1f30b7068e494fb1673e8853aeb5e943185c0420
[lhc/web/wiklou.git] / HISTORY
1 Change notes from older releases. For current info see RELEASE-NOTES-1.30.
2
3 = MediaWiki 1.29 =
4
5 == MediaWiki 1.29.2 ==
6
7 This is a security and maintenance release of the MediaWiki 1.29 branch.
8
9 === Changes since 1.29.1 ===
10 * (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
11 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
12 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
13 * Fixed login button label to accept RawMessage.
14 * Fixed case of SpecialRecentChanges class usage.
15 * (T174255) Declare uploadCount property in importDump.php.
16 * (T163646) Pass a string not an int to mysql_real_escape_string().
17 * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
18 * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
19 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
20 sends non-standard url escaping.
21 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
22 * (T128209) SECURITY: Reflected File Download from api.php.
23 * (T134100) SECURITY: Do not reveal if user exists during login failure.
24 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
25 * (T125163) SECURITY: Make anchor for headlines escape > and <.
26 * (T180237) SECURITY: Protect vendor folder with .htaccess.
27 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
28 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
29 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
30 * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
31 branches in the previous security release.
32
33 == MediaWiki 1.29.1 ==
34
35 This is a maintenance release of the MediaWiki 1.29 branch.
36
37 The SpamBlacklist and PdfHandler extensions were missing from the generated
38 packages.
39
40 === Changes since 1.29.1 ===
41 * (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
42 * (T172061) Fix fatal when passing a category to refreshLinks.php.
43
44 == MediaWiki 1.29.0 ==
45
46 === Configuration changes in 1.29 ===
47 * Default cookie expiration time has been reduced to 30 days. Login cookie
48 expiration time is kept at 180 days.
49 * A new configuration variable has been added: $wgCookieSetOnAutoblock. This
50 determines whether to set a cookie when a user is autoblocked. Doing so means
51 that a blocked user, even after logging out and moving to a new IP address,
52 will still be blocked.
53 * The resetpassword right and associated password reset capture feature has
54 been removed.
55 * The $error parameter to the EmailUser hook should be set to a Status object
56 or boolean false. This should be compatible with at least MediaWiki 1.23 if
57 not earlier. Returning a raw HTML string is now deprecated.
58 * The $message parameter to the ApiCheckCanExecute hook should be set to an
59 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
60 code for ApiBase::parseMsg() will no longer work.
61 * ApiBase::$messageMap is no longer public. Code attempting to access it will
62 result in a PHP fatal error.
63 * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
64 policies.
65 * Subpages are now enabled by default in the Template namespace. Set
66 $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
67 * $wgRunJobsAsync is now false by default (T142751). This change only affects
68 wikis with $wgJobRunRate > 0.
69 * (T158474) "Unknown user" has been added to $wgReservedUsernames.
70 * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
71 * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
72 added to $wgExtraLanguageCodes instead.
73 * (T161453) LocalisationCache will no longer use the temporary directory in it's
74 fallback chain when trying to work out where to write the cache.
75 * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
76 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
77
78 === New features in 1.29 ===
79 * (T5233) A cookie can now be set when a user is autoblocked, to track that user
80 if they move to a new IP address. This is disabled by default.
81 * Added ILocalizedException interface to standardize the use of localized
82 exceptions, largely so the API can handle them more sensibly.
83 * Blocks created automatically by MediaWiki, such as for configured proxies or
84 dnsbls, are now indicated as such and use a new i18n message when displayed.
85 * Added new $wgHTTPImportTimeout setting. Sets timeout for
86 downloading the XML dump during a transwiki import in seconds.
87 * Parser limit report is now available in machine-readable format to JavaScript
88 via mw.config.get('wgPageParseReport').
89 * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
90 from certain IP ranges (e.g. private IPs).
91 * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
92 of the page being parsed.
93 * HTML5 form validation attributes will no longer be suppressed. Originally
94 browsers had poor support for them, but modern browsers handle them fine.
95 This might affect some forms that used them and only worked because the
96 attributes were not actually being set.
97 * Expiry times can now be specified when users are added to user groups.
98 * Completely new user interface for the RecentChanges page, which
99 structures filters into user-friendly groups. This has corresponding
100 changes to how filters are registered by core and extensions.
101 * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
102 Because this change can cause problems for extensions and on-wiki
103 scripts depending on the exact HTML, the old version is still available
104 and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
105 This will be removed later and OOjs UI will become the only option.
106 To make testing easier, users can also force either mode by adding
107 &ooui=true or &ooui=false to the action=edit URL.
108
109 === External library changes in 1.29 ===
110
111 ==== Upgraded external libraries ====
112 * Updated QUnit from v1.22.0 to v1.23.1.
113 * Updated cssjanus from v1.1.2 to v1.2.0.
114 * Updated psr/log from v1.0.0 to v1.0.2.
115 * Update Moment.js from v2.8.4 to v2.15.0.
116 * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
117 * Updated monolog from v1.18.2 to 1.22.1.
118 * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
119 * Updated OOjs from v1.1.10 to v2.0.0.
