Allow specifying OutputPage object in Skin::subPageSubtitle parameters

[lhc/web/wiklou.git] / HISTORY

diff --git a/HISTORY b/HISTORY
index 9cb5399..868b21a 100644 (file)
--- a/HISTORY
+++ b/HISTORY
@@ -1,6 +1,623 @@
-Change notes from older releases. For current info see RELEASE-NOTES-1.27.
+Change notes from older releases. For current info see RELEASE-NOTES-1.28.
+
+= MediaWiki 1.27 =
+
+== MediaWiki 1.27.0 ==
+
+=== PHP version requirement in 1.27 ===
+As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
+section). Additionally, the following PHP extensions are required:
+* ctype
+* iconv
+* json
+* mbstring (new requirement in 1.27)
+* xml
+The following PHP extensions are strongly recommended:
+* openssl
+
+=== Configuration changes in 1.27 ===
+* $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
+  now always enabled. If you use RDFa on your wiki, you now have to explicitly
+  set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
+* $wgUseLinkNamespaceDBFields was removed.
+* Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
+  $wgResourceLoaderMinifierMaxLineLength, because there was little value in
+  making the behavior configurable. The default values (`false` for the former,
+  1000 for the latter) are now hard-coded.
+* $wgDebugDumpSqlLength was removed (deprecated in 1.24).
+* $wgDebugDBTransactions was removed (deprecated in 1.20).
+* $wgUseXVO has been removed, as it provides functionality only used by
+  custom Wikimedia patches against Squid 2.x that probably noone uses in
+  production anymore. There is now $wgUseKeyHeader that provides similar
+  functionality but instead of the MediaWiki-specific X-Vary-Options header,
+  uses the draft Key header standard.
+* $wgScriptExtension (and support for '.php5' entry points) was removed. See the
+  deprecation notice in the release notes for version 1.25 for advice on how to
+  preserve support for '.php5' entry points via URL rewriting.
+* Password handling via the User object has been deprecated and partially
+  removed, pending the future introduction of AuthManager. In particular:
+** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
+   getPasswordExpired() have been removed. They were unused outside of core.
+** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
+   now private and will be removed in the future.
+** The getPassword() and getTemporaryPassword() methods now throw
+   BadMethodCallException and will be removed in the future.
+** The ability to pass 'password' and 'newpassword' to createNew() has been
+   removed. The only users of it seem to have been using it to set invalid
+   passwords, and so shouldn't be greatly affected.
+** setPassword(), setInternalPassword(), and setNewpassword() have been
+   deprecated, pending the introduction of AuthManager.
+** User::randomPassword() is deprecated in favor of a new method
+   PasswordFactory::generateRandomPasswordString()
+** User::getPasswordFactory() is deprecated, callers should just create a
+   PasswordFactory themselves.
+** A new constructor, User::newSystemUser(), has been added to simplify the
+   creation of passwordless "system" users for logged actions.
+* $wgMaxSquidPurgeTitles was removed.
+* $wgAjaxWatch was removed. This is now enabled by default.
+* $wgUseInstantCommons now hotlinks Commons images by default instead of
+  downloading originals and thumbnailing them locally. This allows wikis to save
+  on CPU and bandwidth while reducing time to first byte for pages, even without
+  a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
+* (T27397) WebP is enabled by default as an uploadable filetype.
+* (T48998) $wgArticlePath must now be either a full url, or start with a "/".
+* $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
+* Deprecated API formats dbg, txt, and yaml have been removed.
+* CLDRPluralRule* classes have been replaced with
+  wikimedia/cldr-plural-rule-parser.
+* Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
+  $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
+  $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
+* For proper operation of LocalIdLookup with shared user tables, ensure that
+  $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
+  that all others are sharing from and that $wgLocalDatabases is set to the
+  full list of sharing wikis on all those wikis.
+* Massive overhaul to session handling:
+** $wgSessionsInObjectCache is no longer supported and must be true, due to
+   MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
+   used.
+** ObjectCacheSessionHandler is removed, replaced with
+   MediaWiki\Session\PhpSessionHandler.
+** PHP session handling in general ($_SESSION, session_id(), and so on) is
+   deprecated. Use MediaWiki\Session\SessionManager instead. A new config
+   variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
+   issue a deprecation warning or to cause most PHP session handling to throw
+   exceptions.
+** Deprecated UserSetCookies hook. Session-handling extensions should generally
+   be creating a custom subclass of CookieSessionProvider. Other extensions
+   messing with cookies can no longer count on user data being saved in cookies
+   versus other methods.
+** Deprecated UserLoadFromSession hook, extensions should create a
+   MediaWiki\Session\SessionProvider.
+** The User cannot be loaded from session until after Setup.php completes.
+   Attempts to do so will be ignored and the User will remain unloaded.
+** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
+   the MediaWiki\Session\Token class.
+* MediaWiki will now auto-create users as necessary, removing the need for
+  extensions to do so. An 'autocreateaccount' right is added to allow
+  auto-creation when 'createaccount' is not granted to all users.
+* Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
+* Most cookie-handling methods in User are deprecated.
+* $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
+  experimental feature that has never worked.
+* Login and createaccount tokens now vary by timestamp.
+* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
+  return a MediaWiki\Session\Token, and tokens must be checked using that
+  class's methods.
+* $wgEnotifUseJobQ was removed and the job queue is always used.
+* The functionality of the ApiSandbox extension has been merged into core. The
+  extension should no longer be used.
+* $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
+  Extensions, skins, gadgets and scripts that use the mediawiki.util module must
+  express a dependency on it.
+* $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
+  Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
+  module should express a dependency on it.
+* Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
+  $wgFooterIcons['copyright']['copyright'] instead.
+* If the openssl and mcrypt PHP extensions are both unavailable, secure
+  session storage (used for login) will raise an exception. This exception may
+  be bypassed by setting $wgSessionInsecureSecrets = true.
+* Massive overhaul to authentication:
