Today, we continue the, uh, trend of weekly beta releases for XenForo 2.3 with Beta 4. This release fixes a number of bugs found since the previous release, and adds support for trending content which you can read about right here.
In addition to the trending content widget we have also made the following notable changes:
You can now log in to the admin control panel using your configured passkey.
Changes to the job queueing system that allows a caller to create jobs with a specified priority.
Webhook support for user upgrades.
Separated XF.Cropbox from avatar.js into its own file, crop_box.js.
Today, we continue the beta stage of XenForo 2.3 with Beta 3, albeit a little later than originally planned This release fixes a number of bugs found since the previous release, and adds support for passwordless logins with passkeys which you can read about right here. There are a few known issues with passkeys at this point, particularly with hardware-based keys, so please check the bug reports forum if you run into anything.
We strongly recommend anyone testing 2.3 during this beta period upgrade as each beta version is released.
More specific details regarding bugs fixed in this release can be found in the resolved bugs forum.
This is beta software. It is not officially supported.
We do not recommend running it in production.
Please remember that this is beta software. It contains known bugs and incomplete functionality.
Brand new in XenForo 2.3.0 Beta 2 is support for a few long overdue enhancements related to our payment and purchasable system. Let's look at each of these below!
Stripe Checkout
Stripe Checkout is Stripe's native and hosted checkout page which not only brings with it some powerful customisability, it also makes accepting new payment methods completely trivial and available in an instant. Allow user upgrades and other purchasables to be purchased with options for "Buy Now Pay Later" (e.g. Klarna, ClearPay), popular region-specific bank redirects (such as iDEAL and Sofort), and popular online wallets (such as Alipay and Revolut). You can even accept payments through PayPal! Through Stripe! 😲
You can enable and configure as many payment methods as you like, and you do this directly through your Stripe Dashboard with zero additional code or configuration required in XenForo. Stripe intelligently and dynamically displays the enabled payment methods they feel will most likely lead to a conversion based on the customer's previous purchases, their geographic location and currency.
This new purchase experience is a drop in replacement for the existing implementation and requires no additional setup or configuration and is available automatically.
PayPal (REST API)
Our existing PayPal implementation - while absolutely functional - is at least 2-3 generations behind so today is the day we make available a new implementation based on PayPal's current REST API. While functionally this will still be the same as the existing implementation, it is the right time to support PayPal's latest development experience which will continue to receive new functionality and enhancements long in to the future, as well as being more secure and actively maintained by PayPal.
We have implemented this as a brand new payment provider and marked the existing one as deprecated. We are not aware of any immediate plans for PayPal to sunset the legacy Checkout/IPN system we have been using for a long time, so you are free to continue using it. There is no known migration path to move existing customers (particularly recurring payments) to the new APIs but you can enable the new one for new purchases at any time.
The PayPal REST API being available in XenForo should allow developers to implement new, advanced functionality that previously wasn't available.
Ability to update payment details for subscriptions
Starting with Stripe only, initially, we've added the ability for purchasables and payment providers to be able to "Change payment" for existing recurring payments. In the case of Stripe, clicking "Change payment" takes you to a Stripe Checkout session which allows you to update your payment method.
This is a potentially frequently needed piece of functionality which will allow users to, for example, change their payment card after changing banks or having received new card details due to expiry of the previous card. Previously it was not possible for users to update their card details, and usually required the subscription to be cancelled before signing up with new card details.
This is an asynchronous process so once the user provides updated payment details, they will later receive an email confirmation once the new payment details have been applied.
Improved experience for cancelling subscriptions
It has always been possible for a user to be able to cancel their recurring payment but we didn't do the best job of reflecting that change in the UI. The cancel button would still be displayed after cancellation, and would simply error if you tried to use it again. We now track the cancellation state within the purchasable record and adjust the UI accordingly:
This should hopefully be a much less confusing experience.
That's it for new features in Beta 2. We've got more to come very soon! Thank you to everyone who has helped identify issues and provide feedback for XenForo 2.3 so far.
