Flarum Advanced Pages

TryHackX

Advanced Pages for Flarum

Create advanced custom pages with HTML, BBCode, Markdown, PHP,
or plain text content types for your Flarum 2.x forum. A powerful
alternative to fof/pages with multi-format support, live preview,
formatting toolbars, and granular access control.

Latest highlights:

"View spoiler content" defaults to Members — a new migration
grants advancedPages.viewSpoilers to the Members group on install,
so the permission row in the admin grid is correctly defaulted
rather than being implicitly admin-only.

Reset Settings button in the admin panel — AdvancedPagesPage
is a custom admin page, so Flarum didn't auto-render the standard
Reset Settings button next to Save Changes. It now sits in the
familiar place (wrapped in Form-group Form-controls, danger
colour like other extensions) and reverts this extension's
settings via Flarum core's ResetExtensionSettingsModal.

Cancel button in the "Reset extension settings" modal uses
Flarum's standard Button--inverted style now (was a plain
borderless button under dark themes). Applied via a small
MutationObserver that tags the button when the modal appears.
Each TryHackX extension registers this independently in its admin
bundle, so the fix follows whichever extension is installed.

Note: Recent updates target the 2.x line only. There is no
1.x line for this extension (Advanced Pages is Flarum 2.x only).

Features

5 content types — HTML (HTMLPurifier sanitised), BBCode, Markdown,
PHP (sandboxed), Plain Text.
Formatting toolbars — context-aware buttons for the BBCode and
Markdown editors.
Live preview — Raw / Preview toggle with syntax highlighting
(highlight.js One Dark).
Code editor — CodeMirror-powered editor for HTML and PHP with
syntax highlighting.
BBCode extensions — [table], [spoiler], [center], extended
[url] parser (configurable).
Newline modes — Flarum vanilla or preserve-all for BBCode pages.
Spoiler system — [spoiler] / [spoiler=Title] with
permission-based visibility (advancedPages.viewSpoilers, default
Members).
Admin panel — full CRUD with pagination, per-page selector,
inline settings, Save Changes + Reset Settings buttons (Reset
opens Flarum core's ResetExtensionSettingsModal populated with
this extension's settings).
SEO support — meta descriptions and proper <title> tags.
Access control — publish, hide (admin-only), restrict
(login-required), per-group visibility.
Custom permissions — manage pages, view spoiler content.
Clean URLs — pages live at /p/{slug}.

Screenshots

Mobile view of the discussion list across multiple TryHackX layout combinations

Mobile view — discussion list rendered with different combinations of TryHackX extensions (thumbnails + ratings + views, thumbnails + views, thumbnails only, ratings only, views only, vanilla Flarum).

Advanced Pages admin settings — page list, BBCode toggles, forum integration and permissions

*Advanced Pages admin panel — page management, BBCode tag toggles ([table], [spoiler], [center], extended [url]), forum spoiler replacement and the Save Changes / Reset Settings row, plus the Manage Advanced Pages and View spoiler content permissions.*

Support Development

If you find this extension useful, consider supporting its development:

Monero (XMR): 45hvee4Jv7qeAm6SrBzXb9YVjb8DkHtFtFh7qkDMxS9zYX3NRi1dV27MtSdVC5X8T1YVoiG8XFiJkh4p9UncqWGxHi4tiwk
Bitcoin (BTC): bc1qncavcek4kknpvykedxas8kxash9kdng990qed2
Ethereum (ETH): 0xa3d38d5Cf202598dd782C611e9F43f342C967cF5

You can also find the donation option in the extension's admin settings panel.

Requirements

Flarum ^2.0
PHP ^8.1
PHP memory_limit 256M minimum (512M+ recommended — see Memory below).

Installation

composer require tryhackx/flarum-advanced-pages
php flarum migrate
php flarum cache:clear

Updating

composer update tryhackx/flarum-advanced-pages
php flarum migrate
php flarum cache:clear

Usage

Creating pages

Go to Admin Panel → Advanced Pages.
Click Create Page.
Choose a content type and write your content.
Configure visibility (published, hidden, restricted, group access).
Save — the page is available at /p/{your-slug}.

