[!CAUTION] v2.3.6 is a bug-fix release for sites on v2.3.5 or earlier. Upgrade from v2.3.5 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.6, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.

Highlights

• [Security] Command injection in resize_image() (GHSA-3j33-c9v4-4p42). The ImageMagick convert command line did not shell-escape its destination filename; reachable via news submission with the right combination of prefs. (https://github.com/e107inc/e107/commit/794a179f)
• Host-header recovery for sites locked out by v2.3.4 / v2.3.5. The GHSA-7pmw-jwvr-cq2x killswitch now case-folds, strips www., and strips trailing ports before comparison, and returns a logged 503 instead of a bare die(). Closes #5627 and #5634. (https://github.com/e107inc/e107/commit/aba3b169)
• trusted_hosts SitePref for parked, staging, and multi-host setups. Authorise additional incoming hostnames from Admin → Preferences without touching e107_config.php. (https://github.com/e107inc/e107/commit/c2bb246b)
• PHP 8 fatal-error sweep. thumb.php (#5664), fpw.php on v1-style themes (#5653), the FAQ cron registration, and the admin nav / user-handler bare-constant reads all stop crashing on PHP 8. (https://github.com/e107inc/e107/commit/59aef4f1, https://github.com/e107inc/e107/commit/02a79729, https://github.com/e107inc/e107/commit/0635801a, https://github.com/e107inc/e107/commit/b1290139)

For Administrators

Added

• trusted_hosts SitePref. New textarea below the Site URL row in Admin → Preferences. Paste additional hostnames one per line (e.g. staging.example.com, example.org); the server-side normaliser strips schemes/paths and de-duplicates case-insensitively, so https://staging.example.com/ saves as staging.example.com. The pref is purely additive: requests whose Host matches the configured siteurl continue to pass without listing it here. Ref GHSA-7pmw-jwvr-cq2x, #5627. (https://github.com/e107inc/e107/commit/c2bb246b)

Changed

• Host-header validation (security). www. and the bare apex now match each other, hostnames compare case-insensitively, and trailing ports are stripped before comparison, so https://example.com:8080/ matches https://example.com/. Sites that were stuck on the "Site Configuration Issue Detected" page after upgrading from v2.3.3 should now boot again without manual SQL edits.

  The check itself still requires the request Host to match the configured siteurl (or fall under one of its subdomains, or be listed in trusted_hosts). Ref GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/aba3b169)

• Host-mismatch response. The bare die('Site Configuration Issue Detected. ...') that returned 200 OK with one line of plain text is replaced by a 503 Service Unavailable with a short HTML body that points the operator at the server error log. The diagnostic detail (configured siteurl, request Host) is written via error_log(), which previously sat after the die() and never fired.

  The visible page intentionally does not echo the incoming Host, the configured siteurl, or any admin URL. The diagnostic surface stays in the log, which already requires server access. (https://github.com/e107inc/e107/commit/aba3b169)

Fixed

• Thumbnail rendering on PHP 8. thumb.php boots the framework directly without class2.php, so E107_DEBUG_LEVEL was never defined for that request; the first call that opened a DB handle (typically when the SitePrefs disk cache was cold) hit a PHP 8+ fatal in e_db_pdo::__construct() and broke every thumbnail on the site. Now guarded with defset(). Fixes #5664. (https://github.com/e107inc/e107/commit/59aef4f1)
• Thumbnail database credentials. With the E107_DEBUG_LEVEL fatal out of the way, thumb.php then failed with SQLSTATE[HY000] [2002] No such file or directory because its manual bootstrap chain never populated the MySQL config the PDO connector reads. The bootstrap now routes through e107::initCore() (the same call class2.php uses), so credentials are set before the first DB call. Follow-up to #5664 / #5665. (https://github.com/e107inc/e107/commit/02a79729)
• Forgot-password page on v1-style themes. fpw.php fataled with Undefined constant LAN_112 when the active theme had no theme.xml (the legacy theme path uses e107_core/templates/legacy/fpw_template.php, which still references the old constant). The BC shim that mapped LAN_112 → LAN_FPW22 only fired in the members-only branch; it now fires before every downstream template require, regardless of branch. Fixes #5653. (https://github.com/e107inc/e107/commit/d9725b91)
• Other legacy templates. Any legacy core template under e107_core/templates/legacy/ that referenced a dropped v1.x LAN_* constant could fatal on PHP 8 with a single missed reference. e107::predefineLegacyLans() now tokenises each legacy template before it loads and auto-defines any missing LAN_* with its own name as a value, emitting an E_USER_WARNING per auto-define so the maintainer trail stays visible. Wired into the six legacy require sites (fpw.php ×2, search.php, signup.php, user.php, usersettings.php). Refs #5653. (https://github.com/e107inc/e107/commit/b1290139)
• Admin navigation icons and user-handler permissions on PHP 8. sitelinks_class::setIconArray() built the admin nav map from ~40 E_32_* constants and user_handler::$core_perms referenced dozens of ADLAN_* / ADMSLAN_* / E_16_* / E_32_* entries, all loaded lazily by the admin language file as bare reads. PHP 8 promotes bare reads of undefined constants to fatal Errors, so any caller that hit these before the admin language file loaded crashed. Both sites are now wrapped in defset() so the undefined case returns the empty default. (https://github.com/e107inc/e107/commit/0635801a)
• FAQ plugin cron registration on PHP 8. e107_plugins/faqs/e_cron.php referenced LANA_FAQ_CRON_1, LANA_FAQ_CRON_2, and LAN_AUTOMATION at admin cron-registration time, which runs before English_admin.php is loaded. PHP 8 turned the bareword fallback into a fatal; the registration path now uses defset(). (https://github.com/e107inc/e107/commit/21f7b584)
• strftime() deprecation on PHP 8.1+. StrptimeTrait::buildMonthArrays() called PHP's strftime() to localise month names. PHP 8.1 deprecated the function and PHP 9 will remove it, so the @-suppressed call still landed in error_log. Both calls are now routed through the eShims::strftime() polyfill that already exists in the tree. (https://github.com/e107inc/e107/commit/295ce2a1)

For Developers

Added

• e107::predefineLegacyLans($path) token-scan safety net for legacy templates. Tokenises the requested template, finds bare LAN_* token references (skipping function/method/class/static contexts and call sites), and define()s any that are still missing with their own name as value. Token extraction is cached on hash_file('sha256', $path) keyed entries (APCu when available, otherwise a file under e_CACHE); a process-local memo short-circuits repeat resolutions. Warm-cache cost is roughly 6 µs vs the ~4 µs baseline.

