XenForo 1.4.8 Released (Includes Security Fix)

Today, we are releasing XenForo 1.4.8. This release addresses two potential security vulnerabilities and fixes a number of bugs found since the release of 1.4.7. We recommend that all customers running XenForo 1.4 upgrade to 1.4.8 or use the attached patch file as soon as possible.

The two security issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.
  • In the notices system, the name token was not escaped as expected. This could allow specially crafted requests to trigger an XSS for guests (or for a registered user to trigger an XSS on themselves).
  • In the filter list system in the admin control panel, dynamic highlighting when filtering did not escape output properly, potentially triggering an XSS against the user viewing the page.
Thanks to Diego Palacios for reporting these two issues.

In addition, some of the bugs fixed in 1.4.8 include:
  • Improved performance in the rich text editor.
  • Fixed trophies not being awarded at session creation as expected.
  • Fix certain cases where the image proxy would unexpectedly fail to detect a valid image.
  • Support downloading attachments with UTF-8 file names in IE.
  • Ensure a more correct following count is shown when viewing a member's profile in some cases.
  • Throw an error when sending a warning and only one of the conversation title or message box has been completed.
  • Fix an incorrect permission check over viewing the moderator actions taken against a thread.
  • Fix incorrect logic relating to the DNSBL cache used at registration.
  • Prune drafts hourly rather than daily.
  • Fix a situation where the spam cleaner would not remove replies by a spammer to their own thread.
  • Ensure that there is no default text decoration on <abbr> tags in Firefox.
  • Use a new "simple" BB code formatter when creating snippets for RSS feeds to prevent unexpected code from running.
  • Update the bundled version of jQuery Migrate to 1.2.1.
  • Copying from the template preview in template modifications did not maintain line breaks in Firefox.
  • Fix an issue importing older attachments from SMF.
  • Fix an issue where the vBulletin importer could infinitely loop.
See the Resolved Bug Reports forum for further information.

The following template has had changes:
  • xenforo_reset.css
Where necessary, the merge system within the "Outdated Templates" page should be used to integrate these changes.

All customers with active licenses may now download the new version from the customer area.

Applying a Fix: Upgrading
You may upgrade to 1.4.8 to fix this issue. You should upgrade as you would to any other release.

Customers with an active license may download 1.4.8 from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.

Applying a Fix: Patching
Alternatively, this issue can be fixed by applying the patch in the attached file. You should simply overwrite the following files with the versions attached to this message:
  • js/xenforo/filter_list.js
  • js/xenforo/full/filter_list.js
  • library/XenForo/ViewRenderer/HtmlPublic.php
The files can be found at the same path within the attachment.


  • xf-patch-148.zip
    9.1 KB · Views: 631