+** AuthPlugin and AuthPluginUser are deprecated.
+** LoginForm and associated templates are deprecated. Extensions which called
+   static LoginForm methods should be converted into authentication providers.
+** The following hooks are deprecated:
+*** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** AddNewAccount (use LocalUserCreated instead)
+*** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
+*** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
+*** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
+*** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
+** The following hooks are removed:
+*** AbortChangePassword
+*** LoginPasswordResetMessage
+*** PrefsPasswordAudit
+** The UserLoginComplete hook will no longer be called for all logins, only for
+   those via the web UI. Use UserLoggedIn if you need to do something on all
+   logins.
+** $wgRequirePasswordforEmailChange is removed.
+
+=== New features in 1.27 ===
+* $wgDataCenterUpdateStickTTL was also added. This decides how long a user
+  sticks to the primary DC (via cookies) after they make changes to the site.
+* Added a new hook, 'UserMailerTransformContent', to transform the contents
+  of an email. This is similar to the EmailUser hook but applies to all mail
+  sent via UserMailer.
+* Added a new hook, 'UserMailerTransformMessage', to transform the contents
+  of an emai after MIME encoding.
+* Added a new hook, 'UserMailerSplitTo', to control which users have to be
+  emailed separately (ie. there is a single address in the To: field) so
+  user-specific changes to the email can be applied safely.
+* $wgCdnMaxageLagged was added, which limits the CDN cache TTL
+  when any load balancer uses a DB that is lagged beyond the 'max lag'
+  setting in the relevant section of $wgLBFactoryConf.
+* User::newSystemUser() may be used to simplify the creation of passwordless
+  "system" users for logged actions from scripts and extensions.
+* Extensions can now return detailed error information via the API when
+  preventing user actions using 'getUserPermissionsErrors' and similar hooks
+  by using ApiMessage instances instead of strings for the $result value.
+* $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
+  becomes too high.
+* Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
+  and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
+  cross-browser-compatible FlexBox rules. Users will still need to add fallback
+  float rules or the like for compatibility with IE9- separately.
+* Added MWTimestamp::getTimezoneString() which returns the localized timezone
+  string, if available. To localize this string, see the comments of
+  $wgLocaltimezone in includes/DefaultSettings.php.
+* Added CentralIdLookup, a service that allows extensions needing a concept of
+  "central" users to get that without having to know about specific central
+  authentication extensions.
+* $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
+  Regular web request transactions that takes longer than this are aborted.
+* Added a new hook, 'TitleMoveCompleting', which runs before a page move is
+  committed.
+* $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
+  from CDN to mitigate DB replication lag and WAN cache purge lag.
+* (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
+  if it is available.
+* It is now possible to patrol file uploads (both for new files and new versions
+  of existing files). Special:NewFiles has gained an option to filter by patrol
+  status. This functionality can be disabled using $wgUseFilePatrol.
+* MediaWiki\Session infrastructure allows for easier use of session mechanisms
+  other than the usual cookies.
+** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
+   custom session metadata.
+* Added MWGrants and associated configuration settings $wgGrantPermissions and
+  $wgGrantPermissionGroups to hold configuration for authentication features
+  such as OAuth that want to allow restricting the user rights a user may make
+  use of.
+** If you're already using the OAuth extension, these new variables are
+   identical to (and will replace) $wgMWOAuthGrantPermissions and
+   $wgMWOAuthGrantPermissionGroups.
+* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
+  to assert that the request comes from a particular IP range.
+* Added bot passwords, a rights-restricted login mechanism for API-using bots.
+* Whitelisted the following HTML attributes for all elements in wikitext:
+  aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
+* Removed "presentation" restriction on the HTML role attribute in wikitext.
+  All values are now allowed for the role attribute.
+* $wgContentHandlers now also supports callbacks to create an instance of the
+  appropriate ContentHandler subclass.
+* Added $wgAuthenticationTokenVersion, which if non-null prevents the
+  user_token database field from being exposed in cookies. Setting this would
+  be a good idea, but will log out all current sessions.
+* $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
+  specifically for reliable CDN url purges.
+* Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
+  MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
+  generated 24-character string. This request ID is used to annotate log records
+  and error messages. It is available client-side via mw.config.get( 'wgRequestId' ).
+  The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId()
+  is deprecated.
+* (T33313) Add a preference for watching uploads by default, also applies
+  to API-based upload tools.
+* $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
+  thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
+  savings versus the previous behavior on many files.
+* MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
+  configuration of multiple authentication pieces that was possible with
+  AuthPlugin. For example, it's now easy to plug in second-factor
+  authentication, or add additional checks to the login process, or to support
+  multiple login methods at once, or to support non-password-based login methods.
+** Providers are configured via the global setting $wgAuthManagerConfig.
+** A global, $wgDisableAuthManager, is temporarily available to disable
+   AuthManager until extensions are ready to support it.
+** New hook, AuthChangeFormFields, to adjust the form fields on
+   AuthManager-related special pages.
+** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
+   AuthManager-related authentication requests.
+** New hook, ChangeAuthenticationDataAudit, for additional logging of
+   AuthManager-related authentication data changes.
+** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
+   for requiring a recent login before taking security-sensitive operations
+   like changing a password.
+** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist
+   can be used to prevent the web UI and the API changing certain authentication data.
+* The file upload dialog (available if you install WikiEditor or VisualEditor)
+  can now be configured using $wgUploadDialog.
+
+=== External library changes in 1.27 ===