  Wired into fpw.php, search.php, signup.php, user.php, and usersettings.php. The wrappers call it immediately before the existing require/include so caller-scope template variables ($FPW_TABLE, $SIGNUP_BODY, etc.) remain assignable. Refs #5653. (https://github.com/e107inc/e107/commit/b1290139)

• trusted_hosts SitePref plumbing. A new e107::isAllowedHost() private helper composes the allow-list from parse_url(siteurl)['host'] plus the entries saved in trusted_hosts. The pref reads as a newline-separated list; the saver normalises (scheme/path strip, case-fold dedup) before writing back. (https://github.com/e107inc/e107/commit/c2bb246b)

• Docker-based parallel test environments. e107_tests/bin/e107-tests is a new CLI that spins up an isolated PHP + Apache + MySQL stack per worktree (up | down | reset | clean | install | urls | status | logs | shell | db-shell | exec | run | list). Each worktree + matrix combo gets a deterministic compose project name derived from the worktree path, so parallel sessions never collide on container names, networks, volumes, or host ports. A new config.docker.yml layer slots into the existing config cascade (sample → yml → docker → local).

  Existing deployers (local, sftp, cpanel, none) and the CI workflows are untouched. (https://github.com/e107inc/e107/commit/9b5f40ea)

• Test coverage. resize_handlerTest exercises the ImageMagick branch of resize_image() with three command-substitution payloads and asserts no marker file is created and no id-style output leaks into a filename. e107HostValidationTest covers the case-fold, www-strip, and port-strip behaviour of e107::isAllowedHost() plus trusted_hosts composition. e107RequireLegacyTemplateTest covers the tokeniser context filtering, define/warn behaviour, scope preservation, missing-file return value, and the #5653 regression case. (https://github.com/e107inc/e107/commit/794a179f, https://github.com/e107inc/e107/commit/c2bb246b, https://github.com/e107inc/e107/commit/b1290139)

Changed

• language::bcDefs() no-argument default expanded. The boot-time call from class2.php:590 previously defined only LAN_180 → LAN_SEARCH. Legacy templates that referenced any other dropped v1.x constant whose replacement happens to live in English/English.php still fataled on PHP 8. The default now covers ~20 boot-resolvable aliases: generic actions (LAN_406 / LAN_419 / LAN_435), the v1 download prefix (LAN_dl_7..LAN_dl_35), and a defined-as-empty group for dropped-without-replacement constants.

  Conflict policy: where the same legacy constant had divergent mappings across per-entrypoint shims (LAN_7..LAN_10, LAN_112, LAN_122, etc.) the global default deliberately omits them and per-entrypoint shims remain authoritative. Mappings whose replacement lives in a lazy lan_*.php cannot be resolved at boot (defined() returns false and the entry silently no-ops); those are still handled by per-entrypoint language::bcDefs() calls after the relevant e107::coreLan(). Refs #5653. (https://github.com/e107inc/e107/commit/d2ef6b10)

• Host comparison helper. A new e107::normaliseHost() lowercases, strips a trailing ort, and strips a leading www. before comparison. Plugins that previously did their own Host-header guards should switch to e107::isAllowedHost() so the trusted_hosts allow-list composes correctly. (https://github.com/e107inc/e107/commit/aba3b169)
• resize_image() shell escaping. The convert command line now passes the destination through escapeshellarg() and casts the integer geometry/quality args. If you maintain a fork or call resize_image() directly from a plugin, no migration is required, but any caller that previously relied on quoting the destination itself can drop that quoting. Ref GHSA-3j33-c9v4-4p42. (https://github.com/e107inc/e107/commit/794a179f)

Fixed

• thumb.php bootstrap. The manual bootstrap chain (prepare_request / setDirs / set_constants / ...) is replaced by e107::initCore() fed the same mySQL-prefixed $sql_info compact() array class2.php passes.

  Note the v2.3.x e107::_init() does not translate keys the way master's e107::setMySQLConfig() does, so the array must go in prefixed. The master-style str_replace('mySQL', '', $k) translation breaks v2.3.x because e_db_pdo still reads $config['mySQLserver'] etc. Follow-up to #5664 / #5665. (https://github.com/e107inc/e107/commit/02a79729)

• submitnews.php title slug. The slug used to build the destination filename for resize is now confined to [A-Za-z0-9_] before reaching resize_image(), so shell metacharacters never escape the filter even if a future caller relaxes the filename quoting. Ref GHSA-3j33-c9v4-4p42. (https://github.com/e107inc/e107/commit/794a179f)

• resize_handlerTest teardown sentinel. tearDown() ran even when setUp() had short-circuited via markTestSkipped() (CI images without ImageMagick); in that case $savedPref === null took the unset($GLOBALS['pref']) branch and wiped the global pref array for every following test in the shuffled unit-suite run. A prefMutated sentinel now flips true only after _before() mutates $pref, and _after() bails out early otherwise.

  Locally invisible because ImageMagick was usually installed and the early-skip branch wasn't taken. (https://github.com/e107inc/e107/commit/8cf19729)

• CI on the legacy PHP cells. actions/checkout@v3 was reclassified to a Node 20 action, which requires glibc 2.27+; the official php:5.6 / php:7.0 images are on Debian 9 (glibc 2.24) and the action errors before its main logic. The two legacy cells now use an inline git fetch + git checkout against the run SHA.