120 * Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
121
122 ==== New external libraries ====
123 * Added wikimedia/timestamp v1.0.0.
124 * Added wikimedia/remex-html v1.0.1.
125
126 ==== Removed and replaced external libraries ====
127
128 === Bug fixes in 1.29 ===
129 * (T62604) Core parser functions returning a number now format the number according
130 to the page content language, not wiki content language.
131 * (T27187) Search suggestions based on jquery.suggestions will now correctly only
132 highlight prefix matches in the results.
133 * (T157035) "new mw.Uri()" was ignoring options when using default URI.
134 * Special:Allpages can no longer be filtered by redirect in miser mode.
135 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
136 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
137 to interwiki links.
138 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
139 $wgAdvancedSearchHighlighting is true.
140 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
141 their values out of the logs.
142 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
143 token.
144 * (T156184) SECURITY: Escape content model/format url parameter in message.
145 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
146 declaration.
147 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
148 in it's fallback chain when trying to work out where to write the cache.
149 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
150 syntax's link parameter.
151 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
152 it.
153
154 === Action API changes in 1.29 ===
155 * Submitting sensitive authentication request parameters to action=login,
156 action=clientlogin, action=createaccount, action=linkaccount, and
157 action=changeauthenticationdata in the query string is now an error. They
158 should be submitted in the POST body instead.
159 * The capture option for action=resetpassword has been removed
160 * action=clearhasmsg now requires a POST.
161 * (T47843) API errors and warnings may be requested in non-English languages
162 using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
163 * API error codes may have changed. Most notably, errors from modules using
164 parameter prefixes (e.g. all query submodules) will no longer be prefixed.
165 * ApiPageSet-using modules will report the 'invalidreason' using the specified
166 'errorformat'.
167 * action=emailuser may return a "Warnings" status, and now returns 'warnings' and
168 'errors' subelements (as applicable) instead of 'message'.
169 * action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
170 * action=move now reports errors when moving the talk page as an array under
171 key 'talkmove-errors', rather than using 'talkmove-error-code' and
172 'talkmove-error-info'. The format for subpage move errors has also changed.
173 * action=revisiondelete no longer includes a "rendered" property on warnings
174 and errors for each item. Use errorformat=wikitext if you're wanting parsed
175 output.
176 * action=rollback no longer returns a "messageHtml" property. Use
177 errorformat=html if you're wanting HTML formatting of error messages.
178 * action=upload now reports optional stash failures as an array under key
179 'stasherrors' rather than a 'stashfailed' text string.
180 * action=watch reports 'errors' and 'warnings' instead of a single 'error', and
181 no longer returns a 'message' on success.
182 * Added action=validatepassword to validate passwords for the account creation
183 and password change forms.
184 * action=purge now requires a POST.
185 * There is a new `languagevariants` siprop for action=query&meta=siteinfo,
186 which returns a list of languages with active LanguageConverter instances.
187 * action=query&query=allpages will no longer filter redirects using a database
188 query in miser mode. This may result in less results being returned than were
189 requested.
190
191 === Action API internal changes in 1.29 ===
192 * New methods were added to ApiBase to handle errors and warnings using i18n
193 keys. Methods for using hard-coded English messages were deprecated:
194 * ApiBase::dieUsage() was deprecated
195 * ApiBase::dieUsageMsg() was deprecated
196 * ApiBase::dieUsageMsgOrDebug() was deprecated
197 * ApiBase::getErrorFromStatus() was deprecated
198 * ApiBase::parseMsg() was deprecated
199 * ApiBase::setWarning() was deprecated
200 * ApiBase::$messageMap is no longer public. Code attempting to access it will
201 result in a PHP fatal error.
202 * The $message parameter to the ApiCheckCanExecute hook should be set to an
203 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
204 code for ApiBase::parseMsg() will no longer work.
205 * UsageException is deprecated in favor of ApiUsageException. For the time
206 being ApiUsageException is a subclass of UsageException to allow things that
207 catch only UsageException to still function properly.
208 * If, for some strange reason, code was using an ApiErrorFormatter instead of
209 ApiErrorFormatter_BackCompat, note that the result format has changed and
210 various methods now take a module path rather than a module name.
211 * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
212 from the message key, and maps some message keys for backwards compatibility.
213 * API parameters may now be marked as "sensitive" to keep their values out of
214 the logs.
215
216 === Languages updated in 1.29 ===
217
218 MediaWiki supports over 350 languages. Many localisations are updated
219 regularly. Below only new and removed languages are listed, as well as
220 changes to languages because of Phabricator reports.
221
222 * Based as always on linguistic studies on intelligibility and language
223 knowledge by geography, language fallbacks have been expanded. When a
224 translation is missing in the user's preferred interface language, the
225 corresponding translation for the fallback language will be used instead.
226 English will only be used as last resort when there are no translations.
227 Some configurations (such as date formats and gender namespaces) have also
228 been updated when using the fallback language's configuration was inadequate.
229 The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
230 ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
231 sh → bs, sr-el, hr.
232 * (T137376) New language support: Atikamekw (atj).
