Best Of

@Linc announced the 2.8 release over a month ago. We had some some summary release notes, but the full notes had not yet been accumulated. I will be providing that here.

First a couple notes:

• Vanilla 2.6 is no longer supported and has unpatched security vulnerabilities. It is recommended to upgrade as soon as possible.
• The self-hosting, installation, & upgrade docs have been moved out of the README and into our public documentation. Contributions can still be made over at [https://github.com/vanilla/docs].
• There is and EXTRA STEP being added to the standard upgrade process, as well as specific notes for upgrading from Vanilla 2.6 -> Vanilla 2.8 https://docs.vanillaforums.com/developer/installation/self-hosting/#upgrading
• We are taking steps to ensure that release and documentation makes it out in a more timely manner. As we've expanded our developer teams(s) we are now able to share the burden of making these notes and will be trying to do proactively as we add features and fixes.

Without further ado.

Rich Editor

Rich Editor is now the default editor for Vanilla.

The Rich Text Editor features a number of significant upgrades:

• Embedded link previews. When you paste a link, you will see the site’s title, description, and a thumbnail image if one is available.
• Better user mentioning experience (All unicode characters supported).
• Pure WYSIWYG. No need to “Preview” your posts because they are always 100% accurate.
• Toolbars that stay with you and only show when you need them. No need to scroll up to find your menus when composing a long post.
• Seamless mobile experience that is just as rich as desktop.
• Enhanced accessibility including full keyboard-based interactions.
• Built-in native emoji support.
• Drag-and-drop image embedding and file attachments.
• Code formatting is now built-in (no other addon needed).
• When you edit old posts, it will continue to use Advanced Editor. We do not yet support the automatic conversion of old posts to the new format.

Read more abot the rich editor in it’s documentation or it’s introductory blog post

New Default Theme (Keystone)

Vanilla 2.8 ships with a new, fully responsive theme Keystone.

Keystone ships as the default desktop and mobile themes on new installations and can be enabled on existing installations through the themes page.

Theme Options Keystone ships with 6 preset theme options. Covering a different variety of stylistic choices and colour palettes.

Features & Fixes

API

• Add APIv2 documentation to the dashboard. Navigate to settings/swagger in your site to see API documentation accurate to the addons currently installed.
• Add ability to get info for the current user to Users API v2 endpoint GET /api/v2/users/me.
• Make Categories default to allowdiscussions=1.
• Remove Garden.AllowJSONP from config
• Fix limit parameter not being properly validated on APIv2 endpoints.
• Fix permissions updates overwriting all saved permissions for a category in API V2 roles.
• Add ability to expand category to index of discussions endpoint.

Category Following

• Display ‘Unfollow’ option when filtering by followed categories.

Posting 

• Fix inability to reference HTML tags in discussion titles
• Add warning for trying to set the maximum post length beyond current limits
• Move ability to set post formatting from the Advanced Editor to the /vanilla/settings/posting page.
• Fix drafts double escaping special characters.
• Disable hashtags within post contents by default.
• Add support for seconds-only time parameter to YouTube embeds.

Q&A

• Add user option to disable/enable Q&A notifications.
• Fix recalculation of discussions’ Q&A status.

Themes

• Bootstrap 3: Fix Flag flyout menu being cut off in activity

Conversations

• Start new messages auto-enabled.

Dashboard

• Fix orphaning of UserRole records after the deletion of a role.
• Refresh page after adding/deleting bans.
• Refresh page after adding/deleting messages.
• Make minor aesthetic improvements to Dashboard, including using Open Sans font.
• Fix ban rules fatal error on search.

Akismet

• Akismet is now a core plugin. Be sure to delete your local copy before adding installing Vanilla 2.8
• Fix potentially overwriting another plugin’s spam detection results.

Q&A

• Fix accepting answer giving external link warning.

