Firstly, to clarify some concerns that have arisen:
1. If you did a normal upgrade (either uploading files or via your admin control panel) you do not need to manually edit any files to receive the security fixes.
2. If you upgraded to the initial 2.2.16 release, you are fully protected against the security issues that were being addressed.
Secondly, a second patch is being released to address some minor bug fixes that may not have been correctly applied when upgrading to XenForo 2.2.16. This is only applicable if you performed a normal upgrade to 2.2.16, and this patch is not security related or affected by the security fixes.
You can download that now from your customer area or perform a one-click upgrade through your admin control panel. You can go to Tools > Check for upgrades in order to see the second patch release.
If you are running XenForo Cloud, the fixes have been applied automatically.
The patches above have been modified and include two additional files:
- src/XF/Admin/Controller/Node.php
- src/XF/Admin/Controller/Permission.php
You should re-apply the patch if you are unable to upgrade.
Hot on the heels of yesterday's XF 2.2.14 release and subsequent patches, we are today making XenForo 2.2.15 available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability, particularly if you already upgraded to XenForo 2.2.14.
As of this point, XenForo 2.2.14 and its patches are no longer available for download. We are still planning a final XF 2.2 release at some point around the release of XenForo 2.3!
One-click upgrade to XenForo 2.2.15
Directly from your admin control panel
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.
Some of the changes in XF 2.2.15 include:
- Avoid setting duplicate List-Unsubscribe headers.
- Include first post QA schema items unconditionally.
- Make outdated PHP version notice in admin control panel clearer.
- Retain the original unsubscribeEmailAddress option for backwards compatibility.
- New unsubscribeEmailHandling option to replace the new unsubscribeEmail option and conclusively fix issues arising from yesterday's XF 2.2.14 release.
- Fix URL unfurls no longer unfurling.
As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.
Current requirements
Please note that XenForo 2.2 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.0 or newer (PHP 8.2 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.2.
- Enhanced Search requires at least Elasticsearch 2.0.
Installation and upgrade instructions
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.
XenForo 2.2.13 Released
XenForo 2.2.13 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
In addition to the fixes listed below, we have a few other aces up our sleeves this time around.
Full iOS PWA compatibility with push notification support
iOS 16.4 finally introduced push notifications for iOS devices. To facilitate this, your members need to install your site as a PWA (by utilising the Add to Home Screen feature in Safari). XenForo 2.2.13 now satisfies all of the prerequisites for this to support push notifications which can be enabled by your members once they log in through the PWA and enable push notifications in their Preferences.
The PWA (progressive web app) has now been enhanced with additional gesture based or UI controls, including pull down to refresh and a floating back button.
Structured data metadata improvements
With many thanks to Ryan Levering from Google we have made a number of improvements to structured data metadata. Structured data enriches the pages we output with additional information which enables Google and other search engines to better understand the structure of the information that is rendered. This helps Google provide rich search results and helps provide additional context to users who may find your content during their Google searches.
Support for OAuth authentication for Microsoft 365 business email accounts
Microsoft has deprecated the ability to send emails over SMTP using traditional username/password authentication. This is similar to what Google did a while ago. In light of this we have now added an additional option when setting up either your email transport or automated mail handlers (automated unsubscribe/bounce handling) which will enable you to authenticate with OAuth.
Note: The set up for this is fairly complex, requiring you to set up an Azure Active Directory application within the Azure developer portal. There is a link to the documentation when setting this up.
New CAPTCHA provider: Cloudflare Turnstile
In September, Cloudflare Turnstile was announced. You may have noticed that we quickly implemented this into the software and it has been running here now for a little while.
While on the surface this may seem like "just another CAPTCHA" option, we feel that Cloudflare has gotten a lot of things right in its approach to this product that are missing from many other providers, including HCaptcha and Google reCAPTCHA. It's a much better experience for your users, respects your users' privacy and, with XF 2.2.12, also provides more granular logging in the Cloudflare dashboard so you can see analytics about where in the software a CAPTCHA is being used.
We encourage you to read more about Cloudflare Turnstile on their blog and consider signing your site up, for free, right here or if you are an existing Cloudflare user, get started in your Cloudflare dashboard.
Advanced cookie consent system
Starting with XF 2.2.12 you will be able to enable a new "Advanced" cookie consent system. This enables your users to have much more granular control over the specific cookies that are set, the purpose of each cookie and prevents certain cookies from being set at all until explicit consent is given.
As ever, this system is also extendable by add-on developers so that cookies set by an add-on can be appropriately categorised and also require consent before certain functionality is available.
This is not enabled by default and should currently be considered a Beta feature. If you wish to enable it, you can do so by searching for the cookieConsent option in your Admin control panel and setting the option to "Advanced". If you have feedback or further suggestions, please post a new thread in the XenForo suggestions forum, or if you notice any issues, please post a new thread in the Bug reports forum.
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically. For self-hosted customers, read on...
Today, we are releasing XenForo 2.2.11 to address a potential security vulnerability. We recommend that all customers running XenForo 2.2 upgrade to 2.2.11 or use the attached patch file as soon as possible.
The issue relates to HTML attribute injection which can be triggered when rendering editor content, such as when a post is edited or quoted.
XenForo extends thanks to @PaulB, the team at @NamePros and @Xon for reporting the issues.
We recommend doing a full upgrade to resolve the issues, but a patch can be applied manually. See below for further details.
Note: There are no other changes in this release and any work previously done towards XenForo 2.2.11 - including a new CAPTCHA option by Cloudflare Turnstile and various bug fixes and improvements - will be released alongside XenForo 2.2.12 in the coming weeks.
Applying a patch manually
If you are using XenForo 2.2.0 - 2.2.5
Download the 220-225patch.zip file attached to this message. It will contain the following file:
- src/XF/BbCode/Renderer/EditorHtml.php
- src/XF/BbCode/Renderer/Html.php
If you are using XenForo 2.2.6 or above
Download the 2211patch.zip file attached to this message. It will contain the following file:
- src/XF/BbCode/Renderer/EditorHtml.php
Extract the zip file to your computer and upload the contents to the root of your XenForo installation. This should overwrite the files on your server with the new version.
Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report this file as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
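The manual patch procedure above, as an added example (not XenForo's own tooling). It assumes the zip entries are paths relative to the install root, as the file lists above suggest; `apply_patch`, `demo` and the directory names are hypothetical. It refuses entries that would land outside the install, backs up each file before overwriting it, and returns the SHA-256 of every patched file so later "Unexpected contents" findings can be matched to the patch.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path


def apply_patch(patch_zip, xf_root, backup_dir):
    """Overlay patch_zip onto xf_root; return {relative path: sha256 on disk}."""
    root = Path(xf_root).resolve()
    backup = Path(backup_dir)
    applied = {}
    with zipfile.ZipFile(patch_zip) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        # Validate every entry before touching the install.
        for m in members:
            target = (root / m.filename).resolve()
            if root not in target.parents:
                raise ValueError(f"entry escapes install root: {m.filename}")
            if not target.is_file():
                # A patch replaces shipped files; a missing target usually
                # means the wrong directory or the wrong patch for this version.
                raise FileNotFoundError(f"not in this install: {m.filename}")
        for m in members:
            target = root / m.filename
            saved = backup / m.filename
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(target, saved)  # keep the pre-patch copy for rollback
            data = zf.read(m)
            target.write_bytes(data)
            on_disk = hashlib.sha256(target.read_bytes()).hexdigest()
            if on_disk != hashlib.sha256(data).hexdigest():
                raise IOError(f"verification failed: {m.filename}")
            applied[m.filename] = on_disk
    return applied


def demo():
    """Run against a constructed install and a constructed patch zip."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        rel = "src/XF/BbCode/Renderer/EditorHtml.php"
        old = tmp / "xf" / rel
        old.parent.mkdir(parents=True)
        old.write_text("<?php // constructed pre-patch file\n")
        patch = tmp / "patch.zip"
        with zipfile.ZipFile(patch, "w") as zf:
            zf.writestr(rel, "<?php // constructed patched file\n")
        applied = apply_patch(patch, tmp / "xf", tmp / "backup")
        return applied, old.read_text(), (tmp / "backup" / rel).read_text()


if __name__ == "__main__":
    print(demo()[0])
```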
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area or upgrade from your Admin control panel (Tools > Check for upgrades...).
One-click upgrade to XenForo 2.2.11
Directly from your admin control panel
Installation and upgrade instructions
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.
Cloud customers have received this patch automatically and do not require an upgrade.
XenForo 2.2.10 Patch 1 Released
Shortly after we released XenForo 2.2.10 we became aware of a number of minor issues that may have affected a number of customers.
Therefore, today, we have released XenForo 2.2.10 Patch 1 to rectify these issues.
You may now upgrade from your admin control panel or grab the new version from the customer area.
XenForo Cloud customers who are running XF 2.2.10 will remain on XF 2.2.10 but the fixes have already been applied automatically.
XenForo 2.2.9 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
In addition to the usual bug fixes and improvements, we've continued to improve compatibility with PHP 8.1 and added support for self-hosted licenses to more easily sign outgoing emails with DKIM as per this recent suggestion by @digitalpoint.
One-click upgrade to XenForo 2.2.9
Directly from your admin control panel
If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.
Some of the changes in XF 2.2.9 include:
- Fix fatal error when viewing debug page on PHP 8.1
- Revert previous change so that actioning conversation message report still relies on the 'warn' permission.
- Reset file hash when pruning proxied images
- Correctly remove duplicated relations when fetching the user entity within the Member controller
- Ensure there's a breadcrumb to return to the help pages list when modifying a help page
- When a suggested answer only contains an attachment, make sure the suggested schema text isn't blank
- Update various phrases to point to the new location of Google's Developer Console
- Fix an error that could occur when navigating search results after performing an exact match search for users but not providing a value for the username or email
- When registering with a connected provider, correctly redirect to the specified return URL
- When writing before registering but then logging in with an existing account, redirect to the newly created content
- When sending a push notification about a post being merged, avoid rendering the prefix as HTML
- Correctly mark the use_tfa field as a boolean value in the API documentation
- Patch Froala to work around an issue which prevents "recently used" smilies from being stored as expected.
- Include $template in $params sent to email container templates
- Work around a potential issue when upgrading from older versions due to new code in newer versions.
- Improve accessibility of inline spoilers.
- Fix Vimeo time-based links and support unlisted videos via the key portion of the URL.
- Append content link and title to report closure alerts.
- Work around an undefined array key error that may happen during upgrade
- Do not display view count for directly viewed attachments (video and audio).
- When opening a page in an overlay that contains share buttons, override the page URL to the URL of the overlay loaded.
- Update Asia/Novosibirsk timezone to UTC+7
- Adjust job-related type hints to int|float.
- Log payment callbacks that come from an unknown source
- Document where scrolling notices are located
- Implement __isset() in the Finder class
- Make it easier to load additional relations with the search forum user cache
- Improve cross-table data consistency when threads are created
- Allow feed reader entries without a title to fallback to the description, and vice-versa
- Pass referrer through poll creation form
- Default to the first option value for read-only select inputs
- Improve PHP 8.1 compatibility when logging payment callbacks
- Fix null query parameter handling on the debug page
- Correct the IRR currency precision
- Include a content setter for report entities
- Fix attributes on the registration defaults option not referring to unique inputs
- Don't re-save avatars if the crop positioning hasn't changed
- Redirect to page 1 if a non-number value is passed to the "Go to page" form
- List the events a Stripe webhook endpoint should listen for
- Improve PHP 8.1 compatibility within the Register controller
- Work around an upstream issue in WinCache
- Always throw an exception when a file fails to copy to an abstracted file path
- Attempt to determine first proxyable favicon when fetching page metadata
- Canonicalize proxied thread cover image URLs
- Prevent search engines from attempting to index thread preview URLs
- Throw an exception when add-on requirement errors or warnings are not arrays
- Update watch notifier getDefaultWatchNotifyData method visibility to match parent class
- Fix route normalization in policy acceptance bypass check
- Improve PHP 8.1 compatibility in template trim tag/function
- Add response documentation to the POST posts/ API route
- Adjust maximum width of board title in control panel header
- Normalize root breadcrumb URL before checking if it matches the current page
- Make unfurl usage analysis more robust
- Improve PHP 8.1 compatibility within template filters
- When logging a failed email exception, include the from email in the exception message
- Add embed support for public Spotify playlists
- Make the default cookie same-site behavior configurable
- Always allow top-level categories which are not displayed in the node list to be accessed at their dedicated URL
- Fix article preview text fade not applying to articles without a cover image
- Strip AJAX query params from password confirmation redirects
- Avoid decreasing user message count twice when moving a thread in/out of a forum that does not count messages
- Improve PHP 8.1 compatibility within the API docs generator
- Fix potential stale recompilation of grouped phrases
- Include some missing entries in the hashes file
- Ensure zlib output compression is disabled to prevent interference with XF output compression
- Hide the article forum snippet length option when using the preview display style
- Correct the description for the user_content_change_init code event description
- Reword the "this_accounts_email_is_already_associated_with_another_member" phrase
- Add option to disable appending a CAPTCHA provider's privacy policy to the site's privacy policy
- Only send certain moderator action alerts when the content is or was visible to the author
- Improve PHP 8.1 compatibility within the unsharp image mask algorithm
- Improve PHP 8.1 compatibility within the route filter entity
- Remove stray XF.Element.register() in password_box.js
- Improve PHP 8.1 compatibility when resizing and cropping an image
- When converting tables to utf8mb4, only show the prompt to add fullUnicode to config.php if the value isn't set already
The following public templates have had changes; where necessary, the merge system within the "outdated templates" page should be used to integrate these changes:
- PAGE_CONTAINER
- alert_user_report_rejected
- alert_user_report_resolved
- attachment_macros
- browser_warning_macros
- core_block.less
- core_datalist.less
- core_menu.less
- core_tab.less
- editor_base.less
- login_password_confirm
- member.less
- message.less
- page_nav
- poll_create
- post_article_macros
- progress_bar.less
- progress_bar_macros
- push_user_post_merge
- push_user_report_rejected
- push_user_report_resolved
- thread_preview
- widget_html
As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.
Current requirements
Please note that XenForo 2.2 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.0 or newer (PHP 8.0 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.2.
- Enhanced Search requires at least Elasticsearch 2.0.
Installation and upgrade instructions
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.
XenForo 2.2.5 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
This release changes the default CAPTCHA method from reCAPTCHA to hCaptcha. If you were using the default CAPTCHA settings, you will automatically be switched over to hCaptcha. If you provided your own reCAPTCHA keys or chose a different CAPTCHA method, your existing CAPTCHA settings will be retained. If you are unable to upgrade to this release, you may need to change CAPTCHA settings to avoid disruption.
XenForo 2.2.3 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.