Recent content by Steffen

  1. Steffen

    Invalidate Session on 2FA Activation/Change

    It seems like it's best practice to invalidate other sessions on 2FA activation/change ([1], [2]). At the moment, XenForo seems to invalidate other sessions on password change but not on 2FA activation/change. The scenario goes like this: Log in to the same account with two different browsers...
  2. Steffen

    "Register using Google" (and probably others) creates xf_ip entry for action "avatar_update" with user_id=0

    XF\Pub\Controller::setupConnectedRegistration calls XF\Service\User\Registration::applyAvatarFromUrl which in turn calls XF\Service\Avatar::updateAvatar which finally calls its own writeIpLog method. It seems like at this point in time XF::visitor()->user_id is still 0 which causes entries in...
  3. Steffen

    "Messages have been posted since you loaded this page": Please also indicate if a thread has meanwhile been closed

    It would be nice if XF\Pub\Controller\Thread::actionDraft did not only check for new replies but for the thread's discussion_open state, too. This would prevent users from typing lengthy replies only to find out that the thread has meanwhile been closed by a moderator. Simply adding a second...
  4. Steffen

    XF 2.2 Pruned 25k members and now the server is grinding to a halt

    Pruning 50k users has just resulted in a downtime for us because of the resulting XF:UserDeleteCleanUp jobs and the expensive query in XF\Reaction\AbstractHandler::updateRecentCacheForUserChange in particular. Our xf_post table has roughly 28,000,000 rows and there are roughly 200,000 rows in...
  5. Steffen

    Fixed "Insert link" doesn't respect cursor position anymore since XenForo 2.2.13

    Place the cursor between two words, then click the "Insert link" button, enter a URL + link title, click the "Insert" button. Expected result: The link should be inserted at the cursor position. What actually happens: The link is inserted at the start of the line. The issue does not exist...
  6. Steffen

    Pressing delete key in empty quote can move-up text from following quote

    Consider this situation: Now place your cursor at the beginning of the first quote. Continue to press the "Delete" key until the quote is empty. Now press "Delete" once more. This is the result: The text from Bob's quote has been moved up into Alice's quote. I don't know enough about...
  7. Steffen

    Compatibility for CSRF protection & Cloudflare full HTML page caching

    True. IMHO that should be changed (i.e. turn these into POST requests). In modern browsers (unfortunately not in Safari, as always ;)) there is even a solution for GET requests: https://web.dev/fetch-metadata/ (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site) I'd guess...
  8. Steffen

    CSRF token not always updated with XF.KeepAlive.refresh()

    CSRF-checking for POST requests is possible without CSRF tokens nowadays: https://xenforo.com/community/threads/compatibility-for-csrf-protection-cloudflare-full-html-page-caching.202315/post-1609573
  9. Steffen

    Compatibility for CSRF protection & Cloudflare full HTML page caching

    What do you think about relying on the "Origin" HTTP header instead of CSRF tokens? Afaik, the last major browser that got reliable support for this was Firefox 70 in 2019. You could even fall back to the "Referer" header for even older browsers (then only really old browsers that for some...
  10. Steffen

    Merge urls which span lines

    I can confirm that this does the trick (though I don't know enough about this code to say anything about unwanted side-effects).
  11. Steffen

    Future fix Froala: Copying to text editor duplicates line-breaks

    One of our users has noticed another consequence of XenForo's usage of $.FroalaEditor.ENTER_P. Consider this BB code: Now let the editor convert this BB code into HTML: <blockquote> <p><a href="https://www.xenforo.com/" target="_blank">Line 1</a></p> <p><a href="https://www.xenforo.com/"...
  12. Steffen

    Fixed Merging a user's newly created thread into another thread leaves no trail in his "Latest activity" tab

    Create a new thread. This creates a "posted the thread" entry in the user's "Latest activity" tab. Now merge this thread into another thread. This removes the "Latest activity" entry (fine) but doesn't create a new "replied to the thread" entry (as it would exist had the user replied to the...
  13. Steffen

    Duplicate Email confirmation is bypassed when registered user is moderated by spam check

    This does not help when the given email address exists and belongs to another person (who then complains rightfully that you are sending them email although there has never been a double-opt-in).
  14. Steffen

    Fixed BannedUsers spam check matches all users if Ip::convertIpStringToBinary returns false

    In the method XF\Spam\Checker\BannedUsers::check, if calling Ip::convertIpStringToBinary() returns false (*) then the finder call ->where('ip', $ip) builds the condition `xf_ip`.`ip` = 0 which MySQL evaluates to true for nearly all strings (see e.g...
  15. Steffen

    Fixed Editor: Backspace key unexpectedly deletes line-breaks above caret that were created using Shift+Enter

    At the end of this line I'll hit Shift+Enter (not just Enter) twice to create two line-breaks. Now when I hit the delete key anywhere in this line here, one of the two line-breaks above is removed unexpectedly. It seems like Enter creates a new paragraph (<p>) whereas Shift+Enter creates a...