Released 2x XenForo 2.2.15 Released Upgrade | XenForo 2.2 ENXF 2.2.15

XenForo 2.2.5 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.

This release changes the default CAPTCHA method from reCAPTCHA to hCaptcha. If you were using the default CAPTCHA settings, you will automatically be switched over to hCaptcha. If you provided your own reCAPTCHA keys or chose a different CAPTCHA method, your existing CAPTCHA settings will be retained. If you are unable to upgrade to this release, you may need to change CAPTCHA settings to avoid disruption.

Some of the changes in XF 2.2.5 include:

• Bail out of Less color parsing if we already have a valid-CSS color.
• Adjust Request::isHostLocal to only return true for loopback addresses (and add a further explanation about its intended usage).
• Ensure that HTML is not shown in node bookmark descriptions.
• Improve checks that control whether a user's "about" section is shown.
• Do not require a custom statement descriptor when setting up Stripe, unless we can't derive a valid descriptor automatically.
• Ensure that clicking "open link" in the RTE always opens the link in a new tab.
• If a custom privacy policy or terms URL is selected but not provided, ensure that they are never shown as accessible help pages.
• In the RTE, maintain single leading spaces on new lines (particularly for code blocks).
• Fix faded out text display in article previews in RTL languages.
• Ensure that all pending rebuilds are triggered before asking about statistic collection when upgrading via the CLI.
• Allow embedded attachments with a height resize only to maintain the correct aspect ratio.
• Prevent a JS error related to app badge updates if the input value isn't the expected type.
• Ensure that user ignore caches are rebuilt correctly when merging users.
• Change the thread type selector to reduce the amount of wasted space on mobile and flip to a horizontally scrollable system when needed.
• Support additional phrase modifiers in option format parameters.
• When encountering a SMTP server error while sending email, attempt to establish a fresh connection before sending any further messages.
• Prevent an error when deleting a user if they have voted for content that relates to a disabled add-on.
• Use an alternative reCaptcha URL to ensure better availability.
• Check the correct scope when marking alerts as read via the API.
• Improve accessibility of radio and checkbox rows using ARIA roles.
• When editing custom field values, ensure that labels are associated with the related input for accessibility purposes.
• Ensure that inputs are associated with their labels whenever possible to improve accessibility of certain forms.
• Fix performance regression with emoji conversion and skip emoji conversion code entirely if using natively-styled emoji.
• Only skip spam cleaning via the approval queue if the user was spam cleaned recently.
• Do not cache the edit tags overlay to workaround an issue with tags duplicating in the tags editor.
• Add missing phrase for 'x_weeks' and fix issue with time based phrases not displaying the correct count.
• Limit the width of embedded Facebook content to be consistent with other embeds.
• Reduce peak memory usage when executing certain template/phrase rebuild jobs.
• Correctly handle errors when inlining CSS into emails with PHP 8.

The following public templates have had changes:

• account_privacy
• attachment_macros
• bookmark_item_node
• captcha_recaptcha
• color_picker_macros
• core.less
• core_datalist.less
• core_filter.less
• core_formrow.less
• core_input.less
• core_menu.less
• custom_fields_macros
• date_input
• forum_post_thread
• helper_js_global
• helper_user_dob_edit
• inline_mod_actions
• input_extended.less
• member_about
• notice_enable_push
• poll_macros
• post_article_macros
• post_macros
• prefix_macros
• rating_macros
• search_form_post
• setup.less
• tag_macros
• two_step_backup

Some of the changes in XF 2.2.4 include:

• Ensure multi-quote system does not overwrite unintended parts of the attachment upload request.
• Allow the "must login or register to reply" button to wrap if needed.
• Prevent an error from being sporadically triggered when cleaning up the filesystem cache.
• Prevent an error when checking if a conversation can be started with a user who is unexpectedly missing part of their profile data.
• Ensure that "click to expand" links are treated as buttons and are keyboard-navigation accessible.
• When logging in via an API generated token, allow the existing logged in user to be replaced (if logged in as a different user) with the new user if force=1 appended to the URL.
• When an account that does not have a password set is requesting a new password, ensure some amount of rate limiting is imposed to avoid repeat requests.
• Add support for using $context inside widget display condition field.
• Properly maintain the full table markup when selectively quoting only part of a table.
• Fix search result highlighting issues with certain non-ASCII characters.
• Prevent double conversion of CSS rules to BB code equivalents in some situations.
• When viewing the registerd members list, ensure unviewable member stat categories are filtered out from the sidebar.
• Ensure toggle:hidden event is triggered correctly when hiding toggle elements.
• Clean up news feed records belonging to posts when their thread is hard deleted.
• If a thread as multiple sort options, ensure the additional links are marked as nofollow
• Mark go-to links in quotes as nofollow
• When viewing the latest activity of an ignored member, show a link to view ignored content
• Prevent HTML errors outputting from Xdebug in some cases.
• When searching within a specific forum, ensure child forums are included in all cases.
• Adjust Auth::actionPost API documentation to recommend the login/password parameters should be passed into the request body to go along with a general recommendation in our development documentation that this should generally be done for all non-GET requests.
• When a pre-registration action is triggered, only show the welcome message if this is newly registered user.
• Correctly pass state of $forceCaptcha to contact_form template
• Disable a table quick insert button that sometimes appears in the rich text editor.
• Update phpdoc on entityColumnsToJson method to indicate the correct return type.
• If the unregistered group has the view permission revoked ensure that failed CAPTCHAs can successfully be reloaded in the event of an error.
• Fix an issue preventing installs from the command line when using PHP 8
• Avoid unexpected layout shifts when embedded images/attachments have known dimensions.
• Throw a required input missing error if the avatar file is not included in the request. PHPdoc updated to reflect the requirement in the online API docs.
• Ensure user rejection reasons can't exceed the 200 character limit
• Update PhpBb3 authentication handler to support verifying passwords using native PHP methods where possible.
• Render phrases presented as $value to XML createDomElement()
• Don't merge identical sibling URL and EMAIL bbcode tags
• For consistent behavior across PHP versions, explicitly trigger a notice if an array is passed in to XF::escapeString
• When inserting multiple attachments, allow the "thumbnail" button to insert audio/video attachments which do not support thumbnails.
• Maintain the single thread search constraint when returning to the advanced search form.
• Ensure that about and signature are not censored before rendering as BB code.
• In question and suggestion forums, ensure that all tab constraints are maintained in the filtering menu.
• Save undo points in the RTE when triggering certain actions such as quoting a message.
• Prevent an error on some browsers when inserting a video through the rich text editor.
• When importing users, if the primary user_group_id also appears in the secondary_group_ids field then remove it.
• Create a new POST post/{id}/mark-solution endpoint, to toggle/switch the solution post. Returns old_solution_post and new_solution_post to allow switching behaviours.
• Adjust universal lightbox option explanation
• Properly escape some phrases in HTML attributes
• Fix group sorting of field cache data
• Add a note about step dependencies to the import step chooser
• Don't throw an error when trying to add an admin on PHP 8
• Check permissions before displaying add-on control links
• Display option values when editing the current email transport method
• Trigger events when toggling the display of disabler containers
• Adjust new thread and search forum widget expanded display explanation
• When autolinking post content do not autolink if we match www. followed by an additional dot.
• When installing XF via the command line if the confirm password doesn't match the original password then go back to the original password prompt.
• Allow 'sort' to be passed to profile-posts/{id}/comments in order to get posts in asc/desc date order

The following public templates have had changes:

• PAGE_CONTAINER
• alert_macros
• alert_post_pre_reg
• alert_user_pre_reg_failed
• approval_queue_macros
• bb_code_tag_quote
• bookmark_macros
• connected_account_associated_facebook
• contact_form
• core_bbcode.less
• editor_dialog_media
• editor_insert_gif
• forum_filters_type_question
• forum_view_type_question
• forum_view_type_suggestion
• helper_attach_upload
• member_latest_activity
• member_macros
• member_recent_content
• member_tooltip
• member_view
• nestable.less
• offline.less
• post_article_macros
• post_macros
• post_question_macros
• push_post_pre_reg
• push_user_pre_reg_failed
• search_form_macros
• search_form_post
• service_worker_offline
• thread_view

Maintenance time! XenForo 2.2.2 has hatched, fledged and is ready to fly the nest directly to your community via one-click upgrade.

In addition to the changes listed below, 2.2.2 has some invisible changes to improve performance, stability and compatibility with the newly released PHP 8, which we look forward to supporting fully in future.

All licensed customers may download new XenForo releases, and in order to to benefit from increased stability offered by this new version, we strongly recommend that all sites running running earlier versions of XenForo 2.2 upgrade using the one-click system in their admin control panel.

