Welcome to the next cycle, the first post-stable release.
Share in our excitement of releasing stable on the Announcement 🥳
We'll post information about our plans soon ™️ , but first we'll take a bit of time off to relax after our months of effort in releasing stable. We'll follow up with support and bug reports in a timely manner.

📖 Introduction

Today we want to introduce you to the newest edition of our blog posts. With Flarum now being stable, we can all be proud to see the ecosystem of Flarum growing with each day. Keeping track of all those great additions can be hard. While there are great tools, such as Extiverse, we want to take the time and highlight some of the recent additions to the community.

🕸️ Extension Highlights

Version 1.X compatibility

An insane number of 270 extensions is already compatible with Version 1.X of Flarum. With this vast number of extensions, it's easier than ever to modify your community. Also, it's worth pointing out that with Flarum now being stable, 🥳 you won't have to fear breaking your community anytime soon. It's expected for extensions to remain compatible with all 1.X versions to come!

New additions

• Keywords: Add keywords that get context-information on mouseover for your community.
• Mercury: Get information about extensions updates right from your administration interface.
• Prevent Double-Posting: An easy solution for communities dealing with people making double postings.
• Auto Moderator: A extremely versatile solution to automate your group management - including the possibility to create "Trust levels" or automate action after moderator warnings/strikes.

PS.: A shoutout to @Justoverclock for joining the extension development community and actively rocking out a ton of new extensions over the past months.

Updated Extensions

• Diff: Easy way to display changes within discussions.
• Sentry: Adds the possibility to get active notifications of errors happening.
• Support Plattform: A premium extension turning your community into a support platform.

PS.: A shoutout to @Kylo for returning and updating all his extensions to be compatible with 1.X!

Extension Outlook

Many new extensions are being developed. Also, there are new solutions for making your community real-time, which we will highlight in our next blog posting!

📢 Flarum Lang

Update

As you know, there has been a new initiative - an official part of the project now - bringing Flarum translations under a common roof to ensure availability for the community. We are very grateful that most of our language pack maintainers have joined the project - making it possible that already 20 language packs are available through flarum-lang!

Outlook

We will be sharing more information about the language pack maintainers and those where help is required. This will give everybody an easy overview of joining the project and making Flarum available in their language!

🏁 Final words

The Flarum team is extremely grateful for its great community. We hope to have given you a comprehensive overview of some highlights. Please share your thoughts about the new blog format to incorporate changes in our future community updates!
PS (Pinky-promise it's the last one).: If you want to know what's happening next within the core development you should definitely follow our Dev-Blog!

v1.0.0 - Kangaroo

---

• 🧔 A new user slug driver was introduced which uses the user Id.
• 🔐 Hardened headers against actors with bad intent.
• 📃 The admin area now has an extensible users list.
• 👆 New mentions system, detaching itself from usernames.
• 🤖 Many improvements to canonical URL generation.
• ⏩ Many improvements to performance in core and bundled extensions, including tags.
• 😎 Many improvements to accessibility.
• 🌐 Moved to the ICU format for translations, which paves the way for genderization in translations among others.
• 🔃 The pusher extension now also makes non public discussion realtime.
• 📃 Asset publishing separated from the migrate command into assets:publish.
• 🔍 Fixed searching discussion titles.
• 🐛 Tons of fixes.

by Austin Elder from Unsplash

📚 History

---

Eleven years ago, Toby Zerner set out with a mission: to build a forum for the future. The result, esoTalk, was a good product, and an excellent playground for learning and trying ideas. After a few years, esoTalk evolved into something bigger: a revolutionary new design, based around simplicity, elegance, and ease of use. This was the birth of Flarum.
Now, seven years and sixteen beta releases later by over hundred contributors, Flarum finds itself in an exciting period! Adoption of our software has skyrocketed, a substantial extension ecosystem has emerged, and even enterprises are migrating over. Although Toby has moved on to other entrepreneurial projects, the Flarum team is larger and more active than ever, with over a dozen people working passionately to advance the project. In 2019, the Flarum Foundation was brought into existence to safeguard the future of Flarum as a free and open-source product. We’ve also converted to a steady 2-3 month release cycle, and with that we managed to release the first stable version!
Our team at Flarum believes that the time has come to challenge the traditional forum design and architecture. While forums at their core have remained very much the same over the years, we see that people want something more, and we're here to build it. Flarum has been created specifically to engage and enhance community interactions in a digital world and to develop lean, extensible software that improves the experience of the admin, moderator, extension developer, and most importantly, the user.
Flarum is not just another forum software, it is much more an incredibly flexible framework that allows its users to add every feature imaginable to their installations. To this point, Flarum has been explicitly built with extensibility and ease of use in mind, while building upon modern software standards to ensure that this remains within our core ethos: Simple, Modern, and Fast.

