Setting a column definition's changeLog property to true results in the wrong code path being taken; it's interpreted as 'changeLog' => 'customFields'. This is problematic when optIn is enabled, since the intention is to set changeLog to true in that scenario.
Lines 58-65 of the ChangeLoggable...
Currently, there's no locale-invariant timezone. The available UTC-ish timezones are subject to change and discrepancies such as DST; for example, Europe/London is currently in DST, so it's UTC+1 instead of UTC.
This isn't great for global forums. We'd like to have a culture-agnostic...
This was initially submitted as a potential security vulnerability via the contact form, but it was deemed to be a standard bug, not a vulnerability.
Under certain circumstances, users can bump each other out of conversations. When this happens, there is no way for a user to rejoin the...
Typically, I expect the following behavior:
Mouse cursor is over a button.
Left mouse button is depressed.
Mouse cursor is moved elsewhere on the page.
Left mouse button is released.
Some websites, including XenForo, perform one of the following unexpected actions in place of...
Is it possible to override options from config.php in XF2? For XF1 development, we patched XenForo to permit options to be overridden from config.php; we could then distribute a template config.php to our developers with sane defaults. However, this required us to maintain a variety of...
This also applies to 1.x, which is what I'm personally interested in, but it seems to be an issue on XenForo.com as well, which I assume uses 2.x.
We're getting CSP reports indicating that when users attempt to embed images in posts using the WYSIWYG editor, the image is loaded directly without...
In Model/User.php, function follow, around line 1760:
The ordering of beginTransaction and removeDuplicateFollowUserIds is wrong. Because removeDuplicateFollowUserIds is performed outside the transaction, a race condition occurs. If the user is experiencing internet connectivity issues and...
Anyone who can see an item in the moderation queue can approve or delete it. The permissions required to view a thread or post in the moderation queue are view, edit any, and delete any. approveUnapprove should probably be in there as well, but that's only used for the inline moderation tool...
In XenForo_DnsBl, the necessary code for three blacklists exists:
Project Honey Pot
The method for Spamhaus isn't referenced anywhere, so that leaves Project Honey Pot and Tornevall. This is what the control panel says on those:
Looking at the code, that description is...
If the accept form is visited without a redirect querystring parameter (e.g., /misc/accept-privacy-policy), an infinite redirect loop will occur when the user accepts, resulting in an ERR_TOO_MANY_REDIRECTS error in Chrome.
Searching for a user results in a dropdown in several places (/members/, @-tags, /admin.php?users/). This results in a JSON response, in the form:
Both the avatar and username...
This is probably the same as https://xenforo.com/community/threads/1-5-20a-upgrade-issue-have-to-accept-privacy-policy-twice.147733/, but I've included steps for reproducing it.
If a moderator edits a title by clicking Edit -> More Options... and then editing the title in the thread form, it doesn't appear in the Moderator Log, and clicking Thread Options -> Moderator Actions in the thread doesn't show the change. However, if a moderator edits the title by clicking...
$typeAndId = XenES_Api::getTypeAndIdFromHit($result);
$record is the wrong variable here and will result in an exception...