Advanced Editor

• Fix error message handling when uploading a duplicated file

Other

• Critical security fixes.
• Improve accessibility by adding placeholder/title for text areas.
• Add translation support for “All” and “Following” in category following filter menus.
• Add JSON LD microformat to discussion pages.
• Default Vanilla Stats to use HTTPS.
• Fix broken signout URL in embed comment form. (thanks @Bleistivt )
• ProfileExtender: add Instagram magic formatting. (thanks @Bleistivt )
• Steam Connect: Fix broken SSO connections (Steam’s endpoint moved to HTTPS).
• Fix category dropdown when editing drafts with old ‘DoHeadings’ setting enabled.
• Fix permission for accessing the Event Log for Administrators
• Fix emails not being saved when editing a user profile
• Removed the cooldown period before re-prompting for password when changing email address in Vanilla.
• Fix various accessibility issues.
• Improve performance across the application.
• Fix IP ban rules not getting properly applied on user login
• Fix the display of IPv6 when viewing the Event Log.
• Fix search count on the User page in the dashboard when searching by IPv6.
• Fix post counters on profile pages exceeding allotted area.
• Fix duplicated language element in multiple RSS feeds.
• Fix Twitter callback URL for profile connections.
• Fix reactions menu items not redirecting to user profile.
• Fix comment and discussion count displaying as blank when the user hasn’t posted any comment or discussion.
• Fix leaving page links that are double encoded.
• Fix Profile page shows a thread as un-viewed to guest.
• Fix various UI issues and race conditions.
• Fix Checking for duplicate discussion foreignIds (for embed comments) when a user comments in 2 tabs without refreshing the page.
• Add nofollow attribute for social reactions (Facebook, twitter).

Developer Notes

• Add support for converting Garden Schema exceptions to Gdn_Validation. )
• Add extra CSS class for remember password.
• Add a class to @mention inside user content.
• Fix search API not joining all rows when requested limit exceeds resource limit defaults.
• Add CSS class to comments with same author as the discussion.

Fix limit parameter not being properly validated on APIv2 endpoints:

This is a rather minor fix on our end, but it may have an impact on your set up if you are using API V2 anywhere on your side and you have a call set up with a limit parameter set higher than 100.

This has always been our suggested limit; however, we were not properly validating that limit parameter. This meant that you could use an API call with a higher limit parameter, and your calls would be successful. The call would only start to return errors once the community had grown to a point where these API calls they set up would then start pulling so may records that it would exacerbate the API and return an error with little to no helpful information.

Vanilla has implemented proper validation of the parameter so that we can return a valid error explaining that the limit should be lower than 100.

Global functions

Vanilla is transitioning away from the use of global functions. They are being slowly phased out in each release. If you are an addon developer it is recommended that you update your usages of these methods.

With 2.8 the following functions are deprecated and will be removed in a future release: val, addActivity, arrayInArray, arrayMergeRecursiveDistinct, arrayValue, arrayValuesToKeys, checkRequirements, compareHashDigest, consolidateArrayValuesByKey, cTo, forceSSL, forceNoSSL, formatArrayAssignment, formatArrayAssignment, formatDottedAssignment, getIncomingValue, getObject, getPostValue, getValue, mergeArrays, parseUrl, prepareArray, redirect, redirectUrl, removeKeyFromArray, removeQuoteSlashes, removeValueFromArray, safeParseStr, safeRedirect, trueStripSlashes, viewLocation, discussionLink, touchConfig

Most notable of these is val which had over 5000+ usages removed from vanilla since the last release.

Event deprecations

The following events have been deprecated and will be removed in a future release.

• editorPlugin_getFormats - Use getPostFormats instead.
• categoryModel_categoryWatch - Category watching has been replace with category following. See the categoryModel_visibleCategories event.

There are a number of addons with important security updates. Please audit your addons against this list:

1. FileUpload 1.9.2 was released today with 4 security patches. This is also its final release. Please upgrade to Advanced Editor or Rich Text Editor, which have uploading built into them. We will not make further security patches to it; it is now unsupported and will be deleted later this year.
2. Signatures 1.6.1 was released 18 January with a security patch. Support continues.
3. Q&A 1.4 - was released today with 2 security patches and a host of other overdue improvements. Support continues.
4. Last Edited 1.3 - was released today with 1 security patch and other updates.
5. Civil Tongue 1.2 - was released today with 1 security patch and other updates.

In 2018, we also deleted the Whispers and Customize Text addons. We strongly suggest removing them from your site if either is still there. The last known versions had security issues.

We removed these addons from the directory because they are now available within Vanilla 2.8:

• Pockets
• Akismet

You can manually retrieve addons we have sunset from core from our GitHub repo until they are deleted later this year:

• Button Bar
• Open ID
• Emotify (previously removed, now deleted from directory as well)

These addons are now open source for the first time:

• Hero Image (within Vanilla 2.8)
• DebugBar (a developer tool not for production use)

These addons were recently deleted from the directory due to lack of use:

• Submarine Discussions
• No Bump
• HTML Links
• Facebook ID Display

These addons are likely to be removed in the near future:

• Locale Developer (no longer supported)
• Eventi (encourages view-based hooks we wish to move away from)

These addons have been added to the directory, but were already open source:

• MathJax

More addons are being updated as well, but have no current security patches or status changes to announce.