XenForo 2.3 Released Full 2.3.7 Nulled

XenForo 2.3.7 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.​

In addition to the usual fixes and improvements, XenForo 2.3.7 also includes a critical security fix to ensure the security of Passkeys that have been added to your account. We'd very much like to thank Jai Niresh J for reporting this issue via Eric and team at Hypixel Inc.. Between them they also reported a less severe issue related to local account page caching on shared systems.

This version also tightens up the kinds of methods that can be called from within templates, evolving from a loose "prefix" match to a stricter "first word" match of methods that can be called through callbacks and variable method calls. This fix is courtesy of Cyanide who we extend huge thanks to in taking the time to report this to us.

We'd also like to take this opportunity to notify all third party developers that writing database queries inside templates is not recommended. While this is still allowed in XenForo 2.3.7, the behaviour is now considered deprecated and will be prevented in XenForo 2.3.8. Code which currently triggers this will insert an error into the Server error log and must be fixed prior to the release of XenForo 2.3.8. Where possible, data must be queried and processed and passed into the template rather than being written inside the template itself.

Finally, we'd like to thank @TickTackk for reporting a path disclosure issue in exceptions thrown due to open_basedir restrictions.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.

• Download 237-patch.zip
• Extract the .zip file
• Upload the contents of the upload directory to the root of your XenForo installation

Note: If you decide to patch the files instead of doing full upgrades, your "File health check" will report these files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.

As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area or upgrade from your Admin control panel (Tools > Check for upgrades...).

Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.3.7 include:

• Escape select input option labels
• Improve supported EXIF data when client-side image resizing is enabled
• Allow fetching forum prefixes even without node permissions
• Normalize entity manager repository cache keys
• Fix IPv6 binary to string expansion
• Fix appearance of member tooltip on recent Safari versions
• Use text structured data field for DiscussionForumPosting content
• Require confirmation for linking connected accounts
• Suppress logging of normal connected account exceptions
• Clear site cache data when logging out
• Move XF.SolutionEditClick into action.js to resolve dependency issues
• Fix carousel margin on RTL languages
• Expand global email template parameters
• Adjust wording of account approval phrases
• Improve typing of repository find methods
• Fix issue with missing verbosity when casting collections to webhook results.
• Avoid logging errors when IndexNow is having intermittent issues
• Delete related user alerts when a trophy is deleted
• Add support for viewing and revoking a user's authorised applications from the admin panel
• Handle nulls and empty-evaluated strings properly
• Detect Google Inspection Tool crawler
• No longer create user fields by default during install.
• Fix manual video thumbnail generation on iOS
• Remove legacy Imagick GIF optimization technique
• Display search suggestions properly when results contain guest content
• Fix lift ban link on ban edit page
• Render all activity summary display values in the user language
• Set default Accept-Language header in outgoing HTTP requests
• Allow overriding avatar usernames when a user is specified
• Fix generated entity type hints for JSON columns

The following public templates have had changes:

• carousel.less
• connected_account_macros
• core_datalist.less
• featured_content_item
• member_ban_edit
• member_tooltip.less
• message.less
• post_macros
• register_connected_account_confirm
• style_variation_macros
• whats_new_wrapper

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.

XenForo 2.3.6 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.3.6 include:

• Fix upgrades from XF 1 not having the correct xf_job table schema changes applied
• Fix an issue with updating multiple variation menu icons
• Fix some issues with HCaptcha
• Fix cookie third-party for X media site
• Remove bluesky_logo from template function list
• Attempt to sync PayPal REST API with current product name.
• Fix an issue with Less_Tree_Dimension

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

XenForo 2.3.5 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

In addition to the usual bug fixes, XenForo 2.3.5 includes a critical security fix for any customers making use of OAuth2 where client applications may be able to request unauthorized scopes. This will affect any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5.
Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.3.5 include:

• Fix unassociated attachment limit checks
• Clamp client-side color contrast evaluations
• Appropriately load tweets after page load.
• Update Twitter connected account references to X.
• Fix X (formerly Twitter) connected account
• Ensure xf_oauth_client and xf_oauth_request have primary keys.
• Allow a Passkey credential_id to occupy up to 1024 characters.
• Make code editor search highlighting similar to editor selection color.
• Remove unused jQuery snippet.
• Fix reactions tabs for direct message replies.
• Support multiple variation menus when updating variations
• Fix number box handling when step value is any
• Fix a server error when no custom error phrase is specified for an error response
• Improve type hinting of schema manager closures
• Properly reset write-pending status when calling Entity::saveIfChanged
• Fix server error when log search results return a record for a deleted user
• Properly represent field and prefix user group IDs as a list of unique sorted integers
• Support lazy-loading variation pictures
• Suppress PhpStorm warnings in class extension hint files
• Fix unstable sort order for class extension output
• Fix potentially undefined array key when determining an entity cover image
• Properly validate OAuth client redirect URIs
• Pass import command interactive state to import-finalize command
• Improve BBCode HTML rendering PHP 8.3 compatibility
• Do not escape HTML when rendering custom field titles in the control panel
• Allow saving cookie preferences when board is inactive
• Fix duplicate moderated icon in article preview thread titles
• Allow fetching all server globals using \XF\Http\Request::getServerInfo
• Fix incorrect phrase in user change log handler
• Fix handling of null auto-complete results
• Do not scroll to last viewed image when closing the lightbox
• Fix error 'TemplateFinder::searchTitle() accepts 1 parameters but 2 are passed'
• Fix server error getting conversations by ID via API.
• Fix incorrect route format for the OAuth2 account/applications route
• Fix issue where code challenges for public OAuth2 clients could not be verified

