Releases

Security Fixes

• CVE-2021-39175: XSS vector in slide mode speaker-view
• This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
  If you want to continue using Google Analytics or Disqus, you can re-enable them in the config. See the docs for details

Features

• HedgeDoc now automatically retries connecting to the database up to 30 times on startup
• This release introduces the csp.allowFraming config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed. We strongly recommend disabling this option to reduce the risk of XSS attacks
• This release introduces the csp.allowPDFEmbed config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed. We recommend disabling this option if you don’t use the feature, to reduce the attack surface of XSS attacks
• Add additional environment variables to configure the database. This allows easier configuration in containerized environments, such as Kubernetes

Enhancements

• Further improvements to the frontend build process, reducing the initial bundle size by 60%
• Improve the error handling of the filesystem upload method
• Improve the error message of failing migrations

Bugfixes

• Fix crash when trying to read the current Git commit on startup
• Fix endless loop on shutdown when HedgeDoc can’t connect to the database
• Ensure that all cookies are set with the secure flag, if HedgeDoc is loaded via HTTPS
• Fix session cookies being created on calls to /metrics and /status
• Fix incorrect creation of S3 endpoint domain (thanks to @matejc)
• Remove CDN support, fixing inconsistencies in library versions delivered to the client
• Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
• Fix links between slides not working
• Fix Vimeo integration using a deprecated API

Miscellaneous

• Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it

Contributors

• Bogdan Cuza (translator)
• Heimen Stoffels (translator)
• igg17 (translator)
• Klorophatu (translator)
• Martin (translator)
• Matija (translator)
• Matthieu Devillers (translator)
• Mindaugas (translator)
• Quentin Pagès (translator)

This release fixes two security issues. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2021-29503: Improper Neutralization of Script-Related HTML Tags in Notes
• Fix a potential XSS-vector in the handling of usernames and profile pictures

Enhancements

• Speed up yarn install in production mode (as performed by bin/setup) by marking frontend-only dependencies as dev-dependencies. This also reduces the size of the docker container
• Speed up the frontend-build by using esbuild instead of terser to minify JavaScript
• Improve behavior of the ‘Quote’, ‘List’, ‘Unordered List’ and ‘Check List’ buttons in the editor to automatically apply to the complete first and last line of the selection

Bugfixes

• Correct the 1.8.0 release notes to state that CVE-2021-29475 has been fixed since HedgeDoc 1.5.0.
• Fix crash on startup when useSSL or csp.upgradeInsecureRequests is enabled (thanks to @mdegat01 for reporting)
• Automatically enable protocolUseSSL when useSSL is also enabled
• Fix the ‘Quote’, ‘List’, ‘Unordered List’ and ‘Check List’ buttons in the editor to not duplicate content when only parts of a line are selected (thanks to @AnomalRoil for reporting)
• Fix click handler for numbered task lists (thanks to @xoriade for reporting)

This release fixes multiple security issues. We recommend upgrading as soon as possible.

Please note: This release dropped support for Node 10, which is end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running the latest LTS release.

Security Fixes

• CVE-2021-29474: Relative path traversal Attack on note creation
• CVE-2021-21306: Underscore ReDoS in the marked library
  This issue allowed an attacker to hang HedgeDoc by inserting a malicious string into a note. Thanks to Ralph Krimmel for reporting!

We also published an advisory for CVE-2021-29475: PDF export allows arbitrary file reads,
which has already been fixed since HedgeDoc 1.5.0.

Features

• Database migrations are now automatically applied on application startup
  The separate .sequelizerc configuration file is no longer necessary and can be safely deleted
• A Prometheus-endpoint is now available at /metrics, exposing the same stats as /status in addition to various Node.js performance figures
• Add a config option to require authentication in FreeURL mode (#755 by @nidico)

Enhancements

• Removed dependency on external imgur library
• HTML language tags are now set up in a way that stops Google Translate from translating note contents while editing
• Removed yahoo.com from the default content security policy
• New translations for Bulgarian, Persian, Galician, Hebrew, Hungarian, Occitan and Brazilian Portuguese
  Updated translations for Arabic, English, Esperanto, Spanish, Hindi, Japanese, Korean, Polish, Portuguese, Turkish and Traditional Chinese Thanks to all translators!
• Various dependency updates

