etherpad-lite/CHANGELOG.md

22 KiB

1.6.4

  • SECURITY: exploitable /admin access - CVE-2018-9845
  • SECURITY: DoS with pad exports - CVE-2018-9327
  • SECURITY: Remote Code Execution - CVE-2018-9326
  • SECURITY: Pad data leak - CVE-2018-9325
  • Fix: Admin redirect URL
  • Fix: Various script Fixes
  • Fix: Various CSS/Style/Layout fixes
  • NEW: Improved Pad contents readability
  • NEW: Hook: onAccessCheck
  • NEW: SESSIONKEY and APIKey customizable path
  • NEW: checkPads script
  • NEW: Support "cluster mode"

1.6.3

  • SECURITY: Update ejs
  • SECURITY: xss vulnerability when reading window.location.href
  • SECURITY: sanitize jsonp
  • NEW: Catch SIGTERM for graceful shutdown
  • NEW: Show actual applied text formatting for caret position
  • NEW: Add settings to improve scrolling of viewport on line changes

1.6.2

  • NEW: Added pad shortcut disabling feature
  • NEW: Create option to automatically reconnect after a few seconds
  • Update: socket.io to 1.7.3
  • Update: l10n lib
  • Update: request to 2.83.0
  • Update: Node for windows to 8.9.0
  • Fix: minification of code

1.6.1

  • NEW: Hook aceRegisterNonScrollableEditEvents to register events that shouldn't scroll
  • NEW: Added 'item' parameter to registerAceCommand Hook
  • NEW: Added LibreJS support
  • Fix: Crash on malformed export url
  • Fix: Re-enable editor after user is reconnected to server
  • Fix: minification
  • Other: Added 'no-referrer' for all pads
  • Other: Improved cookie security
  • Other: Fixed compatibility with nodejs 7
  • Other: Updates
  • socket.io to 1.6.0
  • express to 4.13.4
  • express-session to 1.13.0
  • clean-css to 3.4.12
  • uglify-js to 2.6.2
  • log4js to 0.6.35
  • cheerio to 0.20.0
  • ejs to 2.4.1
  • graceful-fs to 4.1.3
  • semver to 5.1.0
  • unorm to 1.4.1
  • jsonminify to 0.4.1
  • measured to 1.1.0
  • mocha to 2.4.5
  • supertest to 1.2.0
  • npm to 4.0.2
  • Node.js for Windows to 6.9.2

1.6.0

  • SECURITY: Fix a possible xss attack in iframe link
  • NEW: Add a aceSelectionChanged hook to allow plugins to react when the cursor location changes.
  • NEW: Accepting Arrays on 'exportHtmlAdditionalTags' to handle attributes stored as ['key', 'value']
  • NEW: Allow admin to run on a sub-directory
  • NEW: Support version 5 of node.js
  • NEW: Update windows build to node version 4.4.3
  • NEW: Create setting to control if a new line will be indented or not
  • NEW: Add an appendText API
  • NEW: Allow LibreOffice to be used when exporting a pad
  • NEW: Create hook exportHtmlAdditionalTagsWithData
  • NEW: Improve DB migration performance
  • NEW: allow settings to be applied from the filesystem
  • NEW: remove applySettings hook and allow credentials.json to be part of core
  • NEW: Use exec to switch to node process
  • NEW: Validate incoming color codes
  • Fix: Avoid space removal when pasting text from word processor.
  • Fix: Removing style that makes editor scroll to the top on iOS without any action from the user
  • Fix: Fix API call appendChatMessage to send new message to all connected clients
  • Fix: Timeslider "Return to pad" button
  • Fix: Generating pad HTML with tags like instead of TAG:VALUE
  • Fix: Get git commit hash even if the repo only points to a bare repo.
  • Fix: Fix decode error if pad name contains special characters and is sanitized
  • Fix: Fix handleClientMessage_USER_* payloads not containing user info
  • Fix: Set language cookie on initial load
  • Fix: Timeslider Not Translated
  • Other: set charset for mysql connection in settings.json
  • Other: Dropped support for io.js
  • Other: Add support to store credentials in credentials.json
  • Other: Support node version 4 or higher
  • Other: Update uberDB to version 0.3.0

