We are pleased to announce the release of cloudscribe v8.6, which includes important security improvements, new features, enhancements, and critical bug fixes - particularly around reCAPTCHA support and multi-tenancy improvements.

Breaking Changes

TalkAbout Comments System - Summernote Editor Migration

  • Change: Replaced Markdown editor with Summernote HTML editor in commenting system
  • Impact: Requires manual updates to local partial view overrides (CommentWrapperPartial.cshtml, CommentScriptsPartial.cshtml, CommentStylePartial.cshtml) and appsettings.json configuration
  • Data Migration: Legacy Markdown comments are preserved and automatically converted to HTML on first edit (one-way migration)
  • Architecture Change: CommentThread table now central to comment organization
  • Deprecation: Bootstrap4 views deprecated
  • Fixed: PostgreSQL/MySQL/SQLite migration issues
  • Upgrade Effort: Expect approximately half-day manual work for sites with custom comment view overrides
  • Documentation: See upgrade documentation for detailed partial view changes required
  • Issues: TalkAbout #85 & #90

Security Improvements

Server-Side Posting Protection

  • Enhancement: Added server-side enforcement of configuration parameters to prevent unauthorized comment and forum posting
  • Protection: Ensures anonymous users cannot bypass client-side restrictions to post when anonymous posting is disabled
  • Testing: Includes unit tests for validation logic
  • Security Review: Reviewed EF Core usage to ensure protection against SQL injection in posted comment data
  • Issue: TalkAbout #98

New Features

Forms & Surveys reCAPTCHA Support

  • Feature: Added reCAPTCHA validation to Forms & Surveys system
  • Configuration: Each form can be configured to require reCAPTCHA for unauthenticated users
  • Integration: Respects site-wide cloudscribe Core reCAPTCHA settings for both visible and invisible modes
  • Benefit: Addresses spam prevention in public-facing forms
  • Issue: Commerce #82

Comment Administration Dashboard

  • Feature: Added comprehensive administrative page for viewing and managing all comments across the site
  • Location: New dashboard available at /talkadmin/administercomments
  • Functionality:
    • View all comments with sorting and filtering options
    • Search capabilities to find specific comments
    • Direct links to the page/post where each comment was made
    • Default sorting by date (most recent first)
  • Authorization: Protected by CommentModerationPolicy authorization policy
  • Workflow: Edit and delete operations are performed on the original page where the comment was posted, maintaining context
  • Issue: TalkAbout #53

Email Comment Authors

  • Feature: Added ability for moderators to email users directly from the comment administration page
  • Functionality: New "Email user" button in /talkadmin/administercomments allows moderators to compose and send plain-text emails to comment authors
  • Context: Includes contextual link back to the original comment page (when approved)
  • Authorization: Respects per-project moderator authorization policies
  • Localization: Fully localized with new ResX strings
  • Issue: TalkAbout #95

Role Copying with Authorization Policies

  • Feature: Added ability to copy roles in role management
  • Policy Integration: When copying a role, any dynamic authorization policies referencing the original role are automatically updated to also reference the new role
  • Configuration: User specifies new role name during copy operation
  • Behavior: New role starts empty (no users)
  • Restrictions: Excludes system "Administrators" role from copying
  • Compatibility: Works seamlessly with or without dynamic authorization policies installed
  • Issue: #921

Enhancements

Visible reCAPTCHA Support - Commenting System

  • Enhancement: Added support for visible/checkbox reCAPTCHA in the TalkAbout commenting system
  • Previous Limitation: Only invisible reCAPTCHA was supported with hardcoded implementation
  • New Behavior: Now respects cloudscribe Core reCAPTCHA settings and supports both visible and invisible modes
  • Consistency: Matches the behavior of the core login system
  • Issue: TalkAbout #75

Visible reCAPTCHA Support - Forums System

  • Enhancement: Added support for visible/checkbox reCAPTCHA in the TalkAbout forums system
  • Previous Limitation: Forums hard-coded invisible reCAPTCHA implementation
  • New Behavior: Now respects cloudscribe Core reCAPTCHA settings for both visible and invisible modes
  • Issue: TalkAbout #79

IP Address Restrictions Authorization

  • Enhancement: Added dedicated IPAddressRestrictionPolicy to protect IP address restriction management endpoints
  • Configuration Update: Updated navigation configuration to use AdminMenuPolicy instead of AdminPolicy for IP restriction admin menu items
  • Compatibility: Tested compatibility with template systems without dynamic authorization policies installed
  • Issue: #1243