233 * (T163600) New language support: Dinka (din).
234 * (T155957) Talk Namespaces for Javanese language (jv) have been updated.
235
236 ==== No fallback for Ukrainian ====
237 * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
238 language will now use the default fallback language: English. When a translation
239 to Ukrainian is not available, an English string will be shown.
240
241 === Other changes in 1.29 ===
242 * Database::getSearchEngine() (deprecated in 1.28) was removed. Use
243 SearchEngineFactory::getSearchEngineClass() instead.
244 * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
245 required as all sessions are stored in Object Cache now.
246 * MWHttpRequest::execute() should be considered to return a StatusValue; the
247 Status return type is deprecated.
248 * User::edits() (deprecated in 1.21) was removed.
249 * Xml::escapeJsString() (deprecated in 1.21) was removed.
250 * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
251 were removed.
252 * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
253 were removed.
254 * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
255 instead.
256 * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
257 * Class RevisiondeleteAction (deprecated in 1.25) was removed.
258 * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
259 * WikiPage::getText() (deprecated in 1.21) was removed.
260 * Article::fetchContent() (deprecated in 1.21) was removed.
261 * User::getPassword() (deprecated in 1.27) was removed.
262 * User::getTemporaryPassword() (deprecated in 1.27) was removed.
263 * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
264 * Class FSRepo (deprecated in 1.19) was removed.
265 * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
266 \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
267 * Class ImageGallery (deprecated in 1.22) was removed.
268 Use ImageGalleryBase::factory instead.
269 * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
270 * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
271 emit warnings). Create a subclass of Action and add it to $wgActions instead.
272 * WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
273 * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
274 * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
275 * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
276 * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
277 * RedisConnectionPool::handleException (deprecated since 1.23) was removed.
278 * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
279 and outdated lists of errors/warnings returned by the API, are now deprecated.
280 * wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
281 URLs to continue to work, set up redirects. In Apache, this can be done by enabling
282 mod_rewrite and adding the following rules to your configuration:
283
284 RewriteEngine On
285 RewriteBase /
286 RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
287 * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
288 Use ArticleAfterFetchContentObject instead.
289 * Hook ArticleInsertComplete (deprecated in 1.21) was removed.
290 Use PageContentInsertComplete instead.
291 * Hook ArticleSave (deprecated in 1.21) was removed.
292 Use PageContentSave instead.
293 * Hook ArticleSaveComplete (deprecated in 1.21) was removed.
294 Use PageContentSaveComplete instead.
295 * Hook EditFilterMerged (deprecated in 1.21) was removed.
296 Use EditFilterMergedContent instead.
297 * Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
298 Use EditPageGetPreviewContent instead.
299 * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
300 Use ContentHandlerDefaultModelFor instead.
301 * Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
302 Use ContentHandlerDefaultModelFor instead.
303 * Article::getContent() (deprecated in 1.21) was removed.
304 * Revision::getText() (deprecated in 1.21) was removed.
305 * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
306 * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
307 * Article::doEditContent() was marked as deprecated, to be removed in 1.30
308 or later.
309 * ContentHandler::runLegacyHooks() was removed.
310 * refreshLinks.php now can be limited to a particular category with --category=...
311 or a tracking category with --tracking-category=...
312 * User-like objects that are passed to SpecialUserRights and its subclasses are
313 now required to have a getGroupMemberships() method. See UserRightsProxy for
314 an example.
315 * User::$mGroups (instance variable) was marked private. Use User::getGroups()
316 instead.
317 * User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
318 User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
319 Use equivalent methods on the UserGroupMembership class.
320 * Maintenance scripts and tests that call User::addGroup() must now ensure that
321 User objects have been added to the database prior to calling addGroup().
322 * Protected function UsersPager::getGroups() was removed, and protected function
323 UsersPager::buildGroupLink() was changed from a static to an instance method.
324 * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
325 see docs/hooks.txt.
326 * User::crypt() (deprecated in 1.24) was removed.
327 * User::comparePasswords() (deprecated in 1.24) was removed.
328 * ArchivedFile::getUserText() (deprecated in 1.23) was removed.
329 * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
330 * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
331 and subclasses. It should only break if you call buildMainQueryConds
332 (changed to buildQuery with new signature) or doMainQuery (new
333 signature). Subclasses are likely to call at least doMainQuery
334 (possibly both), but other classes might too, because they were
335 public.
336 Also, some related hooks were deprecated, but this is not yet a
337 breaking change.
338 * Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
339 * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
340 * WikiRevision::$fileIsTemp was deprecated.
341 * WikiRevision::$importer was deprecated.
342 * WikiRevision::$user was deprecated.
343 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
344 WikiPage::PURGE_* constants are deprecated, and the functions will always
345 return false. They were a hack for an issue that has since been fixed.
346 * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
347 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
348 if you don't actually care about checkboxes and just want to add some HTML
349 to the page.
