Discourse 2.4.0.beta9 Release Notes

New features in 2.4.0.beta9

Feature topic on profile

Users can now select a topic they wish to feature on their profile. The topic will appear on their user card, as well as on their profile page. Users can add a topic from their Preferences, Profile tab.


Remove unsafe-eval from CSP

We’re always looking for ways we can make Discourse even more secure. Late last year we added support for Content Security Policy to Discourse. CSPs help mitigate XSS attacks, one of the most common web vulnerabilities. In order to fully support existing Discourse features and plugins, we included the unsafe-eval directive. We’ve now removed all usage of eval() from Discourse in production, as well as our official plugins, so we’ve removed unsafe-eval from our CSP, making our CSP even stricter.

Hash API keys in the Database

API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak.

Move Internet Explorer support to core plugin

Discourse will be dropping support for Internet Explorer in June 2020. (A formal announcement will be made mid-January). In preparation for this, Internet Explorer specific code has been moved into a plugin, making it easier to remove come June.

Warning when theme component is installed but not added to a theme

When creating or installing a theme component, users may forget that it needs to be added to a theme in order to become active. After the initial creation/installation only, users will be warned should they attempt to navigate away from the theme component without first adding it to a theme.



Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Security Updates

This beta includes 6 security fixes for issues reported by our community and HackerOne.

  • Correct permission check when revoking user API keys
  • Vulnerability in WildcardUrlChecker
  • Upgrade rack-mini-profiler to avoid possible XSS
  • Remove event handlers from SVG files
  • Ensure only image uploads can be inlined
  • Bump puma from 3.12.1 to 3.12.2

Plugin improvements


  • Bug fix

Data Explorer

  • Add additional enums
  • Improve info popup display

RSS Polling

  • Bug fixes


  • Bug fix


  • Bug fix

Docker Manager

  • Security fix: update dependencies


  • Bug fixes

User Notes

  • Bug fix

Group Tracker

  • UX improvements


  • Bug fix


  • Bug fixes


  • Display holidays for next 6 months, not just next holiday
  • Improve timezone logic for all-day events
  • Auto-trash direct replies to posts that were auto-trashed
  • Performance improvements
  • Bug fixes


  • Bug fix


  • Support custom grouping patterns
  • Bug fixes

Additional Features and Fixes

Click to expand

New Features

  • Make ‘Reorder Categories’ work with nested categories
  • Adds a message when the passwords doesn’t match in rake admin:create
  • Add site setting to remove X-Frame-Options header.

Bug Fixes

  • Include Symbol polyfill for IE11
  • IE11 compatibility for readonly check
  • Show parent and subcategories for 2nd level categories
  • Prevent errors in IE11 following AJAX request
  • Add missing Object.entries polyfill for IE11
  • Show new/unread button when a new topic or post is created
  • Parallel spec system needs a dedicated upload folder for each worker.
  • Move IE specific CSS rules to discourse-internet-explorer plugin
  • Remove ‘staff_only’ results option for non-staff
  • Fix choose-topic component to search by url
  • Avoid String.matchAll for IE11 support
  • Use updated_at date to denote expired invites
  • Prevents crash in discourse_tagging with empty term
  • If a prettified slug is a number, return defaultt
  • Require: false for rotp gem
  • Category id in filterCategory
  • Ensure currentUser exists before getting ID
  • If we run db:migrate on its own, it should load the environment
  • Migration paths were being forgotten
  • Allow IE script to load with a CDN
  • Granting staff status should auto-approve users waiting approval
  • Constraint error when inserting the same topic group twice
  • Cache short upload URL
  • Disallow c as a tag
  • Disallow none as a category slug
  • Hide old bookmark button on post-menu if SiteSetting.enable_bookmarks_with_reminders
  • Replace deprecated URI.encode, URI.escape, URI.unescape and URI.unencode
  • Update S3 stubs for more aws-sdk API changes
  • Add new content type for theme/component
  • Don’t raise an error if the user is not present
  • Prevent scientific notation in free space check
  • Always add username span in quick access item
  • Reorder categories not working
  • Alphabetical tag sorting in mini-tag-chooser
  • Tag input doesn’t show all top 5 permitted tags
  • Ensures slug and id are not arrays
  • Muted tags are respected by TopicTrackingState
  • Don’t try to create an empty tag when updating a topic
  • Default draft key in openComposerWithTopicParams
  • Optimize images in Onebox
  • Do not autocomplete categories or emojis in code blocks
  • Crawler requests not tracked for non UTF-8 user agents
  • Skip validation on enforcing second factor change if the value is “no”
  • Avoid unpinning composer on iOS when invoking emojis
  • Ignore DMARC for emails sent to mailing list mirror
  • Image file names with dots were showing incorrectly in composer markdown
  • Login page that redirects to preferences was broken
  • Redirect to /login-preferences didn’t work for subfolders
  • Anonymous cache regression
  • Export poll UI should only show for admins

UX Changes

  • Improve sub-sub-categories styling in categories list
  • Show grandchildren in categories list
  • Prevent the post admin menu from appearing under the header on OP
  • Reduce opacity on hidden topic contents, but not the controls
  • Minor user admin page adjustments, accomodating for long group names
  • Minor adjustment to give the PM recipient input more flexibility.
  • Increase combo-box tap area for mobile
  • Pluralize “likes/read this”
  • Improve alignment of social login/signup buttons in Firefox
  • Z-index of image lightbox needs to be higher than modal z-index
  • Improve copy on Move to Topic and Move to Message modals
  • Include public groups in mentionable groups set
  • Small fixes for iOS signup modal
  • Tag combo box styles should match tags on topics
  • Minor style updates for tag info
  • Attempts to make charts loading less laggy
  • Remove ‘show more’ from upload modals
  • Removes avatar animation for mobile-user cards
  • Remove the double-encoding of user titles.