Fixed Resource automatically followed when BB Code instructs browser to request `/download` path of a resource.

alexD

Well-known member
Affected version
Up until current one
Some bullet points that hopefully explain the issue:
  • One of the most visited pages of a XenForo installation might be the What's New page.
  • The Latest Profile Posts section allows use of BB Codes.
  • Admins and moderators who find themselves downloading a lot of resources (to make sure the community guidelines are being followed) usually enable a profile setting so that they do NOT automatically subscribe to / follow a resource upon download.
  • Image proxying doesn't work on same domain so the URL is loaded as is. The[IMG] tag runs the /download GET request successfully.
  • Lazy loading helps somehow with the issue, preventing the download until the IMG appears ini the visible viewport.
You can visit https://xenforo.com/community/profile-posts/32305/ and view the BB Code of my post. Most users who will visit it will get subscribed to an unmaintained old version of a resource of mine. In the case I upload a new version for this resource, the users will be notified.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XFRM release (2.2.5).

Change log:
Forbid resource downloads to be embedded as images
There may be a delay before changes are rolled out to the XenForo Community.
 
Back
Top Bottom