1.8 - Adagio
This update adds several major features and fixes many bugs, including a security issue.
Critical bugs
- #192, #196: An arbitrary HTML/Javascript injection vulnerability was removed. The emoticon and URL-link processor used the obsolete jquery-replacetext library, which implicitly evaluated any escaped HTML code in messages as a side effect. The library has been removed and replaced with a more robust approach.
Features
- #101: Rooms can be configured via arguments for /create or the newly added /configure command. This allows toggling room persistence, logging, permissions and other settings.
- #103: Direct messages can be sent and received via the /dmsg command. This allows sending a message directly to any JID (including across domains), and even to a specific client session identified by its resource.
- #167: Desktop notifications (if the browser and desktop environment support them) can be enabled for certain events when the client is in the background.
- #178: A list of navigational links can be inserted in the title bar.
- #180: Six new pony emotes have been added to the pack: :fluttersmile:, :ididntlisten:, :rdmad:, :shutup:, :symadder: :tavizero:
- #182: The new /dnd command sets your status to "do not disturb", which turns off sounds and notifications, while also showing up as a status icon in the roster.
Bugs
- #142: All BBCode buttons now have shortcuts supported by most browsers, including Chromium-based ones that didn't work previously. These use the HTML5 accesskey attribute. The specific key combination may vary accross browsers, and is shown in the button tooltips.
- #166: The full RGB color selection now works reliably, by adding an "Advanced" button to the palette dialog that opens the color picker.
- #186: Disabling inline images now actually works, instead of showing both the image and the alt-text.
- #189: Emoticons will no longer render inside hyperlink anchors, which avoids rendering 8o or :D in URLs.
Minor fixes
- #179: Alphabetize /who output.
- #188: Some incorrect labels in the settings form have been fixed.
- #190: Open all links in new tab.
- #191: The text color RGB code is in monospace; the sliders have a set width.
- #195: JS libraries were updated (strophe, buzz, jquery and moment)
- #197: The codes in the help sidebar now line-wrap.
- #198: Some unused images have been removed, one image was renamed.
- #202: The stderr output of
which
is now suppressed. - #203: The room title is no longer run through Strophe.unescapeNode
- #205: The onclick event for users is now attached instead of injected in HTML.
- #206: Private messages can now be sent to nicks that contain backslashes.
- #207: Pressing Escape or Cancel on the URL prompt no longer inserts [url][/url].
- #209: Make the recipient clickable on outgoing /msg and /dmsg whispers.
- #210: Some control flow refactoring.