📣 The Release

---

To us, beta never meant that Flarum would break while using it. It meant that extensions might no longer work when upgrading. Only twice have we seen a release that completely made almost all extensions incompatible, those being beta 8 and 14.
With stable out, we will do our best to postpone changes that break extensions to the next major release (v2.0.0) which we currently plan to release in about a year. The stable release as such will mark a time for 🌱 growth and 📈 stability.
That alone is a huge gain of this release, but let's not stray from everything else that has been done; because 78 issues were taken care of! We listed the most noticeable changes at the top, if you want to dive into all the changes please visit the changelog files on our repositories.

👨‍💻 For Developers

---

Ahead of the release we announced major changes in a dedicated discussion, this seems to have had a very positive effect on the number of compatible extensions. We recommend (extension) developers towards the upgrade guide for a complete list of changes.

⤴️ Upgrading

---

Before you run the upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on 0.1.0-beta.16 in your Admin Dashboard or by typing php flarum info, use the previous release notes for upgrading from an earlier version.
To upgrade from 0.1.0-beta.16 to stable, take a look at our stable upgrade guide documentation.

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions, and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.0.0 and any errors in their fullest.

🙇‍♀️ Acknowledgements

---

Reaching stable wouldn't have been possible without the sacrifice made by over hundred contributors! For this release we specifically thank these wonderful people:

• Contributors: @glowingblue sl-kr @ianm ahosker @rob006
• Core Developers: @askvortsov @SychO @davwheat @datitisev @tankerkiller125 @clarkwinkelmann @Kyrne @luceos
• Quality Assurance: @katos @Ralkage @Deebug @ianm
• Community Staff: @jordanjay29 @meetdilip @Liberty @Pollux
• Everyone submitting carefully described bug issues.
• And the whole community sharing their passion for Flarum, urging us on!

To every Open Collective supporter and Github Sponsor, but especially:

• Glowing Blue AG @glowingblue
• Thirdia
• Bitfalls
• ecomscan
• sansecio
• KAV partners
• @flarumster
• Sridhar Kamma
• Donald Broussard
• @phenomlab

And finally, to you for your ongoing support and enthusiasm that keeps us all going!

🆘 Support the Project

---

We need your support to:

• Guarantee continued development on the software.
• Create a valuable ecosystem around the project.
• Ensure healthy extensions are available.

You can support us:

• 👕 By getting some swag from our merchandise store!
• 💵 By backing us on Open Collective or on GitHub.
• 👩‍💻 By contributing to the source code, hop onto any of our open issues.
• 🌎 By translating Flarum and extensions into your own language.
• 💝 By sharing your love for Flarum with friends, family and on the internet.
• 💬 By hanging out with us, here on discuss!

🔮 What now?

---

The coming weeks we'll allow our team to relax as everyone has been pressing hard for this release for months on end! For this reason we have sent all our team members some well deserved swag in celebration of stable and as a thank you for their contributions to the project.
Our next release will be a minor patch version addressing any bugs we missed in 1.0. In the meantime, we'll be doing a lot of internal discussion and planning to put together roadmaps and strategy moving towards v2.

This discussion acts as a way for people to subscribe to announcements on releases. Before stable we would announce releases as separate discussions, because all changes were bundled and released as one beta.
Having passed that milestone we have already released several patch releases for v1.0. These releases were announced either in the v1.0 release announcement or in the Dev Diary. We felt this is not the right place.
From now on we will announce ALL releases, no matter the size, in this discussion. 🔔 So make sure to follow.

• ⏰ Releases for Flarum and all bundled extensions are announced here and/or linked to.
• 🔇 Comments are disabled. Please open a discussion for feedback or support.

Previous Release Announcements

• Flarum 1.0.0 Released
• Flarum 1.0.1 Released - minor patches
• Critical security update to Flarum core, with new incident write-up (v1.0.2)

This post was edited 2021-06-07 at 20:50 UTC to include a full write-up of the security incident. The original announcement is still available at the bottom of this post.
If you have not yet updated to v1.0.2 or later, do so immediately. The details of the vulnerability are public, and your forum could be maliciously exploited.
Affected versions:

• v1.0.0 - ⚠️ Affected
• v1.0.1 - ⚠️ Affected
• <= v0.1.0-beta.16 - ✅ Not affected

Upgrade instructions:

# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.0.2
composer show flarum/core

# Clear cache
php flarum cache:clear

---

Preface

On Saturday 5 June 2021 at 23:02 UTC, I (@davwheat) discovered a critical cross-site scripting (XSS) vulnerability in Flarum core, affecting versions v1.0.0 and v1.0.1.
This vulnerability related to the handling of variables passed to core's translator, and the possible conversion of strings into HTML DOM nodes.
The details of this vulnerability were disclosed on the Flarum Discord's #devs-security channel at 23:05 UTC (3 mins after discovery). The vulnerability's CVE score was 10.0, which is the highest CVE score possible.
The vulnerability was initially found while performing some local testing on an unrelated area of core's code, before noticing that HTML strings entered into the search box would be parsed and inserted into the DOM as HTML instead of text.
This was patched through a combination of efforts from multiple developers, and swiftly pushed to core's master branch at 01:47 UTC the next day (2021-06-06). Matt ( @tankerkiller125) manually pushed the update to demo.flarum.site and nightly.flarum.site for testing purposes and to patch the vulnerability. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.0.2 at 02:26 UTC.
Posts were made on Discuss involving the creation a new discussion (https://discuss.flarum.org/d/27558) and posts on the v1.0.0 and v1.0.1 release discussions. Jordan (@jordanjay29) sent an announcement in Discord a few minutes later at 02:32 UTC.

