Some of the changes in XF 2.3.10 include:
Ensure "View Older Results" link appears on last page of search results
Ensure "No such recipient" bounce responses are classified as hard bounces
Ensure "Account Closed" bounce responses are classified as hard bounces
Ensure "Recipient not found" bounce responses are classified as hard bounces
Ensure "mailbox is disabled" bounce responses are classified as hard bounces
Ensure "not configured to receive" bounce responses are classified as hard bounces
Prevent inet_pton() ValueError when IP address contains null bytes
Use original Email object for error logging after DKIM signing to prevent undefined method error
Skip array values during custom field multiselect validation to prevent Array to string conversion warning
Normalize discouragement delay min/max values to prevent mt_rand() ValueError
Suppress dns_get_record() warning during DKIM verification to prevent job crash on DNS failure
Prevent alerts from being sent to banned users
Correct OAuth2 token revocation to properly invalidate both access and refresh tokens
Respect direction parameter for multi-column sort ordering in Finder
Re-enable passkey button when WebAuthn registration or authentication is aborted
Add missing bookmark_id index to xf_bookmark_label_use table
Prevent accumulating whitespace in GenerateFinders CLI command on repeated runs
Avoid exception-based flow control in getFinder for entity class resolution
Set explicit working directory for sub-processes to prevent failure when CWD is inaccessible
Prevent type error when custom field type changes with preserved values
Include purchasable ID in Stripe product and plan ID generation
does not round-trip after editing a post Implement ContainableInterface and DatableInterface on various child content entities Create template when generating a route with xf-make:route As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area. Current requirements Please note that XenForo 2.3 has higher system requirements than earlier versions. The following are minimum requirements: PHP 7.2 or newer (PHP 8.3 recommended) MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.) All of the official add-ons require XenForo 2.3. Enhanced Search requires at least Elasticsearch 7.2.
XenForo 2.2.19 has also been released. Please refer to the release notes above.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.
Note: If you decide to patch the files instead of doing full upgrades, your "File health check" will report these files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
- Download 2219-patch.zip
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
Some users may struggle to apply the patch on pre-2.3.8 installs. If you are patching 2.3.7 or earlier you may try this patch.
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.
Some of the changes in XF 2.3.8 include:
- Fix an issue where EXIF orientation would be set when already adjusted client-side
- Fix some issues with entity type hinting
- Allow underscore word boundaries in read-only method names
- Fix empty user authorized applications list container
- Ensure language state is always restored in between generating activity summary emails
- Fix filter JS query parameter concatenation
- Allow passkey creation on local hosts
- Fix cleanUpInvalidRecords type hint
- Always coerce parse_less_color template function to hex for non-variable values
- Fix duplicate result-set hydration queries
- Return an error early when search keyword lengths are too long
- Use strict type checks when processing search input
- Only search and display posts on the profile postings tab
- Use post content filter and thread type sub-filter for member thread search
- Avoid converting SVGs to rasterised images
- Skip void method return in XF\Cli\Command\AbstractCommand::initialize
- Ensure invalid page numbers are handled correctly when viewing the watched threads list
- Add handling for null status message values when resuming jobs
- Ensure passkeys are deleted when the associated user is deleted
- Fix missing support for some webhook actions
- Add missing defaultname to xf:avatar and xf:username tags in the report_view template
- Support HTML for the summary_of_what_you_missed_recently phrase in the activity_summary email template
- Fix DKIM signing preventing List-Unsubscribe headers from being added to emails
- Require re-authentication before allowing passkey additions or modifications
- Support rebuilding unfurls when rebuilding metadata for supported content types
- Fix not being able to setup TOTP on Firefox via QR code if privacy.resistFingerprinting is enabled
- Add missing template annotation to EmbedResolver/AbstractHandler
- Update docblock hint on \XF\Repository\UserAlertRepository::fastDeleteAlertsForContent to include array of ints
- Improve add-on manager performance when coercing add-on IDs with a significant number installed
- When checking the replication status of a read server, make sure the query is properly sent to the read connection
- Support the "listitemclass" attribute when rendering checkboxes
- Try to preserve post ordering when there's an unexpected time sync issue
- Include a cache buster on direct attachment URLs
- Fix issue preventing "Handle report" button on an assigned report not revealing the save button
- Skip deleting style variation preference cookie on logout
- Throw an error if trying to rebuild search index with an invalid type
- Cache user online counts in the same request to reduce query usage
- Ensure _cascadeSave is cleared out when Entity::_saveCleanUp is called
- Guard against Request::getIp not returning a valid IP in some cases.
