XenForo 2.1.1 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.1 upgrade to this release to benefit from increased stability.
We have also made some improvements to the importer framework. Notably it is now possible to perform a multi-process import in order to make better use of multi-core processors. If you run an import via the CLI and you add the --processes option with a value greater than 1, then multiple PHP processes will be used to perform the import, instead of a single CPU core being used as is the PHP default. Your results may vary, but with the number of processes set to equal the number of physical cores on a sufficiently powerful server, you should notice a significant increase in performance.
You can also run your import command with the new --finalize option which will run the finalize stage automatically after the data import has finished.
While we're talking about importers we should also point out that we are today also releasing XenForo Importers 1.2.0 with a new "Invision Community Forums" importer, XenForo Media Gallery 2.1.1 which reintroduces a number of importers originally included in XFMG 1.x and XenForo Resource Manager 2.1.1 which includes an XFRM to XFRM importer. See below for more information.
If you are upgrading from XenForo 2.1.0, please be aware that there is a new option called "Convert Markdown-style content to BB code" which is now disabled by default. If you would like to use Markdown-style formatting in your messages, you will need to enable this option first.
A number of public templates have had changes in this release; the note after the following list explains how to merge them.
Other changes in XF 2.1.1 include:
- Solve a critical bug which may allow an extreme number of push subscriptions to be inserted. (Thank you @vbresults)
- When pasting tables into the RTE, remove the rowspan/colspan attributes as they aren't supported. For any rows that don't have enough cells, append additional cells to the end (which is what the BB code renderer would do).
- When converting emoji shortcodes, ignore any that are also smilies. This effectively prioritizes smilies over emojis on conflict. Adjust the emoji autocompleter to match this behavior.
- Don't set a default alt when inserting an attachment into the rich text editor. (If no alt is present, when rendered, it will default to the filename.)
- Ensure that auto-completion does not insert an HTML-encoded value when doing a text-based completion.
- Ensure that textareas and code editors do not trim the values received before they are displayed.
- Use the absolute date and time for poll closing when editing a poll to ensure a consistent wording for the sentence structure.
- Add alt attributes to reaction <img> elements.
- Support editor icons in specific FA packs by specifying the icon as "fa(l|r|s|b) fa-icon-name".
- Ensure that we use the push receiver's language when rendering a push notification from a template.
- Send cache-control: no-cache for error images displayed by the image proxy. For successful fetches, set the max-age of the result based on when the next refresh is planned (and if unknown, cache for a day).
- Support Markdown image embedding without any alt text and maintain the alt text from Markdown image embeds.
- For min-max options, add validation to ensure that the max is never less than the min.
- When adding an avatar URL to a registration, only apply the avatar if the user would have permission (once their account is in the valid state).
- Don't set a length when setting up boolean columns in the schema manager as we don't actually output this for integer types.
- Re-enable ctrl/cmd+enter to submit textareas by default.
- Fix an issue where some inline styling (such as colors) before a video can cause text to disappear unexpectedly.
- Prevent LESS compilation errors if removing certain style property elements (namely ones passed into H-scroller variations).
- Disable inline Markdown matches that are known to be smilies. (Note this only applies to exact matches.)
- Prevent URLs from being unfurled in signatures.
- Fix a situation where a URL would be double auto-linked if it started with www and was on its own line.
- Dynamically adjust the RTE z-index so that editor overlays work as expected when the editor is within an overlay itself.
- Prevent an error if there is an orphaned user connected account record (for a user that doesn't exist) if that connected account is then re-associated with another user.
- When counting line limits in signatures, ensure that URLs are not unfurled as this will give an incorrect line count.
- Prevent duplicate key error from push subscription update.
- When listing watched forums, properly display forums that are children of nodes that are not displayed in the node list.
- Provide extra space in the structured list "meta" information (replies and views) cell for longer translations.
- Allow category_view template to have search constraints for "This category".
- Adjust phrase used on Google Analytics Web Property ID option phrase.
- Correctly use the payment profile display title when displaying a list of payment profiles if a display title is defined.
- Re-jig the wording and details of the Stripe payment profile page somewhat in an attempt to make the required steps clearer and ensure the instructions of where to find things are correct.
- Clarify the format of the expected event hint for the editor_dialog event. We coerce the dialog name to be alphanumeric so essentially anything beyond a-z/0-9 is stripped.
- Remove unused bit of code in the GA template.
- Ensure we include the fullUnicode default for new installs in the config.php.default file.
- When testing for push support, check we have access to the Notification API also.
- Use the correct error phrase when a profile post spam decision has been set to denied.
- Add support for the iso6 ftype when detecting whether we have a valid MP4 video.
- Use a standard textbox (of password type) for the SMTP password as we do not require strength checking or hide/show buttons there.
- Ensure that each editor instance starts with an empty set of buttons to remove so that removals only affect the desired editor.
- Sort the locale list when editing a language in an accent insensitive way.
- Display an error if no templates or style properties have been marked for mass reversion.
- Ensure a user cannot be following or ignoring themselves as a result of a merge, and rebuild following caches correctly.
- Automatically suggest a name for the import log table, based on the importer class name and a numeric suffix.
- Adjust positioning of reaction summary on the thread list.
- Update LightGallery to the latest version in order to fix an issue with the slideshow pause button.
- Use correct function name for reaction score ratio criteria.
- Use a slightly more strict regex when detecting shortcodes in order to not necessarily attempt to replace embedded shortcodes, especially those inside URLs.
- Improve behaviour of lists in content when they are used adjacent to floated images.
- When inserting the description received by XF.DescLoader.onLoad run it through XF.setupHtmlInsert to ensure the resulting HTML is activated and any new JS is initialized.
- When validating email addresses when handling email bounces, do so in a non-strict mode and ignore minor errors.
- Exclude disabled reactions from the thread list reaction summaries.
- Adjust usernameLength option so the max value cannot exceed 50 (the hardcoded username limit). Also apply that max value to the register form, rather than the max username limit (50).
- Ensure a permission check happens at the point of running a search.
- Prevent an error when building the backtrace of an error message that has no arguments.
- When deleting a reaction definition, delete all reactions of that type to ensure correct and consistent behavior.
- Add contentType values to the Report/ReportComment entity structure.
- Add a hint which suggests that adding bookmark labels is optional.
- Support passing in a custom perPage value to entityColumnsToJson and tableColumnsToJson methods. Set XF:ErrorLog.request_state to do only 300 per page - this table's records are quite data heavy and have been seen to exhaust memory limits.
- Delay logging when inserting an emoji via the editor menu so that the emojis do not switch position until 1.5 seconds after you stop inserting emojis.
- Change the double-encoded &amp; to simply & in the custom field edit template.
- For consistency with similar option groups, separate the "Enable content tagging" option from the other options on the page.
- Ensure the tagLength option cannot exceed a maximum length of 100.
- Fix next/prev month button color in the date picker and allow date ranges to pull colors from the style properties.
- Apply the body font family to message previews.
- When processing ajax responses, activate HTML elements after executing any inline scripts.
- Allow detection of failed unfurl image loads even when the image proxy is enabled.
- Add new template extension points for member_macros in the XF:action_groupsuter_start and XF:action_groupsuter_end positions.
- Display the enableTrophies option on the user-title-ladder page so that the trophy points option can be kept disabled or re-enabled if trophies are being enabled/disabled.
- Only apply the "Show value" option to member stats if the sort order is numeric (by default, if the sort order is not "username").
- In some option templates, protect against invalid user ID data.
- Fix accidental N+1 query behavior on received reactions page and ensure consistent "all" vs type-specific counts.
- Remove the default values for first_post_reaction_score in the Thread searcher, similar to the reaction_score in the User searcher.
- Improve performance of loading the editor emoji menu on Android devices.
- Remove inconsistent <b> tags from notice edit message explain phrase.
- Add missing fal class in the core_contentrow less.
- Remove commented out menu headers from navigation item menus.
- Always apply the default prefix for a forum on reports sent into a forum.
- Make it easier to add additional menus/buttons to the member tooltip/member view template.
- Trigger class extension hint file to be rebuilt on class extension import.
- When navigating directly to the post-thread page for a forum, attempt to use a predefined title (from the title URL param) if it is available.
- Fix code event description argument list for app_admin_render_page event.
- Add aria-hidden="true" to share icon placeholders.
- In filter lists, do not count rows which we have forced to show - they most likely represent information rather than found results.
- Do not duplicate the data-xf-init attribute on the prefix_input template.
- Use SFS' load balanced API for SFS lookups. (Submissions do not appear to have changed).
- Parse user mentions before MD parsing to avoid issues with user names that have valid MD-style markup.
- Use a sufficient number of backslashes (5!) to appropriately escape the fnMaxLength templater function shortname regex.
- Replace all hard-coded instances of N/A to the n_a phrase.
- Swap order of filters and additional params on the forum_view "Show older items" link.
- Add aria-hidden="true" to icon placeholder in the react HTML.
- Hide links within ispoilers (and make clicking the link not trigger while the spoiler is blurred).
- Prevent an InvalidStateError in some cases with the numberbox input. Also change its support detection and prevent the stepping starting from an unexpected number.
- Allow content_username and content_user_id to be empty/0 by default in the moderator log.
- When navigating to a cached page, use conversation/alert unread counters from the most recent stored data, rather than what may have been included with the cached result.
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.
Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.
Please note that XenForo 2.1.x has higher system requirements than XenForo 1.x.
The following are minimum requirements:
- PHP 5.6 or newer (PHP 7.3 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.1.
- Enhanced Search requires at least Elasticsearch 2.0.
Installation and Upgrade Instructions for XenForo 2.1
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.
Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.
Today, we are pleased to release XenForo 1.5.10. This release fixes several bugs and issues that were found since the release of 1.5.9.
Most importantly, this release includes a fix for a security issue that we found during internal testing. The issue is known as a server-side request forgery (SSRF). This could allow an attacker to use your server to bypass your server's firewall and make internal requests. Depending on the services found, this could lead to privilege escalation or remote code execution.
This is a potentially serious issue and we strongly recommend all customers follow one of the below methods to fix this security issue.
If you are running XenForo 1.4, please see the 1.4.13 announcement for a patch. If you are running XenForo 1.3 or older, you must upgrade to the latest 1.4 or 1.5 release to fix this issue.
If you are running XenForo Media Gallery 1.0, you must also follow the instructions in the XFMG 1.0.10 release announcement to fully patch this issue. If you are running XFMG 1.1.0 to 1.1.4, you must upgrade to a newer XFMG release. XFMG 1.1.5+ will be automatically fixed by following one of the steps below.
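The server-side request forgery described above comes down to the server fetching a URL whose destination is inside the firewall. The following is an added example of the usual destination check, not XenForo's patch or code; the function names and the sample name-to-address table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    """Default resolver: every address the OS resolver returns for host."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def is_public(ip_text):
    """True only for globally routable addresses."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:10.0.0.1 is really 10.0.0.1
        addr = mapped
    return addr.is_global

def check_fetch_target(url, resolver=resolve_all):
    """Vet a user-supplied URL before the server fetches it.

    Returns (ok, reason, addresses); on refusal, addresses lists the offenders.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "no host", []
    try:
        addrs = sorted(resolver(parts.hostname))
    except OSError:
        return False, "resolution failed", []
    if not addrs:
        return False, "resolution failed", []
    # One internal answer is enough to refuse: the HTTP client may pick any of them.
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:
        return False, "resolves to non-public address", blocked
    return True, "ok", addrs

if __name__ == "__main__":
    # Constructed name-to-address table so the demo runs offline.
    fake_dns = {"img.example": {"8.8.8.8"}, "intranet.example": {"10.0.0.5"}}
    for u in ("https://img.example/a.png", "http://intranet.example/admin", "ftp://img.example/x"):
        print(u, check_fetch_target(u, fake_dns.__getitem__))
```

A complete defence also connects to the address that was vetted rather than resolving the name a second time, and repeats the check for every redirect.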
Method 1: Upgrade to the New Version (Recommended)
You may upgrade to XenForo 1.5.10 (or any subsequent version) to fix this issue. You should upgrade as you would to any other release. See further below in this announcement for more details on this release. If you take this approach, you should not apply the patch below.
Method 2: Install the Patch (for 1.5 Users)
Download the patch zip file attached to the end of this message. It contains 4 files:
These 4 files should be uploaded to your server, overwriting the existing files of the same names.
Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.
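Because the patch leaves no outward indication, one way to confirm it was applied is to compare every file in the patch zip with the copy on the server. This is an added example, not a XenForo tool: verify_patch, patch_applied and strip_prefix are hypothetical names, and it assumes the paths inside the zip mirror the XenForo root once any leading folder is stripped.

```python
import hashlib
import sys
import zipfile
from pathlib import Path, PurePosixPath

def sha256_of(data):
    return hashlib.sha256(data).hexdigest()

def verify_patch(zip_path, install_root, strip_prefix=""):
    """Compare each file in the patch zip with the file on disk.

    Returns {relative_path: "match" | "differs" | "missing" | "unsafe-path"}.
    strip_prefix is an assumed leading folder inside the zip, if there is one.
    """
    root = Path(install_root).resolve()
    results = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            rel = PurePosixPath(name)
            # Refuse absolute or parent-escaping entry names instead of following them.
            if rel.is_absolute() or ".." in rel.parts:
                results[name] = "unsafe-path"
                continue
            target = root.joinpath(*rel.parts)
            if not target.is_file():
                results[name] = "missing"
                continue
            same = sha256_of(zf.read(info)) == sha256_of(target.read_bytes())
            results[name] = "match" if same else "differs"
    return results

def patch_applied(results):
    """True only if the zip had files and every one matches the server copy."""
    return bool(results) and all(s == "match" for s in results.values())

if __name__ == "__main__":
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: verify_patch.py PATCH.zip XENFORO_ROOT [STRIP_PREFIX]")
    report = verify_patch(*sys.argv[1:])
    for name, status in sorted(report.items()):
        print(f"{status:12} {name}")
    sys.exit(0 if patch_applied(report) else 1)
```

A match shows only that the files on disk are the ones in the zip; the zip itself should come from the official announcement.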
Other Changes in 1.5.10
Some of the bugs fixed in 1.5.10 include:
- Add several language code/locale options for pages.
- Fix a situation where white space may not be maintained 100% when pasting code/pre-formatted into the rich text editor.
- Add a 1000 user limit to ignoring to prevent potential errors.
- Ensure that poll resetting/deleting is logged correctly.
- Automatically adjust uploaded image extensions to match their type (rather than throwing an error).
- Change NoCaptcha requests to POST to prevent a possible regular expression failure.
- Fix an issue with automatic vendor prefixing in the CSS when using @supports.
- Fix a timezone related issue when displaying stats output.
- Adjust the meta description of member profiles to handle missing components better.
- Prevent an error in the phpBB 3.1 importer relating to timezones.
See the Resolved Bug Reports forum for further information.
The following templates have had changes:
Where necessary, the merge system within the "Outdated Templates" page should be used to integrate these changes.
Please note that we are now formally recommending that you upgrade to PHP 5.4 or newer. Our intention with XenForo 2.0 is to require PHP 5.4 or newer. If you are running PHP 5.3 or 5.2, you will receive a warning when installing or upgrading XenForo.
All customers with active licenses may now download the new version from the customer area.
Download XenForo 1.5.10
From the Licensed Customer Area
This release follows our principle that third-point (x.x.X) releases should always be more stable than the preceding version, so for the most part you will not find new features in this release. Major new features will be reserved for second point versions (x.X.x).
Installation and Upgrade Instructions
Full details for how to install and upgrade XenForo can be found in the XenForo Manual.