Osclass 8.3.1 – Security, PHP 8.5 Support, Cookies Rework and UTF8MB4 Upgrade

Osclass 8.3.1 is a major maintenance and security-focused release that introduces full compatibility with PHP 8.5, a significant rework of session and cookie handling, database-wide UTF8MB4 support for emojis, and numerous fixes and enhancements across the backoffice, search system, caching, routing, email handling, and API behavior.

This update strengthens security, improves stability, and resolves several long-standing edge cases. Due to the scope of internal changes, administrators should carefully review upgrade notes before deployment.

Full PHP 8.5 Compatibility

Osclass 8.3.1 fully supports PHP 8.5. All major internal and third-party libraries used by Osclass have been updated accordingly, including the PHP mailer. This ensures forward compatibility with modern hosting environments and improves long-term maintainability.

Major Session and Cookie Architecture Rework

A significant internal redesign of session and cookie handling has been implemented. This change affects how cookies are defined, stored, encoded, and transmitted by browsers.

  • All cookies are now created with HttpOnly=true by default, preventing access from JavaScript.
  • When SSL is enabled, cookies are automatically created with Secure=true and are only transmitted over HTTPS.
  • Cookies are now encoded to prevent issues with WAF and mod_security rules (403 errors, invalid character ranges, etc.).
  • Cookie keys are sanitized and unsupported characters are removed.

These changes significantly reduce the exposure of cookies to theft through cross-site scripting and to interception in man-in-the-middle attacks.

JavaScript-Readable Cookies

If a cookie must be accessible from JavaScript, its key must:

  • Contain _unsercure, _unsec, or _js, or
  • Start with ocjs_

The cookie key must not start with oc_. Example valid keys include my_id_unsercure or secret_key_unsecure.
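
A post-upgrade check for the cookie rules above, added here as an example and not Osclass code: it audits Set-Cookie header values against the HttpOnly and Secure defaults and the JavaScript-readable key rule. It assumes the naming conditions combine as (marker or ocjs_ prefix) and not an oc_ prefix; the sample headers and cookie names are constructed, and the name check uses the RFC 6265 token grammar rather than Osclass's own sanitizer.

```python
import re

# Naming rule for JavaScript-readable cookies, taken from the notes above.
JS_MARKERS = ("_unsercure", "_unsec", "_js")
JS_PREFIX = "ocjs_"
RESERVED_PREFIX = "oc_"
# RFC 6265 cookie-name (an HTTP token); assumption, not Osclass's own sanitizer.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed Set-Cookie values for the demo; the names are made up.
SAMPLE = [
    "oc_demo_session=abc; Path=/; HttpOnly; Secure",
    "my_id_unsercure=42; Path=/; Secure",
    "ocjs_theme=dark; Path=/; Secure",
    "cart_items=3; Path=/",
    "oc_prefs_js=1; Path=/; Secure",
]


def is_js_readable_key(name):
    """True if the key qualifies as JavaScript-readable under the rule above."""
    if name.startswith(RESERVED_PREFIX):
        return False
    return name.startswith(JS_PREFIX) or any(m in name for m in JS_MARKERS)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    return name, {p.split("=", 1)[0].strip().lower() for p in parts[1:]}


def audit(headers, https):
    """Return (cookie name, problem) pairs for cookies that miss the stated defaults."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not TOKEN.fullmatch(name):
            findings.append((name, "name is not a valid cookie token"))
        if "httponly" not in attrs and not is_js_readable_key(name):
            findings.append((name, "missing HttpOnly"))
        if https and "secure" not in attrs:
            findings.append((name, "missing Secure on HTTPS site"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE, https=True):
        print(f"{name}: {problem}")
```

Feed it the Set-Cookie values captured from a staging site after the upgrade; any cookie set by a plugin or theme that bypasses the new defaults shows up as a finding.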

Standardized Cookie Management Functions

New standardized functions were introduced to manage cookies consistently:

  • _get
  • _set
  • _drop

Additional helper wrappers were added:

  • osc_get_cookie(), osc_set_cookie(), osc_drop_cookie()
  • osc_get_session(), osc_set_session(), osc_drop_session()
  • osc_get_param()
  • osc_get_view()

This resolves issues with unstable cookies caused by non-friendly URLs and improves compatibility with plugins such as Saved Items.

Important: After upgrade, users and administrators may be logged out and browser cookies may need to be cleared.

UTF8MB4 Database Upgrade and Emoji Support

Osclass 8.3.1 introduces full UTF8MB4 support, enabling proper emoji handling and improved international compatibility.

During upgrade, Osclass attempts to convert:

  • Database connection charset
  • Database charset and collation
  • All tables and text fields

The default charset and collation are now utf8mb4 and utf8mb4_unicode_ci.

Soft Upgrade Option

If the conversion fails due to database limitations, administrators can define:

UPGRADE_UTF8MB4_SOFT

This performs a partial upgrade only. Remaining SQL statements can be retrieved using:

osc_utf8mb4_sqls()

These statements may then be executed manually in phpMyAdmin or another database tool.

Search, Pagination and Sorting Improvements

Search behavior received multiple fixes and enhancements:

  • Search controller now uses iPerPage instead of iPagesize.
  • Logged-in administrators may set higher per-page values beyond global limits.
  • Improved sorting type management on search pages.
  • Order by relevance is now supported when a search pattern is provided.
  • Fixed pagination issues with custom search rules.
  • osc_search_url() no longer includes iPage when page number is ≤ 1.

Search Cache and Performance Fixes

Several critical cache-related bugs were resolved:

  • Fixed pagination not working due to cached search pages.
  • Improved cache key generation for search pages.
  • Dynamic timestamps and time values are masked in cache keys.
  • Additional filters, hooks and conditions are included in cache keys.

Alert-related cache behavior remains unchanged.

Routing and URL Handling Enhancements

Routing capabilities were significantly expanded:

  • Theme routes may now point to files located in theme, custom, or plugin folders.
  • Support added for super route parameter sParams, enabling flexible parameter mapping.

Example:

sParams=param1,value1/param2,value2

Results in:

param1=value1, param2=value2

  • Query parameters at the end of URLs are now correctly parsed and stored.
  • Previously misattached query strings are now handled properly.

New helper functions:

  • osc_get_prev_url()
  • osc_get_next_url()
  • osc_static_page_url_from_page($page, $locale)

Email Templates and Notifications

Email handling was improved in multiple areas:

  • New backoffice feature detects and removes duplicated email templates.
  • New helper functions: osc_email_template_create($internal_name, $title, $text) and osc_email_template_delete($internal_name).
  • Resending account activation links is now rate-limited to once every 5 minutes.
  • Comment reply notifications are sent to the original comment author.
  • Alerts are no longer sent to banned email addresses.
  • Fixed alert emails being sent to non-registered users.

Backoffice UI and Management Improvements

  • Improved Debug/Error Log section with ability to select any .log file from oc-content.
  • Includes Osclass Pay and plugin logs.
  • New layout for location management.
  • Additional action buttons on user profile edit page.
  • Persistent plugin search term stored in session.
  • New option to block search engine indexing in Backoffice > Settings.
  • Manual language synchronization between database and filesystem (.po files).

Comments, Users and Listings Fixes

  • Fixed item search by item ID in backoffice.
  • User statistics now count only active listings and active comments.
  • Fixed incorrect email visibility indicator on item pages.
  • Fixed the ability to post comments using an email address different from that of the logged-in user.
  • Sigma theme bug fixed where comment section was fully hidden.

Cron, Logs and System Warnings

  • Daily cleanup of temporary upload directory (oc-content/uploads/temp).
  • New system warnings displayed on admin dashboard for cron issues.
  • Improved action logs.

Upgrade and Compatibility Improvements

  • Automated upgrades now handle renamed oc-admin and oc-content folders.
  • Manual upgrades still require folder name adjustment.
  • Frontend cookies are dropped when subdomain mode is toggled.
  • Fixed 404 error on user items page after upgrading from 8.3.0.

Additional Enhancements

  • Enhanced cURL with headers and descriptive debug output.
  • Improved API key validation and external response handling.
  • Improved TinyMCE editor behavior on mobile devices.
  • Improved static files cache cleanup when optimization is enabled.

Summary

Osclass 8.3.1 is a critical release focused on security, modern PHP compatibility, database encoding standards, and platform stability. The cookie and session rework alone represents a major security milestone, while UTF8MB4 support ensures future-proof internationalization.

Due to the scope of internal changes, administrators are strongly advised to perform full backups before upgrading and test custom plugins and themes thoroughly.