Discourse 3.0.1 Stable Release
Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta, are production ready.
Changes
Security
- Prevent XSS in local oneboxes (CVE-2023-22468)
- Exclude_tags param could leak which topics had a specific hidden tag (CVE-2023-23624)
- Only show restricted tag lists to authorized users (CVE-2023-23620)
- Prevent ReDoS in user agent parsing (CVE-2023-23621)
- Prevent ReDoS by making the SSH URL regex unambiguous (CVE pending)
- Remove bypass for base_url (CVE-2023-23615)
- Limit the character count of group membership requests (CVE-2023-23616)
- Limit the length of drafts (CVE-2023-22739)
- Limit chat drafts length and preloaded count (CVE-2023-22740)
- Bump Rails to v7.0.4.1 (see rubyonrails.org announcement)
- Default tags to show count of topics in unrestricted categories (CVE pending)
Bug Fixes
- Text selection breaks opening of links in new tabs
- Do not add empty use/svg tags in ExcerptParser
- Skip email if blank while syncing SSO attributes.
- TL4 user is not redirected to latest when deleting a topic
- Do not count deleted post for upload ref security
- Adds negative skidding to popper offset
- Data-popper-reference-hidden too broad
- Fix margin on mini-tag-chooser
- Prevents msg-actions from showing hover text
- Generates automatic slug for trashed channels
- TL4 user can see deleted topics
- Allow modals to scroll on mobile when keyboard is open
- Don’t display staff-only options to non-staff in group member bulk menu
- Move min tag setting to tags section in edit category
- Deleted misconfigured embeddable hosts
- Query UploadReference in UploadSecurity for existing uploads
- Switch email domain site settings type to host_list
- Do not override channel name when category selected
- Enqueue notify_mailing_list_subscribers when post is recovered
- Change wording from title -> name in channel about page
- New hashtag support for narrative bot advanced narrative
- Validate tags parameter of TopicQuery
- Fix incorrect hashtag setting migration
- Use hashtags in channel archive PMs if available
- Add migration to reindex invalid indexes
- Ensure poll extraction is not attempted if post body is absent
- Preload user sidebar attrs when ?enable_sidebar=1
- Prevent concurrent updates to top_topics
- Ruby 2 backward compatible plugin logout redirect
- Fix flaky test resulting from PostAlerter keyword arguments
- Improve error reporting and failure modes for channel archiving
- Regression in TopicTrackingState MessageBus message scope. (#19835)