XenForo 2.3.4 Released
XenForo 2.3.4 is now available.
Some of the changes in XF 2.3.4 include:
- Include embed.php in hashes.json
- Fix error thrown when feed entry is missing an ID
- Use AbstractCollection for type hint on addContentToBookmarks method
- Fix deprecated usage of str_replace with API scopes
- Improve PHP 8.4 compatibility
- Output hsla in the color picker when an alpha channel is present
- Ensure URLs are valid when analyzing image usage
- Coerce nestable group to a number before performing strict comparison
- Gracefully handle guest username and style variation containing invalid UTF-8
- Attempt to work around abysmal Firefox form field retention heuristics
- Gracefully handle when an avatar cannot be processed
- Allow changing style variation when the previously selected style is forced to the default style
- Increase date input width further to accommodate Firefox icon clipping
- Fix editor autofocus behavior when in BBCode mode
- Add a note about some permissions not being applicable to guests
- Fix triggering Facebook embeds for document
- Fix calculation of local load time from navigation timing API
- Fix behavior of preview buttons
- Consider read-only number-box inputs as disabled
- Make required and recommended function checks more robust
- Allow null unique ID when enqueuing a job later
- Make report creation notifications easier to extend
- Attempt to work around aggressive Firefox auto-complete heuristics when editing a user
- Fix broken JS handlers when loading comments via AJAX
- Fix an issue with editing newly translated phrases
- Split ExifReader library out of attachment manager bundle
- Attempt to work around aggressive Firefox auto-complete heuristics on control panel index
- Fix number input buttons when step is set to any
- Fix some icon usage analysis issues when editing and deleting editor drop-downs and BBCodes
- Only record icon usage for active BBCodes and editor dropdowns
- Omit itemid microdata attribute when there is no valid user
- Ensure all control panel functionality is covered by permissions
- Handle invalid multiquote input more gracefully
- Attempt to avoid featured content carousel pager text overlap
- Only try to remove double quotes from URL strings once
- Set default color picker color to white instead of transparent
- Fix some issues with the JS icon renderer and BBCode previews
- Handle invalid session IDs more gracefully
- Do not mark unhidden usernames as aria-hidden
- Fix direction of back arrow on RTL languages
- Improve text node handling in XF.setupHtmlInsert
- Ignore Thumbs.db in style archive validator
- Fix structured list icon end cell padding
- Fix an issue with deferred resize event listener after autofocus
- Skip any file duplicates when importing banned emails
- Mark multiple consecutive asterisks as an invalid term word on MySQL full-text searches
- Make the default table collation configurable
- Fix calculation of report closure notifiable users
- Ensure PayPal products are created with a unique ID.
XenForo 2.3.3 Released
Some of the changes in XF 2.3.3 include:
- Fix select-to-quote handler error on soft-deleted threads
- Ignore port if Redis host appears to be a file path
- Fix a few cases where hashes were concatenated instead of passed to router
- Fix flickering issue with JS icon renderer
- Fix expandable content transition class callback
- Use correct finder when looking up Stripe subscriber IDs
- Do not attempt to set RSS feed language if no language code is set
- Check if job table exists before attempting to sync structure
- Fix issues serializing nestable elements which contain unrelated lists
- Adjust some automatic alert read-marking behaviors
- Adjust offset of focus-visible tab outline
- Re-enable caching for tag edit overlay
- Fix error handling for fetching/creating PayPal products and plans
- Fix determining locale from language code for string manipulation
- Ensure points phrase is used in trending weights.
- Optimize string transliteration performance
- Override some missing phrases for token inputs.
