All Versions
Latest Version
Avg Release Cycle
14 days
Latest Release

Changelog History
Page 1

  • v5.0.0 Changes


    🚀 This release was centered around two main goals:

    1. Implement a new, more modern and minimalist design with rounded corners and simpler colors 🚀 2. Remove detailed information about the open-source project from the platform itself and instead host it on the recently deployed project site (

    ⚡ī¸ Update notes

    🚀 Recent versions of CryptPad have introduced strict configuration requirements. If you are not already running version 4.14.1 then we recommend you read the notes of our past few releases and apply their updates in sequence. Each version introduces new tests on the checkup page which will help to identify configuration errors that may result in a non-functional server unless corrected.

    🔖 Version 5.0.0 introduces a new server-side API (/api/instance) which serves customized information (server name, description, hosting location) from the admin panel so that it can be displayed on the redesigned home page.

    🚀 We've done some extra work relative to similar APIs we've introduced in the past to ensure that the client-side code will continue to work without it. The upgrade process should go smoothly even if you fail to apply the suggested updates to your reverse proxy configuration (see cryptpad/docs/example.nginx.conf). If this data cannot be retrieved by the client it will fall back to some sensible defaults, but we recommend you take the time to fix it now in case this API ceases to be optional in some future release. The checkup page will identify whether the API is accessible and display an error otherwise.

    diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
    index a2d1cb1ce..23139c58c 100644
    --- a/docs/example.nginx.conf
    +++ b/docs/example.nginx.conf
    @@ -183,7 +183,7 @@ server {
         # /api/config is loaded once per page load and is used to retrieve
         # the caching variable which is applied to every other resource
         # which is loaded during that session.
    -    location ~ ^/api/(config|broadcast).*$ {
    +    location ~ ^/api/.*$ {
             proxy_pass http://localhost:3000;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;

    ⚡ī¸ To update from 4.14.1 to 5.0.0:

    ⚡ī¸ 1. Update your reverse proxy configuration to forward all /api/ requests to the API server, as per the diff shown above, and reload your reverse proxy config

    1. Stop your API server ✅ 3. Fetch the latest code with git ⚡ī¸ 4. Install the latest dependencies with bower update and npm i
    2. Restart your server ✅ 6. Review your instance's checkup page to ensure that you are passing all tests

    🔋 Features

    • 🚀 The most notable feature of this release is its new look: with rounded corners, a more subtle use of colors, and some updated icons.
    • As noted above, instance information from the admin panel is now displayed on the home page, making it easier to customize a CryptPad instance without having to edit so many files on the server. In particular, the home page will now display:
      1. The instance's configured name or its domain (as a default).
      2. The instance's description or a default string.
      3. The instance's hosting location (if specified).
      4. An optional notice to be displayed as a banner.
    • Many of the informational pages have been replaced by a link the project site ( Links to optional, instance-specific pages like its terms of service, privacy policy, legal notice and contact information are displayed inline, allowing for a smaller footer.
    • The drive's directory tree (also shown in teams) can now be resized by dragging its border.
    • ✅ The checkup page features several new tests, including some which only apply to public instances (a description and location are expected if you have opted into the public instance directory (

    🐛 Bug fixes

    • 🛠 The font selector in our OnlyOffice-based editors (sheets, docs, presentations) now supports several new fonts, and we've fixed a rendering error which caused the wrong font to be selected when clicking on certain options in the dropdown list (
    • đŸ’ģ Clicking on an option in the user administration menu (in the top-right corner) didn't automatically close the menu in some cases because some browsers emitted an event while others did not. We now explicitly close this menu when any of its options are clicked.
    • 🔀 We now guard against a type error that occurred when trying to generate a list of documents to "pin" while shared folders were still in the process of synchronizing.
    • ⚡ī¸ Thanks to a user report we identified that when a premium user uploaded to a non-premium team the error message incorrectly indicated that the uploaded file exceeded the premium size limit (rather than the non-premium size limit). This resulted in confusing behaviour where a 30MB file was described as being over the 150MB file upload limit. We've updated the resulting error message to display the appropriate size limit and indicate that it is relative to the target drive or team, rather than the user's account.
    • 🚚 Another user reported that they had trouble exporting OnlyOffice documents that contained certain unprintable control characters in their file names. We now remove those unprintable characters when exporting.
    • 💅 We noticed that very long messages in team invitation links could overflow their container, so we fixed its incorrect styles.
    • 🔧 We observed that some third-party instances had been incorrectly configured such that when they entered an editor's URL (such as /pad) they only observed a blank page rather than being redirected to the appropriate URL which contained a trailing slash (ie. /pad/). We've added a script which detects such cases and redirects to the appropriate URL if it exists.
  • v4.14.1 Changes

    🚀 This minor release fixes a number of bugs that we noticed after deploying 4.14.0.

    • 📇 A bug in the code responsible for loading document metadata caused documents to be incorrectly treated as if they had no owners. As a result, several options in the Drive's UI did not work as expected:
      • owned documents could not be destroyed from the access menu.
      • document passwords could not be changed from the access menu.
      • document history could not be trimmed from the properties menu.
    • đŸ’ģ We also found that some components did not behave as expected in the Drive UI while in history mode:
      • it was not possible to open shared folders' menus (properties, share, access) to view what their properties were in the past (in the event that they had been deleted or had their passwords changed).
      • shared folders names were not correctly displayed even when their data was available.
    • 🚀 Some last minute changes to the checkup page before the 4.14.0 release caused a default error message to be incorrectly concatenated with the intended error message for each failing test.
    • 👕 A rule in one of our translation linting scripts incorrectly flagged the "ise" in the word "milliseconds" as an instance of the UK-English "-ise" suffix (we use "-ize" elsewhere).
    • ⚡ī¸ An admin of a third-party instance found that they were unable to load their checkup page. As it turned out, they were trying to access it via /checkup instead of /checkup/. We've updated our example NGINX config to rewrite this URL to include the trailing slash.
    • 🚚 Some of the comments in cryptpad/config/config.example.js were outdated or incorrect and have been removed or corrected.
    • The "About CryptPad" now correctly accepts handles custom links provided as protocol-relative URLs.
    • ⚡ī¸ A number of pages did not set custom titles and instead used the default "CryptPad". They now update the document title, making it possible to distinguish between such pages when you have multiple tabs open.
    • 🔧 The forms and kanban apps both allow users to write content in Markdown, but did not always display the toolbar above their editors. This was because they inferred the user's preferred editor configuration based on whether they had collapsed the toolbar in the code editor. Since these apps don't offer an easy way to display the toolbar once more, we decided that it was better to just display it all the time.

    🔀 We've also merged a few significant improvements:

    • 💅 The Polish translation was updated by Dariusz Laska.
    • 🌐 A significant percentage (currently 66%) of the Ukrainian translation has also been completed and enabled.
    • ⚡ī¸ We've updated Mermaidjs to version 9.0.0, which fixes a number of bugs and also introduces support for gitGraph diagrams
    • 📚 Users on will no longer be warned that they are leaving the platform when they open a link to our documentation. Users on third-party instances will continue to see the usual warning, since they really are navigating to a site operated by different admins.