Bugfixes

• Improve readability of diagrams & embeddings in night-mode
• Use the default template for new notes in FreeURL mode
• Fix frontend-crash in slide-mode if no slideOptions are present in the frontmatter
• Return 404 on the /download route for non-existent notes in FreeURL mode
• Properly clean up the UNIX socket on application exit
• Don’t overwrite existing notes on POST-requests to /new/<alias> in FreeURL mode

Contributors

• Amit Upadhyay (translator)
• Atef Ben Ali (translator)
• Edi Feschiyan (translator)
• Gabriel Santiago Macedo (translator)
• Longyklee (translator)
• Nika. zhenya (translator)
• Nicolas Dietrich
• Nis (translator)
• rogerio-ar-costa (translator)
• sanami (translator)
• Tom Dereszynski (translator)
• 상규 (translator)
• uıʞǝʇuɐϽ (translator)
• UwYFmLpoKtYn (translator)

This release fixes a security issue. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2021-21259: Stored XSS in slide mode
  An attacker can inject arbitrary JavaScript into a HedgeDoc note.

Bugfixes

• Ensure the last line of the markdown editor is not covered by the status bar (thanks to @mhdrone for reporting!)

This release fixes two security issues. We recommend upgrading as soon as possible.

Security Fixes

• CVE-2020-26286: Arbitrary file upload
  An unauthenticated attacker can upload arbitrary files to the upload storage backend.
• CVE-2020-26287: Stored XSS in mermaid diagrams
  An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.

We have renamed to HedgeDoc! 🎉
Many thanks to Éric Gaspar who designed our new logo!
Have a look at our new website (which also explains the reasoning behind the renaming) at https://hedgedoc.org

This is probably the last release in the 1.x series. Stay tuned for 2.0, scheduled for release next year.

Please note: This release dropped support for Node 8, which is end-of-life since January 2020. You now need at least Node 10.13 to run HedgeDoc, but we recommend running the latest LTS release.

Please note: If you use a reverse proxy and TLS, make sure it sets the X-Forwarded-Proto header correctly, otherwise you will encounter login-issues. Our docs have example configs for common reverse proxies.

Enhancements

• Our release tarballs now contain the frontend bundle. This saves users from building the frontend themselves, which was an issue on memory-constrained systems.
• Add OIDC scopes for email & profile retrieval (#278 & #419 by @elespike & @vberger)
• Allow to set a SAML client certificate (#350 by @n0emis & @em0lar)
• Add YunoHost docs (#431 by @ericgaspar)
• Set OAuth2 state parameter (#407 & #541 by @dalcde & @haslersn)
• Various documentation improvements (by @oupala, @autra & @AdamWorley)
• Add migration script for minio (#499 by @pierreozoux)
• Add authorization for OAuth (#595 by @joachimmathes)
• Improvements to our cookie handling
• Compatibility with Node 14
• Translation updates
• Various dependency updates

Bugfixes

• Fix compatibility with upper-case MIME-types (#509 by @pierreozoux)
• Add fix for missing deletion of notes on user-deletion request
• Fix relative path for fetching the style when set
• Fix broken redirect on login
• CSS fixes for slide mode
• Do not create new notes with null as content
• Fix crash when OAuth2 config parameters are missing (thanks to @vberger for reporting!)
• Handle broken SequelizeMeta table on MySQL/MariaDB (thanks to @titulebolide for reporting!)

Contributors

• Adam Worley
• andreas koidis (translator)
• Augustin Trancart
• Benjamin Bett (translator)
• Butterflyoffire (translator)
• civic john (translator)
• Daniel Lublin
• David Mehren
• david-sawatzke
• deluxghost (translator)
• Dexter Chua
• Dimitri (translator)
• em0lar
• Éric Gaspar
• Erik Michelson
• Giacomo lanza (translator)
• Girish Ramakrishnan
• Grzegorz (translator)
• haslersn
• Igor Kerstges (translator)
• Info (translator)
• Jleeothon (translator)
• Johannes Nilsso (translator)
• Jolly Jumper (translator)
• Jonas Zohren
• Jothish (translator)
• Julien lebranch (translator)
• Marvin Gaube
• Mdhm (translator)
• Mostafa Ahangarha (translator)
• Nick Hahn
• Nils van Zuijlen
• Nithin Prabhakaran (translator)
• numéro6 (translator)
• n0emis
• oupala
• Philip Molares
• Pierre Ozoux
• Quentin Pages (translator)
• Renan Rodrigues
• Renne (translator)
• Sandro
• Smaran (translator)
• Sooraj Kenoth (translator)
• themedleb (translator)
• Tilman Vatteroth
• Tomasz (translator)
• Victor Berger
• XoseM (translator)
• Yannick Bungers
• zgroska (translator)

Announcements

• After the 1.6 release we will start to develop Version 2.0, which will introduce breaking changes. But we will take care of making your way to 2.0 easy.
• Since Node version 8 is EOL since January 2020, 1.6 will be the last version with support for Node version 8
• useCDN is now false by default. This feature is deprecated already and will be removed in 2.0.

