Released 2x XenForo 2.3.0 Released Full | XenForo 2.3 ENXF 2.3.10

XenForo 2.3.10 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

In addition to the usual bug fixes, XenForo 2.3.10 includes a critical security fix involving a potential stored XSS vector in structured text mentions (mostly legacy profile post content). We'd like to extend thanks to metho for responsibly disclosing the issue.

If you are a XenForo Cloud customer running 2.3.8, the security fix has already been applied and no immediate action is required. XenForo 2.3.10 will be made available to you shortly.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.

fix error https://enxf.cc/threads/xenforo-2-3-0-released-full-xenforo-2-3-enxf.18369/post-87275

Today we are releasing XenForo 2.3.9 FULL to address some potential security vulnerabilities that were recently reported to us. This version only includes security fixes and any bug fixes we previously said would make it to 2.3.9 have now been delayed until 2.3.10.

• Prevention of a possible stored XSS (cross-site scripting) exploit related to BB code rendering (thank you to Antisocial)
• Prevention of a possible XSS exploit related to lightbox usage in posts (thank you UwU)
• Prevention of a possible RCE (remote code execution) exploit via authenticated, but malicious, admin users (thank you UwU)

fix error
https://enxf.cc/threads/xenforo-2-3-0-released-upgrade-xenforo-2-3-enxf.18768/post-86797

XenForo 2.3.8 is now available for all Nulled customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

XenForo 2.3.8 also includes a number of smaller new features and improvements which you can read about here:

Some of the changes in XF 2.3.8 include:

• Fix a potential denial of service bug related to pre-registration actions flooding. Thank you @vbresults!
• Fix an issue where EXIF orientation would be set when already adjusted client-side
• Fix some issues with entity type hinting
• Allow underscore word boundaries in read-only method names
• Fix empty user authorized applications list container
• Ensure language state is always restored in between generating activity summary emails
• Fix filter JS query parameter concatenation
• Allow passkey creation on local hosts
• Fix cleanUpInvalidRecords type hint
• Always coerce parse_less_color template function to hex for non-variable values
• Fix duplicate result-set hydration queries
• Return an error early when search keyword lengths are too long
• Use strict type checks when processing search input
• Only search and display posts on the profile postings tab
• Use post content filter and thread type sub-filter for member thread search
• Avoid converting SVGs to rasterised images
• Skip void method return in XF\Cli\Command\AbstractCommand::initialize
• Ensure invalid page numbers are handled correctly when viewing the watched threads list
• Add handling for null status message values when resuming jobs
• Ensure passkeys are deleted when the associated user is deleted
• Fix missing support for some webhook actions
• Add missing defaultname to xf:avatar and xf:username tags in the report_view template
• Support HTML for the summary_of_what_you_missed_recently phrase in the activity_summary email template
• Fix DKIM signing preventing List-Unsubscribe headers from being added to emails
• Require re-authentication before allowing passkey additions or modifications
• Support rebuilding unfurls when rebuilding metadata for supported content types
• Fix not being able to setup TOTP on Firefox via QR code if privacy.resistFingerprinting is enabled
• Add missing template annotation to EmbedResolver/AbstractHandler
• Update docblock hint on \XF\Repository\UserAlertRepository::fastDeleteAlertsForContent to include array of ints
• Improve add-on manager performance when coercing add-on IDs with a significant number installed
• When checking the replication status of a read server, make sure the query is properly sent to the read connection
• Support the "listitemclass" attribute when rendering checkboxes
• Try to preserve post ordering when there's an unexpected time sync issue
• Include a cache buster on direct attachment URLs
• Fix issue preventing "Handle report" button on an assigned report not revealing the save button
• Skip deleting style variation preference cookie on logout
• Throw an error if trying to rebuild search index with an invalid type
• Cache user online counts in the same request to reduce query usage
• Ensure _cascadeSave is cleared out when Entity::_saveCleanUp is called
• Guard against Request::getIp not returning a valid IP in some cases.
• Do not resolve attachment cover images for guests with no attachment permissions
• Pass criteria object to criteria_template_data event listeners
• Skip non-existent attachments when deleting from the control panel
• Set up search entity after searches have been executed
• Add JSDoc to XF.createElement
• Fix some issues with the quote plugin
• Correct some lingering links to twitter.com
• Hide additional contact heading from control panel user edit page when there are no contact user fields
• Remove pattern attribute from number inputs
• Fix DKIM signing in XF 2.3
• Fix missing trailing slash when linking to cookies explainer from privacy policy
• Workaround issue where Sign in with Apple might not return an email (#1199)
• Validate signature counter when using a passkey (#1198)
• Throw a clearer error when the current host and board URL do not match when creating or authenticating with passkeys (#1200)
• Log users in to the public forum when authenticating with passkeys via the admin panel (#1201)
• Inhibit sending push notifications to permanently removed Chrome subscriptions
• Ensure failed passkey logins count towards failed login attempts limit (#1207)
• Process Gmail inactive inbox bounce messages as a hard bounce (#1208)
• Make it easier to override PayPalRest plan parameters (#1209)
• Set tfa_trust cookie when logging in with a passkey (#1210)
• Create Finder directory if one does not exist when generating finder classes (#1211)
• Update PHPDoc for asVisitor function to better infer return types
• Reduce notification enqueuing delay when submitting posts
• Refactor delete clean up process to ensure rename and delete happens in one process
• Skip caching local URLs when using the image proxy
• Workaround potential race condition when saving bookmark labels
• Support using passkeys in place of password confirmations
• Support passing extra spam check data in the user registration service
• Add base webhook criteria classes
• Support accessing notification data in Notifier classes
• Add additional array functions to the templater
• Strip HTML tags when using the description as a title for an import from an RSS feed (#1214)
• Move XF\BbCodeRenderer\Html::getValidUrl functionality to a utility function (#1215)
• Throw an error if attempting to run an import step that does not exist (#1216)
• Include random string with DKIM selector (#1217)
• Check for case-mismatches when creating add-ons (#1218)
• Fix TypeError when non-array JSON input is submitted (#1223)
• Don't block image upload if EXIF processing fails (#1224)
• Fix issue where XF.phrase function was not able to handle repeated replacements
• Fix display of signatures set to falsey values
• Fix pagination scrolling behaviour for reactions received page
• Fix quick reply scroll-to-post behaviour
• Fix inverted logic in canResize method check
• Made add-on archive validator more robust by eliminating double extraction and adding proper JSON validation
• Finder::getCollectionFromResults doesn't check hydrateFromGrouped's return result is not null
• Ensure option values are cast to their proper data types when retrieved
• Incorrect operator precedence in template expressions
• Release builder fails with symlinked add-on directories
• Email bounce parser now handles multi-digit status codes (#1240)
• API routes generate invalid development output
• Improve delivery efficiency of CSS when using a cache
• Avoid unnecessary write of original avatar when only crop changes
• Reserve some memory for error reporting
• Pull protocol and host from board URL in CLI contexts
• Add support for AbstractCollection when using the Templater's array_* functions (#2182)
• Refactor lightbox sidebar toggle handling and ensure proper initialization

The following public templates have had changes:

• _help_page_privacy_policy
• account_reactions
• account_visitor_menu
• attachment_macros
• bb_code_tag_attach
• core.less
• core_action_bar.less
• embed_resolver_thread
• helper_attach_upload
• lightbox.less
• login_password_confirm
• member_about
• member_macros
• member_recent_content
• member_tooltip.less
• message.less
• message_macros
• news_feed_attached_images
• passkeys_macros
• report_view
• setup.less
• share_page_macros
• tag_macros
• tag_search
• two_step_totp

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Current requirements​

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.3 recommended)
• MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.3.
• Enhanced Search requires at least Elasticsearch 7.2.