- Do not resolve attachment cover images for guests with no attachment permissions
- Pass criteria object to criteria_template_data event listeners
- Skip non-existent attachments when deleting from the control panel
- Set up search entity after searches have been executed
- Add JSDoc to XF.createElement
- Fix some issues with the quote plugin
- Correct some lingering links to twitter.com
- Hide additional contact heading from control panel user edit page when there are no contact user fields
- Remove pattern attribute from number inputs
- Fix DKIM signing in XF 2.3
- Fix missing trailing slash when linking to cookies explainer from privacy policy
- Workaround issue where Sign in with Apple might not return an email (#1199)
- Validate signature counter when using a passkey (#1198)
- Throw a clearer error when the current host and board URL do not match when creating or authenticating with passkeys (#1200)
- Log users in to the public forum when authenticating with passkeys via the admin panel (#1201)
- Inhibit sending push notifications to permanently removed Chrome subscriptions
- Ensure failed passkey logins count towards failed login attempts limit (#1207)
- Process Gmail inactive inbox bounce messages as a hard bounce (#1208)
- Make it easier to override PayPalRest plan parameters (#1209)
- Set tfa_trust cookie when logging in with a passkey (#1210)
- Create Finder directory if one does not exist when generating finder classes (#1211)
- Update PHPDoc for asVisitor function to better infer return types
- Reduce notification enqueuing delay when submitting posts
- Refactor delete clean up process to ensure rename and delete happens in one process
- Skip caching local URLs when using the image proxy
- Workaround potential race condition when saving bookmark labels
- Support using passkeys in place of password confirmations
- Support passing extra spam check data in the user registration service
- Add base webhook criteria classes
- Support accessing notification data in Notifier classes
- Add additional array functions to the templater
- Strip HTML tags when using the description as a title for an import from an RSS feed (#1214)
- Move XF\BbCodeRenderer\Html::getValidUrl functionality to a utility function (#1215)
- Throw an error if attempting to run an import step that does not exist (#1216)
- Include random string with DKIM selector (#1217)
- Check for case-mismatches when creating add-ons (#1218)
- Fix TypeError when non-array JSON input is submitted (#1223)
- Don't block image upload if EXIF processing fails (#1224)
- Fix issue where XF.phrase function was not able to handle repeated replacements
- Fix display of signatures set to falsey values
- Fix pagination scrolling behaviour for reactions received page
- Fix quick reply scroll-to-post behaviour
- Fix inverted logic in canResize method check
- Made add-on archive validator more robust by eliminating double extraction and adding proper JSON validation
- Finder::getCollectionFromResults doesn't check hydrateFromGrouped's return result is not null
- Ensure option values are cast to their proper data types when retrieved
- Incorrect operator precedence in template expressions
- Release builder fails with symlinked add-on directories
- Email bounce parser now handles multi-digit status codes (#1240)
- API routes generate invalid development output
- Improve delivery efficiency of CSS when using a cache
- Avoid unnecessary write of original avatar when only crop changes
- Reserve some memory for error reporting
- Pull protocol and host from board URL in CLI contexts
- Add support for AbstractCollection when using the Templater's array_* functions (#2182)
- Refactor lightbox sidebar toggle handling and ensure proper initialization
The following public templates have had changes:
- _help_page_privacy_policy
- account_reactions
- account_visitor_menu
- attachment_macros
- bb_code_tag_attach
- core.less
- core_action_bar.less
- embed_resolver_thread
- helper_attach_upload
- lightbox.less
- login_password_confirm
- member_about
- member_macros
- member_recent_content
- member_tooltip.less
- message.less
- message_macros
- news_feed_attached_images
- passkeys_macros
- report_view
- setup.less
- share_page_macros
- tag_macros
- tag_search
- two_step_totp
Some of the changes in XF 2.3.7 include:
- Escape select input option labels
- Improve supported EXIF data when client-side image resizing is enabled
- Allow fetching forum prefixes even without node permissions
- Normalize entity manager repository cache keys
- Fix IPv6 binary to string expansion
- Fix appearance of member tooltip on recent Safari versions
- Use text structured data field for DiscussionForumPosting content
- Require confirmation for linking connected accounts
- Suppress logging of normal connected account exceptions
- Clear site cache data when logging out
- Move XF.SolutionEditClick into action.js to resolve dependency issues
- Fix carousel margin on RTL languages
- Expand global email template parameters
- Adjust wording of account approval phrases
- Improve typing of repository find methods
- Fix issue with missing verbosity when casting collections to webhook results.