  The php:5.6 × mysql:8.0 and php:7.0 × mysql:8.0 combinations have also been dropped via matrix.exclude. Mysql:8 starts with character-set-server=utf8mb4 by default and the PDO driver in those PHP versions doesn't recognise the charset, failing the connection handshake before any test runs. (https://github.com/e107inc/e107/commit/d024d205, https://github.com/e107inc/e107/commit/756dc92c)

• Composer audit no longer blocks resolution. Composer 2.9.x refuses to resolve package versions affected by a Packagist security advisory at install time. Every twig/twig between v1.28 and v3.20 carries at least one advisory, leaving v3.26.0 as the only resolution candidate; v3.26.0 requires PHP 8.1+, so the PHP 7.4 cell of the unit-test matrix failed composer update. The test harness is dev-only and never ships with a release, so the audit's resolution-time block is now disabled via config.audit.block-insecure: false. composer audit still runs after install and reports any advisories. (https://github.com/e107inc/e107/commit/46351d1a)
• Matrix CI design restored. The "Collapse 5×5 matrix into one host-orchestrated job" experiment that landed during the v2.3.5 cycle was reverted: single jobs ran ~20 minutes end-to-end vs ~5 minutes per cell under master's parallel matrix, and exhibited intermittent docker / mysql container startup races at the per-cell DB pre-create step. v2.3.x CI is back to the matrix layout that mirrors master, with the legacy PHP cells extended via the inline-checkout and matrix.exclude pair above. (https://github.com/e107inc/e107/commit/da47684c)
• language::bcDefs() graveyard collisions on v2.3.x. Pre-defining LAN_199, LAN_406, and LAN_419 at boot collided with v2.3.x's lazy lan_search.php and lan_upload.php (which still use define(); master converted them to array form in #5465). PHPUnit's convertWarningsToExceptions=true escalated the "Constant already defined" warning and aborted mid-load. Those three entries are dropped on this branch; the lazy LAN files remain authoritative. (https://github.com/e107inc/e107/commit/f1b4bf27)

[!CAUTION] v2.3.5 is a security release for sites on v2.3.4 or earlier. Upgrade from v2.3.4 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.5, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.

[!IMPORTANT] v2.3.5 ships a single fix for a CSRF vulnerability in the AJAX comment moderation endpoints. Sites that allow user comments and have at least one logged-in moderator or admin should upgrade promptly.

Highlights

• [Security] CSRF on AJAX comment moderation (GHSA-m4hh-m278-jwg5). The AJAX delete, approve, and edit branches in comment.php previously executed when only the payload and the ADMIN gate were present, so a cross-origin POST without an e-token would still go through. A logged-in moderator visiting an attacker page could be made to block, approve, or edit comments without their knowledge. The endpoints now reject any mutation request that lacks a valid form token, and the front-end UI threads the token through the delete/approve/edit anchors so legitimate clicks keep working. (https://github.com/e107inc/e107/commit/a46a77a6)

For Administrators

Changed

• AJAX comment moderation (security). /comment.php?mode=delete, ?mode=approve, and ?mode=edit now return {"msg":"Unauthorized access!","error":true} when the request omits or fails the e-token check. The shipped front-end UI was updated in lockstep, so this is transparent for legitimate use. If you maintain a custom theme that replaces the comment-options or comment-edit shortcodes, see the developer note below. Ref: GHSA-m4hh-m278-jwg5. (https://github.com/e107inc/e107/commit/a46a77a6)

For Developers

Changed

• Comment-options shortcodes now emit data-token. comment_shortcodes::sc_comment_delete() and the comment-edit anchor render a data-token attribute populated from e_TOKEN. The corresponding handlers in front.jquery.js read it back and include e-token in the AJAX payload. If you ship a fork of these shortcodes or a custom AJAX client that talks to /comment.php, mirror the change — without it your delete/approve/edit calls will be rejected. Ref: GHSA-m4hh-m278-jwg5. (https://github.com/e107inc/e107/commit/a46a77a6)

  Token enforcement is local to comment.php for now. The central session_handler::check() still only validates the token when one is present. If you add new AJAX mutation branches to comment.php or to similar endpoints, guard them explicitly with e107::getSession()->checkFormToken($_POST['e-token']) until the central gate is tightened.

[!CAUTION] v2.3.4 is a bug-fix release for sites on v2.3.3 or earlier. Upgrade from v2.3.3 or earlier 2.x. If your site tracks the master branch, you are already past v2.3.4, so installing it would be a downgrade. v2.4.x is planned to be the next forward step.

[!IMPORTANT] v2.3.4 collects the most overdue work in the queue: security advisory fixes for password reset, comment editing, and Media Manager imports; the PHP 8.x compatibility patches that have been accumulating; and the bug fixes that really needed to ship. It's not a feature release; the goal is to give v2.3.x sites a stable point release they can adopt while v2.4 work continues separately.

Highlights

• [Security] Critical Broken Access Control on comment edit (GHSA-5w63-63rh-99q6). comment.php previously allowed any authenticated user to overwrite another user's comment by passing that comment's itemid. The updateComment() SQL now requires the row's comment_author_id to match the editor's USERID, so cross-user edits return "Update Failed" instead of succeeding silently. (https://github.com/e107inc/e107/commit/23961a8f)
• [Security] Server-Side Request Forgery in Media Manager imports (GHSA-92fr-7h4f-22pp). e_file::getRemoteFile() and getRemoteContent() now reject URLs that resolve to private, loopback, link-local, or otherwise reserved IP addresses, and limit cURL to HTTP/HTTPS. Sites that legitimately need to fetch from intranet hosts can opt back in by defining e_REMOTE_FILE_ALLOW_PRIVATE to true. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• [Security] Host Header Injection in password reset (GHSA-7pmw-jwvr-cq2x). The emailed password-reset link no longer trusts the incoming HTTP Host header. Requests with a Host that doesn't match the configured siteurl are rejected, and fpw.php now refuses to run at all if siteurl is unset rather than falling back to HTTP_HOST. (https://github.com/e107inc/e107/commit/04511f9f, https://github.com/e107inc/e107/commit/b0dee823, https://github.com/e107inc/e107/commit/c4f9f71b)
• [Security] Privilege hardening. Media Manager preferences and avatar settings now require Main Admin. The default userclass visibility and edit permissions are also Main Admin by default (previously Admin). (#5489, #5477)
• Admin area usability. Numerous fatal-error and rendering fixes across admin search, admin UI grids, mailout, polls, datetimepicker, phpinfo, and legacy admin pages. (#5211, #5464, #5271, #5473)
• Email reliability. Fixes to CC handling, DKIM identity, persistent-recipient leakage across sendEmail() calls, and IP logging in notifications. (#5498, #5535, #5545)
• PHP 8.x compatibility. Several warnings and fatals on PHP 8.0–8.5 removed from db_verify, thumb.php, file_class, theme_handler, and rating-/forum-info rendering. (#4501, #5443, #5482)
• Forum info restored. sc_foruminfo now renders active-user counts and the newest member again. Two long-standing bugs had been hiding the whole block: the SELECT for the newest user was commented out, and the e_TRACKING_DISABLED ternary condition was inverted so the block was only shown when tracking was disabled, which is never the default. (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/54e4b9de)

