Users can now select a topic they wish to feature on their profile. The topic will appear on their user card, as well as on their profile page. Users can add a topic from their Preferences, Profile tab.
Remove unsafe-eval from CSP
We’re always looking for ways we can make Discourse even more secure. Late last year we added support for Content Security Policy to Discourse. CSPs help mitigate XSS attacks, one of the most common web vulnerabilities. In order to fully support existing Discourse features and plugins, we included the 'unsafe-eval' source keyword in our script-src directive. We’ve now removed all usage of eval() from Discourse in production, as well as from our official plugins, so we’ve removed 'unsafe-eval' from our CSP, making the policy even stricter.
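An added example (not Discourse's own code) that parses a Content-Security-Policy header value and reports whether it still permits eval(); it also covers the case where script-src is absent and the browser falls back to default-src. The two policy strings and the CDN host are constructed for illustration.

```ruby
# Parse a CSP header value into { directive_name => [source expressions] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens[0].empty?
    acc[tokens[0].downcase] = tokens[1..]
  end
end

# Sources that govern script execution: script-src if present, otherwise the
# default-src fallback (a common blind spot when auditing a policy).
def effective_script_sources(policy)
  policy["script-src"] || policy["default-src"] || []
end

# True when the policy would let eval()/new Function() run.
def allows_eval?(header)
  effective_script_sources(parse_csp(header)).include?("'unsafe-eval'")
end

# Constructed sample policies: the weak one and the tightened one.
BEFORE = "default-src 'none'; script-src 'self' 'unsafe-eval' https://cdn.example.test; object-src 'none'"
AFTER  = "default-src 'none'; script-src 'self' https://cdn.example.test; object-src 'none'"

if __FILE__ == $PROGRAM_NAME
  puts "before: eval allowed? #{allows_eval?(BEFORE)}" # => true
  puts "after:  eval allowed? #{allows_eval?(AFTER)}"  # => false
end
```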
Hash API keys in the Database
API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with a SHA-256 hash of the full key. This makes key usage easier to audit, and ensures that an attacker who obtains a copy of the database cannot use the stored values to access the live site.
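An added example (not Discourse's own code) of the scheme described above: the full key is returned once at creation, the store keeps only a four-character prefix and a SHA-256 digest, and authentication looks the presented key up by its digest. The in-memory store and its column names (truncated_key, key_hash) are assumptions, not Discourse's schema.

```ruby
require "securerandom"
require "digest"

# Constructed stand-in for an api_keys table (assumed column names).
class ApiKeyStore
  Record = Struct.new(:id, :truncated_key, :key_hash, :description)

  attr_reader :rows

  def initialize
    @rows = []
  end

  # Generate a key. The plaintext is returned exactly once and never stored:
  # only its first four characters (for display/audit) and its SHA-256 digest.
  def create(description)
    key = SecureRandom.hex(32)
    @rows << Record.new(@rows.size + 1, key[0, 4], Digest::SHA256.hexdigest(key), description)
    key
  end

  # Authenticate a presented key by hashing it and matching on the digest,
  # so the database never needs to hold anything a leak could replay.
  def find_by_key(presented)
    return nil if presented.nil? || presented.empty?
    digest = Digest::SHA256.hexdigest(presented)
    @rows.find { |r| r.key_hash == digest }
  end

  # Audit view: enough to identify a key, never enough to use it.
  def audit_list
    @rows.map { |r| "#{r.id}: #{r.truncated_key}... (#{r.description})" }
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ApiKeyStore.new
  key = store.create("ci bot")
  puts "show once: #{key}"
  puts store.audit_list
  puts "auth ok? #{!store.find_by_key(key).nil?}"
end
```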
Move Internet Explorer support to core plugin
Discourse will be dropping support for Internet Explorer in June 2020. (A formal announcement will be made mid-January). In preparation for this, Internet Explorer specific code has been moved into a plugin, making it easier to remove come June.
Warning when theme component is installed but not added to a theme
When creating or installing a theme component, users may forget that it needs to be added to a theme in order to become active. After the initial creation/installation only, users will be warned should they attempt to navigate away from the theme component without first adding it to a theme.
But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.
Security Updates
This beta includes 6 security fixes for issues reported by our community and HackerOne.
Correct permission check when revoking user API keys
Vulnerability in WildcardUrlChecker
Upgrade rack-mini-profiler to avoid possible XSS
Remove event handlers from SVG files
Ensure only image uploads can be inlined
Bump puma from 3.12.1 to 3.12.2
Plugin improvements
BCC
Bug fix
Data Explorer
Add additional enums
Improve info popup display
RSS Polling
Bug fixes
Voting
Bug fix
Solved
Bug fix
Docker Manager
Security fix: update dependencies
GitHub
Bug fixes
User Notes
Bug fix
Group Tracker
UX improvements
Sitemap
Bug fix
Policy
Bug fixes
Calendar
Display holidays for next 6 months, not just next holiday
Improve timezone logic for all-day events
Auto-trash direct replies to posts that were auto-trashed
Performance improvements
Bug fixes
Encrypt
Bug fix
Logster
Support custom grouping patterns
Bug fixes
Additional Features and Fixes
New Features
Make ‘Reorder Categories’ work with nested categories
Add a message when the passwords don’t match in rake admin:create
Add site setting to remove X-Frame-Options header.
Bug Fixes
Include Symbol polyfill for IE11
IE11 compatibility for readonly check
Show parent and subcategories for 2nd level categories
Prevent errors in IE11 following AJAX request
Add missing Object.entries polyfill for IE11
Show new/unread button when a new topic or post is created
Parallel spec system needs a dedicated upload folder for each worker.
Move IE specific CSS rules to discourse-internet-explorer plugin
Remove ‘staff_only’ results option for non-staff
Fix choose-topic component to search by url
Avoid String.matchAll for IE11 support
Use updated_at date to denote expired invites
Prevents crash in discourse_tagging with empty term
If a prettified slug is a number, return default
Require: false for rotp gem
Category id in filterCategory
Ensure currentUser exists before getting ID
If we run db:migrate on its own, it should load the environment
Migration paths were being forgotten
Allow IE script to load with a CDN
Granting staff status should auto-approve users waiting approval
Constraint error when inserting the same topic group twice
Cache short upload URL
Disallow c as a tag
Disallow none as a category slug
Hide old bookmark button on post-menu if SiteSetting.enable_bookmarks_with_reminders
Replace deprecated URI.encode, URI.escape, URI.unescape and URI.unencode
Update S3 stubs for more aws-sdk API changes
Add new content type for theme/component
Don’t raise an error if the user is not present
Prevent scientific notation in free space check
Always add username span in quick access item
Reorder categories not working
Alphabetical tag sorting in mini-tag-chooser
Tag input doesn’t show all top 5 permitted tags
Ensures slug and id are not arrays
Muted tags are respected by TopicTrackingState
Don’t try to create an empty tag when updating a topic
Default draft key in openComposerWithTopicParams
Optimize images in Onebox
Do not autocomplete categories or emojis in code blocks
Crawler requests not tracked for non UTF-8 user agents
Skip validation on enforcing second factor change if the value is “no”
Avoid unpinning composer on iOS when invoking emojis
Ignore DMARC for emails sent to mailing list mirror
Image file names with dots were showing incorrectly in composer markdown
Login page that redirects to preferences was broken
Redirect to /login-preferences didn’t work for subfolders
Anonymous cache regression
Export poll UI should only show for admins
UX Changes
Improve sub-sub-categories styling in categories list
Show grandchildren in categories list
Prevent the post admin menu from appearing under the header on OP
Reduce opacity on hidden topic contents, but not the controls
Minor user admin page adjustments, accommodating long group names
Minor adjustment to give the PM recipient input more flexibility.
Increase combo-box tap area for mobile
Pluralize “likes/read this”
Improve alignment of social login/signup buttons in Firefox
Z-index of image lightbox needs to be higher than modal z-index
Improve copy on Move to Topic and Move to Message modals