Released 2x XenForo 2.3.0 Released Upgrade | XenForo 2.3 ENXF 2.3.3

• Fix select-to-quote handler error on soft-deleted threads
• Ignore port if Redis host appears to be a file path
• Fix a few cases where hashes were concatenated instead of passed to router
• Fix flickering issue with JS icon renderer
• Fix expandable content transition class callback
• Use correct finder when looking up Stripe subscriber IDs
• Do not attempt to set RSS feed language if no language code is set
• Check if job table exists before attempting to sync structure
• Fix issues serializing nestable elements which contain unrelated lists
• Adjust some automatic alert read-marking behaviors
• Adjust offset of focus-visible tab outline
• Re-enable caching for tag edit overlay
• Fix error handling for fetching/creating PayPal products and plans
• Fix determining locale from language code for string manipulation
• Ensure points phrase is used in trending weights.
• Optimize string transliteration performance
• Override some missing phrases for token inputs.
• Reduce trending content widget queries
• Fix embedding Imgur galleries and applying JS states
• Romanize heading anchors
• Do not force romanization for category anchors
• Fix merging reactions with multiple source reactions from deleted users
• Do not cache report overlays
• Fix Tagify filtering out non-exact matches unexpectedly
• Set 1:1 aspect-ratio on connected account provider icons
• Use the editorButtonSelectedBg property for active editor button backgrounds
• Fix DM icon clipping on desktop Safari
• Fix phrase method casing in icon option handler
• Perform client-size image optimization even when no maximum image width/height is set
• Fix checking if Rocket Loader is disabled in the middle of an upgrade
• Throw an error when attempting to recursively load config file
• Fix string style property variations support for properties without assets enabled
• Prevent double logging of moderator changes for threads when editing first post
• Adjust width of inline time inputs
• Check private use TLDs when determining if a host is local
• Fix some issues with appending filter rows
• Use XF.setupHtmlInsert for filter AJAX responses
• Allow passing HTMLElement objects to alerts
• Fix support for alternative icon variants in custom BB codes
• Fix fetching default avatar when templater style is not set
• Address some phrases which reference conversations
• Handle unexpected values in cookie consent cookie

The following public templates have had changes:

• PAGE_CONTAINER
• account_banner
• app_nav.less
• conversation_message_macros
• core_block.less
• core_button.less
• core_input.less
• core_tab.less
• editor_override.less
• helper_js_global
• member_view
• passkeys_macros
• post_macros
• profile_post_macros
• tag_macros
• token_input

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

• Fix select-to-quote handler error on soft-deleted threads
• Ignore port if Redis host appears to be a file path
• Fix a few cases where hashes were concatenated instead of passed to router
• Fix flickering issue with JS icon renderer
• Fix expandable content transition class callback
• Use correct finder when looking up Stripe subscriber IDs
• Do not attempt to set RSS feed language if no language code is set
• Check if job table exists before attempting to sync structure
• Fix issues serializing nestable elements which contain unrelated lists
• Adjust some automatic alert read-marking behaviors
• Adjust offset of focus-visible tab outline
• Re-enable caching for tag edit overlay
• Fix error handling for fetching/creating PayPal products and plans
• Fix determining locale from language code for string manipulation
• Ensure points phrase is used in trending weights.
• Optimize string transliteration performance
• Override some missing phrases for token inputs.
• Reduce trending content widget queries
• Fix embedding Imgur galleries and applying JS states
• Romanize heading anchors
• Do not force romanization for category anchors
• Fix merging reactions with multiple source reactions from deleted users
• Do not cache report overlays
• Fix Tagify filtering out non-exact matches unexpectedly
• Set 1:1 aspect-ratio on connected account provider icons
• Use the editorButtonSelectedBg property for active editor button backgrounds
• Fix DM icon clipping on desktop Safari
• Fix phrase method casing in icon option handler
• Perform client-size image optimization even when no maximum image width/height is set
• Fix checking if Rocket Loader is disabled in the middle of an upgrade
• Throw an error when attempting to recursively load config file
• Fix string style property variations support for properties without assets enabled
• Prevent double logging of moderator changes for threads when editing first post
• Adjust width of inline time inputs
• Check private use TLDs when determining if a host is local
• Fix some issues with appending filter rows
• Use XF.setupHtmlInsert for filter AJAX responses
• Allow passing HTMLElement objects to alerts
• Fix support for alternative icon variants in custom BB codes
• Fix fetching default avatar when templater style is not set
• Address some phrases which reference conversations
• Handle unexpected values in cookie consent cookie

The following public templates have had changes:

• PAGE_CONTAINER
• account_banner
• app_nav.less
• conversation_message_macros
• core_block.less
• core_button.less
• core_input.less
• core_tab.less
• editor_override.less
• helper_js_global
• member_view
• passkeys_macros
• post_macros
• profile_post_macros
• tag_macros
• token_input

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

Security Fix​

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers running XenForo 2.3.0 should upgrade to XenForo 2.3.0 Release Candidate 1, including XenForo Media Gallery 2.3.0 Release Candidate 1 if needed.

If you also have active installs of XenForo 2.2 or XenForo 2.1 you should refer to the earlier thread with details and patch.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

Shortly after the release of Release Candidate 1, we identified an issue related to editing node-like permissions. A very minor bug was surfaced by the changes today. Specifically one of our view class names was using a \ instead of a :

Due to a localised shortage of version numbers (we cannot increment the version to a patch release for release candidates) we have released Release Candidate 2 to address this.

The specific files with changes are:

• src/XF/Admin/Controller/Node.php
• src/XF/Admin/Controller/Permission.php

Finally, the add-ons have some love ❤️ While there is the usual amount of bug fixes as we work hard to make XenForo 2.3 even more stable, this Beta in particular brings a number of new features to our official add-ons.

Today, we continue the, uh, trend of weekly beta releases for XenForo 2.3 with Beta 4. This release fixes a number of bugs found since the previous release, and adds support for trending content which you can read about right here.

In addition to the trending content widget we have also made the following notable changes:

• You can now log in to the admin control panel using your configured passkey.
• Changes to the job queueing system that allows a caller to create jobs with a specified priority.
• Webhook support for user upgrades.
• Separated XF.Cropbox from avatar.js into its own file, crop_box.js.

Today, we continue the beta stage of XenForo 2.3 with Beta 3, albeit a little later than originally planned This release fixes a number of bugs found since the previous release, and adds support for passwordless logins with passkeys which you can read about right here. There are a few known issues with passkeys at this point, particularly with hardware-based keys, so please check the bug reports forum if you run into anything.

We strongly recommend anyone testing 2.3 during this beta period upgrade as each beta version is released.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is beta software. It is not officially supported.
We do not recommend running it in production.