[!NOTE] A note from the maintainer, @Deltik:

v2.4 is going to need more time before it's at the quality level the e107 community deserves. Here's what's upcoming:

• MyISAM → InnoDB as the default engine, for crash recovery, row-level locking, and proper transactions
• utf8mb3 → utf8mb4 for native emoji support and full Unicode in usernames, posts, and comments
• Implicit FULLTEXT indexes that work on InnoDB, so search no longer pins us to MyISAM
• JWT-backed CAPTCHAs where the challenge carries its own server-signed solution token, eliminating the need to stash state in a guest session
• No more sessions for guests. Every anonymous visitor today gets a server-side session row; that goes away.
• New admin area skin with a collapsible sidebar, badges, and mobile navigation
• Bootstrap 5.3 + FontAwesome 6 UI refresh across the front-end and admin
• Admin change history with revert for auditable database edits
• Custom domains per page and static URL mapping for editorial control over URLs
• Schema.org (JSON-LD) support for better SEO, with news schema baked in
• Sitemap index support for sites past the single-sitemap limit
• Image alt-attribute management in Media Manager
• Plugin test runner so plugin authors can ship PHPUnit/Codeception tests with their plugins
• The community PR backlog finally getting reviewed and processed

For Administrators

Added

• Misconfiguration error on fpw.php when the siteurl preference is empty, so admins get a visible signal instead of silently broken password-reset emails. (GHSA-7pmw-jwvr-cq2x, https://github.com/e107inc/e107/commit/04511f9f)

Changed

• Comment editing (security). comment.updateComment() now scopes the SQL update to the editor's own user id, so cross-user comment edits via /comment.php?mode=edit are rejected. Ref: GHSA-5w63-63rh-99q6. (https://github.com/e107inc/e107/commit/23961a8f)
• Remote file fetching (security). e_file::getRemoteFile() and getRemoteContent() now block private, loopback, link-local, and reserved IP ranges by default and limit cURL to HTTP/HTTPS. Define e_REMOTE_FILE_ALLOW_PRIVATE = true to opt back in for intranet/self-hosted use. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• Password reset (security). fpw.php now refuses to process any request when the siteurl preference is unset, and builds the reset link from the pref directly rather than from SITEURL (which could be derived from HTTP_HOST). Ref: GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/04511f9f)
• Host header validation (security). The core URL bootstrap now rejects requests whose Host header doesn't match the configured siteurl or the site_hosts config entry, with subdomain support. Misconfigured setups now fail fast with a "Site Configuration Issue" message. (#5458, GHSA-7pmw-jwvr-cq2x, https://github.com/e107inc/e107/commit/b0dee823, https://github.com/e107inc/e107/commit/c4f9f71b)
• Media Manager permissions (security). Media Manager Preferences and Avatar settings now require Main Admin. Media Category management is restricted to the A2 permission. (#5489)
• Userclass defaults (security). Default userclass visibility and edit permissions now default to Main Admin instead of Admin. (#5477)
• Admin area theme gate. Non-bootstrap3 admin themes that were known to break the admin area are no longer accepted; the admin falls back to a working theme. (https://github.com/e107inc/e107/commit/3b7097e0)
• Site redirection. www. → bare-domain (and vice versa) handling was refactored out of class2.php into a dedicated method. (#5097)

Fixed

• Fatal errors on the admin search page (#5211), the admin-UI with custom method attribute+filter (#5464), the polls form column selector (#5271), and the plugin-repair extended-user-field path (#5483).
• Admin user area: avatar rendering (#5146), extended user fields restored after plugin refresh (#5483), unbanned users keeping "not verified" status (https://github.com/e107inc/e107/commit/e875515d), oversized navigation icons (#5345).
• Admin email/mailout: CC recipients added correctly, DKIM identity corrected, recipients no longer persist across multiple sendEmail() calls, core prefs no longer stored on instance, mailout mailer-type restriction that was blocking pref saves. (#5498, #5535, #4123, #5355)
• Admin log: query-speed optimization and indexing improvements, duplicate column removed from the rolling log, debug SQL query output. (#5490, #5473)
• Admin phpinfo page: responsive layout, dark-on-dark text readability in modern-light theme, refactored rendering for theme compatibility, and sidebar menu added to legacy admin pages. (https://github.com/e107inc/e107/commit/730245ef, https://github.com/e107inc/e107/commit/929f5494, https://github.com/e107inc/e107/commit/48b30bc8)
• Password reset: Bootstrap 5 fpw template rendering. (#5336)
• Avatars: remote file checks (#5146, #5387), missing-avatar fallback (https://github.com/e107inc/e107/commit/295a5dad), default avatar rendering (https://github.com/e107inc/e107/commit/81ae03c3), MIME type handling for remote images (#5387), .wav audio (#5390) and video dimension handling (#5396) in the media parser.
• Forum plugin: newforumposts_menu page rendering (#5340), shortcodes now use e_HTTP for online.php links (PR #5340), sc_foruminfo now renders the active-users block and the newest-member link (previously hidden by an inverted condition, with the underlying user lookup query commented out) (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/54e4b9de).
• Ratings: widget renders cleanly for items that have not been rated yet; previously a missing rating row triggered a PHP warning that became a fatal on PHP 8.5. (https://github.com/e107inc/e107/commit/db358ca1)
• News plugin: language loading (#5465), body/extended search scope (#5523).
• Signup: COPPA links updated (#5121), duplicate LAN_ERROR_* constants removed (#3438).
• Notifications: IPv4 format on user_ban_flood (#3612), IP populated in notify_class (#5545), mcp_token tracker ignored in application tracker (#5288).
• Core boot: database warning in class2.php (#5220), missing creation-log entry ID (#5317), config-hash handling (#5120), override-class conflict (#5114), SEF URL in the admin user-settings nav link (#5082).
• Download plugin: duplicate assignment in download_shortcodes (https://github.com/e107inc/e107/commit/c55de23b), missing DOWNLOAD_CAT_CAPTION template var initialization (https://github.com/e107inc/e107/commit/83bd620e, https://github.com/e107inc/e107/commit/a996b769).
• Theme modern-dark: admin nav dropdown alignment. (#5406)
• File Inspector: graceful handling of tmpfile() failure in phar loaders. (https://github.com/e107inc/e107/commit/da1b6f9c)

