Vanilla 2.0.18.13 - Security release for old 2.0.18 installs
If you are on 2.0.18 (or any 2.0.* release) and have not yet made the upgrade to 2.1, this would be a great time to get moving! If you're still not ready to leave our glorious 2.0 days behind, fear not, the latest security patch is here.
The 2.0 code base is only being given important security patches, and only until the end of 2014.
In this release, we close recently discovered XSS exploits:
- HtmLawed is upgraded and its filtering tightened (thanks @x00 & Psych0tr1a)
- parseJSON() is substituted for eval() in 2 places
- We refactor the definitions list into JavaScript instead of using the DOM (thanks @businessdad)
Comments
SphinxSearch JSON error: http://vanillaforums.org/discussion/27543/json-error-with-vanilla-2-0-18-12
Quote plugin doesn't work correctly after upgrade. http://vanillaforums.org/discussion/27544/quotes-1-2-2-doesn-t-work-with-vanilla-2-0-18-12
2.0.18.12 adds extra blockquote HTML when a blockquote appears in a post. (With or without the Quote plugin enabled.)
We have released 2.0.18.13 to address an HTML parsing glitch introduced by the new version of HtmLawed. h/t to @x00 for the bug report & fix.
Updating the OP from 2.0.18.12 to 2.0.18.13 rather than starting a second release discussion.
You can selectively upgrade from .12 to .13 by simply replacing /plugins/HtmLawed/class.htmlawed.plugin.php and, of course, index.php.
In 2.0.18.13, YouTube links that previously turned into embeds have stopped working for us. Not only do they not turn into embeds, the links themselves disappear on output. Anyone having a similar issue?
@PIXELovely All YouTube links, or a particular format of link?
@Linc All of them. I tried disabling all plugins and switching back to the basic theme, and it didn't seem to help.
@PIXELovely Are you getting any JavaScript errors on the page? I still haven't seen any other reports of this yet.
I am experiencing the exact same YouTube issue after upgrading to 2.0.18.13. The only way I can get the videos to sometimes display correctly is if I disable the CLEditor plugin. But that only seems to work with new posts. Editing old posts doesn't bring back the embedded video.
I decided to reinstall version 2.0.18.11 and now all the videos display correctly. Also, to answer your question @Linc, no, there are no errors that I could see. For example, if the post only had a YouTube link in it and nothing else, it would display as a blank post. And if you look at the page source, the YouTube link wouldn't be present. Just a blank line where the class=Video code is.
For YouTube issue
Just tested, it's working fine
Vanilla version=2.0.18.13
Upgrade method= 2.0.18.11 to new version, upgraded selected files only
Editor= Button Bar only
Test Youtube Video (Direct link)
http://www.youtube.com/watch?v=CduA0TULnow