Notepad++ v8.8.9: Vulnerability-fix

donho

@Denny-89 said in Notepad++ v8.8.9: Vulnerability-fix:

I’ve updated from v8.8.8 to v8.8.9 and suddenly the change history bar (or whatever it’s called) became white. Not a big issue, but extremely annoying. I’ve looked through the settings and couldn’t find anything specific to the history bar except turning it off all together which i don’t want. I’m using Win11 (3840x2160, 200% scaling) and the default Notepad++ dark theme.

I cannot reproduce it.
It could be caused by
8. Add ability to update users’ langs.xml & stylers.xml from model XML files.
By implementing this feature, the darkmode may not be considered and that makes this side effect.
@PeterJones can you confirm it?

cr0wm4n

@donho This looks better thankyou :)

donho

@cr0wm4n Thank you for your confirmation.

FYI, fixed MSI has been updated in downloaded page, as well for its GPG signature and its sha-256 hash.

Denny-89

@donho If it maybe helps - the files did indeed change. I’ve tried to temporary replace the newer ones with the old ones as a test, but langs.xml got immediately updated when i ran Notepad++ 8.8.9; stylers.xml surprisingly stayed the same old version.

Here’s a screenshot with the file properties from a 1 week old backup:
Screenshot 2025-12-10 173517.png

PeterJones

@Denny-89 said,

I’ve looked through the settings and couldn’t find anything specific to the history bar except turning it off all together which i don’t want.

Settings > Style Configurator > Language: Global Styles > Style: Change History margin and related. Searching the user manual page about Preferences for “change history” will find first the on/off control description, then the description of how to change the colors.

@donho said in Notepad++ v8.8.9: Vulnerability-fix:

By implementing this feature, the darkmode may not be considered and that makes this side effect.
@PeterJones can you confirm it?

There are two ways to handle bringing in the new style entries from stylers.model.xml: either I could just bring in the entire entry, so that all themes that are missing a given entry will then inherit the same color that is in stylers.model.xml (which will make the new entries stick out like a sore thumb, but that might nudge the user to go find all those new jarring colors, and assign values that are more to their liking); or, if the active theme has a dark background by default I could look up the Default Style’s foreground and background for that theme, and assign those as the foreground and background colors for all new style entries (so that all the new styles will be completely unnoticed by the user, and they won’t ever notice that the feature brought in the new styles).

So the first makes it jarring, but noticeable; the second won’t be as jarring, but people might not know that they’ve got a lot of new style colors that they could set to their liking to get better highlighting in many languages (and a few new GUI colors).

Right now, it’s implemented as the first. If you want, I could change it to the second: it’s a bit more effort, but it’s doable.

PeterJones

@Denny-89 said in Notepad++ v8.8.9: Vulnerability-fix:

stylers.xml surprisingly stayed the same old version.

Not surprising, to me. The new feature updates the just the active theme, so if you’ve got any theme other than Default (stylers.xml) chosen, any changes will have been saved in the themes\XYZ.xml file, not in stylers.xml. Since you are using one of the dark themes, you would have to look at that theme’s file for the change date, not stylers.xml.

Denny-89

@PeterJones said in Notepad++ v8.8.9: Vulnerability-fix:

@Denny-89 said in Notepad++ v8.8.9: Vulnerability-fix:

stylers.xml surprisingly stayed the same old version.

Not surprising, to me. The new feature updates the just the active theme, so if you’ve got any theme other than Default (stylers.xml) chosen, any changes will have been saved in the themes\XYZ.xml file, not in stylers.xml. Since you are using one of the dark themes, you would have to look at that theme’s file for the change date, not stylers.xml.

Thank you. I didn’t know the default dark theme is treated like a custom theme instead as a native color scheme like in other light/dark mode software, so i didn’t check the Style Configurator menu.

First i’ve changed just the history margin color, but then just decided to replace the whole themes folder with the one from 8.8.9 portable because there may be even more changes since May 2021 when my old DarkModeDefault.xml was created.

Coises

@donho said in Notepad++ v8.8.9: Vulnerability-fix:

Update to nlohman json 3.11.3. (Update #15041 )

I wondered why you updated to an out-of-date version…

You actually updated to 3.12, in #17242.

fuba82

~~Hi there, same bug here!~~

~~My own theme file is overwritten every time I load it…~~
~~This just happens since Notepad++ was updated to 8.8.9.~~

~~It worked flawless 8.8.9!~~
~~Means my own theme does no longer work with 8.8.9?~~

Nevermind, it works now!
Sorry for bothering you!

