XenForo 2.3 Released Full Nulled By XnForo.Ir

XenForo 2.3.11 is now available for all XNFORO.IR members to download. We strongly recommend that all members running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

Some of the changes in XF 2.3.11 include:
  • Fix cron job runner being deleted if a cron job itself hits a fatal error
  • Skip moderator log IP capture when no request IP is available, so CLI-triggered moderator actions no longer crash with "Invalid string IP".
  • Make parse_less_color() return null for an empty string instead of #000000, restoring 2.2 behaviour so callers can omit the meta tag when no color is configured.
  • Skip emitting the theme-color meta tag when the style property is empty, so admins can opt out and let the browser use its default.
  • Use viewport-relative coordinates when computing nestable drop position so an item can be dropped before the first element of a list.
  • Set the EHLO local domain from the server hostname when constructing the Symfony SMTP transport so strict mail relays no longer reject messages identifying themselves as [127.0.0.1].
  • Add a non-development xf-rebuild:icon-usage CLI command so administrators can rebuild font-awesome icon usage outside development mode, mirroring the admincp tool.
  • Refactor the missing-config handling on the App into an override point and let the CLI app continue running with a warning when only the legacy config is present, so list, help and the upgrade command remain usable while the site is mid-upgrade.
  • Delete xf_api_login_token, xf_oauth_token, xf_oauth_request and the linked xf_oauth_refresh_token rows during user account deletion so abandoned access tokens and OAuth authorization records do not linger after the user is gone.
  • Recognise additional invalid-mailbox bounce phrases (No such local user, Invalid Recipient, RecipientNotFound and recipient not known) and rewrite the recipient-not-found rule as a regex so spaceless variants are also caught, ensuring these 550 responses are treated as hard bounces.
  • Use the canonical entry URL as the RSS item GUID for thread and featured-content feeds so guids are globally unique permalinks rather than bare numeric IDs that could collide with other feeds.
  • Suppress the third-party cookie consent form in the HTML BB code renderer when the noCookieConsent option is set and enable that option for thread RSS feeds so embedded media renders without the interactive consent UI that has no place in a feed reader.
  • When the user API admin save accepts secondary_group_ids, merge in any groups still listed in xf_user_group_change so moderator promotions, automatic promotions and user upgrade groups are not silently dropped from the rebuilt user group cache by API consumers that round-trip the secondary group list.
  • Batch xf_search prune deletes in chunks of 1000 to avoid Galera writeset size limits
  • Guard the null user when building search data in prepareMessageData()
  • Remove deprecated allowtransparency="false" from Spotify iframe embed
  • Capture the full multi-line selection when opening the Insert Code dialog
  • Fix invalid child-combinator selectors and createElement calls in editor paste normalisation
  • Add public getters to DeleteCleanUpService for code event listeners
  • Gracefully handle VAPID key generation failure when enabling push notifications
  • Fix QuoteClick scroll position using absolute offset instead of viewport-relative
  • Insert editor preview box outside the enclosing form to prevent nested form submission conflict
  • Anchor the aliasable-namespace check in getClassForAlias() to prevent false positives
  • Remove scrollIntoView from FocusTrigger to prevent page jumping when focusing the status textarea
  • Avoid full History relation load for template edit/history pages
  • Fix HScroller.step() missing RTL direction inversion
  • Stop navigator.share() prepending title and text before the URL on Android and iOS
  • Normalise path separators in FileCleanUpRepository for Windows compatibility
  • Preserve inner HTML when stripping sup/sub/ins/del/code elements on paste
  • Fix hour-constrained crons being scheduled at the wrong minute offset
  • Limit alert prune queries to 1000 rows per cron run to avoid unbounded memory use
  • Eager-load PermissionCombination in NewProfilePosts widget to eliminate N+1 permission queries
  • Strip the leading # from cleanedHash so getElementById resolves the target
  • Use ISO year token in weekly stats label
  • Only return a renamed class from getClassForAlias/getAliasForClass when the resolved class exists
  • Ping idle SMTP keep-alive connections before sending to avoid 451 timeout errors
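
The account-deletion item above is worth spelling out, because credential rows that survive a deleted account are live secrets with no owner. The following is an added example, not XenForo's own code: the four table names are the ones in the change log, while the column names, the token_id link from xf_oauth_refresh_token to xf_oauth_token, the sqlite3 schema and the sample rows are assumptions made for the illustration. It shows the lingering case beside the complete deletion and a check you can run against either.

```python
"""Added example, not XenForo's own code: remove a user's API and OAuth credential
rows in the same transaction as the account, so no access token outlives its owner.

The four table names come from the 2.3.11 change log. Every column name, and the
link from xf_oauth_refresh_token to xf_oauth_token through token_id, is an
assumption made for this illustration and is not XenForo's real schema.
"""
import sqlite3

SCHEMA = """
CREATE TABLE xf_user (user_id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE xf_api_login_token (login_token_id INTEGER PRIMARY KEY, user_id INTEGER, token TEXT);
CREATE TABLE xf_oauth_request (request_id INTEGER PRIMARY KEY, user_id INTEGER, client_id TEXT);
CREATE TABLE xf_oauth_token (token_id INTEGER PRIMARY KEY, user_id INTEGER, client_id TEXT, token TEXT);
CREATE TABLE xf_oauth_refresh_token (refresh_token_id INTEGER PRIMARY KEY, token_id INTEGER, token TEXT);
"""

# Constructed sample data: alice (user 1) is the account being deleted, bob (user 2)
# must keep everything. Refresh tokens carry no user_id of their own, so they can
# only be reached through the access token they belong to.
SAMPLE_ROWS = [
    "INSERT INTO xf_user VALUES (1, 'alice'), (2, 'bob')",
    "INSERT INTO xf_api_login_token VALUES (10, 1, 'api-a'), (11, 2, 'api-b')",
    "INSERT INTO xf_oauth_request VALUES (20, 1, 'app-x'), (21, 2, 'app-x')",
    "INSERT INTO xf_oauth_token VALUES (30, 1, 'app-x', 'acc-a'), (31, 2, 'app-x', 'acc-b')",
    "INSERT INTO xf_oauth_refresh_token VALUES (40, 30, 'ref-a'), (41, 31, 'ref-b')",
]

# Tables that reference the user directly. A fixed tuple, never user input, so the
# table name can safely be interpolated into the SQL below.
USER_KEYED_TABLES = ("xf_api_login_token", "xf_oauth_request", "xf_oauth_token")


def make_db() -> sqlite3.Connection:
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt in SAMPLE_ROWS:
        conn.execute(stmt)
    conn.commit()
    return conn


def lingering_credentials(conn: sqlite3.Connection, user_id: int) -> dict:
    """Count credential rows still usable on behalf of user_id; all zero is the goal.

    orphan_refresh_tokens counts refresh tokens whose parent access token is gone,
    which is what a clean-up that forgot the refresh table would leave behind.
    """
    counts = {}
    for table in USER_KEYED_TABLES:
        row = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE user_id = ?", (user_id,)).fetchone()
        counts[table] = row[0]
    row = conn.execute(
        "SELECT COUNT(*) FROM xf_oauth_refresh_token r "
        "JOIN xf_oauth_token t ON t.token_id = r.token_id WHERE t.user_id = ?",
        (user_id,),
    ).fetchone()
    counts["xf_oauth_refresh_token"] = row[0]
    row = conn.execute(
        "SELECT COUNT(*) FROM xf_oauth_refresh_token r "
        "WHERE NOT EXISTS (SELECT 1 FROM xf_oauth_token t WHERE t.token_id = r.token_id)"
    ).fetchone()
    counts["orphan_refresh_tokens"] = row[0]
    return counts


def delete_user_row_only(conn: sqlite3.Connection, user_id: int) -> None:
    """The lingering case the change log describes: the account goes, the tokens stay."""
    with conn:
        conn.execute("DELETE FROM xf_user WHERE user_id = ?", (user_id,))


def delete_user(conn: sqlite3.Connection, user_id: int) -> None:
    """Delete the account and every credential row that could still act on its behalf."""
    with conn:  # one transaction: either everything goes or nothing does
        # Refresh tokens first, while the parent access tokens still exist to join on.
        conn.execute(
            "DELETE FROM xf_oauth_refresh_token WHERE token_id IN "
            "(SELECT token_id FROM xf_oauth_token WHERE user_id = ?)",
            (user_id,),
        )
        for table in USER_KEYED_TABLES:
            conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM xf_user WHERE user_id = ?", (user_id,))
```

The order inside the transaction matters: the refresh-token delete is expressed through the parent access tokens, so it has to run before xf_oauth_token is emptied, otherwise the refresh rows become invisible to the join and survive as orphans. The orphan count in lingering_credentials is the check that catches exactly that mistake.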

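The bounce-phrase item above describes a classifier, so here is one written out. This is an added example, not XenForo's own bounce handling: the four phrases and the spaceless-variant requirement come from the change log, while the hard/soft/rejected categories, the use of enhanced status 5.1.1 (RFC 3463 "bad destination mailbox address") as an extra hard-bounce signal, which goes beyond what the change log says, and the sample replies are assumptions constructed for the illustration.

```python
"""Added example, not XenForo's own code: classify an SMTP reply as a hard or soft
bounce. The invalid-mailbox phrases are the ones listed in the 2.3.11 change log;
the enhanced-status rule (5.1.1, RFC 3463 "bad destination mailbox address"), the
category names and the sample replies are assumptions constructed for this
illustration.
"""
import re

# Phrases the change log names as invalid-mailbox indicators. Each is turned into a
# pattern whose inter-word whitespace is optional, so "RecipientNotFound" and
# "recipientnotknown" match as well as the spaced forms.
INVALID_MAILBOX_PHRASES = (
    "no such local user",
    "invalid recipient",
    "recipient not found",
    "recipient not known",
)


def _phrase_pattern(phrase: str) -> str:
    # "recipient not found" -> r"recipient\s*not\s*found"
    return r"\s*".join(re.escape(word) for word in phrase.split())


INVALID_MAILBOX_RE = re.compile(
    "|".join(_phrase_pattern(p) for p in INVALID_MAILBOX_PHRASES), re.IGNORECASE
)

# Matches "550 5.1.1 ...", a "550-5.1.1 ..." continuation line, or a bare "550 ...".
STATUS_RE = re.compile(r"^(?P<code>[245]\d\d)(?:[ -](?P<enh>\d\.\d{1,3}\.\d{1,3}))?")


def classify_reply(reply: str) -> str:
    """Return 'hard', 'soft', 'rejected' or 'none' for one SMTP reply line.

    hard      permanent failure saying the mailbox does not exist: stop sending
    rejected  other permanent (5xx) failure, e.g. policy or spam: needs a human look
    soft      transient (4xx) failure: retry later
    none      not a failure reply at all
    """
    m = STATUS_RE.match(reply.strip())
    if not m:
        return "none"
    code, enh = m.group("code"), m.group("enh")
    if code.startswith("4"):
        return "soft"
    if code.startswith("5"):
        if enh == "5.1.1" or INVALID_MAILBOX_RE.search(reply):
            return "hard"
        return "rejected"
    return "none"


def classify_bounce_message(body: str) -> str:
    """Scan a whole bounce body line by line and return the strongest verdict found."""
    rank = {"none": 0, "soft": 1, "rejected": 2, "hard": 3}
    best = "none"
    for line in body.splitlines():
        verdict = classify_reply(line)
        if rank[verdict] > rank[best]:
            best = verdict
    return best


# Constructed sample replies (not captured from a real relay) with expected verdicts.
SAMPLE_REPLIES = {
    "550 5.1.1 <nobody@example.net>: No such local user": "hard",
    "550 RecipientNotFound": "hard",
    "550 Invalid Recipient: nobody@example.net": "hard",
    "550-5.1.1 <nobody@example.net>: recipientnotknown": "hard",
    "550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown": "hard",
    "550 5.7.1 Message rejected as spam": "rejected",
    "451 4.7.1 Greylisted, please retry later": "soft",
    "250 2.0.0 OK: queued as 1A2B3C": "none",
}
```

Keeping the phrase list as plain words and deriving the regex from it is what makes the spaceless variants free: the same entry covers "Recipient not found", "RecipientNotFound" and "recipientnotfound" without a second rule per spelling. Treating every other 5xx as "rejected" rather than "hard" keeps a spam-policy refusal from permanently blacklisting an address that does exist.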
The following public templates have had changes:
  • OAUTH_CONTAINER
  • OFFLINE_CONTAINER
  • PAGE_CONTAINER

Current requirements

Please note that XenForo 2.3 has higher system requirements than earlier versions.

The following are minimum requirements:
  • PHP 7.2 or newer (PHP 8.3 recommended)
  • MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
  • All of the official add-ons require XenForo 2.3.
  • Enhanced Search requires at least Elasticsearch 7.2.

XenForo 2.3.10 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.

In addition to the usual bug fixes, XenForo 2.3.10 includes a critical security fix involving a potential stored XSS vector in structured text mentions (mostly legacy profile post content). We'd like to extend thanks to metho for responsibly disclosing the issue.

If you are a XenForo Cloud customer running 2.3.8, the security fix has already been applied and no immediate action is required. XenForo 2.3.10 will be made available to you shortly.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.

The issues addressed by the earlier security patch (239-patch.zip) are as follows:
  • Prevention of a possible stored XSS (cross-site scripting) exploit related to BB code rendering (thank you to Antisocial)
  • Prevention of a possible XSS exploit related to lightbox usage in posts (thank you UwU)
  • Prevention of a possible RCE (remote code execution) exploit via authenticated, but malicious, admin users (thank you UwU)
If you are a XenForo Cloud customer, fixes for these issues have been rolled out automatically, and no further action is required to address them.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.

Upload patch files

  • Download 239-patch.zip
  • Extract the .zip file
  • Upload the contents of the upload directory to the root of your XenForo installation
  • Rebuild master data by logging in to your install URL, or running xf:rebuild-master-data on the command line
If you are a XenForo Cloud customer, your installations have already been patched and no further action is required. You will remain on version 2.3.8 until 2.3.10 is released.

The following public templates have had changes:
  • attachment_macros
  • bb_code_tag_attach
  • lightbox_macros
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
