Most importantly, this release fixes a security vulnerability in XenForo.
The issue is a XSS vulnerability. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access. The vulnerability requires some very specific steps to be taken, involving pasting malicious content into the XenForo rich text editor, which may mean it is difficult to trigger. XenForo extends thanks to @TickTackk for reporting the issue.
While we recommend doing a full upgrade to resolve this issue, you can also patch the issue yourself with the attached file.
To patch your existing installation, please follow these steps:
- Download the patch files which are contained in a file called 2110patch.zip
- Extract the zip file to your computer, which should contain the following files:
- Upload the contents of the upload directory to the root of your XF installation.
- This will overwrite the following files:
For instructions on how to resolve the issue by upgrading, and to see what else has changed in XenForo 2.1.10, please read on.
When we released XenForo 2.0.2 we told you that we wanted to start collecting certain information about your XenForo installation and the server on which it is installed. The data that we collect is your PHP version, MySQL version and your XenForo version. This information helps us make important decisions such as which minimum PHP version we should target for future releases and helps us get a better understanding of how quickly new XF versions are adopted.
In addition to the aforementioned data, we would also like to start getting an understanding of how many add-ons our customers have installed plus the specific add-on IDs of any official XenForo add-ons you have installed.
During this upgrade you will be prompted again whether you would like to provide the usage statistics or not.
This information is, and always will be, entirely anonymous and does not include any personal or private information, but it is a huge help.
Some of the other changes in XF 2.1.10 include:
- Properly support disabling memory limits when calling setMemoryLimit with -1.
- Prevent a race condition related to double clicking when reacting to content.
- Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
- Do not display unsupported media sites in approved site list
- Properly set average tooltips in stats graphs
- Allow the message body '0' in report comments
- Allow searches for '0' in template and phrase titles and contents
- Don't throw an error when trying to view reactions on a conversation message by a deleted user.
- When deleting warning actions, correctly redirect to the warnings list.
- When deleting template modifications, redirect to the correct template modification type list.
- Set a maximum length for content_type field in the spam trigger log entity.
- Allow users to reconfirm their existing email addresses if emails have previously bounced to it.
- Opt not to show a title for HTML widgets if no explicit title is set.
- Avoid throwing a template error for approval queue items with no user relationship.
- Ensure the MySQL replication adapter throws the correct exception on failure and supports the charset option.
- Adjust the display of conversation filter checkboxes.
- Use the correct modifier when building attachment URLs for the editor.
- Ensure full thumbnail URLs are used when rendering the ATTACH BB code, notably for rendering in emails.
- Properly check required PHP, PHP extension, and MySQL versions during add-on installation
- Don't allow double backslashes for PHP callbacks.
- Redirect back to the option group list after deleting an option group.
- Redirect back to the option group when deleting an option.
- Ensure arrays are always returned from title pair methods
- Don't strip HTML tags on post content choosers.
- Correctly check permissions on user report page
- Correctly handle chargebacks for PayPal Funds Now accounts
- Log IP when TFA check is triggered
- Avoid table locking when checking if the error log table is populated
- Correct our auto-timezone data so that UTC+3 returns Europe/Moscow as expected.
- Slightly adjust the explain text for the boardDescription option to clarify it applies to the "Forums default page".
- Ensure we mark all forum descendants read when marking a forum read - not just its children.
- Opt for more desirable defaults when emailing users
- Fix incorrect type hint on App::service method.
- Attempt to convert incoming <code> tags to relevant BB code.
- Extend the color_picker.js infinite loop protection to allow colors to be resolved more than once up to a limit of 3 times each.
- Expand support for our share buttons to include the page image and send that along with the Pinterest share button clicks.
- Make query for finding newest/next posts in a thread more performant.
- Slightly adjust phrase about unique ad position keys to suggest the key may already be in use.
- Ensure "No permission" placeholder buttons correctly wrap text.
- Throw a clearer error if closure compiler returns an unexpected response when minifying JS.
- Load images when rebuilding recent emoji
- Use a consistent function when checking if CAPTCHA should be shown.
- Add title attributes to most of the style property edit fields to make clearer the specific CSS property being adjusted.
- Allow moderators to expire/delete warnings they issued
- Ensure alt text is correctly displayed when hovering over thumbnail attachments.
- Display field name in required custom field error message
- Ensure integer and float values are correctly cast when using searchers.
- Properly normalize page action criteria
- Implement the ability to extend all XF\CustomField\* classes - specifically Set and DefinitionSet.
- Avoid an error if a user has 25 incomplete subscription purchases with Stripe
- Make the appropriate usage of a language's currency_format value clearer.
- Check breadcrumb hrefs against the full request URI (including scheme and host) as well as the partial request URIs to determine when they should be automatically hidden.
- Prevent table overflow on the user change log with wide browser windows.
- Allow manually triggered rebuild jobs to be resumed via the command line.
- Support URLs being used in moderator log action params.
- When creating a new payment profile, only show providers from active add-ons.
- Fix LESS compilation failure when form input padding is blank
- Allow auto focus into tagging/token input elements.
- Make sure that iOS opens reactions on long press (consistent with previous versions and other mobile devices).
- Disable the CodeMirror code editor (with a fallback to a standard textarea) on Android devices due to compatibility issues.
- Make improvements to the moderator list especially when there are large numbers of moderator records.
- When importing users with invalid email addresses, correctly set their user states.
The following public templates have had changes:
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.
Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.
Please note that XenForo 2.1.x has higher system requirements than XenForo 1.x.
The following are minimum requirements:
- PHP 5.6 or newer (PHP 7.4 recommended)
- MySQL 5.5 or newer (also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.1.
- Enhanced Search requires at least Elasticsearch 2.0.
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.
If you are already running XF 2.1 or above we strongly recommend upgrading directly from within your control panel.
Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.