For Developers

Added

• e_file::isUrlSafe($url) helper that validates a URL against private/reserved IP ranges and the HTTP/HTTPS scheme; called by getRemoteFile() and getRemoteContent(). IPv4-mapped IPv6 inputs (e.g. ::ffff:127.0.0.1) are canonicalized to their IPv4 form before the range check so they cannot bypass it. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• Scaffold for XmlAdminIcons in plugin_class (with rename guard in media_class). (#5295)

Changed

• Comment ownership check. comment::updateComment() now constrains its SQL update to comment_author_id = USERID. If you maintain a fork or plugin that calls this method on behalf of another user (moderator tooling, cron-based imports), expect those calls to silently no-op and refactor toward a moderator-aware helper. Ref: GHSA-5w63-63rh-99q6. (https://github.com/e107inc/e107/commit/23961a8f)
• e_file SSRF defense. getRemoteFile() and getRemoteContent() reject URLs that resolve to private/loopback/reserved IPs and any non-HTTP(S) scheme; cURL CURLOPT_PROTOCOLS/CURLOPT_REDIR_PROTOCOLS are pinned to HTTP/HTTPS. IPv4-mapped IPv6 addresses are canonicalized to IPv4 before the range check, so ::ffff:10.0.0.1 is treated as 10.0.0.1 and blocked. Define e_REMOTE_FILE_ALLOW_PRIVATE = true in e107_config.php to bypass for legitimate intranet use. Ref: GHSA-92fr-7h4f-22pp. (https://github.com/e107inc/e107/commit/5f98cc9f, https://github.com/e107inc/e107/commit/40b2d111)
• Password reset link construction. fpw.php builds the reset URL from e107::getPref('siteurl') directly instead of the SITEURL constant. If you rely on SITEURL in similar contexts elsewhere, consider doing the same for anything that leaves the server (emails, webhooks, signed URLs). Ref: GHSA-7pmw-jwvr-cq2x. (https://github.com/e107inc/e107/commit/04511f9f)
• Language file tooltips. Inline tooltip LAN constants standardized; some constants were consolidated. (#5465)
• Permissions schema. Media Manager and userclass permissions tightened — plugins that depended on Admin (A) access to Media Manager prefs or avatars will now need Main Admin (0). (#5489, #5477)

Fixed

• PHP 8.x compatibility. Fatal errors and warnings removed from db_verify_class (#4501), thumb.php (https://github.com/e107inc/e107/commit/aaa71257), file_class (finfo/getimagesize warnings) (#4501), theme_handler empty path warning (#5482), validator_class fatal (#5443), rater::render() (https://github.com/e107inc/e107/commit/db358ca1) and sc_foruminfo() (https://github.com/e107inc/e107/commit/0e23f651, https://github.com/e107inc/e107/commit/8c390f4f) — PHP 8.5 promoted the "list() on false" case to a new fatal warning.
• e_parse::cleanHtml(). HTML5 void elements (, , etc.) are now normalized before serialization so saveHTML() output is identical across libxml versions. libxml < 2.13 parsed as non-void and captured following content as its child; the new pre-serialization pass promotes that content to a sibling, and a complementary post-saveHTML pass strips the stray (and other void-element closing tags) that older libxml still emits, so every libxml ends up with the spec-compliant form. (https://github.com/e107inc/e107/commit/b63d11a2, https://github.com/e107inc/e107/commit/87abb7f7)
• e_parse_class. Base64 image data-URL generation when a file is set (https://github.com/e107inc/e107/commit/bc6b51d4), avatar upload path handling (https://github.com/e107inc/e107/commit/105fe205).
• Plugin builder. Admin links, table-name test typo. (https://github.com/e107inc/e107/commit/8c319720, https://github.com/e107inc/e107/commit/d241ab64, https://github.com/e107inc/e107/commit/d4a665a2)
• Form handler. Help-icon rendering, optgroup class identifiers, DST-related test stability. (#5214, #5269)
• JavaScript. Invalid-element tab switch issue in admin/front JS. (#5230)
• Update routines. Clear update info after GitHub update in admin boot/db, minor update_routines.php tweak (#5481), warning suppression in admin/auth.php for invalid language values (#5443).
• Caching. Fatal in plugin_class.php cache-path resolution. (#5484)

Enjoy!

Features

• Add missing setMetaTitle() method to e_admin_response #5112
• Change length of newsfeed_image field in db #5108
• Add option to alt_auth plugin #5107
• Improve system notifications handling in the admin area. #5106
• Display current time when settings timezone in admin preferences. #5099
• Add option to e_file::getRemoteFile() to prevent time out on larger files or slow connections. #5098
• Allow developers to choose which fields to export in e107Export(). #5094
• Render favicon in admin area the same way as on frontend #5062
• Add option to email any critical error message to an admin #4986
• Add {NEWS_MODIFIED} shortcode for modified date #4978
• Add FontAwsome 6 support #4969
• Add support for PUT or JSON POST to e_file::initCurl() method #4941
• Provide more options to resize the rich text editor. (bbarea, Tinymce) #4927
• Allow plugins to provide their own routing for notifications. #4922
• Allow plugins to use their own email templates when using e107::getEmail()->sendEmail(); #4919
• Improved Database SQL Verify page use of space by using 3 columns. #4907
• Admin-UI: Allow for entry of Primary ID in create/edit modes if needed. #4906
• Enhance e107 to allow for third-party email address validation. #4900
• Update plupload #4887
• Add eventName to Featurebox like News #4841
• Add dedicated Pages/Menus "delete" perms #4827
• Allow plugins to create siteLinks in areas other than the main navigation. #4810
• Exclude the currently viewed news item for the 'latest news' menu. #4786
• Custom SEO title for News and Pages #4783
• Add This Week, This Month and This Year to Admin-UI date filtering options. #4778
• Allow developers to set the URL that users will be directed to after they log out #4777
• Add support for images in plugin-generated sitemaps. #4760