1.5.7

  • NEW: Add support for intermediate CA certificates for ssl
  • NEW: Provide a script to clean up before running etherpad
  • NEW: Use ctrl+shift+1 to do a ordered list
  • NEW: Show versions of plugins on startup
  • NEW: Add author on padCreate and padUpdate hook
  • Fix: switchToPad method
  • Fix: Dead keys
  • Fix: Preserve new lines in copy-pasted text
  • Fix: Compatibility mode on IE
  • Fix: Content Collector to get the class of the DOM-node
  • Fix: Timeslider export links
  • Fix: Double prompt on file upload
  • Fix: setText() replaces the entire pad text
  • Fix: Accessibility features on embedded pads
  • Fix: Tidy HTML before abiword conversion
  • Fix: Remove edit buttons in read-only view
  • Fix: Disable user input in read-only view
  • Fix: Pads end with a single newline, rather than two newlines
  • Fix: Toolbar and chat for mobile devices

1.5.6

  • Fix: Error on windows installations

1.5.5

  • SECURITY: Also don't allow read files on directory traversal on minify paths
  • NEW: padOptions can be set in settings.json now
  • Fix: Add check for special characters in createPad API function
  • Fix: Middle click on a link in firefox don't paste text anymore
  • Fix: Made setPadRaw async to import larger etherpad files
  • Fix: rtl
  • Fix: Problem in older IEs
  • Other: Update to express 4.x
  • Other: Dropped support for node 0.8
  • Other: Update ejs to version 2.x
  • Other: Moved sessionKey from settings.json to a new auto-generated SESSIONKEY.txt file

1.5.4

  • SECURITY: Also don't allow read files on directory traversal on frontend tests path

1.5.3

  • NEW: Accessibility support for Screen readers, includes new fonts and keyboard shortcuts
  • NEW: API endpoint for Append Chat Message and Chat Backend Tests
  • NEW: Error messages displayed on load are included in Default Pad Text (can be supressed)
  • NEW: Content Collector can handle key values
  • NEW: getAttributesOnPosition Method
  • FIX: Firefox keeps attributes (bold etc) on cut/copy -> paste
  • Fix: showControls=false now works
  • Fix: Cut and Paste works...
  • SECURITY: Don't allow read files on directory traversal

1.5.2

  • NEW: Support for node version 0.12.x
  • NEW: API endpoint saveRevision, getSavedRevisionCount and listSavedRevisions
  • NEW: setting to allow load testing
  • Fix: Rare scroll issue
  • Fix: Handling of custom pad path
  • Fix: Better error handling of imports and exports of type "etherpad"
  • Fix: Walking caret in chrome
  • Fix: Better handling for changeset problems
  • SECURITY Fix: Information leak for etherpad exports (CVE-2015-2298)

1.5.1

  • NEW: High resolution Icon
  • NEW: Use HTTPS for plugins.json download
  • NEW: Add 'last update' column
  • NEW: Show users and chat at the same time
  • NEW: Support io.js
  • Fix: removeAttributeOnLine now works properly
  • Fix: Plugin search and list
  • Fix: Issue where unauthed request could cause error
  • Fix: Privacy issue with .etherpad export
  • Fix: Freeze deps to improve bisectability
  • Fix: IE, everything. IE is so broken.
  • Fix: Timeslider proxy
  • Fix: All backend tests pass
  • Fix: Better support for Export into HTML
  • Fix: Timeslider stars
  • Fix: Translation update
  • Fix: Check filesystem if Abiword exists
  • Fix: Docs formatting
  • Fix: Move Save Revision notification to a gritter message
  • Fix: UeberDB MySQL Timeout issue
  • Fix: Indented +9 list items
  • Fix: Don't paste on middle click of link
  • SECURITY Fix: Issue where a malformed URL could cause EP to disclose installation location