 
 

-== MediaWiki 1.26 ==
+==== Upgraded external libraries ====
+* Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
+* Updated composer/semver from v1.0.0 to v1.2.0.
+* Updated liuggio/statsd-php-client to 1.0.18.
+* Updated QUnit from v1.18.0 to v1.22.0.
+
+==== New external libraries ====
+* Added wikimedia/base-convert v1.0.1.
+* Added wikimedia/cldr-plural-rule-parser v1.0.0.
+* Added wikimedia/relpath v1.0.3.
+* Added wikimedia/running-stat v1.1.0.
+* Added wikimedia/php-session-serializer v1.0.3.
+
+==== Removed and replaced external libraries ====
+
+=== Bug fixes in 1.27 ===
+* Special:Upload will now display correct maximum allowed file size when running
+  under HHVM (T116347).
+* (T54077) The APIEditBeforeSave hook will once again give only the content of
+  the section being edited, rather than the whole revision. This reverts the
+  change made in MediaWiki 1.22.
+
+=== Action API changes in 1.27 ===
+* Added list=allrevisions.
+* generator=recentchanges now has the option to generate revids.
+* ApiPageSet::setRedirectMergePolicy() was added. This allows generator
+  modules to define how generator data for a redirect source gets merged
+  into the redirect destination.
+* prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
+  "was-deleted" warning.
+* Added difftotextpst to query=revisions which preforms a pre-save transform on
+  the text before diffing it.
+* Deprecated formats dbg, txt, and yaml have been removed.
+* (T47988) The protect log event details now use new-style formatting.
+* The following response properties from action=login are deprecated, and may
+  be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
+  handle cookies to properly manage session state.
+* action=login transparently allows login using bot passwords. Clients should
+  merely need to change the username and password used after setting up a bot
+  password.
+* action=upload no longer understands statuskey, asyncdownload or leavemessage.
+* Several changes when $wgDisableAuthManager is false:
+** action=login is deprecated for uses other than bot passwords.
+** list=users can now indicate if a missing username is creatable.
+** action=createaccount is changed in a non-backwards-compatible manner.
+** Added action=query&meta=authmanagerinfo.
+** Added action=clientlogin to be used to log into the main account instead of
+   action=login.
+** Added action=linkaccount.
+** Added action=unlinkaccount.
+** Added action=changeauthenticationdata.
+** Added action=removeauthenticationdata.
+** Added action=resetpassword.
+
+=== Action API internal changes in 1.27 ===
+* ApiQueryORM removed.
+* The following classes have been removed:
+** ApiFormatDbg
+** ApiFormatTxt
+** ApiFormatYaml
+* ApiBase::addTokenProperties() was removed (deprecated since 1.24).
+* ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
+* ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
+* ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24).
+* ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
+* ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24).
+* ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24).
+* ApiBase::getResultProperties() was removed (deprecated since 1.24).
+* ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
+* ApiBase::parseErrors() was removed (deprecated since 1.24).
+* ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
+  ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
+* ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
+* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
+* ApiQuery::getGenerators() was removed (deprecated since 1.21).
+* ApiQuery::getModules() was removed (deprecated since 1.21).
+* ApiQuery::getModuleType() was removed (deprecated since 1.21).
+* ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
+* ApiMain::getModules() was removed (deprecated since 1.21).
+* ApiBase::getVersion() was removed (deprecated since 1.21).
+* ApiMain::getShowVersions() was removed (deprecated in 1.21).
+* ApiMain::addModule() was removed (deprecated in 1.21).
+* ApiMain::addFormat() was removed (deprecated in 1.21).
+* ApiMain::getFormats() was removed (deprecated in 1.21).
+* ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
+* ApiCreateAccount is deprecated, and will be removed soon.
+
+=== Languages updated in 1.27 ===
+
+MediaWiki supports over 350 languages. Many localisations are updated
+regularly. Below only new and removed languages are listed, as well as
+changes to languages because of Phabricator reports.
+
+* (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
+* (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
+
+=== Other changes in 1.27 ===
+* Added dependency injection (DI) infrastructure, see docs/injection.txt for details.
+  It is planned to incrementally move MediaWiki code towards using DI, using the
+  service locator (SL) pattern as a stepping stone.
+* ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
+* WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
+  ignore the 2nd and 3rd arguments (formerly $id and $commit).
+* Removed "loaderScripts" option from ResourceLoaderFileModule class.
+* Removed ORM-like wrapper added in 1.20.
+* LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
+  (deprecated in 1.26).
+* WikiPage::doQuickEdit() was removed (deprecated since 1.21).
+* Removed SiteObject and SiteArray classes (deprecated in 1.21).
+* MessageBlobStore::getInstance() was removed (deprecated since 1.25).
+* (T84937) Free external links ("autolinked" urls) will now be terminated
+  by &nbsp; and HTML entity encodings of &nbsp, <, and >.
+* (T36948) The default file revert message's timestamp is now in
+  $wgLocaltimezone, instead of UTC.
+* The default name of the 'suppress' group page has been changed from
+  'Project:Oversight' to 'Project:Suppress'.
+* DatabaseBase::resultObject() is now protected (use outside Database classes
+  not necessary since 1.11).
+* Calling ResourceLoaderFileModule::readStyleFiles() without a
+  ResourceLoaderContext instance is deprecated.
+* ResourceLoader::getLessCompiler() now takes an optional parameter of
+  additional LESS variables to set for the compiler.
+* wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
+  instead.
+* Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
+  were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
+* Removed msg_resource_links database table and associated code.
+* Removed msg_resource database table and associated code.
+* Skin::getNamespaceNotice() was removed.
+* wfIsConfiguredProxy() was removed (deprecated since 1.24).
+* wfDebugTimer() was removed (deprecated since 1.25).
+* wfIsTrustedProxy() was removed (deprecated since 1.24).
+* wfGetIP() was removed (deprecated since 1.19).
+* MWHookException was removed.
+* OutputPage::appendSubtitle() was removed (deprecated since 1.19).
+* OutputPage::loginToUse() was removed (deprecated since 1.19).
+* Article::loadContent() was removed (deprecated since 1.19).
+* User::editToken() was removed (deprecated since 1.19).
+* Removed --force-normal option of dumpBackup.php, as it no longer served
+  any useful purpose since 1.22.
+* The functions processOption() and processArgs() on the BackupDumper and
+  TextPassDumper classes have been removed.
+* The maintenance/backupTextPass.inc file was deleted. You should include
+  maintenance/dumpTextPass.php instead.
+* WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
+* wfEmptyMsg() was removed (deprecated since 1.18).
+* OutputPage::permissionRequired() was removed (deprecated since 1.18).
+* OutputPage::blockedPage() was removed (deprecated since 1.18).
+* User::getSkin() was removed (deprecated since 1.18).
+* OutputPage::includeJQuery() was removed (deprecated since 1.17).
+* WikiPage::updateRestrictions() was removed (deprecated since 1.19).
+* WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
+* LogPage::logName() was removed (deprecated since 1.19).
+* LogPage::logHeader() was removed (deprecated since 1.19).
+* wfCheckLimits() was removed (deprecated since 1.24).
+* Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
+* Linker::makeLinkObj() was removed (deprecated since 1.16).
+* wfMsgForContentNoTrans() was removed (deprecated since 1.18).
+* ChangesList::usePatrol was removed (deprecated since 1.22).
+* wfMsgNoTrans() was removed (deprecated since 1.18).
+* Linker::makeImageLink2 was removed (deprecated since 1.20).
+* Title::userIsWatching() was removed (deprecated since 1.20).
+* Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
+  database function directly instead.
+* wfMsg() was removed (deprecated since 1.18).
+* wfMsgForContent() was removed (deprecated since 1.18).
+* wfMsgReal() was removed (deprecated since 1.18).
+* wfMsgGetKey() was removed (deprecated since 1.18).
+* wfMsgHtml() was removed (deprecated since 1.18).
+* wfMsgWikiHtml() was removed (deprecated since 1.18).
+* wfMsgExt() was removed (deprecated since 1.18).
+* Language::armourMath() was removed (deprecated since 1.22).
+* LanguageConverter::armourMath() was removed (deprecated since 1.22).
+* FakeConverter::armourMath() was removed (deprecated since 1.22).
