XOOPS 2.7.0 RC1 — A New Chapter

The XOOPS Development Team is pleased to announce XOOPS 2.7.0 Release Candidate 1.

Quote:

Download RC1: https://github.com/XOOPS/XoopsCore27/releases

This is a release candidate intended for testing only. Use in a production system is not without risks.

Headline Changes

Modern PHP

PHP 7.x support is dropped. PHP 8.2 is the new minimum; CI runs against 8.2, 8.3, 8.4, and 8.5 on every commit. Dead code for older PHP versions is removed, session handlers are consolidated, and the installer enforces the 8.2.0 minimum.

Smarty 4

The template engine moves from the ancient forked Smarty 2 to Smarty 4.5.5. Sites with old Smarty 2 syntax need a review before upgrading. The bundled

upgrade/preflight.php

scanner identifies outdated themes and module templates before you begin.

New Admin Theme: Modern

XOOPS 2.7.0 ships Modern, the first major admin UI refresh in years. The existing Transition theme continues to work. System admin themes gain a template overload capability for customisation without patching core files.

System Menu — Rebuilt Clean-Room

Custom site navigation is now a first-class admin feature. The system menu module is fully rewritten with new tables, controller, templates, CSRF protection, permission handling, cycle detection, and depth limits. Manage categories, items, display order, icons, and per-group permissions from System Admin.

Four New Front-End Theme Platforms

• xSwatch5 — Bootstrap 5.3.8, successor to xSwatch4. Drop in, pick a Bootswatch variant, done.
• xBootstrap5 — Pure Bootstrap 5 reference theme, kept in sync with upstream.
• xTailwind — Tailwind CSS + DaisyUI (35 palettes) + Alpine.js, with a new XoopsFormRendererTailwind so forms render natively without overrides.
• xTailwind2 — Art-directed sibling of xTailwind with curated palettes and stronger visual hierarchy.

Security Hardening

• CSRF tokens on all module admin AJAX requests — previously some GET-based toggle handlers had no token validation.
• SameSite + Secure session cookies are now admin-configurable (Lax/Strict/None) with secure-by-default values.
• eval() removed from core. DB-stored PHP blocks are retired; file-based PHP blocks still work. Protector's lifecycle files also purged of eval().
• unserialize() audit — every core call now uses ['allowed_classes' => false], blocking PHP object injection.
• Protector hardened — proper exec() override, input validation on table prefixes, safe badips file handling, failure-aware admin actions.
• XSS sweep — all SonarCloud-flagged reflected-data paths escaped.
• Open redirect fix — URL scheme check decodes HTML entities before matching, checks scheme only, and is whitelist-based.
• Directory traversal — filename allowlists call basename() before the character check.
• Multibyte validation — form length checks use mb_strlen() throughout; CJK/Arabic/emoji no longer over-count.
• Password comparisons use strict === and hash_equals() throughout.
• Request::getInt() Elvis pitfall fixed — 0 no longer silently falls back.

Form & UI Fixes

• XoopsFormTextDateSelect — renders genuinely empty when stored value is 0 instead of defaulting to today's date.
• DHTML editor image width — strict regex replaces permissive parseInt, so real widths are preserved.
• Required-field asterisks (*) now render correctly in module admin forms.
• Breadcrumbs and xoAdminIcons are consistent across all system admin pages.
• PM recipient pickers filter by module access permission.
• PM delete confirmation UX improved with centred popups and xBootstrap5 templates.

Developer Changes

Dependencies Inlined

The external xoops/base-requires25 metapackage is removed. All dependencies are listed directly in .

Updated Libraries

• Bootstrap 5.3.8
• Font Awesome 7.1.0
• Smarty 4.5.5
• HTML Purifier 4.19.0
• PhpMailer 6.12.0 (moved to /xoops_lib/)
• jQuery UI 1.14.1
• TinyMCE 7.9.2 (new default) + 5.10.9 (legacy, retained)
• tablesorter 2.32.0
• jquery.form 4.3.1
• jGrowl 1.4.10

Database Layer

• queryF() deprecated — use exec() for writes/DDL, query() for SELECTs.
• quoteString() deprecated — use quote().
• XoopsDatabase declares error(), errorno(), and query() as abstract methods.
• Criteria IN clauses accept arrays safely.
• All fetch calls require the two-part isResultSet() + instanceof \mysqli_result guard.

Observability

XoopsLogger now supports a composite logger pattern — PSR-3 and Debugbar receive raw messages with context rather than pre-formatted strings, opening the door to structured logging.

Legacy Cleanup

• PSR-12 throughout; legacy @package / @subpackage / @category PHPDoc tags removed.
• pda.php handler deleted.
• Direct-access guards use http_response_code(404) instead of bare exit().
• htmlSpecialChars() wrapper calls replaced with native htmlspecialchars().
• browse.php now serves source maps for JS/CSS files.

Tests & CI

• PHPUnit 11 with #[Test] / #[CoversClass] attribute syntax throughout.
• SonarCloud, Qodana, Scrutinizer, and CodeRabbit integrated into the PR workflow.
• CI now runs the real XOOPS test suite — the silent placeholder test is gone.

RTL Support

XOOPS 2.7.0 adds right-to-left language support at core level. Arabic, Hebrew, Persian, and Urdu sites now get proper directional rendering in admin and theme templates.


System Requirements

• PHP >= 8.2.0 (8.4+ strongly recommended)
• MySQL >= 8.0 (8.4+ strongly recommended)
• Web server: Apache 2.4+ or nginx

Upgrading from 2.5.x

Supported upgrade path from 2.5.11. Sites older than 2.5.11 should upgrade there first.

• Back up site files and database.
• Enable debugging; set site offline via System → Preferences → General.
• Copy into your XOOPS root.
• Run — fix flagged items, repeat until clean.
• Copy new contents over your web root.
• Copy and to their configured locations.
• Browse to and step through the prompts.
• Update the system, pm, profile, and protector modules from System → Modules.
• Turn your site back on.

The upgrade script handles: removing legacy HTMLPurifier and PhpMailer locations, creating the table, widening , and inserting the new session cookie preferences.

After upgrading, install or update the Protector module. It adds intrusion detection, SQL inspection, and request logging, and received material hardening in this release.


This is a Release Candidate

This is a release candidate intended for testing only. Use in a production system is not without risks.

The feature set is complete and is now fixed for 2.7.0. Only bug fixes will be accepted.

• Bug reports: github.com/XOOPS/XoopsCore27/issues
• Support forums: xoops.org/modules/newbb/
• Contributing: CONTRIBUTING.md

Please download from the current master!

If you are downloading this release for testing, please download from the current master instead.

Any bugs that have been found and fixed will be included in your testing that way, so we all won't keep finding and reporting the same bug over and over.

You can grab the current master here: https://github.com/XOOPS/XoopsCore25/archive/master.zip

Full Changelog: v2.7.0-RC1


Thank You

Thank you to everyone who submitted pull requests, reported issues, tested betas, translated strings, reviewed security findings, and kept the conversation going on the forums and GitHub.

Special thanks to new contributors since Beta 8: @koreus, @CHCCD, and عبدالعزيز الجهني.

Standing thanks to JetBrains for complimentary PhpStorm licenses.

For the complete change list see . For the language-constant diff see .

Download XOOPS 2.7.0 RC1: https://github.com/XOOPS/XoopsCore27/releases

The XOOPS Development Team
April 2026