See details here: https://xoops.org/modules/publisher/item.php?itemid=6114The XOOPS Development Team is pleased to announce
XOOPS 2.7.0 Release Candidate 1.
Quote:
Why the version jump? The cumulative changes since 2.5.11 — PHP 8.2 as the new baseline, Smarty 4, a new admin theme, a rewritten system menu, aggressive security hardening, and a rebuilt dependency chain — far exceeded a patch release. Betas 1–8 published as 2.5.12 remain in the changelog under their original numbers for historical accuracy.
PHP 7.x support is dropped.
PHP 8.2 is the new minimum; CI runs against
8.2, 8.3, 8.4, and 8.5 on every commit. Dead code for older PHP versions is removed, session handlers are consolidated, and the installer enforces the 8.2.0 minimum.
Smarty 4The template engine moves from the ancient forked Smarty 2 to
Smarty 4.5.5. Sites with old Smarty 2 syntax need a review before upgrading. The bundled
upgrade/preflight.php
scanner identifies outdated themes and module templates before you begin.
New Admin Theme: ModernXOOPS 2.7.0 ships
Modern, the first major admin UI refresh in years. The existing
Transition theme continues to work. System admin themes gain a
template overload capability for customisation without patching core files.
System Menu — Rebuilt Clean-RoomCustom site navigation is now a first-class admin feature. The system menu module is fully rewritten with new tables, controller, templates, CSRF protection, permission handling, cycle detection, and depth limits. Manage categories, items, display order, icons, and per-group permissions from System Admin.
Four New Front-End Theme Platforms•
xSwatch5 — Bootstrap 5.3.8, successor to xSwatch4. Drop in, pick a Bootswatch variant, done.
•
xBootstrap5 — Pure Bootstrap 5 reference theme, kept in sync with upstream.
•
xTailwind — Tailwind CSS + DaisyUI (35 palettes) + Alpine.js, with a new
XoopsFormRendererTailwind so forms render natively without overrides.
•
xTailwind2 — Art-directed sibling of xTailwind with curated palettes and stronger visual hierarchy.
Security Hardening•
CSRF tokens on all module admin AJAX requests — previously some GET-based toggle handlers had no token validation.
•
SameSite + Secure session cookies are now admin-configurable (Lax/Strict/None) with secure-by-default values.
•
eval() removed from core. DB-stored PHP blocks are retired; file-based PHP blocks still work. Protector's lifecycle files also purged of eval().
•
unserialize() audit — every core call now uses ['allowed_classes' => false], blocking PHP object injection.
•
Protector hardened — proper exec() override, input validation on table prefixes, safe badips file handling, failure-aware admin actions.
•
XSS sweep — all SonarCloud-flagged reflected-data paths escaped.
•
Open redirect fix — URL scheme check decodes HTML entities before matching, checks scheme only, and is whitelist-based.
•
Directory traversal — filename allowlists call basename() before the character check.
•
Multibyte validation — form length checks use mb_strlen() throughout; CJK/Arabic/emoji no longer over-count.
•
Password comparisons use strict === and hash_equals() throughout.
•
Request::getInt() Elvis pitfall fixed — 0 no longer silently falls back.
Form & UI Fixes• XoopsFormTextDateSelect — renders genuinely empty when stored value is 0 instead of defaulting to today's date.
• DHTML editor image width — strict regex replaces permissive parseInt, so real widths are preserved.
• Required-field asterisks (*) now render correctly in module admin forms.
• Breadcrumbs and xoAdminIcons are consistent across all system admin pages.
• PM recipient pickers filter by module access permission.
• PM delete confirmation UX improved with centred popups and xBootstrap5 templates.