What caused the vulnerability?

Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made between v0.1.0-beta.16 and v1.0.0 and was not noticed or documented.
This allowed for any user to type malicious HTML markup within certain user input fields and have this execute on client browsers. The example which led to the discovery of this vulnerability was in the forum search box. Entering faux-malicious HTML markup, such as <script>alert('test')</script> resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user.
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, resulting in a CVE score of 10, the highest possible. See the CVSS score breakdown.
A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/core/security/advisories/GHSA-5qjq-69w6-fg57. We have been issued with a CVE (CVE-2021-32671) that will be published on the official CVE list at mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32671

CVSS breakdown

Attack vector: network
This attack is performed over a network without physical or local access required. The network does not have to be adjacent.

Attack complexity: low
The attack can be performed relatively simply and affected all forums, despite their individual configurations. It is repeatable under all conditions.

User interaction: none
The example that led to the discovery of this vulnerability does require user interaction: a malicious link must be clicked and then the search box must be entered. However, we believe there is a high chance that it may be possible to perform an attack due to this vulnerability without any user interaction

Scope: changed
The vulnerable component is the Flarum forum. The impacted component is the user's browser, therefore the scope has changed.

Confidentiality impact: high
An impacted user's details could be fully retrieved by the attacker via a malicious AJAX request.

Integrity impact: high
An impacted user's details could be changed by the attacker via a malicious AJAX request.

Availability impact: high
If a forum administrator was impacted, a malicious AJAX request could modify forum settings on the Admin dashboard and result in a full forum denial of service. This could be by injecting broken Javascript code into the custom header resulting in a broken forum frontend.

How was the vulnerability fixed?

When passing variables to the translator, we now perform some extra checks.
Now, if the passed variable is a string, we will wrap it in a Mithril fragment (a VDOM node that does not get converted into an actual node when rendered), and then use that instead. Mithril will ensure that the contents of this fragment are rendered as a string only, and not as HTML markup.
For more info, please see the commit that fixes this vulnerability: flarum/[email protected]440bed8

What did we do right?

The quick disclosure and reaction time of multiple developers allowed for the rapid patching of core. This vulnerability was patched in 3 hours and 24 minutes, which is incredible.
All available members of the core team dropped what they were working on to patch the vulnerability together. Over 630 messages were sent between developers, QA testers and the Foundation board members during the discovery, verification and patching of this vulnerability. We couldn't have asked for anything more from the entire Flarum team when we needed them.

What could we improve?

At the time of the discovery, no online developers had the ability to draft a security disclosure on GitHub. This would have provided us with a secure way to attempt to develop a patch together and review the code more easily. Instead, we needed to send screenshots of code and write suggestions in Discord. This also meant we could only easily test the patch on one device (mine) before pushing to master and then testing on other deployments.

How can we prevent this happening again?

Our rich text formatter is currently located outside of the Flarum organisation. This package was developed independently from the Flarum team, so code reviews by multiple core developers never took place. Despite this, however, our organisation code reviews often look more closely at code style, correctness and readability as opposed to searching for all possible exploits.
This vulnerability was discovered purely by luck. There is no telling how long this could have remained in Flarum if it was not caught. We need to work towards having Javascript tests as standard for Flarum core. We currently have PHP tests which check that users cannot perform dangerous actions if they do not have permission, but we don't have any way to automatically check the forum frontend for possible vulnerabilities and bugs. This would be extremely helpful for future release cycles, bug detection and vulnerability scanning.

Original announcement

Recently we released a critical security fix for Flarum core. We urge all forums running versions v1.0.0 and v1.0.1 to update immediately to v1.0.2.

Affected versions

• v1.0.0 - ⚠️ Affected
• v1.0.1 - ⚠️ Affected
• <= v0.1.0-beta.16 - ✅ Not affected

Impact

This critical vulnerability allows any user to perform a cross-site scripting (XSS) attack, which could result in escalation of privilege and denial of service for forums running the affected versions.
We estimate this to have a CVE score of 10, which is the highest possible severity.
Full details will be available in the near future as forums running on affected versions update.

Patches

All forums running Flarum core v1.0.0 or v1.0.1 should immediately update to v1.0.2.

References

A security advisory has been published on GitHub detailing this vulnerability: https://github.com/flarum/core/security/advisories/GHSA-5qjq-69w6-fg57.
Full details will be available in the near future as forums running on affected versions update.

Credit

Thank you to @davwheat for identifying the vulnerability and providing the patch.

A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [email protected], and we will address it promptly.
You can find our full security policy on GitHub.

How to update

Update immediately to Flarum core v1.0.2.

# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.0.2
composer show flarum/core

# Clear cache
php flarum cache:clear

Follow-up

Full details will be available in the near future as forums running on affected versions update.

Support

As always, for support, please create a new discussion in the Support tag.