+* The unused jquery.validate ResourceLoader module was removed.
+* FileRepo::getRootUrl() was removed (deprecated since 1.20).
+* User::generateToken() was removed (deprecated since 1.20).
+* WikiPage::getRawText() was removed (deprecated since 1.21).
+* ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
+* ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
+* ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
+* Gallery images with multiple caption pipes no longer concatenate them all
+  together but instead pick the final one, similar to image syntax.
+* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
+  rather than consume everything until the end of the page.
+* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
+  a user forgot password/account was stolen.
+* wfCheckEntropy() was removed (deprecated in 1.27).
+* Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
+* ContentHandler::supportsCategories method added. Default is true.
+  CategoryMembershipChangeJob updates are skipped for content that
+  does not support categories.
+* wikidiff difference engine is no longer supported, anyone still using it are encouraged
+  to upgrade to wikidiff2 which is actively maintained and has better package availability.
+* Database logic was removed from WatchedItem and a WatchedItemStore was created:
+** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated.
+   User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
+** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
+** WatchedItem::resetNotificationTimestamp was deprecated.
+** WatchedItem::batchAddWatch was deprecated.
+** WatchedItem::addWatch was deprecated.
+** WatchedItem::removeWatch was deprecated.
+** WatchedItem::isWatched was deprecated.
+** WatchedItem::duplicateEntries was deprecated.
+** EmailNotification::updateWatchlistTimestamp was deprecated.
+** User::getWatchedItem was removed.
+* Unit tests don't work with external PHPUnit anymore, Composer is now the only supported
+  way. Run `composer install` to install it and other dev dependencies to run unit tests.
+* wl_id field added to the watchlist table.
+* Revision::getRawText() was removed (deprecated since 1.21).
+* WikiPage::replaceSection() was removed (deprecated since 1.21).
+* Article::replaceSection() was removed (deprecated since 1.21).
+* Language::getLangObj() was removed (deprecated since 1.24).
+* Language::getLanguageName() was removed (deprecated since 1.20).
+* Language::getLanguageNames() was removed (deprecated since 1.20).
+* Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
+* Language::specialPage() was removed (deprecated since 1.24).
+* MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
+* OutputPage::getHeadItems() was removed (deprecated since 1.24).
+* OutputPage::getScript() was removed (deprecated since 1.24).
+* OutputPage::out() was removed (deprecated since 1.22).
+* OutputPage::setAllowedModules() was removed (deprecated since 1.24).
+* UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
+* MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
+* Title::newFromRedirect() was removed (deprecated since 1.21).
+* Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
+* Skin::getCommonStylePath() was removed (deprecated since 1.24).
+* Skin::newFromKey() was removed (deprecated since 1.24).
+* Skin::getUsableSkins() was removed (deprecated since 1.23).
+* LoadBalancer::pickRandom() was removed (deprecated in 1.21).
+* Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since
+  1.21).
+* DifferenceEngine::setText() was removed (deprecated in 1.21).
+* Title::newFromRedirectArray() was removed (deprecated in 1.21).
+* UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType
+  as the 6th. These must be passed in the options array now.
+* Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
+* Skin::accesskey was removed (deprecated since 1.21).
+* Skin::blockLink was removed (deprecated since 1.21).
+* Skin::buildRollbackLink was removed (deprecated since 1.21).
+* Skin::emailLink was removed (deprecated since 1.21).
+* Skin::formatComment was removed (deprecated since 1.21).
+* Skin::formatHiddenCategories was removed (deprecated since 1.21).
+* Skin::formatLinksInComment was removed (deprecated since 1.21).
+* Skin::formatRevisionSize was removed (deprecated since 1.21).
+* Skin::formatSize was removed (deprecated since 1.21).
+* Skin::formatTemplates was removed (deprecated since 1.21).
+* Skin::generateTOC was removed (deprecated since 1.21).
+* Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
+* Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
+* Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
+* Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
+* Skin::getLinkColour was removed (deprecated since 1.21).
+* Skin::getRevDeleteLink was removed (deprecated since 1.21).
+* Skin::getRollbackEditCount was removed (deprecated since 1.21).
+* Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
+* Skin::makeCommentLink was removed (deprecated since 1.21).
+* Skin::makeExternalImage was removed (deprecated since 1.21).
+* Skin::makeExternalLink was removed (deprecated since 1.21).
+* Skin::makeHeadline was removed (deprecated since 1.21).
+* Skin::makeImageLink was removed (deprecated since 1.21).
+* Skin::makeMediaLinkFile was removed (deprecated since 1.21).
+* Skin::makeMediaLinkObj was removed (deprecated since 1.21).
+* Skin::makeSelfLinkObj was removed (deprecated since 1.21).
+* Skin::makeThumbLink2 was removed (deprecated since 1.21).
+* Skin::makeThumbLinkObj was removed (deprecated since 1.21).
+* Skin::normaliseSpecialPage was removed (deprecated since 1.21).
+* Skin::normalizeSubpageLink was removed (deprecated since 1.21).
+* Skin::processResponsiveImages was removed (deprecated since 1.21).
+* Skin::revComment was removed (deprecated since 1.21).
+* Skin::revDeleteLink was removed (deprecated since 1.21).
+* Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
+* Skin::revUserLink was removed (deprecated since 1.21).
+* Skin::revUserTools was removed (deprecated since 1.21).
+* Skin::specialLink was removed (deprecated since 1.21).
+* Skin::splitTrail was removed (deprecated since 1.21).
+* Skin::titleAttrib was removed (deprecated since 1.21).
+* Skin::tocIndent was removed (deprecated since 1.21).
+* Skin::tocLine was removed (deprecated since 1.21).
+* Skin::tocLineEnd was removed (deprecated since 1.21).
+* Skin::tocList was removed (deprecated since 1.21).
+* Skin::tocUnindent was removed (deprecated since 1.21).
+* Skin::tooltip was removed (deprecated since 1.21).
+* Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
+* Skin::userTalkLink was removed (deprecated since 1.21).
+* Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
+* wikidiff3 is now the default and only PHP diff engine. It provides improved diff
+  performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore
+  makes no difference now. Users are still recommended to use wikidiff2 if possible,
+  though.
+* User::addNewUserLogEntry() was deprecated.
+* User::addNewUserLogEntryAutoCreate() was deprecated.
+* User::isPasswordReminderThrottled() was deprecated.
+* Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck)
+  were removed.
+* Installer can now be customized without patching MediaWiki code, see
+  mw-config/overrides/README for details.
+
+=== Compatibility ===
+
+MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
+HHVM 3.6.5 or later.
+
+MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
+support for them is somewhat less mature. There is experimental support for
+Oracle and Microsoft SQL Server.
+
+The supported versions are:
+
+* MySQL 5.0.3 or later
+* PostgreSQL 8.3 or later
+* SQLite 3.3.7 or later
+* Oracle 9.0.1 or later
+* Microsoft SQL Server 2005 (9.00.1399)
+
+=== Upgrading ===
+
+1.27 has several database changes since 1.26, and will not work without schema
+updates. Note that due to changes to some very large tables like the revision
+table, the schema update may take quite long (minutes on a medium sized site,
+many hours on a large site).
+
+If upgrading from before 1.11, and you are using a wiki as a commons
+repository, make sure that it is updated as well. Otherwise, errors may arise
+due to database schema changes.
+
+If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
+new database fields are filled with data.
+
+If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
+1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
+with MediaWiki 1.21.
+
+Don't forget to always back up your database before upgrading!
+
+See the file UPGRADE for more detailed upgrade instructions.
+
+For notes on 1.26.x and older releases, see HISTORY.
+
+
+= MediaWiki 1.26 =
+
+== MediaWiki 1.26.2 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.1 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
+
+== MediaWiki 1.26.1 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.0 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
+* Fixed stray literal \n in Special:Search.
+* Fix issue that breaks HHVM Repo Authorative mode.
+* (T120267) Work around APCu memory corruption bug
+
+== MediaWiki 1.26.0 ==

