Security fixes
- Fixed leak of the writable pad ID when exporting from the pad's read-only ID. This only matters if you treat the writeable pad IDs as secret (e.g., you are not using ep_padlist2) and you share the pad's read-only ID with untrusted users. Instead of treating writeable pad IDs as secret, you are encouraged to take advantage of Etherpad's authentication and authorization mechanisms (e.g., use ep_openid_connect with ep_readonly_guest, or write your own authentication and authorization plugins).
- Updated dependencies.
Compatibility changes
- The `logconfig` setting is deprecated.
For plugin authors
- Etherpad now uses jsdom instead of cheerio for processing HTML imports. There are two consequences of this change:
  - `require('ep_etherpad-lite/node_modules/cheerio')` no longer works. To fix, your plugin should directly depend on `cheerio` and do `require('cheerio')`.
  - The `collectContentImage` hook's `node` context property is now an `HTMLImageElement` object rather than a Cheerio Node-like object, so the API is slightly different. See citizenos/ep_image_upload#49 for an example fix.
- The `clientReady` server-side hook is deprecated; use the new `userJoin` hook instead.
- The `init_<pluginName>` server-side hooks are now run every time Etherpad starts up, not just the first time after the named plugin is installed.
- The `userLeave` server-side hook's context properties have changed:
  - `auth`: Deprecated.
  - `author`: Deprecated; use the new `authorId` property instead.
  - `readonly`: Deprecated; use the new `readOnly` property instead.
  - `rev`: Deprecated.
- Changes to the `src/static/js/Changeset.js` library:
  - `opIterator()`: The unused start index parameter has been removed, as has the unused `lastIndex()` method on the returned object.
  - `smartOpAssembler()`: The returned object's `appendOpWithText()` method is deprecated without a replacement available to plugins (if you need one, let us know and we can make the private `opsFromText()` function public).
  - Several functions that should have never been public are no longer exported: `applyZip()`, `assert()`, `clearOp()`, `cloneOp()`, `copyOp()`, `error()`, `followAttributes()`, `opString()`, `stringOp()`, `textLinesMutator()`, `toBaseTen()`, `toSplices()`.
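An added example (not Etherpad's or ep_image_upload's code) of a helper for the `collectContentImage` hook that reads the image `src` from either node shape, so a plugin keeps working across the cheerio-to-jsdom change. The helper names, the sample nodes and the scheme allowlist are assumptions made for illustration.

```javascript
'use strict';

// Added example: helper names and the scheme policy are hypothetical and are
// not part of Etherpad or any published plugin.

// Return the src of the <img> node passed as `context.node`, whichever
// library produced it. Returns null when the node has no usable src.
const getImageSrc = (node) => {
  if (node == null) return null;
  // jsdom HTMLImageElement (this release and later): standard DOM API.
  // getAttribute() returns the attribute as written in the imported HTML,
  // or null if it is absent.
  if (typeof node.getAttribute === 'function') return node.getAttribute('src');
  // Cheerio Node-like object (older releases): attributes are in `attribs`.
  if (node.attribs != null && typeof node.attribs.src === 'string') {
    return node.attribs.src;
  }
  return null;
};

// Assumed plugin policy: imported HTML is untrusted input, so keep only
// inline raster images and https URLs.
const ALLOWED_SRC = /^(data:image\/(png|jpeg|gif);base64,|https:\/\/)/i;
const isAllowedImageSrc = (src) =>
  typeof src === 'string' && ALLOWED_SRC.test(src.trim());

// Call this from the plugin's collectContentImage hook function with the
// hook's context object. Returns the src to keep, or null to drop the image.
const srcFromHookContext = (context) => {
  const src = getImageSrc(context.node);
  return isAllowedImageSrc(src) ? src.trim() : null;
};

// Constructed stand-ins for the two node shapes (not real jsdom or cheerio
// objects), so the example runs without either library installed.
const jsdomLikeNode = {
  getAttribute: (name) => (name === 'src' ? 'https://example.org/a.png' : null),
};
const cheerioLikeNode = {attribs: {src: 'https://example.org/a.png'}};

if (typeof module !== 'undefined') {
  module.exports = {getImageSrc, isAllowedImageSrc, srcFromHookContext};
}
```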
Notable enhancements and fixes
- Accessibility fix for JAWS screen readers.
- Fixed "clear authorship" error (see issue #5128).
- Etherpad now considers square brackets to be valid URL characters.
- The server no longer crashes if an exception is thrown while processing a message from a client.
- The `useMonospaceFontGlobal` setting now works (thanks @Lastpixl!).
- Chat improvements:
  - The message input field is now a text area, allowing multi-line messages (use shift-enter to insert a newline).
  - Whitespace in chat messages is now preserved.
- Docker improvements:
  - New `HEALTHCHECK` instruction (thanks @Gared!).
  - New `settings.json` variables: `DB_COLLECTION`, `DB_URL`, `SOCKETIO_MAX_HTTP_BUFFER_SIZE`, `DUMP_ON_UNCLEAN_EXIT` (thanks @JustAnotherArchivist!).
  - `.ep_initialized` files are no longer created.
- Worked around a Firefox Content Security Policy bug that caused CSP failures when `'self'` was in the CSP header. See issue #4975 for details.
- UeberDB upgraded from v1.4.10 to v1.4.18. For details, see the ueberDB changelog. Highlights:
  - The `postgrespool` driver was renamed to `postgres`, replacing the old driver of that name. If you used the old `postgres` driver, you may see an increase in the number of database connections.
  - For `postgres`, you can now set the `dbSettings` value in `settings.json` to a connection string (e.g., `"postgres://user:password@host/dbname"`) instead of an object.
  - For `mongodb`, the `dbName` setting was renamed to `database` (but `dbName` still works for backwards compatibility) and is now optional (if unset, the database name in `url` is used).
- The `/admin/settings` now honors the `--settings` command-line argument.
- Fixed "Author X tried to submit changes as author Y" detection.
- Error message display improvements.
- Simplified pad reload after importing an `.etherpad` file.
For plugin authors
- `clientVars` was added to the context for the `postAceInit` client-side hook. Plugins should use this instead of the `clientVars` global variable.
- New `userJoin` server-side hook.
- The `userLeave` server-side hook has a new `socket` context property.
- The `helper.aNewPad()` function (accessible to client-side tests) now accepts hook functions to inject when opening a pad. This can be used to test any new client-side hooks your plugin provides.
- Chat improvements:
  - The `chatNewMessage` client-side hook context has new properties:
    - `message`: Provides access to the raw message object so that plugins can see the original unprocessed message text and any added metadata.
    - `rendered`: Allows plugins to completely override how the message is rendered in the UI.
  - New `chatSendMessage` client-side hook that enables plugins to process the text before sending it to the server or augment the message object with custom metadata.
  - New `chatNewMessage` server-side hook to process new chat messages before they are saved to the database and relayed to users.
- Readability improvements to browser-side error stack traces.
- Added support for socket.io message acknowledgments.