HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.8 release notes

charrondevcharrondev Developer Lead (PHP, JS)Montreal Vanilla Staff

@Linc announced the 2.8 release over a month ago. We had some some summary release notes, but the full notes had not yet been accumulated. I will be providing that here.

First a couple notes:

  • Vanilla 2.6 is no longer supported and has unpatched security vulnerabilities. It is recommended to upgrade as soon as possible.
  • The self-hosting, installation, & upgrade docs have been moved out of the README and into our public documentation. Contributions can still be made over at [https://github.com/vanilla/docs].
  • There is and EXTRA STEP being added to the standard upgrade process, as well as specific notes for upgrading from Vanilla 2.6 -> Vanilla 2.8 https://docs.vanillaforums.com/developer/installation/self-hosting/#upgrading
  • We are taking steps to ensure that release and documentation makes it out in a more timely manner. As we've expanded our developer teams(s) we are now able to share the burden of making these notes and will be trying to do proactively as we add features and fixes.

Without further ado.

Rich Editor

Rich Editor is now the default editor for Vanilla.

The Rich Text Editor features a number of significant upgrades:

  • Embedded link previews. When you paste a link, you will see the site’s title, description, and a thumbnail image if one is available.
  • Better user mentioning experience (All unicode characters supported).
  • Pure WYSIWYG. No need to “Preview” your posts because they are always 100% accurate.
  • Toolbars that stay with you and only show when you need them. No need to scroll up to find your menus when composing a long post.
  • Seamless mobile experience that is just as rich as desktop.
  • Enhanced accessibility including full keyboard-based interactions.
  • Built-in native emoji support.
  • Drag-and-drop image embedding and file attachments.
  • Code formatting is now built-in (no other addon needed).
  • When you edit old posts, it will continue to use Advanced Editor. We do not yet support the automatic conversion of old posts to the new format.

Read more abot the rich editor in it’s documentation or it’s introductory blog post

New Default Theme (Keystone)

Vanilla 2.8 ships with a new, fully responsive theme Keystone.

Keystone ships as the default desktop and mobile themes on new installations and can be enabled on existing installations through the themes page.

Theme Options Keystone ships with 6 preset theme options. Covering a different variety of stylistic choices and colour palettes.

Features & Fixes


  • Add APIv2 documentation to the dashboard. Navigate to settings/swagger in your site to see API documentation accurate to the addons currently installed.
  • Add ability to get info for the current user to Users API v2 endpoint GET /api/v2/users/me.
  • Make Categories default to allowdiscussions=1.
  • Remove Garden.AllowJSONP from config
  • Fix limit parameter not being properly validated on APIv2 endpoints.
  • Fix permissions updates overwriting all saved permissions for a category in API V2 roles.
  • Add ability to expand category to index of discussions endpoint.

Category Following

  • Display ‘Unfollow’ option when filtering by followed categories.


  • Fix inability to reference HTML tags in discussion titles
  • Add warning for trying to set the maximum post length beyond current limits
  • Move ability to set post formatting from the Advanced Editor to the /vanilla/settings/posting page.
  • Fix drafts double escaping special characters.
  • Disable hashtags within post contents by default.
  • Add support for seconds-only time parameter to YouTube embeds.


  • Add user option to disable/enable Q&A notifications.
  • Fix recalculation of discussions’ Q&A status.


  • Bootstrap 3: Fix Flag flyout menu being cut off in activity


  • Start new messages auto-enabled.


  • Fix orphaning of UserRole records after the deletion of a role.
  • Refresh page after adding/deleting bans.
  • Refresh page after adding/deleting messages.
  • Make minor aesthetic improvements to Dashboard, including using Open Sans font.
  • Fix ban rules fatal error on search.


  • Akismet is now a core plugin. Be sure to delete your local copy before adding installing Vanilla 2.8
  • Fix potentially overwriting another plugin’s spam detection results.