- Reduce trending content widget queries
- Fix embedding Imgur galleries and applying JS states
- Romanize heading anchors
- Do not force romanization for category anchors
- Fix merging reactions with multiple source reactions from deleted users
- Do not cache report overlays
- Fix Tagify filtering out non-exact matches unexpectedly
- Set 1:1 aspect-ratio on connected account provider icons
- Use the editorButtonSelectedBg property for active editor button backgrounds
- Fix DM icon clipping on desktop Safari
- Fix phrase method casing in icon option handler
- Perform client-side image optimization even when no maximum image width/height is set
- Fix checking if Rocket Loader is disabled in the middle of an upgrade
- Throw an error when attempting to recursively load config file
- Fix string style property variations support for properties without assets enabled
- Prevent double logging of moderator changes for threads when editing first post
- Adjust width of inline time inputs
- Check private use TLDs when determining if a host is local
- Fix some issues with appending filter rows
- Use XF.setupHtmlInsert for filter AJAX responses
- Allow passing HTMLElement objects to alerts
- Fix support for alternative icon variants in custom BB codes
- Fix fetching default avatar when templater style is not set
- Address some phrases which reference conversations
- Handle unexpected values in cookie consent cookie
XenForo 2.3.2 Released
XenForo 2.3.2 is now available for all. We strongly recommend that all users running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
Some of the changes in XF 2.3.2 include:
- Make PCRE character class check more robust.
- Do not attempt to redefine UTF-8 string shim functions if they already exist
- Rename search forum node type handler as expected
- Fix utf8_isASCII return type
- Fix an issue where the batch size for search rebuilds could grow unbounded
- Strip BBCode from trending content article displays
- Fix a regression with PWA orientation/screen rotation
- Set recommended PHP version dynamically
- Fix profile post position tracking
- Use absolute URLs in approval item emails
- Fix behavior of API keys with all scopes allowed
- Fix thread context support for featured and trending widgets
- Apply inline style to document.head correctly
- Fix type error for file clean counts.
- Attempt to have Cloudflare Rocket Loader automatically ignore scripts
- Don't try to ping IndexNow if no API key is set
- Gate search engine indexing settings for threads behind their own permission
- Fix error on shared IPs list when matching user has been deleted
- Allow the variation menu to open above fixed notices
- Fix saving permissions from the edit user page
- Fix passing \DateTime objects into \XF\Language::getDateTimeParts
- Use XF custom events for overlay and transition events
- Hydrate user relations when setting up base user
- Redirect to the first active option group when viewing an option
- Fix behavior of search short-name conversion
- Handle older SMTP option values more gracefully
- Fix responsive sidebar margins
- If a user can see the thread created by a report, respect their auto watch preference
- Mark threads as nofollow if they are non-indexable
- Support WebP images when uploading images for featured content
- Address several issues with XF.ajax
- Address even more one-click upgrade issues when caching is enabled
- Fix attachment list filter bar dates being displayed in wrong timezone
- Fix using hotkeys to submit a message in the plain text editor
- Fix event handling on auto-complete autosubmission
- Fix importing webp smilies
- Fix implicit join behavior of finder order clauses
- Fix addon_get_install_data code event description
- Only process the color scheme mixin when variations are enabled
- Position BBCode quote expansion link at bottom of quote
- Fix some issues when toggling variations when an active variation is selected
- Pass handler in params when rendering thread edit extra data templates
- Include type data definitions when rendering thread edit extra data templates
The following public templates have had changes:
- PAGE_CONTAINER
- app_body.less
- bb_code.less
- embed_view
- featured_content_edit
- helper_js_global
- helper_thread_options
- page_view
- payment_initiate_twocheckout
- profile_post_macros
- service_worker_offline
- setup.less
- style_variation_macros
- thread_list_macros
- trending_content_item_thread
- two_step_totp
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
It's time to party like it's 2022 2023 2024! Today we are very pleased (and relieved) to announce the stable release of XenForo 2.3.0 and our official add-ons. It has been a long time coming so we thank you for your patience and support.
There are a myriad of new features and improvements. Here's a brief overview of our favourites:
- Style variants with Dark mode
- Improved performance
- Featured content
- Image optimization
- Automation with webhooks
- SSO with OAuth2
- Passwordless logins with passkeys
- Trending content
This is not an exhaustive list of what's new in 2.3, and you can read more about the above and other new changes/improvements features in the Have you seen...? forum.
XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery 2.1.9, 2.2.6 Released (Includes Security Fixes)
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16. If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no...
Hot on the heels of yesterday's XF 2.2.14 release and subsequent patches, we are today making XenForo 2.2.15 available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability, particularly if you already upgraded to XenForo 2.2.14.
As of this point, XenForo 2.2.14 and its patches are no longer available for download. We are still planning a final XF 2.2 release at some point around the release of XenForo 2.3!