    🚀 Our 4.14.0 release notes introduced breaking changes. If you are not already running 4.14.0 we recommend updating to that first, then updating to 4.14.1 once you've confirmed that you are correctly passing all the tests on your instance's checkup page.S

    To do so:

    1. Stop your server ✅ 2. Get the latest code with git ⚡ī¸ 3. Install the latest dependencies with bower update and npm i
    2. Restart your server ✅ 5. Review your instance's checkup page to ensure that you are passing all tests
  • v4.14.0 Changes


    🚀 Our main goal for this release was to follow up on some of the findings of the Intigriti bug bounty program that was sponsored by the European Commission. We also aimed to deploy some features that we want to have in place before the deployment of our upcoming 5.0 release and a corresponding update to our project site ( You can read more about all of this in our latest blog post.

    ⚡ī¸ Update notes

    đŸ’Ĩ This release includes BREAKING CHANGES, especially if you have not configured your instance correctly. We advise that you read the following section carefully and follow its recommendations as closely as possible if you operate your own CryptPad instance.

    🚀 First, some review: CryptPad is designed to be deployed using two domains. One is the primary domain which users enter into their address bar, while the second is a "sandbox" that is loaded indirectly. Sensitive operations like cryptographic key management are performed in the scope of the primary domain, while the sandbox is used to load the majority of the platform's UI. If there is a vulnerability in the sandbox, it is at least limited in scope because of measures we've taken to prevent it from accessing user accounts' keys. We initially introduced this system nearly five years ago, it is described in our admin installation guide, and we've done our best to make sure admins are aware of its importance. Even so, only a small number of our admins follow our recommendations.

    Since we've tried every other option we could think of to inform administrators of the risks of storing sensitive data on a misconfigured CryptPad instance, we are now adopting a more drastic policy where correct behaviour is enforced in the code itself. What that means for admins is that if you fail to implement configuration parameters which we consider essential, then various parts of the codebase will detect this and refuse to operate.

    If your instance is configured correctly, then this shouldn't impact you at all. If you're worried that you might be impacted, then the best course of action is to update to 4.13.0 (the previous release, if you aren't already running it) and to follow its recommendation to review the checkup page and ensure that your instance passes its self-diagnostic tests. 4.14.0 introduces a large number of new tests, but those that were already present in 4.13.0 should identify the major issues that will prevent your instance from loading after the update.

    Now, a bit about the situations in which CryptPad will fail to load:

    • 🔧 if CryptPad is loaded via any origin that does not match its configured httpUnsafeOrigin, then it will abort.
      • hint: for, this value is
    • if CryptPad's sandbox does not correctly block the use of eval, then it will abort.
      • the use of eval is blocked by the recommended Content-Security-Policy headers. These strict headers are applied to most resources loaded from the sandbox origin.
      • hint: for the httpSafeOrigin is, while our NGINX sets $sandbox_domain to
    • 🔒 if CryptPad is loaded in a browser that does not enforce Content-Security-Policy (such as Internet Explorer or any other browser using a non-compliant configuration) then it will abort.
    • if CryptPad is embedded within an iframe and you have not explicitly enabled embedding via the admin panel (more on that later) it will abort.
    • if any CryptPad application that requires special permissions (drive, calendar, sheet, doc, presentation) is loaded in an iframe then it will abort.

    🔋 The reasons for blocking embedding will be described in the Features section below, so keep reading if you're curious.

    ⚡ī¸ We're also recommending a few more updates, but we don't expect that these will stop the service from loading:

    • NodeJS v12.14.0 (which we have recommended for some time) will be considered End-Of-Life as of April 30th.
      • We recommend updating to NodeJS v16.14.2 via NVM.
      • The API server will check the version of its runtime when it launches. It will print a warning to your server logs and set a public flag in /api/config indicating that it should be updated. There is a corresponding test on the checkup page which checks for the presence of this flag for admins that aren't in the habit of reviewing their logs.
    • ✅ The recommended NGINX config file also includes some minor changes. You can compare the current version (in cryptpad/docs/example.nginx.conf) against your live config with a diff tool. There are also new tests on the checkup page which will identify whether the newly changed headers have been correctly applied.
    • ⚡ī¸ There are updates to our dependencies using both npm and bower.
    • 🔧 There are a number of new configuration parameters that can be customized via application_config.js. Some are optional. A number of other parameters, such as URLs for a privacy policy and terms of service, will be expected if your instance permits registration. The checkup page will display warnings if these are absent. Configuration via application_config.js is described in our docs.

    We've also made a number of changes and additions to the instance admin panel:

    • 👉 controls for archiving and restoring documents can now be found under User storage, rather General.
      • Both sections now include an optional "note" field, allowing admins to specify the reason why a document was archived/restored. This value will be included in the server's logs.
    • 🐎 the Performance tab now includes two new settings which permit admins to enable a new API endpoint (/api/profiling) which exposes some live performance data as JSON endpoint. If you don't know what this means you probably don't need it.
    • 👍 The admin support ticket panel now responds somewhat more quickly thanks to some sorting optimizations.
    • The General tab now includes three new fields (instance name, instance description, hosting location).
      • These are primarily intended for admins who have opted in to inclusion in the directory of public instances which we plan to deploy along with our next release.
      • In the future we hope to use these values on the home page as well, making it easier to customize your instance.

    ⚡ī¸ To update from 4.13.0 to 4.14.0:

    ⚡ī¸ 0. Before updating, review your instance's checkup page to see whether you have any unresolved issues

    1. Install NodeJS v16.14.2 ⚡ī¸ 2. Update your systemd service file (or whatever method you use to launch CryptPad) to use the newer NodeJS version ⚡ī¸ 3. Update your NGINX configuration file to match the provided example
    2. Stop your server ✅ 5. Get the latest code with git ⚡ī¸ 6. Install the latest dependencies with bower update and npm i
    3. Restart your server ✅ 8. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

    🔋 Features

    • 0ī¸âƒŖ Embedding of CryptPad in iframes on third-party websites is now disabled by default because doing so prevents a number of possible attacks in cases of overly permissive HTTP headers.
      • CryptPad's editors will only load properly if the instance is explicitly configured via the admin panel to permit this behaviour.
      • Even where embedding is enabled, the properties, share, access, and insert menus are disabled. Attempts to use them cause a dialog to open which prompts users to open the current document/page in a dedicated tab/window.
      • The embed tab of the share menu (which generates code for embedding CryptPad documents in third-party sites) is only shown if the instance administrators have enabled embedding.
    • More information about the host instance is included in the About CryptPad dialog which can be opened via the account administration menu in the top-right corner of the screen.
      • specifically: it now displays the same configurable instance description which is displayed on the home page, as well as links to the instance's terms of service and source code (if they are available).
    • 👍 The support page has a number of new features:
      • A new tab is accessible via the left sidebar which displays a preview of the metadata which is included along with support tickets.
      • We revised the ticket categories which are listed in the dropdown menu. Users are prompted to choose a category. Once a category is chosen, more specific information is automatically requested with links to the relevant documentation.
    • The login page now features a reminder that administrators cannot reset passwords or recover accounts.
    • 🚚 Tracking parameters are automatically removed from the address bar after the page loads for cases where a third-party tool automatically added them.
    • Calendars in the sidebar of the calendar app are now sorted according to their title.
    • ✅ The checkup page features many new tests and improvements:
      • Errors are now sorted above warnings.
      • Errors and warnings are each sorted according to their test number.
      • In cases where multiple tests need to inspect the HTTP headers of a common resource, the resource is only requested once and subsequent requests access it from a cache, speeding up loading time and reducing network usage.
      • The Server header is displayed in the page summary if it is available.
      • The tests for CSP headers now describe the failures of each misconfigured CSP directive, rather than just the first one to fail.
      • Warnings are displayed for each of several important resources (privacy policy, terms of service, etc) when the instance allows registration but has not provided this information for new users.
      • Our test runner catches synchronously thrown errors and tries to display helpful messages.
      • Tests will time out after 25 seconds to ensure that the set of tests eventually completes.
      • A new script is executed before CryptPad's bootloader which should detect and handle bootloader errors such as missing dependencies or unreachable API endpoints.