We are delighted to announce that XenForo 2.3.0 Beta 1 is now available to all customers with active self-hosted licenses. XenForo 2.3 includes a large number of new features and improvements, including:
You can read more about the above in the Have you seen...? forum.
- Dark mode and style variants
- Extensive performance improvements
- Featured content
- Image optimization (WebP), client side image resizing and more
- Automation via webhooks
- Sign in with Apple, IndexNow, Full InnoDB and improved MySQL search
- Embed your content anywhere
- Single sign on
- Direct message searching
- ...plus a myriad of developer improvements
This is beta software. It is not officially supported.
We do not recommend running it in production.
Please remember that this is beta software. It contains known bugs and incomplete functionality. We do not recommend running beta software in a production environment, and support is limited at this time to questions here on the community forums.
If you would like to leave us feedback about your experience with XenForo 2.3 we recommend you do that here. From today, should you find any bugs, they should be reported in the Bug reports forum.
Add-ons and custom styles may be broken after upgrading to 2.3. You must test your add-ons thoroughly or look for updates. Be especially careful with add-ons that cover similar features to ones that are added to 2.3; these may conflict with the core XenForo data. If data conflicts are found, they will need to be resolved in a new add-on release or by removing the add-on before upgrading to 2.3.
If you choose to run beta software, it is your responsibility to ensure that you make a backup of your data. We recommend you do this before attempting an upgrade. If in doubt, always do a test upgrade on a copy of your production data.
All customers with active self-hosted licenses may now download the new version from the customer area.
Download XenForo 2.3.0 Beta 1
From the licensed customer area
Alongside the release of XenForo 2.3.0 Beta 1, we are also releasing updated versions of each of our official add-ons:
As we talk about in today's Have you seen...? thread, the changes in the official add-ons is currently minimal. There is additional functionality in development which will be added in a future Beta release.
- XenForo Media Gallery 2.3.0 Beta 1
- XenForo Resource Manager 2.3.0 Beta 1
- XenForo Enhanced Search 2.3.0 Beta 1
Customers with active self-hosted licenses for these add-ons may download the new versions from their customer area.
From the Licensed Customer Area
The following are minimum requirements:
Note: Please pay particular attention to the points above in bold as they represent changes to the minimum or planned increases!
- PHP 7.2.0 or newer (PHP 8.3 recommended)
- MySQL 5.7 or newer
- Enhanced Search requires at least Elasticsearch 7.0
- All of the add-ons listed here require XenForo 2.3
Installation and upgrade instructions
Full details for how to install and upgrade XenForo can be found in the XenForo manual. One-click upgrades from XF 2.2 are possible, but you must uncheck the "Only check for stable upgrades" option in Options > Basic options. Once the XF 2.3 upgrade has been complete, the official add-ons should be upgraded as well.
Please remember that this is beta/preview software. It contains known bugs and incomplete functionality. We do not recommend or support running beta software in a production environment. Support for beta releases is limited to questions here on the community forums.
Hot on the heels of yesterday's XF 2.2.14 release and subsequent patches, we are today making XenForo 2.2.15 available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability, particularly if you already upgraded to XenForo 2.2.14.
As of this point, XenForo 2.2.14 and its patches are no longer available for download. We are still planning a final XF 2.2 release at some point around the release of XenForo 2.3!
Some of the changes in XF 2.2.15 include:
Avoid setting duplicate List-Unsubscribe headers.
Include first post QA schema items unconditionally.
Make outdated PHP version notice in admin control panel clearer.
Retain the original unsubscribeEmailAddress option for backwards compatibility.
New unsubscribeEmailHandling option to replace the new unsubscribeEmail option and conclusively fix issues arising from yesterday's XF 2.2.14 release.
Fix URL unfurls no longer unfurling.
Current requirements
Please note that XenForo 2.2 has higher system requirements than earlier versions.
The following are minimum requirements:
PHP 7.0 or newer (PHP 8.2 recommended)
MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
All of the official add-ons require XenForo 2.2.
Enhanced Search requires at least Elasticsearch 2.0.
XenForo 2.2.13 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
In addition to the fixes listed below, we have a few other aces up our sleeves this time around.
