Etherpad: A modern really-real-time collaborative document editor.
Security
Bugfixes
CHANGESET_REQ (timeslider) and export (txt, html, custom) are now checked to be numbers.
Enhancements
node.exe was upgraded from v12 to v16.
node.exe is now a 64-bit executable. If you need the 32-bit version you must download and install Node.js yourself.
express_sid cookies and sessionstorage:* database records are no longer created unless requireAuthentication is true (or a plugin causes them to be created).
sessionstorage:* database records are automatically deleted when the login session expires (with some exceptions that will be fixed in the future).
/robots.txt) and special pages (e.g., the HTTP API, /stats) no longer create login session state.
settings.json are now applied as expected (they were unintentionally ignored before):
padOptions.lang
padOptions.showChat
padOptions.userColor
padOptions.userName
getText when called with a specific revision.
copyPadWithoutHistory.
createGroupIfNotExistsFor are now removed from the database when the group is deleted.
setText, appendText, and restoreRevision functions.
authorId parameter to appendText, copyPadWithoutHistory, createGroupPad, createPad, restoreRevision, setHTML, and setText, and bumped the latest API version to 1.3.0.
/health endpoint for getting information about Etherpad's health (see draft-inadarei-api-health-check-06).
/health endpoint for health checks, which avoids issues when authentication is enabled. It also avoids the unnecessary creation of database records for managing browser sessions.
.etherpad format should be faster thanks to bulk database record fetches.
.etherpad file, records are now saved to the database in batches to avoid database timeouts with large pads.
expressPreSession server-side hook.
padCheck: New hook.
padCopy: New srcPad and dstPad context properties.
padDefaultContent: New hook.
padRemove: New pad context property.
db property on Pad objects is now public.
getAuthorId server-side hook.
ep_etherpad-lite/static/js/attributes (low-level API) and ep_etherpad-lite/static/js/AttributeMap (high-level API).
import server-side hook has a new ImportError context property.
exportEtherpad and importEtherpad server-side hooks.
handleMessageSecurity and handleMessage server-side hooks have a new sessionInfo context property that includes the user's author ID, the pad ID, and whether the user only has read-only access.
handleMessageSecurity server-side hook can now be used to grant write access for the current message only.
init_<pluginName> server-side hooks have a new logger context property that plugins can use to log messages.
requireAuthentication is true) changed from never to 10 days after the user leaves.
client context property for the handleMessageSecurity and handleMessage server-side hooks is deprecated; use the socket context property instead.
padCopy:
originalPad context property is deprecated; use srcPad instead.
destinationID context property is deprecated; use dstPad.id instead.
padCreate: The author context property is deprecated; use the new authorId context property instead. Also, the hook now runs asynchronously.
padLoad: Now runs when a temporary Pad object is created during import. Also, it now runs asynchronously.
padRemove: The padID context property is deprecated; use pad.id instead.
padUpdate: The author context property is deprecated; use the new authorId context property instead. Also, the hook now runs asynchronously.
true from a handleMessageSecurity hook function is deprecated; return 'permitOnce' instead.
src/static/js/Changeset.js library:
attribsAttributeValue()
eachAttribNumber()
makeAttribsString()
opAttributeValue()
opIterator(): Deprecated in favor of the new deserializeOps() generator function.
appendATextToAssembler(): Deprecated in favor of the new opsFromAText() generator function.
newOp(): Deprecated in favor of the new Op class.
AuthorManager.getAuthor4Token() function is deprecated; use the new AuthorManager.getAuthorId() function instead.
exportEtherpadAdditionalContent server-side hook now include keys like ${customPrefix}:${padId}:*, not just ${customPrefix}:${padId}.
CHANGESET_REQ message handler that allowed a user with any access to read any pad if the pad ID is known.
This release includes fixes for GHSA-w3g3-qf3g-2mqc (CVE-2021-43802).
If you cannot upgrade to v1.8.16 for some reason, you are encouraged to try cherry-picking the fixes to the version you are running:
git cherry-pick b7065eb9a0ec..77bcb507b30e
.etherpad files can no longer overwrite arbitrary non-pad database records when imported.
.etherpad files are now subject to numerous consistency checks before any records are written to the database. This should help avoid denial-of-service attacks via imports of malformed .etherpad files.
.etherpad import bugs.
.etherpad imports.
logconfig setting is deprecated.
require('ep_etherpad-lite/node_modules/cheerio') no longer works. To fix, your plugin should directly depend on cheerio and do require('cheerio').
collectContentImage hook's node context property is now an HTMLImageElement object rather than a Cheerio Node-like object, so the API is slightly different. See citizenos/ep_image_upload#49 for an example fix.
clientReady server-side hook is deprecated; use the new userJoin hook instead.
init_<pluginName> server-side hooks are now run every time Etherpad starts up, not just the first time after the named plugin is installed.
userLeave server-side hook's context properties have changed:
auth: Deprecated.
author: Deprecated; use the new authorId property instead.
readonly: Deprecated; use the new readOnly property instead.
rev: Deprecated.
src/static/js/Changeset.js library:
opIterator(): The unused start index parameter has been removed, as has the unused lastIndex() method on the returned object.
smartOpAssembler(): The returned object's appendOpWithText() method is deprecated without a replacement available to plugins (if you need one, let us know and we can make the private opsFromText() function public).
applyZip(), assert(), clearOp(), cloneOp(), copyOp(), error(), followAttributes(), opString(), stringOp(), textLinesMutator(), toBaseTen(), toSplices().
useMonospaceFontGlobal setting now works (thanks @Lastpixl!).
HEALTHCHECK instruction (thanks @Gared!).
settings.json variables: DB_COLLECTION, DB_URL, SOCKETIO_MAX_HTTP_BUFFER_SIZE, DUMP_ON_UNCLEAN_EXIT (thanks @JustAnotherArchivist!).
.ep_initialized files are no longer created.
'self' was in the CSP header. See issue #4975 for details.
postgrespool driver was renamed to postgres, replacing the old driver of that name. If you used the old postgres driver, you may see an increase in the number of database connections.
postgres, you can now set the dbSettings value in settings.json to a connection string (e.g., "postgres://user:password@host/dbname") instead of an object.
mongodb, the dbName setting was renamed to database (but dbName still works for backwards compatibility) and is now optional (if unset, the database name in url is used).
/admin/settings now honors the --settings command-line argument.
.etherpad file.
clientVars was added to the context for the postAceInit client-side hook. Plugins should use this instead of the clientVars global variable.
userJoin server-side hook.
userLeave server-side hook has a new socket context property.
helper.aNewPad() function (accessible to client-side tests) now accepts hook functions to inject when opening a pad. This can be used to test any new client-side hooks your plugin provides.
chatNewMessage client-side hook context has new properties:
message: Provides access to the raw message object so that plugins can see the original unprocessed message text and any added metadata.
rendered: Allows plugins to completely override how the message is rendered in the UI.
chatSendMessage client-side hook that enables plugins to process the text before sending it to the server or augment the message object with custom metadata.
chatNewMessage server-side hook to process new chat messages before they are saved to the database and relayed to users.
favicon setting is now interpreted as a pathname to a favicon file, not a URL. Please see the documentation comment in settings.json.template.
faviconPad and faviconTimeslider settings have been removed.
settings.json (see the documentation comments in settings.json.template for details):
null instead of the string "null". Similarly, if the environment variable is unset and the default value is "null" (e.g., "${UNSET_VAR:null}"), the value now becomes null instead of the string "null". It is no longer possible to produce the string "null" via environment variable substitution.
"${UNSET_VAR:undefined}"), the setting is now removed instead of set to the string "undefined". It is no longer possible to produce the string "undefined" via environment variable substitution.
"${FOO}" in your settings.json to ${FOO:null} to keep the current behavior.
DB_* variable substitutions in settings.json.docker that previously defaulted to null now default to "undefined".
next without argument when using Changeset.opIterator does always return a new Op. See b9753dcc7156d8471a5aa5b6c9b85af47f630aa8 for details.
https://video.etherpad.com/socket.io/?padId=AWESOME&EIO=3&transport=websocket&t=...&sid=...
This is useful for directing pads to separate socket.io nodes.
USER_NEWINFO messages on reconnect.
Special mention: Thanks to Sauce Labs for additional testing tunnels to help us grow! :)
dirty database driver that sometimes caused Node.js to crash during shutdown and lose buffered database writes.
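
The environment variable substitution rules for settings.json listed in these notes (the handling of "null", "undefined", and unset variables) can be modelled as follows. This is an added example, not Etherpad's own code: substituteEnv, resolve and REMOVE are hypothetical names, the sample settings are constructed, and dropping removed entries from arrays and leaving every other value as a plain string are assumptions of the model.

```javascript
// Added model of the settings.json substitution rules described in these notes.
// substituteEnv, resolve and REMOVE are names made up for this example.
const REMOVE = Symbol('remove setting');

// Resolve one "${VAR}" or "${VAR:default}" string against env.
const resolve = (str, env) => {
  const m = /^\$\{([^:}]+)(?::([^}]*))?\}$/.exec(str);
  if (m == null) return str;                 // not a substitution: keep as-is
  const [, name, dflt] = m;
  let value = env[name];
  if (value === undefined) {
    // Unset with no default: modelled as null, inferred from the note that
    // "${FOO:null}" keeps the current behavior of "${FOO}".
    if (dflt === undefined) return null;
    value = dflt;
  }
  if (value === 'null') return null;         // never the string "null"
  if (value === 'undefined') return REMOVE;  // the setting is removed
  return value;                              // other coercions are not modelled
};

// Walk parsed settings and apply the rules to every string value.
const substituteEnv = (node, env) => {
  if (typeof node === 'string') return resolve(node, env);
  if (Array.isArray(node)) {
    // Assumption: a removed array element is dropped from the array.
    return node.map((v) => substituteEnv(v, env)).filter((v) => v !== REMOVE);
  }
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) {
      const r = substituteEnv(v, env);
      if (r !== REMOVE) out[k] = r;
    }
    return out;
  }
  return node;                               // numbers, booleans, null
};

// Constructed sample input (not a real deployment's settings).
const sample = {
  title: '${TITLE:Etherpad}',
  dbType: '${DB_TYPE:undefined}',
  dbSettings: {host: '${DB_HOST:undefined}', password: '${DB_PASS:null}'},
  defaultPadText: '${PAD_TEXT}',
};
const result = substituteEnv(sample, {DB_HOST: 'db.example.test', TITLE: 'null'});
console.log(result);
```

A removed key falls back to whatever default the application has for it, whereas a null value is an explicit setting, which is why the two cases are kept distinct.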