XenForo 2.1.10 Patch 2 Nulled Changelog:
XenForo 2.1.10 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.1 upgrade to this release to benefit from increased stability.
Most importantly, this release fixes a security vulnerability in XenForo.
The issue is an XSS vulnerability. XSS (Cross Site Scripting) issues allow attacker-controlled script and HTML to be injected into a page and run in another user's browser session on your site, potentially allowing data theft or actions performed with that user's privileges. Triggering this one requires some very specific steps, involving pasting malicious content into the XenForo rich text editor, which may make it difficult to exploit. XenForo extends thanks to @TickTackk for reporting the issue.
While we recommend doing a full upgrade to resolve this issue, you can also patch the issue yourself with the attached file.
To patch your existing installation, please follow these steps:
Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report these three files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored. Because the fix lives in client-side JavaScript, users only get it once their browsers fetch the new files: if you serve the js/ directory through a CDN or with long cache lifetimes, purge those caches after uploading.
- Download the patch files which are contained in a file called 2110patch.zip
- Extract the zip file to your computer, which should contain the following files:
- upload/js/xf/editor.js
- upload/js/xf/editor.min.js
- upload/js/xf/editor-compiled.js
- Upload the contents of the upload directory to the root of your XF installation.
- This will overwrite the following files:
- js/xf/editor.js
- js/xf/editor.min.js
- js/xf/editor-compiled.js
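One way to script the three-file patch above, as an added example rather than XenForo's own tooling: a Python applier that refuses any archive member outside the three expected paths (so a tampered or mislabelled zip cannot write anywhere else in the install), backs up each file it overwrites, and returns before/after SHA-256 digests so you can see exactly what changed. The in-memory archive and file contents built in demo() are constructed so the example runs offline; to use it for real, pass the bytes of 2110patch.zip and your XenForo root to apply_patch.

```python
"""Illustrative patch applier for 2110patch.zip (added example, not XenForo code).

Only the three documented members are written; anything else in the archive,
including path-traversal names such as "upload/../x", causes a refusal before
any file is touched. Overwritten files are copied to backup_dir first.
"""
import hashlib
import io
import shutil
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Optional

# The members the advisory says the archive contains.
EXPECTED_MEMBERS = {
    "upload/js/xf/editor.js",
    "upload/js/xf/editor.min.js",
    "upload/js/xf/editor-compiled.js",
}


def sha256_of(path: Path) -> Optional[str]:
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.exists() else None


def check_members(zf: zipfile.ZipFile) -> set:
    """Return the file members, or raise if the list is not exactly the expected one."""
    names = {m.filename for m in zf.infolist() if not m.is_dir()}
    unexpected = names - EXPECTED_MEMBERS
    if unexpected:
        raise ValueError(f"refusing archive with unexpected members: {sorted(unexpected)}")
    missing = EXPECTED_MEMBERS - names
    if missing:
        raise ValueError(f"archive is missing expected members: {sorted(missing)}")
    return names


def apply_patch(zip_bytes: bytes, xf_root: Path, backup_dir: Path) -> dict:
    """Write members under xf_root (dropping the 'upload/' prefix).

    Returns {relative_path: (sha256_before_or_None, sha256_after)}.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in sorted(check_members(zf)):
            rel = PurePosixPath(member).relative_to("upload")
            dest = xf_root.joinpath(*rel.parts)
            # Belt and braces: the resolved destination must stay inside the install root.
            if xf_root.resolve() not in dest.resolve().parents:
                raise ValueError(f"member escapes install root: {member}")
            before = sha256_of(dest)
            if dest.exists():
                backup = backup_dir.joinpath(*rel.parts)
                backup.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(dest, backup)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(member))
            results[str(rel)] = (before, sha256_of(dest))
    return results


def build_zip(members: dict) -> bytes:
    """Build a zip in memory (used only to construct sample archives for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Constructed scenario: one existing editor.js, a good archive, then a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "xf"
        (root / "js" / "xf").mkdir(parents=True)
        (root / "js" / "xf" / "editor.js").write_bytes(b"// old editor\n")

        good = build_zip({m: b"// patched " + m.encode() for m in EXPECTED_MEMBERS})
        res = apply_patch(good, root, Path(tmp) / "backup")

        # Same three files plus a traversal member: must be rejected outright.
        tampered = build_zip({**{m: b"x" for m in EXPECTED_MEMBERS},
                              "upload/../src/config.php": b"<?php // not welcome"})
        try:
            apply_patch(tampered, root, Path(tmp) / "backup2")
            rejected = False
        except ValueError:
            rejected = True

        backup_copy = Path(tmp) / "backup" / "js" / "xf" / "editor.js"
        return {
            "files_written": len(res),
            "editor_js_changed": res["js/xf/editor.js"][0] != res["js/xf/editor.js"][1],
            "editor_js_backed_up": backup_copy.read_bytes() == b"// old editor\n",
            "tampered_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The member allowlist is the important part: a zip downloaded from anywhere other than the vendor's customer area deserves the same suspicion as any other executable content, and the File health check afterwards should flag exactly these three files and nothing else.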
For instructions on how to resolve the issue by upgrading, and to see what else has changed in XenForo 2.1.10, please read on.
Download XenForo 2.1.10
or
Upgrade directly from within your control panel
When we released XenForo 2.0.2 we told you that we wanted to start collecting certain information about your XenForo installation and the server on which it is installed. The data that we collect is your PHP version, MySQL version and your XenForo version. This information helps us make important decisions such as which minimum PHP version we should target for future releases and helps us get a better understanding of how quickly new XF versions are adopted.
In addition to the aforementioned data, we would also like to start getting an understanding of how many add-ons our customers have installed plus the specific add-on IDs of any official XenForo add-ons you have installed.
During this upgrade you will be prompted again whether you would like to provide the usage statistics or not.
This information is, and always will be, entirely anonymous and does not include any personal or private information, but it is a huge help.
Some of the other changes in XF 2.1.10 include:
- Properly support disabling memory limits when calling setMemoryLimit with -1.
- Prevent a race condition related to double clicking when reacting to content.
- Prevent a server error when trying to edit a super admin via a non-super admin. (Also, allow the bypass permissions option of the API request to bypass this constraint.)
- Do not display unsupported media sites in approved site list
- Properly set average tooltips in stats graphs
- Allow the message body '0' in report comments
- Allow searches for '0' in template and phrase titles and contents
- Don't throw an error when trying to view reactions on a conversation message by a deleted user.
- When deleting warning actions, correctly redirect to the warnings list.
- When deleting template modifications, redirect to the correct template modification type list.
- Set a maximum length for content_type field in the spam trigger log entity.
- Allow users to reconfirm their existing email addresses if emails have previously bounced to it.
- Opt not to show a title for HTML widgets if no explicit title is set.
- Avoid throwing a template error for approval queue items with no user relationship.
- Ensure the MySQL replication adapter throws the correct exception on failure and supports the charset option.
- Adjust the display of conversation filter checkboxes.
- Use the correct modifier when building attachment URLs for the editor.
- Ensure full thumbnail URLs are used when rendering the ATTACH BB code, notably for rendering in emails.
- Properly check required PHP, PHP extension, and MySQL versions during add-on installation
- Don't allow double backslashes for PHP callbacks.
- Redirect back to the option group list after deleting an option group.
- Redirect back to the option group when deleting an option.
- Ensure arrays are always returned from title pair methods
- Don't strip HTML tags on post content choosers.
- Correctly check permissions on user report page
- Correctly handle chargebacks for PayPal Funds Now accounts
- Log IP when TFA check is triggered
- Avoid table locking when checking if the error log table is populated
- Correct our auto-timezone data so that UTC+3 returns Europe/Moscow as expected.
- Slightly adjust the explain text for the boardDescription option to clarify it applies to the "Forums default page".
- Ensure we mark all forum descendants read when marking a forum read - not just its children.
- Opt for more desirable defaults when emailing users
- Fix incorrect type hint on App::service method.
- Attempt to convert incoming <code> tags to relevant BB code.
- Extend the color_picker.js infinite loop protection to allow colors to be resolved more than once up to a limit of 3 times each.
- Expand support for our share buttons to include the page image and send that along with the Pinterest share button clicks.
- Make query for finding newest/next posts in a thread more performant.
- Slightly adjust phrase about unique ad position keys to suggest the key may already be in use.
- Ensure "No permission" placeholder buttons correctly wrap text.
- Throw a clearer error if closure compiler returns an unexpected response when minifying JS.
- Load images when rebuilding recent emoji
- Use a consistent function when checking if CAPTCHA should be shown.
- Add title attributes to most of the style property edit fields to make clearer the specific CSS property being adjusted.
- Allow moderators to expire/delete warnings they issued
- Ensure alt text is correctly displayed when hovering over thumbnail attachments.
- Display field name in required custom field error message
- Ensure integer and float values are correctly casted when using searchers.
- Properly normalize page action criteria
- Implement the ability to extend all XF\CustomField\* classes - specifically Set and DefinitionSet.
- Avoid an error if a user has 25 incomplete subscription purchases with Stripe
- Make the appropriate usage of a language's currency_format value more clear.
- Check breadcrumb hrefs against the full request URI (including scheme and host) as well as the partial request URIs to determine when they should be automatically hidden.
- Prevent table overflow on the user change log with wide browser windows.
- Allow manually triggered rebuild jobs to be resumed via the command line.
- Support URLs being used in moderator log action params.
- When creating a new payment profile, only show providers from active add-ons.
- Fix LESS compilation failure when form input padding is blank
- Allow auto focus into tagging/token input elements.
- Make sure that iOS opens reactions on long press (consistent with previous versions and other mobile devices).
- Disable the CodeMirror code editor (with a fallback to a standard textarea) on Android devices due to compatibility issues.
- Make improvements to the moderator list especially when there are large numbers of moderator records.
- When importing users with invalid email addresses, correctly set their user states.
The following public templates have had changes:
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
- _help_page_bb_codes
- app_body.less
- bb_code_tag_attach
- code_editor
- conversation_list
- core_datalist.less
- core_input.less
- core_menu.less
- core_overlay.less
- editor.less
- editor_base.less
- editor_dialog_media
- forum_post_quick_thread
- forum_post_thread
- forum_post_thread_chooser
- forum_view
- lightbox.less
- lost_password_confirm
- PAGE_CONTAINER
- payment_cancel_recurring_confirm
- payment_initiate.less
- quick_reply_macros
- share_page_macros
- thread_reply
- thread_view
- widget_html
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.
Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.
Current Requirements
Please note that XenForo 2.1.x has higher system requirements than XenForo 1.x.
The following are minimum requirements:
- PHP 5.6 or newer (PHP 7.4 recommended)
- MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
- All of the official add-ons require XenForo 2.1.
- Enhanced Search requires at least Elasticsearch 2.0.
Installation and Upgrade Instructions for XenForo 2.1
Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.
If you are already running XF 2.1 or above we strongly recommend upgrading directly from within your control panel.
Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.
XenForo 2.1.10 Patch 2 Released
Shortly after releasing 2.1.10, we became aware of an incompatibility related to how some add-ons add custom CSS to the control panel. This could lead to the control panel appearing unstyled. In order to resolve this, we have released XenForo 2.1.10 Patch 2.
You can perform the upgrade directly from your control panel by going to Tools > Check for upgrades (<url>/admin.php?tools/upgrade-check if you do not see the link due to display issues). You can also download the update from your Customer area and upgrade manually.
(Note that Patch 1 was briefly released and has been superseded with Patch 2 to resolve this issue.)
XenForo 2.1.9 and 2.0.13 Released
Today, we are releasing XenForo 2.1.9 and XenForo 2.0.13 to address a potential security vulnerability that may affect any customer who makes use of our PayPal payment handler.
As well as user upgrades, this may affect add-ons you have installed which process payments using our PayPal payment handler.
We recommend that all affected customers running XenForo 2.1 or XenForo 2.0 upgrade to 2.1.9 or 2.0.13 or use one of the attached patch files as soon as possible.
Specifically, the issue relates to a specially crafted callback (or IPN) that the handler validated against PayPal's sandbox validation endpoint instead of their live system, so the callback could be confirmed as genuine even though no live payment had taken place. If successful, a purchase could be completed without your PayPal account actually receiving any funds. If you ran an affected version with PayPal enabled, compare the completed purchases and user upgrades in your payment provider log against the transactions actually recorded in your live PayPal account.
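The validation flaw described above, as an added example that is not XenForo's code: a Python sketch of an IPN handler in which the callback's own test_ipn field picks the validation endpoint (one common way this class of bug arises), beside a version in which only the stored payment profile decides and a live profile rejects any callback flagged as a sandbox test. The test_ipn field, the PaymentProfile structure, the fake PayPal responder and the sample callbacks are assumptions constructed for the example; the two endpoint URLs are PayPal's documented IPN validation addresses.

```python
"""Illustrative PayPal IPN validation (added example, not XenForo's handler).

Shows the bug class: letting the incoming callback choose whether it is
validated against the sandbox or the live endpoint. Anyone can generate
sandbox transactions, so a sandbox-validated callback proves nothing about
money arriving in the live account.
"""
from dataclasses import dataclass, field
from typing import Callable, Mapping
from urllib.parse import parse_qsl

# PayPal's documented IPN validation endpoints.
LIVE_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"

# (verify_url, raw_body) -> "VERIFIED" or "INVALID"; injected so the example runs offline.
Verifier = Callable[[str, bytes], str]


@dataclass
class PaymentProfile:
    """Hypothetical server-side configuration for one PayPal account."""
    receiver_email: str
    sandbox: bool = False                       # set by the admin, never by the callback
    seen_txn_ids: set = field(default_factory=set)


def parse_ipn(raw_body: bytes) -> dict:
    return dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))


def vulnerable_verify_url(ipn: Mapping[str, str]) -> str:
    """Bug pattern: the callback's own test_ipn flag selects the validator."""
    return SANDBOX_VERIFY_URL if ipn.get("test_ipn") == "1" else LIVE_VERIFY_URL


def hardened_verify_url(profile: PaymentProfile) -> str:
    """Fix pattern: only the stored profile decides between live and sandbox."""
    return SANDBOX_VERIFY_URL if profile.sandbox else LIVE_VERIFY_URL


def process_ipn(raw_body: bytes, profile: PaymentProfile, verify: Verifier,
                expected_amount: str, expected_currency: str, *,
                trust_callback_mode: bool) -> tuple:
    """Return (accepted, reason). trust_callback_mode=True reproduces the bug."""
    ipn = parse_ipn(raw_body)

    if trust_callback_mode:
        url = vulnerable_verify_url(ipn)
    else:
        url = hardened_verify_url(profile)
        # A live profile must never accept a callback that claims to be a sandbox test.
        if (ipn.get("test_ipn") == "1") != profile.sandbox:
            return False, "sandbox/live mismatch"

    # PayPal's protocol: echo the exact body back, prefixed with _notify-validate.
    if verify(url, b"cmd=_notify-validate&" + raw_body) != "VERIFIED":
        return False, "not VERIFIED by PayPal"

    # VERIFIED only proves PayPal sent it; the content must still match our own sale.
    if ipn.get("receiver_email", "").lower() != profile.receiver_email.lower():
        return False, "wrong receiver"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if (ipn.get("mc_gross"), ipn.get("mc_currency")) != (expected_amount, expected_currency):
        return False, "amount/currency mismatch"
    txn_id = ipn.get("txn_id", "")
    if not txn_id or txn_id in profile.seen_txn_ids:
        return False, "missing or replayed txn_id"
    profile.seen_txn_ids.add(txn_id)
    return True, "ok"


# Constructed stand-in for PayPal: the sandbox validator confirms anything
# (attacker-created sandbox transactions are real there); the live validator
# only confirms transactions that actually exist in the live account.
REAL_LIVE_TXNS = {"LIVE-TXN-0001"}


def fake_paypal(url: str, body: bytes) -> str:
    txn_id = parse_ipn(body).get("txn_id", "")
    if url == SANDBOX_VERIFY_URL:
        return "VERIFIED"
    if url == LIVE_VERIFY_URL and txn_id in REAL_LIVE_TXNS:
        return "VERIFIED"
    return "INVALID"


# Constructed sample callbacks (not captured PayPal traffic).
CRAFTED_IPN = (b"txn_id=SANDBOX-FAKE-1&test_ipn=1&payment_status=Completed"
               b"&mc_gross=10.00&mc_currency=USD&receiver_email=sales%40example.com")
GENUINE_IPN = (b"txn_id=LIVE-TXN-0001&payment_status=Completed"
               b"&mc_gross=10.00&mc_currency=USD&receiver_email=sales%40example.com")


def demo() -> dict:
    live = PaymentProfile(receiver_email="sales@example.com", sandbox=False)
    run = lambda body, bug: process_ipn(body, live, fake_paypal, "10.00", "USD",
                                        trust_callback_mode=bug)[0]
    return {
        "crafted_vulnerable": run(CRAFTED_IPN, True),    # accepted: sandbox said VERIFIED
        "crafted_hardened": run(CRAFTED_IPN, False),     # rejected before any network call
        "genuine_hardened": run(GENUINE_IPN, False),     # accepted via the live validator
        "replayed_hardened": run(GENUINE_IPN, False),    # same txn_id again: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The point to carry over to any add-on that copies or extends a payment handler: the environment (live or sandbox), the expected receiver, amount and currency all come from server-side configuration and the stored purchase request, never from fields in the callback being validated.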
There are no other fixes included in this version. There will be a further 2.1 maintenance release in the coming weeks.
Applying a Fix: Upgrading
You may upgrade to 2.1.9 or 2.0.13 to fix this issue. You should upgrade as you would to any other release.
Customers with an active license may download 2.1.9 or 2.0.13 from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.
If you are running XF 2.1 you can upgrade directly from within your control panel.
Applying a Fix: Patching
Alternatively, this issue can be fixed by applying the patch in the attached file. You should simply overwrite the following file with the version attached to this message:
- src/XF/Payment/PayPal.php
The file can be found at the same path within the attachment.
Please ensure you download the correct patch for your XenForo version. If you are running XenForo 2.1 then please only download xf-patch-219.zip. If you are running XenForo 2.0 then please only download xf-patch-2013.zip.
XenForo 2.1.8 Patch 2 Released
We have identified an issue in 2.1.8 that may cause certain template modifications in add-ons to not be applied correctly. This issue is discussed in more detail in this bug report. In order to resolve this, we have released XenForo 2.1.8 Patch 2.
You can perform the upgrade directly from your control panel by going to Tools > Check for upgrades. You can also download the update from your Customer area.
XenForo v2.1.8 Patch 1 Final Changelog:
We have fixed two issues in XenForo 2.1.8 which cause errors or unexpected behavior:
- Error relating to warning_points when rebuilding user caches
- Error when sending a payment receipt with user upgrades/purchasables
We have released XenForo 2.1.8 Patch 1 to resolve these issues.
You can perform the upgrade directly from your control panel by going to Tools > Check for upgrades. You can also download the update from your Customer area.
XenForo v2.1.7 Final Changelog:
Some of the changes in XF 2.1.7 include:
- Ensure that some jobs do not attempt to complete or otherwise change state inside a transaction.
- Ensure correct URL is used in the bookmark label filter when friendly URLs are not enabled.
- Display correct username styling when viewing users linked to an IP.
- In alerts and the news feed, ensure the "your post" link in the reaction item is clickable.
- Ensure Gravatar rebuild job respects the options sent to it.
- Prevent users from deleting their own accounts
- Check for guest posts in post reaction items
- Ensure login button when viewing a forum as a guest wraps properly.
- Only try to hide the global action indicator if it's actually present.
- Do not redirect back to the login page after a connected account request
- Properly check for tag container inside tagger
- Do not escape outbound email test subject phrase
- Correctly handle add-ons created with incorrect casing when the namespace already exists.
- Add additional wording to make it clear that the rejection reason will be shown to users awaiting approval.
- Remove hard-coded height from payment inputs
- Add missing phrase for 'could_not_find_subscriber_id_for_this_purchase_request'
- Display PHP's memory_limit within server environment report.
- Force choice builder to use temporary variable with set tags
- Remove Google+ URL from the Google connected account template.
- Allow disabling pointer events for nested tooltips
- Remove unused parameter when fetching reaction phrase
- Update promotion history interface for clarity
- Fix post copier attachment regex
The following public templates have had changes:
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
- alert_post_reaction
- approval_item_user
- connected_account_associated_google
- core_button.less
- core_tooltip.less
- forum_view
- payment_initiate.less
- reaction_item_post
- thread_edit
CHANGELOG:
XenForo 2.1.6 Released
XenForo 2.1.6 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.1 upgrade to this release to benefit from increased stability.
Download XenForo 2.1.6
or
Upgrade directly from within your control panel
Some of the changes in XF 2.1.6 include:
- We need to detect if an icon defined as fa includes an fa prefix, such as fab etc., and if it already includes one, don't prepend our own.
- Check that we do actually have some valid content before we start working with it, and bug out if not
- Ensure we don't overwrite the rebuildDefaultData array in rebuild jobs. Additional data should be initialized in the defaultData array as normal.
- When viewing the approval queue, ensure the "Spam clean" option only displays to moderators who have permission to use the spam cleaner.
- Store the master Toggle cookie data for a set time, rather than per session (1 year). Support being able to specify the expiry date of each storage item and default it to 1 day. Fix some bugs which may have prevented entries from expiring when needed.
- Enable Facebook story.php links to embed like normal Facebook posts.
- Generally improve support for Duotone FA icons, especially in usage of addon.json.
- When moving posts into an existing thread, ensure we only change the thread's visibility if the first source post is now the target's first post.
- Fix incorrect logic in AbstractField for entity structures that may not support display grouping.
- Workaround a weird quirk where some browsers may not render a broken image placeholder if the alt/title attributes are empty.
- Add support for the theme attribute when rendering recaptcha. The value comes from the "Style type" style property in the "Color palette" group which has a light/dark value.
- Update Linkedin connected account provider to use their updated API.
- Apply proper fix to ensure the user's correct approval queue counts are displayed.
- Fix an issue that would break prepending a table prefix to table names in the database adapter.
- Reverse a change that allowed admin templates to be called from within public templates.
- Display a more coherent error message when trying to warn a user for content they have already been warned for.
- When deleting an attachment from content, prevent any upload errors.
- Add missing (and undocumented!) structured data to the DiscussionForumPosting entry for the thread view.
- Ensure that xfUniqueId() returns the new id attribute value if one was set.
- Revert a previous change related to the conversion of some non-emoji characters to images.
- Adjust styling of deleted structured list items (thread list etc) so that only the correct parts are underlined.
- In the Admin CP template editor, ensure content of <xf:js> and <xf:css> tags are highlighted appropriately.
- Prevent XF.CheckAll from updating disabled checkboxes.
- In the news feed, ensure the reaction item is consistent so that "your post" links to the actual post.
- If no error message exists when we check the permission for quick close/quick stick then give a generic no permission message.
- Further fixes to sticky form submit row positioning with relation to notices.
- In Markdown parsing, do not match a string of asterisks or underlines as valid blocks of bold or italics.
- Prevent unexpected spacing changes when editing a message in the RTE that has tables
- Support embedding IGTV URLs.
- Prevent conversation reply counts from getting out of sync due to a race condition.
- Fix mentions not always being processed correctly when a dotted capital I is present.
- When filtering bookmarks in the popup, make the "show all" link respect the currently selected label.
- Prevent double change logs when a user registration is outright rejected for spam behaviour.
- Fix potential incorrect behavior when pasting into the RTE from external sources. Improve behavior when pasting from Google Docs.
- Ensure that the RTE code editor dialog consistently automatically focuses the code editor when it is shown.
The following public templates have had changes:
- account_bookmarks_popup
- account_visitor_menu
- captcha_recaptcha
- connected_account_associated_linkedin
- core_contentrow.less
- editor_dialog_code
- lightbox_macros
- reaction_item_post
- structured_list.less
- thread_view
XenForo 2.1.5 Released
Some of the changes in XF 2.1.5 include:
- Correctly handle Stripe review callbacks
- Fix issue with the +/- buttons on number box elements not working in MS Edge browser.
- Ensure the import permission helper doesn't fall over when faced with a permission value of 0.
- Update Font Awesome to 5.11 and improve support for duotone icons.
- Add "Spam" button on possible spammers when viewing reports.
- Back out of a few older iOS workarounds which seem to only be applicable to very old versions of iOS related to inputs within fixed elements in order to fix some issues these cause with iOS 13.
- Ensure favicon / title alert count indicator still displays for counts greater than 999.
- When trying to find matching transactions when processing payments, ensure we limit it to transactions from the same provider.
- Switch to a case insensitive match when analyzing an MP4 video ftyp types.
- Workaround for displaying future relative timestamps in pages output from the guest page cache.
- Changes to allow certain URLs which do not have a trailing slash to work in a more predictable way.
- Only display "Spam" buttons to visitors who have permission to use the spam cleaner.
- When fetching new Oembed data from an endpoint catch all exceptions and return the typical error output.
- Fix an issue with fixed menu positioning on Safari when scrolling.
- Prevent left/right aligned contents of spoilers from overspilling their container.
- Avoid a quirk on the deferred loading rich text editor in Firefox which may insert an empty line when content is first entered.
- Update Redis cache provider to use del function rather than delete.
- Deaccent and romanize URLs before validation
- Restore the ordering by post_date, post_id as per XF1, so that posts with identical datestamps are ordered sequentially.
- Prevent superfluous dot character being prepended to forum list category anchor links.
- Create a 'title' getter for the WarningAction entity (returns \XF::phrase('warning_points:') . ' ' . $this->points)
- When displaying an unfurling error in the test tool, allow the error message to wrap as needed.
- On the discouraged IP list in the Admin CP ensure that the list is properly paginated.
- Disable validation when reverting to a previous revision of content
- Check that the follow/unfollow ignore/unignore result returns something before attempting to read any associated errors
- Remove the link URL, as there is no 'edit' page for a thread reply ban so a link URL is nonsensical
- Update fa-warning to fa-exclamation-triangle in the XF Templater
- Updated the Twitter dev link in the option_explain_tweet phrase
- Ensure unfurled URLs are displayed in blocks but work nicely with floated images.
- Prevent an undefined index error in some situations when rebuilding field cache data.
- Add a further failover catch for when sites send totally bonkers HTTP headers back to Guzzle for reasons best known to themselves.
- Added meta description/og:description/twitter:description using the metadata_macros->metadata template macro
- Use a URL friendly add-on ID when exporting languages/styles.
- Force invisible reCaptcha to be visible on the login form. Creates a minor BC break in all Captcha classes that will need to be observed by any third-party captcha providers
- Reduce number of queries on the node moderator lists with a new getFullNodeListCached method.
- Update the xf_thread_read table after a thread merge to reflect the earliest read date for each source thread for each user, so that unread posts from source threads are not marked as read when they are merged into a destination thread whose original content has itself already been read
- Implement a transaction and also fetch the last insert id on dupe
- Wrap a bunch of jobs in transactions so we don't ever find out SELECT results are invalid by the time we UPDATE them
- Implement the suggested check on is_counted from the report thread
- Wrap Throwable in ErrorException for compatibility with Symfony component
- Fix logic around user reaction scores when deleting content/changing Reaction scores
- Prevent false positive detection of duplicate key exceptions in queries due to generic SQL state code.
- Gracefully handle a race condition when inserting bookmarks.
- Make the list sorter more usable on touch devices by ensuring the page doesn't scroll when trying to drag items.
- Fix a situation where tables would not be converted to BB code correctly if there was CSS/alignment applied at the table row level.
- Move setting up XenForo's error handling to be part of startSystem rather than standardizeEnvironment to ensure that the necessary classes/functions are available before they may be called.
- Fix timestamp issues after timezone/DST changes
- When loading recently used smilies/emoji, prioritize smilies over emojis when there are conflicting shortcodes. (This may still lead to the incorrect icon being shown, but only when the conflicting emoji is inserted instead of the smilie.)
The following public templates have had changes:
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.
- approval_item_user
- bb_code.less
- core.less
- core_fa.less
- core_utilities.less
- helper_js_global
- help_page
- login
- member_shared_ips_list
- report_view
- setup_fa.less
As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.