-Change notes from older releases. For current info see RELEASE-NOTES-1.29.
+Change notes from older releases. For current info see RELEASE-NOTES-1.30.
+
+= MediaWiki 1.29 =
+
+== MediaWiki 1.29.0 ==
+
+=== Configuration changes in 1.29 ===
+* Default cookie expiration time has been reduced to 30 days. Login cookie
+ expiration time is kept at 180 days.
+* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
+ determines whether to set a cookie when a user is autoblocked. Doing so means
+ that a blocked user, even after logging out and moving to a new IP address,
+ will still be blocked.
+* The resetpassword right and associated password reset capture feature has
+ been removed.
+* The $error parameter to the EmailUser hook should be set to a Status object
+ or boolean false. This should be compatible with at least MediaWiki 1.23 if
+ not earlier. Returning a raw HTML string is now deprecated.
+* The $message parameter to the ApiCheckCanExecute hook should be set to an
+ ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
+ code for ApiBase::parseMsg() will no longer work.
+* ApiBase::$messageMap is no longer public. Code attempting to access it will
+ result in a PHP fatal error.
+* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
+ policies.
+* Subpages are now enabled by default in the Template namespace. Set
+ $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
+* $wgRunJobsAsync is now false by default (T142751). This change only affects
+ wikis with $wgJobRunRate > 0.
+* (T158474) "Unknown user" has been added to $wgReservedUsernames.
+* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
+* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
+ added to $wgExtraLanguageCodes instead.
+* (T161453) LocalisationCache will no longer use the temporary directory in it's
+ fallback chain when trying to work out where to write the cache.
+* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
+ 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
+
+=== New features in 1.29 ===
+* (T5233) A cookie can now be set when a user is autoblocked, to track that user
+ if they move to a new IP address. This is disabled by default.
+* Added ILocalizedException interface to standardize the use of localized
+ exceptions, largely so the API can handle them more sensibly.
+* Blocks created automatically by MediaWiki, such as for configured proxies or
+ dnsbls, are now indicated as such and use a new i18n message when displayed.
+* Added new $wgHTTPImportTimeout setting. Sets timeout for
+ downloading the XML dump during a transwiki import in seconds.
+* Parser limit report is now available in machine-readable format to JavaScript
+ via mw.config.get('wgPageParseReport').
+* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
+ from certain IP ranges (e.g. private IPs).
+* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
+ of the page being parsed.
+* HTML5 form validation attributes will no longer be suppressed. Originally
+ browsers had poor support for them, but modern browsers handle them fine.
+ This might affect some forms that used them and only worked because the
+ attributes were not actually being set.
+* Expiry times can now be specified when users are added to user groups.
+* Completely new user interface for the RecentChanges page, which
+ structures filters into user-friendly groups. This has corresponding
+ changes to how filters are registered by core and extensions.
+* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
+ Because this change can cause problems for extensions and on-wiki
+ scripts depending on the exact HTML, the old version is still available
+ and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
+ This will be removed later and OOjs UI will become the only option.
+ To make testing easier, users can also force either mode by adding
+ &ooui=true or &ooui=false to the action=edit URL.
+
+=== External library changes in 1.29 ===
+
+==== Upgraded external libraries ====
+* Updated QUnit from v1.22.0 to v1.23.1.
+* Updated cssjanus from v1.1.2 to v1.2.0.
+* Updated psr/log from v1.0.0 to v1.0.2.
+* Update Moment.js from v2.8.4 to v2.15.0.
+* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
+* Updated monolog from v1.18.2 to 1.22.1.
+* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
+* Updated OOjs from v1.1.10 to v2.0.0.
+* Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
+
+==== New external libraries ====
+* Added wikimedia/timestamp v1.0.0.
+* Added wikimedia/remex-html v1.0.1.
+
+==== Removed and replaced external libraries ====
+
+=== Bug fixes in 1.29 ===
+* (T62604) Core parser functions returning a number now format the number according
+ to the page content language, not wiki content language.
+* (T27187) Search suggestions based on jquery.suggestions will now correctly only
+ highlight prefix matches in the results.
+* (T157035) "new mw.Uri()" was ignoring options when using default URI.
+* Special:Allpages can no longer be filtered by redirect in miser mode.
+* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
+* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
+ to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+ $wgAdvancedSearchHighlighting is true.
+* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
+ their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+ token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
+* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
+ declaration.
+* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
+ in it's fallback chain when trying to work out where to write the cache.
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
+ syntax's link parameter.
+* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
+ it.
+
+=== Action API changes in 1.29 ===
+* Submitting sensitive authentication request parameters to action=login,
+ action=clientlogin, action=createaccount, action=linkaccount, and
+ action=changeauthenticationdata in the query string is now an error. They
+ should be submitted in the POST body instead.
+* The capture option for action=resetpassword has been removed
+* action=clearhasmsg now requires a POST.
+* (T47843) API errors and warnings may be requested in non-English languages
+ using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
+* API error codes may have changed. Most notably, errors from modules using
+ parameter prefixes (e.g. all query submodules) will no longer be prefixed.
+* ApiPageSet-using modules will report the 'invalidreason' using the specified
+ 'errorformat'.
+* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
+ 'errors' subelements (as applicable) instead of 'message'.
+* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
+* action=move now reports errors when moving the talk page as an array under
+ key 'talkmove-errors', rather than using 'talkmove-error-code' and
+ 'talkmove-error-info'. The format for subpage move errors has also changed.
+* action=revisiondelete no longer includes a "rendered" property on warnings
+ and errors for each item. Use errorformat=wikitext if you're wanting parsed
+ output.
+* action=rollback no longer returns a "messageHtml" property. Use
+ errorformat=html if you're wanting HTML formatting of error messages.
+* action=upload now reports optional stash failures as an array under key
+ 'stasherrors' rather than a 'stashfailed' text string.
+* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
+ no longer returns a 'message' on success.
+* Added action=validatepassword to validate passwords for the account creation
+ and password change forms.
+* action=purge now requires a POST.
+* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
+ which returns a list of languages with active LanguageConverter instances.
+* action=query&query=allpages will no longer filter redirects using a database
+ query in miser mode. This may result in less results being returned than were
+ requested.
+
+=== Action API internal changes in 1.29 ===
+* New methods were added to ApiBase to handle errors and warnings using i18n
+ keys. Methods for using hard-coded English messages were deprecated:
+ * ApiBase::dieUsage() was deprecated
+ * ApiBase::dieUsageMsg() was deprecated
+ * ApiBase::dieUsageMsgOrDebug() was deprecated
+ * ApiBase::getErrorFromStatus() was deprecated
+ * ApiBase::parseMsg() was deprecated
+ * ApiBase::setWarning() was deprecated
+* ApiBase::$messageMap is no longer public. Code attempting to access it will
+ result in a PHP fatal error.
+* The $message parameter to the ApiCheckCanExecute hook should be set to an
+ ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
+ code for ApiBase::parseMsg() will no longer work.
+* UsageException is deprecated in favor of ApiUsageException. For the time
+ being ApiUsageException is a subclass of UsageException to allow things that
+ catch only UsageException to still function properly.
+* If, for some strange reason, code was using an ApiErrorFormatter instead of
+ ApiErrorFormatter_BackCompat, note that the result format has changed and
+ various methods now take a module path rather than a module name.
+* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
+ from the message key, and maps some message keys for backwards compatibility.
+* API parameters may now be marked as "sensitive" to keep their values out of
+ the logs.
+
+=== Languages updated in 1.29 ===
+
+MediaWiki supports over 350 languages. Many localisations are updated
+regularly. Below only new and removed languages are listed, as well as
+changes to languages because of Phabricator reports.
+
+* Based as always on linguistic studies on intelligibility and language
+ knowledge by geography, language fallbacks have been expanded. When a
+ translation is missing in the user's preferred interface language, the
+ corresponding translation for the fallback language will be used instead.
+ English will only be used as last resort when there are no translations.
+ Some configurations (such as date formats and gender namespaces) have also
+ been updated when using the fallback language's configuration was inadequate.
+ The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
+ ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
+ sh → bs, sr-el, hr.
+* (T137376) New language support: Atikamekw (atj).
+* (T163600) New language support: Dinka (din).
+* (T155957) Talk Namespaces for Javanese language (jv) have been updated.
+
+==== No fallback for Ukrainian ====
+* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
+ language will now use the default fallback language: English. When a translation
+ to Ukrainian is not available, an English string will be shown.
+
+=== Other changes in 1.29 ===
+* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
+ SearchEngineFactory::getSearchEngineClass() instead.
+* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
+ required as all sessions are stored in Object Cache now.
+* MWHttpRequest::execute() should be considered to return a StatusValue; the
+ Status return type is deprecated.
+* User::edits() (deprecated in 1.21) was removed.
+* Xml::escapeJsString() (deprecated in 1.21) was removed.
+* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
+ were removed.
+* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
+ were removed.
+* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
+ instead.
+* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
+* Class RevisiondeleteAction (deprecated in 1.25) was removed.
+* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
+* WikiPage::getText() (deprecated in 1.21) was removed.
+* Article::fetchContent() (deprecated in 1.21) was removed.
+* User::getPassword() (deprecated in 1.27) was removed.
+* User::getTemporaryPassword() (deprecated in 1.27) was removed.
+* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
+* Class FSRepo (deprecated in 1.19) was removed.
+* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
+ \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
+* Class ImageGallery (deprecated in 1.22) was removed.
+ Use ImageGalleryBase::factory instead.
+* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
+* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
+ emit warnings). Create a subclass of Action and add it to $wgActions instead.
+* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
+* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
+* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
+* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
+* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
+* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
+* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
+ and outdated lists of errors/warnings returned by the API, are now deprecated.
+* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
+ URLs to continue to work, set up redirects. In Apache, this can be done by enabling
+ mod_rewrite and adding the following rules to your configuration:
+
+ RewriteEngine On
+ RewriteBase /
+ RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
+* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
+ Use ArticleAfterFetchContentObject instead.
+* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
+ Use PageContentInsertComplete instead.
+* Hook ArticleSave (deprecated in 1.21) was removed.
+ Use PageContentSave instead.
+* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
+ Use PageContentSaveComplete instead.
+* Hook EditFilterMerged (deprecated in 1.21) was removed.
+ Use EditFilterMergedContent instead.
+* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
+ Use EditPageGetPreviewContent instead.
+* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
+ Use ContentHandlerDefaultModelFor instead.
+* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
+ Use ContentHandlerDefaultModelFor instead.
+* Article::getContent() (deprecated in 1.21) was removed.
+* Revision::getText() (deprecated in 1.21) was removed.
+* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
+* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
+* Article::doEditContent() was marked as deprecated, to be removed in 1.30
+ or later.
+* ContentHandler::runLegacyHooks() was removed.
+* refreshLinks.php now can be limited to a particular category with --category=...
+ or a tracking category with --tracking-category=...
+* User-like objects that are passed to SpecialUserRights and its subclasses are
+ now required to have a getGroupMemberships() method. See UserRightsProxy for
+ an example.
+* User::$mGroups (instance variable) was marked private. Use User::getGroups()
+ instead.
+* User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
+ User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
+ Use equivalent methods on the UserGroupMembership class.
+* Maintenance scripts and tests that call User::addGroup() must now ensure that
+ User objects have been added to the database prior to calling addGroup().
+* Protected function UsersPager::getGroups() was removed, and protected function
+ UsersPager::buildGroupLink() was changed from a static to an instance method.
+* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
+ see docs/hooks.txt.
+* User::crypt() (deprecated in 1.24) was removed.
+* User::comparePasswords() (deprecated in 1.24) was removed.
+* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
+* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
+* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
+ and subclasses. It should only break if you call buildMainQueryConds
+ (changed to buildQuery with new signature) or doMainQuery (new
+ signature). Subclasses are likely to call at least doMainQuery
+ (possibly both), but other classes might too, because they were
+ public.
+ Also, some related hooks were deprecated, but this is not yet a
+ breaking change.
+* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
+* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
+* WikiRevision::$fileIsTemp was deprecated.
+* WikiRevision::$importer was deprecated.
+* WikiRevision::$user was deprecated.
+* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
+ WikiPage::PURGE_* constants are deprecated, and the functions will always
+ return false. They were a hack for an issue that has since been fixed.
+* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
+ 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
+ if you don't actually care about checkboxes and just want to add some HTML
+ to the page.
+* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
+ rather than <strong> tags. The old class name, "selflink", was deprecated
+ and will be removed in a future release. (T160480)
+* (T156184) $wgRawHtml will no longer apply to internationalization messages.
