Vanilla 3.0 is now available (Updated 3.0.2)

charrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
edited June 2019 in Releases

After successful RC1 and RC2 releases, the 3.0 release is here! Thank you to everyone who helped test things on staging servers and who filed issues along the way.

Without further ado:


  • New Rich Editor features and improvements.
  • 100s of bug fixes.
  • Many medium-severity security issues reported via our HackerOne campaign are now resolved.
  • Improved default cache headers.
  • Deprecated some old classes, and removed some already deprecated ones.
  • Laid the groundwork for new drafts & reaction systems.
  • Image upload limits.
  • Improvements to the Keystone theme.
  • Google SignIn.
  • Better SEO and performance w/ the DeferredLegacyScripts flag.

Upgrade Notes

Please note the next comment containing breaking changes in this release. Many sites will be unaffected by these changes, but please read the notes to see if additional steps will be needed for your site.

  • Vanilla 3.0 requires PHP 7.1 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.3 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
  • Follow the normal upgrade process, including running /utility/update.
  • Follow additional specific upgrade instructions.
  • Test your plugin & theme compatibility in a safe place before upgrading your production forum.


Get it over in the addon directory. https://open.vanillaforums.com/addon/vanilla-core-3.0.2


  • Options
    charrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
    edited June 2019

    Breaking Changes

    Starting with this release Vanilla requires a minimum version of PHP 7.1. Starting with this release Vanilla's automated test suite now runs on PHP versions 7.1 - 7.3.


    Beginning in this release the following classes are now deprecated.

    • \Gdn_ApplicationManager
    • \Gdn_ThemeManager
    • \Gdn_PluginManager
    • \Gdn_Pluggable

    Additionally the following methods are now deprecated.

    • \Gdn::applicationManager()
    • \Gdn::pluginManager()
    • \Gdn::themeManager()
    • \PagerModule::rel()

    If you are using any of these methods please see their inline documentation for their newer alternatives.

    New Database Tables

    In this release we are laying the groundwork for bringing reactions into core. The user-facing feature is not a part of this release, but we have created new core models and a database structure for it. As a result there are two database tables that will be created.

    • GDN_reaction
    • GDN_reactionOwner

    If you use a case-insensitive filesystem & the YAGA addon this will be a breaking change.

    Unfortunately some open source addons have taken the database table `GDN_Reaction`. This is the cause of the conflict. If you are affected here your options are essentially:

    • Try to organize an update to the YAGA addon.
    • Wait for finalization of our core reactions feature and then disable YAGA (no hard timeline).
    • Switch to a case-sensitive filesystem.

    For people creating addons in the future I would recommend name-spacing both your classes and database tables. Was your code created as part of \Vanilla or part of the GDN_ framework? If not you should probably use a different prefix or append some additional prefix.

    Removed classes, methods, & interfaces

    The following items were all deprecated with the 2.5 release. They have been removed starting in this release.

    • Gdn_Factory
    • ISingleton
    • Gdn::getFactory()
    • Gdn::factoryInstallDependency()
    • Gdn::factoryInstallDependencyFromConfig()
    • Gdn::factoryInstallFromConfig()

    URL rewriting is mandatory!!!

    This was part of the 2.5 release upgrade notes, but it becomes more and more important as time goes on.

    If your forum still uses URLs including ?p=, support for this URL structure has ended. Follow these steps to switch to the simpler format:

    1. Confirm your server is set up to handle rewrites. On Apache, using the .htaccess file provided will accomplish this. Additional setup is required on nginx and other platforms.
    2. Test whether it is working by visiting /discussions - if you see a discussions list (rather than a 404), it is likely set up correctly.
    3. Open /conf/config.php and find the line with $Configuration['Garden']['RewriteUrls'] = false; and delete the entire line.

    APIv2 is not compatible with ?p= style URLs. Going forward, more and more parts of Vanilla will be built on top of our API. Rich Editor requires it. Some upcoming UI features in this year's releases will be built on the API.

    Users using nginx can refer to the following resources as examples:

    Updated Cache Headers on /entry/*

    If you have any view override for a view in EntryController, eg. signin, register, etc, you have to update it. Otherwise all entry forms will no longer work for signed out users.

    Work was done in this release to allow caching /entry/* pages for guests. As a result Vanilla now sends down standard cache headers for these HTML pages, whereas previously it would prevent caching on these pages.

    The reason for the previous lack of caching was because these entry forms required a TransientKey in a cookie for every user and these need to be private & per user. Eg. cannot be cached.

    These forms no longer require a TransientKey if the request is submitted over AJAX with the X-Request-With header, but the forms must now be submitted over Ajax. The core views have been updated, but if you overrode one of those views, you will need to update it or users signing in will begin seeing errors when signing in or registering.

    Emoji Extender case sensitive rename

    Some renaming has occurred within the EmojiExtender plugin and additional upgrade steps are required on certain systems to prevent having duplicate versions of the plugin.

    1. Delete EmojiExtender from your plugins directory. The plugin directory now matches its addon key emojiextender.
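
One way to act on the breaking-changes post above before upgrading, as an added example that is not part of the original post or Vanilla's own tooling: a scanner that flags the removed classes and methods, the deprecated ones, and a leftover `RewriteUrls = false` line in custom PHP files. The function names, status labels and sample files are this example's own, and the scan is purely textual, so names inside comments or strings are reported too.

```python
import re
import tempfile
from pathlib import Path

# Names copied from the breaking-changes post; status is as of Vanilla 3.0.
REMOVED = ["Gdn_Factory", "ISingleton", "Gdn::getFactory",
           "Gdn::factoryInstallDependencyFromConfig",
           "Gdn::factoryInstallDependency", "Gdn::factoryInstallFromConfig"]
DEPRECATED = ["Gdn_ApplicationManager", "Gdn_ThemeManager", "Gdn_PluginManager",
              "Gdn_Pluggable", "Gdn::applicationManager", "Gdn::pluginManager",
              "Gdn::themeManager", "PagerModule::rel"]

def compile_names(names):
    # PHP class and method names are case-insensitive; the lookarounds stop
    # partial hits such as MyGdn_Factory or Gdn_FactoryHelper.
    alternatives = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<!\w)(?:%s)(?!\w)" % alternatives, re.IGNORECASE)

RULES = [
    ("removed", compile_names(REMOVED)),
    ("deprecated", compile_names(DEPRECATED)),
    ("unsupported", re.compile(
        r"\$Configuration\['Garden'\]\['RewriteUrls'\]\s*=\s*false", re.IGNORECASE)),
]

def scan(root):
    """Return (relative path, line number, status, matched text) for each hit."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            for status, pattern in RULES:
                hits += [(rel, number, status, m.group(0)) for m in pattern.finditer(line)]
    return hits

def demo():
    """Scan a constructed two-file tree (sample input, not real addon code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "plugins").mkdir()
        (root / "conf" / "config.php").write_text(
            "<?php\n$Configuration['Garden']['RewriteUrls'] = false;\n")
        (root / "plugins" / "example.php").write_text(
            "<?php\n$f = Gdn::getFactory();\n$pm = \\gdn::PluginManager();\n")
        return scan(root)
```
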
  • Options
    charrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
    edited June 2019

    Update 3.0.1

    This update fixes a bug where sometimes a user resetting their password would not get redirected properly after successfully resetting it.

    Update 3.0.2

    Update 3.0.2 contains multiple important security fixes and bug fixes.


    This fix required copying over the new files and doing the following:

    • Delete container.html
    • Do a utility/update


    • Fix emoji extender event name changing. #8947
    • Improve iOS rich editor performance. #8936
    • Fix some editor selection/insertion bugs (embed getting inserted at the incorrect position). #8967
    • Fix keystone mobile searchbar not appearing w/out the proprietary AdvancedSearch plugin. #8960


    HSTS Configuration

    This Vanilla release improves security by allowing sites to enable stricter security on their domains.

    This feature is now on by default and means that once a user has visited a site over https:// their browser will always use https:// for this domain in the future. This is a more secure mechanism for enforcing https:// than redirects, and prevents users from accidentally browsing the insecure version of a site.

    This should not affect sites without https:// support as it only applies if a site is visited by a user over https:// .

    Various configuration options and their descriptions can be found on the Security page in the Vanilla dashboard.

    Other Security Fixes

    • Add OAuth2 state support (fixes security issues). #8949
    • Set the content security policy frame-ancestors header #8970
    • Fix rate limiting not being applied properly on some authorization endpoints vanilla/vanilla-patches#573

    Get it here.
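
A check for the two response headers the 3.0.2 notes above describe (HSTS and the CSP frame-ancestors directive), as an added example that is not part of the original post or Vanilla's code. The finding codes and function names are this example's own, and the sample header values are constructed rather than captured from a Vanilla site.

```python
def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        words = directive.split()
        if words and words[0].lower() == "frame-ancestors":
            return words[1:]
    return None

def audit(scheme, raw_headers):
    """Return finding codes for one response, given the URL scheme and header text."""
    headers = {}
    for line in raw_headers.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    hsts = headers.get("strict-transport-security")
    if scheme == "https":
        max_age = parse_hsts(hsts)[0] if hsts is not None else None
        if hsts is None:
            findings.append("hsts-missing")
        elif max_age is None:
            findings.append("hsts-invalid")   # no usable max-age: browsers ignore it
        elif max_age == 0:
            findings.append("hsts-cleared")   # max-age=0 removes the stored policy
    elif hsts is not None:
        findings.append("hsts-over-http")     # browsers ignore HSTS on plain HTTP
    ancestors = frame_ancestors(headers.get("content-security-policy", ""))
    if ancestors is None:
        findings.append("frame-ancestors-missing")
    elif "*" in ancestors:
        findings.append("frame-ancestors-wildcard")
    return findings

# Constructed sample responses (not captured from a real Vanilla site).
GOOD = ("Strict-Transport-Security: max-age=15768000; includeSubDomains\n"
        "Content-Security-Policy: frame-ancestors 'self'")
WEAK = "Strict-Transport-Security: max-age=0\nContent-Security-Policy: default-src 'self'"
```

The `hsts-over-http` case matches the post's point that the policy only takes effect when the site is visited over https://.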

  • Options

    Doesn't seem that the issue with "blur effect" on the sign in popup is solved yet. I'm also having troubles with uploading pics with rich editor (although I've no problems with wysiwyg); it gives me server error 400, any suggestions?

    On the other hand pics optimization is amazing, well done! Thank you

  • Options
    charrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    @Lorenzo Is there an issue filed somewhere to track the sign in popup thing? I'm not sure what issue you're referring to.

    I'd recommend starting a separate help thread about the upload endpoint. It's likely server configuration related.

  • Options
    edited June 2019

    Thanks Vanilla team for fixing mobile search issue (#8960) and other ones. Vanilla 3.0 with new impressive Rich editor looks almost perfect.

    But what about issue #8680? After updating to 3.0.2 the search results are still replaced with “There was an error rendering this rich post”.

  • Options

    Fatal Error in PHP.slugify();

    Call to undefined function iconv()

    The error occurred on or near: /home/htcadmin/public_html/discuss/library/core/functions.general.php

    4036:         // replace non letter or digits by -
    4037:         $text = preg_replace('/[^\pL\d]+/u', '-', $text);
    4039:         // transliterate
    4040:         $text = iconv('utf-8', 'us-ascii//TRANSLIT', $text);
    4042:         // remove unwanted characters
    4043:         $text = preg_replace('/[^-\w]+/', '', $text);


    [/home/htcadmin/public_html/discuss/library/core/class.form.php:795] PHP::slugify();
    [/home/htcadmin/public_html/discuss/applications/dashboard/views/modules/configuration.php:78] Gdn_Form->imageUploadPreview();
    [/home/htcadmin/public_html/discuss/library/core/class.module.php:130] PHP::include();
    [/home/htcadmin/public_html/discuss/library/core/class.module.php:281] Gdn_Module->fetchView();
    [/home/htcadmin/public_html/discuss/library/core/class.module.php:258] Gdn_Module->toString();
    [/home/htcadmin/public_html/discuss/applications/dashboard/views/settings/branding.php:9] Gdn_Module->render();
    [/home/htcadmin/public_html/discuss/library/core/class.controller.php:773] PHP::include();
    [/home/htcadmin/public_html/discuss/library/core/class.controller.php:1377] Gdn_Controller->fetchView();
    [/home/htcadmin/public_html/discuss/library/core/class.pluggable.php:217] Gdn_Controller->xRender();
    [/home/htcadmin/public_html/discuss/applications/dashboard/controllers/class.settingscontroller.php:560] Gdn_Pluggable->__call();
    [/home/htcadmin/public_html/discuss/library/core/class.dispatcher.php:862] SettingsController->branding();
    [/home/htcadmin/public_html/discuss/library/core/class.dispatcher.php:279] Gdn_Dispatcher->dispatchController();
    [/home/htcadmin/public_html/discuss/index.php:29] Gdn_Dispatcher->dispatch()
  • Options
    R_J Ex-Fanboy Munich Admin

    Your PHP installation is missing the iconv extension.

  • Options

    Love Love Love! the image upload limits. Thank you to the vanilla team!
