
Vanilla - Security release for old 2.0.18 installs

Linc Detroit Admin
edited August 2014 in Releases

If you are on 2.0.18 (or any 2.0.* release) and have not yet made the upgrade to 2.1, this would be a great time to get moving! If you're still not ready to leave our glorious 2.0 days behind, fear not, the latest security patch is here.


The 2.0 code base is only being given important security patches, and only until the end of 2014.

In this release, we close recently discovered XSS exploits:

  • HtmLawed is upgraded and its filtering tightened (thanks @x00 & Psych0tr1a)
  • parseJSON() is substituted for eval() in 2 places
  • We refactor the definitions list into JavaScript instead of using the DOM (thanks @businessdad)

Complete diff here.
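
Why the eval() to parseJSON() substitution in the list above closes a script-injection path, as an added example that is not part of the original post or of Vanilla's code. JSON.parse stands in for parseJSON(), and the function names and payloads are constructed for illustration.

```javascript
// Added illustration; function names and payloads are constructed for this example.
const sideEffects = [];

// Stand-in for anything script running in the page could reach (cookies, DOM, session).
function recordSideEffect(note) {
  sideEffects.push(note);
  return 'x';
}

// "Before" pattern: eval() treats the response text as JavaScript source,
// so any expression embedded in it runs with the page's privileges.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// "After" pattern: a strict JSON parser accepts data only and throws on
// anything else. JSON.parse stands in here for the parseJSON() call.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed inputs: a well-formed response, and one carrying a function call.
const benign = '{"TransportError": "A fatal error occurred.", "Expand": "expand"}';
const hostile = '{"Title": recordSideEffect("ran inside eval")}';

function demo() {
  sideEffects.length = 0;
  const evalBenign = parseWithEval(benign);   // both parsers agree on valid JSON
  parseWithEval(hostile);                     // the embedded call executes
  const callsAfterEval = sideEffects.length;
  const strictBenign = parseStrict(benign);
  const strictHostile = parseStrict(hostile); // rejected, nothing executes
  return { evalBenign, callsAfterEval, strictBenign, strictHostile,
           callsAfterStrict: sideEffects.length };
}

console.log(demo());
```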


  • Anonymoose ✭✭
    edited August 2014

    In adds extra blockquote html when blockquote appears in a post. (With or without Quote plugin enabled).

  • Linc Detroit Admin
    edited August 2014

    We have released to address an HTML parsing glitch introduced by the new version of HtmLawed. h/t to @x00 for the bug report & fix.

    Updating the OP from to rather than starting a second release discussion.

    You can selectively upgrade from .12 to .13 by simply replacing /plugins/HtmLawed/class.htmlawed.plugin.php and, of course, index.php.

  • In, YouTube links that previously turned into embeds have stopped working for us. Not only do they not turn into embeds, the links themselves disappear on output. Anyone having a similar issue?

  • Linc Detroit Admin

    @PIXELovely All YouTube links, or a particular format of link?

  • edited August 2014

    @Linc All of them. I tried disabling all plugins and switching back to the basic theme, and it didn't seem to help.

  • Linc Detroit Admin

    @PIXELovely Are you getting any JavaScript errors on the page? I still haven't seen any other reports of this yet.

  • I am experiencing the exact same YouTube issue after upgrading to The only way I can get the videos to sometimes display correctly is if I disable the CLEditor plugin. But that only seems to work with new posts. Editing old posts doesn't bring back the embedded video.

  • I decided to reinstall version and now all the videos display correctly. Also, to answer your question @Linc, no, there are no errors that I could see. For example, if the post only had a YouTube link in it and nothing else, it would display as a blank post. And if you look at the page source, the YouTube link wouldn't be present. Just a blank line where the class=Video code is.

  • edited September 2014

    For YouTube issue

    Just tested, it's working fine

    Vanilla version=
    Upgrade method= to new version,upgrade selected files only
    Editor= Button Bar only

    Test YouTube Video (Direct link)
