Released 2x XenForo 2.2.16 Released Full | XenForo 2.2 ENXF 2.2.16 Patch 2

XenForo 2.2.6 included support for YouTube embeds which contain a playlist ID which allows an embedded video to be viewed within the context of the playlist it is part of. While this was working perfectly fine, YouTube seemingly made a change yesterday which prevented all YouTube embeds from displaying because many of them would have had an empty list parameter in the embed URL.

This only affects customers who have already upgraded to XenForo 2.2.6 or XenForo 2.2.6 Patch 1. XenForo 2.2.6 Patch 2 resolves this issue.

Shortly after releasing 2.2.6, we became aware of a issue that may prevent user upgrade payments for legacy (XenForo 1.x-based) subscriptions from being processed. This only affects user upgrade subscriptions that were setup when the site was running XenForo 1.x and are still active. XenForo 2.2.6 Patch 1 resolves this issue.

For more details on the issue, see this bug report:

2.2.6 regression: legacy user upgrade payment failure​

If a PayPal payment is received for a user upgrade subscription that was created in XenForo 1.x, it may fail to process and the following error will be logged in the control panel:

ErrorException: [E_WARNING] Attempt to read property "extra_data" on null src/XF/Purchasable/UserUpgrade.php:50

Click to expand...

This error may be logged a number of times for a single payment due to PayPal retrying the IPN callback a number of times.

This issue has been resolved with 2.2.6 Patch 1, but it can be manually resolved by making the following change. In src/XF/Payment/PayPal.php, find:

Code:

$state->purchasableHandler = $purchasable->handler;

Immediately after it, add:

Code:

return true;

If the error has been received, in most cases, you can update or manually patch the issue and simply wait for PayPal to attempt the callback again. This should allow the payment to go through and be processed successfully.

Some of the changes in XF 2.2.6 include:

• Adjust file copying order of the one click upgrader to reduce issues with page breaks.
• Support youtube.com/shorts/{id} format URLs
• Change the CSS rules for inline spoilers to improve visibility
• Replace Accept header to use official v3 of GitHub API for connected account requests rather than its beta.
• Apply flood checking to thread create/reply pre-reg actions.
• If there is no editor/quick-reply element available, bail out of the quote-click JS handler early.
• Add some input placeholder styling to the stripe payment form.
• Prevent editing/display/use of some payment profiles when they are no longer active or the payment provider is no longer usable.
• When toggling comments with the profilePostCommentToggle style property enabled, ensure the editor placeholder is activated and, where possible, focus the editor.
• When getting global permission entries, process conditions correctly to only select the relevant records.
• Fix bad maxlength setting for warning definition titles and impose a maxlength for warning definition conversation titles.
• Prevent an error when trying to update reactions counts if we find a reaction content entry without a matching reaction definition.
• Implement the ability to add custom add/remove messages for the multi-quote button.
• Fix prefix function usage in alert/push_thread_reply_ban templates.
• Disable lightbox related output in RSS feeds.
• Allow member stats to be used in widgets regardless of overview_display option.
• Limit the size of each inline mod cookie to 3KB to avoid excessive header sizes.
• Add header 'Auto-Submitted: auto-generated' header by default to outgoing emails with the ability to override or unset if needed.
• Fix missing content type for contact form and protect against a PHP 8.0 issue if a content type phrase is empty.
• Fix unsupported operand error when validating a style archive if hashes.json fails to decode correctly.
• Add the ability to perform exact match email searches
• Remove duplicate itemprop attribute on a post's username link
• Validate usernames before trying to set them when creating threads as a guest
• Ensure phrases are properly returned as strings
• Wrap attachment action phrases that may not fit the thumbnail container
• Adjust description for the forum statistics widget
• Allow users to be reported regardless of their profile privacy settings
• Add a separate phrase for prefix searching on the admin panel's quick filter
• Ensure that non-ASCII characters are not in the local part of an email address.
• When analysing images, check image type against image extension map
• Allow alerts to be sent via an API super user key without a registered user.
• Validate a purchasable item exists during the callback stage of a payment.
• Ensure threads with a redirect thread type are included when batch updating threads or using a search forum
• Ensure post thread page action buttons are marked as nofollow
• Do not attempt to include a first_unread post in the API when the only unread posts in a thread are ignored.
• Ensure that phrases indirectly used in push and email templates use the correct language.
• Make the process of canceling recurring PayPal subscriptions clearer if the user does not have a PayPal account.
• Improve performance of loading icons on the add-on list.
• Use a new system for shortening strings that contain BB code so that they will not be cut off in the middle of BB code markup.
• Do not allow transparent or system colors to be used in the color BB code.
• Ensure that italics in user content are displayed as expected when using CJK languages.
• Do not attempt to link URLs or email addresses that contain censored words.
• Properly process Stripe subscription refunds in the payment system.
• Do not display the "insert" option on attachments in contexts where they cannot be inserted into an editor.
• Improve the display of message attribution rows with a large amount of content on smaller devices.

