Release 1.5.5

IMPORTANT: Security release, please update your instances!

This is another security release. The exploit is documented as CVE-2015-3297: if a specifically formatted URL is used to access Etherpad, a file can be read from the filesystem. This issue has existed in Etherpad since 2012, so pretty much all deployments will be affected.

We have been doing a lot of security releases lately as we complete our third security audit. Our apologies for creating such a fire under admins to update so frequently lately.

SECURITY: Traversing URL exploit
NEW: Default Pad options can now be defined in settings.json, see the Etherpad Template file for reference.
NEW: sessionKey is now automatically generated and stored in the file system.
NEW: Logic for handling pad creation with illegal characters
FIX: IE10 now works
FIX: html10n missing semicolons, prevents warnings
FIX: Importing of Large .Etherpad files no longer crashes the server
UPDATES: Update all stuck dependencies (Inc underscore)
UPDATES: Update to Express 4
UPDATES: We no longer support IE8

Release 1.5.3

Etherpad 1.5.3 is with us. This release is a security release. The security issue is a big one so please do update…


Don’t allow read files on directory traversal (CVE due very shortly)


Accessibility support for Screen readers, includes new fonts and keyboard shortcuts


API endpoint for Append Chat Message and Chat backend tests
Error messages displayed on load are included in Default Pad Text (can be suppressed)

Methods and functions

Content Collector can handle key values
getAttributesOnPosition Method returns applied attributes on a position


Firefox keeps attributes (bold etc) on cut/copy -> paste
URL Parameter showControls=false now works
Cut and Paste works again…

Grab the latest Etherpad now

Accessibility in Etherpad – a11n


Today we’re proud to announce that Etherpad is now accessibility enabled.


  • Screen readers are fully supported
  • Keyboard shortcuts are now available for the pad and timeslider pages
  • Various new fonts available in core (only changes viewers experience)
  • High contrast user experience now available (see ep_themes plugin)
  • Control Shift 2 shows author information pop-up for currently selected line

Quick links

  • Accessibility and keyboard shortcut documentation
  • The pull request with a plethora of comments and thoughts
  • A testing environment to play around with

Special thanks to

    Our sponsor: TBA
    pvagner for all his input and testing.
    W3 for their work on ARIA

    Some quick win shortcuts you should know about

    Alt F9 brings up the context menu, Alt F9 and Escape returns focus back to the pad.
    Alt C brings up chat
    Arrow keys navigate most things

    I spotted something that’s wrong or I think it can be made better, how can I tell you?

    Either create an issue on GitHub and/or use our idea informer, which doesn’t require any sign up or registration to post :)

    When will we see accessibility land in a major release?

    We’re hours away from starting our 2015 hackathon, which should bear the fruits of a major release, so hopefully a major release will land within 48 hours of this blog post. However, if you are itching to get your mitts on the accessibility features, simply check out the Etherpad develop branch.

    Rewriting Server Name in Nginx

    By default, Nginx in front of Etherpad displays its own Server header value and does not forward Etherpad's Server header value. This is a problem because your Etherpad version is then not available in the headers, which makes debugging more difficult, among other things.

    To solve this, add the line below to your Nginx config and you are done :)

    proxy_pass_header Server;

    Check by restarting Etherpad and checking your headers.
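
    The header check described above, as an added example that is not part of the original post. It assumes `curl` is installed; the function names and the sample responses are constructed for illustration, and the exact text Etherpad puts in its Server header is an assumption (the check only looks for the word "Etherpad").

```shell
#!/bin/sh
# Added example: check which Server header a client receives via the proxy.

# Print the value of the first Server header found on stdin.
# Header names are case-insensitive and lines end in CRLF, so handle both.
server_header() {
    tr -d '\r' | awk '
        !found && tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, "")
            print
            found = 1
        }'
}

# Classify a Server header value:
#   nginx    - the proxy substituted its own header (directive not in effect)
#   etherpad - the upstream Etherpad header reached the client
#   missing  - no Server header was returned
#   other    - something else answered (another proxy, wrong virtual host)
classify_server() {
    case "$1" in
        "")                    echo missing ;;
        [Nn][Gg][Ii][Nn][Xx]*) echo nginx ;;
        *[Ee]therpad*)         echo etherpad ;;
        *)                     echo other ;;
    esac
}

# Fetch only the response headers from a URL and classify them.
check_url() {
    classify_server "$(curl -sS -I --max-time 10 "$1" | server_header)"
}

# Constructed sample responses, not captured from a real server.
# The Etherpad header text is an assumed format used only for the demo.
SAMPLE_BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n')
SAMPLE_AFTER=$(printf 'HTTP/1.1 200 OK\r\nserver: Etherpad 1.5.5\r\nContent-Type: text/html\r\n')

if [ "$#" -gt 0 ]; then
    check_url "$1"
else
    for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
        classify_server "$(printf '%s\n' "$sample" | server_header)"
    done
fi
```

    Run it with the pad's public URL as the only argument to test a live instance. The header it reports is the one every client receives, version string included.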

    Academic writing requirements

    Here are some plugins you can use to make Etherpad useful for academic writing. All can be found on the Etherpad plugin page with minimal effort.

    Rights Mgmt: Etherpad Admin Pads
    Privacy: Take your pick from the plugin page.
    Footnotes: Use ep_foot_note plugin
    Tables: Use the Etherpad Tables plugin
    Images: Use the Etherpad images plugin
    Formulas: Use the Etherpad Mathjax plugin
    Comments: Use the Etherpad Comments plugin
    References: Use the Etherpad Reference plugin
    Import/Export: Extend import/export support with various options from the plugin page
    Offline Support: Use the Offline Edit plugin
    Usability: Extend usability with various options from the plugin page

    Update your Etherpad

    Periodically we sweep through sites that run Etherpad and check for any instances that are out of date. This time we were alarmed by the number of out-of-date instances that contain security issues.

    Please update your instances. This is the list of URLs of out-of-date instances that contain security issues.





    Etherpad CLI Client

    Interact with Pad contents in real time from within Node and from your CLI.

    The CLI can be used to catch edit events from Etherpad. Changes are sent as Changesets so there is no performance drop or additional bandwidth required. We use the fastest possible method to reflect changes to a pad.

    The CLI Client can also be used to append content to a pad.

    5 seconds getting started…

    sudo npm install -g etherpad-cli-client

    See what else the Etherpad CLI Client can do!

    The CLI Client was developed as part of our new load testing tool that we hope to release within the coming weeks. Development was funded by UCI & Primary Technology Ltd.

    Etherpad v1.5.1 – “We’d rather die standing than live on our knees” edition

    What’s new TLDR;

    Mostly bugfixes, one security/privacy fix. One UI feature (Chat and Users always on screen)


    NEW: High resolution Icon
    NEW: Use HTTPS for plugins.json download
    NEW: Add ‘last update’ column
    NEW: Show users and chat at the same time (try it)
    NEW: Support io.js
    Fix: removeAttributeOnLine now works properly
    Fix: Plugin search and list
    Fix: Issue where unauthed request could cause error
    Fix: Privacy issue with .etherpad export
    Fix: Freeze deps to improve bisectability
    Fix: IE, everything. IE is so broken.
    Fix: Timeslider proxy
    Fix: All backend tests pass
    Fix: Timeslider stars
    Fix: Translation update
    Fix: Check filesystem if Abiword exists
    Fix: Docs formatting
    Fix: Move Save Revision notification to a gritter message
    Fix: UeberDB MySQL Timeout issue
    Fix: Indented +9 list items
    Fix: Don’t paste on middle click of
    SECURITY Fix: Issue where a malformed URL could cause EP to disclose installation location

    Push file changes to your editbar with this nifty plugin!

    This nifty plugin will push contents straight from a file to your editbar.

    Consider you have HTML that is written from a third party application to a file. When that file is updated your editbar reflects the changes in real time.


    In this picture you can see some output from Mumble, showing the server users, reflected in the Pad Editbar.

    Super simple yet super useful! What will you use ep_filemon for?

