Whitelist a bunch of url protocols.

[lhc/web/wiklou.git] / RELEASE-NOTES-1.22

Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.

== MediaWiki 1.22 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.22 is an alpha-quality branch and is not recommended for use in
production.

=== Configuration changes in 1.22 ===
* $wgRedirectScript was removed. It was unused.
* Removed $wgLocalMessageCacheSerialized, it is now always true.
* When $wgUseVFormUserLogin is true, the redesign of Special:UserLogin is
  activated; when $wgUseVFormCreateAccount is true, the redesign of
  Special:UserLogin/signup is activated.
* $wgVectorUseIconWatch is now enabled by default.
* $wgCascadingRestrictionLevels was added.
* ftps, ssh, sftp, xmpp, sip, sips, tel, sms, bitcoin, magnet, urn, and geo
  have been whitelisted inside of $wgUrlProtocols.

=== New features in 1.22 ===
* (bug 44525) mediawiki.jqueryMsg can now parse (whitelisted) HTML elements and attributes.
* (bug 33454) Language::sprintfDate now has a timezone parameter, and supports
  the "eIOPTZ" formatting characters.
* EditWarning: A warning is shown when an editor leaves the edit form without
  saving (enabled by default, users can opt-out via the 'useeditwarning'
  preference). This feature was moved from the Vector extension, and is now part
  of core for all skins. Take care when upgrading that you don't use an older
  version of the Vector extension as this feature may conflict.
* New 'mediawiki.ui' CSS module providing mw-ui-* styles for buttons and a
  compact vertical form layout.
* New versions of login (Special:UserLogin) and create account
  (Special:UserLogin/signup) forms. They are opt-in for now, controlled by
  the $wgUseVFormUserLogin and $wgUseVFormCreateAccount settings or a 'useNew'
  URL parameter trigger.
* (bug 23343) Implemented ability to apply IP blocks to the contents of X-Forwarded-For headers
  by adding a new configuration variable $wgApplyIpBlocksToXff (disabled by default).
* The new hook 'APIGetPossibleErrors' to modify the list of possible errors was
  added.
* (bug 25592) LogEventsList::showLogExtract() will now ignore various
  Pager-related WebRequest parameters by default, as this is overwhelmingly
  likely to be what was intended by users of the method. If any caller wishes
  to use these parameters, the new param 'useRequestParams' may be set to true.
* mw.util.addPortletLink: Tooltip is no longer required to be plain (without
  an accesskey in it already). As such it now rountrips. Creating a link with a
  message as tooltip, grabbing the title attribute and using it to create
  another portlet will work as expected.
* (bug 6747) {{ROOTPAGENAME}} introduced, contains the name of the topmost
  page without namespace.
* BREAKING CHANGE: (bug 41729) Display editsection links next to headings. Also
  change their class name from .editsection to .mw-editsection and place them at
  the end of the heading element instead of the beginning. Client-side code and
  screen-scrapers will have to be adjusted to handle both cases (old HTML will
  still be visible on cached page renders until they are purged); extensions
  using the DoEditSectionLink or EditSectionLink hooks might need adjustments as
  well.
* (bug 45535) introduced the new 'LanguageLinks' hook for manipulating the
  language links associated with a page before display.
* Chosen (http://harvesthq.github.io/chosen/) was added as module 'jquery.chosen'
* HTMLForm will turn multiselect checkboxes into a Chosen interface when setting cssclass 'mw-chosen'
* rebuildLocalisationCache learned --lang option. Let you rebuild l10n caches
  of the specified languages instead of all of them.
* New GetNewMessagesAlert hook allowing extensions to disable or modify the new
  messages alert
* New wgUserNewMsgRevisionId JS global for logged in users. This will be null
  if the user has no new talk page messages. Otherwise it will be set to the
  revision ID of the oldest new talk page message. This will allow gadgets and
  extensions to create their own new message alerts on the client side.
* mediawiki.log: Added log.warn wrapper (uses console.warn and console.trace).
* mediawiki.log: Implemented log.deprecate. This method defines a property and
  uses ES5 getter/setter to emit a warning when they are used.
* $wgCascadingRestrictionLevels was added, allowing one to specify restriction levels
  which can be cascading (previously 'sysop' was hard-coded as the only one).