The following public templates have had changes:

• account_upgrades
• alert_thread_reply_ban
• attachments.less
• bb_code.less
• core_datalist.less
• core_setup.less
• delete_confirm
• fa.css
• font_awesome_setup
• forum_overview_wrapper
• forum_post_thread_chooser
• forum_view
• helper_attach_upload
• helper_js_global
• message.less
• message_macros
• multi_quote_macros
• payment_cancel_recurring_paypal
• payment_initiate_stripe
• post_macros
• profile_post_macros
• push_thread_reply_ban
• reaction_item_profile_post
• reaction_item_profile_post_comment
• reaction_list_row
• search_forum_view
• setup_fa.less
• thread_view
• whats_new_posts

Maintenance time! XenForo 2.2.2 has hatched, fledged and is ready to fly the nest directly to your community via one-click upgrade.

In addition to the changes listed below, 2.2.2 has some invisible changes to improve performance, stability and compatibility with the newly released PHP 8, which we look forward to supporting fully in future.

All licensed customers may download new XenForo releases, and in order to to benefit from increased stability offered by this new version, we strongly recommend that all sites running running earlier versions of XenForo 2.2 upgrade using the one-click system in their admin control panel.

Some of the changes in XF 2.2.2 include:

• Fix opt-in functionality of the entity changelog behavior
• Properly sort columns for forum default sort orders
• Handle heading BB codes without a type option
• Apply base URL to relative notice display images
• Do not escape moderator log list entry action texts after stripping tags
• Catch class load errors when applying session activity details on PHP 7+
• Throw exceptions correctly in the alert API controller.
• Ensure that the "no matches" message in article preview forums always spans the full width.
• When merging posts, force the target post to be visible if it will become the first post of the thread.
• Disable user mention parsing within custom BB codes that disable auto linking or BB code parsing
• When setting a default title for avatars, do not override a custom version
• Use the correct forum type node icon in the sub forum menu/list
• Fix typo that prevents alerts from being marked as unread if a confirmation message is shown.
• Ensure the UI properly respects an explicit request to mark an alert as read or unread when a confirmation message is shown.
• Fix StylePropertyMap entity ParentProperty relation conditional
• Fix dynamic redirects for alert and conversation read state toggles
• Correct a few typos in some CLI commands
• Fix invalid format specifier in error trace argument builder
• Break the phrase import query into chunks to avoid a MariaDB performance regression.
• Fix a MySQL 8.0.22 incompatibility with the 1.x to 2.x upgrade code (related to phrase renames).
• Allow previewing to work when composing entirely in the BB code editor
• Respect API permission bypass when checking alert viewability
• Fix some sort callbacks on PHP 8+
• Fix PHP 8 compatibility in XML utilities
• When a username change request requires moderator approval, log the IP the request was received from.
• Remove user profile banners when banning users with the spam cleaner
• Prevent an error caused by GCM push notification subscriptions.
• When quoting a post, do not include quote tags if they would be empty
• Give MySQL an index hint to improve performance of newest thread API requests (with no other filters)
• Prevent an error in the structured data of questions if the plain text version contains no content
• Fix issue that prevented the RTE from being programmatically focused
• Relax validation of URLs in BB code content as users may submit URLs that are missing URL encoding in some scenarios.
• When a profile banner is applied, ensure that the text stroke applied to the username respects user group-based username CSS modifications.
• Prevent an error when rendering article previews if the thread's first post is not set correctly
• Prevent double URL autolinking when an unfurled URL contains a URL within it.
• Ensure that Facebook embeds are always responsive.
• Fix permission check when removing tags with the tag changer service
• Do not grant the change username permission to the unconfirmed user group when upgrading to 2.2 (from 2.1 or earlier). For existing upgrades, remove the permission from this group explicitly. If you wish to allow unconfirmed users to change their usernames, the permission will need to be explicitly re-added after upgrading to 2.2.2.
• Ensure that the RTE preview tab does not expand unexpectedly if there are no right aligned toolbar icons.
• Fix typo in overlay click options list.
• Ensure that BB code blocks (code, quote, and similar) do not appear behind floated images.
• Prevent an error when fetching a post that contains an embedded video via the API.
• Prevent invalid characters from being displayed in certain cases when highlighting search results.
• When clicking "more options", ensure that thread type-related fields don't come from a saved draft
• Render push templates with the receiver as the visitor
• Apply a content type to the username change entity.
• Ensure that banned users do not receive an activity summary email.
• Fix a situation where the "display children in navigation" option for node-based navigation entries does not work.
• Apply explanation tooltips more consistently to the account header section.
• Allow Google Analytics 4 measurement IDs as well as Universal Analytics property IDs.
• Allow passing through JS options for sticky submit rows
• Provide an option to use the given user's language when calling \XF::asVisitor()
• Ensure post ad positions are retained in article template extensions, and exclude them from appearing in article forums with an expanded display
• Disable auto closing HTML tags in the template modification find and replace inputs.
• When importing from another XF installation, properly rewrite quotes which are missing a member ID