    🐛 Bug fixes

    • 📜 The checkup page now handles and error that occurred when trying to parse CSP headers that were not provided (trying to parse null as a string).
    • The form app allowed authors to specify links (via markdown) in questions' descriptions and the form's submit message, but none of these links used CryptPad's typical link click handler. As a result these links failed to open.
    • Links specified on users' profile pages are opened via the bounce app, which warns users when a link will navigate outside CryptPad and blocks links which are clearly malicious in nature (trying to execute code).
    • 🛠 We discovered and fixed a deadlock that occurred in cases where users tried to download a folder that contained multiple Office documents.
    • The drive's history mode now displays the appropriate document id in the properties menu in cases where an earlier version of a document had a different id (due to a password change).
    • During development of a new feature we discovered that the server could respond to HTTP requests with stack traces in cases where the request triggered an error. These responses could contain information about the server's directory structure, so we now handle these errors and send the client a page indicating that there was an internal server error.
    • Attempting to convert office documents could mistakenly trigger two concurrent downloads of the client-side conversion engine. Now it is only downloaded once, so conversion should be roughly twice as fast for cases where the WebAssembly blob was not already cached.
    • A number of users reported various actions which could cause documents in their team drives to be duplicated. These duplicated entries are references to the same document as the original, not complete copies, so care should be taken not to use the destroy option when removing them from your drive. If a user accidentally destroys a document then it should be possible for an administrator to restore its content via the admin panel if the user can provide a safe link that they can find using the drive's history mode.
  • v4.13.0 Changes


    🚀 For this release we set aside time to update a number of our software dependencies and to investigate a variety of bugs that had been reported in support tickets.

    🚀 We have also been coordinating with security researchers through a bug bounty program hosted by and sponsored by the European Commission. This release includes security fixes and a number of new tests on the checkup page to help ensure that your instance is configured in the most secure manner possible. We recommend you read these notes thoroughly to ensure you update correctly.

    ⚡ī¸ Update notes

    🔒 4.13.0 includes significant changes to the Content-Security-Policy found in the example NGINX configuration which we recommend (available on GitHub). The updated policy only allows client behaviour which is strictly necessary for clients to work correctly, and is intended to be resilient against misconfiguration beyond the scope of this file. For instance, rather than simply allowing clients to connect to a list of permitted domains we are now explicit that those domains should only be accessible via HTTPS, in case the administrator was incorrectly serving unencrypted content over the same domain. These changes will need to be applied manually.

    🔒 Several of the new tests on the checkup page ( evaluate the host instance's CSP headers and are very strict about what is considered correct. These settings are a core part of CryptPad's security model, and failing to configure them correctly can undermine its encryption by putting users at risk of cross-site-scripting (XSS) vulnerabilities.

    ⚡ī¸ To update from 4.12.0 or 4.12.1 to 4.13.0:

    ⚡ī¸ 0. Before updating, review your instance's checkup page to see whether you have any unresolved issues ⚡ī¸ 1. Update your NGINX configuration file to match the provided example

    1. Stop your server ✅ 3. Get the latest code with git ⚡ī¸ 3. Install the latest dependencies with bower update and npm i
    2. Restart your server ✅ 5. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

    🔋 Features

    • 🚀 This release updates OnlyOffice to v6.4.2, which includes a wide variety of improvements and bug fixes, such as:
      • dark mode
      • conditional formatting in sheets
      • fixes for various font and scaling issues
      • numerous other issues mentioned in OnlyOffice's changelog
    • 🔒 We switched from using our fork of Fabricjs back to the latest version of the upstream branch, since the maintainers had resolved the cause of an incompatibility with our strict Content Security Policy settings. Among other things, this brought improved support for a variety of pressure-sensitive drawing tablets when using our whiteboard app.
    • ⚡ī¸ Mermaidjs ( has been updated to the version (8.13.10) which:
      • includes fixes a number of possible security flaws which should not have had any effect due to our CSP settings
      • introduces support for several new diagram types (entity relationship, requirement diagrams, user journeys)
      • adds support for dark mode and more modern styles
    • 🔧 We've begun to experiment with additional iframe sandboxing features to further isolate common platform features (sharing, access controls, media transclusion, upload) from the apps that can trigger their display. These measures should be mostly redundant on CryptPad instances with correctly configured sandboxes, but may help mitigate unexpected risks in other circumstances.
      • these improvements were disabled because they were handled incorrectly by Safari
    • We've added the ability for guests to edit calendars when they have the appropriate editing rights
    • 💅 A number of groups and individuals volunteered to help translate CryptPad into more languages or complete translations of languages that had fallen out of date. We are happy to say that CryptPad is now fully translated in Russian, Brazilian Portuguese, Czech, and Polish.

    🐛 Bug fixes

    • 🔒 4.13.0 fixes a number of security issues:
      • There were several instances where unsanitized user input was display as HTML in the UI. This had no effect on instances with correctly configured CSP headers, but could have been leveraged by attackers to run scripts on other users devices where these protections were not applied.
      • The 'bounce' page (which handles navigation from a CryptPad document to another page) didn't warn users when they were leaving CryptPad (a flaw known as an 'open redirect'). We now detect and warn users of redirection to untrusted pages, reducing the risk of phishing attacks. Some users have complained that they find this new behaviour annoying, but it's there to make the platform safer by default.
      • We've updated the protocol through which our cross-domain sandboxing system communicates with content served on the main domain so that it completely ignores messages from untrusted sources and refuses to communicate to other contexts unless they are explicitly trusted by the platform. Because of these restrictions it is possible that misconfigured instances will fail to load or otherwise behave incorrectly. Once again, there are tests on the checkup page designed to help identify these configuration issues, so please do take advantage of them.
    • Some code which was intended to prompt guests to log in or register when viewing a shared folder stopped working due to some changes in a past release. We now correctly identify when these guests have edit rights, and instead of simply displaying the text READ ONLY we prompt them with instructions on how to make full use of the rights they've been given.
    • 💅 We fixed some border styles on the horizontal dividers that are sometimes shown in dropdown menus such that consecutive dividers beyond the first are hidden.
    • ⚡ī¸ One of our developer dependencies (json-schema) has been updated to fix a prototype pollution bug which should not have had any impact on anyone in practice.
    • A user reported that including __proto__ as the language in fenced code blocks in a markdown document triggered an error, so we now guard against this case.
    • 🛠 We've fixed a few issues related to templates:
      • after creating a template in a team drive, clicking the store button would store it in your own drive
      • the creation of a template from a password-protected sheet did not correctly use the source sheet's password
    • Thanks to some user reports we discovered some possible type errors that could occur when migrating some account data to a newer internal version.
    • 👀 We disabled some unmaintained client-side tests after discovering that they were throwing errors under certain conditions, seemingly due to some browser regressions.
    • ⚡ī¸ We updated some code to handle uploading dropped folders in the drive. Unfortunately this type of "drop" event has to be handled differently than when a folder is uploaded through other means, and Opera browser doesn't support the required APIs, so this is only supported in Firefox and Chromium-based browsers.
    • 👍 When previewing uploaded media we now supply the file object rather than its raw buffer contents which were not supported for all media types.
    • 🛠 We've fixed numerous issues with forms:
      • layout issues with buttons displayed in forms' author mode
      • the configured options for certain types of questions are reprocessed when you convert between related question types (multi-checkbox, multi-radio) with options being set back to their defaults when configurations are rendered invalid
      • editing status is recovered whenever possible if autosave interrupts user activity
    • 🛠 Finally, we've fixed a number of issues specific to our integration of OnlyOffice's editors:
      • we now guard against some possible type errors if the metadata required for sharing cursor and selection data is absent or poorly formed
      • we do our best to recover your old cursor position if the document needs to be reloaded after a checkpoint
      • some special cases of image inclusion are now handled in the presentation editor
      • we ensure that images are correctly loaded when exporting, including embedded media and theme backgrounds in presentations
      • the chart and table buttons were temporarily disabled in OnlyOffice's toolbar due to some incompatibilities which have since been resolved
      • we now avoid creating duplicated network handlers when reconnecting to an office editing session
  • v4.12.1 Changes

