XenForo 2.3.11 is now available for all XNFORO.IR members to download. We strongly recommend that all members running previous versions of XenForo 2.3 upgrade to this release to benefit from increased stability.
Some of the changes in XF 2.3.11 include:
- Fix cron job runner being deleted if a cron job itself hits a fatal error
- Skip moderator log IP capture when no request IP is available, so CLI-triggered moderator actions no longer crash with Invalid string IP.
- Make parse_less_color() return null for an empty string instead of #000000, restoring 2.2 behaviour so callers can omit the meta tag when no color is configured.
- Skip emitting the theme-color meta tag when the style property is empty, so admins can opt out and let the browser use its default.
- Use viewport-relative coordinates when computing nestable drop position so an item can be dropped before the first element of a list.
- Set the EHLO local domain from the server hostname when constructing the Symfony SMTP transport so strict mail relays no longer reject messages identifying themselves as [127.0.0.1].
- Add a non-development xf-rebuild:icon-usage CLI command so administrators can rebuild font-awesome icon usage outside development mode, mirroring the admincp tool.
- Refactor the missing-config handling on the App into an override point and let the CLI app continue running with a warning when only the legacy config is present, so list, help and the upgrade command remain usable while the site is mid-upgrade.
- Delete xf_api_login_token, xf_oauth_token, xf_oauth_request and the linked xf_oauth_refresh_token rows during user account deletion so abandoned access tokens and OAuth authorization records do not linger after the user is gone.
- Recognise additional invalid-mailbox bounce phrases (No such local user, Invalid Recipient, RecipientNotFound and recipient not known) and rewrite the recipient-not-found rule as a regex so spaceless variants are also caught, ensuring these 550 responses are treated as hard bounces.
- Use the canonical entry URL as the RSS item GUID for thread and featured-content feeds so guids are globally unique permalinks rather than bare numeric IDs that could collide with other feeds.
- Suppress the third-party cookie consent form in the HTML BB code renderer when the noCookieConsent option is set and enable that option for thread RSS feeds so embedded media renders without the interactive consent UI that has no place in a feed reader.
- When the user API admin save accepts secondary_group_ids, merge in any groups still listed in xf_user_group_change so moderator promotions, automatic promotions and user upgrade groups are not silently dropped from the rebuilt user group cache by API consumers that round-trip the secondary group list.
- Batch xf_search prune deletes in chunks of 1000 to avoid Galera writeset size limits
- Guard the null user when building search data in prepareMessageData()
- Remove deprecated allowtransparency="false" from Spotify iframe embed
- Capture the full multi-line selection when opening the Insert Code dialog
- Fix invalid child-combinator selectors and createElement calls in editor paste normalisation
- Add public getters to DeleteCleanUpService for code event listeners
- Gracefully handle VAPID key generation failure when enabling push notifications
- Fix QuoteClick scroll position using absolute offset instead of viewport-relative
- Insert editor preview box outside the enclosing form to prevent nested form submission conflict
- Anchor the aliasable-namespace check in getClassForAlias() to prevent false positives
- Remove scrollIntoView from FocusTrigger to prevent page jumping when focusing the status textarea
- Avoid full History relation load for template edit/history pages
- Fix HScroller.step() missing RTL direction inversion
- Stop navigator.share() prepending title and text before the URL on Android and iOS
- Normalise path separators in FileCleanUpRepository for Windows compatibility
- Preserve inner HTML when stripping sup/sub/ins/del/code elements on paste
- Fix hour-constrained crons being scheduled at the wrong minute offset
- Limit alert prune queries to 1000 rows per cron run to avoid unbounded memory use
- Eager-load PermissionCombination in NewProfilePosts widget to eliminate N+1 permission queries
- Strip the leading # from cleanedHash so getElementById resolves the target
- Use ISO year token in weekly stats label
- Only return a renamed class from getClassForAlias/getAliasForClass when the resolved class exists
- Ping idle SMTP keep-alive connections before sending to avoid 451 timeout errors
The following public templates have had changes:
- OAUTH_CONTAINER
- OFFLINE_CONTAINER
- PAGE_CONTAINER
Current requirements
Please note that XenForo 2.3 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.2 or newer (PHP 8.3 recommended)
- MySQL 5.7 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.3.
- Enhanced Search requires at least Elasticsearch 7.2.
Some of the changes in XF 2.3.10 include:
- Ensure "View Older Results" link appears on last page of search results
- Ensure "No such recipient" bounce responses are classified as hard bounces
- Ensure "Account Closed" bounce responses are classified as hard bounces
- Ensure "Recipient not found" bounce responses are classified as hard bounces
- Ensure "mailbox is disabled" bounce responses are classified as hard bounces
- Ensure "not configured to receive" bounce responses are classified as hard bounces
- Prevent inet_pton() ValueError when IP address contains null bytes
- Use original Email object for error logging after DKIM signing to prevent undefined method error
- Skip array values during custom field multiselect validation to prevent Array to string conversion warning
- Normalize discouragement delay min/max values to prevent mt_rand() ValueError
- Suppress dns_get_record() warning during DKIM verification to prevent job crash on DNS failure
- Prevent alerts from being sent to banned users
- Correct OAuth2 token revocation to properly invalidate both access and refresh tokens
- Respect direction parameter for multi-column sort ordering in Finder
- Re-enable passkey button when WebAuthn registration or authentication is aborted
- Add missing bookmark_id index to xf_bookmark_label_use table
- Prevent accumulating whitespace in GenerateFinders CLI command on repeated runs
- Avoid exception-based flow control in getFinder for entity class resolution
- Set explicit working directory for sub-processes to prevent failure when CWD is inaccessible
- Prevent type error when custom field type changes with preserved values
- Include purchasable ID in Stripe product and plan ID generation
- does not round-trip after editing a post
- Implement ContainableInterface and DatableInterface on various child content entities
- Create template when generating a route with xf-make:route.
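The 2.3.11 bounce-handling item (extra invalid-mailbox phrases and a regex that also catches spaceless variants) and the 2.3.10 items that classify "No such recipient", "Account Closed", "Recipient not found", "mailbox is disabled" and "not configured to receive" as hard bounces describe the same technique. The following is an added example, not XenForo's own bounce handler; the function name, the three-way result and the sample SMTP replies are constructed for illustration. It treats a permanent 5xx reply carrying one of those phrases as a hard bounce, any 4xx reply as a soft bounce, and anything else as unknown, using `\s*` between words so `RecipientNotFound` matches the same rule as `Recipient not found`.

```php
<?php
declare(strict_types=1);

// Added example (not XenForo code): classify SMTP bounce replies so that
// invalid-mailbox responses are treated as hard bounces, including variants
// with the spaces removed (e.g. "RecipientNotFound").

// Phrases indicating the recipient mailbox does not exist. \s* between words
// lets a single rule cover both spaced and spaceless spellings.
const INVALID_MAILBOX_PATTERNS = [
    'no\s*such\s*(?:local\s*)?(?:user|recipient)',
    'invalid\s*recipient',
    'recipient\s*not\s*(?:found|known)',
    'account\s*closed',
    'mailbox\s*is\s*disabled',
    'not\s*configured\s*to\s*receive',
];

/**
 * Returns 'hard', 'soft' or 'unknown' for a raw SMTP reply line.
 * 'hard' requires a permanent (5xx) code AND a recognised mailbox phrase;
 * a 5xx reply without such a phrase (e.g. a relay policy rejection) is left
 * as 'unknown' so it is not mistaken for a dead address.
 */
function classifyBounce(string $reply): string
{
    $reply = trim($reply);

    if (preg_match('/^4\d\d\b/', $reply)) {
        return 'soft';          // transient failure, retry later
    }
    if (!preg_match('/^5\d\d\b/', $reply)) {
        return 'unknown';       // no usable status code
    }

    $regex = '/(?:' . implode('|', INVALID_MAILBOX_PATTERNS) . ')/i';
    return preg_match($regex, $reply) === 1 ? 'hard' : 'unknown';
}

// Constructed sample replies (not captured from any real mail server).
$samples = [
    '550 5.1.1 <user@example.com>: RecipientNotFound',
    '550 No such local user',
    '550 5.2.1 This mailbox is disabled',
    '450 4.2.1 Mailbox temporarily unavailable, try again later',
    '550 5.7.1 Relaying denied',
];

foreach ($samples as $reply) {
    printf("%-60s => %s\n", $reply, classifyBounce($reply));
}
// Expected: hard, hard, hard, soft, unknown
```

Anchoring the status code at the start of the reply keeps a phrase that happens to appear in a 4xx message from being promoted to a hard bounce, which is the failure mode that leaves deliverable addresses permanently suppressed.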
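The 2.3.10 item "Prevent inet_pton() ValueError when IP address contains null bytes" is an input-validation point worth seeing in code: on PHP 8, `inet_pton()` throws a `ValueError` for a string containing `"\0"`, so an attacker-influenced IP string (a forwarded header value, a log field) can turn into an uncaught exception instead of a rejected value. The following is an added example, not XenForo's own IP handling; the `ipToBinary` helper and its sample inputs are constructed. It rejects null bytes and syntactically invalid addresses before the conversion, and stays compatible with the PHP 7.2 minimum listed above by using `strpos` rather than `str_contains`.

```php
<?php
declare(strict_types=1);

// Added example (not XenForo code): convert a textual IPv4/IPv6 address to its
// packed binary form without letting malformed input raise a ValueError.

/**
 * Returns the packed address (4 or 16 bytes) or null if the input is not a
 * clean IP string. Works on PHP 7.2+ (no str_contains).
 */
function ipToBinary(string $ip): ?string
{
    // PHP >= 8.0 throws ValueError from inet_pton() when a NUL byte is present;
    // older versions emit a warning and return false. Reject it up front.
    if (strpos($ip, "\0") !== false) {
        return null;
    }

    // Syntactic check for IPv4 or IPv6 before touching inet_pton().
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    $packed = inet_pton($ip);
    return $packed === false ? null : $packed;
}

// Constructed sample inputs, including a NUL-byte payload and junk text.
$inputs = [
    '192.0.2.10',
    '2001:db8::1',
    "192.0.2.10\0evil",
    'not-an-ip',
    '',
];

foreach ($inputs as $in) {
    $bin = ipToBinary($in);
    printf("%-24s => %s\n",
        addcslashes($in, "\0..\37"),
        $bin === null ? 'rejected' : strlen($bin) . ' bytes');
}
// Expected: 4 bytes, 16 bytes, rejected, rejected, rejected
```

Returning null rather than throwing keeps a moderator-log or request-IP path from failing the whole request on garbage input; callers that need to know why can log the rejected value separately.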
Today, XenForo has released XenForo 2.3.9, a critical security update designed to address several recently reported potential security vulnerabilities. This release focuses exclusively on security fixes. Any bug fixes that were previously expected to be included in version 2.3.9 have now been officially postponed and will be delivered with XenForo 2.3.10.
XenForo 2.3.9 is now available for download to all licensed customers. To ensure optimal security, improved stability, and protection against known exploits, we strongly recommend that all customers running earlier versions of XenForo 2.3 upgrade to XenForo 2.3.9 as soon as possible.
Security Issues Addressed in XenForo 2.3.9
The following vulnerabilities have been identified and resolved in this release:
- Prevention of a possible stored XSS (Cross-Site Scripting) exploit related to BB code rendering (Thanks to Antisocial)
- Prevention of a possible XSS exploit related to lightbox usage within posts (Thanks to UwU)
- Prevention of a possible RCE (Remote Code Execution) exploit via authenticated but malicious administrator accounts (Thanks to UwU)
These vulnerabilities could pose a significant security risk if exploited, making XenForo 2.3.9 an essential security update for all self-hosted XenForo installations.