Some of the changes in XF 2.2.15 include:
- Avoid setting duplicate List-Unsubscribe headers.
- Include first post QA schema items unconditionally.
- Make outdated PHP version notice in admin control panel clearer.
- Retain the original unsubscribeEmailAddress option for backwards compatibility.
- New unsubscribeEmailHandling option to replace the new unsubscribeEmail option and conclusively fix issues arising from yesterday's XF 2.2.14 release.
- Fix URL unfurls no longer unfurling.
XenForo 2.2.14 Released
XenForo 2.2.14 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability. In addition to the usual slew of bug fixes and improvements, there are a few...
XenForo 2.2.14 Patch 2 Released
Sincere apologies. A further issue has been identified in which initial upgrades to 2.2.14 may have set the default 'http' option for the unsubscribe option incorrectly.
The latest patch will work around this issue if you are affected.
Alternatively, going to Options > Email options in your admin control panel and setting the "Unsubscribe email handling" option as desired will fix the issue without needing to upgrade.
This is being rolled out to existing Cloud customers automatically if affected.
XenForo 2.2.13 Released
XenForo 2.2.13 is now available for all. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
In addition to the fixes listed below, we have a few other aces up our sleeves this time around.
Full iOS PWA compatibility with push notification support
iOS 16.4 finally introduced push notifications for iOS devices. To facilitate this, your members need to install your site as a PWA (by utilising the Add to Home Screen feature in Safari). XenForo 2.2.13 now satisfies all of the prerequisites for this to support push notifications which can be enabled by your members once they log in through the PWA and enable push notifications in their Preferences.
The PWA (progressive web app) has now been enhanced with additional gesture based or UI controls, including pull down to refresh and a floating back button.
Structured data metadata improvements
With many thanks to Ryan Levering from Google we have made a number of improvements to structured data metadata. Structured data enriches the pages we output with additional information which enables Google and other search engines to better understand the structure of the information that is rendered. This helps Google provide rich search results and helps provide additional context to users who may find your content during their Google searches.
Support for OAuth authentication for Microsoft 365 business email accounts
Microsoft has deprecated the ability to send emails over SMTP using traditional username/password authentication. This is similar to what Google did a while ago. In light of this we have now added an additional option when setting up either your email transport or automated mail handlers (automated unsubscribe/bounce handling) which will enable you to authenticate with OAuth.
Note: The set up for this is fairly complex, requiring you to set up an Azure Active Directory application within the Azure developer portal. There is a link to the documentation when setting this up.
One-click upgrade to XenForo 2.2.13
Directly from your admin control panel
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.
Some of the changes in XF 2.2.13 include:
- Adjust several cookie third party identifiers
- Fix simple cookie notice flash for guests
- Update thread creation latest activity items when merging threads
- Add null checks when we're inspecting the result of the getPhraseGroup method of the Phrase entity.
- Add context to node permission list with node type icons.
- Don't attempt to access getCookieThirdParties on payment providers which may no longer exist.
- Update enable push option to reflect better browser support.
- Check search permissions when displaying the 'Your content' link in the visitor menu
- Restore "notes" phrase that was inadvertently deleted in the previous release
- Avoid leaking the email address linked to an account that is using email two-step verification
- Don't show the view more link on a member's recent content page for users who have no permissions to search
- Ensure wrapper display HTML value has whitespace trimmed
- Properly set custom titles when batch updating users
- When adding/editing nodes, the description for the URL portion field now refers to nodes rather than forums
- Fix a typo in the cookie_consent.cookie_description_dbWriteForced phrase
- Replace MaxCDN with jsDelivr as the CDN for Twemojis
- Ensure emojis are properly displayed in the chosen style
- More consistently set content key across different content types
- Fix error thrown when xf_consent cookie has an invalid value
- Escape backslashes when escaping SQL like clauses
- Do not prepare member stat results prior to caching
- Fix some entity collection return type hints
- Clamp input filterer float values
- Attempt to prevent browsers from autofilling credentials in the find member widget
- Rebuild permissions in batches to limit memory usage
- Display an error when an invalid URL is used to test URL unfurling
- Display content vote scores in LTR orientation
- Make stream closing attempts more robust when working with abstract files
- Fix type hint in Oembed subcontainer
- Gracefully handle Redis mget failures
- Only display flash message once when tags are edited
- Fix max length attribute of custom warning title input
- Perform validation on email address options
- Allow restricting forum RSS results by prefix IDs
- Do not attempt to decrement alert counters when a new alert is inserted
- Fix behavior of falsy code event listener hints
- Perform validation on error reply values
- Always include search query arguments when building search links
- Retain previous selection when changing poll votes
- Improve notice controller/action criteria validation
- Include support for embedding YouTube Live URLs
- Check thread visibility before redirecting for invalid post links
- Improve user IP lookup query performance
- Make user entity timezone verification more robust
- Remove dead code from vBulletin 5 authentication handler
- currencyFormat was changed to allow figures with no decimals to show without decimal places, but to show the decimals if any were present. In doing so, we managed to kill the ability to specify the number of decimals. Oopsie. So now you can do that again, and you can also now specify -1 precision in order to prevent number_format from limiting or artificially extending the decimal places at all.
