Vanilla - Security release for old 2.0.18 installs

Linc (Director of Development, Detroit, Vanilla Staff)
edited August 2014 in Releases

If you are on 2.0.18 (or any 2.0.* release) and have not yet made the upgrade to 2.1, this would be a great time to get moving! If you're still not ready to leave our glorious 2.0 days behind, fear not, the latest security patch is here.


The 2.0 code base is only being given important security patches, and only until the end of 2014.

In this release, we close recently discovered XSS exploits:

  • htmLawed is upgraded and its filtering tightened (thanks @x00 & Psych0tr1a)
  • parseJSON() is substituted for eval() in 2 places
  • We refactor the definitions list into JavaScript instead of using the DOM (thanks @businessdad)

Complete diff here.
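
Editor's added example, not part of the original post and not taken from Vanilla's code or its diff: it shows why swapping eval() for a strict JSON parser closes a script-execution path when response text can be influenced by a user. It assumes native `JSON.parse` as a stand-in for `parseJSON()`; the function names and sample strings are constructed for illustration.

```javascript
// Constructed sample inputs (not from Vanilla's code base).
const benign = '{"count": 3, "label": "Inbox"}';
// Valid JavaScript, but NOT valid JSON: the value is an expression with a
// harmless, observable side effect standing in for injected script.
const hostile = '{"count": (globalThis.__sideEffect = "ran"), "label": "Inbox"}';

// Legacy pattern: treat the response text as JavaScript source.
// Any expression embedded in the text is evaluated with page privileges.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Replacement pattern: a strict JSON parser only accepts data literals
// and throws on anything else, so nothing in the text is ever executed.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs the hostile input through both parsers and reports what happened.
function demo() {
  delete globalThis.__sideEffect;
  parseWithEval(hostile);
  const evalRanCode = globalThis.__sideEffect === 'ran';

  delete globalThis.__sideEffect;
  const strict = parseStrict(hostile);
  const strictRanCode = globalThis.__sideEffect === 'ran';
  delete globalThis.__sideEffect;

  return {
    evalRanCode,                  // true: eval executed the embedded expression
    strictRanCode,                // false: JSON.parse executed nothing
    strictAccepted: strict.ok,    // false: hostile text rejected
    strictError: strict.error,    // "SyntaxError"
    benign: parseStrict(benign),  // well-formed JSON still parses normally
  };
}

console.log(demo());
```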