Fixes

• Comments without ajax issue #5111
• Cron Schedule might not trigger with some timezones set in the preferences. #5096
• Admin-UI: Using the label 'True' or 'False' in a select (dropdown) displays incorrect labels. #5093
• Plugin Builder - Generated customPage method contains an error. #5092
• Errors showing up in error_log when running cron. #5091
• Admin-UI: renderValue() of type boolean ignores custom true/false readParm string values when inline editing is not enabled. #5089
• activatejavascript.org as found in default header is a broken link #5087
• Array order not being retained by x-editable inline dropdown/checkbox list. #5083
• PHP 8.1 - Fatal error: Uncaught Error: Undefined constant "USERNAME" in ***ehandlersmail.php on line 451 #5080
• "Force user to update settings" breaks home page for logged in users on PHP 8 #5052
• An Admin with only "Quick Add User" permission can see all users and access inline edit for all #5045
• Force user to update settings causes fatal error im PHP 8.2 #5041
• sendEmail() may render an 'info' message "Could not access file:" under some circumstances. #5020
• Emptying browser cache adds "Empty Thumbnail Cache" to the system logs. #5017
• Admin-UI: Setting readonly=true for a field containing an array value, posts 'Array' in the form results. #5016
• e107 corrupts form-submitted array values when GET method is used. #5005
• Canonical URL is not consistent when parked domains are in use. #4994
• Fatal errors - userposts.php - IMODE is not defined #4966
• Banner plugin - banner_campaign is saving only first campain #4959
• $_GET contains 'configure' key on all pages of admin area. #4945
• Flexpanel layout is not working #4940
• Cron 'Last-Run' value in admin area is always empty #4933
• National characters in title are not converted to sef url correctly. #4925
• sendMail() not using latest PHPMailer methods. #4924
• data-modal-submit attribute fails when an input tag is used instead of a button tag #4923
• Anomoly with some plugins losing their entry from e_url_list after upgrading others. #4917
• FAQs - PHP 8 error #4916
• Bootstrap-notify won't display alerts in admin area #4915
• Wrong HTML markup for date field in advanced search #4904
• PHP 8 - Fatal error LAN_PLUGIN_DOWNLOAD_NAME in comment's search #4890

User Contributions

• Bump guzzlehttp/guzzle from 7.4.3 to 7.4.4 in /e107_tests by @dependabot #4791
• Bump guzzlehttp/guzzle from 7.4.4 to 7.4.5 in /e107_tests by @dependabot #4796
• Some corrections by @yesszus #4788
• 4844: File Inspector: Do not traverse above the base directory by @Deltik #4845
• 4830: Sensible no delete log in admin_log_ui::maintenanceProcess() by @Deltik #4831
• Add support for wrappers in contact menu by @Jimmi08 #4850
• Fix for #4860 and correct fix for #3983 - correct second authorization by @Jimmi08 #4864
• Login flow consistency: Do not use redirect in admin area login box by @Deltik #4865
• sef-url for RSS news - category news #4868 by @Jimmi08 #4870
• Add support for wrapper in custom menus by @Jimmi08 #4873
• Bump twig/twig from 3.4.1 to 3.4.3 in /e107_tests by @dependabot #4877
• Fix #4847 - mistypo in route by @Jimmi08 #4882
• add wrapper support on fpw page #4883 by @Jimmi08 #4884
• Fix for #4895 - wrong message chatbox plugin by @Jimmi08 #4896
• 4897 class parameter for CB_AVATAR shortcode by @Jimmi08 #4898
• Tests: MDEV-29446 workaround: Ignore COLLATE clause in SHOW CREATE TABLE by @Deltik #4913
• Hotfix for tests failing after PHP 8.2 released by @Deltik #4921
• missing national character from toAscii() by @Jimmi08 #4926
• 4929: Fix type mismatch in usage of e107forum::getForumClassMembers() by @Deltik #4931
• 4938: Workaround for PHP 8.2.0 segmentation fault / assertion error by @Deltik #4939
• Reintroduce automated acceptance tests by @Deltik #4943
• fix for ranks in top.php #4967 by @Jimmi08 #4975
• Fix news category breadcrumbs by @RichardBarrell #4982
• deprecated static::method() calls for PHP 8.2 by @Jimmi08 #4988
• news: Fix category link in both breadcrumb and menu by @Deltik #4984
• 4991: Fix improper array access in sc_signup_extended_user_fields by @Deltik #4993
• Bump guzzlehttp/psr7 from 2.4.3 to 2.5.0 in /e107_tests by @dependabot #4995
• partial fix #4517 - fix for settings of plugin.xml by @Jimmi08 #5029
• Fix #5025: Type error when sending a PM without the attachment field by @Deltik #5027
• Fix #5013 False Error if UEF type DBField has no records by @Jimmi08 #5014
• fix #5031 for false error when deleting plugin DB field by @Jimmi08 #5032
• Fix #4517 UEF settings in plugin.xml - fix for parms by @Jimmi08 #5033
• Fix #5000 user profile UEF change added to event by @Jimmi08 #5036
• fix for feed logo image #4866 by @Jimmi08 #5015
• fix for type checkboxes and filtering #4474 by @Jimmi08 #5048
• Missing preferences in bootstrap5 #4683 by @Jimmi08 #5058
• db_verify::getIndex(): Support index_col_name optional parts by @Deltik #5055
• Unify logic of e_user_model::checkAdminPerms() and getperms() by @Deltik #5070
• install.php: PHP 8.2 exception handler signature compatibility by @Deltik #5073

