Fixed Resource automatically followed when BB Code instructs browser to request `/download` path of a resource.

alexD

Well-known member
Affected version: Up until current one
Some bullet points that hopefully explain the issue:
  • One of the most visited pages of a XenForo installation might be the What's New page.
  • The Latest Profile Posts section allows use of BB Codes.
  • Admins and moderators who find themselves downloading a lot of resources (to make sure the community guidelines are being followed) usually enable a profile setting so that they do NOT automatically subscribe to / follow a resource upon download.
  • Image proxying doesn't work on same domain so the URL is loaded as is. The [IMG] tag runs the /download GET request successfully.
  • Lazy loading helps somehow with the issue, preventing the download until the IMG appears in the visible viewport.
You can visit https://xenforo.com/community/profile-posts/32305/ and view the BB Code of my post. Most users who will visit it will get subscribed to an unmaintained old version of a resource of mine. In the case I upload a new version for this resource, the users will be notified.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XFRM release (2.2.5).

Change log:
Forbid resource downloads to be embedded as images
There may be a delay before changes are rolled out to the XenForo Community.
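
A server-side check in the spirit of the change-log entry above, as an added example that is not XenForo's or XFRM's actual fix: it refuses a download request that the browser issued as an image load. The function name and the sample header sets are assumptions constructed for illustration.

```php
<?php
// Added example, not XenForo/XFRM code. Names and sample headers are constructed.

/**
 * True when a GET for a download route was issued by the browser as an
 * image load (for example an <img> rendered from an [IMG] BB code).
 */
function isImageEmbedRequest(array $headers): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);

    // Fetch Metadata: current browsers state the request destination.
    // An <img> load sends "image"; a clicked link sends "document".
    if (isset($h['sec-fetch-dest'])) {
        return strtolower(trim($h['sec-fetch-dest'])) === 'image';
    }

    // Heuristic fallback for clients without Fetch Metadata: image loads
    // usually list an image/* type first in Accept, navigations list text/html.
    $accept = $h['accept'] ?? '';
    $first  = strtolower(trim(explode(';', explode(',', $accept)[0])[0]));
    return strncmp($first, 'image/', 6) === 0;
}

// Constructed header sets for the two ways /download can be requested.
$samples = [
    'clicked link'                   => ['Sec-Fetch-Dest' => 'document', 'Accept' => 'text/html,*/*;q=0.8'],
    '[IMG] embed'                    => ['Sec-Fetch-Dest' => 'image', 'Accept' => 'image/avif,image/webp,*/*;q=0.8'],
    'clicked link, no Fetch Metadata' => ['Accept' => 'text/html,application/xhtml+xml,*/*;q=0.8'],
    '[IMG] embed, no Fetch Metadata'  => ['Accept' => 'image/webp,image/*,*/*;q=0.8'],
];

foreach ($samples as $label => $headers) {
    // Refuse before any side effect (download count, auto-watch) is applied.
    $verdict = isImageEmbedRequest($headers) ? '403, no side effects' : 'serve download';
    printf("%-32s => %s\n", $label, $verdict);
}
```

A client that sends neither signal is treated as a normal download, so this filters browser-initiated embeds rather than acting as an access control.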