1.5.0

  • NEW: Lots of performance improvements for page load times
  • NEW: Hook for adding CSS to Exports
  • NEW: Allow shardable socket io
  • NEW: Allow UI to show when attr/prop is applied (CSS)
  • NEW: Various scripts
  • NEW: Export full fidelity pads (including authors etc.)
  • NEW: Various front end tests
  • NEW: Backend tests
  • NEW: switchPad hook to instantly switch between pads
  • NEW: Various translations
  • NEW: Icon sets instead of images to provide quality high DPI experience
  • Fix: HTML Import blocking / hanging server
  • Fix: Export Bullet / Numbered lists HTML
  • Fix: Swagger deprecated warning
  • Fix: Bad session from crashing server
  • Fix: Allow relative settings path
  • Fix: Stop attributes being improperly assigned between 2 lines
  • Fix: Copy / Move Pad API race condition
  • Fix: Save all user preferences
  • Fix: Upgrade majority of dependency inc upgrade to SocketIO1+
  • Fix: Provide UI button to restore maximized chat window
  • Fix: Timeslider UI Fix
  • Fix: Remove Dokuwiki
  • Fix: Remove long paths from windows build (stops error during extract)
  • Fix: Various globals remvoed
  • Fix: Move all scripts into bin/
  • Fix: Various CSS bugfixes for Mobile devices
  • Fix: Overflow Toolbar
  • Fix: Line Attribute management

1.4.1

  • NEW: Translations
  • NEW: userLeave Hook
  • NEW: Script to reinsert all DB values of a Pad
  • NEW: Allow for absolute settings paths
  • NEW: API: Get Pad ID from read Only Pad ID
  • NEW: Huge improvement on MySQL database read/write (InnoDB to MyISAM)
  • NEW: Hook for Export File Name
  • NEW: Preprocessor Hook for DOMLine attributes (allows plugins to wrap entire line contents)
  • Fix: Exception on Plugin Search and fix for plugins not being fetched
  • Fix: Font on innerdoc body can be arial on paste
  • Fix: Fix Dropping of messages in handleMessage
  • Fix: Don't use Abiword for HTML exports
  • Fix: Color issues with user Icon
  • Fix: Timeslider Button
  • Fix: Session Deletion error
  • Fix: Allow browser tabs to be cycled when focus is in editor
  • Fix: Various Editor issues with Easysync potentially entering forever loop on bad changeset

1.4

  • NEW: Disable toolbar items through settings.json
  • NEW: Internal stats/metrics engine
  • NEW: Copy/Move Pad API functions
  • NEW: getAttributeOnSelection method
  • NEW: CSS function when an attribute is active on caret location
  • NEW: Various new eejs blocks
  • NEW: Ace afterEditHook
  • NEW: Import hook to introduce alternative export methods
  • NEW: preProcessDomLine allows Domline attributes to be processed before native attributes
  • Fix: Allow for lighter author colors
  • Fix: Improved randomness of session tokens
  • Fix: Don't panic if an author2session/group2session no longer exists
  • Fix: Gracefully fallback to related languages if chosen language is unavailable
  • Fix: Various changeset/stability bugs
  • Fix: Re-enable import buttons after failed import
  • Fix: Allow browser tabs to be cycled when in editor
  • Fix: Better Protocol detection
  • Fix: padList API Fix
  • Fix: Caret walking issue
  • Fix: Better settings.json parsing
  • Fix: Improved import/export handling
  • Other: Various whitespace/code clean-up
  • Other: .deb packaging creator
  • Other: More API Documentation
  • Other: Lots more translations
  • Other: Support Node 0.11

1.3

  • NEW: We now follow the semantic versioning scheme!
  • NEW: Option to disable IP logging
  • NEW: Localisation updates from http://translatewiki.net.
  • Fix: Fix readOnly group pads
  • Fix: don't fetch padList on every request

