# 1.9.0 (not yet released)

### Notable enhancements

#### For plugin authors

* New APIs for processing attributes: `ep_etherpad-lite/static/js/attributes` (low-level API) and `ep_etherpad-lite/static/js/AttributeMap` (high-level API).

# 1.8.15

### Security fixes

* Fixed leak of the writable pad ID when exporting from the pad's read-only ID. This only matters if you treat writable pad IDs as secret (e.g., you are not using [ep_padlist2](https://www.npmjs.com/package/ep_padlist2)) and you share the pad's read-only ID with untrusted users. Instead of treating writable pad IDs as secret, you are encouraged to take advantage of Etherpad's authentication and authorization mechanisms (e.g., use [ep_openid_connect](https://www.npmjs.com/package/ep_openid_connect) with [ep_readonly_guest](https://www.npmjs.com/package/ep_readonly_guest), or write your own [authentication](https://etherpad.org/doc/v1.8.14/#index_authenticate) and [authorization](https://etherpad.org/doc/v1.8.14/#index_authorize) plugins).
* Updated dependencies.

### Compatibility changes

* The `logconfig` setting is deprecated.

#### For plugin authors

* Etherpad now uses [jsdom](https://github.com/jsdom/jsdom) instead of [cheerio](https://cheerio.js.org/) for processing HTML imports. There are two consequences of this change:
  * `require('ep_etherpad-lite/node_modules/cheerio')` no longer works. To fix, your plugin should directly depend on `cheerio` and do `require('cheerio')`.
  * The `collectContentImage` hook's `node` context property is now an [`HTMLImageElement`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement) object rather than a Cheerio Node-like object, so the API is slightly different. See [citizenos/ep_image_upload#49](https://github.com/citizenos/ep_image_upload/pull/49) for an example fix.
* The `clientReady` server-side hook is deprecated; use the new `userJoin` hook instead.
* The `init_` server-side hooks are now run every time Etherpad starts up, not just the first time after the named plugin is installed.
* The `userLeave` server-side hook's context properties have changed:
  * `auth`: Deprecated.
  * `author`: Deprecated; use the new `authorId` property instead.
  * `readonly`: Deprecated; use the new `readOnly` property instead.
  * `rev`: Deprecated.
* Changes to the `src/static/js/Changeset.js` library:
  * `opIterator()`: The unused start index parameter has been removed, as has the unused `lastIndex()` method on the returned object.
  * `smartOpAssembler()`: The returned object's `appendOpWithText()` method is deprecated without a replacement available to plugins (if you need one, let us know and we can make the private `opsFromText()` function public).
  * Several functions that should have never been public are no longer exported: `applyZip()`, `assert()`, `clearOp()`, `cloneOp()`, `copyOp()`, `error()`, `followAttributes()`, `opString()`, `stringOp()`, `textLinesMutator()`, `toBaseTen()`, `toSplices()`.

### Notable enhancements and fixes

* Accessibility fix for JAWS screen readers.
* Fixed "clear authorship" error (see issue #5128).
* Etherpad now considers square brackets to be valid URL characters.
* The server no longer crashes if an exception is thrown while processing a message from a client.
* The `useMonospaceFontGlobal` setting now works (thanks @Lastpixl!).
* Chat improvements:
  * The message input field is now a text area, allowing multi-line messages (use shift-enter to insert a newline).
  * Whitespace in chat messages is now preserved.
* Docker improvements:
  * New `HEALTHCHECK` instruction (thanks @Gared!).
  * New `settings.json` variables: `DB_COLLECTION`, `DB_URL`, `SOCKETIO_MAX_HTTP_BUFFER_SIZE`, `DUMP_ON_UNCLEAN_EXIT` (thanks @JustAnotherArchivist!).
* `.ep_initialized` files are no longer created.
* Worked around a [Firefox Content Security Policy bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1721296) that caused CSP failures when `'self'` was in the CSP header. See issue #4975 for details.
* UeberDB upgraded from v1.4.10 to v1.4.18. For details, see the [ueberDB changelog](https://github.com/ether/ueberDB/blob/master/CHANGELOG.md). Highlights:
  * The `postgrespool` driver was renamed to `postgres`, replacing the old driver of that name. If you used the old `postgres` driver, you may see an increase in the number of database connections.
  * For `postgres`, you can now set the `dbSettings` value in `settings.json` to a connection string (e.g., `"postgres://user:password@host/dbname"`) instead of an object.
  * For `mongodb`, the `dbName` setting was renamed to `database` (but `dbName` still works for backwards compatibility) and is now optional (if unset, the database name in `url` is used).
* `/admin/settings` now honors the `--settings` command-line argument.
* Fixed "Author *X* tried to submit changes as author *Y*" detection.
* Error message display improvements.
* Simplified pad reload after importing an `.etherpad` file.

#### For plugin authors

* `clientVars` was added to the context for the `postAceInit` client-side hook. Plugins should use this instead of the `clientVars` global variable.
* New `userJoin` server-side hook.
* The `userLeave` server-side hook has a new `socket` context property.
* The `helper.aNewPad()` function (accessible to client-side tests) now accepts hook functions to inject when opening a pad. This can be used to test any new client-side hooks your plugin provides.
* Chat improvements:
  * The `chatNewMessage` client-side hook context has new properties:
    * `message`: Provides access to the raw message object so that plugins can see the original unprocessed message text and any added metadata.
    * `rendered`: Allows plugins to completely override how the message is rendered in the UI.
  * New `chatSendMessage` client-side hook that enables plugins to process the text before sending it to the server or augment the message object with custom metadata.
  * New `chatNewMessage` server-side hook to process new chat messages before they are saved to the database and relayed to users.
* Readability improvements to browser-side error stack traces.
* Added support for socket.io message acknowledgments.

# 1.8.14

### Security fixes

* Fixed a persistent XSS vulnerability in the Chat component. If you cannot update to 1.8.14 directly, we strongly recommend cherry-picking commit a7968115581e20ef47a533e030f59f830486bdfa. Thanks to SonarSource for the professional disclosure.

### Compatibility changes

* Node.js v12.13.0 or later is now required.
* The `favicon` setting is now interpreted as a pathname to a favicon file, not a URL. Please see the documentation comment in `settings.json.template`.
* The undocumented `faviconPad` and `faviconTimeslider` settings have been removed.
* MySQL/MariaDB now uses connection pooling, which means you will see up to 10 connections to the MySQL/MariaDB server (by default) instead of 1. This might cause Etherpad to crash with an `ER_CON_COUNT_ERROR: Too many connections` error if your server is configured with a low connection limit.
* Changes to environment variable substitution in `settings.json` (see the documentation comments in `settings.json.template` for details):
  * An environment variable set to the string "null" now becomes `null` instead of the string "null". Similarly, if the environment variable is unset and the default value is "null" (e.g., `"${UNSET_VAR:null}"`), the value now becomes `null` instead of the string "null". It is no longer possible to produce the string "null" via environment variable substitution.
  * An environment variable set to the string "undefined" now causes the setting to be removed instead of set to the string "undefined".
    Similarly, if the environment variable is unset and the default value is "undefined" (e.g., `"${UNSET_VAR:undefined}"`), the setting is now removed instead of set to the string "undefined". It is no longer possible to produce the string "undefined" via environment variable substitution.
  * Support for unset variables without a default value is now deprecated. Please change all instances of `"${FOO}"` in your `settings.json` to `"${FOO:null}"` to keep the current behavior.
  * The `DB_*` variable substitutions in `settings.json.docker` that previously defaulted to `null` now default to "undefined".
* Calling `next()` without an argument on a `Changeset.opIterator` now always returns a new `Op` object. See b9753dcc7156d8471a5aa5b6c9b85af47f630aa8 for details.

### Notable enhancements and fixes

* MySQL/MariaDB now uses connection pooling, which should improve stability and reduce latency.
* Bulk database writes are now retried individually on write failure.
* Minify: avoid a crash due to an unhandled Promise rejection if `stat` fails.
* Pad IDs are now included in the `/socket.io` query string, e.g. `https://video.etherpad.com/socket.io/?padId=AWESOME&EIO=3&transport=websocket&t=...&sid=...`. This is useful for directing pads to separate socket.io nodes.
*
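The 1.8.14 security fix above names only the bug class (a persistent XSS in the Chat component), so the following is an added illustration of that class and is not Etherpad's chat code or the actual flaw. It puts a renderer that interpolates other users' message fields straight into markup next to one that escapes every field at the output boundary, plus a regression check that fails whenever a raw, metacharacter-bearing input survives into the HTML. The message shape `{authorId, userName, time, text}`, both renderers and the probe message are assumptions made for the example.

```javascript
// Added illustration of the bug class named in the 1.8.14 notes (persistent XSS in
// the Chat component). Not Etherpad's chat code and not the actual flaw; the page
// only names the class. The message shape {authorId, userName, time, text} and both
// renderers are assumptions for this example.

// Minimal HTML escaper, safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: fields that arrive from other users (and, for a persistent
// XSS, are replayed from the database to everyone who opens the pad) are
// interpolated unchanged. Every ${...} here is an injection point, the attribute too.
function renderChatMessageVulnerable(msg) {
  return `<p data-authorid="${msg.authorId}">` +
    `<b>${msg.userName}:</b> <span class="time">${msg.time}</span> ${msg.text}</p>`;
}

// Hardened pattern: escape at the output boundary, for every field, regardless of
// which fields are believed to be "safe" today (author IDs and timestamps included).
function renderChatMessageSafe(msg) {
  return `<p data-authorid="${escapeHtml(msg.authorId)}">` +
    `<b>${escapeHtml(msg.userName)}:</b> <span class="time">${escapeHtml(msg.time)}</span> ` +
    `${escapeHtml(msg.text)}</p>`;
}

// Regression check for a test suite: any untrusted field that contains markup
// metacharacters must not appear verbatim in the rendered HTML.
function leaksRawInput(msg, html) {
  return Object.values(msg).some((v) => /[<>"']/.test(String(v)) && html.includes(String(v)));
}

// Constructed sample message carrying generic probes in the fields an attacker controls.
const PROBE_MESSAGE = {
  authorId: 'a.x"><script>alert(1)</script>',
  userName: '<img src=x onerror=alert(1)>',
  time: '12:00',
  text: 'hello "world"',
};

// Stand-alone demo: the vulnerable renderer leaks the probes, the safe one does not.
function demo() {
  return {
    vulnerableLeaks: leaksRawInput(PROBE_MESSAGE, renderChatMessageVulnerable(PROBE_MESSAGE)),
    safeLeaks: leaksRawInput(PROBE_MESSAGE, renderChatMessageSafe(PROBE_MESSAGE)),
    safeHtml: renderChatMessageSafe(PROBE_MESSAGE),
  };
}
```

In a browser the same property is obtained more robustly by building the message with DOM APIs (`textContent`, `setAttribute`) instead of string concatenation; the string form is used here so the check runs under Node.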
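The substitution rules in the 1.8.14 compatibility notes are precise enough to implement, so here is an added example of a resolver that applies them to a parsed `settings.json` object. It is not Etherpad's own settings loader. Assumptions: a setting participates only when its entire value has the form `${NAME}` or `${NAME:default}`, only the "null"/"undefined" coercions described in the notes are applied (every other value stays a string), the deprecated `${NAME}` form with an unset variable resolves to `null` and is reported, and the sample settings and environment below are constructed for the example.

```javascript
// Added example (not Etherpad's own settings loader): applies the environment
// variable substitution rules from the 1.8.14 notes to a parsed settings object.
// Assumptions: only whole-string "${NAME}" / "${NAME:default}" values are
// substituted, and only "null"/"undefined" are coerced; anything else stays a string.

const SUBST_RE = /^\$\{(?<name>[^}:]+)(?::(?<def>[^}]*))?\}$/;

// "null" becomes null. "undefined" becomes undefined, which a JSON.stringify
// replacer turns into "drop this key" for object properties (in an array it would
// become null); that is what "the setting is removed" means here.
function coerceSpecial(raw) {
  if (raw === 'null') return null;
  if (raw === 'undefined') return undefined;
  return raw;
}

// Resolves substitutions in `settings`, reading variables from `env`. The deprecated
// "${NAME}" form with NAME unset resolves to null and is appended to `warnings`.
function substituteEnvVars(settings, env = process.env, warnings = []) {
  const json = JSON.stringify(settings, (key, value) => {
    if (typeof value !== 'string') return value;
    const m = SUBST_RE.exec(value);
    if (m === null) return value;
    const {name, def} = m.groups;
    if (Object.prototype.hasOwnProperty.call(env, name)) return coerceSpecial(env[name]);
    if (def === undefined) {
      warnings.push(`setting "${key}": "${value}" has no default; write "\${${name}:null}" to keep resolving to null`);
      return null;
    }
    return coerceSpecial(def);
  });
  return JSON.parse(json);
}

// Constructed sample in the shape of a settings.json.docker fragment.
const SAMPLE_SETTINGS = {
  dbType: '${DB_TYPE:dirty}',          // DB_TYPE unset: default "dirty"
  dbSettings: {
    host: '${DB_HOST}',                // deprecated form, DB_HOST unset: null + warning
    port: '${DB_PORT}',                // DB_PORT="undefined": key removed
    password: '${DB_PASS}',            // DB_PASS="null": null
    database: '${DB_NAME:undefined}',  // DB_NAME unset, default "undefined": key removed
  },
  title: '${TITLE:null}',              // TITLE unset, default "null": null
  skinName: 'colibris',                // not a substitution: untouched
  port: 9001,                          // not a string: untouched
};
const SAMPLE_ENV = {DB_PASS: 'null', DB_PORT: 'undefined'};

function runSample() {
  const warnings = [];
  const resolved = substituteEnvVars(SAMPLE_SETTINGS, SAMPLE_ENV, warnings);
  return {resolved, warnings};
}
```

The resolver walks the object through a `JSON.stringify` replacer so that "remove the setting" needs no special-casing: returning `undefined` from the replacer is exactly the removal semantics the notes describe, and `JSON.parse` rebuilds the object without the dropped keys.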