Hosting Vanilla Forums

2.6
 (major version) (security release)
28 May - 30MBSecurity

Prevent activity record data from leaking in AJAX response.

Fix XSS in Editor attachment viewer.

Fix XSS is SSO connection screen.

Regenerate confirmation code when changing email address.

Require confirmation of manually-entered emails during SSO.

Fix permission check on private conversation participants adding messages.

Fix permission-based email leaking in private conversations.

Fix permission problem in "getRecord" function.

Fix ownership checking of drafts before allowing overwrite.

Blacklist the 'download' attribute from user-generated content.

Fix our use of cURL to not allow non-HTTP redirects.



Highlights

Users may now "Follow" categories.

Recent Discussions page may be filtered to only show discussions from followed categories.

This feature must be enabled in the Dashboard.

Enabling it adds a new menu to the Recent Discussions page, so theming conflicts should be checked.

We removed the old "Mute" function for categories to make room for this new feature.



API v2

New addon "API v2 Docs" (in plugins/swagger-ui) is now part of the default package and on by default in new installs.

It adds API documentation to the Dashbord menu.

The API documentation auto-builds when accessed, giving you custom docs that are specific to what addons you currently have enabled on your site.

Add API v2 support for search.

API change for Q&A addon: A discussion that is a Question can no longer be updated or deleted from the discussion endpoint. It must use the new Ideation or Q&A endpoints. This prevents loss of data integrity for their current status.

API: Add pagination information to response headers for multiple endpoints.

API: Add filtering by archived status to categories endpoint.

Allow the API v2 to authenticate with API v1 access tokens.

API docs: Parameters of type 'enum' now correctly list all values that are accepted.



Bug Fixes

Fix ability to delete items in moderation logs.

Fix spider crawling errors for non-existent pages.

Fix image upload button not always appearing in Advanced Editor and Signature editing.

Fix filter menus showing for guests on Recent Discussions and categories root.

Add "none found" message to category pages with no categories.

Fix image cropper overflow when editing avatars.

Fix broken links to theme documentation from dashboard.

Update redirection after adding a category.

Update System user's default avatar.

Rename database column GDN_Session.DateExpire to DateExpires to match conventions and fix structure update problem.

Fix translations for file upload error messages.

Fix Google+ SSO link to signin.

Make 'image upload' button on by default in Editor.

Fix user search by IP not returning results

Adjust comment editing permission checks to avoid re-querying the database unnecessarily.

Multiple accessibility improvements.

Read more: https://open.vanillaforums.com/discussion/comment/252706/#Comment_252706