IP Address Restrictions Configuration

  • Feature: Added ability to enable or disable IP address restriction feature via configuration
  • Configuration: New SiteConfigOptions.EnableIpAddressRestrictions setting in appsettings.json
  • Benefit: Allows administrators to disable the feature when not needed
  • Default: Defaults to enabled (true) for backward compatibility
  • Issue: #1241

Bug Fixes

reCAPTCHA Validation - Commenting System

  • Fixed: Missing server-side reCAPTCHA verification when anonymous users submit comments
  • Impact: Ensures proper validation to prevent spam attempts
  • Additional Fix: Resolved race condition issues in reCAPTCHA initialization
  • Issue: TalkAbout #74

reCAPTCHA Validation - Forums System

  • Fixed: Missing server-side reCAPTCHA verification for anonymous forum posts
  • Impact: Analogous fix to comment system to ensure proper spam prevention
  • Issue: TalkAbout #80

Duplicate CommentSystemSettings Records

  • Fixed: Issue where duplicate rows were incorrectly created in csta_CommentSystemSettings table
  • Root Cause: Confusion between Id, ProjectId, and TenantId fields
  • Solution: Lookups now consistently use TenantId
  • Impact: Prevents creation of hundreds/thousands of duplicate configuration rows while preserving existing comment data
  • Issue: TalkAbout #67

Newsletter Sign-up Widget reCAPTCHA

  • Fixed: Hard-coded invisible reCAPTCHA in newsletter sign-up widget
  • Solution: Widget now respects cloudscribe Core settings for both visible and invisible reCAPTCHA modes
  • Issue: Messaging #81

Role Removal from Policies

  • Fixed: UI bug where roles could not be reliably removed from authorization policies
  • Root Cause: Indexing issue that caused sporadic failures when de-selecting roles and saving policy changes
  • Issue: dynamic-authorization-policy #30

IP Address Restrictions Multi-Tenancy

  • Fixed: Critical bug where first tenant's IP restrictions would incorrectly apply to all tenants
  • Root Cause: Cache key missing tenant ID component
  • Additional Fix: Resolved thread locking issue caused by synchronous data access in constructor
  • Service Change: Service changed from Transient to Scoped registration
  • Impact: IP restrictions now work independently per tenant
  • Issue: #1245

IP Restriction UI Address Display

  • Fixed: Incorrect IP address display in IP restriction admin UI
  • Previous Behavior: Used historical login data from cs_user_location table which could be outdated or wrong when users switch devices, VPNs, or have dynamic IP changes
  • Solution: Now retrieves current IP address directly from HTTPContext for accurate real-time display
  • Issue: #1197

UI/UX Improvements

User Display Name Editing

  • Feature: Added ability for users to edit their display name on the /manage/userinfo page
  • Previous Limitation: Users could only edit first and last name, but display name (used throughout the system including TalkAbout comments) was only editable by administrators
  • Validation: Includes uniqueness enforcement per tenant, character validation with international character support, and HTML sanitization
  • Issue: #1058

Developer Tools & Features

Policy Definition Documentation

  • Enhancement: Clarified the relationship between Roles and Claims in policy definitions
  • Documentation: Now explicitly states that:
    • Roles use OR logic (user needs ANY role)
    • Claims use AND logic (user needs ALL claims)
    • When both are specified, users must satisfy both requirements (be in ANY role AND have ALL claims)
  • Issue: dynamic-authorization-policy #46

IdentityServer Integration Tests

  • Feature: Added comprehensive integration tests for IdentityServer4 authentication and authorization
  • Coverage: Tests cover client credentials grant type flow, JWT token validation, and role-based authorization
  • Modernization: Updated to use modern Microsoft.AspNetCore.Authentication.JwtBearer (v8.x) library instead of deprecated IdentityServer4.AccessTokenValidation (v3)
  • Test Harness: Includes published test harness page for live validation testing
  • Issue: #1231

Upgrading to v8.6

To upgrade your cloudscribe installation to version 8.6:

  1. Update all cloudscribe package references in your .csproj files to version 8.6.*
  2. If using TalkAbout Comments: Review the breaking changes documentation for required partial view updates if you have custom view overrides. The migration from Markdown to Summernote editor requires manual updates to CommentWrapperPartial.cshtml, CommentScriptsPartial.cshtml, and CommentStylePartial.cshtml files.
  3. If using IP Address Restrictions: The critical multi-tenancy bug fix (#1245) may affect how IP restrictions behave in multi-tenant environments. Test thoroughly in a staging environment before production deployment.
  4. Optional Configuration: If you want to disable the IP Address Restrictions feature, add SiteConfigOptions.EnableIpAddressRestrictions: false to your appsettings.json
  5. Run your application and verify all features are working as expected, paying special attention to:
    • reCAPTCHA functionality on forms, comments, and forums
    • IP address restrictions (if enabled and in multi-tenant mode)
    • TalkAbout comment submission and display

Important: This release includes breaking changes for TalkAbout Comments users with custom view overrides. We strongly recommend testing the upgrade in a development environment and reviewing the upgrade documentation before deploying to production.