Enhancements

• Add AWS endpoint configuration options
• Add ability to add an imprint using ./public/docs/imprint.md
• Improve documentation in various sections
• Add ability to create note based on alias in free-url-mode
• Add security note describing the preferred way for responsible disclosures
• Extend forbiddenNoteIds to prevent conflicts with resource directories
• Add OpenGraph metadata support
• Add slovak language
• Add API documentation
• Allow different reference-url styles
• Add automatic focus username field in login modal
• Add ability to limit google-auth to own domain
• Upgrade revealJS to version 3.9.2
• Upgrade mermaid to version 8.4.6
• Update translations (zh-cn, zh-TW, en, de, id, pl, ar, ca, fr, it, sk, sv, ja, nl, pt, ru, es)

Fixes

• Fix docker secrets support
• Fix sequlize-cli dependency location
• Fix crash in lutim integration
• Fix manage_users CLI handling of non-existing user
• Fix ability to serve CodiMD from different urlpath than /
• Fix change from gravatar to libravatar in privacy policy example
• Fix missing browser icons in README

Refactors

• Refactor note creation handling
• Improve webpack documentation
• Split note actions into own files
• Refactor returnTo handling for auth

Removals

• Legacy handling of socket.io connections
• Node 8 CI jobs

Contributors

• Amolith
• Andrea Rossi (translator)
• CasperS (translator)
• Cpp.create (translator)
• David Mehren
• Deluxghost (translator)
• em_crx (translator)
• Enrico Guiraud
• Epson12332 (translator)
• Erik Michelson
• Fajar Maulana (translator)
• Fonata
• foobarable
• Girish Ramakrishnan
• Grzegorz (translator)
• hoijui
• Ian Tsai
• id7xyz (translator)
• ike
• Info (translator)
• Javier Leandro (translator)
• Jonas Thelemann
• Jonas Zohren
• kazutomo.waragai (translator)
• MartinT
• Mathias Merscher
• Matthias Lindinger
• Mdhm (translator)
• Me (translator)
• mondstern (translator)
• Patrick (translator)
• Rafael Gauna Trindade (translator)
• Ramon van Biljouw (translator)
• RyotaK
• Sandro
• Sören Wegener
• Stefan Peters
• Yukai Huang

Announcements

• There is a new docker image available by LinuxServer.io providing an ARM container
• Disabling PDF export due to security problems

Enhancements

• Add migration guide for Node version 6
• Add functionality to respect Do-Not-Track header
• Add Arabian translation

Fixes

• Fix styling in slide preview
• Fix some lint warning
• Upgrade Sequelize to version 5
• Add Linuxserver.io setup instructions for CodiMD
• Update translations for DE, SV, ID
• Add ability to upload SVGs
• Add dbURLconfig as docker secret
• Upgrade meta-marked - Fixes DOS capability in CodiMD (https://github.com/codimd/server/commit/ba6a24a673c24db25969de2a59b9341247f3f722)
• Fix variable names in docker secrets config library

Refactors

• Refactor debug logging in various places

Deprecations

• useCDN will be deprecated and will disappear in favor of locally served resources. (https://community.codimd.org/t/poll-on-cdn-usage/28)

Contributors

• Amolith (social media)
• Aro Row (translator)
• bitinerant (security)
• Butterflyoffire (translator)
• Claudius Coenen (ccoenen)
• Erik (translator)
• Fajar Maulana (translator)
• id7xyz (translator)
• joohoi (security)
• Jonas Thelemann (dargmuesli)
• Lennart Weller (lhw)
• chbmb
• Raccoon (a60814billy)
• RS232 (translator)
• Toma Tasovac (ttasovac)

Announcements

• CodiMD now has a Mastodon account
• CodiMD now has a community forum
• With CodiMD 1.4.0 we’re dropping node 6 support. That version of node.js is discontinued and no longer receives any security updates. We would like to encourage you to upgrade node 8 or later. Node 8 will continue to be supported at least until its end-of-life in January 2020.