- Avoid logging errors when IndexNow is having intermittent issues
- Delete related user alerts when a trophy is deleted
- Add support for viewing and revoking a user's authorised applications from the admin panel
- Handle nulls and empty-evaluated strings properly
- Detect Google Inspection Tool crawler
- No longer create user fields by default during install.
- Fix manual video thumbnail generation on iOS
- Remove legacy Imagick GIF optimization technique
- Display search suggestions properly when results contain guest content
- Fix lift ban link on ban edit page
- Render all activity summary display values in the user language
- Set default Accept-Language header in outgoing HTTP requests
- Allow overriding avatar usernames when a user is specified
- Fix generated entity type hints for JSON columns
XenForo 2.3.7 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
In addition to the usual fixes and improvements, XenForo 2.3.7 also includes a critical security fix to ensure the security of Passkeys that have been added to your account. We'd very much like to thank Jai Niresh J for reporting this issue via Eric and team at Hypixel Inc.. Between them they also reported a less severe issue related to local account page caching on shared systems.
This version also tightens up the kinds of methods that can be called from within templates, evolving from a loose "prefix" match to a stricter "first word" match of methods that can be called through callbacks and variable method calls. This fix is courtesy of Cyanide who we extend huge thanks to in taking the time to report this to us.
We'd also like to take this opportunity to notify all third party developers that writing database queries inside templates is not recommended. While this is still allowed in XenForo 2.3.7, the behaviour is now considered deprecated and will be prevented in XenForo 2.3.8. Code which currently triggers this will insert an error into the Server error log and must be fixed prior to the release of XenForo 2.3.8. Where possible, data must be queried and processed and passed into the template rather than being written inside the template itself.
Finally, we'd like to thank @TickTackk for reporting a path disclosure issue in exceptions thrown due to open_basedir restrictions.
If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.
Note: If you decide to patch the files instead of doing full upgrades, your "File health check" will report these files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
- Download 237-patch.zip
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area or upgrade from your Admin control panel (Tools > Check for upgrades...).
Some of the changes in XF 2.3.6 include:
- Fix upgrades from XF 1 not having the correct xf_job table schema changes applied
- Fix an issue with updating multiple variation menu icons
- Fix some issues with HCaptcha
- Fix cookie third-party for X media site
- Remove bluesky_logo from template function list
- Attempt to sync PayPal REST API with current product name.
- Fix an issue with Less_Tree_Dimension
XenForo 2.3.5 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
In addition to the usual bug fixes, XenForo 2.3.5 includes a critical security fix for any customers making use of OAuth2 where client applications may be able to request unauthorized scopes. This will affect any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5.
Directly from your admin control panel
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.
Some of the changes in XF 2.3.5 include:
- Fix unassociated attachment limit checks
- Clamp client-side color contrast evaluations
- Appropriately load tweets after page load.
- Update Twitter connected account references to X.
- Fix X (formerly Twitter) connected account
- Ensure xf_oauth_client and xf_oauth_request have primary keys.
- Allow a Passkey credential_id to occupy up to 1024 characters.
- Make code editor search highlighting similar to editor selection color.
- Remove unused jQuery snippet.
- Fix reactions tabs for direct message replies.
- Support multiple variation menus when updating variations
- Fix number box handling when step value is any
- Fix a server error when no custom error phrase is specified for an error response
- Improve type hinting of schema manager closures
- Properly reset write-pending status when calling Entity::saveIfChanged
- Fix server error when log search results return a record for a deleted user
- Properly represent field and prefix user group IDs as a list of unique sorted integers
- Support lazy-loading variation pictures
- Suppress PhpStorm warnings in class extension hint files
- Fix unstable sort order for class extension output
- Fix potentially undefined array key when determining an entity cover image
- Properly validate OAuth client redirect URIs
- Pass import command interactive state to import-finalize command
- Improve BBCode HTML rendering PHP 8.3 compatibility
- Do not escape HTML when rendering custom field titles in the control panel
- Allow saving cookie preferences when board is inactive
- Fix duplicate moderated icon in article preview thread titles
- Allow fetching all server globals using \XF\Http\Request::getServerInfo
- Fix incorrect phrase in user change log handler
- Fix handling of null auto-complete results
- Do not scroll to last viewed image when closing the lightbox
- Fix error 'TemplateFinder::searchTitle() accepts 1 parameters but 2 are passed'
- Fix server error getting conversations by ID via API.
