Hey,
With v1.6 released, time to move onto v1.7
We will try to post updates on the roadmap progress in this cycle.

v1.6.0 - Kookaburra

---

📣 The Release

---

We are happy to announce the release of v1.6, not the biggest release but sizeable and important regardless:

• 🤙 You can now mention groups, like me mentioning @Flarum Team (flarum/framework#3658) - Bounty
• 📈 Statistics extension now supports custom date ranges (flarum/framework#3622)
• 📈 Statistics extension now allows exporting the graph (flarum/framework#3662)
• 🧩 Using an automated installer, you can now choose extensions to enable (flarum/framework#3655)
• 📧 Notifications for approved posts are now properly sent out (flarum/framework#3656) - Bounty
• 👯 Group edit modal now contains a color preview input field (flarum/framework#3650)
• 🐛 Many bugs have been squashed.
• ♿️ Accessibility improvements have been made.
• 🧑‍💻 And much much more...

👨‍💻 For Developers

---

Extensions compatible with 1.5 should still operate on Flarum 1.6 without any changes.

⤴️ Upgrading

---

Before you upgrade, make sure to create a backup of your public/assets directory, your composer.json and your database!

Before starting the upgrade process, ensure you are on Flarum 1.0.0 or above in your Admin Dashboard or by typing php flarum info. If you're not, use the previous release announcement for upgrading from an earlier version.
To upgrade from 1.0 or 1.5 to 1.6, take a look at our upgrade guide documentation. The process should be much easier compared to previous major version upgrades, due to the lack of breaking changes.

If you run into any issues, please open a new discussion under the Support tag. Ignore similar discussions and open a new one anyhow. Make sure to mention the output of php flarum info, composer why-not flarum/core v1.6.0, and any errors to their fullest.

😇 Thanks to our Sponsors

---

Financial donations keep Flarum alive and kicking. The following companies and people deserve credit for making Flarum sustainable:

• Glowing Blue AG
• Sridhar Kamma
• Lincoln Russell
• Bart van Bragt
• Lurker
• Circuit Dojo
• David Wheatley
• Timotheus Pokorra
• Edmilerad
• ange1k
• S4 Hosting
• Seaborn
• Alexander Skvortsov
• Paulina
• Jai Gupta
• Matt Kilgore
• Guoqing
• Miguel A. Lago
• LianSheng
• Soobin Rho
• PapaFig1
• Nsustain

Thank you to all the Supporters, backing us through Discuss:
@v17development and @waca !

Special thanks for all the Devotees (people pledging to our bounties in the Proposals tag), you are driving a lot of new features! These people have helped ship a new feature in this release with their pledge:
@datlechin @Darkle @SKevo @GreXXL @pkernstock @Lurker @CyberGene @meihuak .

Thanks for being awesome 😍 !

🙇‍♀️ Acknowledgements

---

Flarum wouldn't be the same without our over one hundred contributors, along with their generous time commitments! For this release we specifically thank these wonderful people:

• The non-team contributors that usually tackle unplanned, but extremely welcomed bugs or overhauls. We absolutely love contributions that help us move forward, so thank you very much:
  @datlechin @ornanovitch @iPurpl3x.
• The core and staff team contributors, people that have vast knowledge of the code base who sacrifice their free time to bring the awesome Flarum software to you, for free. Thank you so much:
  @askvortsov @SychO @davwheat @luceos @ianm @clarkwinkelmann
• The community staff is the foundation to a warm and welcoming community. Many cheers for all you do:
  @jordanjay29 @Prosperous @GreXXL
• The well-oiled machine that is the translation team, keeping up with new languages, their maintainers and the translations perfectly well. Very, very much appreciated:
  @GreXXL @Justoverclock @rob006
• All our additional staff who all help us where we need it most:
  @tankerkiller125 @Deebug @katos @victorparedes.
• A great shout out to everyone who's submitted carefully described issues and suggestions, especially:
  @ornanovitch @orschiro.
• And the whole community sharing their passion for Flarum, urging us on!

🆘 Support the Project

---

We need your support to:

• Guarantee continued development on the software.
• Create a valuable ecosystem around the project.
• Ensure healthy extensions are available.

