bug

We're starting to see Twitter links that use x.com instead of twitter.com posted on our forums, despite the fact that x.com redirects to twitter.com. The "Share" button on tweets now gives an x.com URL. As such, match_urls should be updated to include x.com. Other XF customers also appear to...

Here’s an example with PayPal: Alice subscribed to an upgrade with monthly payments. For whatever reason, Alice’s bank declines the payment the following month. XenForo downgrades Alice when payment lapses, as it should. Alice notices that she no longer has an active upgrade and goes to the...

Good Morning Community. After upgrading to latest forum build i face an strange bug. did someone having the same issue?

Several calls to AbstractAdapter#executeTransaction in the UserAlert repository pass the ALLOW_DEADLOCK_RERUN option, but that option can't be combined with entities unless forceSet is set on the affected entities. Any attempt to re-run the closure in response to a deadlock will result in a...

Replacements it performs: % -> \% _ -> \_ However, it neglects to perform: \ -> \\ This means input such as this: \% Will become: \\% Which MySQL/MariaDB will interpret as a literal backslash followed by a LIKE wildcard. While this could theoretically result in security vulnerabilities in...

The following URL will result in a 404 with MariaDB but an exception with MySQL 8.0.x: https://xenforo.com/community/help/%c0a Furthermore, the exception may fail to log to the database and third-party monitoring services (in our case, Datadog). This tends to be triggered often by...

Facebook use to periodically verify their developers applications compliance, so one of their staff members contacted me complaining that I had to provide a test user account, so they could verify my application work flow and compliance as it seemed that it wasn't being used properly by my app...

Alice creates a thread in forum 1. The discussion_state is visible, so the forum's last_post_* and last_thread_* fields are updated. Bob creates a thread in forum 1 after Alice, but during the same second. The discussion_state is moderated or deleted. The latter state should never happen...

$ php cmd.php xf:upgrade Current version: 2020672 Upgrade target: 2020770 (2.2.7) Are you sure you want to continue with the upgrade? [y/n] y All upgrade steps run up to version 2.2.7. Importing... Master data (Templates) Rebuilding... Phrases . Rebuilding... Permissions . Rebuilding...

convertIpStringToBinary fails in some scenarios because it tries to handle a situation in which the input has already been converted. It would probably be better if it were just simple wrappers around inet_pton(). In particular, a valid IPv6 address in its string representation can be a valid...

Currently, email queue processing works roughly like this: Mark entry as being processed by setting send_date 15 minutes into the future. If marking failed, it's already being processed; skip this item. Deserialize mail_data. If deserialization failed or is not an instance of...

When a thread is deleted, XF\Entity\Thread#_postDelete() fails to clean some tables, such as xf_thread_watch. At the end of the method, it cleans thread reply bans: $db->delete('xf_thread_reply_ban', 'thread_id = ?', $this->thread_id); I would expect it to handle xf_thread_watch and...

In PHP, some comparisons with == or in_array may return true when the programmer expects them to return false. For example, "00" == "0000" is true in PHP, as is in_array("00", ["0000"]). XenForo 2 performs loose comparisons in some places that can potentially result in bugs...

The inlinemod cookies, such as xf_inlinemod_conversations, currently have an unbounded size. Cookies aren't really supposed to be > 4 KiB, but it's not too difficult for an end user to end up with a cookie far larger than that just by selecting several pages of conversations for deletion. From...

RSS generated for posts with embedded attachments may contain code such as the following: <content:encoded><![CDATA[<div class="bbWrapper"><b><i><span style="color: #ff0000">Test</span></i></b><br /> <br /> <script class="js-extraPhrases" type="application/json"> {...

Steps to reproduce: Create a new thread with a unique tag. That tag must not be used anywhere else. Click the tag edit link in the thread to edit its tags. Click the "x" next to the tag to remove it. Submit the form by clicking "Save", but do not refresh or navigate away from the page. The tag...

It's possible to create a warning definition with: 1. a title that is longer than the maximum length of a warning title 2. a conversation title that is longer than the maximum length of a conversation title There won't be any error when the warning definition is created, nor will there be any...

not sure where to report this... https://xenforo.com/docs/dev/general-concepts/ links to 'controller-basics' pages here are 404's.

Hi, I don't know how to explain the issue but you can see the image below: My forum is RTL (Arabic) and the feature seems not RTL compatible. Best Regards,

Currently (XF2.2.2), when a user doesn't have a password set for their account and requests a password via the "Password and security" page, they can send any number of requests without any restrictions. Of course, they can only flood their own email account in such a way, but this also...