Legend:
* = New feature
- = Removed stuff
+ = Improved feature
! = Fixed bug
? = Other stuff
Important
Major release. The default theme is rebuilt from the ground up. Custom themes that forked the pre-2.0 default keep working but render in a compatibility mode; see the migration notes in the release for details.
The web panel licence has changed from CC BY-NC-SA 3.0 to the Elastic License 2.0. Hobby / community self-hosting stays free (most operators see no operational change). Offering SourceBans++ to third parties as a hosted or managed service is now reserved by ELv2 and needs a separate commercial licence. SourceMod plugins remain GPLv3. Full breakdown: Upgrading 1.8 → 2.0 — Licence change.
01. * Rebuilt default theme: drawer-based admin nav, command palette
(Ctrl/Cmd-K), light/dark/system theming, accessibility-first
form controls, design-system tokens
02. * Public ban list redesign: marquee row layout, status-filter
chips, SteamID copy buttons, right-side player drawer
03. * Public dashboard, comms list, servers card grid, login,
lost-password, submit-ban and protest-ban forms all rebuilt
04. * Admin home card-grid landing
05. * Admin audit log page (drives off the existing :prefix_log table)
06. * `bans.detail` JSON action — payload for the public ban-row drawer
07. * `bans.search` JSON action — autocomplete backend for the command
palette
08. * Markdown rendering for the dashboard intro (`dash.intro.text`)
via league/commonmark + `Sbpp\Markup\IntroRenderer` (CommonMark
with `html_input: 'escape'`, no unsafe links, no JS execution)
09. * Typed View DTOs (`Sbpp\View\*`) for every panel template, with
a custom PHPStan rule that cross-checks template variables
against View properties
10. * `Sbpp\View\Perms::for($userbank)` permission helper + the
`{has_access flags=…}` Smarty block plugin
11. * Autogenerated JavaScript API contract (`Actions.*` + `Perms.*`)
produced by `web/bin/generate-api-contract.php`; CI fails on
diff
12. * Snapshot-tested JSON API responses (`tests/api/__snapshots__/`)
and an action-to-permission matrix lock
(`PermissionMatrixTest`)
13. * Configurable SMTP `From Email` / `From Name` (#1109)
14. * Local Docker dev stack (PHP 8.5 + Apache, MariaDB, Adminer,
Mailpit) driven by `./sbpp.sh`
15. * Static analysis: PHPStan level 5 + custom Smarty rule +
staabm/phpstan-dba SQL type-checking against the live schema
16. * `tsc --checkJs` over `web/scripts/` with `// @ts-check` +
JSDoc throughout
17. + Replaced xajax with a JSON API (`api.php` + `api/handlers/*.php`)
18. + Finished ADOdb -> PDO migration (`Database` wrapper with
`:prefix_` rewriting); ADOdb dependency dropped entirely
19. + CSRF protection on every state-changing form / JSON call
20. + Smarty global escape-by-default; explicit `nofilter` annotations
with mandatory `{* nofilter: <reason> *}` comments
21. + URL-encode user-controlled values in generated hrefs (#1085)
22. + Stream `exportbans.php` rows instead of buffering the full
result (#1093)
23. + Search now matches both `STEAM_0:` and `STEAM_1:` stored authid
variants (#1130)
24. + `utf8mb4` end-to-end (panel PDO + plugin `SET NAMES`); rejects
the 3-byte `utf8` alias (#1108)
25. - Removed `web/scripts/sourcebans.js` (~1.7k-line MooTools-flavoured
bulk file); per-page tail scripts are now self-contained
vanilla JS
26. - Removed TinyMCE WYSIWYG for `dash.intro.text` (it was the
stored-XSS vector behind #1113); replaced with a plain
`<textarea>` + Markdown
27. - Removed xajax (`sb-callback.php`) and the legacy callback
contracts that depended on it
28. - Removed ADOdb library
29. ! XSS via `dash.intro.text` rendered raw through `nofilter`
(#1113)
30. ! Stored-XSS / unescaped HTML through Smarty templates that
omitted explicit escape (audited as part of the global
escape-by-default flip)
31. ! Email injection on legacy mail flows tightened by Symfony
Mailer
32. ! Gated normal-login flow on its own `config.enablenormallogin`
setting (#1102)
33. ? PHP 8.5 minimum (was 8.2); Smarty 5; lcobucci/jwt for the
auth cookie; league/commonmark for admin Markdown (#1289
bumped the floor pre-tag)
34. ? `web/themes/default/` is the new default theme; the previous
default ships as a compatibility shape (legacy property
names, alias keys) so third-party themes that forked it
keep rendering off the same View DTOs
35. ? Documentation overhaul: `ARCHITECTURE.md` (codebase tour) +
`AGENTS.md` (workflow / conventions) live alongside
`README.md`; user-facing install / upgrade / configure
guides moved to the Starlight site at sbpp.github.io
36. • SourceMod native API epoch: `MAJOR_REVISION` / `MINOR_REVISION` and
`SB_VERSION` live in generated `include/sbpp_version.inc`
(`scripts/resolve-plugin-version.sh` — release CI tag via
`SBPP_RELEASE_VERSION`, then `configs/version.json` →
`git describe` → `dev` like the panel; `MINOR_REVISION` is the
native API additive counter, not panel semver minor). Direct
`spcomp` builds use the checked-in `dev` fallback or run the
script locally. New `SOURCEBANSPP_VERSION_MAJOR` for optional
compile-time guards. Third-party plugins need a rebuild only when
they use checker library
detection (`"sourcechecker++"`, not `"sourcebans++"` — #1034), new
checker mute/gag natives (#1032), or hook
`SBPP_OnClientPostAdminCheck` (#1431). Plugins that only call
existing SBPP ban/report forwards/natives can usually keep their
existing `.smx`. ([#1114](https://github.com/sbpp/sourcebans-pp/issues/1114))
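The hardening described in entries 08, 26 and 29 above, as an added example that is not SourceBans++ code: it renders constructed intro texts through league/commonmark once with the library defaults and once with `html_input` set to `escape` and `allow_unsafe_links` set to `false`. The `hasActiveContent` helper and the sample strings are assumptions, and `Sbpp\Markup\IntroRenderer` itself may be configured differently.

```php
<?php
// Added example, not SourceBans++ code.
// Assumes: composer require league/commonmark (2.x)
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

// Library defaults: raw HTML passes through and javascript: links are kept,
// which is comparable to rendering admin-supplied HTML without escaping.
$permissive = new CommonMarkConverter();

// Hardened settings: escape inline and block HTML, and drop link targets
// the library classifies as unsafe (for example javascript:).
$hardened = new CommonMarkConverter([
    'html_input'         => 'escape',
    'allow_unsafe_links' => false,
]);

/** Hypothetical regression check: does the rendered HTML still carry active content? */
function hasActiveContent(string $html): bool
{
    // Only real tags count; escaped text such as "&lt;script&gt;" is inert.
    $pattern = '/<script\b|<[a-z][^>]*\son\w+\s*=|href="\s*javascript:/i';
    return preg_match($pattern, $html) === 1;
}

// Constructed sample intro texts an admin account might save.
$samples = [
    'plain markdown' => "# Welcome\n\nRead the **rules** at [our site](https://example.org/rules).",
    'inline script'  => 'Hello <script>alert(1)</script>',
    'event handler'  => '<img src="x" onerror="alert(1)">',
    'script link'    => '[click me](javascript:alert(1))',
];

foreach ($samples as $label => $markdown) {
    $before = $permissive->convert($markdown)->getContent();
    $after  = $hardened->convert($markdown)->getContent();
    printf(
        "%-15s defaults=%-6s hardened=%s\n",
        $label,
        hasActiveContent($before) ? 'ACTIVE' : 'inert',
        hasActiveContent($after) ? 'ACTIVE' : 'inert'
    );
}
```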
This release ships default-on anonymous telemetry (#1126). Once per
day per install, the panel sends a small JSON payload to a SourceBans++
Cloudflare Worker so maintainers can see what versions, environments,
and feature toggles are actually in use. The payload is random
per-install ID + categorical / count fields only — no hostnames,
IPs, admin names, SteamIDs, ban reasons, or any other PII. The toggle
lives at Admin → Settings → Features → Privacy → Anonymous telemetry;
disabling it clears the per-install ID so re-enabling later issues a
fresh one. The complete field list lives in the code at
web/includes/Telemetry/schema-1.lock.json;
the upgrade-time disclosure (and self-hosted-collector escape hatch)
lives on the docs site at
Upgrading from 1.8.x to 2.0.x.
Companion Worker repo: sbpp/cf-analytics.
Important
This is a security release and we recommend upgrading as soon as possible.
01. ! XAJAX API 'Plogin' Vulnerable to Brute Force Attacks
02. ! XAJAX API 'Plogin' can bypass disabled 'Enable Normal Login'
03. ! Vulnerability in Forgot Password implementation
04. * Lock the account for 10 minutes after multiple wrong password attempts (x5)
05. ! Verify whether the user is already logged in before displaying the login page
06. ! Ignore chat triggers for interactive ban reason
07. * Checker: configure client connect message output
08. ! Support new line in comments
09. ? CI: Build with latest SM 1.12 stable version
10. ! Tab navigation logic and validation in admin panel
11. + Extend input compatibility to all steam id formats
12. ? Bump Font Awesome to 6.6.0
13. ! Do not print unblock info if the block is still active
14. ! Prevent empty name on dashboard
15. ! Clean player names of unwanted chars
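One way to accept every SteamID notation (entry 11 above) and still match both `STEAM_0:` and `STEAM_1:` stored authids (#1130), as an added example that is not the panel's own code. The function names and sample inputs are assumptions; the conversion arithmetic is the standard SteamID mapping.

```php
<?php
// Added example, not SourceBans++ code. Function names are hypothetical.
declare(strict_types=1);

// SteamID64 of account ID 0 (individual account, public universe).
const STEAM64_BASE = 76561197960265728;

/**
 * Parse STEAM_X:Y:Z, [U:1:N] or a 17-digit SteamID64 into the 32-bit
 * account ID. Returns null so the caller can reject anything else
 * before it reaches a query or the database.
 */
function steamAccountId(string $input): ?int
{
    $input = trim($input);
    if (preg_match('/^STEAM_[0-5]:([01]):(\d{1,10})$/i', $input, $m)) {
        $id = (int) $m[2] * 2 + (int) $m[1];
    } elseif (preg_match('/^\[U:1:(\d{1,10})\]$/', $input, $m)) {
        $id = (int) $m[1];
    } elseif (preg_match('/^\d{17}$/', $input)) {
        $id = (int) $input - STEAM64_BASE;
    } else {
        return null;
    }
    // Account IDs are unsigned 32-bit; 0 is not a real account.
    return ($id > 0 && $id <= 0xFFFFFFFF) ? $id : null;
}

/** Both stored spellings of one account, usable as bound IN (?, ?) values. */
function storedAuthidVariants(int $accountId): array
{
    $tail = ($accountId & 1) . ':' . ($accountId >> 1);
    return ["STEAM_0:$tail", "STEAM_1:$tail"];
}

// Constructed inputs: three notations of one account, then two rejects.
$inputs = ['STEAM_1:0:11101', '[U:1:22202]', '76561197960287930',
           "STEAM_0:0:1' OR '1'='1", '12345'];

foreach ($inputs as $raw) {
    $id = steamAccountId($raw);
    echo str_pad($raw, 26), ' => ',
        $id === null ? 'rejected' : implode(' | ', storedAuthidVariants($id)), "\n";
}
```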
01. ? Add PHP 8.1 Compatibility
02. ? Update dependencies
03. ? Update requirements to PHP 8.1
04. ? Update requirements to SM 1.11
05. ? Rename Checker natives
06. ! Fixed display in Admin Panel
07. * Add Board Name support
08. ! Fixed Display in Installer
09. ? Emails changes (SMTP/Email templates)
10. * Auto Add server with rcon password
10. ! Fixed permissions for ADMIN_EDIT_ADMINS to change admins' passwords
11. ! Fixed a way to insert invalid SteamID Format in DB
12. ? Improve game translations
13. + Improved sm_banip
01. * Comms in count list
02. ? Update requirements to SM 1.10
03. ! Fixed issue with Data Pack
04. ! Fixed display in Admin Panel
01. * Support challenges in A2S_INFO
02. ! Fixed security vulnerability in the SetupEditServer
03. ! Fixed auth check
Full Changelog: https://sbpp.github.io/blog/1.6.3_release/
01. ! Fixed issue with group Banning
02. ! Fixed AmxBans import issue
03. ! Fixed possible XSS Injection
04. + Adjusted regex for CSGO
05. + Added option to disable 'comms' tab
06. ! Fixed bugs with SteamID format
07. ! Fixed version checks
08. ? Git version is now only shown in dev builds
09. ! Fixed issue with email links
10. * Added session based logins
01. ! Fixed an issue while XAJAX initialized
02. ! Fixed the 'dash intro text' not displaying custom HTML elements
03. ! Fixed 'change password' function
04. ! Fixed encoding issues with player names
05. ! Fixed aspect ratio of map image
06. ! Fixed editing groups/override pages
07. ! Fixed display error for 'edit mod' page
08. ! Fixed version numbering displaying 0
09. + Improved sizes and file types of images
01. ! Fixed some XSS exploits
02. + Improved password hashing / security
03. * Added utf8mb4 support
04. + Updated tinymce
05. + Reformatted most of the code
06. * Added new natives (SourceBans_OnBanPlayer, SourceComms_OnBlockAdded)
07. - Removed DB Info page (potential attack vector)
08. ! Various plugin fixes
09. + Updated Installer Theme
01. ! Fix Admins and Groups Not Loading from Config
01. ! Fix Perm Ban bug in SourceSleuth
02. ! Fix Updater
01. ! Fix Various Bugs in the Plugins EXCEPT SourceSleuth
02. ? Updated ADOdb and LightOpenID Library
01. ! Fix Memory Leak in SourceSleuth Plugin
02. ? Optimized and updated IpToCountry.csv
01. ! Downgrade plugin to 1.5.3
02. + Add ULX Module for GMOD (Not Maintained by Me)
01. ! Fix XSS Vulnerability in SourceComms Page
01. ! Fix Ban/Comm Reason Issue in Plugin
02. ? CC-BY-NC-SA-3.0
01. * Added Steam3 ID to Ban and Comm list
02. * Added PHP7 Support
03. + Updated Comms page with better CSS
04. + Small misc theme fixes
05. + Small plugin fixes/optimizations
06. ! Fixed config.php bug with APIKey and URL
07. ! Fix MariaDB Empty Ban List
08. ? Optimized and updated IpToCountry.csv
01. * Added Steam API Key to Installer for Future Use
02. * Added Steam OpenID Login Support
03. * Added Updater Support
04. * Added Own Admin Config System (No More admins.cfg)
05. + Updated Smarty Library to 2.6.29
06. + Updated Plugins to use partial SourceMod 1.7 Syntax/API
07. + Changed Webpanel Background Color
08. ! Fixed Email Injection Bug on Webpanel
09. ! Fixed admin-flatfile issue in TF2 with New Config System
10. ! Fixed RCON on webpanel skipping NULL characters (RCON XML error)
11. ! Fixed importing banned_user.cfg with Steam3 [U:1:X]
12. ! Fixed BoxToMask Issue #52 in SourceBans.js
13. ! Fix HHVM issues with ADOdb
14. ? Optimized and updated IpToCountry.csv
01. * Changed licence to GNU AGPL v3
02. * Replaced GetClientAuthString with GetClientAuthId for SourceMod 1.7
03. * Added IP Banning with SourceSleuth
04. + Updated ADOdb Library to 5.19
05. + Updated TinyMCE Library to 3.5.11
06. - SourceMod 1.6.x and below are not supported
07. - Removed FamilySharing Ban Evasion Detection
08. - MariaDB does not work anymore (Never was supported anyway)
09. ! Fixed Ban List lagging on MySQL 5.6+
10. ! Fixed Plugin Showing DataPack error
11. ! Fixed KickId in Webpanel not working when trying to use Steam3
12. ? Optimized and updated IpToCountry.csv
01. * Changed licence to GNU GPL v3
02. * Added SourceBans Connection Debugger
03. * Added SourceComms Search Box
04. + Re-made SourceBans Logo in Footer
05. ! Fixed getdemo.php spewing errors
06. ! Fixed Invalid Query in SB Plugin
07. ! Fixed parsing rcon status in CS:GO
08. ? Added/Fixed Copyright Headers
09. ? Updated SteamWorks Ext to git90
10. ? Optimized and updated IpToCountry.csv
01. * Integrated SourceComms
02. * Added TF2 Modern Theme as Default (Made by IceMan)
03. * Integrated SourceBans Checker
04. * Re-made SourceBans FAQ
05. * Added MvM and HL2 Map Pics
06. * Added Synergy to the Game List
07. + Re-arranged/Renamed Tabs
08. + Added More Robust LFI Patch
09. ! Fixed Plugin Pointing to wrong FAQ link
10. ? Optimized and updated IpToCountry.csv
01. ! Fixed LFI EXPLOIT //Thanks jsifuentes
02. ? Optimized and updated IpToCountry.csv
01. * Added Steam3 Support for Player Menu
02. * Added IP Ban checking from SourceSleuth
03. ! Fixed Steam Family Sharing Ban Evasion.
04. ? Added SteamWorks Extension
05. ? Optimized and updated IpToCountry.csv