// If in demo mode, display message and go no further
if (true === $demoMode) {
echo json_encode([
"output" => returnHTMLPromptCommand($_REQUEST['command'] . "<br><br>Sorry, shell usage not enabled in demo mode"),
"output" => returnHTMLPromptCommand($_POST['command'] . "<br><br>Sorry, shell usage not enabled in demo mode"),
"user" => $user,
"cwd" => $cwd
]);
@@ -63,9 +63,9 @@ if (true === $demoMode) {
}
// If no command, display message and go no further
if (false === isset($_REQUEST['command'])) {
if (false === isset($_POST['command'])) {
echo json_encode([
"output" => returnHTMLPromptCommand($_REQUEST['command'] . "<br><br>Sorry, no command received"),
"output" => returnHTMLPromptCommand($_POST['command'] . "<br><br>Sorry, no command received"),
"user" => $user,
"cwd" => $cwd
]);
@@ -73,16 +73,16 @@ if (false === isset($_REQUEST['command'])) {
}
// Strip any slashes from command
$_REQUEST['command'] = stripslashes($_REQUEST['command']);
$_POST['command'] = stripslashes($_POST['command']);
// Start output with the prompt and command they provided last
$output = returnHTMLPromptCommand($_REQUEST['command']);
$output = returnHTMLPromptCommand($_POST['command']);
// If command contains cd but no dir
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $_REQUEST['command'])) {
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $_POST['command'])) {
$_SESSION['cwd'] = $cwd;
// Else cd to a dir
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $_REQUEST['command'], $regs)) {
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $_POST['command'], $regs)) {
// The current command is 'cd', which we have to handle as an internal shell command
$newDir = "/" === $regs[1][0] ? $regs[1] : $_SESSION['cwd'] . "/" . $regs[1];
@@ -110,15 +110,15 @@ if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $_REQUEST['command'])) {
// The command is not a 'cd' command
// Alias expansion
$length = strcspn($_REQUEST['command'], " \t");
$token = substr($_REQUEST['command'], 0, $length);
$length = strcspn($_POST['command'], " \t");
$token = substr($_POST['command'], 0, $length);
if (true === isset($aliases[$token])) {
$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
$_POST['command'] = $aliases[$token] . substr($_POST['command'], $length);
}
// Open a proc with array and $io return
$p = proc_open(
$_REQUEST['command'],
$_POST['command'],
array(
1 => array('pipe', 'w'),
2 => array('pipe', 'w')
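Review bot: The no-command branch still concatenates `$_POST['command']` into its message on the line `"output" => returnHTMLPromptCommand($_POST['command'] . "<br><br>Sorry, no command received")`, which only runs when that key is unset, so it raises an undefined-index notice for nothing; `returnHTMLPromptCommand("<br><br>Sorry, no command received")` is what was meant. Reading from `$_POST` instead of `$_REQUEST` narrows the input source but is not a cross-site request forgery defence on its own, and these hunks show no token check before the command reaches `proc_open`; if the file has none elsewhere, the posted request should be matched against the `$_SESSION['csrf']` value the session code establishes before any of these branches run. The `proc_open` call continues outside the hunk.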


@@ -9,7 +9,7 @@ include "lib/settings.php";
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width, initial-scale=0.5, user-scalable=no">
<link rel="stylesheet" type="text/css" href="assets/css/terminal.css?microtime=<?php echo microtime(true);?>" />
<link rel="stylesheet" type="text/css" href="<?php echo $settingsClass->assetsRoot;?>/css/terminal.css?microtime=<?php echo microtime(true);?>" />
<script type="text/javascript" language="JavaScript">
commandHistory = [];
currentLine = 0;