1.2.12

  • NEW: Add explanations for more disconnect scenarios
  • NEW: export sessioninfos so plugins can access it
  • NEW: pass pad in postAceInit hook
  • NEW: Add trustProxy setting. ALlows to make ep use X-forwarded-for as remoteAddress
  • NEW: userLeave hook (UNDOCUMENTED)
  • NEW: Plural macro for translations
  • NEW: backlinks to main page in Admin pages
  • NEW: New translations from translatewiki.net
  • SECURITY FIX: Filter author data sent to clients
  • FIX: Never keep processing a changeset if it's corrupted
  • FIX: Some client-side performance fixes for webkit browsers
  • FIX: Only execute listAllPads query on demand (not on start-up)
  • FIX: HTML import (don't crash on malformed or blank HTML input; strip title out of html during import)
  • FIX: check if uploaded file only contains ascii chars when abiword disabled
  • FIX: Plugin search in /admin/plugins
  • FIX: Don't create new pad if a non-existant read-only pad is accessed
  • FIX: Drop messages from unknown connections (would lead to a crash after a restart)
  • FIX: API: fix createGroupFor endpoint, if mapped group is deleted
  • FIX: Import form for other locales
  • FIX: Don't stop processing changeset queue if there is an error
  • FIX: Caret movement. Chrome detects blank rows line heights as incorrect
  • FIX: allow colons in password
  • FIX: Polish logging of client-side errors on the server
  • FIX: Username url param
  • FIX: Make start script POSIX ompatible

1.2.11

  • NEW: New Hook for outer_ace dynamic css manager and author style hook
  • NEW: Bump log4js for improved logging
  • Fix: Remove URL schemes which don't have RFC standard
  • Fix: Fix safeRun subsequent restarts issue
  • Fix: Allow safeRun to pass arguements to run.sh
  • Fix: Include script for more efficient import
  • Fix: Fix sysv comptibile script
  • Fix: Fix client side changeset spamming
  • Fix: Don't crash on no-auth
  • Fix: Fix some IE8 errors
  • Fix: Fix authorship sanitation

1.2.10

  • NEW: Broadcast slider is exposed in timeslider so plugins can interact with it
  • Fix: IE issue where pads wouldn't load due to missing console from i18n
  • Fix: console issue in collab client would error on cross domain embeds in IE
  • Fix: Only Restart Etherpad once plugin is installed
  • Fix: Only redraw lines that exist after drag and drop
  • Fix: Pasting into ordered list
  • Fix: Import browser detection
  • Fix: 2 Part Locale Specs
  • Fix: Remove language string from chat element
  • Fix: Make Saved revision Star fade back out on non Top frames
  • Other: Remove some cruft legacy JS from old Etherpad
  • Other: Express 3.1.2 breaks sessions, set Express to 3.1.0

1.2.91

  • NEW: Authors can now send custom object messages to other Authors making 3 way conversations possible. This introduces WebRTC plugin support.
  • NEW: Hook for Chat Messages Allows for Desktop Notification support
  • NEW: FreeBSD installation docs
  • NEW: Ctrl S for save revision makes the Icon glow for a few sconds.
  • NEW: Various hooks and expose the document ACE object
  • NEW: Plugin page revamp makes finding and installing plugins more sane.
  • NEW: Icon to enable sticky chat from the Chat box
  • Fix: Cookies inside of plugins
  • Fix: Don't leak event emitters when accessing admin/plugins
  • Fix: Don't allow user to send messages after they have been "kicked" from a pad
  • Fix: Refactor Caret navigation with Arrow and Pageup/down keys stops cursor being lost
  • Fix: Long lines in Firefox now wrap properly
  • Fix: Session Disconnect limit is increased from 10 to 20 to support slower restarts
  • Fix: Support Node 0.10
  • Fix: Log HTTP on DEBUG log level
  • Fix: Server wont crash on import fails on 0 file import.
  • Fix: Import no longer fails consistantly
  • Fix: Language support for non existing languages
  • Fix: Mobile support for chat notifications are now usable
  • Fix: Re-Enable Editbar buttons on reconnect
  • Fix: Clearing authorship colors no longer disconnects all clients
  • Other: New debug information for sessions

