Vanilla 2.8.1 is now available - Security Patches & Bug Fixes
Vanilla 2.8.1 contains multiple security and bug fixes. Please upgrade immediately.
If you are upgrading from a release prior to 2.8, read the 2.8 release notes first and follow those steps to upgrade. If you were not aware of the additional upgrade step (clearing the /dist folder and additional files from 2.6), please be sure to do all of the steps with this update.
A few notes to repeat from the last release notes:
- Vanilla 2.6 is no longer supported and has unpatched security vulnerabilities. It is recommended to upgrade as soon as possible.
- The self-hosting, installation, & upgrade docs have been moved out of the README and into our public documentation. Contributions can still be made over at [https://github.com/vanilla/docs].
- There is an EXTRA STEP added to the standard upgrade process, as well as specific notes for upgrading from Vanilla 2.6 -> Vanilla 2.8: https://docs.vanillaforums.com/developer/installation/self-hosting/#upgrading
- We are taking steps to ensure that releases and documentation make it out in a more timely manner. As we've expanded our developer team(s), we are now able to share the burden of writing these notes and will be trying to do so proactively as we add features and fixes.
Release notes follow.
7 medium-severity security issues were patched. Details are included below, but the linked issues with their full details are currently still private. It is recommended to upgrade immediately.
- vanilla/vanilla-patches#478 - Fix stored XSS when deleting a tag
- vanilla/vanilla-patches#477 - InThisDiscussion Plugin: Fix XSS in username field
- vanilla/vanilla-patches#480 - Tagging: Fix Adding tags to discussions without proper permission
- vanilla/vanilla-patches#479 & vanilla/vanilla-patches#482 - Check Discussion permissions when flagging a discussion
- vanilla/vanilla-patches#492 - Fix: Bypassing trusted domains to post links using Right-to-left unicode character
- vanilla/vanilla-patches#497 - Fix XSS at add user/reveal password
- vanilla/vanilla-patches#496 - Fix: manipulating conversationID can shut down further new conversations
- Fix responsive theme support for keystone.
- Fix keystone NewFlyouts feature flag not being directly tied to the theme being enabled.
- Keystone ThemeHooks removed. No longer necessary.
- Keystone no longer forces itself as the mobile theme.
- #8475 & #8508 - Fix Advanced Editor flyouts on mobile with keystone. Thanks @MichaelTyson for assistance with debugging this.
- #8414 - Fix clearing of rich editor for conversations and activity
- #8397 - Fix formatting of notifications & emails for the following post formats: Rich, BBCode, Markdown
Previously these post formats were being sent out "raw" in notifications & emails. This looked particularly bad for the Rich format.
- #8516 - Fix undo/redo actions for embeds while creating rich posts
- #8492 & #8540 - Fix a bug causing partially loaded rich embeds to crash the page.
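To illustrate the class of issue behind vanilla/vanilla-patches#492 (trusted-domain bypass using a right-to-left Unicode character), here is an added example that is not Vanilla's code: a weak substring-based domain check next to a hardened one that rejects bidirectional control characters, parses the URL, and compares the host exactly. The trusted-domain list and URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Unicode bidirectional control characters (U+202A..U+202E, U+2066..U+2069).
# Assumption: a link URL containing any of these is never legitimate input.
BIDI_CONTROLS = frozenset(
    chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))
)

# Constructed list of domains that are allowed to be linked without a warning.
TRUSTED_DOMAINS = ("example.com", "forum.example.org")


def naive_is_trusted(url: str) -> bool:
    """Weak check: substring match on the raw string, no parsing.

    Any URL that merely contains a trusted domain somewhere (path, query,
    or after a direction-changing control character) passes.
    """
    return any(domain in url for domain in TRUSTED_DOMAINS)


def is_trusted(url: str) -> bool:
    """Hardened check: reject bidi controls, parse, then compare the host."""
    if any(ch in BIDI_CONTROLS for ch in url):
        return False
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # hostname is already lower-cased by urlsplit; drop a trailing dot.
    host = parts.hostname.rstrip(".")
    return any(
        host == domain or host.endswith("." + domain)
        for domain in TRUSTED_DOMAINS
    )
```

The hardened check also rejects look-alike hosts such as `example.com.evil.test`, which the substring check accepts.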