The following public templates have had changes:

• code_editor.less
• connected_account_associated_x
• connected_account_macros
• core_button.less
• editor_insert_gif
• helper_js_global
• login
• passkeys_macros
• post_article_macros
• share_page_macros
• style_variation_macros

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

XenForo 2.3.4 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

One-click upgrade to XenForo 2.3.4
Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.3.4 include:

• Include embed.php in hashes.json
• Fix error thrown when feed entry is missing an ID
• Use AbstractCollection for type hint on addContentToBookmarks method
• Fix deprecated usage of str_replace with API scopes
• Improve PHP 8.4 compatibility
• Output hsla in the color picker when an alpha channel is present
• Ensure URLs are valid when analyzing image usage
• Coerce nestable group to a number before peforming strict comparison
• Gracefully handle guest username and style variation containing invalid UTF-8
• Attempt to work-around abysmal Firefox form field retention heuristics
• Gracefully handle when an avatar cannot be processed
• Allow changing style variation when the previously selected style is forced to the default style
• Increase date input width further to accomodate Firefox icon clipping
• Fix editor autofocus behavior when in BBCode mode
• Add a note about some permissions not being applicable to guests
• Fix triggering Facebook embeds for document
• Fix calculation of local load time from navigation timing API
• Fix behavior of preview buttons
• Consider read-only number-box inputs as disabled
• Make required and recommended function checks more robust
• Allow null unique ID when enqueuing a job later
• Make report creation notifications easier to extend
• Attempt to work around aggressive Firefox auto-complete heuristics when editing a user
• Fix broken JS handlers when loading comments via AJAX
• Fix an issue with editing newly translated phrases
• Split ExifReader library out of attachment manager bundle
• Attempt to work around aggressive Firefox auto-complete heuristics on control panel index
• Fix number input buttons when step is set to any
• Fix some icon usage analysis issues when editing and deleting editor drop-downs and BBCodes
• Only record icon usage for active BBCodes and editor dropdowns
• Omit itemid microdata attribute when there is no valid user
• Ensure all control panel functionality is covered by permissions
• Handle invalid multiquote input more gracefully
• Attempt to avoid featured content carousel pager text overlap
• Only try to remove double quotes from URL strings once
• Set default color picker color to white instead of transparent
• Fix some issues with the JS icon renderer and BBCode previews
• Handle invalid session IDs more gracefully
• Do not mark unhidden usernames as aria-hidden
• Fix direction of back arrow on RTL languages
• Improve text node handling in XF.setupHtmlInsert
• Ignore Thumbs.db in style archive validator
• Fix structured list icon end cell padding
• Fix an issue with deferred resize event listener after autofocus
• Skip any file duplicates when importing banned emails
• Mark multiple consecutive asterisks as an invalid term word on MySQL full-text searches
• Make the default table collation configurable
• Fix calculation of report closure notifiable users
• Ensure PayPal products are created with a unique ID.

The following public templates have had changes:

• PAGE_CONTAINER
• approval_queue_macros
• carousel.less
• core_input.less
• fancybox.less
• helper_attach_upload
• lightbox.less
• message_macros
• profile_post_macros
• structured_list.less

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Current requirements
Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

XenForo 2.3.3 Released​

XenForo 2.3.3 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.3.3 include:

• Fix select-to-quote handler error on soft-deleted threads
• Ignore port if Redis host appears to be a file path
• Fix a few cases where hashes were concatenated instead of passed to router
• Fix flickering issue with JS icon renderer
• Fix expandable content transition class callback
• Use correct finder when looking up Stripe subscriber IDs
• Do not attempt to set RSS feed language if no language code is set
• Check if job table exists before attempting to sync structure
• Fix issues serializing nestable elements which contain unrelated lists
• Adjust some automatic alert read-marking behaviors
• Adjust offset of focus-visible tab outline
• Re-enable caching for tag edit overlay
• Fix error handling for fetching/creating PayPal products and plans
• Fix determining locale from language code for string manipulation
• Ensure points phrase is used in trending weights.
• Optimize string transliteration performance
• Override some missing phrases for token inputs.
• Reduce trending content widget queries
• Fix embedding Imgur galleries and applying JS states
• Romanize heading anchors
• Do not force romanization for category anchors
• Fix merging reactions with multiple source reactions from deleted users
• Do not cache report overlays
• Fix Tagify filtering out non-exact matches unexpectedly
• Set 1:1 aspect-ratio on connected account provider icons
• Use the editorButtonSelectedBg property for active editor button backgrounds
• Fix DM icon clipping on desktop Safari
• Fix phrase method casing in icon option handler
• Perform client-size image optimization even when no maximum image width/height is set
• Fix checking if Rocket Loader is disabled in the middle of an upgrade
• Throw an error when attempting to recursively load config file
• Fix string style property variations support for properties without assets enabled
• Prevent double logging of moderator changes for threads when editing first post
• Adjust width of inline time inputs
• Check private use TLDs when determining if a host is local
• Fix some issues with appending filter rows
• Use XF.setupHtmlInsert for filter AJAX responses
• Allow passing HTMLElement objects to alerts
• Fix support for alternative icon variants in custom BB codes
• Fix fetching default avatar when templater style is not set
• Address some phrases which reference conversations
• Handle unexpected values in cookie consent cookie

The following public templates have had changes:

• PAGE_CONTAINER
• account_banner
• app_nav.less
• conversation_message_macros
• core_block.less
• core_button.less
• core_input.less
• core_tab.less
• editor_override.less
• helper_js_global
• member_view
• passkeys_macros
• post_macros
• profile_post_macros
• tag_macros
• token_input

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.

XenForo 2.3.2 Released​

XenForo 2.3.2 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.3.2 include:

• Make PCRE character class check more robust.
• Do not attempt to redefine UTF-8 string shim functions if they already exist
• Rename search forum node type handler as expected
• Fix utf8_isASCII return type
• Fix an issue where the batch size for search rebuilds could grow unbounded
• Strip BBCode from trending content article displays
• Fix a regression with PWA orientation/screen rotation
• Set recommended PHP version dynamically
• Fix profile post position tracking
• Use absolute URLs in approval item emails
• Fix behavior of API keys with all scopes allowed
• Fix thread context support for featured and trending widgets
• Apply inline style to document.head correctly
• Fix type error for file clean counts.
• Attempt to have Cloudflare Rocket Loader automatically ignore scripts
• Don't try to ping IndexNow if no API key is set
• Gate search engine indexing settings for threads behind their own permission
• Fix error on shared IPs list when matching user has been deleted
• Allow the variation menu to open above fixed notices
• Fix saving permissions from the edit user page
• Fix passing \DateTime objects into \XF\Language::getDateTimeParts
• Use XF custom events for overlay and transition events
• Hydrate user relations when setting up base user
• Redirect to the first active option group when viewing an option
• Fix behavior of search short-name conversion
• Handle older SMTP option values more gracefully
• Fix responsive sidebar margins
• If a user can see the thread created by a report, respect their auto watch preference
• Mark threads as nofollow if they are non-indexable
• Support WebP images when uploading images for featured content
• Address several issues with XF.ajax
• Address even more one-click upgrade issues when caching is enabled
• Fix attachment list filter bar dates being displayed in wrong timezone
• Fix using hotkeys to submit a message in the plain text editor
• Fix event handling on auto-complete autosubmission
• Fix importing webp smilies
• Fix implicit join behavior of finder order clauses
• Fix addon_get_install_data code event description
• Only process the color scheme mixin when variations are enabled
• Position BBCode quote expansion link at bottom of quote
• Fix some issues when toggling variations when an active variation is selected
• Pass handler in params when rendering thread edit extra data templates
• Include type data definitions when rendering thread edit extra data templates

The following public templates have had changes:

• PAGE_CONTAINER
• app_body.less
• bb_code.less
• embed_view
• featured_content_edit
• helper_js_global
• helper_thread_options
• page_view
• payment_initiate_twocheckout
• profile_post_macros
• service_worker_offline
• setup.less
• style_variation_macros
• thread_list_macros
• trending_content_item_thread
• two_step_totp

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

It's time to party like it's 2022 2023 2024! Today we are very pleased (and relieved) to announce the stable release of XenForo 2.3.0 and our official add-ons. It has been a long time coming so we thank you for your patience and support.

There are a myriad of new features and improvements. Here's a brief overview of our favourites:

• Style variants with Dark mode
• Improved performance
• Featured content
• Image optimization
• Automation with webhooks
• SSO with OAuth2
• Passwordless logins with passkeys
• Trending content

This is not an exhaustive list of what's new in 2.3, and you can read more about the above and other new changes/improvements features in the Have you seen...? forum.