350 * Selflinks are now rendered as href-less <a> tags with the class mw-selflink
351 rather than <strong> tags. The old class name, "selflink", was deprecated
352 and will be removed in a future release. (T160480)
353 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
354 * Browser support for non-ES5 JavaScript browsers, including Android 2,
355 Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
356 * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
357 is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
358 webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
359 opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
360 ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
361 addClickHandler, removeHandler, getElementsByClassName, getInnerText,
362 setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
363 mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
364 escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
365 tooltipAccessKeyRegexp, updateTooltipAccessKeys.
366 * The ID of the <li> element containing the login link has changed from
367 'pt-login' to 'pt-login-private' in private wikis.
368 * The old, neglected "bulletin board style toolbar" in the edit form is now
369 deprecated (T30856). This old code dates from 2006, and was replaced in the
370 MediaWiki release tarball and in Wikimedia production by the WikiEditor
371 extension in 2010. It is only shown to users if no other editor was
372 installed, and leads to confusion.
373 * (T92459) Loading ResourceLoader modules containing JavaScript through
374 addModuleStyles() is deprecated and will log a warning server-side.
375
376 = MediaWiki 1.28 =
377
378 == MediaWiki 1.28.3 ==
379
380 This is a security and maintenance release of the MediaWiki 1.28 branch.
381
382 === Changes since 1.28.2 ==
383 * (T168856) Allow SVGs created by Dia to be uploaded.
384 * (T157545) Add missing doUpdates() call to refreshLinks.php.
385 * (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
386 * (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
387 * (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
388 * (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
389 * (T167798) Fix phrase search and highlighting for phrase queries.
390 * (T151136) Provide credits information to callbacks in extension registration.
391 * (T160462) Allow namespaces defined in extension.json to be overwritten locally.
392 * (T168337) Fix ErrorPageError to work from non-UI contexts.
393 * (T143788) Backports for PHP 7.0 and 7.1 support.
394 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
395 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
396 * (T174255) Declare uploadCount property in importDump.php.
397 * (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
398 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
399 sends non-standard url escaping.
400 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
401 * (T128209) SECURITY: Reflected File Download from api.php.
402 * (T134100) SECURITY: Do not reveal if user exists during login failure.
403 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
404 * (T125163) SECURITY: Make anchor for headlines escape > and <.
405 * (T180237) SECURITY: Protect vendor folder with .htaccess.
406 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
407 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
408 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
409
410 == MediaWiki 1.28.2 ==
411
412 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
413 included in the tarball version of MediaWiki 1.28.1. The version included had a
414 serious security issue in it (T158689). There was also some minor code fixes in
415 MediaWiki itself since 1.28.1, but none of them were security relevant.
416
417 == MediaWiki 1.28.1 ==
418
419 This is a security and maintenance release of the MediaWiki 1.28 branch.
420
421 === Changes since 1.28.0 ===
422
423 * $wgRunJobsAsync is now false by default (T142751). This change only affects
424 wikis with $wgJobRunRate > 0.
425 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
426 more than one database server setup.
427 * (T152717) Better escaping for PHP mail() command,
428 * (T154670) A missing method causing the MySQL installer to fatal in rare
429 circumstances was restored.
430 * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
431 * (T158766) Avoid SQL error on MSSQL when using selectRowCount().
432 * (T145635) Fix too long index error when installing with MSSQL.
433 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
434 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
435 * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
436 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
437 to interwiki links.
438 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
439 $wgAdvancedSearchHighlighting is true.
440 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
441 their values out of the logs.
442 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
443 token.
444 * (T156184) SECURITY: Escape content model/format url parameter in message.
445 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
446 declaration.
447 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
448 in it's fallback chain when trying to work out where to write the cache.
449 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
450 syntax's link parameter.
451 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
452 it.
453
454 == MediaWiki 1.28 ==
455
456 === Changes since 1.28.0-rc1 ===
457 * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
458 errors.
459 * (T148956) Only apply wgDBschema to postgres/mssql.
460 * (T145991) Introduce separate log action for deleting pages on move.
461 * (T141474) (T110464) Bypass login page if no user input is required.
462
463 === Changes since 1.28.0-rc0 ===
464 * (T142210) The changes to move the parser "NewPP limit report" from a HTML
465 comment to a machine-readable JavaScript config option 'wgPageParseReport'
466 have been undone. They caused the human-readable limit report to be shown
467 incompletely or not at all. ParserOutput::setLimitReportData() and
468 getLimitReportData() behave as they did in MediaWiki 1.27 again.
469 * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
470 the text of subheadings on a category page when creating it. This wasn't
471 working correctly.
472 * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
473 canonical pretty URL when a non-pretty URL is used. It resulted in redirect
474 loops in some clients and in some server configurations. This undoes a change
475 made in MediaWiki 1.26.
476 * (T149759) manifest_version: 2 was removed.
477
478 === Configuration changes in 1.28 ===
479 * $wgSend404Code now affects status code of action=history if the page is not there.
480 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
481 made by MediaWiki via a proxy. Relying on the http_proxy environment
482 variable is no longer supported.
483 * The load.php entry point now enforces the existing policy of not allowing
484 access to session data, which includes the session user and the session
485 user's language. If such access is attempted, an exception will be thrown.
