Best Of

Vanilla 2.8.1 contains multiple security and bug fixes. Please upgrade immediately.

If you are upgrading from a release prior to 2.8, read the 2.8 release notes first and follow those steps to upgrade. If you were not aware of the additional upgrade step (clearing the /dist folder and additional files from 2.6, please be sure to do all of the steps with this update.)

A few notes to repeat from the last release notes:

• Vanilla 2.6 is no longer supported and has unpatched security vulnerabilities. It is recommended to upgrade as soon as possible.
• The self-hosting, installation, & upgrade docs have been moved out of the README and into our public documentation. Contributions can still be made over at [https://github.com/vanilla/docs].
• There is and EXTRA STEP being added to the standard upgrade process, as well as specific notes for upgrading from Vanilla 2.6 -> Vanilla 2.8 https://docs.vanillaforums.com/developer/installation/self-hosting/#upgrading
• We are taking steps to ensure that release and documentation makes it out in a more timely manner. As we've expanded our developer teams(s) we are now able to share the burden of making these notes and will be trying to do proactively as we add features and fixes.

Release notes follow.

Security

7 medium-severity security issues were patched. Details are included below, but the linked issues with their details are currently still private. It is recommend to upgrade immediately.

• vanilla/vanilla-patches#478 - Fix stored XSS when deleting a tag
• vanilla/vanilla-patches#477 - InThisDiscussion Plugin: Fix XSS in username field
• vanilla/vanilla-patches#480 - Tagging: Fix Adding tags to discussions without proper permission
• vanilla/vanilla-patches#479 & vanilla/vanilla-patches#482 - Check Discussion permissions when flagging a discussion
• vanilla/vanilla-patches#492 - Fix: Bypassing trusted domains to post links using Right-to-left unicode character
• vanilla/vanilla-patches#497 - Fix XSS at add user/reveal password
• vanilla/vanilla-patches#496 - Fix: manipulating conversationID can shut down further new conversations

Keystone Fixes

• Fix responsive theme support for keystone.
• Fix keystone NewFlyouts feature flag not directly tied to the theme being enabled.
• theme-boilerplate ThemeHooks removed. No longer necessary.
• Keystone no longer forces itself as the mobile theme.
• #8473 - Fix keystone javascript error for signed out users (preventing refresh on signin).
• #8475 && #8508 - Fix Advanced Editor flyouts on mobile with keystone. Thanks @MichaelTyson for assistance with debugging this.

Rich Editor

• #8414 - Fix clearing of rich editor for conversations and activity
• #8397 - Fix formatting of notifications & emails for the following post formats: Rich, BBCode, Markdown

Previously these post formats were being sent out "raw" in notifications & emails. This looked particularly bad for the Rich format.

• #8516 - Fix undo/redo actions for embeds while creating rich posts
• #8492 & #8540 - Fix a bug causing partially loaded rich embeds from crashing the page.

Pockets

• #8455 - Pockets: Fix typo in pockets permissions
• #8431 - Fix casing of pockets CSS class location

Other

• #8502 - Fix installation on windows. Thanks @austins (github username)
• #8447 - Put back missing cache folder

@Linc announced the 2.8 release over a month ago. We had some some summary release notes, but the full notes had not yet been accumulated. I will be providing that here.

First a couple notes:

• Vanilla 2.6 is no longer supported and has unpatched security vulnerabilities. It is recommended to upgrade as soon as possible.
• The self-hosting, installation, & upgrade docs have been moved out of the README and into our public documentation. Contributions can still be made over at [https://github.com/vanilla/docs].
• There is and EXTRA STEP being added to the standard upgrade process, as well as specific notes for upgrading from Vanilla 2.6 -> Vanilla 2.8 https://docs.vanillaforums.com/developer/installation/self-hosting/#upgrading
• We are taking steps to ensure that release and documentation makes it out in a more timely manner. As we've expanded our developer teams(s) we are now able to share the burden of making these notes and will be trying to do proactively as we add features and fixes.

Without further ado.

Rich Editor

Rich Editor is now the default editor for Vanilla.

The Rich Text Editor features a number of significant upgrades:

• Embedded link previews. When you paste a link, you will see the site’s title, description, and a thumbnail image if one is available.
• Better user mentioning experience (All unicode characters supported).
• Pure WYSIWYG. No need to “Preview” your posts because they are always 100% accurate.
• Toolbars that stay with you and only show when you need them. No need to scroll up to find your menus when composing a long post.
• Seamless mobile experience that is just as rich as desktop.
• Enhanced accessibility including full keyboard-based interactions.
• Built-in native emoji support.
• Drag-and-drop image embedding and file attachments.
• Code formatting is now built-in (no other addon needed).
• When you edit old posts, it will continue to use Advanced Editor. We do not yet support the automatic conversion of old posts to the new format.

Read more abot the rich editor in it’s documentation or it’s introductory blog post

New Default Theme (Keystone)

Vanilla 2.8 ships with a new, fully responsive theme Keystone.

Keystone ships as the default desktop and mobile themes on new installations and can be enabled on existing installations through the themes page.

Theme Options Keystone ships with 6 preset theme options. Covering a different variety of stylistic choices and colour palettes.

