Hey there, one and all! Welcome to the first beta release of Pepperminty Wiki v0.24.
Before we continue, I need to mention that you need to install this release or higher if you want to edit pages in the latest version of the Android client app. This is actually the main reason I'm making this beta release now - to give people something to update to that's not "build from source from the latest git".
With that out of the way, this release has a number of cool features:
- 📺 Support for embedding YouTube / Vimeo videos: e.g. `![alt text](https://youtube.com/watch?v=pID0xQ2qnrQ)`. If you can think of another site that should have native embed support, please open an issue
- 📦 Added oneboxing: Rich previews for internal links. If an internal link with 3 square brackets (e.g. `[[[example]]]`) is on its own with nothing before or after it on a line, then it'll be turned into a onebox
- 🔐 Improved security: The method by which these security issues were disclosed leaves a lot to be desired, but they are fixed anyway.
- 📱 Improved API support for the Android client app (GitHub): This may be a constant feature in the next few updates as I add more functionality to the app :D
Have you updated to this release? Click this link to say hi!
This release also has an experimental GPG and SHA256 hashes file attached. My GPG key is `C2F7843F9ADF9FEE264ACB9CC1C6C0BB001E1725` - please open an issue if you encounter any issues 🙂
Updating
You can update to this release simply by grabbing an updated copy of `index.php` and replacing the version in your current wiki (don't forget to take backups! I make every effort to squash as many bugs as possible, but you can never be too certain). You can get an updated copy of `index.php` in a number of ways:
- By downloading the `index.php` file attached to this release
- Using the online downloader (always has the latest stable version): I have updated the online downloader for this version. Normally this is only done for stable releases!
- Using the online downloader offline
- Building your own from source
For more information on the last 2 methods, please see the documentation.
For those who want to contribute financially as a thank you, I've recently set up a Liberapay to accept donations. It's certainly not required, but would definitely help me out :-) If you want to contribute but Liberapay isn't for you, please let me know (e.g. open an issue, see my website for more contact options).
Since v0.23
Added
- Added support for embedding external YouTube and Vimeo videos (e.g. `![alt text](https://youtube.com/watch?v=pID0xQ2qnrQ)`)
    - If you know of a cool service that should be supported, please open an issue - YouTube and Vimeo were just the only 2 I could think of
    - Known issue: specifying the size (i.e. with `| 500x400` inside the brackets() there) doesn't currently work because iframes are weird
- Added oneboxing: rich previews for internal links. If an internal link with 3 square brackets (e.g. `[[[example]]]`) is on its own with nothing before or after it on a line, then it'll be turned into a onebox
    - 2 new settings have also been added to control it: `parser_onebox_enabled` and `parser_onebox_preview_length`
    - TODO: Update the dynamic help page for this.
- [Rest API] Add new `x-tags` HTTP header to `raw` action (required for v2.2 of the Android client app to edit pages!)
Changed
- Display returnto URL above the login form if present to further mitigate CSRF issues
- [Rest API] Return a 409 Conflict instead of a 200 OK on an edit conflict when saving a page in the `save` action, and add `x-failure-reason` for more errors
Fixed
- Stats: Fix crash when loading the stats page
- Fix crash when leaving a top-level comment
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
- [security] Ensure that JavaScript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to this answer even Inkscape doesn't strip all JavaScript when asked to)
- [security] Fixed XSS when the `action` GET param doesn't match a known action
- [security] User pages are now only savable in the HTTP API by either a moderator or the owning user (previously only the `edit` action was protected, so if you made a request direct to the `save` action, you could bypass the check)
- StorageBox: Create SQLite DB if it doesn't exist explicitly with `touch()`, because some systems are weird
- StorageBox: Fix crash when `index.php` is a symbolic link
- Fixed erroneous additional entries in complex tables of contents
- Make `PeppermintParsedown::extract_page_names` more multibyte safe to avoid empty statistics