The following public templates have had changes:

• PAGE_CONTAINER
• _help_page_bb_codes
• account_alert_toggle
• account_alerts_mark_read
• attachments.less
• bb_code.less
• codemirror.less
• conversation_mark_unread
• core.less
• core_bbcode.less
• editor.less
• editor_base.less
• fa.css
• font_awesome_setup
• forum_post_thread
• member.less
• member_macros
• member_tooltip
• member_tooltip.less
• member_view
• message.less
• node_list.less
• node_list_forum
• notice_macros
• post_article_macros
• post_macros
• setup_fa.less
• thread_type_fields_poll
• thread_view_type_question

Maintenance time! XenForo 2.2.2 has hatched, fledged and is ready to fly the nest directly to your community via one-click upgrade.

In addition to the changes listed below, 2.2.2 has some invisible changes to improve performance, stability and compatibility with the newly released PHP 8, which we look forward to supporting fully in future.

All licensed customers may download new XenForo releases, and in order to to benefit from increased stability offered by this new version, we strongly recommend that all sites running running earlier versions of XenForo 2.2 upgrade using the one-click system in their admin control panel.

Some of the changes in XF 2.2.2 include:

• Fix opt-in functionality of the entity changelog behavior
• Properly sort columns for forum default sort orders
• Handle heading BB codes without a type option
• Apply base URL to relative notice display images
• Do not escape moderator log list entry action texts after stripping tags
• Catch class load errors when applying session activity details on PHP 7+
• Throw exceptions correctly in the alert API controller.
• Ensure that the "no matches" message in article preview forums always spans the full width.
• When merging posts, force the target post to be visible if it will become the first post of the thread.
• Disable user mention parsing within custom BB codes that disable auto linking or BB code parsing
• When setting a default title for avatars, do not override a custom version
• Use the correct forum type node icon in the sub forum menu/list
• Fix typo that prevents alerts from being marked as unread if a confirmation message is shown.
• Ensure the UI properly respects an explicit request to mark an alert as read or unread when a confirmation message is shown.
• Fix StylePropertyMap entity ParentProperty relation conditional
• Fix dynamic redirects for alert and conversation read state toggles
• Correct a few typos in some CLI commands
• Fix invalid format specifier in error trace argument builder
• Break the phrase import query into chunks to avoid a MariaDB performance regression.
• Fix a MySQL 8.0.22 incompatibility with the 1.x to 2.x upgrade code (related to phrase renames).
• Allow previewing to work when composing entirely in the BB code editor
• Respect API permission bypass when checking alert viewability
• Fix some sort callbacks on PHP 8+
• Fix PHP 8 compatibility in XML utilities
• When a username change request requires moderator approval, log the IP the request was received from.
• Remove user profile banners when banning users with the spam cleaner
• Prevent an error caused by GCM push notification subscriptions.
• When quoting a post, do not include quote tags if they would be empty
• Give MySQL an index hint to improve performance of newest thread API requests (with no other filters)
• Prevent an error in the structured data of questions if the plain text version contains no content
• Fix issue that prevented the RTE from being programmatically focused