New Contributors

• @RichardBarrell made their first contribution #4982

Full Changelog: https://github.com/e107inc/e107/compare/v2.3.2...2.3.3

What's Changed

• Handle previously unhandled exceptions with social plugin and Hybridauth by @Deltik in #4643
• Bump twig/twig from 3.3.4 to 3.3.8 in /e107_tests by @dependabot in #4691
• New API to concatenate an array of HTML attributes by @Deltik in #4688
• fix for templating signature bbcodes by @Jimmi08 in #4709
• use the same markup (bootstrap) for pagination in forum and topic by @Jimmi08 in #4714
• Forum breadcrumbs on topic view with 3 forums #4286 by @Jimmi08 in #4710
• fix for not clearing forum cache by @Jimmi08 in #4716
• fix for access / check for access to forum type in forum post by @Jimmi08 in #4717
• Fix for Forum permissions for creating topics by @Jimmi08 in #4718
• Update theme.html by @brwnie in #4632
• Fix for Recalculation forum replies in Tools by @Jimmi08 in #4721
• #4724 forum - possibility to add forum ID as column by @Jimmi08 in #4729
• #4715 correct display of Last Post info by @Jimmi08 in #4723
• #4659 forum main admin as silent moderator by @Jimmi08 in #4730
• #4712 canonical URLs for paged forum topic by @Jimmi08 in #4733
• #3470 login error message is loaded 2x by @Jimmi08 in #4734
• #4670 ranks issue for first level by @Jimmi08 in #4735
• #4708 load bbcode buttons only if HTML is allowed for user by @Jimmi08 in #4732
• #4665 correct user last visit information by @Jimmi08 in #4741
• #4245 stay on correct page after editing paginated topic by @Jimmi08 in #4742

Full Changelog:

• Support for PHP 5.6 through PHP 8.1 (#4554) – e107 v2 now adds PHP 8.0 and 8.1 support while maintaining support for PHP 5.6.

• New Admin Theme Skins - Modern Light and Modern Dark. May now be selected during initial installation of e107.

• Collapsible Navigation Panel - Option to reduce left-panel admin area navigation to icons only, for increased screen real-estate where it matters.

• Database session handler performance improvement (#4575) – e107 v2.3.0 introduced a non-blocking session handler backed by the database; however, a missing index causes gradually slower performance the more rows there are in the session table. This release fixes that bug by adding the missing index through a database update (migration).

• Thumbnail Generator rebuilt to use Intervention library.

• WebP image support (#4270) – e107 can now serve WebP images to compatible browsers and convert existing images on-the-fly. Requires PHP 7.0+ with the GD WebP extension installed.

• More reliable file uploads – A common complaint with e107 v2.3.0 was rejected file uploads. To fix this, e107 now recognizes files based on their MIME type.

• Increased protection against cross-site scripting (XSS) – There is now improved layering of HTML tag rendering to reduce the likelihood of corrupting pages with bad HTML.

• Increased protection against cross-site request forgery (CSRF) – Nonces have been added to some forms to prevent external sites from submitting them unbeknown to the authenticated user.

• New theming features – Theme developers can now take advantage of Bootstrap 5 and customisable breadcrumbs.

• SEO optimizations for Google, Facebook (Open Graph) and Twitter.

• New "Hero" plugin for home page carousel management. Supports animated bullet points and buttons. (see e107.org home page for example)

• News item Previous/Next navigation shortcode options.

• jQuery updated to v3.6.0

• FontAwesome updated to v5.14.0

For a full list of changes, please go here.

Please see our downloads section to download a copy.

Thank you for continuing to use e107. Please feel free to tell us what you think about e107 in our Gitter chatroom!

Please note that the 2.2.0 release was a major release with some important notes. Please refer to the previous post for more information on that release, including an overview of numerous great new features which were added! 

New features:

• Added new News shortcode {NEWS_AUTHOR_EUF} to retrieve Extended User Fields (e.g. {NEWS_AUTHOR_EUF: field=biography})

Fixes & Improvements:

• Fixed a database check/update issue that occurred when the database name contains a hyphen (-) (#3800)
• Fixed an issue with the Menu Manager preview not loading in some cases (#3815)
• Fixed frontpage button link to Admin Area (#3775)
• Fixed an issue with inserting a new custom page when using PHP 7.3 (#3812)
• Added tablerender id to error pages (#3801)
• Fixed an issue with (un)seralization (#2990)
• Fixed comment author avatar not showing correctly in comment form (#3813)
• Fixed issue in Download plugin with batch userclass options
• Fixed issue in Forum plugin with forum mderator userclass recognition (#3814), with the Userlist shortcode links (#3809), and added placeholder option in {SEARCH} shortcode
• Several Forum template optimizations for Bootstrap 4 (#2969)
• Several PHP 7.3 compatibility improvements

For a full list of changes, please go here.

Please see our downloads section to download a copy.

Thank you for continuing to use e107. Please feel free to tell us what you think about e107 in our Gitter chatroom!

This major release contains numerous new fatures as well as a great bunch of bug fixes and additional improvements. We recommend everyone upgrade immediately! Additionaly there are some important notes that should be considered when updating to the latest version. Please read these carefully!

Important notes:

• The minimum PHP version as of 2.2.0 is now set to 5.6. Using PHP 7.1+ is recommended.
• If you use any PHP version lower than 5.6, your website may break!
• Bootstrap 4 Library has been updated to latest version: 4.3.1. See examples in the bootstrap4 theme
• FontAwesome has been updated to the latest version 5.7.2. See examples in the _blank theme (theme.xml and theme.php)
• db_Fetch() in e_LEGACY_MODE permanently removed. Old plugins should use e107::getDb->fetch('both'); if this is still required.
• Changes to comments: Any reference to #comments-container (div ID) in the theme must be changed to .comments-container (div class) (#1944)

New features:

• GDPR features: added "Privacy Policy" and "Terms and conditions" preferences. Added {SIGNUP_GDPR_PRIVACYPOLICY_LINK} and {SIGNUP_GDPR_TERMSANDCONDITIONS_LINK} shortcodes. (#3175 and #3579).
• Admin Login with email address is now functional
• Chatbox plugin: new default templates added (#3630)
• Constats SITENAME SITEDESCRIPTION can be overridden using Englishcustom.php or Englishglobal.php plugin LAN files.
• Added more styling functionality to {SIGNUP_IMAGES} and {SIGNUP_SIGNUP_TEXT} (#3582) and {LOGIN_*} shortcodes (#3466)
• Added event triggers for rate/like functionality: user_like_submitted & user_rate_submitted (#3552)
• Added load() method for the e_admin addon. See _blank plugin for examples. (#3695)
• New MySQL database export method integrated to increase performance when creating a backup
• "Under the hood" preparations to clean-up existing code (improving code quality) and introduction of new (database) interfaces for better support of up-to-date technology and easier 'hookings' of other/external interfaces (e.g. databases)
• For developers: automated tests added in e107-test/code> repository https://github.com/e107inc/e107-test (to prevent bugs from being introduced, rather than having to fix them after they are an issue)
• FontAwesome is now used by the NextPrev
• New method added e107::getUserClass()->getUsersInClass
• News e_related, added {RELATED_DATE} shortcode
• Added afterPrefsSave() method in Admin-UI (#3799)

