
Vanilla 2.1.1 - important security & bug release

Linc (Vanilla's Bard, Detroit, Vanilla Staff)
edited August 2014 in Releases

Announcing the availability of 2.1.1, a security & bug fix release for 2.1.

It is imperative all 2.1 forums upgrade immediately.


  • HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).

  • Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing and both he and @businessdad for assistance in making our patches as bulletproof as possible).

  • Fixed a Twitter SSL bug (thanks @Adrian for the patch).
  • Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
  • cleditor was patched to fix a crippling IE11 bug.
  • Profile Extender was upgraded and a security flaw in it was fixed.
  • Fixed a bug in Announcing while starting a discussion.
  • Corrected the default theme README.
  • Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
  • Fixes a theme screenshot bug (thanks @hgtonight for the patch).

As you can see, some extremely critical fixes are included. The only feature additions are those added to the Profile Extender addon as a result of being backported from the 2.2 (master) branch.

Diff of 2.1.1 against 2.1 gold. (32 files changed, so I don't recommend a selective upgrade on this one.) has the same XSS issues and its patch will be released this weekend is available here as