Content types

Type	Description	Security
HTML	Full HTML with styles / scripts / forms	Raw output, permission-gated
BBCode	BBCode with custom tags & toolbar	Escaped and parsed via s9e/TextFormatter
Markdown	Full Markdown with live preview	Escaped and parsed via s9e/TextFormatter
PHP	Server-side PHP execution	Admin-only, sandboxed, errors logged never shown
Plain Text	Auto-escaped text with URL linking	Fully escaped output

BBCode toggles

Setting	Tags	Default
Tables	`[table]` `[tr]` `[th]` `[td]`	On
Spoiler	`[spoiler]` `[spoiler=Title]`	On
Center	`[center]`	On
Extended URL	`[url]` (accepts URLs Flarum rejects)	Off
Replace Forum Spoiler	swap Flarum's default `[spoiler]` for the Advanced Pages `details/summary` style across all posts	Off

After toggling BBCode settings, clear the formatter cache:

php flarum cache:clear

Newline mode (BBCode)

Per-page newline behaviour:

Flarum (default) — multiple newlines collapse to a single break
(vanilla Flarum behaviour).
Preserve — all newlines become <br> tags.

PHP pages

PHP pages execute in a sandboxed scope with access to:

$page — current Page model
$actor — current user (or null for guests)
$settings — Flarum SettingsRepository

<h1>Welcome, <?= htmlspecialchars($actor ? $actor->display_name : 'Guest') ?></h1>
<p>Current time: <?= date('Y-m-d H:i:s') ?></p>

PHP errors are written to Flarum's log but never shown to visitors.

Page visibility

Option	Description
Published	Accessible to permitted users.
Draft	Page exists but is not accessible.
Hidden	Only visible to administrators.
Restricted	Requires login to view.
Group access	Restrict to specific user groups.

Permissions

Permission	Section	Default	Description
Manage Advanced Pages	Moderate	Mods	Create, edit, delete pages.
View spoiler content	View	Members	See spoiler content on pages (default set by migration on install / enable).

Memory requirements

Flarum compiles all extension LESS styles together. If you get
PHP Fatal error: Allowed memory size exhausted:

Set memory_limit to at least 256M in php.ini
(512M+ recommended).
WAMP users: Apache with mod_fcgid uses the php.ini in the
Apache bin directory, not the PHP directory.
Restart Apache after changes.

Security

HTML pages are rendered raw (full HTML / CSS / JS) — page creation is
permission-gated.
PHP execution is sandboxed in an isolated closure with custom error
handling.
PHP errors are never exposed to end users.
Only admins can create PHP pages.
The raw content field is hidden from non-admin API responses.
URL-scheme blocking (javascript:, data:, vbscript:) in the
extended URL parser.
Spoiler content is stripped server-side for users without the
advancedPages.viewSpoilers permission.

License

MIT License. See LICENSE for details.

TryHackX

RAM usage is increased only for compilation, then it drops drastically.

Subarist

I would say this is a very practical extension.

The old pages had many limitations in terms of display, but with this extension, HTML support looks solid and should no longer be an issue. For users who want to build a more complete website beyond just forum functionality, this is extremely convenient.

Now we can easily have a consistent header and footer across pages. And once you turn off the hero display, it becomes a blank canvas—what you create from there is only limited by your imagination.

KBExit

I will have to try it out. The gif screenshots make it hard to make out what it looks like so I've been avoiding it just for that reason alone.

TryHackX

Working via 2.x and 1.x 🙂

Added

"Replace Forum Spoiler" setting - replaces Flarum's default inline spoiler with the Advanced Pages details/summary spoiler style across all forum posts
"Forum Integration" settings section in admin panel

Changed

Moved support button to the top of the admin settings page
Removed margin-top/padding-top/border-top CSS from the support button section

TryHackX

Admin PLEASE add tag for 1.x

KBExit

TryHackX done 🙂

TryHackX

Advanced Pages 2.0.4 — Reset Settings button, default Members spoiler permission, and a polished admin UX

Hi everyone,

I'm rolling out a sizeable update to tryhackx/flarum-advanced-pages — a Flarum 2.x extension for building advanced custom pages with HTML, BBCode, Markdown, PHP and plain text content types, with live preview, formatting toolbars, code editor, and per-group access control.

⚠️ Flarum 2.x only

This extension targets Flarum 2.x exclusively. There is no 1.x branch and there won't be one — all future development happens on the 2.x line. If you're still on Flarum 1.x and want page management with multi-format support, please plan a Flarum 2.x upgrade.