Fixes & Improvements:

• Several improvements to plugin installation and related addons (#3531, #3536, #3592)
• Improvements to plugin identification when checking for updates (#3711)
• Several fixes to the Private Messenger plugin (#1758, #3413)
• Several fixes to the Banner plugin (#3141)
• Several fixes to the FAQ plugin
• Several fixes to the Forum plugin: not being able to move a forum post (#3619), forum moderators permissions (#3490), deleting of last post (#3490), forum pagination, newforumposts plugin (#3757), inline editing of forum name was changing SEF URL (#3798)
• Several fixes to the Download plugin (#3201, #3189, #3199, #2486, #3787)
• Fixed an issue where the verification of LAN pack would falsely return errors (#3632)
• Fixes to 'type' => 'country' in the Admin-UI (#3644)
• Enhancements to the 'search' functionality in Admin-UI across different fields
• User Extended Field country correctly displayed in User Profile (#3646)
• User Extended Fields 'read' permission is now properly checked (#1799)
• Avatars now support 'crop' to allow for non-square images. Simple usage: {USER_AVATAR: w=150&h=150&crop=1&shape=circle} (#3721)
• Fixed an issue with the Admin Area > Preferences page crashing on specific Windows server environments (#3625)
• Fixed an issue with the SEF URL configuration when social network tracking queries were used (e.g. Facebook links) (#3546)
• Several improvements to theme layout detection
• Improved user_forum_post_report, user_forum_post_report and user_forum_topic_created_probationary event triggers (#3618)
• Improved filetypes and filesize checks when uploading files (#3507, #3460)
• Added /contact SEF URL (#3566)
• Fixed an issue with navigation (site links) icons not resizing properly (#3712)
• Fixed an issue with list() method in the the e_admin addon (#3695)
• Fixed an issue with userclasses being reset when 'probationary' user was automatically promoted to 'normal' user (#3657)
• Rewritten "password reset" functionality to support webmail software pre-loading links. Links expire in 10 minutes now. (#3443)
• "Required fields" indicator now properly showing on signup page and usersettings (profile) (#3676)
• Relative datestamp now properly distinguishes between past and future dates (#3605)
• Improved backwards compatibility when using BBcodes and WYSIWYG editor
• Fixed an issue with Admin Help text not displaying in correct language (#3485)
• Several enhancements to handle deprecated mysql_*() methods and improved PDO usage
• Several compatibility fixes with Bootstrap 4 (#2962, #2969, and others)
• Several PHP 7 compatibility fixes (#3216, #3596, #3562 and others)
• PHPMailer upgraded to 5.2.27
• plupload upgraded to v2.3.6
• And dozens more fixes and improvements

For a full list of changes, please go here.

Please see our downloads section to download a copy.

Thank you for continuing to use e107. Please feel free to tell us what you think about e107 in our Gitter chatroom!

This release contains some great improvements as well as bug fixes. We recommend everyone upgrade immediately. 

New features

• It is now possible to override the chosen editor pref (WYSIWYG), using the e107::getForm()->bbarea() method by changing the $options array, e.g. $options['wysiwyg'] = 'tinymce4' (#3330)
• Added option define('X-FRAME-SAMEORIGIN', false); in e107_config to allow for external websites including an e107 website through an iframe (#3101)

Fixes & improvements:

• Fixed issue in update routine caused by an incorrect version number (#3302 #3311)
• Added backwards compatibility fix to handle old data formatting better (#3305)
• Fixed issue with multiple userclass selection in the Admin UI (#3249)
• The CSS file ensuring backwards compatibility for non-boostrap or legacy themes (backcompat.css) is now correctly loaded
• Fixed issue with LAN's not loading properly on contact.php page
• Fixed issue with parsing the sign (#3307)
• Fixed issue with 'To' textbox not showing in mail-out functionality (#3303)
• Fixed issue with missing navigation text in Admin Area when using 'medium' width devices
• Improved support for SVG icons (#1958)
• Fixed several issues related to the displaying of comments (#2425 #2281 #2937)
• Fixed issue so 'Items per page' option is now respected on custom pages (#3188)
• Added default custom fields to Bootstrap 3 template (#3103)
• Improved support for Cyrillic characters on registration and login (#2440)
• Plugin Builder generated output improved with examples of custom filter and batch options.
• Fixed an issue with the language packs not displaying in the Admin Area (#3059)
• Added e_gsitemap addon to News and Download plugin (#2606)
• Fixed an issue with error pages and redirection (#3179)
• Added new event triggers and notifications for the Forum plugin: user_forum_topic_created_probationary, user_forum_topic_updated, user_forum_topic_moved, user_forum_topic_deleted, user_forum_topic_split, user_forum_post_created, user_forum_post_updated, user_forum_post_deleted, user_forum_post_report
• Added BBcode template for Forum plugin (#3317)
• New preferences in Forum plugin which allow to choose between BBcode or TinyMCE editor (#3318)
• Fixed issues with Forum plugin URLs (#3171)
• Fixed URL issue in Forum plugin when moving a forum topic (#3244)
• Improved Forum parsing: forum titles are only shown using plain text (no HTML or BBcode) (#3245)
• Fixed an issue in the forum plugin when marking a forum topic as 'read' (#3338)
• Fixed issue in the featurebox plugin which caused debug information to show (#3290 #3074)
• Fixed issue with incorrect 'update required' message showing for the featurebox plugin
• Several PHP 7 compatibility fixes
• And dozens more fixes and improvements

For a full list of changes, please go here.

Please see our downloads section to download a copy.

Important Update

Anyone experiencing core-prefs backward compatibility issues after this upgrade, please use this patch. 

Thank you for continuing to use e107!