Enhancements

• Use libravatar instead of Gravatar
• Fix language description capitalization
• Move upload button into the toolbar
• Clean up Heroku configurations
• Add new screenshot to README and index page
• Add link to community call to README
• Update languages (pl, sr, zh-CN, fr, it, ja, zh-TW, de, sv, es)
• Change edit link to both view
• Hide minio default ports
• Add missing passport-saml configuration
• Add lutim support
• Update dependencies
• Add documentation for keycloak
• Add tests for user model
• Add Mastodon link
• Add config for toobusy middleware
• Add vietnamese language

Fixes

• Fix missing space in footer
• Fix various possible security vulnerabilities in dependencies
• Fix broken dependency js-sequence-diagrams
• Fix XSS in graphviz error message rendering
• Fix toolbar night mode
• Fix hidden header on scroll
• Fix missing pictures for OpenID
• Fix statusbar hiding text in edit view

Refactors

• Refactor README and documentation
• Integrate the old wiki into documentation section
• Refactor headers on Features page
• Replace js-url with wurl
• Refactor scrypt integration

Removals

• Remove sass-loader

Contributors

• Amolith
• CasperS (translator)
• Cedric.couralet (translator)
• Claudius Coenen (ccoenen)
• Daniel (translator)
• Deluxghost (translator)
• Dylan Dervaux (Dylanderv)
• Emmanuel Ormancey (nopap)
• Grzegorz (translator)
• Henrik Hüttemann (HerHde)
• Hồng (translator)
• Mauricio Robayo (archemiro)
• Max Wu (jackycute)
• naimo
• Pedro Ferreira (pferreir)
• Simon Fish (boardfish)
• Stéphane Guillou (stragu)
• Sylke Vicious (translator)
• Thor77
• veracosta (translator)
• Vladan (translator)
• War (translator)
• Zhai233 (translator)

Announcement

• CodiMD is now running in an own organization. Check out our vision for the future

Fixes

• Update various links to the new repositories
• Fix background color for mode switching button in night mode

Enhancements

• Add some missing translations
• Add Serbian language

Fixes

• Fix broken redirect for empty serverURL
• Fix wrong variable type for HSTS maxAge
• Fix GitLab snippets showing up without being configured
• Fix Google’s API after disabling Google+
• Fix broken PDF export

Contributors

• atachibana (translator)
• Aurélien JANVIER (translator)
• Daan Sprenkels (translator)
• Farizrizaldy (translator)
• Luclu7
• Sylke Vicious (translator)
• toshi0123 & okochi-toshiki
• Turakar
• Vladan (translator)

Enhancements

• Run db migrations on npm start
• Add documentation about integration with AD LDAP
• Add rel="noopener" to all links
• Add documentation about integration with Nextcloud for authentication
• Update URL on frontpage to point to codimd.org
• Replace Fontawesome with Forkawesome
• Add OpenID support
• Add print icon to slide view
• Add auto-complete for language names that are highlighted in codeblocks
• Improve translations for Chinese, Dutch, French, German, Italien, Korean, Polish, and Russian language
• Add Download action to published document API
• Add reset password feature to manage_users script
• Move from own ./tmp directory to system temp directory
• Add Etherpad migration guide
• Move XSS library to a more native position
• Use full version string to determine changes from the backend
• Update winston (logging library)
• Use slide preview in slide example
• Improve migration handling
• Update reveal.js to version 3.7.0
• Replace scrypt library with its successor
• Replace to-markdown with turndown (successor library)
• Update socket.io
• Add warning on missing base URL
• Update bootstrap to version 3.4.0
• Update handlebar

Fixes

• Fix paths in GitLab documentation
• Fix missing data: URL in CSP
• Fix oAuth2 name/label field
• Fix GitLab API integration
• Fix auto-completed but not rendered emojis
• Fix menu organization depending on enabled services
• Fix some logging in the OT module
• Fix some unhandled internalOAuthError exception
• Fix unwanted creation of robots.txt document in “freeurl-mode”
• Fix some links on index page to lead to the right sections on feature page
• Fix document breaking, empty headlines
• Fix wrong multiplication for HSTS header seconds
• Fix wrong subdirectories in exported user data
• Fix CSP for speaker notes
• Fix CSP for disqus
• Fix URL API usage
• Fix Gist embedding
• Fix upload provider error message
• Fix unescaped disqus user names
• Fix SAML vulnerability
• Fix link to SAML guide
• Fix deep dependency problem with node 6.x
• Fix broken PDF export by wrong unlink call
• Fix possible XSS attack in MathJax