486 * The number of internal PBKDF2 iterations used to derive the session secret
487 is configurable via $wgSessionPbkdf2Iterations.
488 * Upload dialog's file upload log comment can now be configured separately for
489 local and foreign uploads.
490 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
491 signifies local uploads. A value of `[]` (empty array) now means that
492 no upload targets are allowed, effectively disabling the upload dialog.
493 * The deprecated $wgEditEncoding variable has been removed; it was only used
494 for Esperanto language character conversion. You are now recommended to use
495 input methods provided by the UniversalLanguageSelector extension.
496 * When $wgPingback is true, MediaWiki will periodically ping
497 https://www.mediawiki.org/beacon with basic information about the local
498 MediaWiki installation. This data includes, for example, the type of system,
499 PHP version, and chosen database backend. This behavior is off by default.
500 * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
501 to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
502 if false, the default, they will be "Save page"/"Save changes".
503 * The 'editcontentmodel' permission is now granted to all logged-in users ('user').
504 instead of just administrators ('sysop'). Documentation for this feature is
505 available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
506 * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
507 * Magic links are now disabled by default, and can be re-enabled by modifying the value
508 of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
509 a tracking category will be added to help identify usage and make it easier to migrate
510 away from. If you depend upon magic link functionality, it is requested that you comment
511 on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
512 explain your use case(s).
513 * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
514 in upcoming Content-Security-Policy feature's reporting.
515
516 === New features in 1.28 ===
517 * User::isBot() method for checking if an account is a bot role account.
518 * Added a new 'slideshow' mode for galleries.
519 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
520 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
521 interact with API parsing.
522 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
523 upload. Unlike 'UploadVerifyFile' it provides information about upload comment
524 and the file description page, but does not run for uploads to stash.
525 * (T141604) Extensions can now provide a better error message when their
526 maintenance scripts are run without the extension being installed.
527 * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
528 to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
529 a 'numeric' collation is also available. If migrating from another
530 collation, you will need to run the updateCollation.php maintenance script.
531 * Two new codes have been added to #time parser function: "xit" for days in current
532 month, and "xiz" for days passed in the year, both in Iranian calendar.
533 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
534 appropriate for sending multi-valued parameters. This defaults to true when
535 the mw.Api instance seems to be for the local wiki.
536 * After a client performs an action which alters a database that has replica databases,
537 MediaWiki will wait for the replica databases to synchronize with the master database
538 while it renders the HTML output. However, if the output is a redirect to another wiki
539 on the wiki farm with a different domain, MediaWiki will instead alter the redirect
540 URL to include a ?cpPosTime parameter that triggers the database synchronization when
541 the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
542 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
543 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
544 'show' parameters to existing API query modules.
545
546 === External library changes in 1.28 ===
547
548 ==== Upgraded external libraries ====
549 * Updated es5-shim from v4.1.5 to v4.5.8
550 * Updated composer/semver from v1.4.1 to v1.4.2
551 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
552
553 ==== New external libraries ====
554 * Added wikimedia/scoped-callback v1.0.0
555 * Added wikimedia/wait-condition-loop v1.0.1
556
557 === Bug fixes in 1.28 ===
558 * (T146496) action=history pages should return 404 HTTP error code if the page does not exist
559 * (T137264) SECURITY: XSS in unclosed internal links
560 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
561 * (T133147) SECURITY: Require login to preview user CSS pages
562 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
563 the top file
564 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
565 permissions
566 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
567 * (T139670) Move 'UserGetRights' call before application of
568 Session::getAllowedUserRights()
569
570 === Action API changes in 1.28 ===
571 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
572 the value of $wgMaxArticleSize.
573 * Property 'modulemessages' from action=parse&prop=modules was removed
574 (deprecated since 1.26).
575 * The following response properties from action=login, deprecated in 1.27, are
576 now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
577 to properly manage session state.
578 * Submitting the lgtoken and lgpassword parameters in the query string to
579 action=login is now deprecated and outputs a warning. They should be submitted
580 in the POST body instead.
581 * Submitting sensitive authentication request parameters to action=clientlogin,
582 action=createaccount, action=linkaccount, and action=changeauthenticationdata
583 in the query string is now deprecated and outputs a warning. They should be
584 submitted in the POST body instead.
585 * (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
586 instead of the pipe character. This will be useful if some of the multiple
587 values need to contain pipes, e.g. for action=options.
588 * The API will now warn if input is not NFC-normalized Unicode or if it
589 contains invalid characters.
590 * The 'normalized' list output by action=query and other modules that use
591 ApiPageSet may contain entries where the 'from' value is percent-encoded as
592 the raw value cannot be represented in a valid API response. These are
593 indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
594 * (T28680) action=paraminfo can now return info about all submodules of a
595 module without listing them all explicitly.
596 * (T146770) It is now possible to assert that the current user is a specific
597 named user, using the 'assertuser' parameter.
598 * (T141963) Added a 'known' property when missing-but-known titles (e.g. from
599 the 'TitleIsAlwaysKnown' hook) are output in various modules.