Full iOS PWA compatibility with push notification support
iOS 16.4 finally introduced push notifications for iOS devices. To facilitate this, your members need to install your site as a PWA (by utilising the Add to Home Screen feature in Safari). XenForo 2.2.13 now satisfies all of the prerequisites for this to support push notifications which can be enabled by your members once they log in through the PWA and enable push notifications in their Preferences.
The PWA (progressive web app) has now been enhanced with additional gesture based or UI controls, including pull down to refresh and a floating back button.
Structured data metadata improvements
With many thanks to Ryan Levering from Google we have made a number of improvements to structured data metadata. Structured data enriches the pages we output with additional information which enables Google and other search engines to better understand the structure of the information that is rendered. This helps Google provide rich search results and helps provide additional context to users who may find your content during their Google searches.
Support for OAuth authentication for Microsoft 365 business email accounts
Microsoft has deprecated the ability to send emails over SMTP using traditional username/password authentication. This is similar to what Google did a while ago. In light of this we have now added an additional option when setting up either your email transport or automated mail handlers (automated unsubscribe/bounce handling) which will enable you to authenticate with OAuth.
Note: The set up for this is fairly complex, requiring you to set up an Azure Active Directory application within the Azure developer portal. There is a link to the documentation when setting this up.
XenForo 2.2.12 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.
We're pleased to announce the introduction of two new features available in XenForo 2.2.12.
New CAPTCHA provider: Cloudflare Turnstile
In September, Cloudflare Turnstile was announced. You may have noticed that we quickly implemented this into the software and it has been running here now for a little while.
While on the surface this may seem like "just another CAPTCHA" option, we feel that Cloudflare has gotten a lot of things right in its approach to this product that is missing from many other providers including HCaptcha and Google reCAPTCHA. It's a much better experience for your users, respects your users privacy and with XF 2.2.12 also provides more granular logging in the Cloudflare dashboard so you can see analytics about where in the software a CAPTCHA is being used.
We encourage you to read more about Cloudflare Turnstile on their blog and consider signing your site up, for free, right here or if you are an existing Cloudflare user, get started in your Cloudflare dashboard.
Advanced cookie consent system
Starting with XF 2.2.12 you will be able to enable a new "Advanced" cookie consent system. This enables your users to have much more granular control over the specific cookies that are set, the purpose of each cookie and prevents certain cookies from being set at all until explicit consent is given.
As ever, this system is also extendable by add-on developers so that cookies set by an add-on can be appropriately categorised and also require consent before certain functionality is available.
Some of the changes in XF 2.2.12 include:
The following public templates have had changes:
- Always default to an empty array when IPv6 lookup fails
- Fix a server error when guests tried to access non-existent search results
- Include some missing entries in the hashes file
- Suppress warnings when converting invalid IP addresses on older versions of PHP
- Implement suggested password normalization for PhpBb3 authentication
- Check for "Manage add-ons" permission when viewing or triggering a file health check
- Fix not being able to follow users in an email bounced user state
- Fix custom user titles set to falsy values not being displayed
- Add missing pagination when searching for a user's reported content
- Only sign emails if DKIM setup has been verified
- Properly account for falsy values in wholeWordTrim and snippetString functions
- Fix PHP 8.1 compatibility issue when performing a search with no keywords
- Update Swiftmailer to v6.3.0 for PHP 8.1 support
- Make adjustments to Facebook media site to support new pfbid IDs
- Add support for detecting utf8mb3 and treating it the same as utf8 thus ensuring unicode mismatch detection and table conversion to utf8mb4 is working correctly.
- Add missing CSS to the comment macro in the profile_post_macros template
- When trying to unapprove a deleted thread, undelete it and put it in the approval queue
- Prevent configuration of two-factor authentication when it is disabled via the config.php switch
- Fix outdated link in the you_can_preview_icons_and_their_names_here phrase
- Fix typo in legacy Instagram embed template
- Re-implement Instagram embeds without a reliance on the oEmbed endpoints and support reel links.
- Adjust template Parser to allow for more precise parentheses placement in some previously ambiguous usages.