Refactors

• Refactor to use ws instead of the the no longer supported uws
• Refactor frontend build system to use webpack version 4
• Refactor file path configuration (views, uploads, …)
• Refactor manage_users script
• Refactor handling of template variables
• Refactor linting to use eslint

Removes

• Remove no longer working Octicons
• Remove links to our old Gitter channel
• Remove unused library node-uuid
• Remove unneeded blueimp-md5 dependency
• Remove speakerdeck due to broken implementation

Contributors

• Adam.emts (translator)
• Alex Garcia
• Cédric Couralet (micedre)
• Claudius Coenen
• Daan Sprenkels
• David Mehren
• Erona
• Felix Yan
• Jonathan
• Jong-kai Yang (translator)
• MartB
• Max Wu (jackycute)
• mcnesium
• Nullnine (translator)
• RanoIP (translator)
• SuNbiT
• Sylke Vicious (translator)
• Timothee (translator)
• WilliButz
• Xaver Maierhofer
• 云屿

Enhancements

• Update Italian translations
• Update Japanese translations
• Update markdown-pdf
• Add support for unix sockets
• Update “follow us” information to Community channel and translation
• Add Cloudron installation method
• Add guide for Mattermost authentication
• Update various packages
• Add Indonesian language as new translation

Fixes

• Fix content types in status router
• Fix some modal colors in night mode
• Fix CSP to allow usage of speaker notes
• Fix some wrong title attributes in the editor toolbar
• Fix some confusion about the default location of images. It’s always the local filesystem now
• Fix object handling in avatar generation code
• Finally fix error handling of LZ-String by using self-maintained version
• Fix migration handling
• Fix gitlab API version
• Fix some server crashes caused by PDF creation
• Fix document length limit on post to /new
• Fix broken youtube embedding on /features page

Refactors

• Refactor generation of table of contents
• Refactor “copyright”-section to be a “Powered by”

Removes

• Remove unneeded inline styling

Deprecations

• NodeJS version 6
• Mattermost login integration (is replaced by generic oAuth2 module)

Honorable mentions

• Alex Hesse (Pingu501)
• Alexander Wellbrock (w4tsn)
• Cédric Couralet (micedre)
• Girish Ramakrishnan (gramakri)
• maahl
• Max Wu (jackycute)
• Miranda (ahihi)
• Ondřej Slabý (maxer456)

Announcement

• HackMD CE is renamed to CodiMD to prevent confusion. For details see here

Enhancements

• Show full title by hovering over to table of contents entries
• Add generic OAUTH2 support for authentication
• Redirect unauthenticated user to login page on “forbidden” pages
• Add ability to add ToS and privacy documents without code changes
• Add account deletion as part of user self-management
• Add download of all own notes
• Add privacy policy example (no legal advice)
• Increase checkbox size on slides
• Add support for Azure blob storage for image uploads
• Add Korean translation
• Add note about official K8s chart for deployment
• Add toolbar for markdown shortcuts in editor
• Add ability to disable Gravatar integration
• Add print icon to slide menu which leads to the print view.
• Add sequelize to setup instructions
• Update various packages

Fixes

• Fix local writes for non-existing translations in production
• Fix wrong documentation about default image upload type
• Fix possible error if CodiMD is started with wrong working directory
• Fix issues caused by cached/cacheeable client config
• Fix issues caused by notes created via curl/API with CRLF line endings
• Fix broken images for downloaded PDFs while using filesystem as imageUploadType
• Fix Unicode URLs when using allowFreeURL=true

Refactors

• Split auth documentation into multiple documents

Removes

• Remove polyfill for useCDN=false setups
• Remove unused and no longer needed symlink from translations

Honorable mentions

• Adam Hoka (ahoka)
• Edgar Z. Alvarenga (aivuk)
• Jacob Burden (jekrb)
• Pedro Ferreira (pferreir)
• TC Liu (liuderchi)