48 KiB
48 KiB
Next Release
Security fixes
- Fixed leak of the writable pad ID when exporting from the pad's read-only ID. This only matters if you treat the writeable pad IDs as secret (e.g., you are not using ep_padlist2) and you share the pad's read-only ID with untrusted users. Instead of treating writeable pad IDs as secret, you are encouraged to take advantage of Etherpad's authentication and authorization mechanisms (e.g., use ep_openid_connect with ep_readonly_guest, or write your own authentication and authorization plugins).
Compatibility changes
- The
logconfig
setting is deprecated. - For plugin authors:
- Etherpad now uses jsdom instead of
cheerio for processing HTML imports. There are
two consequences of this change:
require('ep_etherpad-lite/node_modules/cheerio')
no longer works. To fix, your plugin should directly depend oncheerio
and dorequire('cheerio')
.- The
node
context argument passed to thecollectContentImage
hook is now anHTMLImageElement
object rather than a Cheerio Node-like object, so the API is slightly different. See citizenos/ep_image_upload#49 for an example fix.
- The
clientReady
server-side hook is deprecated; use the newuserJoin
hook instead. - The
userLeave
server-side hook's context properties have changed:auth
: Deprecated.author
: Deprecated; use the newauthorId
property instead.readonly
: Deprecated; use the newreadOnly
property instead.rev
: Deprecated.
- Etherpad now uses jsdom instead of
cheerio for processing HTML imports. There are
two consequences of this change:
Notable enhancements
- Simplified pad reload after importing an
.etherpad
file. - For plugin authors:
clientVars
was added to the context for thepostAceInit
client-side hook. Plugins should use this instead of theclientVars
global variable.- New
userJoin
server-side hook. - The
userLeave
server-side hook has a newsocket
context property. - The
helper.aNewPad()
function (accessible to client-side tests) now accepts hook functions to inject when opening a pad. This can be used to test any new client-side hooks your plugin provides. - Chat improvements:
- The
chatNewMessage
client-side hook context has new properties:message
: Provides access to the raw message object so that plugins can see the original unprocessed message text and any added metadata.rendered
: Allows plugins to completely override how the message is rendered in the UI.
- New
chatSendMessage
client-side hook that enables plugins to process the text before sending it to the server or augment the message object with custom metadata. - New
chatNewMessage
server-side hook to process new chat messages before they are saved to the database and relayed to users.
- The
1.8.14
Security fixes
- Fixed a persistent XSS vulnerability in the Chat component. In case you can't
update to 1.8.14 directly, we strongly recommend to cherry-pick
a796811558
. Thanks to sonarsource for the professional disclosure.
Compatibility changes
- Node.js v12.13.0 or later is now required.
- The
favicon
setting is now interpreted as a pathname to a favicon file, not a URL. Please see the documentation comment insettings.json.template
. - The undocumented
faviconPad
andfaviconTimeslider
settings have been removed. - MySQL/MariaDB now uses connection pooling, which means you will see up to 10 connections to the MySQL/MariaDB server (by default) instead of 1. This might cause Etherpad to crash with a "ER_CON_COUNT_ERROR: Too many connections" error if your server is configured with a low connection limit.
- Changes to environment variable substitution in
settings.json
(see the documentation comments insettings.json.template
for details):- An environment variable set to the string "null" now becomes
null
instead of the string "null". Similarly, if the environment variable is unset and the default value is "null" (e.g.,"${UNSET_VAR:null}"
), the value now becomesnull
instead of the string "null". It is no longer possible to produce the string "null" via environment variable substitution. - An environment variable set to the string "undefined" now causes the setting
to be removed instead of set to the string "undefined". Similarly, if the
environment variable is unset and the default value is "undefined" (e.g.,
"${UNSET_VAR:undefined}"
), the setting is now removed instead of set to the string "undefined". It is no longer possible to produce the string "undefined" via environment variable substitution. - Support for unset variables without a default value is now deprecated.
Please change all instances of
"${FOO}"
in yoursettings.json
to${FOO:null}
to keep the current behavior. - The
DB_*
variable substitutions insettings.json.docker
that previously defaulted tonull
now default to "undefined".
- An environment variable set to the string "null" now becomes
- Calling
next
without argument when usingChangeset.opIterator
does always return a new Op. Seeb9753dcc71
for details.
Notable enhancements and fixes
- MySQL/MariaDB now uses connection pooling, which should improve stability and reduce latency.
- Bulk database writes are now retried individually on write failure.
- Minify: Avoid crash due to unhandled Promise rejection if stat fails.
- padIds are now included in /socket.io query string, e.g.
https://video.etherpad.com/socket.io/?padId=AWESOME&EIO=3&transport=websocket&t=...&sid=...
. This is useful for directing pads to separate socket.io nodes.