PeterJones

@fuba82 said in Notepad++ v8.8.9: Vulnerability-fix:

My own theme file is overwritten every time I load it…
This just happens since Notepad++ was updated to 8.8.9.

Could you be more specific? v8.8.9 should update your theme to include any styles it is missing, but it does not delete any of your customizations.

But just to make sure, please explain in detail what your problem is: is your “own theme” just a customized version of one of the built-in themes? Do you put it in the AppData hierarchy, or in the Program Files hierarchy? Could you share your Debug Info? If it’s losing any of your custom colors that you’ve defined, could you show us the “before” and “after” – the whole file is too big to paste here, obviously… but if you can show us the section where your information was lost (so show what it was in the old theme, and then what it became in the overwritten theme), that would be helpful.

fuba82

@PeterJones
Oh my… BIG sorry…

My Theme’s file size changed and my “first” load, however, displayed the “default” style and this confused/shocked me!
I copied over a backup of my Theme, the file size changed again, but now it works…

All fine now, it seems.
Sorry for my false positive!

donho

@PeterJones said in Notepad++ v8.8.9: Vulnerability-fix:

if the active theme has a dark background by default I could look up the Default Style’s foreground and background for that theme, and assign those as the foreground and background colors for all new style entries (so that all the new styles will be completely unnoticed by the user, and they won’t ever notice that the feature brought in the new styles).

I think it’s “the way to go”.

So the first makes it jarring, but noticeable; the second won’t be as jarring, but people might not know that they’ve got a lot of new style colors that they could set to their liking to get better highlighting in many languages (and a few new GUI colors).

The reason of “the way to go” is, if users don’t need to change anything, just let these features sleep.
As I said, a good tool is a tool transparent: user opens it, get jobs done, then closes it, without noticing or being bothered by anything unsual.

I could change it to the second: it’s a bit more effort, but it’s doable.

Thank you. Then it’ll be in the next release.

donho

@Coises said in Notepad++ v8.8.9: Vulnerability-fix:

I wondered why you updated to an out-of-date version…

You actually updated to 3.12, in #17242 .

I don’t really understand how/why I did this error.
It’s too late for the release note, but at least it’s fixed in both:
https://notepad-plus-plus.org/downloads/v8.8.9/
&
https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix

Thank you for your heads up.

Saquib Akhtar

@donho After recent update there is some issue with Theme or Style as now, I see 1 White Column additionally between Margin & Line Number separator. Please see image. It actually makes look like as if something is missing & distracts attention.

KleinerDickerTiger

@donho

I also have problems with the styles here, depending on which file was opened (e.g., ps1):

Screenshot 2025-12-12 133421.png

To be safe, I unpacked the portable version on a clean reference system, and the effect was immediately there. So it wasn’t an upgrade. The only style that works is ‘DarkModeDefault’

Replacing any files didn’t help. Even if I replace all files except for notepad.exe, nothing changes.

It seems there is no way to solve the problem on my part; in any case, I can’t think of any further solution.

Have a nice day.

PeterJones

@Saquib-Akhtar said in Notepad++ v8.8.9: Vulnerability-fix:

@donho After recent update there is some issue with Theme or Style as now, I see 1 White Column additionally between Margin & Line Number separator. Please see image. It actually makes look like as if something is missing & distracts attention.

It’s actually two columns (Bookmark margin and Change History margin), and it was missing information in your theme file; v8.8.9 tried to fill in the missing information, but I made a bad decision on what color values to use to populate the missing information for v8.8.9. (In the next version, it will hopefully make default color decisions that will be less annoying to people… but that won’t help anyone who has already run v8.8.9).

For your issue, the fix is easy enough: it looks like you are on khaki theme, so I will give example colors accordingly. The quick thing for those two columns is to go to Settings > Style Configurator, leave Language at Global Styles, and the Style: box,

scroll down to Bookmark Margin, click on Background Color and More Colors, and set the colors to Red=175, Green=175, Blue=135, then OK
scroll down to Change History Margin, click on Background Color and More Colors, and set the colors to Red=175, Green=175, Blue=135, then OK

But since there might be other colors missing from yours that might be jarring later, if you haven’t done a lot of color or user-keyword customization, what I recommend is to exit Notepad++, then use Explorer to go to %AppData%\Notepad++\: If there’s a themes\ subdirectory, delete khaki.xml from %AppData%\Notepad++\themes\. When you restart Notepad++, it will use the version of khaki.xml from the installation directory rather than from your AppData hierarchy, )(Notepad++'s installer overwrites the installation\themes*.xml when you install or upgrade, so that one should be up-to-date and include the correct values for those margins.)

