isso/CHANGES.rst

Changelog for Isso
==================

0.10 (unreleased)
-----------------

- add new configuration section for hash handling.

    [hash]
    salt = Eech7co8Ohloopo9Ol6baimi
    algorithm = pbkdf2

  You can customize the salt, choose different hash functions and tweak the
  parameters for PBKDF2.

- Python 3.4+ and Python 2.7.9+ validate TLS connections against the system's
  CA. Previously no validation was in place, see PEP-446__ for details.

- add `fenced_code` and `no_intra_emphasis` to default configuration.

  Fenced code allows to write code without indentation using `~~~` delimiters
  (optionally with language identifier).

  Intra emphasis would compile `foo_bar_baz` to foo<em>bar</em>baz. This
  behavior is very confusing for users not knowing the Markdown spec in detail.

- don't lose comment form if the server rejected the POST request, #144

- add localStorage fallback if QUOTA_EXCEEDED_ERR is thrown (e.g. Safari
  private browsing)

- new Bulgarian translation by sahwar, new Swedish translation by <Gustav
  Näslund, #143

- add --emptyid flag to import strange Disqus exports, #135

.. __: https://www.python.org/dev/peps/pep-0466/


0.9.8 (2014-10-08)
------------------

- add compatibility with configparser==3.5.0b1, #128


0.9.7 (2014-09-25)
------------------

- fix SMTP authentication using CRAM-MD5 (incorrect usage of
  `smtplib`), #126


0.9.6 (2014-08-18)
------------------

- remember name, email and website in localStorage, #119

- add option to hide voting feature, #115

    data-isso-vote="true|false"

- remove email field from JSON responses

  This is a quite serious issue. For the identicon, an expensive hash is used
  to avoid the leakage of personal information like a real email address. A
  `git blame` reveals, the email has been unintenionally exposed since the very
  first release of Isso :-/

  The testsuite now contains a dedicated test to prevent this error in the
  future.


0.9.5 (2014-08-10)
------------------

- prevent no-break space (&nbsp;) insertion to enable manual line breaks using
  two trailing spaces (as per Markdown convention), #112

- limit request size to 256 kb, #107

  Previously unlimited or limited by proxy server). 256 kb is a rough
  approximation of the next database schema with comments limited to 65535
  characters and additional fields.

- add support for logging to file, #103

    [general]
    log-file =

- show timestamp when hovering <time>, #104

- fix a regression when editing comments with multiple paragraphs introduced
  in 0.9.3 which would HTML escape manually inserted linebreaks.


0.9.4 (2014-07-09)
------------------

- fixed a regression when using Isso and Gevent


0.9.3 (2014-07-09)
------------------

- remove scrollIntoView while expanding further comments if a fragment is used
  (e.g. #isso-thread brought you back to the top, unexpectedly)

- implement a custom Markdown renderer to support multi-line code listings. The
  extension "fenced_code" is now enabled by default and generates HTML
  compatible with Highlight.js__.

- escape HTML entities when editing a comment with raw HTML

- fix CSS for input

- remove isso.css from binary distribution to avoid confusion (it's still there
  from the very first release, but modifications do not work)

.. __: http://highlightjs.org/


0.9 (2014-05-29)
----------------

- comment pagination by Srijan Choudhary, #15

  Isso can now limit the amount of comments shown by default and add link to
  show more. By default, all top-level comments are shown but only 5 nested
  comments (per reply). You can override the settings:

    isso-data-max-comments-top="N"
    isso-data-max-comments-nested="N"

  Where N is a number from 0 to infinity ("inf"). If you limit the amount of
  shown top level comments, the overall comment count may be incorrect and a
  known issue.

  You can also configure the amount of comments shown per click (5 by default):

    isso-data-reveal-on-click="N"

  This feature also required a change in the comment structure. Previously, all
  comments are stored tree-like but shown linearly. To ease the implementation
  of pagination, the comment tree is now limited to a maximum depth of one.
  Jeff Atwood explains, why `discussions are flat by design`__.

  .. __: http://blog.codinghorror.com/web-discussions-flat-by-design/

  When you upgrade, Isso will automatically normalize the tree and some
  information gets lost. All new replies to a comment are now automatically a
  direct child of the top-level comment.