    🚀 This minor release contains a few bug fixes based on feedback we received and adjustments to prepare for the update to OnlyOffice 6.4.

    • 🚀 We noticed that charts and tables in the Document and Presentation (early access) applications cause conflicts with the upcoming OnlyOffice update. They are now disabled until the next release.
    • We found that the button to export form results to a CryptPad sheet was empty so we added the missing text.
    • 🛠 Several issues were reported with the Forms application and are now fixed. This patch will prevent conditional sections from losing their content (questions and conditions) while editing the form. The "max options" selector won't be displayed anymore when converting "checkbox" questions to other types. The first two lines of a "choice grid" weren't always registered when submitting a form and this patch fixes it for newly created choice grids.
    • Some calendars created with external tools couldn't be imported in CryptPad due to notifications settings. We've changed the "import" script to make sure the event could still be imported but without the problematic notification.
    • 0ī¸âƒŖ We've received conflicting feedback about the privacy settings in forms. In the existing system, the users had to untick a box to submit with their name but, depending on the context, it's not always a good solution to make a form result anonymous by default. Similarly submitting form results with the username by default isn't privacy-friendly. We implemented a new system to prompt users to choose between submitting anonymously or with their name (unless one of the options is disabled).
  • v4.12.0 Changes


    🚀 Our primary goal for this release was to improve support for office file formats in CryptPad by

    1. integrating OnlyOffice's word processor and presentation editor and
    2. introducing more intuitive workflows that allow users to convert and open uploaded office files directly from their drives

    ⚡ī¸ Update notes

    🚀 This release requires configuration changes to work correctly. We've updated our example NGINX config file to apply the required HTTP headers where appropriate.

    ⚡ī¸ You can compare the updated example against that of a previous CryptPad version by running something like git diff -U2 4.11.0 docs/ to generate a diff:

    diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
    index 14a3d4fc2..ea21e3ba7 100644
    --- a/docs/example.nginx.conf
    +++ b/docs/example.nginx.conf
    @@ -65,5 +65,5 @@ server {
         set $coop '';
    -    if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
    +    #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
         # Enable SharedArrayBuffer in Firefox (for .xlsx export)
    @@ -91,5 +91,5 @@ server {
         # connect-src restricts URLs which can be loaded using script interfaces
    -    set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
    +    set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
         # fonts can be loaded from data-URLs or the main domain
    @@ -121,8 +121,13 @@ server {
         # they unfortunately still require exceptions to the sandboxing to work correctly.
         if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
    -    if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
    +    if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
         # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
         if ($host != $sandbox_domain) { set $unsafe 0; }
    +    # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
    +    # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
    +    # the use of some modern APIs that we require when javascript is run in a cross-origin context.
    +    # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
    +    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
         # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied

    ⚡ī¸ We've also updated the checkup page to test for the expected server behaviour and suggest helpful steps for correcting misconfiguration issues. You can access this diagnostic page at https://<your-cryptpad-domain>/checkup/.

    Our team has limited resources, so we've chosen to introduce the new (and experimental) office editors gradually to avoid getting overwhelmed by support tickets as was the case when we introduced the current spreadsheet editor in 2019. In order to support this we've implemented an early access system which optionally restricts the use of these editors to premium subscribers. We will enable this system on, but admins of independent instances can enable them at their discretion.

    📄 To enable the use of the OnlyOffice Document and Presentation editor for everyone on your instance, edit your customize/application_config.js file to include AppConfig.enableEarlyAccess = true;.

    👍 If you wish to avoid a rush of support tickets from your users by limiting early access to users with custom quota increases, add another line like so Constants.earlyAccessApps = ['doc', 'presentation'];.

    0ī¸âƒŖ As these editors become more stable we plan to enable them by default on third-party instances. Keep in mind, these editors may be unstable and users may lose their work. Our team will fix bugs given sufficient information to reproduce them, but we will not take the time to help you recover lost data unless you have taken a support contract with us.

    ⚡ī¸ To update from 4.11.0 to 4.12.0:

    1. Stop your server ✅ 2. Get the latest code with git
    2. Apply the recommended changes to your NGINX config (don't forget to reload NGINX)
      • optionally edit your application_config.js file to enable early access apps. restart your server or use the admin panel's Flush cache button for this to take effect. ⚡ī¸ 4. Install the latest dependencies with bower update and npm i
    3. Restart your server ✅ 6. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

    🔋 Features

    • â†Ē It took a lot of experimentation, reading of specification documents, and reverse-engineering of undocumented workarounds to avoid browser-specific regressions, but we've gotten our client-side engine for office file format conversion to work as intended in the context of user or team drives. This means that as long as you are using a relatively modern browser (not Safari or anything on iOS) you should be able to do things like:
      • right-click and open uploaded XLSX or ODS files in our OnlyOffice Sheet integration,
      • implicitly convert editable sheets to XLSX individually (using the download option) or as part of a collection when you download your full drive or one of its subtrees,
      • perform similar workflows with DOCX, ODT, PPT, and ODP files.
    • As mentioned above, admins that enable early access editors will be able try out the word processor and presentation editor. These editors use OnlyOffice client-side components, but have had their server-side components completely replaced, just as with our Sheet integration. Nobody else has packaged OnlyOffice's editors in this manner, so this is experimental technology and we recommend that you back up your documents regularly!
    • The form app now includes an option to open collected results in a new spreadsheet for advanced analysis.