Features & Fixes

API

• Add APIv2 documentation to the dashboard. Navigate to settings/swagger in your site to see API documentation accurate to the addons currently installed.
• Add ability to get info for the current user to Users API v2 endpoint GET /api/v2/users/me.
• Make Categories default to allowdiscussions=1.
• Remove Garden.AllowJSONP from config
• Fix limit parameter not being properly validated on APIv2 endpoints.
• Fix permissions updates overwriting all saved permissions for a category in API V2 roles.
• Add ability to expand category to index of discussions endpoint.

Category Following

• Display ‘Unfollow’ option when filtering by followed categories.

Posting 

• Fix inability to reference HTML tags in discussion titles
• Add warning for trying to set the maximum post length beyond current limits
• Move ability to set post formatting from the Advanced Editor to the /vanilla/settings/posting page.
• Fix drafts double escaping special characters.
• Disable hashtags within post contents by default.
• Add support for seconds-only time parameter to YouTube embeds.

Q&A

• Add user option to disable/enable Q&A notifications.
• Fix recalculation of discussions’ Q&A status.

Themes

• Bootstrap 3: Fix Flag flyout menu being cut off in activity

Conversations

• Start new messages auto-enabled.

Dashboard

• Fix orphaning of UserRole records after the deletion of a role.
• Refresh page after adding/deleting bans.
• Refresh page after adding/deleting messages.
• Make minor aesthetic improvements to Dashboard, including using Open Sans font.
• Fix ban rules fatal error on search.

Akismet

• Akismet is now a core plugin. Be sure to delete your local copy before adding installing Vanilla 2.8
• Fix potentially overwriting another plugin’s spam detection results.

Q&A

• Fix accepting answer giving external link warning.

Advanced Editor

• Fix error message handling when uploading a duplicated file

Other

• Critical security fixes.
• Improve accessibility by adding placeholder/title for text areas.
• Add translation support for “All” and “Following” in category following filter menus.
• Add JSON LD microformat to discussion pages.
• Default Vanilla Stats to use HTTPS.
• Fix broken signout URL in embed comment form. (thanks @Bleistivt )
• ProfileExtender: add Instagram magic formatting. (thanks @Bleistivt )
• Steam Connect: Fix broken SSO connections (Steam’s endpoint moved to HTTPS).
• Fix category dropdown when editing drafts with old ‘DoHeadings’ setting enabled.
• Fix permission for accessing the Event Log for Administrators
• Fix emails not being saved when editing a user profile
• Removed the cooldown period before re-prompting for password when changing email address in Vanilla.
• Fix various accessibility issues.
• Improve performance across the application.
• Fix IP ban rules not getting properly applied on user login
• Fix the display of IPv6 when viewing the Event Log.
• Fix search count on the User page in the dashboard when searching by IPv6.
• Fix post counters on profile pages exceeding allotted area.
• Fix duplicated language element in multiple RSS feeds.
• Fix Twitter callback URL for profile connections.
• Fix reactions menu items not redirecting to user profile.
• Fix comment and discussion count displaying as blank when the user hasn’t posted any comment or discussion.
• Fix leaving page links that are double encoded.
• Fix Profile page shows a thread as un-viewed to guest.
• Fix various UI issues and race conditions.
• Fix Checking for duplicate discussion foreignIds (for embed comments) when a user comments in 2 tabs without refreshing the page.
• Add nofollow attribute for social reactions (Facebook, twitter).

Developer Notes

• Add support for converting Garden Schema exceptions to Gdn_Validation. )
• Add extra CSS class for remember password.
• Add a class to @mention inside user content.
• Fix search API not joining all rows when requested limit exceeds resource limit defaults.
• Add CSS class to comments with same author as the discussion.

Fix limit parameter not being properly validated on APIv2 endpoints:

This is a rather minor fix on our end, but it may have an impact on your set up if you are using API V2 anywhere on your side and you have a call set up with a limit parameter set higher than 100.

This has always been our suggested limit; however, we were not properly validating that limit parameter. This meant that you could use an API call with a higher limit parameter, and your calls would be successful. The call would only start to return errors once the community had grown to a point where these API calls they set up would then start pulling so may records that it would exacerbate the API and return an error with little to no helpful information.

Vanilla has implemented proper validation of the parameter so that we can return a valid error explaining that the limit should be lower than 100.

Global functions

Vanilla is transitioning away from the use of global functions. They are being slowly phased out in each release. If you are an addon developer it is recommended that you update your usages of these methods.

With 2.8 the following functions are deprecated and will be removed in a future release: val, addActivity, arrayInArray, arrayMergeRecursiveDistinct, arrayValue, arrayValuesToKeys, checkRequirements, compareHashDigest, consolidateArrayValuesByKey, cTo, forceSSL, forceNoSSL, formatArrayAssignment, formatArrayAssignment, formatDottedAssignment, getIncomingValue, getObject, getPostValue, getValue, mergeArrays, parseUrl, prepareArray, redirect, redirectUrl, removeKeyFromArray, removeQuoteSlashes, removeValueFromArray, safeParseStr, safeRedirect, trueStripSlashes, viewLocation, discussionLink, touchConfig

Most notable of these is val which had over 5000+ usages removed from vanilla since the last release.

Event deprecations

The following events have been deprecated and will be removed in a future release.

• editorPlugin_getFormats - Use getPostFormats instead.
• categoryModel_categoryWatch - Category watching has been replace with category following. See the categoryModel_visibleCategories event.