 
 === Configuration changes in 1.26 ===
 * $wgPasswordResetRoutes['email'] = true by default.
 
 === Configuration changes in 1.26 ===
 * $wgPasswordResetRoutes['email'] = true by default.


@@ -91,7 +708,7 @@ Change notes from older releases. For current info see RELEASE-NOTES-1.27.
   documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
   subclasses for more information.
 
   documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
   subclasses for more information.
 

-== extension.json changes in 1.26 ==
+=== extension.json changes in 1.26 ===

 * (T99344) The extension.json schema is now versioned. All extensions
   and skins should set a "manifest_version" property corresponding to
   the schema version they were written for. The only supported version
 * (T99344) The extension.json schema is now versioned. All extensions
   and skins should set a "manifest_version" property corresponding to
   the schema version they were written for. The only supported version


@@ -244,7 +861,39 @@ changes to languages because of Phabricator reports.
 * $wgDeferredUpdateList was removed.
 * DeferredUpdates::addHTMLCacheUpdate() was removed.
 
 * $wgDeferredUpdateList was removed.
 * DeferredUpdates::addHTMLCacheUpdate() was removed.
 

-== MediaWiki 1.25 ==
+= MediaWiki 1.25 =
+
+== MediaWiki 1.25.5 ==
+
+This is a maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.4 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
+
+== MediaWiki 1.25.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.3 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
+* (T114606) mw.notify was not correctly fixed to the page if
+  initialized while not at the top of the page.
+* Fix issue that breaks HHVM Repo Authorative mode.

 
 == MediaWiki 1.25.3 ==
 
 
 == MediaWiki 1.25.3 ==
 


@@ -299,6 +948,8 @@ This is a bug fix release of the MediaWiki 1.25 branch.
 === Changes since 1.25 ===
 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
 
 === Changes since 1.25 ===
 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
 

+== MediaWiki 1.25.0 ==
+

 === Configuration changes in 1.25 ===
 * $wgPageShowWatchingUsers was removed.
 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
 === Configuration changes in 1.25 ===
 * $wgPageShowWatchingUsers was removed.
 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.


@@ -801,55 +1452,42 @@ changes to languages because of Bugzilla reports.
   loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
   warnings through mw.log.warn when accessed.
 
   loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
   warnings through mw.log.warn when accessed.
 

+= MediaWiki 1.24 =

 
 

-== Compatibility ==
-
-MediaWiki 1.25 requires PHP 5.3.3 or later. There is experimental support for
-HHVM 3.3.0.
-
-MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
-support for them is somewhat less mature. There is experimental support for
-Oracle and Microsoft SQL Server.
-
-The supported versions are:
-
-* MySQL 5.0.3 or later
-* PostgreSQL 8.3 or later
-* SQLite 3.3.7 or later
-* Oracle 9.0.1 or later
-* Microsoft SQL Server 2005 (9.00.1399)
+== MediaWiki 1.24.6 ==

 
 

-== Upgrading ==
+This is a maintenance release of the MediaWiki 1.24 branch.

 
 

-1.25 has several database changes since 1.24, and will not work without schema
-updates. Note that due to changes to some very large tables like the revision
-table, the schema update may take quite long (minutes on a medium sized site,
-many hours on a large site).
+=== Changes since 1.24.5 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.

 
 

-If upgrading from before 1.11, and you are using a wiki as a commons
-repository, make sure that it is updated as well. Otherwise, errors may arise
-due to database schema changes.
+== MediaWiki 1.24.5 ==

 
 

-If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
-new database fields are filled with data.
-
-If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
-1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
-with MediaWiki 1.21.
-
-Don't forget to always back up your database before upgrading!
-
-See the file UPGRADE for more detailed upgrade instructions.
-
-For notes on 1.24.x and older releases, see HISTORY.
+This is a security and maintenance release of the MediaWiki 1.23 branch.

 
 

-== MediaWiki 1.24 ==
+=== Changes since 1.24.4 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.

 
 == MediaWiki 1.24.4 ==
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 
 == MediaWiki 1.24.4 ==
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 

-== Changes since 1.24.3 ==
+=== Changes since 1.24.3 ===

 
 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
 * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
 
 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
 * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running


@@ -864,7 +1502,7 @@ This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 

-== Changes since 1.24.2 ==
+=== Changes since 1.24.2 ===

 
 * (T94116) SECURITY: Compare API watchlist token in constant time
 * (T97391) SECURITY: Escape error message strings in thumb.php
 
 * (T94116) SECURITY: Compare API watchlist token in constant time
 * (T97391) SECURITY: Escape error message strings in thumb.php


@@ -878,7 +1516,7 @@ This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 

-== Changes since 1.24.1 ==
+=== Changes since 1.24.1 ===

 
 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
   to prevent various DoS attacks.
 
 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
   to prevent various DoS attacks.


@@ -902,7 +1540,7 @@ This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.24 branch.
 