Community and Support

We appreciate the continued support and feedback from the cloudscribe community. For questions or issues related to this release, please visit our GitHub repository or join the discussion in our community forums.

Thank you for using cloudscribe!

We are pleased to announce the release of cloudscribe v8.5, which includes important changes to licensing, plus some new features, enhancements and bug fixes.

Major Licensing Change

Commercial Components Now Free

  • Announcement: All cloudscribe commercial components are now available for free use
  • Components Included:
    • TalkAbout Commenting System
    • TalkAbout Forums
    • Membership Paywall
    • Newsletter Management
    • Forms and Surveys
    • Stripe Payment Integration
  • Impact: License key requirements have been completely removed for all commercial components
  • Source Code: Components remain proprietary (subject to potential future open-sourcing)
  • Benefit: Full cloudscribe ecosystem now accessible without licensing barriers

New Features

Admin Application Restart

  • Feature: Added capability for administrators to restart the application directly from the cloudscribe admin interface
  • Benefit: Eliminates need for direct server access when application restart is required
  • Configuration: Controlled via appsettings.json configuration boolean for security
  • Issue: #1102

Enhanced Summernote Editor - Element Path Display

  • Feature: New element path breadcrumb display showing current cursor position in DOM hierarchy (similar to CKEditor)
  • Functionality: Real-time updates with clickable breadcrumbs for easy navigation
  • Implementation: Custom Summernote plugin with comprehensive HTML5 tag support
  • Issue: #1208

Enhanced Summernote Editor - Improved Link Behavior

  • Change: Hyperlinks no longer open in new windows by default
  • Configuration: Controlled via linkTargetBlank: false in summernote-config.json
  • Issue: #1209

RSS Feed Styling Support

  • Feature: Added ability to style RSS feeds with custom CSS stylesheets
  • Implementation: Support for XML stylesheet meta tags in RSS feeds
  • Functionality: Automatic XSL and CSS file deployment with user override protection
  • Benefit: RSS feeds can now match site branding and provide better user experience
  • Documentation: New documentation available at https://www.cloudscribe.com/cloudscribesyndication
  • Issue: cloudscribe.Syndication #7

Enhancements

Enhanced Auto-Logout System

  • Improvement: Resolved session timeout issues for users actively using JavaScript API endpoints
  • Features:
    • Server-side middleware for intelligent session activity tracking
    • Client-side JavaScript for cross-tab session management
    • Configurable timeout thresholds
  • Benefit: Prevents unexpected logouts during active user workflows while maintaining security
  • Issue: #1204

System Information Improvements

  • Enhancement: Updated System Information page to include previously missing packages
  • Added: Compiled views, static files, integration packages, and Bootstrap components
  • Fixed: Removed duplicate "cloudscribe.Email.Templating.Web" entry
  • Benefit: Improved visibility for troubleshooting and support scenarios
  • Issue: #698

Bug Fixes

IdentityServer4 Support Resolution

  • Fixed: Resolved token creation issues caused by dependency version conflicts
  • Root Cause: System.IdentityModel.Tokens.Jwt version 8.2.* breaking changes
  • Solution: Updated dependency chain management and explicit package references
  • Impact: Restored proper JWT signature validation and metadata endpoint functionality
  • Issue: #1205

Email Queue Background Task Exception Handling

  • Fixed: Resolved cancellation exception thrown during app pool recycling
  • Error: "A task was canceled" in EmailQueueBackgroundTask.ExecuteAsync
  • Solution: Improved cancellation token handling in background services
  • Impact: Eliminates log noise during normal application lifecycle events
  • Issue: cloudscribe.Messaging #13

Upgrading to v8.5

To upgrade your cloudscribe installation to version 8.5:

  1. Update all cloudscribe package references in your .csproj files to version 8.5.*
  2. If you want to include the new Application Restart button in your administration interface, you need to add a new flag to your appsettings.json configuration file as documented
  3. If you want to include links in your Administration menu to cloudscribe's recently added tools for blocking access by IP address (see v8.3 release notes) - then you can add these to your navigation.xml file as documented.
  4. Run your application and verify all features are working as expected

Note: As always, we recommend testing the upgrade in a development environment before deploying to production.