    🐛 Bug fixes

    • We finally tracked down a sneaky bug that was responsible for scrambling users' spreadsheets. The issue was triggered when they were disconnected and reconnected after editing the sheet by themself, usually for an extended period. A bug in the reconnection logic caused their earlier changes to the sheet to be replayed a second time, typically to disastrous effect if they had inserted rows in the meantime. A minor patch guards against this possibility, making sheets (and the newer office editors) far more stable.
    • 🖨 We noticed that the OnlyOffice editors' print to PDF functionality behaved differently depending on the user's preferences for downloads and file-type handling. In some cases the resulting PDF would be opened in an invisible iframe. In addition to the intentional download prompt we meant to trigger, some users would be implicitly shown a second prompt to download the contents of the iframe. We suppressed the creation of the hidden iframe and now download the generated PDF directly using a single, more modern method.
    • ✅ It was reported that responses to conditional sections of forms were not included in their results. Our patch has been tested in production and has been verified to correct the issue.
    • The recently introduced file upload preview was capable of throwing an error under certain circumstances when previewing text files, which prevented them from being uploaded. We now guard against these errors and fall back to no preview.
    • The chat box in pads failed to load for guests using the no-drive mode which we introduced as an optimization to reduce load time for one-time visitors. An attempt to access a data structure that did not exist caused a type error, which resulted in the chat interface appearing to load indefinitely.
    • Loading a shared folder by its link now causes it to be displayed in the context of your drive, rather than loading it in the background but displaying your last accessed folder instead.
    • We now guard against DOMException errors whenever we try to write data into localStorage, as this is capable of triggering a QuotaExceeded error which we has been observed to occur more frequently lately.
    • When attempting to use an editor's Insert menu to embed uploaded media in a document, we now wait until all thumbnails are loaded before displaying the menu. This is intended to avoid circumstances where the user attempts to click the menu's upload button but accidentally chooses a previously uploaded media file when the position of the button changes.
  • v4.11.0 Changes


    🚀 Our main goal for this release was to update our Forms app to address feedback gathered in the research we conducted over the summer (survey and one-on-one interviews with volunteers). Many of these points were limited to forms itself, but some were closely related with some other concepts in the platform and prompted us to make some considerable changes throughout.

    ⚡ī¸ Update notes

    🚀 As of this release we are dropping support for Internet Explorer 11 we learned that even Microsoft stopped supporting it in their own Office 365 platform. This means that we can finally start using some newer browser features that are available in every other modern browser and simplify parts of our code, making it smaller and faster to load for everyone else.

    🚀 4.11 doesn't require any manual configuration if you're updating from 4.10, so this should be a fairly simple release. There is a new customization option that is described in the following features section, however, this is entirely optional.

    ⚡ī¸ To update from 4.10.0 to 4.11.0:

    1. Stop your server ✅ 2. Get the latest code with git ⚡ī¸ 3. Install the latest dependencies with bower update and npm i
      • this release requires new client-side dependencies, so don't forget this step
    2. Restart your server ✅ 5. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

    🔋 Features

    • 0ī¸âƒŖ We've changed the platform's default display name from "Anonymous" to "Guest" and have also replaced existing mentions of "Unregistered" or "Non-registered" users with this terminology.
      • The term "Anonymous" was only ever intended to convey the classical sense of the word ("without name or attribution") rather than the stricter modern sense "indistinguishable from a meaningfully large set of other individuals". To be clear, this is a change of terminology, not behaviour. To prevent your IP address from being revealed to the host server while using CryptPad the best option has always been, and continues to be Tor browser.
      • Going forward, if you see "anonymize" in CryptPad (such as in forms), you can take it to mean that extra efforts are being taken to make protocol-level metadata indistinguishable from that of other users, while "Guest" means only that you haven't registered or have removed your display name.
    • While we were reconsidering the notion of guest accounts we decided that it would be useful to be able to distinguish one guest from another. We decided to implement this by hooking into the existing system for displaying users' profile pictures by mapping a list of emojis to guests' randomly generated identifiers.
      • We chose a list of emojis that we hoped nobody would find objectionable ('🙈 đŸĻ€ 🐞 đŸĻ‹ đŸŦ 🐋 đŸĸ đŸĻ‰ đŸĻ† 🐧 đŸĻĄ đŸĻ˜ đŸĻ¨ đŸĻĻ đŸĻĨ đŸŧ đŸģ đŸĻ đŸĻ“ 🐄 💮ī¸ 🐙ī¸ 🌸ī¸ đŸŒģī¸ 🐝ī¸ 🐐 đŸĻ™ đŸĻ’ 🐘 đŸĻ 🐁 🐹 🐰 đŸĻĢ đŸĻ” 🐨 🐱 đŸē đŸ‘ē 👹 đŸ‘Ŋ 👾 🤖'), but we realize that cultures and contexts differ widely. As such, we've made this configurable on a per-instance basis. A custom list of emojis can be set in customize/application_config.js as an array of single-emoji strings (AppConfig.emojiAvatars = ['đŸĨĻ', '🧄', '🍄', 'đŸŒļī¸'];) or as an empty array if you prefer not to display any emojis (AppConfig.emojiAvatars = [];). See our admin docs for more info on customization.
      • Users can edit their display name inline in the user list or on their settings page, in which case their avatar will be one or two letters from their name (their first two initials if their name contains at least one space, otherwise the first two letters of their name).
      • Once these initial improvements had been made to the user list, the lack of support for emoji avatars in a number of places felt very conspicuous, so we've done our best to implement them consistently across every social aspect of the platform. Default emoji avatars are also displayed in comments in the rich text editor, in authorship data in our code/markdown editor, in tooltips when you hover over the marker for remote users' cursor location, in the "currently editing" indicator for Kanban cards, in the share and access menus, and in the "contacts" app.
    • 📇 The file upload dialog now includes a preview of the media that you are about to upload (as long as it's something CryptPad is capable of displaying) as well as a text field for describing the media. Descriptive text is added to the file's encrypted metadata and is applied to rendered media as alt or title attributes wherever applicable. This coincides with a broader effort to improve keyboard navigation and add support for screen-readers.
    • đŸ’ģ The link creation UI from 4.9.0 now highlights the URL input field as you type to indicate whether the current URL value is valid, rather than simply displaying an error when you submit.
    • 🐎 The 'Performance' tab of the admin panel has reused the bar chart UI we added for displaying the results of forms.
    • 🚀 We've written a small script to help us identify translated strings that are consistently duplicated across the four languages into which CryptPad has been fully translated (English, French, German, Japanese). We plan to use this to remove unnecessary strings in an upcoming release and make it easier to translate the platform into new languages.
    • đŸ’ģ The "share" menu now makes its primary actions more clear, with explicit text ("copy link" instead of just "copy") on its main buttons, as well as icons that better match button UI on the rest of the platform.
    • 🚀 Finally, this release introduces our "v2" forms update with many usability enhancements:
      • Forms can now include questions which are displayed based on the condition of participants' earlier answers.
      • The participant view of forms no longer displays CryptPad's toolbar and popups and instead uses a full-page view. CryptPad's logo is included at the bottom of the page and acts as a link to the home page.
      • Form authors can set a custom message to be displayed to participants once they have submitted a response.
      • Some more advanced form settings are available for authors, and we've clarified the descriptions of existing options ("Anonymize responses", "Guest access", "Editing after submission").
      • Form authorship supports real-time editing more broadly than before:
      • Changes are saved as you type, so you no longer need to manually save each question.
      • Multiple authors can edit edit the same question concurrently without overwriting each other's work.
      • We avoid redrawing active parts of the UI when other authors make a change, so remote actions won't interfere with your local date-picker, dropdown selections, etc.
      • The UI is redrawn no more than once every 500ms for performance reasons.
      • We do our best to preserve current scroll position when other users make changes so authors don't accidentally click on the wrong elements.
      • Authors have easier access to basic functionality in the left sidebar that allows them to preview a form, copy the participant link, and view existing responses with a single click.
      • The form creation presents better default options (placeholders instead of pre-filled fields for text inputs) and offers intuitive controls, such as "enter" to create a new field, "esc" to clear an empty field, and "tab" to navigate with just the keyboard.
      • The summary of existing responses is presented more intuitively:
      • The tally of empty responses is now displayed at the top of each question's summary rather than the bottom.
      • Bar charts are used throughout, wherever applicable.
      • Options with no answers are still displayed with zero results in the summary rather than not being displayed at all.
      • Options are displayed according to the order of their appearance in the original question, rather than according to the order in which participants chose them.
      • Form authors can conveniently change a question's type wherever its content can be automatically converted to a related format (radio, checkbox, ranked choices).
      • There are more options for form validation, such as required questions and new types of questions with automatic validation. Invalid answers are summarized at the bottom of the form. Clicking summaries jumps to the relevant question.
      • CryptPad logo is included at the bottom of the participant page and links to the home page so that participants can create their own forms or learn more about how data is encrypted.
      • We now pre-fill some options in our "simple scheduling poll" template, suggesting some basic options for the upcoming week and better indicating how the poll is intended to be used.
      • Lastly, authors can assign color themes to their form for some basic visual customization.