1.2.9

  • Fix: MAJOR Security issue, where a hacker could submit content as another user
  • Fix: security issue due to unescaped user input
  • Fix: Admin page at /admin redirects to /admin/ now to prevent breaking relative links
  • Fix: indentation in chrome on linux
  • Fix: PadUsers API endpoint
  • NEW: A script to import data to all dbms
  • NEW: Add authorId to chat and userlist as a data attribute
  • NEW: Refactor and fix our frontend tests
  • NEW: Localisation updates

1.2.81

  • Fix: CtrlZ-Y for Undo Redo
  • Fix: RTL functionality on contents & fix RTL/LTR tests and RTL in Safari
  • Fix: Various other tests fixed in Android

1.2.8

! IMPORTANT: New setting.json value is required to automatically reconnect clients on disconnect

  • NEW: Use Socket IO for rooms (allows for pads to be load balanced with sticky rooms)
  • NEW: Plugins can now provide their own frontend tests
  • NEW: Improved server-side logging
  • NEW: Admin dashboard mobile device support and new hooks for Admin dashboard
  • NEW: Get current API version from API
  • NEW: CLI script to delete pads
  • Fix: Automatic client reconnection on disonnect
  • Fix: Text Export indentation now supports multiple indentations
  • Fix: Bugfix getChatHistory API method
  • Fix: Stop Chrome losing caret after paste is texted
  • Fix: Make colons on end of line create 4 spaces on indent
  • Fix: Stop the client disconnecting if a rev is in the wrong order
  • Fix: Various server crash issues based on rev in wrong order
  • Fix: Various tests
  • Fix: Make indent when on middle of the line stop creating list
  • Fix: Stop long strings breaking the UX by moving focus away from beginning of line
  • Fix: Redis findKeys support
  • Fix: padUsersCount no longer hangs server
  • Fix: Issue with two part locale specs not working
  • Fix: Make plugin search case insensitive
  • Fix: Indentation and bullets on text export
  • Fix: Resolve various warnings on dependencies during install
  • Fix: Page up / Page down now works in all browsers
  • Fix: Stop Opera browser inserting two new lines on enter keypress
  • Fix: Stop timeslider from showing NaN on pads with only one revision
  • Other: Allow timeslider tests to run and provide & fix various other frontend-tests
  • Other: Begin dropping referene to Lite. Etherpad Lite is now named "Etherpad"
  • Other: Update to latest jQuery
  • Other: Change loading message asking user to please wait on first build
  • Other: Allow etherpad to use global npm installation (Safe since node 6.3)
  • Other: Better documentation for log rotation and log message handling

1.2.7

  • NEW: notifications are now modularized and can be stacked
  • NEW: Visit a specific revision in the timeslider by suffixing #%revNumber% IE http://localhost/p/test/timeslider#12
  • NEW: Link to plugin on Admin page allows admins to easily see plugin details in a new window by clicking on the plugin name
  • NEW: Automatically see plugins that require update and be able to one click update
  • NEW: API endpoints for Chat .. getChatHistory, getChatHead
  • NEW: API endpoint to see a pad diff in HTML format from revision x to revision y .. createPadDiffHTML
  • NEW: Real time plugin search & unified menu UI for admin pages
  • Fix: MAJOR issue where server could be crashed by malformed client message
  • Fix: AuthorID is now included in padUsers API response
  • Fix: make docs
  • Fix: Timeslider UI bug with slider not being in position
  • Fix: IE8 language issue where it wouldn't load pads due to IE8 suckling on the bussum of hatrid
  • Fix: Import timeout issue
  • Fix: Import now works if Params are set in pad URL
  • Fix: Convert script
  • Other: Various new language strings and update/bugfixes of others
  • Other: Clean up the getParams functionality
  • Other: Various new EEJS blocks: index, timeslider, html etc.

