XF 2.1 Welcome to XenForo 2.1 / Assorted improvements


Active member
BB code and rich text editing for profile posts and comments

For some communities, profile posts are an essential factor in helping your members to engage with each other. Yet the overall experience in terms of creating this content isn't quite as advanced as, say, standard forum posts. So we thought it was time to change that :)

Creating profile posts now allows you to use the rich text editor, full BB code (and Markdown), smilies and everything that comes with it.

Profile post pages can have quite a few editors on the screen at any given time. Trying to initialise all of the rich text editors on page load would be fairly intensive, so we have added a new deferred initialisation so that we only load the editor when you click on it, as demonstrated by the above two screenshots.

Here's a completed profile post with some richer formatting:

You may notice something else slightly different here too. To comment on profile posts you previously had to click a "Comment" link in the profile post action bar.

The main issue with that is if you've got a long list of comments then you would have to scroll up to tap the Comment link. As you can see above we now have a "Write a comment..." input directly below the list of comments. Clicking this, as mentioned above, loads the editor which, again, also supports rich formatting:

In case you prefer the old approach to triggering the comment input, then we still support that too. You would just enable this style property:

You have a bug in the text editor. When I click in the text editor for the first time, it will send me to one line below. see this video:

Last edited:

Chris D

XenForo developer
Staff member
This isn't the right place to report bugs but, regardless, this is a known issue which is fixed in a future version of the editor.


New member
Welcome to XenForo 2.1!

We said there would be something special accompanying the final HYS in this series for XF 2.1, and here it is. This is your first opportunity to help us put the new feature set through its paces.

We also said there would be a number of other miscellaneous changes/improvements to show you, so read on for more 👇


Well-known member
New authentication configuration

Now we have finally said goodbye to PHP 5.4 we can begin to improve even further our tools used to create and verify password hashes. Since XF 2.0 we have already attempted to use the following functions which were added in PHP 5.5 if they were available:
Now everyone will be running PHP 5.6 as a minimum, we can solely use these native PHP functions for all our password hashing needs.

Since XF 1.2 we have used Bcrypt for our password hashes, this was before it was even natively supported by PHP and even today it remains to be the default hashing algorithm for even PHP 7.2 and 7.3.

But, over time, PHP will add additional hashing methods, and it would be ideal if we could just support them out of the box without us having to make any code changes. The aforementioned functions serve as a consistent interface and therefore get us part of the way there towards being that flexible, but until now there wasn't actually a straightforward way to use a different algorithm if one was available, or support a more granular configuration.

However, PHP actually has implemented (technically) two new password hashing algorithms based around Argon2. This was first introduced in PHP 7.2 using a variant known as Argon2i and it is further improved in PHP 7.3 using a variant known as Argon2id.

By default, XF will always aim to use the default or most widely supported password hashing algorithm available, so in this case that is still Bcrypt. But should you have an appropriate PHP version and the required prerequisites installed (PHP has to be compiled explicitly with Argon2 support) then we should allow you to use that, so in XF 2.1, now you can. And it's as simple as a couple of additional lines in src/config.php.

The following will enable Argon2i support if you're using PHP 7.2:
$config['auth'] = [
   'algo' => PASSWORD_ARGON2I
The following will enable Argon2id support if you're using PHP 7.3:
$config['auth'] = [
   'algo' => PASSWORD_ARGON2ID
And, although not required because the PHP defaults should be sufficient (and will potentially increase over time), you can even make your password hashes even more secure by passing in additional parameters to control various cost factors:
$config['auth'] = [
   'algo' => PASSWORD_ARGON2ID,
   'options' => [
      'memory_cost' => 1<<17,
      'time_cost' => 4,
      'threads' => 2
Thanks to the flexibility of the password hashing API in PHP, any changes to the algorithm and options will automatically cause existing passwords to be rehashed when a user logs in.

Although we'd highly recommend using the latest PHP version we support, and also recommend using Argon2i/id hashing where available, you do have to plan carefully should you ever need to downgrade PHP or move to a different server. If Argon2 suddenly becomes unavailable for any reason, then you will likely encounter errors and be unable to verify any passwords without doing a password reset first.
This post was the only info I could find about this, there doesn't seem to be anything in the docs. Might be worth adding a section.


Active member
Not even on our radar at the moment.

And, worth noting, even if it was, it wouldn't actually necessarily be a rewrite as XF 2.0 was. I'd like to think the lengthy work we did between 2014 and 2017 has given us a strong code base which lasts for years to come.
so! we hope to have other interesting things coming!


Active member
And, worth noting, even if it was, it wouldn't actually necessarily be a rewrite as XF 2.0 was. I'd like to think the lengthy work we did between 2014 and 2017 has given us a strong code base which lasts for years to come.
It is very strong. I love the code you guys write. I am learning a lot and really enjoy the flexibility of the add-on system. It is unmatched.