600
601 === Action API internal changes in 1.28 ===
602 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
603 interact with ApiParse and ApiExpandTemplates.
604 * (T139565) SECURITY: API: Generate head items in the context of the given title
605 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
606 * ApiBase::getResultData() was removed (deprecated since 1.25)
607 * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
608 * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
609 * ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
610 * ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
611 * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
612 * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
613 * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
614 * ApiFormatBase::setHelp() was removed (deprecated since 1.25)
615 * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
616 * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
617 * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
618 * ApiMain::setHelp() was removed (deprecated since 1.25)
619 * ApiResult::beginContinuation() was removed (deprecated since 1.25)
620 * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
621 * ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
622 * ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
623 * ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
624 * ApiResult::endContinuation() was removed (deprecated since 1.25)
625 * ApiResult::getData() was removed (deprecated since 1.25)
626 * ApiResult::getIsRawMode() was removed (deprecated since 1.25)
627 * ApiResult::setContent() was removed (deprecated since 1.25)
628 * ApiResult::setContinueParam() was removed (deprecated since 1.25)
629 * ApiResult::setElement() was removed (deprecated since 1.25)
630 * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
631 * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
632 * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
633 * ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
634 * ApiResult::setParsedLimit() was removed (deprecated since 1.25)
635 * ApiResult::setRawMode() was removed (deprecated since 1.25)
636 * ApiResult::size() was removed (deprecated since 1.25)
637 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
638 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
639 'show' parameters to existing API query modules. A query module can enable
640 these hooks by passing an array for $hookData to ApiQueryBase::select() and
641 by calling ApiQueryBase->processRow() before adding a row's data to the
642 result.
643
644 === Languages updated in 1.28 ===
645
646 MediaWiki supports over 375 languages. Many localisations are updated
647 regularly. Below only new and removed languages are listed, as well as
648 changes to languages because of Phabricator reports.
649
650 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
651 BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
652 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
653 Saiddzone Saimawnkham, Saosukham, and Sengwan.
654 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
655 * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
656
657 === Other changes in 1.28 ===
658 * (T128697) Improved handling of large diffs.
659 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
660 use or update a custom session provider if needed.
661 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
662 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
663 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
664 * The 'UserLoginComplete' hook has a new parameter to differentiate between actual
665 login and visiting the login page while already logged in.
666 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
667 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
668 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
669 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
670 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
671 MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
672 were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
673 respectively. See docs/hooks.txt for the specific changes needed for those hooks.
674 * Linker::formatSize() was deprecated. Use Language::formatSize() directly.
675 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
676 * Skin::commentBlock() (use Linker::commentBlock() instead)
677 * Skin::generateRollback() (use Linker::generateRollback() instead)
678 * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
679 * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
680 * Skin::userLink() (use Linker::userLink() instead)
681 * Skin::userToolLinks() (use Linker::userToolLinks() instead)
682 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
683 disabled.
684 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
685 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
686 Use ...->stashFile()->getFileKey() instead.
687 * "Public domain" was removed as a wiki license option from the installer, in
688 favour of CC-0.
689 * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
690 on requests needed by primary providers even if all primaries need them.
691 Primary providers are discouraged from returning multiple REQUIRED requests.
692 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
693 will no longer be automatically infused. You should call `OO.ui.infuse()`
694 on them yourself from your JavaScript code.
695 * parserTests.php has moved to tests/parser/parserTests.php
696 * The command line options specific to parser tests have been removed from
697 phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
698 Instead of --keep-uploads, use the same option to parserTests.php, but you
699 must specify a directory with --upload-dir.
700 * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
701 * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
702 migrate to using the same functions on a ProxyLookup instance, obtainable from
703 MediaWikiServices.
704 * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
705 ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
706 ShowRawCssJs hooks will now emit deprecation warnings if used.
707 * (T68404) CSS3 attr() function with url type is no longer allowed
708 in inline styles.
709 * Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
710 instead.
711
712 == Compatibility ==
713
714 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
715 HHVM 3.6.5 or later.
716
717 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
718 support for them is somewhat less mature. There is experimental support for
719 Oracle and Microsoft SQL Server.
720
721 The supported versions are:
722
723 * MySQL 5.0.3 or later
724 * PostgreSQL 8.3 or later
725 * SQLite 3.3.7 or later
726 * Oracle 9.0.1 or later
727 * Microsoft SQL Server 2005 (9.00.1399)
728
729 == Upgrading ==
730
731 1.28 has several database changes since 1.27, and will not work without schema
732 updates. Note that due to changes to some very large tables like the revision
733 table, the schema update may take quite long (minutes on a medium sized site,
734 many hours on a large site).
735
736 If upgrading from before 1.11, and you are using a wiki as a commons
737 repository, make sure that it is updated as well. Otherwise, errors may arise
738 due to database schema changes.
739
740 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
741 new database fields are filled with data.
742
743 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
744 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
745 with MediaWiki 1.21.