- style improvements by William Dorffer, #39, #84 #90 and #91

  Isso now longer uses a fat SCSS library, but plain CSS instead. The design is
  now responsive and no longer sets global CSS rules.

- experimental WordPress import, #75

  Isso should be able to import WXR 1.0-1.2 exports. The import code is based
  on two WXR dumps I found (and created) and may not work for you. Please
  report any failure.

- avatar changes, #49

  You can now configure the client to not show avatars:

    data-isso-avatar="false"

  Also there is no longer an avatar shown next to the comment box. This is due
  to the new CSS and removes two runtime dependencies.

- you may now set a full From header, #87

    [smtp]
    from = Foo Bar <spam@local>

- SMTP (all caps) is now recognized for notifications, #95

- Isso now ships a small demo site at /demo, #44

- a few bugfixes: Disqus import now anonymizes IP addresses, uWSGI spooling for
  Python 3, HTTP-Referer fallback for HTTP-Origin

- remove Django's PBKDF2 implementation in favour of the PBKDF2 function
  available in werkzeug 0.9 or higher. If you're still using werkzeug 0.8, Isso
  imports passlib__ as fallback (if available).


This release also features a new templating engine Jade__ which replaces
Markup.js__. Jade can compile directly to JavaScript with a tiny runtime module
on the client. Along with the removal of sha1.js and pbkdf2.js and a few build
optimizations, the JS client now weighs only 40kb (12kb gzipped) – 52kb resp.
17kb before.

.. __: https://pypi.python.org/pypi/passlib
.. __: http://jade-lang.com/
.. __: https://github.com/adammark/Markup.js


0.8 (2014-03-28)
----------------

- replace ``<textarea>`` with ``<div contentedtiable="true">`` to remove the
  sluggish auto-resize on input feature. If you use a custom CSS, replace
  ``textarea`` with ``.textarea`` and also set ``white-space: pre``.

- remove superscript extension from Markdown defaults as it may lead to
  unexpected behavior for certain smileys such as "^^". To enable the extension,
  add

    [markup]
    options = superscript
    allowed-elements = sup

  to your configuration.

- comment count requests are now bundled into a single POST request, but the old
  API is still there (deprecated though).

- store *session-key* in database (once generated on database creation). That
  means links to activate, edit or delete comments are now always valid even
  when you restart Isso.

  Currently statically set session keys in ``[general]`` are automatically
  migrated into the database on startup and you will get a notice that you can
  remove this option.

- fix undefined timestamp when client time differs for more than 1 second.
  The human-readable "time ago" deltas have been refined to match `Moment.js`_
  behavior.

- avatar colors and background can now be customized:

  * ``data-isso-avatar-bg="#f0f0f0"`` sets the background color
  * ``data-isso-avatar-fg="#9abf88 #5698c4 #e279a3 #9163b6 ..."`` sets possible
    avatar colors (up to 8 colors are possible).

- new [markup] section to customize Misaka's Markdown generation (strikethrough,
  superscript and autolink enabled by default). Furthermore, you can now allow
  certain HTML elemenets and attributes in the generated output, e.g. to enable
  images, set

      [markup]
      allowed-elements = img
      allowed-attributes = src

  Check docs/configuration/server.rst for more details.

- replace requirejs-domready with a (self-made) HTML5 idiom, #51

.. _Moment.js: http://momentjs.com/docs/#/displaying/fromnow/


0.7 (2014-01-29)
----------------

- fix malicious HTML injection (due to wrong API usage). All unknown/unsafe
  HTML tags are now removed from the output (`html5lib` 0.99(9) or later) or
  properly escaped (older `html5lib` versions).

  See 36d702c and 3a1f92b for more details.

- remove kriskowal/q JS library (promises implementation) in favour of a
  self-made 50 LoC implementation to ease packaging (for Debian), #51

- add documentation to display a comment counter, #56 and #57

- SMTP notifications now support STARTTLS and use this transport security
  by default, #48 and #58. This also changes the configuration option from
  `ssl = [yes|no]` to `security = [none|starttls|ssl]`.

- translation can now be made (and updated) with Transifex_. If you want to
  take ownership for a language, contact me on IRC.