-== Changes since 1.24.0 ==
+=== Changes since 1.24.0 ===

 
 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
   could lead to xss. Permission to edit MediaWiki namespace is required to
 
 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
   could lead to xss. Permission to edit MediaWiki namespace is required to


@@ -915,6 +1553,8 @@ This is a security and maintenance release of the MediaWiki 1.24 branch.
 * (bug T76168) OutputPage: Add accessors for some protected properties.
 * (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
 
 * (bug T76168) OutputPage: Add accessors for some protected properties.
 * (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
 

+== MediaWiki 1.24.0 ==
+

 === Configuration changes in 1.24 ===
 * MediaWiki will no longer run if register_globals is enabled. It has been
   deprecated for 5 years now, and was removed in PHP 5.4. For more information
 === Configuration changes in 1.24 ===
 * MediaWiki will no longer run if register_globals is enabled. It has been
   deprecated for 5 years now, and was removed in PHP 5.4. For more information


@@ -1607,14 +2247,41 @@ of files that are no longer available follows.
 * skins/common/images/icons/fileicon.png
 * skins/common/images/ksh/button_S_italic.png
 
 * skins/common/images/icons/fileicon.png
 * skins/common/images/ksh/button_S_italic.png
 

+= MediaWiki 1.23 =

 
 

-== MediaWiki 1.23 ==
+== MediaWiki 1.23.13 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.12 ===
+* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
+
+== MediaWiki 1.23.12 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.11 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+  that do not begin with a slash. This enabled trivial XSS attacks.
+  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+  error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+  with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+  longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+  result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+  and related pages no longer use HTTP redirects and are now redirected by
+  MediaWiki

 
 == MediaWiki 1.23.11 ==
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 
 == MediaWiki 1.23.11 ==
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 

-== Changes since 1.23.10 ==
+=== Changes since 1.23.10 ===

 
 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
 
 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading


@@ -1624,7 +2291,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 

-== Changes since 1.23.9 ==
+=== Changes since 1.23.9 ===

 
 * (T94116) SECURITY: Compare API watchlist token in constant time
 * (T97391) SECURITY: Escape error message strings in thumb.php
 
 * (T94116) SECURITY: Compare API watchlist token in constant time
 * (T97391) SECURITY: Escape error message strings in thumb.php


@@ -1639,7 +2306,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 

-== Changes since 1.23.8 ==
+=== Changes since 1.23.8 ===

 
 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
   to prevent various DoS attacks.
 
 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
   to prevent various DoS attacks.


@@ -1652,14 +2319,14 @@ This is a security and maintenance release of the MediaWiki 1.23 branch.
   prevent XSS and protect viewer's privacy.
 * (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
   update.php to fix.
   prevent XSS and protect viewer's privacy.
 * (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
   update.php to fix.

-* (bug T70087) Fix Special:ActiveUsers page for installations using 
+* (bug T70087) Fix Special:ActiveUsers page for installations using

   PostgreSQL.
 
 == MediaWiki 1.23.8 ==
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 
   PostgreSQL.
 
 == MediaWiki 1.23.8 ==
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 

-== Changes since 1.23.7 ==
+=== Changes since 1.23.7 ===

 
 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
   could lead to xss. Permission to edit MediaWiki namespace is required to
 
 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
   could lead to xss. Permission to edit MediaWiki namespace is required to


@@ -1673,7 +2340,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.23 branch.
 

-== Changes since 1.23.6 ==
+=== Changes since 1.23.6 ===

 
 * (bugs 66776, 71478) SECURITY:  User PleaseStand reported a way to inject code
   into API clients that used format=php to process pages that underwent flash
 
 * (bugs 66776, 71478) SECURITY:  User PleaseStand reported a way to inject code
   into API clients that used format=php to process pages that underwent flash


@@ -1777,6 +2444,7 @@ This is a security and maintenance release of the MediaWiki 1.23 branch.
   like only extracting the tail of the file partially or not at all.
 * (bug 66182) Removed -x flag on some php files.
 
   like only extracting the tail of the file partially or not at all.
 * (bug 66182) Removed -x flag on some php files.
 

+== MediaWiki 1.23.0 ==

 
 === Configuration changes in 1.23 ===
 * (bug 13250) Restored method for clearing a watchlist in web UI
 
 === Configuration changes in 1.23 ===
 * (bug 13250) Restored method for clearing a watchlist in web UI


@@ -2245,7 +2913,7 @@ changes to languages because of Bugzilla reports.
 ==== Removed globals ====
 * $wgBetterDirectionality (deprecated in 1.18)
 
 ==== Removed globals ====
 * $wgBetterDirectionality (deprecated in 1.18)
 

-== MediaWiki 1.22 ==
+= MediaWiki 1.22 =

 
 == MediaWiki 1.22.15 ==
 
 
 == MediaWiki 1.22.15 ==
 


@@ -2401,6 +3069,8 @@ This is a security and maintenance release of the MediaWiki 1.22 branch.
 * (bug 47055) Changed FOR UPDATE handling in Postgresql
 * (bug 57026) Avoid extra parsing in prepareContentForEdit()
 
 * (bug 47055) Changed FOR UPDATE handling in Postgresql
 * (bug 57026) Avoid extra parsing in prepareContentForEdit()
 

+== MediaWiki 1.22.0 ==
+

 === Configuration changes in 1.22 ===
 * $wgRedirectScript was removed. It was unused.
 * Removed $wgLocalMessageCacheSerialized, it is now always true.
 === Configuration changes in 1.22 ===
 * $wgRedirectScript was removed. It was unused.
 * Removed $wgLocalMessageCacheSerialized, it is now always true.


@@ -2810,7 +3480,7 @@ This is a security and maintenance release of the MediaWiki 1.22 branch.
   file repositories, and related ForeignAPIRepo methods getInfo and getApiUrl.
 * The new query module list=allfileusages to enumerate file usages was added.
 
   file repositories, and related ForeignAPIRepo methods getInfo and getApiUrl.
 * The new query module list=allfileusages to enumerate file usages was added.
 

-=== Languages updated in 1.22===
+=== Languages updated in 1.22 ===

 
 MediaWiki supports over 350 languages. Many localisations are updated
 regularly. Below only new and removed languages are listed, as well as
 
 MediaWiki supports over 350 languages. Many localisations are updated
 regularly. Below only new and removed languages are listed, as well as


@@ -2928,7 +3598,7 @@ changes to languages because of Bugzilla reports.
 * mediawiki.util: mw.util.wikiGetlink has been renamed to getUrl. (The old name
   still works, but is deprecated.)
 
