X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=RELEASE-NOTES-1.27;h=d9b6dd54dac83191c457d790f9e16a573b7aa5f3;hb=1159454506b6809c340d999461be8cf1a7e39d4f;hp=f56651870504fc331c71c6294165f4353e1a5459;hpb=df0b1deaec388fde05d0c38fc80eb8ec5eb66b9e;p=lhc%2Fweb%2Fwiklou.git diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index f566518705..d9b6dd54da 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -81,6 +81,8 @@ production. MediaWiki\Session\SessionProvider. ** The User cannot be loaded from session until after Setup.php completes. Attempts to do so will be ignored and the User will remain unloaded. +** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses + the MediaWiki\Session\Token class. * MediaWiki will now auto-create users as necessary, removing the need for extensions to do so. An 'autocreateaccount' right is added to allow auto-creation when 'createaccount' is not granted to all users. @@ -88,6 +90,10 @@ production. * Most cookie-handling methods in User are deprecated. * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an experimental feature that has never worked. +* Login and createaccount tokens now vary by timestamp. +* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() + return a MediaWiki\Session\Token, and tokens must be checked using that + class's methods. === New features in 1.27 === * $wgDataCenterId and $wgDataCenterRoles where added, which will serve as 
@@ -146,6 +152,10 @@ production. * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g. to assert that the request comes from a particular IP range. * Added bot passwords, a rights-restricted login mechanism for API-using bots. +* Whitelisted the following HTML attributes for all elements in wikitext: + aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns. +* Removed "presentation" restriction on the HTML role attribute in wikitext. + All values are now allowed for the role attribute. === External library changes in 1.27 === @@ -292,6 +302,8 @@ changes to languages because of Phabricator reports. * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25). * Gallery images with multiple caption pipes no longer concatenate them all together but instead pick the final one, similar to image syntax. +* XML-like parser tags (such as ), when unclosed, will be left unparsed + rather than consume everything until the end of the page. == Compatibility ==
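Review bot: In the hunk at @@ -81,6 +81,8, the new entry says CSRF tokens "may be fetched from the MediaWiki\Session\Session" but names no method to call, and "may" leaves it unclear whether this is now the preferred source or only one option. Suggest naming the accessor and stating whether the older ways of obtaining tokens remain supported, so extension authors know what to migrate.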
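Review bot: In the hunk at @@ -88,6 +90,10, the entry for LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() announces a changed return type in an ordinary bullet, without flagging it as a breaking change or saying what was returned before. Combined with "tokens now vary by timestamp", the callers affected are those that compare the returned value directly against a submitted token. Suggest saying that explicitly and naming the MediaWiki\Session\Token method to use in place of the phrase "that class's methods".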
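Review bot: In the hunk at @@ -146,6 +152,10, "All values are now allowed for the role attribute" and the five new aria-* attributes widen what wikitext authors can emit, but the entries say nothing about how the values are handled. Suggest adding a sentence on whether these values go through the same escaping as other whitelisted attributes, in particular for aria-describedby, aria-flowto, aria-labelledby and aria-owns, which reference element IDs.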
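Review bot: In the hunk at @@ -292,6 +302,8, the parenthetical reads "such as )" with no tag name in this rendering, so the example the entry relies on is missing. Check that the literal tag survives when the file is displayed, and consider adding that pages which depended on an unclosed tag consuming the rest of the page will now render differently.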