input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
- MediaWiki installation. This data includes, for example, the type of system,
+ MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
+* When $EditSubmitButtonLabelPublish is true, MediaWiki will label the button
+ to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
+ if false, the default, they will be "Save page"/"Save changes".
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* (T141604) Extensions can now provide a better error message when their
maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
- to uca-default-u-kn or uca-<langcode>-u-kn. If migrating from another
+ to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
+ a 'numeric' collation is also available. If migrating from another
collation, you will need to run the updateCollation.php maintenance script.
+* Two new codes have been added to #time parser function: "xit" for days in current
+ month, and "xiz" for days passed in the year, both in Iranian calendar.
+* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
+ appropriate for sending multi-valued parameters. This defaults to true when
+ the mw.Api instance seems to be for the local wiki.
=== External library changes in 1.28 ===
==== Removed and replaced external libraries ====
=== Bug fixes in 1.28 ===
+* (T137264) SECURITY: XSS in unclosed internal links
+* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
+* (T133147) SECURITY: Require login to preview user CSS pages
+* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
+ the top file
+* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
+ permissions
+* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
+* (T139670) Move 'UserGetRights' call before application of
+ Session::getAllowedUserRights()
=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
* The following response properties from action=login, deprecated in 1.27, are
now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
to properly manage session state.
+* Submitting the lgtoken and lgpassword parameters in the query string to
+ action=login is now deprecated and outputs a warning. They should be submitted
+ in the POST body instead.
+* Submitting sensitive authentication request parameters to action=clientlogin,
+ action=createaccount, action=linkaccount, and action=changeauthenticationdata
+ in the query string is now deprecated and outputs a warning. They should be
+ submitted in the POST body instead.
+* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
+ instead of the pipe character. This will be useful if some of the multiple
+ values need to contain pipes, e.g. for action=options.
=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with ApiParse and ApiExpandTemplates.
+* (T139565) SECURITY: API: Generate head items in the context of the given title
+* (T115333) SECURITY: Check read permission when loading page content in ApiParse
=== Languages updated in 1.28 ===
=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
-* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
+* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
on requests needed by primary providers even if all primaries need them.
Primary providers are discouraged from returning multiple REQUIRED requests.
+* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
+ will no longer be automatically infused. You should call `OO.ui.infuse()`
+ on them yourself from your JavaScript code.
== Compatibility ==