17.7 Release Notes

JohnD
Khoros Alumni (Retired)
8 years ago

 

New Features 

Support for reCAPTCHA v2  

With the 17.7 release, Lithium now supports reCAPTCHA v2, which is designed to establish whether a computer user is human or a bot.

Up to now, Lithium used reCAPTCHA v1. Recently, Google ended support for reCAPTCHA v1 in favor of reCAPTCHA v2. reCAPTCHA v2 provides additional security for users entering sensitive information and dramatically simplifies the CAPTCHA process. With reCAPTCHA v2, users only need to check a single box ("I am not a robot"), rather than enter an image challenge passphrase.

With the 17.7 release, Lithium will be upgrading all customers using reCAPTCHA v1 to reCAPTCHA v2 and creating new Site and Secret Keys. Community customers not using reCAPTCHA are unaffected by this upgrade.

Important: Since Google is no longer supporting reCAPTCHA v1, Lithium will stop supporting v1 with this release.  

Learn more about reCAPTCHA v2 and review these common FAQs.  

Enabling reCAPTCHA v2 

New customers and existing customers who want to turn on reCAPTCHA after the 17.7 release can do so themselves and no longer need to open a Support ticket. 

 

Note: The upgrade to reCAPTCHA v2 changes the requirement for completing a verification challenge from once per session to once per post submission.

 

Enabling reCAPTCHA v2 involves two tasks: 

Create Site and Secret Keys 

To run automated tests with reCAPTCHA v2, you need to create both a Site Key and Secret Key: 

  1. Open a browser and go to Google's registration site. 
  2. Enter the URL for the site you want to register and generate keys. 
  3. Select the reCAPTCHA V2 option. 

  4. Accept the reCAPTCHA Terms of Service and click Register. 

  5. Copy down or copy to your clipboard both the Site Key and Secret Key.  

Use these keys when you enable reCAPTCHA in Community Admin in the next procedure. 

Enable reCAPTCHA in Community Admin 

You can enable reCAPTCHA for various verification scenarios, either globally or for specific boards/pages. When noted, specific user permissions are also required if the verification process is to be triggered. 

To enable and configure reCAPTCHA v2 for your community: 

  1. Go to Community Admin > System > Authentication. 

  2. If needed, click Choose to select the specific page/board where you want to apply the reCAPTCHA settings or set global settings on the top-level Community page. 
  3. Enable the scenarios where you want users to be presented with the reCAPTCHA verification challenge:  
    • Require verification when registering: presents challenge when users register for the community. 
    • Require verification when sending private messages: presents challenge when users try to send private messages to other users. This option also requires that the Post private messages without verification permission be set to Deny for the desired roles in your community. 
    • Require verification for users to post messages: presents challenge when users try to post new Forum messages. This option also requires that the Post messages without verification permission be set to Deny for the desired roles in your community. 
    • Require verification for anonymous users to comment on blogs: presents challenge when users try to post comments on blogs. 
  4. Enter the Site and Secret keys you got in the previous procedure. 
  5. Click Done. 

Here's an example of how the reCAPTCHA appears on the user registration page: 

 

FreeMarker Version Upgrade

We've upgraded our FreeMarker version to 2.3.26.

 

New permission to embed content hosted by third parties

We have added a new permission: Use HTML which can embed third-party content. This permission can be used to restrict a user's ability to embed content hosted by third parties within a message body. Typically, this is done with HTML that makes the user's browser request content from outside the community, for example: <img src="http://thirdpartysite.example/some-image.png">

 

This permission does not restrict users from embedding content hosted by third parties within signatures. 

 

When set to Deny, the permission adds an additional layer of restriction to the HTML tags and attributes allowed by the following permissions: 

  • Use simple HTML in posts and signatures
  • Allow user to use advanced HTML in posts and signatures
  • Use full HTML in posts and signatures

See Allowed HTML tags in the Community text editor for more information about each permission.

 

If the user has Use HTML which can embed third-party content set to Grant, the user can post according to the permissions above; no additional restrictions are applied. If the user has Use HTML which can embed third-party content set to Deny, the user cannot embed content hosted by third parties within the message body.

 

Note: While this permission is granted to all users by default, we recommend you discuss this permission with your security team to determine which users, if any, should be allowed to embed third-party content within a message body.

 

This is the set of HTML attributes denied to a user when Use HTML which can embed third-party content is set to Deny:

  • img:src|srcset
  • script:src
  • source:src
  • embed:src
  • body:background
  • frame:src
  • iframe:src
  • audio:src
  • video:src|poster
  • track:src
  • object:archive
  • style:src

Note: We do not have a configuration or Community Admin option to whitelist trusted hosts for this permission.
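
An added example, not Lithium's code: a Python audit that parses the deny list above in its tag:attribute|attribute notation and reports which elements of a message body use a denied attribute, together with the hosts they point to, so a security team can see what setting the permission to Deny would affect. SAMPLE_BODY and the .example hosts are constructed, and the function names are this example's own.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Deny list copied from the release note, in its own tag:attr|attr notation.
DENIED_SPEC = """img:src|srcset script:src source:src embed:src body:background
frame:src iframe:src audio:src video:src|poster track:src object:archive style:src"""

def parse_spec(spec):
    """Turn 'img:src|srcset ...' into {'img': {'src', 'srcset'}, ...}."""
    pairs = (entry.split(":", 1) for entry in spec.split())
    return {tag: set(attrs.split("|")) for tag, attrs in pairs}

class EmbedAuditor(HTMLParser):
    """Collects (tag, attribute, value) for each denied attribute in a message body."""
    def __init__(self, denied):
        super().__init__()
        self.denied, self.hits = denied, []
    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so <IMG SRC=...> matches.
        for name, value in attrs:
            if name in self.denied.get(tag, ()):
                self.hits.append((tag, name, value or ""))

def audit(body, denied=None):
    auditor = EmbedAuditor(denied or parse_spec(DENIED_SPEC))
    auditor.feed(body)
    auditor.close()
    return auditor.hits

def hosts(hits):
    """Count hosts referenced by the hits (srcset: simple comma split, several URLs)."""
    counts = Counter()
    for _tag, name, value in hits:
        urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
        for url in urls:
            counts[urlsplit(url.strip()).hostname or "(relative or no host)"] += 1
    return counts

SAMPLE_BODY = (  # constructed message body, not taken from a real community
    '<p>Hello <a href="http://thirdpartysite.example/page">link</a></p>'
    '<IMG SRC="http://thirdpartysite.example/some-image.png">'
    '<img srcset="//cdn.example/a.png 1x, //cdn.example/b.png 2x" alt="x">'
    '<video poster="/local/p.jpg" controls></video>'
    '<iframe src="https://tracker.example/frame"></iframe>'
)

if __name__ == "__main__":
    print(audit(SAMPLE_BODY), dict(hosts(audit(SAMPLE_BODY))), sep="\n")
```

Links (a:href) are not in the deny list, so the anchor in the sample is not reported; only attributes that make the browser fetch content automatically are.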

 

You Found It. We Fixed It. 

  • We have fixed the browser issue where people using Internet Explorer 11 could not upload certain file types. 
  • When you reordered badges in the Admin > Users > Badges screen, the new order was not retained when you clicked Save. This issue is now fixed. 
  • Previously, you were able to create duplicate usernames using the users/add API (user.sso_id), even if the SSO integration didn't allow it or if the username was hosted on our side via the select a screen name page. We have fixed this issue and now the API returns a message that there is a naming conflict. 
  • Previously, when you used a LiQL query with the online_status constraint, the results always returned all users (online and offline), regardless of the status specified. This filtering issue has been fixed. 
  • The Time Zone drop-down menu under user preferences is now localized based on the user's language preferences. 
  • We have fixed the display issue where the name of the author of an accepted solution was not being displayed when the accepted solution was floated to the top of the page, when using Responsive. 
  • We have fixed the issue where the rich text editor was being displayed on mobile devices when it was supposed to be disabled. 
  • We have fixed the issue where XSS content stored in a TKB preview box was being displayed in a pop-up window when using the Masonry view on Responsive. This display issue has been fixed, and now the TKB preview box displays properly. 

Check out the previous 17.6 Release Notes.

Updated 5 months ago
Version 21.0
  • JohnD
    Khoros Alumni (Retired)

    tmarshall - At this time, our implementation of reCAPTCHA v2 follows the browser locale.

    The language setting of the captcha widget follows the end user.

     At this time, you cannot set an explicit language as a community customization.

     

  • JohnD
    Khoros Alumni (Retired)

    Samantha_O - If you have v1 already enabled, yes, you will be automatically moved to v2 and your Site and Secret keys will be updated by us. Hope this helps.

  • JohnD
    Khoros Alumni (Retired)

    kthometz - I'm not sure if this will achieve what you want, but have you tried granting them the "Start new articles and edit drafts" permission? (Also, if this doesn't solve your issue, you might want to post your questions in the TKB article on this topic, instead of these Release Notes; might get more traction.) Hope this helps.

  • This is awesome to hear JohnD! I wanted to ask a quick question - if we have the recaptcha turned on, it seems like we are going to be upgraded to v2 automatically. If we want to enable the recaptcha in other areas (for example, say we have it turned on for blog comments, but not for messages and we want to turn this on for messages), will we need to go through the Site & Secret Key steps through Google, or since you are upgrading any of us using recaptcha v1, is this being automatically done for all of us so that we do not need to perform these steps going forward? 

  • Yay! Captcha is awful but necessary. Glad we will now make registration easier for our new members to make a better first impression on the community.

     

    Thanks,

     

    Jason

  • Question about the preview tab in the TKB editor...

    As an admin, the preview works for me - both when previewing drafts of new articles and when editing an existing article.  However, my TKB moderators can only preview drafts; they can't preview edits of existing/previously published articles.  How can I allow them to use the preview functionality on all articles without giving them admin or publisher rights?

  • JohnD

     

    Thanks John. Yeah, they have the "Start new articles and edit drafts" permission already in place. They can see the Preview option, but when they click on it, they get an error message stating "Correct the highlighted errors and try again. [User] Does not have access to edit this message" even though they're in the TKB article editor making edits already (just can't see the preview).  Is this maybe a support ticket?