You can support us:

• 👕 By getting some swag from our merchandise store!
• 💵 By becoming a Supporter or Sponsor on Discuss, backing us on Open Collective or on GitHub.
• 🤟 By supporting new features with your pledge in our Proposals tag.
• 👩‍💻 By contributing to the source code, hop onto any of our open issues.
• 📈 By creating your own Flarum extensions and sharing them with the world!
• 🌎 By translating Flarum and extensions into your own language.
• 💝 By sharing your love for Flarum with friends, family and on the internet.
• 💬 By hanging out with us, here on discuss!

For installation instructions check our installation documentation. If you are interested in developing extensions for Flarum, check the extend section there.

📖 Introduction

Welcome to our newest community update. In this edition we want to show you the versitlity of Flarum as a multi-language forum patform. Also - like you are already used to - we will share interesting updates on the Flarum ecosystem, including the newest plugin additions and active bountries. In Edition 4 of our community updates 2022 we featured a overview about push notifications and mobile app support. Feel free to skip back to this post in case you are interested. But now lets move on to our newest update.

---

🗣️ Multi-language in Flarum! What are the options?

Many message boards have a target audience speaking different languages. Support for multiple languages is, therefore, at the heart of much good software. But supporting different languages as variables for text does not make for a good multi-language community. Many extensions are available that help you customise your community for a truly multilingual experience. But before we go there, let's start with language support in Flarum first.

🌐 Flarum Lang

With the Flarum Language Project, we started to get more of the available translations under a common roof. Those languages are also available on Weblate. This web-based platform allows you to contribute to all available languages to get new extensions translated or improve translations. Of course existing or new languages are always welcome to join the project. All contributions are welcomed!
Find all 40 available languages on the GitHub Project. A big thank you needs to be sent to all the many language pack maintainers and contributors.

🧩 Extensions

While Flarum offers great support for different languages to be installed in one installation, there are many extensions out there that greatly improve the handling of multi-languages.

Discussion Language by @FriendsOfFlarum

This extension allows one to assign a language to discussions, allowing one to filter content by language. There are many neat features like language auto-detect to assist users in finding what they are looking for.
Find out more on the extensions page.

Localizd by @glowingblue

This premium extension extends Flarum to add support for translating core features into different languages. This includes the Forum description as well as, most importantly, Tags. This allows users to change the Forum to the language of their desire completely.
Find out more on the extensions page.

Translate by @ianm

Another premium extension allows the automatic language detection and translation of discussions and posts. This allows users to easily view the complete content a multi-language has to offer and does not limit them to the languages they speak. Asides from the extension, a professional language translation service like Google Translate or DeepL is needed. Both offer free limits to get this started, though.
Find out more on the extensions page.

Other extensions

Of course, we also need to mention the FoF Linguist extension and the Translation Inspector, which are both useful tools to improve the languages of Flarum or modify them to the specific needs of your community.

🧪 Samples

Now one might argue that this is theoretically very nice but is there any bigger community out there using this in the real world? I am really happy to say yes! Also, this community has been highlighted in a previous community update already! You can read the interview of @Dany and visit the community.

📰 Other News

Flarum released Version 1.6, including the first two bounties successfully funded and implemented. Please also note that a critical security update has been released for affected version 1.5.x to 1.6.1. Work on the next version, 1.7 has already started.
Also on date of publishing this article there are currently different promotions running for Black Friday offering some big discounts on premium extensions worth checking out.

🏴‍☠️ Active Bounties:

• Mentioning Tags has been picked up by @ianm to be implemented in 1.7 but still happily takes supporters.
• Improving FoF Spamblock still looking for funding and implementation
• Turnstile Captcha has been picked up by @ianm to be implemented but still happily takes supporters
• Federation Extension has been picked up by @luceos but still needs a lot of funding

🕸️ Extension Highlights

• Sudo Mode by @clarkwinkelmann to protect sensible areas of Flarum administration
• Post Stream Search by @clarkwinkelmann allowing easy search within a discussion

---

🏁 Final words

We hope you have liked this edition of “Community Updates”. Looking forward to your comments and ideas for future updates. We are going to pickup speed again and hope to see you soon on the next edition of Community Updates.

