3.5.1：安全与维护版本

Discourse 3.5.1 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Security Updates

This release includes fixes for these security issues reported by our community and HackerOne.

• XSS when quoting chat messages via channel title and thread title in RTE · Advisory · discourse/discourse · GitHub
• Insecure Direct Object Reference via AI Suggestions · Advisory · discourse/discourse · GitHub
• Backup restore meta-command injection leading to cross-site data access in multisite environments · Advisory · discourse/discourse · GitHub

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

All Features and Fixes

Bug Fixes

• Include TOS and Privacy Policy URLs in signup when login require… (34985)
• Exclude non-text user fields from watch word check (34651)
• Handle lower case dark (34444)
• Broken base_scheme_id migration when base is default (34430)
• Allow creating new color palettes based on custom palettes (34351)
• Required confirmations not showing up (stable) (34508)
• DiscourseConnect & SiteSetting.auth_immediately = false (stable) (34443)
• Support light-dark on older browsers (stable) (34441)
• Restore styles in finish-installation route (34422)

Security Changes

• AI helper suggestions based on a topic should check user has access to it
• Rich editor chat transcript XSS
• Use nonce-based restrictions during restore