 * mediawiki.util: mw.util.wikiGetlink has been renamed to getUrl. (The old name
   still works, but is deprecated.)
 

-== MediaWiki 1.21 ==
+= MediaWiki 1.21 =

 
 == MediaWiki 1.21.11 ==
 This is a security and maintenance release of the MediaWiki 1.21 branch.
 
 == MediaWiki 1.21.11 ==
 This is a security and maintenance release of the MediaWiki 1.21 branch.


@@ -3016,6 +3686,8 @@ This is a maintenance release of the MediaWiki 1.21 branch.
 * A problem with the Oracle SQL table creation was fixed.
 * (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.
 
 * A problem with the Oracle SQL table creation was fixed.
 * (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.
 

+== MediaWiki 1.21.0 ==
+

 === Configuration changes in 1.21 ===
 * (bug 29374) $wgVectorUseSimpleSearch is now enabled by default.
 * Deprecated $wgAllowRealName is removed. Use $wgHiddenPrefs[] = 'realname'
 === Configuration changes in 1.21 ===
 * (bug 29374) $wgVectorUseSimpleSearch is now enabled by default.
 * Deprecated $wgAllowRealName is removed. Use $wgHiddenPrefs[] = 'realname'


@@ -3344,7 +4016,7 @@ changes to languages because of Bugzilla reports.
 * BREAKING CHANGE: (bug 38244) Removed the mediawiki.api.titleblacklist module
   and moved it to the TitleBlacklist extension.
 
 * BREAKING CHANGE: (bug 38244) Removed the mediawiki.api.titleblacklist module
   and moved it to the TitleBlacklist extension.
 

-== MediaWiki 1.20 ==
+= MediaWiki 1.20 =

 
 == MediaWiki 1.20.8 ==
 This is a security release of the MediaWiki 1.20 branch.
 
 == MediaWiki 1.20.8 ==
 This is a security release of the MediaWiki 1.20 branch.


@@ -3397,7 +4069,7 @@ This is a security release of the MediaWiki 1.20 branch.
 == MediaWiki 1.20.3 ==
 This is a security and maintenance release of the MediaWiki 1.20 branch.
 
 == MediaWiki 1.20.3 ==
 This is a security and maintenance release of the MediaWiki 1.20 branch.
 

-== MediaWiki 1.20.2 ==
+=== Changes since MediaWiki 1.20.2 ===

 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.)
 * (bug 44010) Context is passed to UserGetLanguageObject.
 * The recursion guard on RequestContext::getLanguage() was weakened.
 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.)
 * (bug 44010) Context is passed to UserGetLanguageObject.
 * The recursion guard on RequestContext::getLanguage() was weakened.


@@ -3411,14 +4083,14 @@ This is a security and maintenance release of the MediaWiki 1.20 branch.
 == MediaWiki 1.20.2 ==
 This is a maintenance release of the MediaWiki 1.20 branch
 
 == MediaWiki 1.20.2 ==
 This is a maintenance release of the MediaWiki 1.20 branch
 

-== MediaWiki 1.20.1 ==
+=== Changes since MediaWiki 1.20.1 ===

 * (bug 42638) Fix API action=options&reset=1 & unit tests.
 * (bug 42370) Fixed backport of 60cc060 to use mDoneWrites — caused * (bug 42592) User rights, preferences and other things are not saving in 1.20.1.
 
 == MediaWiki 1.20.1 ==
 This is a security release of the MediaWiki 1.20 branch
 
 * (bug 42638) Fix API action=options&reset=1 & unit tests.
 * (bug 42370) Fixed backport of 60cc060 to use mDoneWrites — caused * (bug 42592) User rights, preferences and other things are not saving in 1.20.1.
 
 == MediaWiki 1.20.1 ==
 This is a security release of the MediaWiki 1.20 branch
 

-Changes since 1.20
+=== Changes since 1.20.0 ===

 * (bug 42202) Validate options to prevent html injection
 * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
 * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
 * (bug 42202) Validate options to prevent html injection
 * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
 * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit


@@ -3426,9 +4098,7 @@ Changes since 1.20
 * (bug 40632) Remove CleanupPresentationalAttributes feature
 * [Database] Fixed case where trx idle callbacks might be lost.
 
 * (bug 40632) Remove CleanupPresentationalAttributes feature
 * [Database] Fixed case where trx idle callbacks might be lost.
 

-
-
-== MediaWiki 1.20 ==
+== MediaWiki 1.20.0 ==

 
 === PHP 5.3 now required ===
 Since 1.20, the lowest supported version of PHP is now 5.3.2. Please
 
 === PHP 5.3 now required ===
 Since 1.20, the lowest supported version of PHP is now 5.3.2. Please


@@ -3795,7 +4465,7 @@ changes to languages because of Bugzilla reports.
 == MediaWiki 1.19.21 ==
 This is a maintenance release of the MediaWiki 1.19 branch.
 
 == MediaWiki 1.19.21 ==
 This is a maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.20===
+=== Changes since 1.19.20 ===

 * (bug 67440) Allow classes to be registered properly from installer.
 * (bug 47281) Fixed a dumpBackup.php error with --uploads --include-filesoptions: Unable to find the wrapper "mwstore". * System administrators are encouraged to upgrade to this release or 1.22+ and produce a full data dump. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Backing_up_a_wiki
 * (bug 63049) Removed anonymous functions from ApiFormatBase, added in1.19.13 as part of the fix for bug 61362, for PHP 5.2 compatibility.
 * (bug 67440) Allow classes to be registered properly from installer.
 * (bug 47281) Fixed a dumpBackup.php error with --uploads --include-filesoptions: Unable to find the wrapper "mwstore". * System administrators are encouraged to upgrade to this release or 1.22+ and produce a full data dump. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Backing_up_a_wiki
 * (bug 63049) Removed anonymous functions from ApiFormatBase, added in1.19.13 as part of the fix for bug 61362, for PHP 5.2 compatibility.