As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area or upgrade from your Admin control panel (Tools > Check for upgrades...).


Shortly after the release of XenForo 2.3.0, Cloud customers will receive an email notifying them that their upgrade has been scheduled automatically.

Please pay close attention to the scheduled date / time of the upgrade. As a XenForo Cloud customer you are able to defer the automatic upgrade for as far as six months from the date of release. While the sheer majority of customers will be fine upgrading much sooner, we do recommend taking additional time before upgrading to verify that add-ons on which you depend on are updated and style designers have ample time to prepare 2.3.0 compatible versions of styles before upgrading.

Prior to upgrading, ensure you have updated add-ons and styles downloaded and be sure to follow the specific developer/designer's instructions and guidance when upgrading those.

It may also be worth scheduling your upgrade at times where we have more staff available. While XenForo staff are generally available outside of these hours, responses are much quicker during the hours of Monday - Friday 9am to 5pm UK time (currently BST / UTC+1).

Note that add-ons and custom styles may be broken after upgrading to 2.3. You must test your add-ons thoroughly or look for updates. Be especially careful with add-ons that cover similar features to ones that are added to 2.3; these may conflict with the core XenForo data. If data conflicts are found, they will need to be resolved in a new add-on release or by removing the add-on before upgrading to 2.3.

Alongside the release of XenForo 2.3.0, we are also releasing updated versions of each of our official add-ons:

• XenForo Media Gallery 2.3.0
• XenForo Resource Manager 2.3.0
• XenForo Enhanced Search 2.3.0

Each of these has been updated to integrate with the new features in XenForo 2.3 and add features of their own, including:

Improved media gallery performance

Split-score review graph

Search suggestions

Customers with active licenses for these add-ons may download the new versions from their customer area.

The following are minimum requirements:

• PHP 7.2 or newer
• MySQL 5.7 and newer
• All of the add-ons listed here require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2

Note: Some requirements here have changed. Notably, PHP 7.2 is now required, and MySQL 5.7 (or equivalent) is required. That being said, we highly recommend upgrading to PHP 8.3 or MySQL 8.0 at the earliest opportunity.

Full details for how to install and upgrade XenForo can be found in the XenForo manual. One-click upgrades from XF 2.2 are possible. Once the XF 2.3 upgrade has been complete, the official add-ons should be upgraded as well, otherwise you may run into incompatibilities.

Today we are releasing XenForo 2.3.0 Release Candidate 5. While the majority of this release is focusing on bug fixes and stability, there are a few noteworthy changes.

Automatic legacy file clean up​

XenForo installations after upgrading to XenForo 2.3 will have a number of files sitting in the file system which are no longer used. Any XenForo installation that has been around for a while, will to a lesser extent, have a similar issue. These files on their own shouldn't present any issue, but at the same time, keeping them around doesn't make much sense either.

There are three approaches to cleaning up legacy files automatically.

To address a backwards compatibility issue with some add-ons, we are today releasing XenForo 2.3.0 Release Candidate 4. If you are running Release Candidate 3 already we encourage you to upgrade as soon as possible. If you were previously affected by issues with certain add-ons or experience other issues, please let us know via a bug report in the first instance.

This release also fixes the issue with admin search returning an error.

This week in addition to a bunch of bug fixes, we've also been doing a spot of housekeeping in our code. The following is quite technically heavy so if you're a non-developer, shield your eyes and read the less boring bits.

Much wider usage for class strings​

As a reminder, XenForo 2.3 brings with it support for using native PHP class strings. For example, originally we used "class short names" to point to certain classes. While these were easy to write, it makes refactoring classes difficult, and you need these PHP doc comments to hint to code editors what object is ultimately returned in the code:

PHP:
<span>/** @var \XF\Entity\User $user **/</span><br><span>$user</span> <span>=</span> \<span>XF</span><span>:</span><span>:</span><span>em</span><span>(</span><span>)</span><span>-</span><span>&gt;</span><span>create</span><span>(</span><span>'XF:User'</span><span>)</span><span>;</span>

Our preference going forwards is using class strings:

PHP:
<span>$user</span> <span>=</span> \<span>XF</span><span>:</span><span>:</span><span>em</span><span>(</span><span>)</span><span>-</span><span>&gt;</span><span>create</span><span>(</span>\<span>XF<span>\</span>Entity<span>\</span>User</span><span>:</span><span>:</span><span>class</span><span>)</span><span>;</span>

Because PHP natively understands these special strings, the issues with type hinting are no more, and doing things like renames of classes or moving classes becomes a much more trivial exercise.

Throughout the core XF code now, starting with RC3, we have replaced the majority of these legacy class short names with native class strings.