Some of the changes in XF 2.2.2 include:

• Fix opt-in functionality of the entity changelog behavior
• Properly sort columns for forum default sort orders
• Handle heading BB codes without a type option
• Apply base URL to relative notice display images
• Do not escape moderator log list entry action texts after stripping tags
• Catch class load errors when applying session activity details on PHP 7+
• Throw exceptions correctly in the alert API controller.
• Ensure that the "no matches" message in article preview forums always spans the full width.
• When merging posts, force the target post to be visible if it will become the first post of the thread.
• Disable user mention parsing within custom BB codes that disable auto linking or BB code parsing
• When setting a default title for avatars, do not override a custom version
• Use the correct forum type node icon in the sub forum menu/list
• Fix typo that prevents alerts from being marked as unread if a confirmation message is shown.
• Ensure the UI properly respects an explicit request to mark an alert as read or unread when a confirmation message is shown.
• Fix StylePropertyMap entity ParentProperty relation conditional
• Fix dynamic redirects for alert and conversation read state toggles
• Correct a few typos in some CLI commands
• Fix invalid format specifier in error trace argument builder
• Break the phrase import query into chunks to avoid a MariaDB performance regression.
• Fix a MySQL 8.0.22 incompatibility with the 1.x to 2.x upgrade code (related to phrase renames).
• Allow previewing to work when composing entirely in the BB code editor
• Respect API permission bypass when checking alert viewability
• Fix some sort callbacks on PHP 8+
• Fix PHP 8 compatibility in XML utilities
• When a username change request requires moderator approval, log the IP the request was received from.
• Remove user profile banners when banning users with the spam cleaner
• Prevent an error caused by GCM push notification subscriptions.
• When quoting a post, do not include quote tags if they would be empty
• Give MySQL an index hint to improve performance of newest thread API requests (with no other filters)
• Prevent an error in the structured data of questions if the plain text version contains no content
• Fix issue that prevented the RTE from being programmatically focused
• Relax validation of URLs in BB code content as users may submit URLs that are missing URL encoding in some scenarios.
• When a profile banner is applied, ensure that the text stroke applied to the username respects user group-based username CSS modifications.
• Prevent an error when rendering article previews if the thread's first post is not set correctly
• Prevent double URL autolinking when an unfurled URL contains a URL within it.
• Ensure that Facebook embeds are always responsive.
• Fix permission check when removing tags with the tag changer service
• Do not grant the change username permission to the unconfirmed user group when upgrading to 2.2 (from 2.1 or earlier). For existing upgrades, remove the permission from this group explicitly. If you wish to allow unconfirmed users to change their usernames, the permission will need to be explicitly re-added after upgrading to 2.2.2.
• Ensure that the RTE preview tab does not expand unexpectedly if there are no right aligned toolbar icons.
• Fix typo in overlay click options list.
• Ensure that BB code blocks (code, quote, and similar) do not appear behind floated images.
• Prevent an error when fetching a post that contains an embedded video via the API.
• Prevent invalid characters from being displayed in certain cases when highlighting search results.
• When clicking "more options", ensure that thread type-related fields don't come from a saved draft
• Render push templates with the receiver as the visitor
• Apply a content type to the username change entity.
• Ensure that banned users do not receive an activity summary email.
• Fix a situation where the "display children in navigation" option for node-based navigation entries does not work.
• Apply explanation tooltips more consistently to the account header section.
• Allow Google Analytics 4 measurement IDs as well as Universal Analytics property IDs.
• Allow passing through JS options for sticky submit rows
• Provide an option to use the given user's language when calling \XF::asVisitor()
• Ensure post ad positions are retained in article template extensions, and exclude them from appearing in article forums with an expanded display
• Disable auto closing HTML tags in the template modification find and replace inputs.
• When importing from another XF installation, properly rewrite quotes which are missing a member ID

The following public templates have had changes:

• PAGE_CONTAINER
• _help_page_bb_codes
• account_alert_toggle
• account_alerts_mark_read
• attachments.less
• bb_code.less
• codemirror.less
• conversation_mark_unread
• core.less
• core_bbcode.less
• editor.less
• editor_base.less
• fa.css
• font_awesome_setup
• forum_post_thread
• member.less
• member_macros
• member_tooltip
• member_tooltip.less
• member_view
• message.less
• node_list.less
• node_list_forum
• notice_macros
• post_article_macros
• post_macros
• setup_fa.less
• thread_type_fields_poll
• thread_view_type_question

XenForo 2.2.1 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.

Most importantly, this release fixes two potential security vulnerabilities in XenForo.

The issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.

XenForo extends thanks to security researcher Vincent ibn Winnie for reporting the issues.

We recommend doing a full upgrade to resolve the issues, but a patch can be applied manually. See below for further details.