+* Browser support for non-ES5 JavaScript browsers, including Android 2,
+ Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
+* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
+ is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
+ webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
+ opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
+ ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
+ addClickHandler, removeHandler, getElementsByClassName, getInnerText,
+ setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
+ mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
+ escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
+ tooltipAccessKeyRegexp, updateTooltipAccessKeys.
+* The ID of the <li> element containing the login link has changed from
+ 'pt-login' to 'pt-login-private' in private wikis.
+* The old, neglected "bulletin board style toolbar" in the edit form is now
+ deprecated (T30856). This old code dates from 2006, and was replaced in the
+ MediaWiki release tarball and in Wikimedia production by the WikiEditor
+ extension in 2010. It is only shown to users if no other editor was
+ installed, and leads to confusion.
+* (T92459) Loading ResourceLoader modules containing JavaScript through
+ addModuleStyles() is deprecated and will log a warning server-side.
+
+= MediaWiki 1.28 =
+
+== MediaWiki 1.28.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.28 branch.
+
+=== Changes since 1.28.0 ===
+
+* $wgRunJobsAsync is now false by default (T142751). This change only affects
+ wikis with $wgJobRunRate > 0.
+* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
+ more than one database server setup.
+* (T152717) Better escaping for PHP mail() command,
+* (T154670) A missing method causing the MySQL installer to fatal in rare
+ circumstances was restored.
+* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
+* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
+* (T145635) Fix too long index error when installing with MSSQL.
+* (T156184) $wgRawHtml will no longer apply to internationalization messages.
+* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
+* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
+* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
+ to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+ $wgAdvancedSearchHighlighting is true.
+* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
+ their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+ token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
+* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
+ declaration.
+* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
+ in it's fallback chain when trying to work out where to write the cache.
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
+ syntax's link parameter.
+* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
+ it.
== MediaWiki 1.28 ==
= MediaWiki 1.27 =
+== MediaWiki 1.27.2 ==
+This is a security and maintenance release of the MediaWiki 1.27 branch.
+
+ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
+deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0
+was released.
+
+=== Changes since 1.27.1 ===
+
+* (T68404) CSS3 attr() function with url type argument is no longer allowed
+ in inline styles.
+* $wgRunJobsAsync is now false by default (T142751). This change only affects
+ wikis with $wgJobRunRate > 0.
+* (T152717) Better escaping for PHP mail() command
+* Submitting the lgtoken and lgpassword parameters in the query string to
+ action=login is now deprecated and outputs a warning. They should be submitted
+ in the POST body instead.
+* Submitting sensitive authentication request parameters to action=clientlogin,
+ action=createaccount, action=linkaccount, and action=changeauthenticationdata
+ in the query string is now deprecated and outputs a warning. They should be
+ submitted in the POST body instead.
+* (T158766) Avoid SQL error on MSSQL when using selectRowCount()
+* (T145635) Fix too long index error when installing with MSSQL.
+* (T156184) $wgRawHtml will no longer apply to internationalization messages.
+* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
+* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
+ to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+ $wgAdvancedSearchHighlighting is true.
+* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
+ their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+ token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
+* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
+ declaration.
+* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
+ in it's fallback chain when trying to work out where to write the cache.
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
+ syntax's link parameter.
+* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
+ it.
+
== MediaWiki 1.27.1 ==
This is a maintenance release of the MediaWiki 1.27 branch.
* ApiMain::addFormat() was removed (deprecated in 1.21).
* ApiMain::getFormats() was removed (deprecated in 1.21).
* ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
-* ApiCreateAccount is deprecated, and will be removed soon.
+* ApiCreateAccount was removed.
=== Languages updated in 1.27 ===
= MediaWiki 1.23 =
+== MediaWiki 1.23.16 ==
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.15 ===
+* (T68404) CSS3 attr() function with url type is no longer allowed
+ in inline styles.
+* (T156184) $wgRawHtml will no longer apply to internationalization messages.
+* Submitting the lgtoken and lgpassword parameters in the query string to
+ action=login is now deprecated and outputs a warning. They should be submitted
+ in the POST body instead.
+* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
+ to interwiki links.
+* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
+ $wgAdvancedSearchHighlighting is true.
+* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
+ their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+ token.
+* (T156184) SECURITY: Escape content model/format url parameter in message.
+* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
+ declaration.
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
+ syntax's link parameter.
+* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
+ it.
+
== MediaWiki 1.23.15 ==
This is a maintenance release of the MediaWiki 1.23 branch.