- If guest content is awaiting approval, show the username the content was submitted under
- Fix PHP 8.1 compatibility issue when rebuilding a thread's first post information
- Remove extraneous line breaks from the news feed option description
- If a user is also a moderator, update the URL on their admin profile page to only show forums they moderate
- Exclude nodes where a user can't view thread content from search queries
- When importing from an RSS feed and posting as a particular user, respect their auto-watch preferences
- Add support for 3GP encoded videos
- Fix $fromEmail variable not being set correctly when sending emails
- Fix accidentally exposing thread content to guests without the "View threads by others" permission when the thread starter's account has been deleted
- Ensure error logging isn't silently skipped if stacktrace arguments contain invalid utf-8.
- Adjust CSS for Spotify media embed.
- Adjust Select2 and native auto-completer to accept tab key as selecting a result.
- Support node_name / URL portion for categories (relevant if categoryOwnPage option enabled)
- Remove reference to non-existent reaction_text column
- Fix typo in mail template rendering exception message
- Fix connected account providers not appearing on the login form in some cases
- More accurate way of parsing byte values from PHP config values.
- Ensure only valid users are able to change their username.
- Better support cross platform directory separator trimming in ComposerAutoload
- Mark XF\Payment\CallbackState as allowing dynamic properties.
- Include PHP 8.2 compatibility fixes in non-vendor classes and utf8.php
- Fix Vimeo embed start timestamp behavior
- Use late static binding in utility classes to make them easier to extend
- Ensure job max run-time checks occur at end of loops
- Dynamically build link to front-end in the control panel
- Include content IDs in extra data when performing spam checks
- Include content IDs in extra data when performing spam checks
- Improve the extensibility of spam trigger log request data
- Add validation to widget display conditions
- Fix validation for negative whole number custom fields
- Adjust title attributes on bookmark links and buttons
- Adjust line height of inline mod go button to match select height
- In Text::copy return a Text element rather than Tag.
- Properly escape regex when rendering a BB code table.
- Disable PSR class path inspection in extension_hint.php
- In the ChangeLoggable behaviour add a new option to force a change to be from a specific user ID. In contexts where actions are performed from an email link, such as email stop or password resets, this allows us to ensure the password reset change log is attributed to the correct user.
- Update flow.js to the latest version, remove legacy FustyFlow for ancient IE fallback.
- Apply recommended fix for wrapping selection text in different editor functionality.
- Return a HTTP 404 error code when trying to view a tag with no viewable content
- Handle null arguments when stripping BBcode from strings
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
- PAGE_CONTAINER
- _help_page_cookies
- _media_site_embed_oembed
- _media_site_legacy_embed
- account_confirm_resend
- account_security
- app.less
- app_inlinemod.less
- approval_queue_macros
- bookmark_macros
- captcha
- captcha_turnstile
- contact_form
- core_bbcode.less
- core_utilities.less
- editor_base.less
- forum_post_quick_thread
- forum_post_thread
- google_analytics
- helper_attach_upload
- login
- lost_password
- misc_cookies
- notice_cookies
- notices.less
- register_form
- report_search
- thread_list_macros
- thread_reply
- thread_view
Please note that XenForo 2.2 has higher system requirements than earlier versions.
The following are minimum requirements:
- PHP 7.0 or newer (PHP 8.0 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.2.
- Enhanced Search requires at least Elasticsearch 2.0.
Today, we are releasing XenForo 2.2.11 to address a potential security vulnerability. We recommend that all customers running XenForo 2.2 upgrade to 2.2.11 or use the attached patch file as soon as possible.
The issue relates to HTML attribute injection which can be triggered when rendering editor content, such as when a post is edited or quoted.
XenForo extends thanks to security researcher @PaulB, the team at @NamePros and @Xon for reporting the issues.
We recommend doing a full upgrade to resolve the issues, but a patch can be applied manually. See below for further details.
Note: There are no other changes in this release and any work previously done towards XenForo 2.2.11 - including a new CAPTCHA option by Cloudflare Turnstile and various bug fixes and improvements - will be released alongside XenForo 2.2.12 in the coming weeks.