If you have not yet updated to v1.6.2 or later, do so immediately. The details of the vulnerability are public, and your forum could be maliciously exploited.
Affected versions:

• v1.5.0 to v1.6.1 - ⚠️ Affected
• v1.4.1 and below - ✅ Not affected

Upgrade instructions:

# Update to latest version
composer update --prefer-dist --no-dev -a -W

# Verify that you're on v1.6.2
composer show flarum/core

# Clear cache
php flarum cache:clear

---

Preface

On Friday 18 November 2022 at 11:57 UTC, we received a report of a critical cross-site scripting (XSS) vulnerability in Flarum core through huntr.dev, affecting versions from v1.5.0 to v1.6.1.
This vulnerability is related to the process of setting page titles client and server side, and the possible conversion of title strings into HTML DOM nodes.
The details of this vulnerability were disclosed on the Flarum Discord's team channel at 12:08 UTC. The vulnerability's CVE score was 9.0, which is an extremely high CVE score.
This was patched through a combination of efforts from multiple developers and pushed to the core's main branch at 21:09 UTC. After verifying that the patch worked as expected and didn't have noticeable effects on other areas of core and bundled extensions, it was released as v1.6.2 at 22:21 UTC.

What caused the vulnerability?

Flarum's page title system allowed for discussion title inputs to be converted into HTML DOM nodes when rendered (visiting a discussion page). This change was made in v1.5.0 and was not noticed.
This allowed for any user to type malicious HTML markup within discussion title user input, either through a new discussion o renaming an existing one, and have this execute on client browsers. Entering faux-malicious HTML markup, such as <img src=x onerror=alert(document.domain)> resulted in an alert box appearing on the forum. This attack could also be modified to perform AJAX requests on behalf of a user, possibly deleting discussions, modifying their settings or profile, or even modifying settings on the Admin panel if the attack was targeted towards a privileged user.
The estimated CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, resulting in a CVE score of 9. See the CVSS score breakdown.
A security advisory has been published on GitHub detailing information of the vulnerability: https://github.com/flarum/framework/security/advisories/GHSA-7x4w-j98p-854x. Waiting for a CVE to be issued.

CVSS breakdown

Attack vector: network
This attack is performed over a network without physical or local access required. The network does not have to be adjacent.

Attack complexity: low
The attack can be performed relatively simply and affected all forums, despite their individual configurations. It is repeatable under all conditions.

Privileges required: low
On a default installation of Flarum, users can create discussions after confirming their email address. This means that the only permissions required to exploit this vulnerability are a confirmed user account.

User interaction: required
For the vulnerability to be exploited, a user must open the malicious discussion within their browser.

Scope: changed
The vulnerable component is the Flarum forum. The impacted component is the user's browser, therefore the scope has changed.

Confidentiality impact: high
An impacted user's details could be fully retrieved by the attacker via a malicious AJAX request.

Integrity impact: high
An impacted user's details could be changed by the attacker via a malicious AJAX request.

Availability impact: high
If a forum administrator was impacted, a malicious AJAX request could modify forum settings on the Admin dashboard and result in a full forum denial of service. This could be by injecting broken Javascript code into the custom header resulting in a broken forum frontend.

How was the vulnerability fixed?

When setting the page title, we now prevent having the title evaluated through a temporary HTML element that was previously used to properly display raw HTML entities. This temporary element was within the scope of the browser's window, hence would execute Javascript within it and could access secrets within the page's Javascript scope (such as browser cookies).
Now, we use a DOMParser which has scripting disabled and is in a separate context from the window element. This prevents XSS attacks and allows raw HTML entities to be properly displayed. A more appropriate fix for the raw entities display issue will be looked into in further releases (see flarum/framework#3685).
For more info, please see the commit that fixes this vulnerability: flarum/[email protected]ed0cee9

What did we do right?

All available core developers jumped on the report to patch the vulnerability as soon as possible, an initial patch was proposed within a couple of hours and a final patch received the first approval within 7 hours, after thoroughly looking for the root cause and how it was introduced in the first place.

What could we improve?

At the time of the discovery, no online developers had the ability to draft a security disclosure on GitHub. This would have provided us with a secure way to attempt to develop a patch together and review the code more easily. Instead, we used a public PR which is less than ideal.
At the time of release, we struggled for some time with branching off and sub splitting from our monorepo for a lack of documentation and expanded use in our CLI utility.