    🐛 Bug fixes

    • ✅ While implementing and testing the display of emojis as avatars for guests we found several instances (in teams, chat, and the contacts app) where the UI did not fall back to the default display name.
    • 👍 We've clarified a comment in our example NGINX file which recommended that admins contact us if they are using CryptPad in a production environment. It now indicates that they should do so if they require professional support.
    • We now handle an edge case in ICS import to calendars where DTEND was not defined. When a duration is specified we calculate the end of the event relative to the provided start time, and otherwise consider it a "full-day" event as per the ICS specification.
    • 💅 Users can share links directly with contacts, but we noticed that the color of the previewed link was overridden by some styles from bootstrap, resulting in very low contrast. We now use a standard CryptPad color which is clearly legible in both light and dark mode.
    • Finally, we've applied some stricter validation to the encrypted content of team invite links which could have previously resulted in type errors.
  • v4.10.0 Changes


    August is typically a quiet month for CryptPad's development team, as members of our team and many of our users take their (northern hemisphere) summer holidays. We took the opportunity to catch up on some regular maintentance and to review and some prototype branches of our code that had been ready for integration for some time.

    👀 It seems that some browser developers thought to do the same thing, because we noticed some significant regressions in some APIs that we rely on. Some of our time went towards addressing the resulting bugs and restructuring some code to avoid future regressions for browser behaviour that seem likely to be changed again in the near future.

    ⚡ī¸ Update notes

    đŸ’ģ 4.10.0 includes some minor changes to the checkup page. Some admins have included screenshots of this page in bug reports or requests for support along with details of problems they suspect of being related. Because we've observed that the root of many issues is the browser (sometimes in addition to the server) we have decided to include details about the browser in this page's summary.

    🔧 Up until now the checkup page only tested observable behaviour of the server such as HTTP headers on particular resources, configuration parameters distributed to the client, and the availability of essential resources. This practice meant that a report for an instance should have been the same regardless of the device that was used to generate the report. In light of a serious regression in Chrome (and all its derivatives) we decided that objectiveness was less important than utility and introduced some tests which check whether the client running the diagnostics interprets the provided server configuration. Terrible browsers (ie. every browser that is available on iOS) will fail these tests every time because they don't implement the expected APIs, but we've tried to detect these cases and warn that they are expected.

    🚀 For the most part you (as an admin) will not need to do anything special for this release as a result. If you notice weird issues on particular browsers in the future, however, it might be helpful to view this page from the affected browser/device and include any information that is provided in bug reports.

    ⚡ī¸ To update from 4.9.0 to 4.10.0:

    1. Stop your server ✅ 2. Get the latest code with git ⚡ī¸ 3. Install the latest dependencies with bower update and npm i
    2. Restart your server ✅ 5. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

    🔋 Features

    🚧 As noted above, web standards and the browsers that implement them are constantly changing. Web applications like CryptPad which use new and advanced browser features are particularly prone to regressions even when we use browser features exactly as intended and advertized. The "Features" section of each release's notes typically highlights visible things, like clickable buttons or improvements to the interface. This point is included as a reminder that regular maintenance is at least as important to an open-source software project, even though it gets little attention and far less funding. The funding bodies that have generously supported our work typically award grants for research and the development of novel features, but we are sorely in need of increased support to allow us the flexibility to deal with unanticipated problems as they arise. If you are fortunate enough to have some disposable income and value the work that keeps CryptPad functional we would greatly appreciate a one-time or recurring donation to our OpenCollative campaign.

    • This release coincided the yearly seminar of XWiki (our parent organization) which always features a day-long hackathon. This year our team was joined by @aemi-dev who has been working as an intern within XWiki's product team. Together we worked on adding some data visualization to our recently introduced Form app. The improvements include a timeline to visualize how many responses were submitted to the form during each day and bar charts for a variety of question types to complement the existing tally of results. There's still more work to be done in this direction, but we established some useful foundations during our relatively short session.
    • Frequent users of small screens will be pleased to hear that CryptPad's app toolbar now includes a button to collapse the upper segment of the toolbar which includes CryptPad's logo, the current document's title, status indicator (saved, editing, disconnected, etc.), and the user administration menu.
    • Likewise, Kanban users may note that the app's toolbar also features a "Tools" menu (like that in the markdown editor) which toggles display of the controls which filter board items by tag and select view state (detailed or brief).
    • đŸ’ģ Password fields that are specific to files and documents now have the autocomplete="new-password" attribute applied to prevent browsers and integrated password managers from suggesting that users enter their account password. This lowers the risk that users will inadvertently reveal their account password in the future. Additionally, Firefox will now prompt users to use a high-entropy password instead.
    • 🚀 Our integrated support ticket functionality automatically includes some commonly needed information about the user's account and browser. As of this release this data will also include the browser's vendor and appVersion, which are useful hints about the host browser and OS (which we almost always have to ask about when the ticket is for a bug report). This data will also include the browser's current width and height, as some issues only occur at particular resolutions and can otherwise be difficult to reproduce.
    • ⚡ī¸ We reviewed a range of third-party dependencies that are included in our repository and updated cryptpad/www/lib/ to better indicate their exact version, source, and any CryptPad-specific modifications we've made to them.
      • We found less.js had been duplicated, with one version (provided by bower) being used for custom styles in our slide editor while the rest of the platform used a custom version that fixed an apparent bug in the reference import syntax. We've standardized on our custom version and removed the alternative from our bower.json file.
      • We also identified a few files that were no longer in use and removed them. There's still more work to be done to document the exact versions and source of some dependencies, so we've made this process a part of our regular release checklist.
    • 🚀 During a manual review we noticed some inconsistencies between different translations of CryptPad and have automated these checks by adding them to a script which we use to review translations before each release. These have helped us standardize things like the capitalization of "CryptPad", the syntax for some basic markup like <br> tags, and the consistent use of both dialect-specific suffixes in English and punctuation rules in French. We have only added tests for languages in which members of our team are fluent, so if you maintain a translation in another language and can suggest additional qualities we could test we would welcome your suggestions.
    • 🔒 The improved consistency of our translations has also enabled us to construct some translated UI components programmatically without directly using their inline HTML. This provides an extra layer of security in the event that
      1. malicious code was included in a translation file
      2. our tests failed to identify the code before it was included in a release
      3. the release was deployed by an admin that had failed to take advantage of the sandboxing system that prevents the injection of scripts into the UI

