v0.24-beta1

Pre-release
@sbrl sbrl released this 05 Jul 00:41
· 61 commits to master since this release
33734e9

Hey there, one and all! Welcome to the first beta release of Pepperminty Wiki v0.24.

Before we continue, I need to mention that you need to install this release or higher if you want to edit pages in the latest version of the Android client app. This is actually the main reason I'm making this beta release now - to give people something to update to that's not "build from source from the latest git".

With that out of the way, this release has a number of cool features:

  • 📺 Support for embedding YouTube / Vimeo videos: e.g. ![alt text](https://youtube.com/watch?v=pID0xQ2qnrQ). If you can think of another site that should have native embed support, please open an issue
  • 📦 Added oneboxing: Rich previews for internal links. If an internal link with 3 square brackets (e.g. [[[example]]]) is on its own with nothing before or after it on a line, then it'll be turned into a onebox
  • 🔐 Improved security: The method by which these security issues were disclosed leaves a lot to be desired, but they are fixed anyway.
  • 📱 Improved API support for the Android client app (GitHub): This may be a constant feature in the next few updates as I add more functionality to the app :D

Have you updated to this release? Click this link to say hi!

This release also has an experimental GPG and SHA256 hashes file attached. My GPG key is C2F7843F9ADF9FEE264ACB9CC1C6C0BB001E1725 - please open an issue if you encounter any issues 🙂

Updating

You can update to this release simply by grabbing an updated copy of index.php and replacing the version in your current wiki (don't forget to take backups! I make every effort to squash as many bugs as possible, but you can never be too certain). You can get an updated copy of index.php in a number of ways:

  • By downloading the index.php file attached to this release
  • Using the online downloader (always has the latest stable version): I have updated the online downloader for this version. Normally this is only done for stable releases!
  • Using the online downloader offline
  • Building your own from source

For more information on the last 2 methods, please see the documentation.

For those who want to contribute financially as a thank you, I've recently set up a Liberapay to accept donations. It's certainly not required, but would definitely help me out :-) If you want to contribute but Liberapay isn't for you, please let me know (e.g. open an issue, see my website for more contact options).

Since v0.23

Added

  • Added support for embedding external YouTube and Vimeo videos (e.g. ![alt text](https://youtube.com/watch?v=pID0xQ2qnrQ))
    • If you know of a cool service that should be supported, please open an issue - YouTube and Vimeo were just the only 2 I could think of
    • Known issue: specifying the size (i.e. with | 500x400 inside the brackets () there) doesn't currently work because iframes are weird
  • Added oneboxing: rich previews for internal links. If an internal link with 3 square brackets (e.g. [[[example]]]) is on its own with nothing before or after it on a line, then it'll be turned into a onebox
    • 2 new settings have also been added to control it: parser_onebox_enabled and parser_onebox_preview_length
    • TODO: Update the dynamic help page for this.
  • [Rest API] Add new x-tags HTTP header to raw action (required for v2.2 of the android client app to edit pages!)

Changed

  • Display returnto URL above the login form if present to further mitigate CSRF issues
  • [Rest API] Return a 409 Conflict instead of a 200 OK on an edit conflict when saving a page in the save action, and add x-failure-reason for more errors

Fixed

  • Stats: Fix crash when loading the stats page
  • Fix crash when leaving a top-level comment
  • [security] Fixed an XSS vulnerability in the format GET parameter of the stats action (thanks, @JamieSlome)
  • [security] Ensured that the returnto GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
  • [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to this answer even Inkscape doesn't strip all Javascript when asked to)
  • [security] Fixed XSS when the action GET param doesn't match a known action
  • [security] User pages are now only savable in the HTTP API by either a moderator or the owning user (previously only the edit action was protected, so if you made a request direct to the save action, you could bypass the check)
  • StorageBox: Create SQLite DB if it doesn't exist explicitly with touch(), because some systems are weird
  • StorageBox: Fix crash when index.php is a symbolic link
  • Fixed erroneous additional entries in complex tables of contents
  • Make PeppermintParsedown::extract_page_names more multibyte safe to avoid empty statistics
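
One way to enforce the returnto restriction listed under Fixed, so that the parameter can only lead back to the same instance. This is an added example, not Pepperminty Wiki's own code; the function names, `$instance_origin`, the `index.php` fallback and the sample values are assumptions.

```php
<?php
// Added example: not Pepperminty Wiki's own code. $instance_origin is an
// assumed setting holding this wiki's scheme://host[:port].
function is_safe_returnto(string $returnto, string $instance_origin): bool {
    // Browsers strip surrounding whitespace and treat "\" like "/", so
    // " //host" and "/\host" would both be read as protocol-relative URLs.
    if ($returnto === '' || $returnto !== trim($returnto)
        || preg_match('/[\x00-\x1f\x7f\\\\]/', $returnto)) {
        return false;
    }
    if (strpos($returnto, '//') === 0) return false; // protocol-relative

    $target = parse_url($returnto);
    if ($target === false) return false;

    // Neither scheme nor host: a relative reference that stays on this origin.
    if (!isset($target['scheme']) && !isset($target['host'])) return true;

    // Absolute URL: scheme, host and port must all match the instance.
    $own = parse_url($instance_origin);
    $scheme = strtolower($target['scheme'] ?? '');
    $default_port = ['http' => 80, 'https' => 443];
    if (!isset($default_port[$scheme])) return false; // javascript:, data:, ...
    return $scheme === strtolower($own['scheme'])
        && strtolower($target['host'] ?? '') === strtolower($own['host'])
        && ($target['port'] ?? $default_port[$scheme])
            === ($own['port'] ?? $default_port[$scheme]);
}

// Fall back to a fixed local page instead of following an unsafe value.
function resolve_returnto(?string $returnto, string $instance_origin): string {
    return ($returnto !== null && is_safe_returnto($returnto, $instance_origin))
        ? $returnto : 'index.php';
}

// Constructed sample values, checked against a constructed origin.
$origin = 'https://wiki.example.org';
$samples = [
    'index.php?action=edit&page=Main',            // kept
    'https://wiki.example.org/index.php?page=A',  // kept
    '//other.example/login',                      // replaced by fallback
    '/\\other.example/login',                     // replaced by fallback
    'https://wiki.example.org@other.example/',    // replaced by fallback
    'javascript:alert(1)',                        // replaced by fallback
];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", $s, resolve_returnto($s, $origin));
}
```

The check fails closed: anything that is neither a plain relative reference nor an absolute http(s) URL on the configured origin falls back to the local default page.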