How can we prevent this from happening again?

A JavaScript automated test suite could have helped pick up on the introduced issue which was not noticed during reviews. There is already work in progress in implementing Jest for one of the next releases. Automated tests will have a massive effect on avoiding these problems in the future.

📖 Introduction

Welcome to our newest community update. In this edition we want to take a closer look on how to bring your Flarum community to the next level. Also - like you are already used to - we will share interesting updates on the Flarum ecosystem, including the newest plugin additions. In Edition 3 of our community updates 2022 we featured a stunning interview with FreeFlarum - feel free to skip back to this post in case you are interested. But now lets move on to our newest update.

---

🔔 Push Notifications, App Support - is this a thing?

Most websites - including of course discussion forums - are seeing increasing traffic from mobile clients, well exceeding half of the users. Naturally - and especially when compared with social networks - support for push notifications as well as a separate app are a big deal. While there currently are no apps supporting Flarum - there are ways to achieve (parts) of this functionality with existing Flarum extensions.

PWA - Progressive Web App

Both Android and iOS phones / tablets are able to install PWA applications. This allows you to run your Forum with a dedicated icon on your phone without the need to open / run the browser. While Android allows also push notifications for PWA applications iOS does currently not - although support is planned for iOS 17. Here is a short video showing you how to use a PWA on your phone:

In order to add this to your community you will need to install the PWA extension by @askvortsov. To make the application feel more real time you should think about adding Websockets to your community. There are different options available for that, which are highlighted in an community update back from 2021.

Native App support - is it coming soon?

Making a app is a complex process and involves a lot of effort - both one time as well as in long term maintanance. The Flarum team has currently not the necessary ressources to tackle such a project. So there will be no official apps launching anytime soon. Flarum offers an extensive API though, so making an APP as a community project is still very possible. There have been some efforts to start this but as of right now there is no community driven app project in the works.

📰 Other News

📢 Flarum Lang

Lately - and especially due to the work of @rob006 and @Justoverclock our language-gurus/coordinators - a lot of new languages have been introduced to the Flarum Language Project. There are now 40 languages on boarded! You can see those new additions over on GitHub - and more importantly on Weblate. If you want to contribute to an existing language you can most easily do so on Weblate. Of course there is always the possibility to add new languages to the project as well. If you are interested in this, get in touch with the Language Coordinators.

🏴‍☠️ Bounties

With Flarum being a stable software it was necessary to clean up feature requests. A new structure has been introduced to the proposals tag here on discuss. Within this tag we are using FoF Gamification to introduce a up-voting feature. Every community member has the ability to propose and up-vote features of the most interest to him/herself.
Besides the introduction of a new and cleaned up way to propose new features within the Flarum ecosystem - bounties have also been introduced. When a proposal is clearly enough specified a bounty may be requested. This will allow a certain feature request to be community funded. Any developer has the chance to pick up the money gathered in the bounty to implement the feature. The terms can be read within our community guidelines in detail.
Going forward with the community update I will highlight all ongoing bounties so you have a chance to follow the progress - or might even consider chipping in a few bucks to make the feature a reality. I am especially happy that two of the four active bounties have already been picked by a developer to be implemented!

🏴‍☠️ Active Bounties (direct access):

• Mentioning Tags still looking for funding and implementation
• Approval Notifications - implemented by @SychO
• Mentioning Groups - implementation started by @ianm
• Improving FoF Spamblock still looking for funding and implementation

🕸️ Extension Highlights

New & Noteworthy

Extensions

• Composer Page by @clarkwinkelmann introducing a dedicated page to create new discussions
• Offline Indicator by @datlechin introducing the possibility to check if you are still online
• Anonymous Posting by @clarkwinkelmann introducing the possibility to post anonymously
• E-Mail Conversations by @blomstra introducing the contribute to discussions via mail
• Maps for Discussions by @JeromeGillard extending FoF Upload to allow Maps to be added to discussions
• Turnstile by @blomstra introducing a privacy focused CAPTCHA

---

🏁 Final words

We hope you have liked this edition of “Community Updates”. Looking forward to your comments and ideas for future updates. We are going to pickup speed again and hope to see you soon on the next edition of Community Updates.