- Update the intl-tl-input JS library
- Fix CSS border radius shifting for RTL styling
- Increase entropy of temporary directory name generation to reduce the likelihood of race conditions
- Improve performance of \XF\Extension::resolveExtendedClassToRoot using an inverse lookup table
- Correctly replace urlencoded CSRF token values before returning cached pages to fix an issue with Advanced cookie management.
- Ensure that unsubscribing from emails also unsubscribes the user from activity summary emails
- Support embedding YouTube videos from youtube-nocookie.com
- Fix incorrect type hints in prefix and prompt group entities
The following public templates have had changes:
- PAGE_CONTAINER
- account_confirm_resend
- account_connected_associate
- account_details
- account_email
- account_request_password
- account_two_step_authy_config
- account_visitor_menu
- app_body.less
- app_content_vote.less
- approval_item_user
- approval_queue_macros
- connected_account_macros
- contact_form
- content_vote_macros
- core.less
- core_button.less
- core_list.less
- custom_fields_macros
- editor_base.less
- email_stop_confirm
- google_analytics
- helper_js_global
- lost_password_confirm
- member_about
- member_recent_content
- member_view
- member_warn
- message_macros
- notice_confirm_email
- notice_email_bounce
- poll_macros
- post_macros
- post_question_macros
- register_confirm
- register_connected_account
- security_lock_resend
- security_lock_reset
- spam_cleaner
- tag_macros
- tel_box.less
- two_step_email
- widget_find_member
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.
Current requirements
Please note that XenForo 2.2 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.0 or newer (PHP 8.0 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.2.
- Enhanced Search requires at least Elasticsearch 2.0.
XenForo 2.2.12 Released
XenForo 2.2.12 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
We're pleased to announce the introduction of two new features available in XenForo 2.2.12.
New CAPTCHA provider: Cloudflare Turnstile
In September, Cloudflare Turnstile was announced. You may have noticed that we quickly implemented this into the software and it has been running here now for a little while.
While on the surface this may seem like "just another CAPTCHA" option, we feel that Cloudflare has gotten a lot of things right in its approach to this product that are missing from many other providers including HCaptcha and Google reCAPTCHA. It's a much better experience for your users, respects your users' privacy and with XF 2.2.12 also provides more granular logging in the Cloudflare dashboard so you can see analytics about where in the software a CAPTCHA is being used.
We encourage you to read more about Cloudflare Turnstile on their blog and consider signing your site up, for free, right here or if you are an existing Cloudflare user, get started in your Cloudflare dashboard.
Advanced cookie consent system
Starting with XF 2.2.12 you will be able to enable a new "Advanced" cookie consent system. This enables your users to have much more granular control over the specific cookies that are set, the purpose of each cookie and prevents certain cookies from being set at all until explicit consent is given.
As ever, this system is also extendable by add-on developers so that cookies set by an add-on can be appropriately categorised and also require consent before certain functionality is available.
This is not enabled by default and should currently be considered a Beta feature. If you wish to enable it, you can do so by searching for the cookieConsent option in your Admin control panel and setting the option to "Advanced". If you have feedback or further suggestions, please post a new thread in the XenForo suggestions forum, or if you notice any issues, please post a new thread in the Bug reports forum.