[those instructions assume you have a “normal installation”, using the %AppData% hierarchy for settings and c:\program files\notepad++ for your installation directory; if you have a non-standard installation, files will be in a different location, and I’d need to see your full ?-menu’s Debug Info to give customized instructions.]

PeterJones

@KleinerDickerTiger said in Notepad++ v8.8.9: Vulnerability-fix:

To be safe, I unpacked the portable version on a clean reference system, and the effect was immediately there. So it wasn’t an upgrade. The only style that works is ‘DarkModeDefault’

Replacing any files didn’t help. Even if I replace all files except for notepad.exe, nothing changes.

Only 12 of the 22 themes have Powershell defined: DansLeRuSH-Dark, DarkModeDefault, HotFudgeSundae, khaki, Monokai, MossyLawn, Navajo, Obsidian, Plastic Code Wrap, Solarized-light, Solarized, and Zenburn. So in the portable version 8.8.9, andy of those 12 should be colored reasonably.

Here are a few examples of powershell highlighting working in the portable:

But as you can tell by the entries, even in those screenshots, even if the theme defines powershell, it doesn’t always have all its styles defined for that language, and the v8.8.9 theme updater grabbed the colors from the default stylers.xml for the missing colors, which makes it jarring for many of the themes. (As I said, it was a bad decision on my part, and the next release should use a better default color, so things at least blend in.)

But all the style entries are there for you now, so you should be able to choose the theme you want to use when editing Powershell files, then go through each of the Style entries for Language: PowerShell: any that have a Background colour of White, you could either manually set to a color that fits with your theme, or you can right-click the Background colour box, and it will inherit the backgroud color from the theme’s Default background, which will be less jarring.

PeterJones

@donho said in Notepad++ v8.8.9: Vulnerability-fix:

Add ability to update users’ langs.xml & stylers.xml from model XML files.

Sorry for the mess it has created. I highly recommend not triggering auto-update on this one.

I should have the a PR today or tomorrow which will fix #17289

KleinerDickerTiger

@PeterJones

Thank you for your reply. I understand what you wrote, but that still doesn’t explain the problem. PowerShell was just an example. This also applies to other languages, like Python. But anyway. Up to version 8.8.8, this problem didn’t exist. In this version, only ‘Black board’ causes problems, but all the other styles look good and don’t have the issues that were present in version 8.8.9.

PeterJones

@KleinerDickerTiger said in Notepad++ v8.8.9: Vulnerability-fix:

I understand what you wrote, but that still doesn’t explain the problem.

If it doesn’t explain the problem to you, then either you didn’t understand or I didn’t say enough.

PowerShell was just an example.

As it was for me.

Many of the themes are missing many of the languages, including Powershell. And even on the languages they do have, over time, new styles have been added to some of those languages. So your themes were missing many languages and many styles that Notepad++ supports. The reason that you didn’t notice in v8.8.8 and earlier is because the older versions of Notepad++ would just use the theme’s default FG/BG colors on any style or language that wasn’t defined… but it wouldn’t allow you to change them in the Style Configurator, because they would’t even be listed there. (For example, if you had originally installed v8.3.1 a couple years ago, and had upgraded through v8.8.8, you would not be able to use Style Configurator to set the IDENTIFIER or FUNCTION colors in Powershell, even though Notepad++ has supported those colors for a long time now.)

The new feature in v8.8.9 adds in those missing languages and missing styles, and that is working as designed. And with that, you can now set those colors to anything you want in the Style Configurator, as designed. The problem is that when it adds in the missing languages and styles, it had to pick a color of some sort… and I foolishly chose to set the colors to be the same colors that would be used in stylers.xml (ie, it matches the default light theme of Notepad++): this makes the jarring black-text-on-white-background for any of the languages or styles that were added into the theme by the new v8.8.9 feature.

Starting in the next version, if it finds a language or style entry that is missing from your theme, instead of using the light-theme’s equivalent color, it will populate any missing colors using your theme’s default FG/BG colors, so it will behave more like v8.8.8-and-earlier, but with the improvement that you will now be able to edit those previously-missing colors in the Style Configurator, and they will be saved in the theme file going forward (neither of which v8.8.8-and-earlier did for you).