    🐛 Bug fixes

    • â†Ē The Chrome development team made some changes related to the availability of the SharedArrayBuffer API in cross-site-isolated contexts such as that of our sandboxing system which resulted in it being disabled despite the fact that our usage conformed to a specification that should have been supported. We use this modern browser feature (where available) to convert spreadsheets between different formats in the browser itself, whereas other services (even those advertizing their use of encryption for documents) send users' content to their server for conversion. Since Chrome's engine is used as the basis for a wide variety of other browsers, this broke sheet export everywhere except Firefox (which correctly implements the specification). Luckily, we found a simple workaround to use the same underlying feature using an alternate syntax that they had failed to disable. This is only a short-term solution as we have no expectation that it will continue to work, so we are actively investigating making this conversion a trusted process that will be run outside of our sandboxing system.
    • On the topic of spreadsheet conversion, we updated our translations of the warning that is displayed in our conversion UI when the required browser features are not available. Rather than referring to "Microsoft Office formats" we now refer to "Office formats" since we offer support for ODS in addition to XLSX.
    • 👀 We found that CSV export mysteriously stopped working as well (seemingly everywhere, not just Chrome and derivatives). We're still not sure why this is the case, but the option is disabled in the UI until we can find and fix the problem.
    • The drive app includes a button that lets guest users wipe their personal data from their browser's session. We noticed that this button did nothing after approximately 50% of page loads in Firefox, suggesting there was an unpredictable quality related to either how the button was being created or how "click handlers" were declared. We traced it back to the jQuery library and rewrote the handler to use "VanillaJS". We don't have the time or budget to dig into why it stopped working, so unless someone else can figure it out for us then you, dear reader, may never learn the answer to this mystery.
    • While investigating the drive we also added some guards against some possible type errors.
    • ⚡ī¸ We noticed that the loginToken attribute was not correctly removed from clients' localStorage when they deleted their account. The value of this token is random and is of no use to attackers (especially when the token belongs to a deleted account), but it was a cause of some inconvenience to us when testing account deletion, as the mismatch between the token stored locally and in accounts (after login) required us to login in a second time before. We've updated the related code to:
      1. correctly delete the token when you delete an account from the settings page
      2. ensure that no such token is present when logging in
    • 📌 Document ids with invalid lengths are excluded from accounts' lists of "pinned documents" (those which should not be deleted from the server). We recently implemented a similar fix, but found that this list could be constructed in more than one way depending on the context.
    • 🛠 We identified and fixed two problems with our "history trim" functionality (accessible via documents' "Properties" menu):
      1. In the extremely unlikely event that a user requested that the server trim the history of a document and its metadata failed to load, the server would respond to the user with an error but did not correctly abort from the subsequent process to trim the document's history. In theory this could have been used by non-owners to archive parts of the documents history, however, we have no reason to believe that this was possible in practice. In any case, the flaw has been corrected.
      2. Complex documents like spreadsheets that use more than one channel to store different types of content would trim their respective histories in parallel, however, in such cases any errors were returned to the calling function as a list of warnings rather than a singular error. This format was not handled by the UI, resulting in an apparent success in cases of a partial or complete failure for such document types.
  • v4.9.0 Changes

    Goals and announcements

    🚀 We allocated most of this release cycle towards a schedule of one-on-one user interviews and some broad usage studies leveraging our new Form app. The remainder of our time was spent on some minor improvements. We'll continue at a slightly slower pace of implementation for the coming weeks while we complete our scheduled interviews and take some much-needed vacations.

    ⚡ī¸ Update notes

    🚀 It appears our promotion of the checkup page through our recent release notes and the inclusion of a link to it from the instance admin have been moderately successful. We've observed that more instance admins are noticing and fixing some common configuration issues.

    This release features some minor changes to one instance configuration test which incorrectly provided an exemption for the use of http://localhost:3000 as an httpUnsafeOrigin value. This exemption was provided because this value is valid for local development. However, it suppressed errors when this configuration was used for production instances where it could cause a variety of problems. As usual, we recommend checking your instance's admin page after updating to confirm that you are passing the latest tests. Information about the checkup page is included in our documentation.

    ⚡ī¸ To update from 4.8.0 to 4.9.0:

    1. Stop your server ✅ 2. Get the latest code with git ⚡ī¸ 3. Install the latest dependencies with bower update and npm i
    2. Restart your server ✅ 5. Confirm that your instance is passing all the tests included on the /checkup/ page

    🔋 Features

    • We've added the ability to store URLs in user and team drives as requested in a private support ticket and this issue. Links can be shared directly with contacts. Unlike pads, links are not collaborative objects, so updating a link's name will not update the entry in another user's drive if you've already shared it with them. Links are integrated into our apps' insert menu to facilitate quick insertion of links you've stored into your documents. We're interested in measuring how this functionality is used in practice so we can decide whether it's worth spending more time on it. We have added some telemetry to measure (in aggregate) how often its components are used. We anonymize IP addresses in the logs for, but as always, you can disable telemetry via your settings panel.
    • 👍 Our rich text editor now supports indentation with the tab key, as per issue #634.
    • 💅 Forms received another round of improvements to styles, workflows, and some basic survey functionality to yield more accurate results.
      • Ordered lists are now shuffled for each survey participant so that their initial order has less effect on the final results.
      • CSV export now uses one column for each option in polls, making them easier to read.
      • Unregistered users can now add a name to their response.
      • Form results are displayed automatically (when available) to those who have answered.
      • Authors and auditors can now click on usernames in polls to jump directly to other answers from the same user.
    • 👉 Users with very large drives might notice that their account loads slightly faster now, due to some minor optimizations in an integrity check that the client performs when loading accounts.

    🐛 Bugs

    • We've added a guard against a type error that could be triggered when loading teams under certain rare conditions.
    • đŸ’ģ Unregistered users' drives now show the "bread-crumb" UI for navigating between folders when viewing a shared folder in read-only mode. We've also suppressed the "Files" button for displaying the tree view which was non-functional for such users.
    • 🛠 A change in the format of support tickets caused tickets recently created by premium users to not be recognized as such. We've fixed the categorization in the admin panel's support ticket view.
    • 🛠 We've fixed a number of minor issues with forms:
      • The maximum number of selectable choices for checkbox questions can no longer exceed the number of available choices.
      • We guard against a type error that could occur when parsing dates.
      • Forms imported from templates now have their initial title corrected.
      • We've disabled the use of our indexedDB caching system for form results, since it was quietly dropping older responses when more than 100 responses had been submitted. We plan to re-enable caching for results once we've updated the eviction metric to better handle the response format.
  • v4.8.0 Changes


    This release cycle we decided to give people a chance to try our forms app and provide feedback before we begin developing its second round of major features and improvements. In the meantime we planned to work mostly on the activities of our NGI DAPSI project which concerns client-side file format conversions. Otherwise, we dedicated some of our independently funded time towards some internal code review and security best-practices as a follow-up to the recent quick-scan performed by Radically Open Security that was funded by NLnet as a part of our now-closing CryptPad for Communities project.

    ⚡ī¸ Update notes

    We are still accepting feedback concerning our Form application via a form hosted on We will accept feedback here until July 12th, 2021, so if you'd like your opinions to be represented in the app's second round of development act quickly!

    Following our last release we sent out an email to the admins of each outdated instance that had included their addresses in the server's daily telemetry. This appears to have been successful, as more than half of the 700+ instances that provide this telemetry are now running 4.7.0. Previously, only 15% of instances were running the latest version. It's worth noting that of those admins that are hosting the latest version, less than 10% have opted into future emails warning them of security issues. In case you missed it, this can be done on the admin panel's Network tab. Unlike most companies, we consider excess data collection a liability rather than an asset. As such, administrator emails are no longer included in server telemetry unless the admin has consented to be contacted.