1.2.6

  • Fix: Package file UeberDB reference
  • New #users EEJS block for plugins

1.2.5

  • Create timeslider EEJS blocks for plugins
  • Allow for "more messages" to be loaded in chat
  • Introduce better logging
  • API endpoint for "listAllPads"
  • Fix: Stop highlight of timeslider when dragging mouse
  • Fix: Time Delta on Timeslider make date update properly
  • Fix: Prevent empty chat messages from being sent
  • Fix: checkPad script
  • Fix: IE onLoad listener for i18n

1.2.4

  • Fix IE console issue created in 1.2.3
  • Allow CI Tests to pass by ignoring timeslider test
  • Fix broken placeholders in locales
  • Fix extractPadData script
  • Fix documentation for checkToken
  • Fix hitting enter on form in admin/plugins

1.2.3

  • Fix #1307: Chrome needs console.log to be called on console obj
  • Fix #1309: We had broken support for node v0.6 in the last release

1.2.2

  • More translations and better language support. See https://translatewiki.net/wiki/Translating:Etherpad_lite for more details
  • Add a checkToken Method to the API
  • Bugfix for Internal Caching issue that was causing some 404s on images.
  • Bugfix for IE Import
  • Bugfix for Node 0.6 compatibility
  • Bugfix for multiple cookie support
  • Bugfix for API when requireAuth is enabled.
  • Plugin page now shows plugin version #
  • Show color of Author in Chat messages
  • Allow plugin search by description
  • Allow for different socket IO transports
  • Allow for custom favicon path
  • Control S now does Create new Revision functionality
  • Focus on password when required
  • Frontend Timeslider test
  • Allow for basic HTML etc. import without abiword
  • Native HTTPS support

1.2.1

  • Allow ! in urls inside the editor (Not Pad urls)
  • Allow comments in language files
  • More languages (Finish, Spanish, Bengali, Dutch) Thanks to TranslateWiki.net team. See https://translatewiki.net/w/i.php?title=Special:MessageGroupStats&group=out-etherpad-lite for more details
  • Bugfix for IE7/8 issue with a JS error #1186
  • Bugfix windows package extraction issue and make the .zip file smaller
  • Bugfix group pad API export
  • Kristen Stewart is a terrible actress and Twilight sucks.

v1.2

  • Internationalization / Language / Translation support (i18n) with support for German/French
  • A frontend/client side testing framework and backend build tests
  • Customizable robots.txt
  • Customizable app title (finally you can name your epl instance!)
  • eejs render arguments are now passed on to eejs hooks through the newly introduced renderContext argument.
  • Plugin-specific settings in settings.json (finally allowing for things like a google analytics plugin)
  • Serve admin dashboard at /admin (still very limited, though)
  • Modify your settings.json through the newly created UI at /admin/settings
  • Fix: Import
      's as
        's and not as
          's!
        • Added solaris compatibility (bin/installDeps.sh was broken on solaris)
        • Fix a bug with IE9 and Password Protected Pads using HTTPS

        v1.1.5

        • We updated to express v3 (please make sure your plugin works under express v3)
        • userColor URL parameter which sets the initial author color
        • Hooks for "padCreate", "padRemove", "padUpdate" and "padLoad" events
        • Security patches concerning the handling of messages originating from clients
        • Our database abstraction layer now natively supports couchDB, levelDB, mongoDB, postgres, and redis!
        • We now provide a script helping you to migrate from dirtyDB to MySQL
        • Support running Etherpad Lite behind IIS, using iisnode
        • LibreJS Licensing information in headers of HTML templates
        • Default port number to PORT env var, if port isn't specified in settings
        • Fix for convert.js
        • Raise upper char limit in chat to 999 characters
        • Fixes for mobile layout
        • Fixes for usage behind reverse proxy
        • Improved documentation
        • Fixed some opera style bugs
        • Update npm and fix some bugs, this introduces

        v1.1

        • Introduced Plugin framework
        • Many bugfixes
        • Faster page loading
        • Various UI polishes
        • Saved Revisions
        • Read only Real time view
        • More API functionality

        v 1.0.1

        • Updated MySQL driver, this fixes some problems with mysql
        • Fixed export,import and timeslider link when embed parameters are used