• Relax validation of URLs in BB code content as users may submit URLs that are missing URL encoding in some scenarios.
• When a profile banner is applied, ensure that the text stroke applied to the username respects user group-based username CSS modifications.
• Prevent an error when rendering article previews if the thread's first post is not set correctly
• Prevent double URL autolinking when an unfurled URL contains a URL within it.
• Ensure that Facebook embeds are always responsive.
• Fix permission check when removing tags with the tag changer service
• Do not grant the change username permission to the unconfirmed user group when upgrading to 2.2 (from 2.1 or earlier). For existing upgrades, remove the permission from this group explicitly. If you wish to allow unconfirmed users to change their usernames, the permission will need to be explicitly re-added after upgrading to 2.2.2.
• Ensure that the RTE preview tab does not expand unexpectedly if there are no right aligned toolbar icons.
• Fix typo in overlay click options list.
• Ensure that BB code blocks (code, quote, and similar) do not appear behind floated images.
• Prevent an error when fetching a post that contains an embedded video via the API.
• Prevent invalid characters from being displayed in certain cases when highlighting search results.
• When clicking "more options", ensure that thread type-related fields don't come from a saved draft
• Render push templates with the receiver as the visitor
• Apply a content type to the username change entity.
• Ensure that banned users do not receive an activity summary email.
• Fix a situation where the "display children in navigation" option for node-based navigation entries does not work.
• Apply explanation tooltips more consistently to the account header section.
• Allow Google Analytics 4 measurement IDs as well as Universal Analytics property IDs.
• Allow passing through JS options for sticky submit rows
• Provide an option to use the given user's language when calling \XF::asVisitor()
• Ensure post ad positions are retained in article template extensions, and exclude them from appearing in article forums with an expanded display
• Disable auto closing HTML tags in the template modification find and replace inputs.
• When importing from another XF installation, properly rewrite quotes which are missing a member ID

The following public templates have had changes:

• PAGE_CONTAINER
• _help_page_bb_codes
• account_alert_toggle
• account_alerts_mark_read
• attachments.less
• bb_code.less
• codemirror.less
• conversation_mark_unread
• core.less
• core_bbcode.less
• editor.less
• editor_base.less
• fa.css
• font_awesome_setup
• forum_post_thread
• member.less
• member_macros
• member_tooltip
• member_tooltip.less
• member_view
• message.less
• node_list.less
• node_list_forum
• notice_macros
• post_article_macros
• post_macros
• setup_fa.less
• thread_type_fields_poll
• thread_view_type_question

Maintenance time! XenForo 2.2.2 has hatched, fledged and is ready to fly the nest directly to your community via one-click upgrade.

In addition to the changes listed below, 2.2.2 has some invisible changes to improve performance, stability and compatibility with the newly released PHP 8, which we look forward to supporting fully in future.

All licensed customers may download new XenForo releases, and in order to to benefit from increased stability offered by this new version, we strongly recommend that all sites running running earlier versions of XenForo 2.2 upgrade using the one-click system in their admin control panel.