Community and Support

We appreciate the continued support and feedback from the cloudscribe community. For questions or issues related to this release, please visit our GitHub repository or join the discussion in our community forums.

Thank you for using cloudscribe!

We are pleased to announce the release of cloudscribe v8.4, which includes important security updates, enhanced cookie consent management, improved localization, and numerous bug fixes and UI improvements.

This release focuses on strengthening security, improving the developer experience, and enhancing the overall stability of the platform.

Principal Changes

  • Enhanced Cookie Consent System - Implemented a sophisticated three-state cookie consent system (undecided/accepted/declined) allowing users to dismiss cookie banners without fully accepting cookies
  • CSP-Compliant JavaScript in Developer Tools - Added ability to incorporate JavaScript directly into pages while maintaining Content Security Policy compliance through tag helpers, enabling developers to add custom scripts without violating security policies
  • Comprehensive Localization Improvements - Standardized ResX string references throughout core views using consistent snake_case resource keys
  • Security Updates - Updated critical dependencies including EntityFramework and jQuery.validate to address security vulnerabilities

Release Notes

Breaking Changes

  • #748: Enhanced Cookie Consent System - Breaking change for sites with local view overrides. Two key files were modified in the Bootstrap5 template. See the documentation for migration details.
  • #1182: Localization Improvements - Breaking change for sites implementing two factor authentication. Management screens will require the addition of some new entries into your existing ResX resource files, listed here.

Security Improvements

  • #1054: Updated Microsoft.EntityFrameworkCore dependencies to address security vulnerabilities in transitive dependencies
  • #1113: Updated jQuery.validate library to address security vulnerability discovered during penetration testing
  • #1125: Improved cookie security configuration by addressing SameSite cookie settings for better protection

Bug Fixes

  • #1150: Fixed Summernote editor issue where HTML code entered in raw HTML view was not retained when saving unless user switched back to WYSIWYG mode first
  • #1177: Fixed API authentication bug in EnforceSiteRulesMiddleware that incorrectly started HTTP responses for Terms & Conditions violations on API routes
  • #1169: Re-wrote IP address blocking/permitting logic to ensure "Permitted" rules consistently take precedence over "Blocked" rules when dealing with IP address ranges
  • #500: Fixed scrolling issue in SimpleContent Page Manager where selecting a page would auto-scroll to top with misplaced context menu

UI/UX Improvements

  • #1157: Added CSS override to ensure Summernote editor maintains consistent black-on-white appearance across different themes
  • #639: Moved page metadata below child page menu in SimpleContent for improved layout and user experience
  • #501: Improved unauthorized access handling in SimpleContent with proper redirects to login/access denied pages instead of generic 404 errors
  • #1134: Modified user interface to clarify the purpose of a confusing checkbox on "/siteadmin/registerpageinfo" page

Developer Tools & Features

  • #482: Added mechanism in Developer Tools to allow adding JavaScript directly to pages with Content Security Policy compliance through tag helpers
  • #1194 & #45: Added event handler for post-user deletion to clean up remaining Key-Value Pair (KVP) data from deleted users
  • #55: Added conditional UserExportPartial to KVP views to ensure compatibility with different versions of cloudscribe.Core.CompiledViews.Bootstrap5

Code Cleanup

  • #1138 & #1160: Removed outdated Bootstrap3 and deprecated .pgsql libraries across cloudscribe solutions to improve maintainability
  • #1163: Fixed and reorganized unit test infrastructure with new working tests

Upgrading to v8.4

To upgrade your cloudscribe installation to version 8.4:

  1. Update all cloudscribe package references in your .csproj files to version 8.4.*
  2. If you have local view overrides for the cookie consent system, review the cookie consent documentation for required changes
  3. If your site uses two-factor authentication, add the required ResX entries to your localization files
  4. Review and test IP blocking/permitting rules if you use this feature, as the logic has been updated
  5. Run your application and verify all features are working as expected

Note: As always, we recommend testing the upgrade in a development environment before deploying to production.

Looking Ahead

With the removal of Bootstrap3 views and deprecated PostgreSQL libraries in this release, we continue to modernize the cloudscribe platform. Future releases will focus on further performance improvements, enhanced security features, and improved developer experience.

Community and Support

We appreciate the continued support and feedback from the cloudscribe community. For questions or issues related to this release, please visit our GitHub repository or join the discussion in our community forums.

Thank you for using cloudscribe!

We are pleased to announce a new release of cloudscribe at version 8.3. (Version 8.2 was superseded and skipped from the release cycle.)

The principal change in this minor version release is to move away from the use of ckEditor for embedded HTML editing, replacing it now with Summernote.