Installation and upgrade instructions​

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.

reupload fix error api and hash file

Some of the changes in XF 2.3.7 include:

• Escape select input option labels
• Improve supported EXIF data when client-side image resizing is enabled
• Allow fetching forum prefixes even without node permissions
• Normalize entity manager repository cache keys
• Fix IPv6 binary to string expansion
• Fix appearance of member tooltip on recent Safari versions
• Use text structured data field for DiscussionForumPosting content
• Require confirmation for linking connected accounts
• Suppress logging of normal connected account exceptions
• Clear site cache data when logging out
• Move XF.SolutionEditClick into action.js to resolve dependency issues
• Fix carousel margin on RTL languages
• Expand global email template parameters
• Adjust wording of account approval phrases
• Improve typing of repository find methods
• Fix issue with missing verbosity when casting collections to webhook results.
• Avoid logging errors when IndexNow is having intermittent issues
• Delete related user alerts when a trophy is deleted
• Add support for viewing and revoking a user's authorised applications from the admin panel
• Handle nulls and empty-evaluated strings properly
• Detect Google Inspection Tool crawler
• No longer create user fields by default during install.
• Fix manual video thumbnail generation on iOS
• Remove legacy Imagick GIF optimization technique
• Display search suggestions properly when results contain guest content
• Fix lift ban link on ban edit page
• Render all activity summary display values in the user language
• Set default Accept-Language header in outgoing HTTP requests
• Allow overriding avatar usernames when a user is specified
• Fix generated entity type hints for JSON columns

• Fix select-to-quote handler error on soft-deleted threads
• Ignore port if Redis host appears to be a file path
• Fix a few cases where hashes were concatenated instead of passed to router
• Fix flickering issue with JS icon renderer
• Fix expandable content transition class callback
• Use correct finder when looking up Stripe subscriber IDs
• Do not attempt to set RSS feed language if no language code is set
• Check if job table exists before attempting to sync structure
• Fix issues serializing nestable elements which contain unrelated lists
• Adjust some automatic alert read-marking behaviors
• Adjust offset of focus-visible tab outline
• Re-enable caching for tag edit overlay
• Fix error handling for fetching/creating PayPal products and plans
• Fix determining locale from language code for string manipulation
• Ensure points phrase is used in trending weights.
• Optimize string transliteration performance
• Override some missing phrases for token inputs.
• Reduce trending content widget queries
• Fix embedding Imgur galleries and applying JS states
• Romanize heading anchors
• Do not force romanization for category anchors
• Fix merging reactions with multiple source reactions from deleted users
• Do not cache report overlays
• Fix Tagify filtering out non-exact matches unexpectedly
• Set 1:1 aspect-ratio on connected account provider icons
• Use the editorButtonSelectedBg property for active editor button backgrounds
• Fix DM icon clipping on desktop Safari
• Fix phrase method casing in icon option handler
• Perform client-size image optimization even when no maximum image width/height is set
• Fix checking if Rocket Loader is disabled in the middle of an upgrade
• Throw an error when attempting to recursively load config file
• Fix string style property variations support for properties without assets enabled
• Prevent double logging of moderator changes for threads when editing first post
• Adjust width of inline time inputs
• Check private use TLDs when determining if a host is local
• Fix some issues with appending filter rows
• Use XF.setupHtmlInsert for filter AJAX responses
• Allow passing HTMLElement objects to alerts
• Fix support for alternative icon variants in custom BB codes
• Fix fetching default avatar when templater style is not set
• Address some phrases which reference conversations
• Handle unexpected values in cookie consent cookie

The following public templates have had changes:

• PAGE_CONTAINER
• account_banner
• app_nav.less
• conversation_message_macros
• core_block.less
• core_button.less
• core_input.less
• core_tab.less
• editor_override.less
• helper_js_global
• member_view
• passkeys_macros
• post_macros
• profile_post_macros
• tag_macros
• token_input

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

Security Fix​

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.

If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

Shortly after the release of Release Candidate 1, we identified an issue related to editing node-like permissions. A very minor bug was surfaced by the changes today. Specifically one of our view class names was using a \ instead of a :

Due to a localised shortage of version numbers (we cannot increment the version to a patch release for release candidates) we have released Release Candidate 2 to address this.

The specific files with changes are:

• src/XF/Admin/Controller/Node.php
• src/XF/Admin/Controller/Permission.php

As we get ever closer to the fabled "release candidate" stage and the eventual stable release, today we are releasing the eighth beta for XenForo 2.3! Nothing particularly noteworthy this week other than a number of bug fixes.

We strongly recommend anyone testing 2.3 during this beta period upgrade as each beta version is released.