Some of the changes in XF 2.2.2 include:

• Fix opt-in functionality of the entity changelog behavior
• Properly sort columns for forum default sort orders
• Handle heading BB codes without a type option
• Apply base URL to relative notice display images
• Do not escape moderator log list entry action texts after stripping tags
• Catch class load errors when applying session activity details on PHP 7+
• Throw exceptions correctly in the alert API controller.
• Ensure that the "no matches" message in article preview forums always spans the full width.
• When merging posts, force the target post to be visible if it will become the first post of the thread.
• Disable user mention parsing within custom BB codes that disable auto linking or BB code parsing
• When setting a default title for avatars, do not override a custom version
• Use the correct forum type node icon in the sub forum menu/list
• Fix typo that prevents alerts from being marked as unread if a confirmation message is shown.
• Ensure the UI properly respects an explicit request to mark an alert as read or unread when a confirmation message is shown.
• Fix StylePropertyMap entity ParentProperty relation conditional
• Fix dynamic redirects for alert and conversation read state toggles
• Correct a few typos in some CLI commands
• Fix invalid format specifier in error trace argument builder
• Break the phrase import query into chunks to avoid a MariaDB performance regression.
• Fix a MySQL 8.0.22 incompatibility with the 1.x to 2.x upgrade code (related to phrase renames).
• Allow previewing to work when composing entirely in the BB code editor
• Respect API permission bypass when checking alert viewability
• Fix some sort callbacks on PHP 8+
• Fix PHP 8 compatibility in XML utilities
• When a username change request requires moderator approval, log the IP the request was received from.
• Remove user profile banners when banning users with the spam cleaner
• Prevent an error caused by GCM push notification subscriptions.
• When quoting a post, do not include quote tags if they would be empty
• Give MySQL an index hint to improve performance of newest thread API requests (with no other filters)
• Prevent an error in the structured data of questions if the plain text version contains no content
• Fix issue that prevented the RTE from being programmatically focused
• Relax validation of URLs in BB code content as users may submit URLs that are missing URL encoding in some scenarios.
• When a profile banner is applied, ensure that the text stroke applied to the username respects user group-based username CSS modifications.
• Prevent an error when rendering article previews if the thread's first post is not set correctly
• Prevent double URL autolinking when an unfurled URL contains a URL within it.
• Ensure that Facebook embeds are always responsive.
• Fix permission check when removing tags with the tag changer service
• Do not grant the change username permission to the unconfirmed user group when upgrading to 2.2 (from 2.1 or earlier). For existing upgrades, remove the permission from this group explicitly. If you wish to allow unconfirmed users to change their usernames, the permission will need to be explicitly re-added after upgrading to 2.2.2.
• Ensure that the RTE preview tab does not expand unexpectedly if there are no right aligned toolbar icons.
• Fix typo in overlay click options list.
• Ensure that BB code blocks (code, quote, and similar) do not appear behind floated images.
• Prevent an error when fetching a post that contains an embedded video via the API.
• Prevent invalid characters from being displayed in certain cases when highlighting search results.
• When clicking "more options", ensure that thread type-related fields don't come from a saved draft
• Render push templates with the receiver as the visitor
• Apply a content type to the username change entity.
• Ensure that banned users do not receive an activity summary email.
• Fix a situation where the "display children in navigation" option for node-based navigation entries does not work.
• Apply explanation tooltips more consistently to the account header section.
• Allow Google Analytics 4 measurement IDs as well as Universal Analytics property IDs.
• Allow passing through JS options for sticky submit rows
• Provide an option to use the given user's language when calling \XF::asVisitor()
• Ensure post ad positions are retained in article template extensions, and exclude them from appearing in article forums with an expanded display
• Disable auto closing HTML tags in the template modification find and replace inputs.
• When importing from another XF installation, properly rewrite quotes which are missing a member ID

The following public templates have had changes:

• PAGE_CONTAINER
• _help_page_bb_codes
• account_alert_toggle
• account_alerts_mark_read
• attachments.less
• bb_code.less
• codemirror.less
• conversation_mark_unread
• core.less
• core_bbcode.less
• editor.less
• editor_base.less
• fa.css
• font_awesome_setup
• forum_post_thread
• member.less
• member_macros
• member_tooltip
• member_tooltip.less
• member_view
• message.less
• node_list.less
• node_list_forum
• notice_macros
• post_article_macros
• post_macros
• setup_fa.less
• thread_type_fields_poll
• thread_view_type_question

XenForo 2.2.1 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.

Most importantly, this release fixes two potential security vulnerabilities in XenForo.

The issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.

XenForo extends thanks to security researcher Vincent ibn Winnie for reporting the issues.