=== Bug fixes in 1.22 ===
* Disable Special:PasswordReset when $wgEnableEmail. Previously one could still
  navigate to the page by entering the URL directly.
* (bug 47138) Fixed a fatal error when a blocked user tries to automatically
  create an account on login due external authentication in some circumstances.
* (bug 23393) HTML <hN> headings containing line breaks are now handled
  correctly.
* (bug 45803) Whitespace within == Headline == syntax and within <hN> headings
  is now non-significant and not preserved in the HTML output.
* (bug 47218) Special:BlockList now handles correctly user names with spaces
  when passed as subpage.
* Pager's properly validate which fields are allowed to be sorted on.
* mw.util.tooltipAccessKeyRegexp: The regex now matches "option-" as well.
  Support for Mac "option" was added in 1.16, but the regex was never updated.
* (bug 46768) Usernames of blocking users now display correctly, even if numeric.
* (bug 39590) {{PAGESIZE}} for the current page and self-transclusions now
  show the most up to date result always instead of being a revision behind.
* A bias in wfRandomString() toward digits 1-7 has been corrected. Generated
  strings will now start with digits 0 and 8-f as often as they should.
* (bug 45371) Removed Parser_LinkHooks and CoreLinkFunctions classes.

=== API changes in 1.22 ===
* (bug 46626) xmldoublequote parameter was removed. Because of a bug, the
  parameter has had no effect since MediaWiki 1.16, and so its removal is
  unlikely to impact existing clients.
* (bug 25325) Added support for wlshow filtering (bots/anon/minor/patrolled)
  to action=feedwatchlist.
* WDDX formatted output will actually be formatted (and normal output will no
  longer be), and will no longer choke on booleans.
* action=opensearch no longer silently ignores the format parameter.
* action=opensearch now supports format=jsonfm.
* list=usercontribs&ucprop=ids will now include the parent revision id.
* BREAKING CHANGE: action=parse no longer returns all langlinks for the page
  with prop=langlinks by default. The new effectivelanglinks parameter will
  request that the LanguageLinks hook be called to determine the effective
  language links.
* BREAKING CHANGE: list=allpages, list=langbacklinks, and prop=langlinks do not
  apply the new LanguageLinks hook, and thus only consider language links
  stored in the database.
* (bug 47219) Allow specifying change type of Wikipedia feed items
* prop=imageinfo now allows setting iiurlheight without setting iiurlwidth
* prop=info now adds the content model of the title.
* New upload log entries will now contain information on the relavent
  image (sha1 and timestamp).

=== Languages updated in 1.22===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.

* (bug 46751) Made Buryat (Russia) (буряад) (bxr) fallback to Russian.

=== Other changes in 1.22 ===
* redirect.php was removed. It was unused.
* ClickTracking integration was dropped from the mediaWiki.user.bucket
  JavaScript function. The 'tracked' option is now ignored.
* BREAKING CHANGE: Legacy skins Simple, MySkin, Chick, Standard and Nostalgia
  were all removed. (Nostalgia was moved to an extension.) The SkinLegacy and
  LegacyTemplate classes that supported them were removed as well and are now a
  part of the Nostalgia extension.
* Event namespace used by jquery.makeCollapsible has been changed from
  'mw-collapse' to 'mw-collapsible' for consistency with the module name.
* BREAKING CHANGE: The "ExternalAuth" authentication subsystem was removed, along
  with its associated globals of $wgExternalAuthType, $wgExternalAuthConf,
  $wgAutocreatePolicy and $wgAllowPrefChange. Affected users are encouraged to
  use AuthPlugin for external authentication/authorization needs.
* The Quickbar feature of the legacy skin model and the last remnants of it
  throughout the code base have been removed.
* Externaledit/externaldiff preference was removed. Very few users used this
  feature, and improper configuration can actually prevent a user from editing
* Calling Linker methods using a skin will now output deprecation warnings.
* (bug 46680) "Return to" links are no longer tagged with rel="next".
* BREAKING CHANGE: mw.util.tooltipAccessKeyRegexp: The match group for the
  accesskey character is now $6 instead of $5.
* HipHop compiler (hphpc) support was removed. HipHop VM support (hhvm) was
  added.
* A new Special:Redirect page was added, providing lookup by revision ID,
  user ID, or file name.  The old Special:Filepath page was reimplemented
  to redirect through Special:Redirect.
* Monobook: Removed the old conditional stylesheets for Opera 6, 7 and 9.

== Compatibility ==

MediaWiki 1.22 requires PHP 5.3.2 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle.

The supported versions are:

* MySQL 5.0.2 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later

== Upgrading ==

1.22 has several database changes since 1.21, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.21.x and older releases, see HISTORY.

== Online documentation ==

Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

        https://www.mediawiki.org/wiki/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

        https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

        https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.freenode.net.