- fix french pluralform

- the (by default random) session-key is now shown on application startup
  to make different keys per startup more visible

- use `threading.lock` by default for systems without semaphore support

.. _Transifex: https://www.transifex.com/projects/p/isso/


0.6 (2013-12-16)
----------------

Major improvements:

- override thread discovery with data-isso-id="...", #27

  To use the same thread for different URLs, you can now add a custom
  ``data-isso-id="my-id"`` attribute which is used to identify and retrieve
  comments (defaults to current URL aka `window.location.pathname`).

- `isso.dispatch` now dispatches multiple websites (= configurations) based on
  URL prefixes

- fix a cross-site request forgery vulnerability for comment creation, voting,
  editing and deletion, #40

- show modal dialog to confirm comment deletion and activation, #36

- new, comprehensive documentation based on reST + Sphinx:
  http://posativ.org/docs (or docs/ in the repository). Also includes an
  annotated `example.conf`, #43

- new italian and russian translations

Minor improvements:

- move `isso:application` to `isso.run:application` to avoid uneccessary
  initialization in some cases (change module if you use uWSGI or Gunicorn)
- add Date header to email notifications, #42
- check for blank text in new comment, #41
- work around IE10's HTML5 abilities for custom data-attributes
- add support for Gunicorn (and other pre-forking WSGI servers)


0.5 (2013-11-17)
----------------

Major improvements:

- `listen` option replaces `host` and `port` to support UNIX domain sockets, #25

  Instead of `host = localhost` and `port = 8080`, use
  `listen = http://localhost:8080`. To listen on a UNIX domain socket, replace
  `http://` with `unix://`, e.g. `unix:///tmp/isso.sock`.

- new option `notify` (in the general section) is used to choose (one or more)
  notification backends (currently only SMTP is available, though). Isso will
  no longer automatically use SMTP for notifications if the initial connection
  succeeds.

- new options to control the client integration

  * ``data-isso-css="false"`` prevents the client from appending the CSS to the
    document. Enabled by default.

  * ``data-isso-lang="de"`` overrides the useragent's preferred language (de, en
    and fr are currently supported).

  * ``data-isso-reply-to-self="true"`` should be set, when you allow reply to
    own comments (see server configuration for details).

- add support for `gevent <http://www.gevent.org/>`_, a coroutine-based Python
  networking library that uses greenlets (lightweight threads). Recommended
  WSGI server when not running with uWSGI (unfortunately stable gevent is not
  yet able to listen on a UNIX domain socket).

- fix a serious issue with the voters bloomfilter. During an Isso run, the
  ip addresses from all commenters accumulated into the voters bloomfilter
  for new comments. Thus, previous commenters could no longer vote other
  comments. This fixes the rare occurences of #5.

  In addition to this fix, the current voters bloomfilter will be re-initialized
  if you are using Isso 0.4 or below (this is not necessary, but on the
  other hand, the current bloomfilter for each comment is sort-of useless).

- french translation (thanks to @sploinga), #38

- support for multiple sites, part of #34

Minor improvements:

- `ipaddr` is now used as `ipaddress` fallback for Python 2.6 and 2.7, #32
- changed URL to activate and delete comments to `/id/<N:int>/activate` etc.
- import command uses `<link>` tag instead of `<id>` to extract the relative
  URL path, #37
- import command now uses `isDeleted` to mark comments as deleted (and
  eventually remove stale comments). This seems to affect only a few comments
  from a previous WordPress import into Disqus.
- import command lists orphaned comments after import.
- import command now has a ``--dry-run`` option to do no actual operation on
  the database.


0.4 (2013-11-05)
----------------

- Isso now handles cross-domain requests and cookies, fixes #24
- Isso for Python 2.x now supports werkzeug>=0.8
- limit email length to 254 to avoid Hash-DDoS
- override Isso API location with ``data-isso="..."`` in the script tag
- override HTML title parsing with a custom ``data-title="..."`` attribute
  in ``<div id="isso-thread"></div>``


0.3 (2013-11-01)
----------------

- improve initial comment loading performance in the client
- cache slow REST requests, see #18
- add a SQLite trigger that detects and removes stale threads (= threads,
  with all comments being removed) from the database when a comment is
  removed.
- PyPi releases now include an uncompressed version of the JavaScript
  files -- `embed.dev.js` and `count.dev.js` -- to track down errors.
- use uWSGI's internal locking instead of a self-made shared memory lock


0.2 (2013-10-29)
----------------

- initial PyPi release