However, any cloudscribe simplecontent users who have built their own custom page/post templates making use of the old support for ckEditor should find that these templates continue to work.

The release also brings a new administrative feature: the ability to block access to cloudscribe sites to specific IP addresses/ranges, and conversely the ability to allow access only to specific IP addresses/ranges - see details.

The release also addresses some minor bugs (see notes below).

See also the known issues and deprecation warnings (below), for future releases.

We've released a new version of the cloudscribe Visual Studio template. Reviews are always appreciated!

We recommend that the VSIX template should be installed into Visual Studio 2022 (version 17.8 onwards).

Alternatively, you can use the 'dotnet new' command as documented.

Older versions of the VSIX template remain available here: https://github.com/cloudscribe/cloudscribe.templates/tree/master/Archive.

As always, feedback is welcome in the forums or on GitHub.

Release Notes

version 8.3.0 - July 2025

@cloudscribe/cloudscribe

  • #1099: Summernote Editor Integration - added support for the Summernote editor as a replacement for CKEditor, while retaining the option to use CKEditor if desired.

  • #1063: Fixed several issues in the "browse server" modal when invoked from the Summernote toolbar:

    • Restored the missing 'Select' button for image selection.
    • Reinstated the 'Crop' tab in the UI.
    • Corrected the modal title.
    • Addressed regressions caused by previous file manager and Summernote integration changes.

  • #1111: Fixed newsletter sign-up widget compatibility with invisible reCAPTCHA:

    • Resolved an issue where the newsletter sign-up widget would not submit when invisible reCAPTCHA was enabled.
    • Improved JavaScript handling in EmailListSignUpPartial to support async validation and proper script loading.
    • Ensured compatibility for both authenticated and unauthenticated users.

  • #918: IP Address Blocking

    • Added ability to block specific IP addresses via the admin UI.
    • Supports both individual IPs and IP ranges.

  • #1011: IP Allowlist (Single IPs & Ranges)

    • Added support to restrict site access to only permitted IP addresses.
    • Supports both individual IPs and IP ranges.

  • #1097: API Client Secret Expiry Fix (PGSQL)

    • Fixed saving API client secret expiry dates in PostgreSQL when using UTC.
    • Prevented accidental deletion of client and related data due to date handling.

Upgrading an existing cloudscribe site

We recommend manually editing the .csproj file of your solution (or each of them, if you have multiple projects), to upgrade the package references:

<PackageReference Include="cloudscribe.Core.SimpleContent" Version="8.3.*" />
<PackageReference Include="cloudscribe.SimpleContent.Web" Version="8.3.*" />
<PackageReference Include="cloudscribe.Core.SimpleContent.CompiledViews.Bootstrap5" Version="8.3.*" />

(and so on for all cloudscribe packages).

Known issues

In the new Summernote editor, any changes made to your content in its raw HTML editing mode will not be saved until/unless you toggle back out of HTML mode and into the regular visual editor. This is a known issue in Summernote, and we hope to address that in a future release.

The Summernote editor requires a recent version of JQuery (we would recommend v3.7.0 or later) - so if the editor fails to render correctly, check that version in the /wwwroot/js folder of your theme.

In some of the shared themes that are supplied with the template, the colour scheme of the Summernote editor toolbar changes so that there is insufficient colour contrast between the toolbar buttons and the background colour.

Deprecation warnings

We intend to discontinue the following legacy cloudscribe libraries and remove their projects from the main source code branches, in forthcoming releases:

  • All 'Views.Bootstrap3' and 'CompiledViews.Bootstrap3' projects (only Bootstrap5 is now actively maintained, but the Bootstrap4 views projects will be kept in place for reference for the time being).
  • All of the original legacy 'EFCore.pgsql' libraries: these have long ago been superseded by their 'EFCore.PostgreSql' counterparts, which enforce the use of snake case convention on PostgreSql database schema.

We are aware of an issue that has arisen from the recent 8.1 release, specifically around: "#798: Enhanced the file manager with the ability to move files between folders, eliminating the need to delete and re-upload files."

This has resulted in the 'Select' button not always appearing in the File Manager in some circumstances when you select an image to insert into content.

We have a fix for this which will be released soon, in the meantime you are able to override the setting yourself in order to see the 'Select' button.

How to:

  1. Add this file to your project as a view override in \Views\FileManager https://github.com/cloudscribe/cloudscribe/blob/develop/src/cloudscribe.FileManager.Web/Views/FileManager/BrowsePartial.cshtml
  2. On line 192, change 'data-can-select="false"' to be 'data-can-select="true"'
  3. Save and release to your site in the usual way