  • Fix accepting answer giving external link warning.

Advanced Editor

  • Fix error message handling when uploading a duplicated file


  • Critical security fixes.
  • Improve accessibility by adding placeholder/title for text areas.
  • Add translation support for “All” and “Following” in category following filter menus.
  • Add JSON LD microformat to discussion pages.
  • Default Vanilla Stats to use HTTPS.
  • Fix broken signout URL in embed comment form. (thanks @Bleistivt )
  • ProfileExtender: add Instagram magic formatting. (thanks @Bleistivt )
  • Steam Connect: Fix broken SSO connections (Steam’s endpoint moved to HTTPS).
  • Fix category dropdown when editing drafts with old ‘DoHeadings’ setting enabled.
  • Fix permission for accessing the Event Log for Administrators
  • Fix emails not being saved when editing a user profile
  • Removed the cooldown period before re-prompting for password when changing email address in Vanilla.
  • Fix various accessibility issues.
  • Improve performance across the application.
  • Fix IP ban rules not getting properly applied on user login
  • Fix the display of IPv6 when viewing the Event Log.
  • Fix search count on the User page in the dashboard when searching by IPv6.
  • Fix post counters on profile pages exceeding allotted area.
  • Fix duplicated language element in multiple RSS feeds.
  • Fix Twitter callback URL for profile connections.
  • Fix reactions menu items not redirecting to user profile.
  • Fix comment and discussion count displaying as blank when the user hasn’t posted any comment or discussion.
  • Fix leaving page links that are double encoded.
  • Fix Profile page shows a thread as un-viewed to guest.
  • Fix various UI issues and race conditions.
  • Fix Checking for duplicate discussion foreignIds (for embed comments) when a user comments in 2 tabs without refreshing the page.
  • Add nofollow attribute for social reactions (Facebook, twitter).

Developer Notes

  • Add support for converting Garden Schema exceptions to Gdn_Validation. )
  • Add extra CSS class for remember password.
  • Add a class to @mention inside user content.
  • Fix search API not joining all rows when requested limit exceeds resource limit defaults.
  • Add CSS class to comments with same author as the discussion.

Fix limit parameter not being properly validated on APIv2 endpoints:

This is a rather minor fix on our end, but it may have an impact on your set up if you are using API V2 anywhere on your side and you have a call set up with a limit parameter set higher than 100.

This has always been our suggested limit; however, we were not properly validating that limit parameter. This meant that you could use an API call with a higher limit parameter, and your calls would be successful. The call would only start to return errors once the community had grown to a point where these API calls they set up would then start pulling so may records that it would exacerbate the API and return an error with little to no helpful information.

Vanilla has implemented proper validation of the parameter so that we can return a valid error explaining that the limit should be lower than 100.

Global functions

Vanilla is transitioning away from the use of global functions. They are being slowly phased out in each release. If you are an addon developer it is recommended that you update your usages of these methods.

With 2.8 the following functions are deprecated and will be removed in a future release: valaddActivityarrayInArrayarrayMergeRecursiveDistinctarrayValuearrayValuesToKeyscheckRequirementscompareHashDigestconsolidateArrayValuesByKeycToforceSSLforceNoSSLformatArrayAssignmentformatArrayAssignmentformatDottedAssignmentgetIncomingValuegetObjectgetPostValuegetValuemergeArraysparseUrlprepareArrayredirectredirectUrlremoveKeyFromArrayremoveQuoteSlashesremoveValueFromArraysafeParseStrsafeRedirecttrueStripSlashesviewLocationdiscussionLinktouchConfig

Most notable of these is val which had over 5000+ usages removed from vanilla since the last release.

Event deprecations

The following events have been deprecated and will be removed in a future release.

  • editorPlugin_getFormats - Use getPostFormats instead.
  • categoryModel_categoryWatch - Category watching has been replace with category following. See the categoryModel_visibleCategories event.

Sign In or Register to comment.