Vanilla Forums 3.1
11 July 2019
Vanilla Forums version 3.1 is now available.
Upgrading to Vanilla Forums 3.1
Vanilla Forums 3.1 can be installed, or an existing install upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Vanilla Forums updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Vanilla Forums install and test the 3.1 upgrade before applying it live.
What's New in Vanilla Forums 3.1
This release patches multiple medium-severity security issues.
- Fix invitation limits not being enforced
- Remove dynamic RemoteUrl detection code to fix XSS vulnerability (note: this could potentially be a breaking change for sites that were improperly configured using a method deprecated 7 years ago)
- Fix potential security vulnerability in serveFile() method
- Fix Right to Left override character scrambling URL on leaving page
- Improper Access Control - API V2 media endpoint
- Fix path disclosure
- Publish WordPress addon security fixes
- Fix unprivileged setting of QnA status when adding or editing comments
- Add additional rate limiting to some Vanilla sign-in URLs
- Add rate limiting to SSO connect endpoint
- Full Content Rendering for Moderation/Spam Queue
- Update media resource management permission to Garden.Community.Manage
- Fix incorrect editor selection handling
- Fix Rich Editor responding slowly in some browsers
- Fix clicking on Rich Editor mentions being able to crash the editor
- Fix CSS bug when creating a spoiler
- Simplify showing and hiding name and password
- Fix category following for members
- Fix Rich Post formatting while using search without Advanced Search
- Fix broken format when reporting a post
- Ensure users can view their own profile information even if they do not have the moderator-level permissions to view other users' personal information
- Fix category discussion type not respected when creating a question
- Add boilerplate/keystone theming styles fixes
- Add state token support to Gdn_OAuth2
- Add ability to set standard target after registration by invitation
- Escape the title in Gdn_Theme::logo()
- Remove file path from some upload error messages