Some of the other changes in XF 2.2.1 include:

• Fix erroneous phrase in success alert when posting a reply before registering
• Ensure that service worker offline caching does not trigger session activity updates (or various other assertions)
• Allow insertTable and xfBbCode commands to be added to custom dropdowns. Prevent paragraphFormat command being added.
• Empty the mail queue when upgrading to 2.2 due to underlying Swiftmailer changes and catch errors (as well as exceptions) during mail sending to prevent queue items from becoming stuck.
• Only bail out of toggling the editor preview when the editor is empty if you are not already previewing.
• Fix displaying emoji phrases when the shortname contains an accented character and fix issue with accented shortname emojis from being converted.
• Bail out of matching a URL to BB code media sites if the string matches censor words.
• More consistently apply permission dependencies when passing from global to content-level permissions. Display permission changes due to failed dependencies when analyzing.
• Expose unread state for conversations and conversation messages
• Bypass global visibility check when trying to validate usernames for registration
• Add missing phrases when Gravatar rebuild is run.
• On the registration form, update the username field's explain text as usernames can be changed now
• Ensure article preview images aren't underlined when hovered over
• In the RTE, do not parse for emojis when smilies are disabled. This is consistent with how BB code is normally rendered.
• Ensure that Attachment::getDirectUrl only returns raw display URLs when the attachment is viewable
• Remove content voting links from HTML if the visitor cannot use them
• Apply width: auto to the small logo to ensure it maintains the correct aspect ratio when resized
• Fix email sharing link
• Add PHPDocs to noPermission() and notFound() controller methods

The following public templates have had changes:

• alert_post_pre_reg
• app_nav.less
• attachment_macros
• content_vote_macros
• message.less

Today, after a refreshingly short beta and release candidate phase, we are excited to announce that XenForo 2.2.0 is now prepared, seasoned, baked and served, replacing XenForo 2.1.11 as our primary supported XenForo version.

This release adds a collection of great new features to XenForo, including the ability to repurpose forums as article repositories, a new way to encourage guest users to register, a progressive web app and a completely redesigned rich text editor. Check out the following list for some highlights:

• Forum and thread types system
• Updated rich text editor
• User profile banners
• Username change requests
• Search forums
• Forum SEO controls
• Writing before registering support
• Progressive web app
• Activity summary emails
• Style archive import and export
• REST API additions
• Profile post attachments

This is not an exhaustive list of what's new in 2.2, and you can read more about the above and other new changes/improvements features in the Have you seen...? forum.

We have also added preliminary support for the upcoming major release of PHP 8.0.

Today we continue the release candidate stage of XenForo 2.2 with Release Candidate 2. We recommend that all customers running previous 2.2 versions upgrade to this release.

This release is similar to the previous betas, but indicates that we are now a step closer to the stable 2.2.0 release. This is still considered a pre-release version, so we do not recommend running it in production and ticket support for this version is not yet available.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is pre-release software. It is not officially supported.
We do not recommend running it in production.

Today we're happy to announce the next step towards a stable and supported release of XenForo 2.2 by moving onto the "release candidate" stage. We recommend that all customers running previous 2.2 versions upgrade to this release.

This release is similar to the previous betas, but indicates that we are now a step closer to the stable 2.2.0 release. This is still considered a pre-release version, so we do not recommend running it in production and ticket support for this version is not yet available.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is pre-release software. It is not officially supported.
We do not recommend running it in production.

Please remember that this is pre-release software. It contains known bugs and incomplete functionality. We do not recommend running pre-release software in a production environment, and support is limited at this time to questions here on the community forums.

Add-ons and custom styles may be broken after upgrading to 2.2. You must test your add-ons thoroughly or look for updates. Be especially careful with add-ons that cover similar features to ones that are added to 2.2; these may conflict with the core XenForo data. If data conflicts are found, they will need to be resolved in a new add-on release or by removing the add-on before upgrading to 2.2.

If you choose to run pre-release software, it is your responsibility to ensure that you make a backup of your data. We recommend you do this before attempting an upgrade. If in doubt, always do a test upgrade on a copy of your production data.

After last week's Wednesday-which-was-sort-of-Tuesday-a-bit release, we are back on our regular Tuesday release cycle with 2.2.0 Beta 6. We are hopeful that this may be our final beta release before we move to a Release Candidate stage.

We strongly recommend anyone testing 2.2 during this beta period upgrade as each beta version is released.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This past Monday was a bank holiday in the UK, so as far as the working week goes, today is Tuesday, which means it's time for Beta 5. This release fixes a number of bugs found since the previous release.

We strongly recommend anyone testing 2.2 during this beta period upgrade as each beta version is released.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is beta software. It is not officially supported.
We do not recommend running it in production.

Today, we continue the beta stage of XenForo 2.2 with Beta 4. This release fixes a number of bugs found since the previous release.

We strongly recommend anyone testing 2.2 during this beta period upgrade as each beta version is released.

More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.

This is beta software. It is not officially supported.
We do not recommend running it in production.