XenForo 2.2.16 Released Upgrade | XenForo 2.2 ENXF

Released 2x XenForo 2.2.16 Released Upgrade | XenForo 2.2 ENXF 2.2.16 Patch 2

XenForo 2.2.6 included support for YouTube embeds that contain a playlist ID, which allows an embedded video to be viewed within the context of the playlist it is part of. While this was working perfectly fine, YouTube seemingly made a change yesterday which prevented all YouTube embeds from displaying because many of them would have had an empty list parameter in the embed URL.

This only affects customers who have already upgraded to XenForo 2.2.6 or XenForo 2.2.6 Patch 1. XenForo 2.2.6 Patch 2 resolves this issue.
Shortly after releasing 2.2.6, we became aware of an issue that may prevent user upgrade payments for legacy (XenForo 1.x-based) subscriptions from being processed. This only affects user upgrade subscriptions that were set up when the site was running XenForo 1.x and are still active. XenForo 2.2.6 Patch 1 resolves this issue.

For more details on the issue, see this bug report:

2.2.6 regression: legacy user upgrade payment failure


If a PayPal payment is received for a user upgrade subscription that was created in XenForo 1.x, it may fail to process and the following error will be logged in the control panel:
ErrorException: [E_WARNING] Attempt to read property "extra_data" on null src/XF/Purchasable/UserUpgrade.php:50
This error may be logged several times for a single payment because PayPal retries the IPN callback a number of times.

This issue has been resolved with 2.2.6 Patch 1, but it can be manually resolved by making the following change. In src/XF/Payment/PayPal.php, find:
Code:
$state->purchasableHandler = $purchasable->handler;
Immediately after it, add:
Code:
return true;
If the error has been received, in most cases, you can update or manually patch the issue and simply wait for PayPal to attempt the callback again. This should allow the payment to go through and be processed successfully.
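A way to check whether the manual change described above is already present in a copy of src/XF/Payment/PayPal.php, and to apply it once if it is not. This is an added example, not XenForo's own tooling; the function names are hypothetical, and it assumes the quoted line appears once in the file.

```shell
#!/bin/sh
# Added example (not XenForo code): report or apply the manual 2.2.6 workaround.
# ANCHOR and FIX are the two PHP statements quoted on the page; the function
# names below are hypothetical.

ANCHOR='$state->purchasableHandler = $purchasable->handler;'
FIX='return true;'

# Print "patched", "unpatched" or "anchor-missing" for the given file.
# Leading/trailing whitespace and blank lines after the anchor are ignored.
paypal_patch_status() {
    awk -v anchor="$ANCHOR" -v fix="$FIX" '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        {
            line = trim($0)
            if (pending) {
                if (line == "") next      # blank line right after the anchor
                if (line == fix) patched = 1
                pending = 0
            }
            if (line == anchor) { found = 1; pending = 1 }
        }
        END {
            if (!found)       print "anchor-missing"
            else if (patched) print "patched"
            else              print "unpatched"
        }' "$1"
}

# Insert the fix immediately after the anchor, reusing its indentation.
# Keeps the original as FILE.bak. Returns 0 if the file ends up patched,
# 2 if the anchor line is not in the file, 1 on any other failure.
paypal_patch_apply() {
    case "$(paypal_patch_status "$1")" in
        patched)        return 0 ;;   # already done, do not insert twice
        anchor-missing) return 2 ;;   # different version or wrong file
    esac
    cp -p "$1" "$1.bak" || return 1
    awk -v anchor="$ANCHOR" -v fix="$FIX" '
        { print }
        {
            line = $0
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", line)
            if (line == anchor) {
                indent = $0
                sub(/[^ \t].*$/, "", indent)   # keep only leading whitespace
                print indent fix
            }
        }' "$1.bak" > "$1" || return 1
    [ "$(paypal_patch_status "$1")" = "patched" ]
}
```

Run `paypal_patch_status` first; an `anchor-missing` result means the file is not the 2.2.6 version the workaround was written for, and upgrading to 2.2.6 Patch 1 or later is the route to take.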
Some of the changes in XF 2.2.6 include:
  • Adjust file copying order of the one click upgrader to reduce issues with page breaks.
  • Support youtube.com/shorts/{id} format URLs
  • Change the CSS rules for inline spoilers to improve visibility
  • Replace Accept header to use official v3 of GitHub API for connected account requests rather than its beta.
  • Apply flood checking to thread create/reply pre-reg actions.
  • If there is no editor/quick-reply element available, bail out of the quote-click JS handler early.
  • Add some input placeholder styling to the stripe payment form.
  • Prevent editing/display/use of some payment profiles when they are no longer active or the payment provider is no longer usable.
  • When toggling comments with the profilePostCommentToggle style property enabled, ensure the editor placeholder is activated and, where possible, focus the editor.
  • When getting global permission entries, process conditions correctly to only select the relevant records.
  • Fix bad maxlength setting for warning definition titles and impose a maxlength for warning definition conversation titles.
  • Prevent an error when trying to update reactions counts if we find a reaction content entry without a matching reaction definition.
  • Implement the ability to add custom add/remove messages for the multi-quote button.
  • Fix prefix function usage in alert/push_thread_reply_ban templates.
  • Disable lightbox related output in RSS feeds.
  • Allow member stats to be used in widgets regardless of overview_display option.
  • Limit the size of each inline mod cookie to 3KB to avoid excessive header sizes.
  • Add an 'Auto-Submitted: auto-generated' header by default to outgoing emails with the ability to override or unset if needed.
  • Fix missing content type for contact form and protect against a PHP 8.0 issue if a content type phrase is empty.
  • Fix unsupported operand error when validating a style archive if hashes.json fails to decode correctly.
  • Add the ability to perform exact match email searches
  • Remove duplicate itemprop attribute on a post's username link
  • Validate usernames before trying to set them when creating threads as a guest
  • Ensure phrases are properly returned as strings
  • Wrap attachment action phrases that may not fit the thumbnail container
  • Adjust description for the forum statistics widget
  • Allow users to be reported regardless of their profile privacy settings
  • Add a separate phrase for prefix searching on the admin panel's quick filter
  • Ensure that non-ASCII characters are not in the local part of an email address.
  • When analysing images, check image type against image extension map
  • Allow alerts to be sent via an API super user key without a registered user.
  • Validate a purchasable item exists during the callback stage of a payment.
  • Ensure threads with a redirect thread type are included when batch updating threads or using a search forum
  • Ensure post thread page action buttons are marked as nofollow
  • Do not attempt to include a first_unread post in the API when the only unread posts in a thread are ignored.
  • Ensure that phrases indirectly used in push and email templates use the correct language.
  • Make the process of canceling recurring PayPal subscriptions clearer if the user does not have a PayPal account.
  • Improve performance of loading icons on the add-on list.
  • Use a new system for shortening strings that contain BB code so that they will not be cut off in the middle of BB code markup.
  • Do not allow transparent or system colors to be used in the color BB code.
  • Ensure that italics in user content are displayed as expected when using CJK languages.
  • Do not attempt to link URLs or email addresses that contain censored words.
  • Properly process Stripe subscription refunds in the payment system.
  • Do not display the "insert" option on attachments in contexts where they cannot be inserted into an editor.
  • Improve the display of message attribution rows with a large amount of content on smaller devices.
The following public templates have had changes:
  • account_upgrades
  • alert_thread_reply_ban
  • attachments.less
  • bb_code.less
  • core_datalist.less
  • core_setup.less
  • delete_confirm
  • fa.css
  • font_awesome_setup
  • forum_overview_wrapper
  • forum_post_thread_chooser
  • forum_view
  • helper_attach_upload
  • helper_js_global
  • message.less
  • message_macros
  • multi_quote_macros
  • payment_cancel_recurring_paypal
  • payment_initiate_stripe
  • post_macros
  • profile_post_macros
  • push_thread_reply_ban
  • reaction_item_profile_post
  • reaction_item_profile_post_comment
  • reaction_list_row
  • search_forum_view
  • setup_fa.less
  • thread_view
  • whats_new_posts
XenForo 2.2.5 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.

This release changes the default CAPTCHA method from reCAPTCHA to hCaptcha. If you were using the default CAPTCHA settings, you will automatically be switched over to hCaptcha. If you provided your own reCAPTCHA keys or chose a different CAPTCHA method, your existing CAPTCHA settings will be retained. If you are unable to upgrade to this release, you may need to change CAPTCHA settings to avoid disruption.

Some of the changes in XF 2.2.5 include:
  • Bail out of Less color parsing if we already have a valid-CSS color.
  • Adjust Request::isHostLocal to only return true for loopback addresses (and add a further explanation about its intended usage).
  • Ensure that HTML is not shown in node bookmark descriptions.
  • Improve checks that control whether a user's "about" section is shown.
  • Do not require a custom statement descriptor when setting up Stripe, unless we can't derive a valid descriptor automatically.
  • Ensure that clicking "open link" in the RTE always opens the link in a new tab.
  • If a custom privacy policy or terms URL is selected but not provided, ensure that they are never shown as accessible help pages.
  • In the RTE, maintain single leading spaces on new lines (particularly for code blocks).
  • Fix faded out text display in article previews in RTL languages.
  • Ensure that all pending rebuilds are triggered before asking about statistic collection when upgrading via the CLI.
  • Allow embedded attachments with a height resize only to maintain the correct aspect ratio.
  • Prevent a JS error related to app badge updates if the input value isn't the expected type.
  • Ensure that user ignore caches are rebuilt correctly when merging users.
  • Change the thread type selector to reduce the amount of wasted space on mobile and flip to a horizontally scrollable system when needed.
  • Support additional phrase modifiers in option format parameters.
  • When encountering a SMTP server error while sending email, attempt to establish a fresh connection before sending any further messages.
  • Prevent an error when deleting a user if they have voted for content that relates to a disabled add-on.
  • Use an alternative reCaptcha URL to ensure better availability.
  • Check the correct scope when marking alerts as read via the API.
  • Improve accessibility of radio and checkbox rows using ARIA roles.
  • When editing custom field values, ensure that labels are associated with the related input for accessibility purposes.
  • Ensure that inputs are associated with their labels whenever possible to improve accessibility of certain forms.
  • Fix performance regression with emoji conversion and skip emoji conversion code entirely if using natively-styled emoji.
  • Only skip spam cleaning via the approval queue if the user was spam cleaned recently.
  • Do not cache the edit tags overlay to work around an issue with tags duplicating in the tags editor.
  • Add missing phrase for 'x_weeks' and fix issue with time based phrases not displaying the correct count.
  • Limit the width of embedded Facebook content to be consistent with other embeds.
  • Reduce peak memory usage when executing certain template/phrase rebuild jobs.
  • Correctly handle errors when inlining CSS into emails with PHP 8.
The following public templates have had changes:
  • account_privacy
  • attachment_macros
  • bookmark_item_node
  • captcha_recaptcha
  • color_picker_macros
  • core.less
  • core_datalist.less
  • core_filter.less
  • core_formrow.less
  • core_input.less
  • core_menu.less
  • custom_fields_macros
  • date_input
  • forum_post_thread
  • helper_js_global
  • helper_user_dob_edit
  • inline_mod_actions
  • input_extended.less
  • member_about
  • notice_enable_push
  • poll_macros
  • post_article_macros
  • post_macros
  • prefix_macros
  • rating_macros
  • search_form_post
  • setup.less
  • tag_macros
  • two_step_backup
Some of the changes in XF 2.2.4 include:
  • Ensure multi-quote system does not overwrite unintended parts of the attachment upload request.
  • Allow the "must login or register to reply" button to wrap if needed.
  • Prevent an error from being sporadically triggered when cleaning up the filesystem cache.
  • Prevent an error when checking if a conversation can be started with a user who is unexpectedly missing part of their profile data.
  • Ensure that "click to expand" links are treated as buttons and are keyboard-navigation accessible.
  • When logging in via an API generated token, allow the existing logged in user to be replaced (if logged in as a different user) with the new user if force=1 appended to the URL.
  • When an account that does not have a password set is requesting a new password, ensure some amount of rate limiting is imposed to avoid repeat requests.
  • Add support for using $context inside widget display condition field.
  • Properly maintain the full table markup when selectively quoting only part of a table.
  • Fix search result highlighting issues with certain non-ASCII characters.
  • Prevent double conversion of CSS rules to BB code equivalents in some situations.
  • When viewing the registered members list, ensure unviewable member stat categories are filtered out from the sidebar.
  • Ensure toggle:hidden event is triggered correctly when hiding toggle elements.
  • Clean up news feed records belonging to posts when their thread is hard deleted.
  • If a thread has multiple sort options, ensure the additional links are marked as nofollow
  • Mark go-to links in quotes as nofollow
  • When viewing the latest activity of an ignored member, show a link to view ignored content
  • Prevent HTML errors outputting from Xdebug in some cases.
  • When searching within a specific forum, ensure child forums are included in all cases.
  • Adjust Auth::actionPost API documentation to recommend the login/password parameters should be passed into the request body to go along with a general recommendation in our development documentation that this should generally be done for all non-GET requests.
  • When a pre-registration action is triggered, only show the welcome message if this is a newly registered user.
  • Correctly pass state of $forceCaptcha to contact_form template
  • Disable a table quick insert button that sometimes appears in the rich text editor.
  • Update phpdoc on entityColumnsToJson method to indicate the correct return type.
  • If the unregistered group has the view permission revoked ensure that failed CAPTCHAs can successfully be reloaded in the event of an error.
  • Fix an issue preventing installs from the command line when using PHP 8
  • Avoid unexpected layout shifts when embedded images/attachments have known dimensions.
  • Throw a required input missing error if the avatar file is not included in the request. PHPdoc updated to reflect the requirement in the online API docs.
  • Ensure user rejection reasons can't exceed the 200 character limit
  • Update PhpBb3 authentication handler to support verifying passwords using native PHP methods where possible.
  • Render phrases presented as $value to XML createDomElement()
  • Don't merge identical sibling URL and EMAIL bbcode tags
  • For consistent behavior across PHP versions, explicitly trigger a notice if an array is passed in to XF::escapeString
  • When inserting multiple attachments, allow the "thumbnail" button to insert audio/video attachments which do not support thumbnails.
  • Maintain the single thread search constraint when returning to the advanced search form.
  • Ensure that about and signature are not censored before rendering as BB code.
  • In question and suggestion forums, ensure that all tab constraints are maintained in the filtering menu.
  • Save undo points in the RTE when triggering certain actions such as quoting a message.
  • Prevent an error on some browsers when inserting a video through the rich text editor.
  • When importing users, if the primary user_group_id also appears in the secondary_group_ids field then remove it.
  • Create a new POST post/{id}/mark-solution endpoint, to toggle/switch the solution post. Returns old_solution_post and new_solution_post to allow switching behaviours.
  • Adjust universal lightbox option explanation
  • Properly escape some phrases in HTML attributes
  • Fix group sorting of field cache data
  • Add a note about step dependencies to the import step chooser
  • Don't throw an error when trying to add an admin on PHP 8
  • Check permissions before displaying add-on control links
  • Display option values when editing the current email transport method
  • Trigger events when toggling the display of disabler containers
  • Adjust new thread and search forum widget expanded display explanation
  • When autolinking post content do not autolink if we match www. followed by an additional dot.
  • When installing XF via the command line if the confirm password doesn't match the original password then go back to the original password prompt.
  • Allow 'sort' to be passed to profile-posts/{id}/comments in order to get posts in asc/desc date order
The following public templates have had changes:
  • PAGE_CONTAINER
  • alert_macros
  • alert_post_pre_reg
  • alert_user_pre_reg_failed
  • approval_queue_macros
  • bb_code_tag_quote
  • bookmark_macros
  • connected_account_associated_facebook
  • contact_form
  • core_bbcode.less
  • editor_dialog_media
  • editor_insert_gif
  • forum_filters_type_question
  • forum_view_type_question
  • forum_view_type_suggestion
  • helper_attach_upload
  • member_latest_activity
  • member_macros
  • member_recent_content
  • member_tooltip
  • member_view
  • nestable.less
  • offline.less
  • post_article_macros
  • post_macros
  • post_question_macros
  • push_post_pre_reg
  • push_user_pre_reg_failed
  • search_form_macros
  • search_form_post
  • service_worker_offline
  • thread_view
Maintenance time! XenForo 2.2.2 has hatched, fledged and is ready to fly the nest directly to your community via one-click upgrade.

In addition to the changes listed below, 2.2.2 has some invisible changes to improve performance, stability and compatibility with the newly released PHP 8, which we look forward to supporting fully in future.

All licensed customers may download new XenForo releases, and in order to benefit from the increased stability offered by this new version, we strongly recommend that all sites running earlier versions of XenForo 2.2 upgrade using the one-click system in their admin control panel.

Some of the changes in XF 2.2.2 include:
  • Fix opt-in functionality of the entity changelog behavior
  • Properly sort columns for forum default sort orders
  • Handle heading BB codes without a type option
  • Apply base URL to relative notice display images
  • Do not escape moderator log list entry action texts after stripping tags
  • Catch class load errors when applying session activity details on PHP 7+
  • Throw exceptions correctly in the alert API controller.
  • Ensure that the "no matches" message in article preview forums always spans the full width.
  • When merging posts, force the target post to be visible if it will become the first post of the thread.
  • Disable user mention parsing within custom BB codes that disable auto linking or BB code parsing
  • When setting a default title for avatars, do not override a custom version
  • Use the correct forum type node icon in the sub forum menu/list
  • Fix typo that prevents alerts from being marked as unread if a confirmation message is shown.
  • Ensure the UI properly respects an explicit request to mark an alert as read or unread when a confirmation message is shown.
  • Fix StylePropertyMap entity ParentProperty relation conditional
  • Fix dynamic redirects for alert and conversation read state toggles
  • Correct a few typos in some CLI commands
  • Fix invalid format specifier in error trace argument builder
  • Break the phrase import query into chunks to avoid a MariaDB performance regression.
  • Fix a MySQL 8.0.22 incompatibility with the 1.x to 2.x upgrade code (related to phrase renames).
  • Allow previewing to work when composing entirely in the BB code editor
  • Respect API permission bypass when checking alert viewability
  • Fix some sort callbacks on PHP 8+
  • Fix PHP 8 compatibility in XML utilities
  • When a username change request requires moderator approval, log the IP the request was received from.
  • Remove user profile banners when banning users with the spam cleaner
  • Prevent an error caused by GCM push notification subscriptions.
  • When quoting a post, do not include quote tags if they would be empty
  • Give MySQL an index hint to improve performance of newest thread API requests (with no other filters)
  • Prevent an error in the structured data of questions if the plain text version contains no content
  • Fix issue that prevented the RTE from being programmatically focused
  • Relax validation of URLs in BB code content as users may submit URLs that are missing URL encoding in some scenarios.
  • When a profile banner is applied, ensure that the text stroke applied to the username respects user group-based username CSS modifications.
  • Prevent an error when rendering article previews if the thread's first post is not set correctly
  • Prevent double URL autolinking when an unfurled URL contains a URL within it.
  • Ensure that Facebook embeds are always responsive.
  • Fix permission check when removing tags with the tag changer service
  • Do not grant the change username permission to the unconfirmed user group when upgrading to 2.2 (from 2.1 or earlier). For existing upgrades, remove the permission from this group explicitly. If you wish to allow unconfirmed users to change their usernames, the permission will need to be explicitly re-added after upgrading to 2.2.2.
  • Ensure that the RTE preview tab does not expand unexpectedly if there are no right aligned toolbar icons.
  • Fix typo in overlay click options list.
  • Ensure that BB code blocks (code, quote, and similar) do not appear behind floated images.
  • Prevent an error when fetching a post that contains an embedded video via the API.
  • Prevent invalid characters from being displayed in certain cases when highlighting search results.
  • When clicking "more options", ensure that thread type-related fields don't come from a saved draft
  • Render push templates with the receiver as the visitor
  • Apply a content type to the username change entity.
  • Ensure that banned users do not receive an activity summary email.
  • Fix a situation where the "display children in navigation" option for node-based navigation entries does not work.
  • Apply explanation tooltips more consistently to the account header section.
  • Allow Google Analytics 4 measurement IDs as well as Universal Analytics property IDs.
  • Allow passing through JS options for sticky submit rows
  • Provide an option to use the given user's language when calling \XF::asVisitor()
  • Ensure post ad positions are retained in article template extensions, and exclude them from appearing in article forums with an expanded display
  • Disable auto closing HTML tags in the template modification find and replace inputs.
  • When importing from another XF installation, properly rewrite quotes which are missing a member ID
The following public templates have had changes:
  • PAGE_CONTAINER
  • _help_page_bb_codes
  • account_alert_toggle
  • account_alerts_mark_read
  • attachments.less
  • bb_code.less
  • codemirror.less
  • conversation_mark_unread
  • core.less
  • core_bbcode.less
  • editor.less
  • editor_base.less
  • fa.css
  • font_awesome_setup
  • forum_post_thread
  • member.less
  • member_macros
  • member_tooltip
  • member_tooltip.less
  • member_view
  • message.less
  • node_list.less
  • node_list_forum
  • notice_macros
  • post_article_macros
  • post_macros
  • setup_fa.less
  • thread_type_fields_poll
  • thread_view_type_question
XenForo 2.2.1 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.

Most importantly, this release fixes two potential security vulnerabilities in XenForo.

The issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.

XenForo extends thanks to security researcher Vincent ibn Winnie for reporting the issues.

We recommend doing a full upgrade to resolve the issues, but a patch can be applied manually. See below for further details.

Some of the other changes in XF 2.2.1 include:
  • Fix erroneous phrase in success alert when posting a reply before registering
  • Ensure that service worker offline caching does not trigger session activity updates (or various other assertions)
  • Allow insertTable and xfBbCode commands to be added to custom dropdowns. Prevent paragraphFormat command being added.
  • Empty the mail queue when upgrading to 2.2 due to underlying Swiftmailer changes and catch errors (as well as exceptions) during mail sending to prevent queue items from becoming stuck.
  • Only bail out of toggling the editor preview when the editor is empty if you are not already previewing.
  • Fix displaying emoji phrases when the shortname contains an accented character and fix an issue that prevented emojis with accented shortnames from being converted.
  • Bail out of matching a URL to BB code media sites if the string matches censor words.
  • More consistently apply permission dependencies when passing from global to content-level permissions. Display permission changes due to failed dependencies when analyzing.
  • Expose unread state for conversations and conversation messages
  • Bypass global visibility check when trying to validate usernames for registration
  • Add missing phrases when Gravatar rebuild is run.
  • On the registration form, update the username field's explain text as usernames can be changed now
  • Ensure article preview images aren't underlined when hovered over
  • In the RTE, do not parse for emojis when smilies are disabled. This is consistent with how BB code is normally rendered.
  • Ensure that Attachment::getDirectUrl only returns raw display URLs when the attachment is viewable
  • Remove content voting links from HTML if the visitor cannot use them
  • Apply width: auto to the small logo to ensure it maintains the correct aspect ratio when resized
  • Fix email sharing link
  • Add PHPDocs to noPermission() and notFound() controller methods
The following public templates have had changes:
  • alert_post_pre_reg
  • app_nav.less
  • attachment_macros
  • content_vote_macros
  • message.less
Today, after a refreshingly short beta and release candidate phase, we are excited to announce that XenForo 2.2.0 is now prepared, seasoned, baked and served, replacing XenForo 2.1.11 as our primary supported XenForo version.

This release adds a collection of great new features to XenForo, including the ability to repurpose forums as article repositories, a new way to encourage guest users to register, a progressive web app and a completely redesigned rich text editor. Check out the following list for some highlights:
  • Forum and thread types system
  • Updated rich text editor
  • User profile banners
  • Username change requests
  • Search forums
  • Forum SEO controls
  • Writing before registering support
  • Progressive web app
  • Activity summary emails
  • Style archive import and export
  • REST API additions
  • Profile post attachments
This is not an exhaustive list of what's new in 2.2, and you can read more about the above and other changes and improvements in the Have you seen...? forum.

We have also added preliminary support for the upcoming major release of PHP 8.0.
Today we continue the release candidate stage of XenForo 2.2 with Release Candidate 2. We recommend that all customers running previous 2.2 versions upgrade to this release.

This release is similar to the previous betas, but indicates that we are now a step closer to the stable 2.2.0 release. This is still considered a pre-release version, so we do not recommend running it in production and ticket support for this version is not yet available.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is pre-release software. It is not officially supported.
We do not recommend running it in production.