    The same HTTP request that communicates server telemetry will soon begin responding with the URL of our latest release notes if it is detected that the remote instance is running an older version. The admin panel's Network tab for instances running 4.7.0 or later will begin prompting admins to view the release notes and update once 4.8.0 is available.

    The Network tab now includes a multiple choice form as well. If you have not disabled your instance's telemetry you can use this field to answer why you run your instance (for a business, an academic institution, personal use, etc.). We intend to use this data to inform our development roadmap, though as always, the fastest way to get us to prioritize your needs is to contact us for a support contract ([email protected]).

    đŸŗ Server telemetry will also include an installMethod property. By default this is "unspecified", but we are planning to work with packagers of alternate install methods to modify this property in their installation scripts. This will help us assess what proportion of instances are installed via the steps included in our installation guide vs other methods such as the various docker images. We hope that it will also allow us to determine the source of some common misconfigurations so we can propose some improvements to the root cause.

    ✂ Getting off the topic of telemetry: two types of data that were previously deleted outright (pin logs and login blocks) are now archived when the client sends a remove command. This provides for the ability to restore old user credentials in cases where users claim that their new credentials do not work following a password change. Some discretion is required in such cases as a user might have intentionally invalidated their old credentials due to shoulder-surfing or the breach of another service's database where they'd reused credentials. Neither of these types of data are currently included in the scripts which evict old data as they are not likely to consume a significant amount of storage space. In any case, CryptPad's data is stored on the filesystem, so it's always possible to remove outdated files by removing them from cryptpad/data/archive/* or whatever path you've configured for your archives.

    🚀 This release introduces some minor changes to the provided NGINX configuration file to enable support for WebAssembly where it is required for client-side file format conversions. We've added some new tests on the /checkup/ page that determine whether these changes have been applied. This page can be found via a button on the admin panel.

    ⚡ī¸ To update from 4.7.0 to 4.8.0:

    🔧 1. Apply the documented NGINX configuration

    1. Stop your server ✅ 3. Get the latest code with git ⚡ī¸ 4. Install the latest dependencies with bower update and npm i
    2. Restart your server ✅ 6. Confirm that your instance is passing all the tests included on the /checkup/ page

    🔋 Features

    • 🌐 Those who prefer using tools localized in Japanese can thank @Suguru for completing the Japanese translation of the platform's text! CryptPad is a fairly big platform with a lot of text to translate, so we really appreciate how much effort went into this.
      • While we're on the topic, CryptPad's Deutsch translation is kept up to date largely by a single member of the German Pirate Party (Piratenpartei Deutschland). This is a huge job and we appreciate your work too!
      • Anyone else who wishes to give back to the project by doing the same can contribute translations on an ongoing basis through our Weblate instance.
    • We've implemented a new app for file format conversions as a part of our INTEROFFICE project. At this point this page is largely a test-case for the conversion engine that we hope to integrate more tightly into the rest of the platform. It allows users to load a variety of file formats into their browser and convert to any other format that has a defined conversion process from the original format. What's special about this is that files are converted entirely in your browser, unlike other platforms which do so in the cloud and expose their contents in the process. Currently we support conversion between the following formats in every browser that supports modern web standards (ie. not safari):
      • XLSX and ODS
      • DOCX and ODT and TXT
      • PPTX and ODP
    • 👍 In addition to the /convert/ page which supports office file formats, we also put some time into improving interoperability for our existing apps. We're introducing the ability to export rich text documents as Markdown (via the turndown library), to import trello's JSON format into our Kanban app (with some loss of attributes because we don't support all the same features), and to export form summaries as CSV files.
    • 🔒 We've added another extension to our customized markdown renderer which replaces markdown images with a warning that CryptPad blocks remote content to prevent malicious users from tracking visitors to certain pages. Such images should already be blocked by our strict use of Content-Security-Policy headers, but this will provide a better indication why images are failing to load on instances that are correctly configured and a modest improvement to users' privacy on instances that aren't.
    • 🔋 Up until now it was possible to include style tags in markdown documents, which some of our more advanced users used in order to customize the appearance of their rendered documents. Unfortunately, these styles were not applied strictly to the markdown preview window, but to the page as a whole, making it possible to break the platform's interface (for that pad) through the use of overly broad and powerful style rules. As of this release style tags are now treated as special elements, such that their contents are compiled as LESS within a scope that is only applied to the preview pane. This was intended as a bug fix, but it's included here as a feature because advanced users might see it as such and use it to do neat things. We have no funding for further work in this direction, however, and presently have no intent of providing documentation about this behaviour.
    • ✅ The checkup page uses some slightly nicer methods of displaying values returned by tests when the expected value of true is not returned. Some tests have been revised to return the problematic value instead of false when the test fails, since there were some cases where it was not clear why the test was failing, such as when a header was present but duplicated.
    • 📌 We've made some server requests related to pinning files moderately faster by skipping an expensive calculation and omitting the value it returned. This value was meant to be used as a checksum to ensure that all of a user's documents were included in the list which should be associated with their account, however, clients used a separate command to fetch this checksum. The value provided in response to the other commands was never used by the client.
    • We've implemented a system on the client for defining default templates for particular types of documents across an entire instance in addition to the use of documents in the templates section of the users drive (or that of their teams). This is intended more as a generic system for us to reuse throughout the platform's source than an API for instance admins to use. If there is sufficient interest (and funding) from other admins we'll implement this as an instance configuration point. We now provide a poll template to replicate the features of our old poll app which has been deprecated in favour of forms.
    • 👍 We've included some more non-sensitive information about users' teams to the debugging data to which is automatically submitted along with support tickets, such as the id of the team's drive, roster, and how large the drive's contents are.
    • 🌲 The Log out everywhere option that is displayed in the user admin menu in the top-right corner of the page for logged-in users now displays a confirmation before terminating all remote sessions.

    🐛 Bug fixes

    • ⚡ī¸ It was brought to our attention that the registration page was not trimming leading and trailing whitespace from usernames as intended. We've updated the page to do so, however, accounts created with such characters in their username field must enter their credentials exactly as they were at registration time in order to log in. We have no means of detecting such accounts on the server, as usernames are not visible to server admins. We'll consider this behaviour in the future if we introduce an option to change usernames as we do with passwords.
    • đŸ’ģ We now double-check that login blocks (account credentials encrypted with a key derived from a username and password) can be accessed by the client when registering or changing passwords. It should be sufficient to rely on the server to report whether the encrypted credentials were stored successfully when uploading them, but in instances where these resources don't load due to a misbehaving browser extension it's better that we detect it at registration time rather than after the user creates content that will be difficult to access without assistance determining which extension or browser customization is to blame.
    • 👀 We learned that the Javascript engine used on iOS has trouble parsing an alternative representation of data strings that every other platform seems to handle. This caused calendars to display incorrect data. Because Apple prevents third-party browsers from including their own JavaScript engines this means that users were affected by this Safari bug regardless of whether they used browsers branded as Safari, Firefox, Chrome, or otherwise.
    • 🔒 After some internal review we now guard against a variety of cases where user-crafted input could trigger a DOMException error and prevent a whole page worth of markdown content to fail to render. While there is no impact for users' privacy or security in this bug, a malicious user could exploit it to be annoying.
    • 🚀 Shortly after our last release a user reported being unable to access their account due to a typeError which we were able to guard against.
    • Images appearing in the 'lightbox' preview modal no longer appear stretched.
    • Before applying actions that modify the team's membership we now confirm that server-enforced permissions match our local state.