We recommend doing a full upgrade to resolve the issues, but a patch can be applied manually. See below for further details.

Some of the other changes in XF 2.2.1 include:

• Fix erroneous phrase in success alert when posting a reply before registering
• Ensure that service worker offline caching does not trigger session activity updates (or various other assertions)
• Allow insertTable and xfBbCode commands to be added to custom dropdowns. Prevent paragraphFormat command being added.
• Empty the mail queue when upgrading to 2.2 due to underlying Swiftmailer changes and catch errors (as well as exceptions) during mail sending to prevent queue items from becoming stuck.
• Only bail out of toggling the editor preview when the editor is empty if you are not already previewing.
• Fix displaying emoji phrases when the shortname contains an accented character and fix issue with accented shortname emojis from being converted.
• Bail out of matching a URL to BB code media sites if the string matches censor words.
• More consistently apply permission dependencies when passing from global to content-level permissions. Display permission changes due to failed dependencies when analyzing.
• Expose unread state for conversations and conversation messages
• Bypass global visibility check when trying to validate usernames for registration
• Add missing phrases when Gravatar rebuild is run.
• On the registration form, update the username field's explain text as usernames can be changed now
• Ensure article preview images aren't underlined when hovered over
• In the RTE, do not parse for emojis when smilies are disabled. This is consistent with how BB code is normally rendered.
• Ensure that Attachment::getDirectUrl only returns raw display URLs when the attachment is viewable
• Remove content voting links from HTML if the visitor cannot use them
• Apply width: auto to the small logo to ensure it maintains the correct aspect ratio when resized
• Fix email sharing link
• Add PHPDocs to noPermission() and notFound() controller methods

The following public templates have had changes:

• alert_post_pre_reg
• app_nav.less
• attachment_macros
• content_vote_macros
• message.less

Today, after a refreshingly short beta and release candidate phase, we are excited to announce that XenForo 2.2.0 is now prepared, seasoned, baked and served, replacing XenForo 2.1.11 as our primary supported XenForo version.

This release adds a collection of great new features to XenForo, including the ability to repurpose forums as article repositories, a new way to encourage guest users to register, a progressive web app and a completely redesigned rich text editor. Check out the following list for some highlights:

• Forum and thread types system
• Updated rich text editor
• User profile banners
• Username change requests
• Search forums
• Forum SEO controls
• Writing before registering support
• Progressive web app
• Activity summary emails
• Style archive import and export
• REST API additions
• Profile post attachments

This is not an exhaustive list of what's new in 2.2, and you can read more about the above and other new changes/improvements features in the Have you seen...? forum.

We have also added preliminary support for the upcoming major release of PHP 8.0.

Today we continue the release candidate stage of XenForo 2.2 with Release Candidate 2. We recommend that all customers running previous 2.2 versions upgrade to this release.

This release is similar to the previous betas, but indicates that we are now a step closer to the stable 2.2.0 release. This is still considered a pre-release version, so we do not recommend running it in production and ticket support for this version is not yet available.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is pre-release software. It is not officially supported.
We do not recommend running it in production.

Today we're happy to announce the next step towards a stable and supported release of XenForo 2.2 by moving onto the "release candidate" stage. We recommend that all customers running previous 2.2 versions upgrade to this release.

This release is similar to the previous betas, but indicates that we are now a step closer to the stable 2.2.0 release. This is still considered a pre-release version, so we do not recommend running it in production and ticket support for this version is not yet available.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is pre-release software. It is not officially supported.
We do not recommend running it in production.

Please remember that this is pre-release software. It contains known bugs and incomplete functionality. We do not recommend running pre-release software in a production environment, and support is limited at this time to questions here on the community forums.

Add-ons and custom styles may be broken after upgrading to 2.2. You must test your add-ons thoroughly or look for updates. Be especially careful with add-ons that cover similar features to ones that are added to 2.2; these may conflict with the core XenForo data. If data conflicts are found, they will need to be resolved in a new add-on release or by removing the add-on before upgrading to 2.2.

If you choose to run pre-release software, it is your responsibility to ensure that you make a backup of your data. We recommend you do this before attempting an upgrade. If in doubt, always do a test upgrade on a copy of your production data.