@@ -3803,73 +4473,73 @@ This is a maintenance release of the MediaWiki 1.19 branch.
 == MediaWiki 1.19.20 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 == MediaWiki 1.19.20 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.19===
+=== Changes since 1.19.19 ===

 * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
 
 == MediaWiki 1.19.19 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
 
 == MediaWiki 1.19.19 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.18===
+=== Changes since 1.19.18 ===

 * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
 
 == MediaWiki 1.19.18 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
 
 == MediaWiki 1.19.18 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.17===
+=== Changes since 1.19.17 ===

 * (bug 68187) SECURITY: Prepend jsonp callback with comment.
 * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
 
 == MediaWiki 1.19.17 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 * (bug 68187) SECURITY: Prepend jsonp callback with comment.
 * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
 
 == MediaWiki 1.19.17 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.16===
+=== Changes since 1.19.16 ===

 * (bug 65839) SECURITY: Prevent external resources in SVG files.
 * (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
 
 == MediaWiki 1.19.16 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 * (bug 65839) SECURITY: Prevent external resources in SVG files.
 * (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
 
 == MediaWiki 1.19.16 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.15===
+=== Changes since 1.19.15 ===

 * (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
 
 == MediaWiki 1.19.15 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 * (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
 
 == MediaWiki 1.19.15 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.14===
+=== Changes since 1.19.14 ===

 Fixed resetting passwords.
 * (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
 
 == MediaWiki 1.19.14 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 Fixed resetting passwords.
 * (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
 
 == MediaWiki 1.19.14 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.13===
+=== Changes since 1.19.13 ===

 * (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
 * (bug 62467) Set a title for the context during import on the cli.
 
 == MediaWiki 1.19.13 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 * (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
 * (bug 62467) Set a title for the context during import on the cli.
 
 == MediaWiki 1.19.13 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.12===
+=== Changes since 1.19.12 ===

 * (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
 * Use the correct branch of the extensions' git repositories.
 
 == MediaWiki 1.19.12 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 * (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
 * Use the correct branch of the extensions' git repositories.
 
 == MediaWiki 1.19.12 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.11===
+=== Changes since 1.19.11 ===

 * (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. * User will get an error including the namespace name if they use a non- whitelisted namespace.
 * (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
 
 == MediaWiki 1.19.11 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 * (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. * User will get an error including the namespace name if they use a non- whitelisted namespace.
 * (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
 
 == MediaWiki 1.19.11 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.10===
+=== Changes since 1.19.10 ===

 * (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats
 
 == MediaWiki 1.19.10 ==
 This is a security release of the MediaWiki 1.19 branch.
 
 * (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats
 
 == MediaWiki 1.19.10 ==
 This is a security release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.9===
+=== Changes since 1.19.9 ===

 * (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
 * (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
 * (bug 58472) SECURITY: Disallow -o-link in styles
 * (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
 * (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
 * (bug 58472) SECURITY: Disallow -o-link in styles


@@ -3879,7 +4549,7 @@ This is a security release of the MediaWiki 1.19 branch.
 == MediaWiki 1.19.9 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 == MediaWiki 1.19.9 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.8===
+=== Changes since 1.19.8 ===

 * (bug 53032) SECURITY: Don't cache when a call could autocreate
 * (bug 55332) SECURITY: Improve css javascript detection
 * (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload
 * (bug 53032) SECURITY: Don't cache when a call could autocreate
 * (bug 55332) SECURITY: Improve css javascript detection
 * (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload


@@ -3890,7 +4560,7 @@ This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 
 This is a security and maintenance release of the MediaWiki 1.19 branch.
 

-=== Changes since 1.19.7===
+=== Changes since 1.19.7 ===

 * SECURITY: Sanitize ResourceLoader exception messages
 * SECURITY: Token-getting functions will fail when using jsonp callbacks.
 * SECURITY: Fix extension detection with 2 .'s
 * SECURITY: Sanitize ResourceLoader exception messages
 * SECURITY: Token-getting functions will fail when using jsonp callbacks.
 * SECURITY: Fix extension detection with 2 .'s


@@ -3903,7 +4573,7 @@ This is a security and maintenance release of the MediaWiki 1.19 branch.
 
 This is a security release of the MediaWiki 1.19 branch
 
 
 This is a security release of the MediaWiki 1.19 branch
 

-=== Changes since 1.19.6===
+=== Changes since 1.19.6 ===

 * (bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.
 
 == MediaWiki 1.19.6 ==
 * (bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.
 
 == MediaWiki 1.19.6 ==


@@ -3911,7 +4581,7 @@ This is a security release of the MediaWiki 1.19 branch
 
 This is a security and maintenance release of the MediaWiki 1.19 branch
 
 
 This is a security and maintenance release of the MediaWiki 1.19 branch
 

-=== Changes since 1.19.5===
+=== Changes since 1.19.5 ===

 * (bug 47304) SECURITY: Check SVG xml encoding against whitelist
 * (bug 46590) Added AbortChangePassword hook to allow extensions to abort password changes from Special:ChangePassword
 * Localisation updates from http://translatewiki.net.
 * (bug 47304) SECURITY: Check SVG xml encoding against whitelist
 * (bug 46590) Added AbortChangePassword hook to allow extensions to abort password changes from Special:ChangePassword
 * Localisation updates from http://translatewiki.net.


@@ -3924,7 +4594,7 @@ This is a security and maintenance release of the MediaWiki 1.19 branch
 
 This is a security and maintenance release of the MediaWiki 1.19 branch
 
 
 This is a security and maintenance release of the MediaWiki 1.19 branch
 

-=== Changes since 1.19.4===
+=== Changes since 1.19.4 ===

 * (bug 47251) SECURITY: Disable external entities in Import
 * (bug 46859) SECURITY: Disable external entities in XMLReader
 * (bug 46084) SECURITY: Sanitize $limitReport before outputting
 * (bug 47251) SECURITY: Disable external entities in Import
 * (bug 46859) SECURITY: Disable external entities in XMLReader
 * (bug 46084) SECURITY: Sanitize $limitReport before outputting


@@ -3936,7 +4606,7 @@ This is a security and maintenance release of the MediaWiki 1.19 branch
 
 This is a security release of the MediaWiki 1.19 branch
 
 
 This is a security release of the MediaWiki 1.19 branch
 

-=== Changes since 1.19.3===
+=== Changes since 1.19.3 ===

 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
 * (bug 44010) Context is passed to UserGetLanguageObject.
 * The recursion guard on RequestContext::getLanguage() was weakened.
 * New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
 * (bug 44010) Context is passed to UserGetLanguageObject.
 * The recursion guard on RequestContext::getLanguage() was weakened.


@@ -3948,7 +4618,7 @@ This is a security release of the MediaWiki 1.19 branch
 
 This is a security release of the MediaWiki 1.19 branch
 
 
 This is a security release of the MediaWiki 1.19 branch
 

-=== Changes since 1.19.2===
+=== Changes since 1.19.2 ===

 * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
 * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
 * Increase permitted runtime for testParserTest (only used for continuous integration).
 * (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
 * (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
 * Increase permitted runtime for testParserTest (only used for continuous integration).