746
747 Don't forget to always back up your database before upgrading!
748
749 See the file UPGRADE for more detailed upgrade instructions.
750
751 For notes on 1.27.x and older releases, see HISTORY.
752
753 == Online documentation ==
754
755 Documentation for both end-users and site administrators is available on
756 MediaWiki.org, and is covered under the GNU Free Documentation License (except
757 for pages that explicitly state that their contents are in the public domain):
758
759 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
760
761 == Mailing list ==
762
763 A mailing list is available for MediaWiki user support and discussion:
764
765 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
766
767 A low-traffic announcements-only list is also available:
768
769 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
770
771 It's highly recommended that you sign up for one of these lists if you're
772 going to run a public MediaWiki, so you can be notified of security fixes.
773
774 == IRC help ==
775
776 There's usually someone online in #mediawiki on irc.freenode.net.
777
778 = MediaWiki 1.27 =
779
780 == MediaWiki 1.27.4 ==
781 This is a security and maintenance release of the MediaWiki 1.27 branch.
782
783 === Changes since 1.27.3 ===
784 * (T100085) Better handling of jobs execution in post-connection shutdown.
785 * (T141604) Support conditionally registered namespaces.
786 * (T167798) Fix highlighting for phrase queries and phrase search.
787 * (T151136) Provide credits information to callbacks.
788 * (T160462) Allow namespaces defined in extension.json to be overwritten locally.
789 * (T168856) Allow SVGs created by Dia to be uploaded.
790 * (T144705) (T148662) Password reset link is no longer shown when no reset options are
791 available.
792 * (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
793 * (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
794 policies.
795 * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core.
796 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
797 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
798 * (T142304) Allow putting the app ID in the password for bot passwords.
799 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
800 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
801 sends non-standard url escaping.
802 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
803 * (T128209) SECURITY: Reflected File Download from api.php.
804 * (T134100) SECURITY: Do not reveal if user exists during login failure.
805 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
806 * (T125163) SECURITY: Make anchor for headlines escape > and <.
807 * (T180237) SECURITY: Protect vendor folder with .htaccess.
808 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
809 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
810 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
811
812 == MediaWiki 1.27.3 ==
813 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
814 included in the tarball version of MediaWiki 1.27.2. The version included had a
815 serious security issue in it (T158689). There was also some minor code fixes in
816 MediaWiki itself since 1.27.2, but none of them were security relevant.
817
818 === Changes since 1.27.2 ===
819 * (T145664) Fix broken wincache merge() implementation
820 * (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility
821 * (T153505) Fix php warnings on php 7.1 due to use of &$this
822
823 == MediaWiki 1.27.2 ==
824 This is a security and maintenance release of the MediaWiki 1.27 branch.
825
826 ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
827 deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0
828 was released.
829
830 === Changes since 1.27.1 ===
831
832 * (T68404) CSS3 attr() function with url type argument is no longer allowed
833 in inline styles.
834 * $wgRunJobsAsync is now false by default (T142751). This change only affects
835 wikis with $wgJobRunRate > 0.
836 * (T152717) Better escaping for PHP mail() command
837 * Submitting the lgtoken and lgpassword parameters in the query string to
838 action=login is now deprecated and outputs a warning. They should be submitted
839 in the POST body instead.
840 * Submitting sensitive authentication request parameters to action=clientlogin,
841 action=createaccount, action=linkaccount, and action=changeauthenticationdata
842 in the query string is now deprecated and outputs a warning. They should be
843 submitted in the POST body instead.
844 * (T158766) Avoid SQL error on MSSQL when using selectRowCount()
845 * (T145635) Fix too long index error when installing with MSSQL.
846 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
847 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
848 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
849 to interwiki links.
850 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
851 $wgAdvancedSearchHighlighting is true.
852 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
853 their values out of the logs.
854 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
855 token.
856 * (T156184) SECURITY: Escape content model/format url parameter in message.
857 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
858 declaration.
859 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
860 in it's fallback chain when trying to work out where to write the cache.
861 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
862 syntax's link parameter.
863 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
864 it.
865
866 == MediaWiki 1.27.1 ==
867
868 This is a maintenance release of the MediaWiki 1.27 branch.
869
870 === Changes since 1.27.0 ===
871 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
872 made by MediaWiki via a proxy. Relying on the http_proxy environment
873 variable is no longer supported.
874 * (T139565) SECURITY: API: Generate head items in the context of the given title
875 * (T137264) SECURITY: XSS in unclosed internal links
876 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
877 * (T133147) SECURITY: Require login to preview user CSS pages
878 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
879 the top file
880 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
881 permissions
882 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
883 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
884 * (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
885 * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()
886
887 == MediaWiki 1.27.0 ==
888
889 === PHP version requirement in 1.27 ===
890 As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
891 section). Additionally, the following PHP extensions are required:
892 * ctype
893 * iconv
894 * json
895 * mbstring (new requirement in 1.27)
896 * xml
897 The following PHP extensions are strongly recommended:
898 * openssl
899
900 === Configuration changes in 1.27 ===
901 * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
902 now always enabled. If you use RDFa on your wiki, you now have to explicitly
903 set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
904 * $wgUseLinkNamespaceDBFields was removed.
