Releases: isso-comments/isso
0.8
- replace <textarea> with <div contenteditable="true"> to remove the sluggish auto-resize on input feature. If you use a custom CSS, replace textarea with .textarea.
- remove superscript extension from Markdown defaults as it may lead to unexpected behavior for certain smileys such as "^^". To enable the extension, add

      [markup]
      options = superscript
      allowed-elements = sup

  to your configuration.
- comment count requests are now bundled into a single POST request, but the old API is still there (deprecated though).
- store session-key in database (once generated on database creation). That means links to activate, edit or delete comments are now always valid even when you restart Isso.

  Currently statically set session keys in [general] are automatically migrated into the database on startup and you will get a notice that you can remove this option.
- fix undefined timestamp when client time differs by more than 1 second. The human-readable "time ago" deltas have been refined to match Moment.js behavior.
- avatar colors and background can now be customized:
  - data-isso-avatar-bg="#f0f0f0" sets the background color
  - data-isso-avatar-fg="#9abf88 #5698c4 #e279a3 #9163b6 ..." sets possible avatar colors (up to 8 colors are possible).
- new [markup] section to customize Misaka's Markdown generation (strikethrough and autolink enabled by default). Furthermore, you can now allow certain HTML elements and attributes in the generated output, e.g. to enable images, set

      [markup]
      allowed-elements = img
      allowed-attributes = src

  Check docs/configuration/server.rst for more details.
- replace requirejs-domready with a (self-made) HTML5 idiom, #51
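
The session-key change above, sketched as an added example (not Isso's own code): the key that signs activate/edit/delete links is generated once and kept in the database, so links already sent out survive a restart. The preferences table, the token layout and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

def load_session_key(db, configured=None):
    """Return the signing key kept in the database, creating it on first use.

    `configured` stands for a key statically set in [general]; it is migrated
    into the database once. Table and column names are hypothetical.
    """
    db.execute("CREATE TABLE IF NOT EXISTS preferences (key TEXT PRIMARY KEY, value TEXT)")
    row = db.execute("SELECT value FROM preferences WHERE key = 'session-key'").fetchone()
    if row:
        return row[0].encode()
    key = configured or secrets.token_hex(24)
    db.execute("INSERT INTO preferences VALUES ('session-key', ?)", (key,))
    db.commit()
    return key.encode()

def sign(key, action, comment_id):
    """Build the token that would be embedded in an activate/edit/delete link."""
    mac = hmac.new(key, f"{action}:{comment_id}".encode(), hashlib.sha256).hexdigest()
    return f"{action}:{comment_id}:{mac}"

def verify(key, token):
    """Return (action, comment_id) if the token was signed with `key`, else None."""
    try:
        action, comment_id, mac = token.split(":")
    except ValueError:
        return None
    expected = sign(key, action, comment_id).rsplit(":", 1)[1]
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return action, int(comment_id)

def restart_demo():
    """Compare a key regenerated at every startup with one stored in the database."""
    link = sign(secrets.token_bytes(24), "delete", 7)      # key of the first run
    per_startup = verify(secrets.token_bytes(24), link)    # second run, new random key
    db = sqlite3.connect(":memory:")                       # stands in for the comments db
    link = sign(load_session_key(db), "delete", 7)
    persisted = verify(load_session_key(db), link)         # second run, key read back
    return per_startup, persisted
```
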
0.7
- fix malicious HTML injection (due to wrong API usage). All unknown/unsafe HTML tags are now removed from the output (html5lib 0.99(9) or later) or properly escaped (older html5lib versions).
- remove kriskowal/q JS library (promises implementation) in favour of a self-made 50 LoC implementation to ease packaging (for Debian), #51
- SMTP notifications now support STARTTLS and use this transport security by default, #48 and #58. This also changes the configuration option from ssl = [yes|no] to security = [none|starttls|ssl].
- translation can now be made (and updated) with Transifex. If you want to take ownership for a language, contact me on IRC.
- fix French plural form
- the (by default random) session-key is now shown on application startup to make different keys per startup more visible
- use threading.lock by default for systems without semaphore support
fix malicious HTML injection
This bugfix release now sanitizes HTML tags based on a whitelist (also prevents auto-link to "unsafe" web protocols and images) as intended.
Fortunately, because of Sundown's typography support, the bug did not allow JS injection, only custom style tags and iframes.
PS: thanks to the anonymous submitter of a comment including a style tag for 24pt, red font ;-)
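
Whitelist sanitization of the kind described here, driven by the same two lists as the allowed-elements and allowed-attributes options from 0.8, as an added example (not Isso's code, which the notes say relies on html5lib). The class and function names and the SAFE_SCHEMES set are assumptions; the sample inputs in the test are constructed.

```python
from html import escape
from html.parser import HTMLParser

SAFE_SCHEMES = {"http", "https", "mailto"}   # assumption: schemes treated as safe
URL_ATTRS = {"href", "src"}
VOID = {"br", "hr", "img"}                   # elements without a closing tag
RAW_TEXT = {"script", "style"}               # never emitted, content dropped too

def safe_url(value):
    """Accept relative URLs and SAFE_SCHEMES only; anything else fails closed."""
    compact = "".join(ch for ch in value if ch > " ")  # ignore whitespace/control chars
    head = compact.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return ":" not in head or head.split(":", 1)[0].lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self, elements, attributes):
        super().__init__(convert_charrefs=True)
        self.elements, self.attributes = set(elements), set(attributes)
        self.out, self.skipping = [], False

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skipping = True
        if tag in RAW_TEXT or tag not in self.elements:
            return                                   # tag removed from the output
        kept = [(n, v or "") for n, v in attrs if n in self.attributes]
        kept = [(n, v) for n, v in kept if n not in URL_ATTRS or safe_url(v)]
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skipping = False
        elif tag in self.elements and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize(html, elements, attributes):
    """Keep only whitelisted elements/attributes; escape all text content."""
    parser = Sanitizer(elements, attributes)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```
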
0.6
Major improvements:
- override thread discovery with data-isso-id="...", #27

  To use the same thread for different URLs, you can now add a custom data-isso-id="my-id" attribute which is used to identify and retrieve comments (defaults to current URL aka window.location.pathname).
- isso.dispatch now dispatches multiple websites (= configurations) based on URL prefixes
- fix a cross-site request forgery vulnerability for comment creation, voting, editing and deletion, #40
- show modal dialog to confirm comment deletion and activation, #36
- new, comprehensive documentation based on reST + Sphinx: http://posativ.org/docs (or docs/ in the repository). Also includes an annotated example.conf, #43
- new Italian and Russian translations
Minor improvements:
- move isso:application to isso.run:application to avoid unnecessary initialization in some cases (change module if you use uWSGI or Gunicorn)
- add Date header to email notifications, #42
- check for blank text in new comment, #41
- work around IE10's HTML5 abilities for custom data-attributes
- add support for Gunicorn (and other pre-forking WSGI servers)
0.5.2
0.5.1
0.5
Major improvements:
- listen option replaces host and port to support UNIX domain sockets, #25

  Instead of host = localhost and port = 8080, use listen = http://localhost:8080. To listen on a UNIX domain socket, replace http:// with unix://, e.g. unix:///tmp/isso.sock.
- new option notify (in the general section) is used to choose (one or more) notification backends (currently only SMTP is available, though). Isso will no longer automatically use SMTP for notifications if the initial connection succeeds.
- new options to control the client integration
  - data-isso-css="false" prevents the client from appending the CSS to the document. Enabled by default.
  - data-isso-lang="de" overrides the useragent's preferred language (de, en and fr are currently supported).
  - data-isso-reply-to-self="true" should be set, when you allow reply to own comments (see server configuration for details).
- add support for gevent, a coroutine-based Python networking library that uses greenlets (lightweight threads). Recommended WSGI server when not running with uWSGI (unfortunately stable gevent is not yet able to listen on a UNIX domain socket).
- fix a serious issue with the voters bloomfilter. During an Isso run, the IP addresses from all commenters accumulated into the voters bloomfilter for new comments. Thus, previous commenters could no longer vote on other comments. This fixes the rare occurrences of #5.

  In addition to this fix, the current voters bloomfilter will be re-initialized if you are using Isso 0.4 or below (this is not necessary, but on the other hand, the current bloomfilter for each comment is sort-of useless).
- French translation (thanks to @sploinga), #38
- support for multiple sites, part of #34
Minor improvements:
- ipaddr is now used as ipaddress fallback for Python 2.6 and 2.7, #32
- changed URL to activate and delete comments to /id/<N:int>/activate etc.
- import command uses tag instead of to extract the relative URL path, #37
- import command now uses isDeleted to mark comments as deleted (and eventually remove stale comments). This seems to affect only a few comments from a previous WordPress import into Disqus.
- import command lists orphaned comments after import.
- import command now has a --dry-run option to do no actual operation on the database.