This beta includes several security fixes for issues reported by our community and HackerOne. It also includes improvements to API scopes.
Security
- Prevent XSS in local oneboxes (CVE-2023-22468)
- `exclude_tags` param could leak which topics had a specific hidden tag (CVE-2023-23624)
- Only show restricted tag lists to authorized users (CVE-2023-23620)
- Prevent ReDoS in user agent parsing (CVE-2023-23621)
- Prevent ReDoS by making the SSH URL regex unambiguous (CVE pending)
- Remove bypass for base_url (CVE-2023-23615)
- Limit the character count of group membership requests (CVE-2023-23616)
- Limit the length of drafts (CVE-2023-22739)
- Limit chat drafts length and preloaded count (CVE-2023-22740)
- Bump Rails to v7.0.4.1 (see rubyonrails.org announcement)
- Default tags to show count of topics in unrestricted categories (CVE pending)
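The following is an added illustration of what the two ReDoS items above mean in practice; it is not Discourse code, and the two SSH URL patterns are hypothetical stand-ins rather than the regex that was actually changed. It contrasts an ambiguous pattern (nested repetition over overlapping character classes) with an unambiguous rewrite, caps input length before matching, and shows the engine-level timeout backstop available on newer Rubies.

```ruby
# Added illustration for this release's ReDoS fixes; not Discourse's code.
# The patterns below are hypothetical, not the regex that was changed.

# Ambiguous: ([\w.-]+)+ repeats a body that is itself repeated, and the inner
# class overlaps the classes around it. On a near-miss input such as
# "git@" + "a" * 30 + "!" (no colon), a backtracking engine may try every way
# of splitting the run of "a"s between iterations before giving up, which is
# exponential in the input length. (CRuby >= 3.2 memoizes many such cases;
# a fix should not depend on that.)
AMBIGUOUS_SSH_URL = /\A(?:[\w.-]+@)?([\w.-]+)+:([\w.\/-]+)+\z/

# Unambiguous rewrite: each character can belong to exactly one sub-pattern,
# and every variable-length part ends at a literal delimiter ("@", ".", ":")
# or at end of input, so backtracking is bounded by a small polynomial.
LABEL = /[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/
SSH_URL = %r{
  \A
  (?:(?<user>[A-Za-z0-9_.-]+)@)?      # optional user, terminated by "@"
  (?<host>#{LABEL}(?:\.#{LABEL})*)    # dot-separated hostname labels
  :
  (?<path>[A-Za-z0-9_./-]+)           # repository path (scp-style)
  \z
}x

# Hard cap on input length, checked before any regex runs. Even a linear
# regex is only as cheap as the input it is handed; this is the same idea as
# the draft and membership-request length limits in this release.
MAX_URL_LENGTH = 2048  # assumed value for this example

# Parse an scp-style SSH URL such as "git@github.com:discourse/discourse.git".
# Returns a Hash with :user (nil when absent), :host and :path, or nil if the
# input is too long or does not match.
def parse_ssh_url(str)
  return nil if str.nil? || str.length > MAX_URL_LENGTH
  m = SSH_URL.match(str)
  return nil unless m
  { user: m[:user], host: m[:host], path: m[:path] }
end

# Engine-level backstop: report whether matching `regex` against `input` runs
# longer than `seconds`. Regexp timeouts exist on CRuby >= 3.2; older versions
# fall back to Timeout, which the regex engine honours through its periodic
# interrupt checks.
def slow_match?(regex, input, seconds: 0.5)
  if Regexp.respond_to?(:timeout=)
    bounded = Regexp.new(regex.source, regex.options, timeout: seconds)
    begin
      bounded.match?(input)
      false
    rescue Regexp::TimeoutError
      true
    end
  else
    require "timeout"
    begin
      Timeout.timeout(seconds) { regex.match?(input) }
      false
    rescue Timeout::Error
      true
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p parse_ssh_url("git@github.com:discourse/discourse.git")
  p parse_ssh_url("git@" + "a" * 30 + "!")          # nil, and returns at once
  p slow_match?(SSH_URL, "git@" + "a" * 2000 + "!") # false: bounded backtracking
end
```

The order of defences matters: the length check runs first, the unambiguous pattern keeps the match itself cheap, and the timeout only catches what the first two missed. Rejecting a URL because the regex timed out is a denial-of-service signal worth logging, not a normal validation failure.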
New Features
- Add API scopes for suspending users, creating invites, searching
- Add better TikTok onebox support
- Allow admins to permanently delete revisions
- Add setting that allows TL4 users to delete posts
- Allow TL4 users to see unlisted topics
- Show more context in Discourse-to-Discourse topic oneboxes
Additional Features and Fixes
- Allow changing slug on chat create channel
- Introduce `pg_force_readonly_mode` GlobalSetting
- Add `in:polls` filter to search
- Add rake task to mark old hashtag format for rebake
- Verify email webhook signatures
- Extend topic update API scope to allow status updates
- Raise redirect avatar cache to 1 day
- Add basic instrumentation to defer queue
- Allow group owners to promote more owners
Bug Fixes
- `lazy_yt_enabled` doesn't affect the engine
- Delete reviewables associated to posts automatically
- Text selection breaks opening of links in new tabs
- Do not add empty use/svg tags in ExcerptParser
- Skip email if blank while syncing SSO attributes
- TL4 user is not redirected to latest when deleting a topic
- Do not count deleted post for upload ref security
- Adds negative skidding to popper offset
- `data-popper-reference-hidden` too broad
- Fix margin on mini-tag-chooser
- Prevent msg-actions from showing hover text
- Generates automatic slug for trashed channels
- TL4 user can see deleted topics
- Allow modals to scroll on mobile when keyboard is open
- Don’t display staff-only options to non-staff in group member bulk menu
- Move min tag setting to tags section in edit category
- Deleted misconfigured embeddable hosts
- Query UploadReference in UploadSecurity for existing uploads
- Switch email domain site settings type to host_list
- Do not override channel name when category selected
- Enqueue notify_mailing_list_subscribers when post is recovered
- Change wording from title -> name in channel about page
- New hashtag support for narrative bot advanced narrative
- Restore class-property babel transform for themes
- Validate tags parameter of TopicQuery
- Display Discourse onebox tag icon properly in chat
- Fix incorrect hashtag setting migration
- Use hashtags in channel archive PMs if available
- Add migration to reindex invalid indexes
- Ensure poll extraction is not attempted if post body is absent
- Preload user sidebar attrs when `?enable_sidebar=1`
- Prevent concurrent updates to top_topics
- Ruby 2 backward compatible plugin logout redirect
- Fix flaky test resulting from PostAlerter keyword arguments
- Regression in TopicTrackingState MessageBus message scope
- Improve error reporting and failure modes for channel archiving
UX Changes
- Remove extra whitespace in search helper
- Prevent user card status overflow
- Improve bulk button layout and alignment
- Fixes and adjustments for user nav
- Set penalty history to sticky
- Hide date in timeline when wrapping
- Remove left margin
- Add margin to search keyword
- Switch categories-boxes layouts from flexbox to grid
- Prevent search context btn text from wrapping
- Add missing space and other minor search adjustments
- Reorders chat-channel fields
- Restyle quote/share popup, fix hover jitter
- Refactor alignment of tag icon in Discourse onebox
- Fix alignment issues with autocomplete
- Streamline avatar in topic list
Performance
- Don’t parse posts for mentions when user status is disabled
- N+1 queries when viewing tags
Accessibility
- Discourse-tags should have a role and label
- Add aria-labels for flagging textareas
- Remove heading tags from user profile
- Add secondary skip link to user profiles
- More descriptive user page titles
- Add aria tags to the new user nav