✨ What's new in 2.0.4

Added

advancedPages.viewSpoilers default grant for Members. A new migration (2026_05_29_000000_grant_view_spoilers_to_members.php) grants View spoiler content to the Members group on install / enable. It uses Migration::addPermissions(), so it only inserts when the grant isn't already there — it never overwrites a manual admin change. The permission row in the admin grid is now correctly defaulted instead of being implicitly admin-only.
Reset Settings button in the admin panel. AdvancedPagesPage is a custom admin page, so Flarum didn't auto-render the standard Reset Settings button next to Save Changes. It now sits in the familiar place (wrapped in Form-group Form-controls, danger colour like other extensions) and reverts this extension's settings via Flarum core's ResetExtensionSettingsModal — exactly like the other TryHackX extensions.

Fixed

Cancel button in the "Reset extension settings" modal now uses Flarum's standard Button--inverted style so it doesn't render as a plain borderless button under dark themes. Implemented with a small MutationObserver that tags the button when the modal appears; each TryHackX extension registers this independently, so the fix follows whichever extension you install.

🧩 Quick feature recap

5 content types — HTML (HTMLPurifier sanitised), BBCode, Markdown, PHP (sandboxed), Plain Text.
Formatting toolbars for BBCode and Markdown editors.
Live preview with syntax highlighting (highlight.js One Dark).
CodeMirror editor for HTML and PHP.
BBCode extensions — [table], [spoiler], [center], extended [url] parser.
Replace Forum Spoiler — optionally swap Flarum's default [spoiler] for the Advanced Pages details/summary style across all forum posts.
Access control — publish, hide (admin-only), restrict (login-required), per-group visibility.
SEO — meta descriptions and proper <title> tags.
Clean URLs — pages live at /p/{slug}.

📦 Install / Update

composer require tryhackx/flarum-advanced-pages
php flarum migrate
php flarum cache:clear

Updating from an older 2.x:

composer update tryhackx/flarum-advanced-pages
php flarum migrate
php flarum cache:clear

🔗 Links

GitHub: TryHackX/flarum-advanced-pages
Packagist: https://packagist.org/packages/tryhackx/flarum-advanced-pages
Issues: TryHackX/flarum-advanced-pagesissues

If you find this extension useful, you can support development via XMR / BTC / ETH (addresses are in the README and inside the extension's admin settings panel). Bug reports, feature suggestions and translations are very welcome.

Cheers!

MaxDob

TryHackX Hi TryHackX,

Thank you for the Advanced Pages extension — it works great and is very useful.

I'm building an online documentation/encyclopedia for my community. I want to create a clear hierarchical structure like:

/p/docs
/p/docs/getting-started
/p/docs/getting-started/buying
/p/docs/getting-started/buying/versions

Currently, the extension doesn't seem to support parent pages and the Slug field doesn't accept slashes to create nested URLs. This makes it hard to build a proper hierarchy.

Are there any plans to add support for nested/child pages (with parent page selection and slash-based URLs) in a future update? This would be extremely helpful for documentation and wiki-style content.

Thanks for your work!

TryHackX

I'll probably take care of it, but for now I'm making security fixes and fixes to the mobile system for magnet links.

KBExit

There are some serious issues that need to be addressed on this extension:

Anyone you let create pages can take over your forum.
It only really works on MySQL/MariaDB.
The code quality is uneven.

Bottom line, don't install this on a production forum until:

Page content is sanitized (or page creation is hard-locked to admins only),
The external-script loading is removed or made opt-in per page,
The visibility query works on all databases Flarum supports — or the extension clearly declares it's MySQL-only.

TryHackX

MaxDob
Big update

Currently undergoing testing and final maintenance fixes. Check security and performance.

TryHackX

MaxDob

[2.1.1] - 2026-06-10

Added

Render cache for Markdown and BBCode pages. The expensive s9e
parse+render step is now memoised in Flarum's file cache. Cache keys derive
from the page content, so editing a page produces a fresh render
automatically, and php flarum cache:clear (already required after changing
BBCode/formatter settings) wipes the entries. PHP pages are never cached
(their output is request-dependent); the actor-dependent spoiler gating and
the [url] post-processing still run per request, outside the cache.

Changed

The raw content field is now also exposed to holders of
advancedPages.manage (page managers), not only administrators — so an
API-driven edit can read the current content instead of unintentionally
blanking it. Everyone else still receives only the rendered output.
The Allow script execution help text and the README Security section now
state plainly that the toggle gates <script> tags only and is not a
sandbox: raw HTML can still run JavaScript via other vectors (inline
event-handler attributes such as onerror), so HTML-page creators should be
treated as able to run JS regardless of the toggle.

