Security Updates
This beta includes 8 security fixes for issues reported by our community and HackerOne.
Security
- BCC active user emails from group SMTP CVE-2022-46168
- Sanitize PendingPost titles before rendering to prevent XSS CVE-2023-22454
- Don’t expose user post counts to users who can’t see the topic CVE-2023-22453
- Escape quotes in tag description when rendering CVE-2023-22455
- Check the length of raw post body to prevent max_length bypass CVE-2022-23549
- Delete email tokens when a user’s email is changed or deleted CVE-2022-46177
- Use rstrip instead of regex gsub to prevent ReDoS CVE-2022-23548
- Convert send_digest to a post request CVE-2022-23546
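The rstrip-versus-gsub fix above is worth seeing in working code. The block below is an added example, not Discourse's own code; it assumes the typical pre-fix shape, a `/\s+$/` gsub to strip trailing whitespace, which backtracks quadratically on long runs of whitespace that are not at the end of the string, while `String#rstrip` scans back from the end once.

```ruby
require "benchmark"

# Assumed pre-fix shape (not Discourse's actual regex): strip trailing
# whitespace with a regex. For each start position inside a run of spaces,
# \s+ matches greedily, $ fails on the following non-space character, and the
# engine backtracks through every shorter match before moving one position
# forward, so matching is O(n^2) in the length of the run.
TRAILING_WS_REGEX = /\s+$/

def strip_trailing_with_regex(str)
  str.gsub(TRAILING_WS_REGEX, "")
end

# The fix: rstrip walks back from the end of the string once, so it is O(n).
# Note the two are only equivalent on single-line input: Ruby's $ matches at
# every line end, so gsub also strips trailing whitespace on interior lines.
def strip_trailing_with_rstrip(str)
  str.rstrip
end

# Constructed pathological input: a long run of spaces followed by a
# non-space character, so neither function changes it but the regex still
# backtracks at every position in the run.
def pathological_input(n)
  (" " * n) + "x"
end

# Times both approaches on the same input and returns the seconds taken.
def time_both(n)
  input = pathological_input(n)
  regex_time = Benchmark.realtime { strip_trailing_with_regex(input) }
  rstrip_time = Benchmark.realtime { strip_trailing_with_rstrip(input) }
  { regex: regex_time, rstrip: rstrip_time }
end

if __FILE__ == $PROGRAM_NAME
  # Doubling n roughly quadruples the regex time; rstrip stays flat.
  [5_000, 10_000, 20_000].each do |n|
    t = time_both(n)
    printf("n=%-6d regex=%.4fs rstrip=%.6fs\n", n, t[:regex], t[:rstrip])
  end
end
```

Any user-controlled field passed through a trailing-whitespace regex is exposed to the same slowdown, which is why the safe form is the built-in linear strip rather than a tighter regex.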
Theme Component Security Updates
The mermaid theme component has also received a security fix. Be sure to update theme components in addition to Discourse.
- Render errors as plain text CVE-2022-46180
Additional Features and Fixes
Features
- Make experimental hashtag autocomplete default for new sites
Bug Fixes
- Bookmark auto delete preference usage and default value
- Check that the node has a src attr when getting size
UX Changes
- More descriptive sidebar titles, casing
- Fix the positioning of topic admin popup menu
- Remove unused strings
- Fix for misalignment in autocomplete
Performance
- Use user-specific channel for message-bus logout