XenForo 2.1.10 is now available for all licensed customers to download. We recommend that all customers running earlier versions of XenForo 2.1 upgrade to this release to benefit from increased stability.
Most importantly, this release fixes a security vulnerability in XenForo.
The issue is an XSS vulnerability. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access. The vulnerability requires some very specific steps to be taken, involving pasting malicious content into the XenForo rich text editor, which may mean it's difficult to trigger. XenForo extends thanks to @TickTackk for reporting the issue.
While we recommend doing a full upgrade to resolve this issue, you can also patch the issue yourself with the attached file.
To patch your existing installation, please follow these steps:
- Download the patch files which are contained in a file called 2110patch.zip
- Extract the zip file to your computer, which should contain the following files:
- Upload the contents of the upload directory to the root of your XF installation.
- This will overwrite the following files:
Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report these three files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
For instructions on how to resolve the issue by upgrading, and to see what else has changed in XenForo 2.1.10, please read on.
When we released XenForo 2.0.2 we told you that we wanted to start collecting certain information about your XenForo installation and the server on which it's installed. The data that we collect is your PHP version, MySQL version and your XenForo version. This information helps us make important decisions such as which minimum PHP version we should target for future releases and helps us get a better understanding of how quickly new XF versions are adopted.
In addition to the aforementioned data, we would also like to start getting an understanding of how many add-ons our customers have installed plus the specific add-on IDs of any official XenForo add-ons you have installed.
During this upgrade you will be prompted again whether or not you wish to provide the usage statistics.
This information is, and always will be, entirely anonymous and doesn't include any personal or private information, but it's a huge help.
Some of the other changes in XF 2.1.10 include:
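The manual patch steps above amount to copying the extracted `upload` directory over the XF root. The script below is an added example, not XenForo's own tooling: it applies such an extracted patch while keeping a backup copy of every file it overwrites, so the three replaced files can be restored if needed. All paths (extract location, XF root, backup directory) are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example (not part of the XenForo release or its tooling).
# Applies the "upload" directory from an extracted 2110patch.zip to an
# XF installation, backing up each file that is overwritten.
set -eu

# apply_xf_patch EXTRACTED_DIR XF_ROOT BACKUP_DIR
#   EXTRACTED_DIR : where 2110patch.zip was unzipped (must contain upload/)
#   XF_ROOT       : root of the XenForo installation
#   BACKUP_DIR    : receives a copy of every file that gets replaced,
#                   under the same relative path, so the patch can be reverted
# Returns 1 if there is no upload/ directory (wrong archive or wrong path).
apply_xf_patch() {
    src="$1/upload"; root="$2"; bak="$3"
    [ -d "$src" ] || { echo "no upload/ directory under $1" >&2; return 1; }
    find "$src" -type f | while read -r f; do
        rel="${f#"$src"/}"                 # path relative to upload/
        if [ -f "$root/$rel" ]; then
            # existing file: keep a copy before replacing it
            mkdir -p "$bak/$(dirname "$rel")"
            cp -p "$root/$rel" "$bak/$rel"
            echo "overwriting $rel (backup in $bak)"
        else
            echo "adding $rel"
        fi
        mkdir -p "$root/$(dirname "$rel")"
        cp -p "$f" "$root/$rel"
    done
}

# Usage with assumed paths (hypothetical, adjust to your server):
#   unzip -q 2110patch.zip -d /tmp/2110patch
#   apply_xf_patch /tmp/2110patch /var/www/xenforo /var/backups/xf-pre-2110patch
```

After applying, the "File health check" will list the replaced files as "Unexpected contents" exactly as the note above describes; restoring from BACKUP_DIR reverts them.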
- Properly support disabling memory limits when calling setMemoryLimit with -1.
- Prevent a race condition related to double clicking when reacting to content.
- Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
- Do not display unsupported media sites in approved site list
- Properly set average tooltips in stats graphs
- Allow the message body ‘0’ in report comments
- Allow searches for ‘0’ in template and phrase titles and contents
- Don’t throw an error when trying to view reactions on a conversation message by a deleted user.
- When deleting warning actions, correctly redirect to the warnings list.
- When deleting template modifications, redirect to the correct template modification type list.
- Set a maximum length for content_type field in the spam trigger log entity.
- Allow users to reconfirm their existing email addresses if emails have previously bounced to it.
- Opt not to show a title for HTML widgets if no explicit title is set.
- Avoid throwing a template error for approval queue items with no user relationship.
- Ensure the MySQL replication adapter throws the correct exception on failure and supports the charset option.
- Adjust the display of conversation filter checkboxes.
- Use the correct modifier when building attachment URLs for the editor.
- Ensure full thumbnail URLs are used when rendering the ATTACH BB code, notably for rendering in emails.
- Properly check required PHP, PHP extension, and MySQL versions during add-on installation
- Don’t allow double backslashes for PHP callbacks.
- Redirect back to the option group list after deleting an option group.
- Redirect back to the option group when deleting an option.
- Ensure arrays are always returned from title pair methods
- Don’t strip HTML tags on post content choosers.
- Correctly check permissions on user report page
- Correctly handle chargebacks for PayPal Funds Now accounts
- Log IP when TFA check is triggered
- Avoid table locking when checking if the error log table is populated
- Correct our auto-timezone data so that UTC+3 returns Europe/Moscow as expected.
- Slightly adjust the explain text for the boardDescription option to clarify it applies to the “Forums default page”.
- Ensure we mark all forum descendants read when marking a forum read – not just its children.
- Opt for more desirable defaults when emailing users
- Fix incorrect type hint on App::service method.
- Attempt to convert incoming <code> tags to relevant BB code.
- Extend the color_picker.js infinite loop protection to allow colors to be resolved more than once up to a limit of 3 times each.
- Expand support for our share buttons to include the page image and send that along with the Pinterest share button clicks.
- Make query for finding newest/next posts in a thread more performant.
- Slightly adjust phrase about unique ad position keys to suggest the key may already be in use.
- Ensure “No permission” placeholder buttons correctly wrap text.
- Throw a clearer error if closure compiler returns an unexpected response when minifying JS.
- Load images when rebuilding recent emoji
- Use a consistent function when checking if CAPTCHA should be shown.
- Add title attributes to most of the style property edit fields to make clearer the specific CSS property being adjusted.
- Allow moderators to expire/delete warnings they issued
- Ensure alt text is correctly displayed when hovering over thumbnail attachments.
- Display field name in required custom field error message
- Ensure integer and float values are correctly casted when using searchers.
- Properly normalize page action criteria
- Implement the ability to extend all XF\CustomField\* classes – specifically Set and DefinitionSet.
- Avoid an error if a user has 25 incomplete subscription purchases with Stripe
- Make the appropriate usage of a language’s currency_format value more clear.
- Check breadcrumb hrefs against the full request URI (including scheme and host) as well as the partial request URIs to determine when they should be automatically hidden.
- Prevent table overflow on the user change log with wide browser windows.
- Allow manually triggered rebuild jobs to be resumed via the command line.
- Support URLs being used in moderator log action params.
- When creating a new payment profile, only show providers from active add-ons.
- Fix LESS compilation failure when form input padding is blank
- Allow auto focus into tagging/token input elements.
- Make sure that iOS opens reactions on long press (consistent with previous versions and other mobile devices).
- Disable the CodeMirror code editor (with a fallback to a typical textarea) on Android devices due to compatibility issues.
- Make improvements to the moderator list especially when there are large numbers of moderator records.
- When importing users with invalid email addresses, correctly set their user states.
The following public templates have had changes:
- app_body.less
- core_datalist.less
- core_input.less
- core_menu.less
- core_overlay.less
- editor.less
- editor_base.less
- lightbox.less
- payment_initiate.less
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.
Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.
Please note that XenForo 2.1.x has higher system requirements than XenForo 1.x.
The following are minimum requirements:
- PHP 5.6 or newer (PHP 7.4 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.1.
- Enhanced Search requires at least Elasticsearch 2.0.
Installation and Upgrade Instructions for XenForo 2.1
Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.