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically. For self-hosted customers, read on...
Some of the changes in XF 2.2.12 include:
- Always default to an empty array when IPv6 lookup fails
- Fix a server error when guests tried to access non-existent search results
- Include some missing entries in the hashes file
- Suppress warnings when converting invalid IP addresses on older versions of PHP
- Implement suggested password normalization for PhpBb3 authentication
- Check for "Manage add-ons" permission when viewing or triggering a file health check
- Fix not being able to follow users in an email bounced user state
- Fix custom user titles set to falsy values not being displayed
- Add missing pagination when searching for a user's reported content
- Only sign emails if DKIM setup has been verified
- Properly account for falsy values in wholeWordTrim and snippetString functions
- Fix PHP 8.1 compatibility issue when performing a search with no keywords
- Update Swiftmailer to v6.3.0 for PHP 8.1 support
- Make adjustments to Facebook media site to support new pfbid IDs
- Add support for detecting utf8mb3 and treating it the same as utf8 thus ensuring unicode mismatch detection and table conversion to utf8mb4 is working correctly.
- Add missing CSS to the comment macro in the profile_post_macros template
- When trying to unapprove a deleted thread, undelete it and put it in the approval queue
- Prevent configuration of two-factor authentication when it is disabled via the config.php switch
- Fix outdated link in the you_can_preview_icons_and_their_names_here phrase
- Fix typo in legacy Instagram embed template
- Re-implement Instagram embeds without a reliance on the oEmbed endpoints and support reel links.
- Adjust template Parser to allow for more precise parentheses placement in some previously ambiguous usages.
- If guest content is awaiting approval, show the username the content was submitted under
- Fix PHP 8.1 compatibility issue when rebuilding a thread's first post information
- Remove extraneous line breaks from the news feed option description
- If a user is also a moderator, update the URL on their admin profile page to only show forums they moderate
- Exclude nodes where a user can't view thread content from search queries
- When importing from an RSS feed and posting as a particular user, respect their auto-watch preferences
- Add support for 3GP encoded videos
- Fix $fromEmail variable not being set correctly when sending emails
- Fix accidentally exposing thread content to guests without the "View threads by others" permission when the thread starter's account has been deleted
- Ensure error logging isn't silently skipped if stacktrace arguments contain invalid utf-8.
- Adjust CSS for Spotify media embed.
- Adjust Select2 and native auto-completer to accept tab key as selecting a result.
- Support node_name / URL portion for categories (relevant if categoryOwnPage option enabled)
- Remove reference to non-existent reaction_text column
- Fix typo in mail template rendering exception message
- Fix connected account providers not appearing on the login form in some cases
- More accurate way of parsing byte values from PHP config values.
- Ensure only valid users are able to change their username.
- Better support cross platform directory separator trimming in ComposerAutoload
- Mark XF\Payment\CallbackState as allowing dynamic properties.
- Include PHP 8.2 compatibility fixes in non-vendor classes and utf8.php
- Fix Vimeo embed start timestamp behavior
- Use late static binding in utility classes to make them easier to extend
- Ensure job max run-time checks occur at end of loops
- Dynamically build link to front-end in the control panel
- Include content IDs in extra data when performing spam checks
- Improve the extensibility of spam trigger log request data
- Add validation to widget display conditions
- Fix validation for negative whole number custom fields
- Adjust title attributes on bookmark links and buttons
- Adjust line height of inline mod go button to match select height
- In Text::copy return a Text element rather than Tag.
- Properly escape regex when rendering a BB code table.
- Disable PSR class path inspection in extension_hint.php
- In the ChangeLoggable behaviour add a new option to force a change to be from a specific user ID. In contexts where actions are performed from an email link, such as email stop or password resets, this allows us to ensure the password reset change log is attributed to the correct user.
- Update flow.js to the latest version, remove legacy FustyFlow for ancient IE fallback.
- Apply recommended fix for wrapping selection text in different editor functionality.
- Return a HTTP 404 error code when trying to view a tag with no viewable content
- Handle null arguments when stripping BBcode from strings