Fixed

Nested spoilers no longer leak. hideSpoilerContent() now finds the
matching close of each outermost spoiler with a depth-aware scan instead of a
non-greedy regex, which previously stopped at the first </details> and
leaked the remainder of an outer spoiler that contained a nested one (and
produced malformed markup). Non-spoiler HTML is left byte-for-byte untouched.
A page whose slug is all digits (e.g. 2024) is now reachable through the
Show endpoint: find() falls back to a slug lookup when no page has that id.
The editor's <select> menus (Parent Page, Content Type, Newline Mode) no
longer clip the descenders of letters — Flarum's fixed .FormControl
height: 36px is relaxed to height: auto (with a min-height) for selects
inside the modal.

Chore

Deduplicated .gitignore (doubled vendor/ and node_modules/, redundant
.DS_Store, and the self-referential .gitignore entry that kept the file
itself untracked).

[2.1.0] - 2026-06-10

Added

Nested / child pages. Pages can have a parent, forming a tree. The editor
has a Parent Page selector, the admin list shows the hierarchy as an indented
tree, and pages render breadcrumbs from the parent chain. The hierarchy is the
organisation (tree / order / breadcrumbs); the slug is the independent URL and
may still be a slash path (e.g. /p/docs/getting-started).
Drag-and-drop ordering & nesting. Each admin row has a grip handle (⋮⋮)
at the end of the Actions column. Drag a page onto another to nest it under
that page, or between rows to reorder — with live drop indicators and
animations. Order persists (position) per parent. A page can't be dropped
into its own subtree.
Per-tree breadcrumb CSS. On a root page (no parent), tick Custom
breadcrumbs CSS? to style — or hide (display:none) — the breadcrumbs for
that whole tree (targets .AdvancedPages-breadcrumbs).
Per-content-type creation permissions — advancedPages.create.text,
.bbcode, .markdown, .html, .php (admins always bypass). The safe
types (text / BBCode / Markdown) are toggleable in the admin permission grid;
the code/script-capable types (HTML, PHP) are intentionally not in the grid.
php flarum advancedpages:permission console command — grant / revoke /
list these permissions per group from the CLI. Granting the sensitive
html / php / all permissions requires an explicit --force flag. This
is the only way to delegate HTML/PHP page creation, so it can never be enabled
by an accidental click in the admin panel.
Per-page "Allow script execution" toggle. <script> tags embedded in page
content now run only when this is enabled (off by default for new pages).
Existing HTML/PHP pages are migrated with it enabled so they keep working.
$actor now works inside PHP pages — it is the real current user (a guest
object for guests), passed straight from the request rather than always null.
PHP pages can handle POST and file uploads. /p/{slug} now also accepts
POST, so PHP pages receive $_POST / $_FILES from forms that submit back to
themselves (e.g. contact forms, uploaders). $_GET already worked. CSRF stays
enforced: forms must submit the session token, exposed to PHP pages as the new
$csrfToken variable. A live demo ships at /p/php-request-test.
$pages tree helper in PHP pages — a read-only, visibility-scoped
navigator over the page tree (->all(), ->roots(), ->children(),
->tree($slug), ->find(), ->ancestors()) for building nav menus, sidebars
or sitemaps without leaking pages the viewer can't see.

Changed

Per-group page visibility now uses Laravel's cross-database
whereJsonContains() instead of the MySQL-only JSON_CONTAINS(), so it works
on SQLite 3.38+ and PostgreSQL as well as MySQL/MariaDB.
Migrations standardised on Flarum\Database\Migration helpers; removed the
MySQL-only ->after() column modifiers.
The admin page list now loads every page (previously only the first 20 were
shown) and renders from the store.
The "Reset extension settings" cancel-button styling is now pure CSS instead
of a document-wide MutationObserver.

Fixed

Spoiler permission gating now works regardless of the Replace Forum
Spoiler setting and no longer leaks spoiler content that contains nested
<div>s. The locked-spoiler message is now translatable.
Embedded page scripts no longer execute twice; removed the global
DOMContentLoaded re-dispatch that could disrupt other extensions.
PagePolicy::view() now enforces per-group visibility, matching the list scope.
PHP render errors are logged with the real page id.

Security

HTML and PHP page creation are admin-only by default and can only be delegated
through the advancedpages:permission console command. HTML is still rendered
raw by design (see Security in the README) — it is not sanitised.

Removed

Dead code: unused PageValidator, PageRepository, and FormattedEditor.js.

TryHackX

[2.1.2]

Unified and improved Composer.json file