- Fix incorrect route format for the OAuth2 account/applications route
- Fix issue where code challenges for public OAuth2 clients could not be verified
The following public templates have had changes:
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
- code_editor.less
- connected_account_associated_x
- connected_account_macros
- core_button.less
- editor_insert_gif
- helper_js_global
- login
- passkeys_macros
- post_article_macros
- share_page_macros
- style_variation_macros
As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.
Please note that XenForo 2.3 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
Today, we are releasing XenForo 2.2.17 to address a potential security vulnerability. We recommend that all customers running XenForo 2.2 upgrade to 2.2.17 or use the patch instructions below as soon as possible.
Notes:
a. XenForo 2.3.1 and above is not affected by this issue. If you are still running XenForo 2.3.0 you should upgrade to the latest release or apply the patch below.
b. The few XenForo Cloud customers still running XenForo 2.2 have been patched automatically.
XenForo 2.3.4 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
Some of the changes in XF 2.3.4 include:
The following public templates have had changes:
- Include embed.php in hashes.json
- Fix error thrown when feed entry is missing an ID
- Use AbstractCollection for type hint on addContentToBookmarks method
- Fix deprecated usage of str_replace with API scopes
- Improve PHP 8.4 compatibility
- Output hsla in the color picker when an alpha channel is present
- Ensure URLs are valid when analyzing image usage
- Coerce nestable group to a number before peforming strict comparison
- Gracefully handle guest username and style variation containing invalid UTF-8
- Attempt to work-around abysmal Firefox form field retention heuristics
- Gracefully handle when an avatar cannot be processed
- Allow changing style variation when the previously selected style is forced to the default style
- Increase date input width further to accomodate Firefox icon clipping
- Fix editor autofocus behavior when in BBCode mode
- Add a note about some permissions not being applicable to guests
- Fix triggering Facebook embeds for document
- Fix calculation of local load time from navigation timing API
- Fix behavior of preview buttons
- Consider read-only number-box inputs as disabled
- Make required and recommended function checks more robust
- Allow null unique ID when enqueuing a job later
- Make report creation notifications easier to extend
- Attempt to work around aggressive Firefox auto-complete heuristics when editing a user
- Fix broken JS handlers when loading comments via AJAX
- Fix an issue with editing newly translated phrases
- Split ExifReader library out of attachment manager bundle
- Attempt to work around aggressive Firefox auto-complete heuristics on control panel index
- Fix number input buttons when step is set to any
- Fix some icon usage analysis issues when editing and deleting editor drop-downs and BBCodes
- Only record icon usage for active BBCodes and editor dropdowns
- Omit itemid microdata attribute when there is no valid user
- Ensure all control panel functionality is covered by permissions
- Handle invalid multiquote input more gracefully
- Attempt to avoid featured content carousel pager text overlap
- Only try to remove double quotes from URL strings once
- Set default color picker color to white instead of transparent
- Fix some issues with the JS icon renderer and BBCode previews
- Handle invalid session IDs more gracefully
- Do not mark unhidden usernames as aria-hidden
- Fix direction of back arrow on RTL languages
- Improve text node handling in XF.setupHtmlInsert
- Ignore Thumbs.db in style archive validator
- Fix structured list icon end cell padding
- Fix an issue with deferred resize event listener after autofocus
- Skip any file duplicates when importing banned emails
- Mark multiple consecutive asterisks as an invalid term word on MySQL full-text searches
- Make the default table collation configurable
- Fix calculation of report closure notifiable users
- Ensure PayPal products are created with a unique ID.
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
- PAGE_CONTAINER
- approval_queue_macros
- carousel.less
- core_input.less
- fancybox.less
- helper_attach_upload
- lightbox.less
- message_macros
- profile_post_macros
- structured_list.less