905 * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
906 $wgResourceLoaderMinifierMaxLineLength, because there was little value in
907 making the behavior configurable. The default values (`false` for the former,
908 1000 for the latter) are now hard-coded.
909 * $wgDebugDumpSqlLength was removed (deprecated in 1.24).
910 * $wgDebugDBTransactions was removed (deprecated in 1.20).
911 * $wgUseXVO has been removed, as it provides functionality only used by
912 custom Wikimedia patches against Squid 2.x that probably noone uses in
913 production anymore. There is now $wgUseKeyHeader that provides similar
914 functionality but instead of the MediaWiki-specific X-Vary-Options header,
915 uses the draft Key header standard.
916 * $wgScriptExtension (and support for '.php5' entry points) was removed. See the
917 deprecation notice in the release notes for version 1.25 for advice on how to
918 preserve support for '.php5' entry points via URL rewriting.
919 * Password handling via the User object has been deprecated and partially
920 removed, pending the future introduction of AuthManager. In particular:
921 ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
922 getPasswordExpired() have been removed. They were unused outside of core.
923 ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
924 now private and will be removed in the future.
925 ** The getPassword() and getTemporaryPassword() methods now throw
926 BadMethodCallException and will be removed in the future.
927 ** The ability to pass 'password' and 'newpassword' to createNew() has been
928 removed. The only users of it seem to have been using it to set invalid
929 passwords, and so shouldn't be greatly affected.
930 ** setPassword(), setInternalPassword(), and setNewpassword() have been
931 deprecated, pending the introduction of AuthManager.
932 ** User::randomPassword() is deprecated in favor of a new method
933 PasswordFactory::generateRandomPasswordString()
934 ** User::getPasswordFactory() is deprecated, callers should just create a
935 PasswordFactory themselves.
936 ** A new constructor, User::newSystemUser(), has been added to simplify the
937 creation of passwordless "system" users for logged actions.
938 * $wgMaxSquidPurgeTitles was removed.
939 * $wgAjaxWatch was removed. This is now enabled by default.
940 * $wgUseInstantCommons now hotlinks Commons images by default instead of
941 downloading originals and thumbnailing them locally. This allows wikis to save
942 on CPU and bandwidth while reducing time to first byte for pages, even without
943 a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
944 * (T27397) WebP is enabled by default as an uploadable filetype.
945 * (T48998) $wgArticlePath must now be either a full url, or start with a "/".
946 * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
947 * Deprecated API formats dbg, txt, and yaml have been removed.
948 * CLDRPluralRule* classes have been replaced with
949 wikimedia/cldr-plural-rule-parser.
950 * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
951 $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
952 $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
953 * For proper operation of LocalIdLookup with shared user tables, ensure that
954 $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
955 that all others are sharing from and that $wgLocalDatabases is set to the
956 full list of sharing wikis on all those wikis.
957 * Massive overhaul to session handling:
958 ** $wgSessionsInObjectCache is no longer supported and must be true, due to
959 MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
960 used.
961 ** ObjectCacheSessionHandler is removed, replaced with
962 MediaWiki\Session\PhpSessionHandler.
963 ** PHP session handling in general ($_SESSION, session_id(), and so on) is
964 deprecated. Use MediaWiki\Session\SessionManager instead. A new config
965 variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
966 issue a deprecation warning or to cause most PHP session handling to throw
967 exceptions.
968 ** Deprecated UserSetCookies hook. Session-handling extensions should generally
969 be creating a custom subclass of CookieSessionProvider. Other extensions
970 messing with cookies can no longer count on user data being saved in cookies
971 versus other methods.
972 ** Deprecated UserLoadFromSession hook, extensions should create a
973 MediaWiki\Session\SessionProvider.
974 ** The User cannot be loaded from session until after Setup.php completes.
975 Attempts to do so will be ignored and the User will remain unloaded.
976 ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
977 the MediaWiki\Session\Token class.
978 * MediaWiki will now auto-create users as necessary, removing the need for
979 extensions to do so. An 'autocreateaccount' right is added to allow
980 auto-creation when 'createaccount' is not granted to all users.
981 * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
982 * Most cookie-handling methods in User are deprecated.
983 * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
984 experimental feature that has never worked.
985 * Login and createaccount tokens now vary by timestamp.
986 * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
987 return a MediaWiki\Session\Token, and tokens must be checked using that
988 class's methods.
989 * $wgEnotifUseJobQ was removed and the job queue is always used.
990 * The functionality of the ApiSandbox extension has been merged into core. The
991 extension should no longer be used.
992 * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
993 Extensions, skins, gadgets and scripts that use the mediawiki.util module must
994 express a dependency on it.
995 * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
996 Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
997 module should express a dependency on it.
998 * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
999 $wgFooterIcons['copyright']['copyright'] instead.
1000 * If the openssl and mcrypt PHP extensions are both unavailable, secure
1001 session storage (used for login) will raise an exception. This exception may
1002 be bypassed by setting $wgSessionInsecureSecrets = true.
1003 * Massive overhaul to authentication:
1004 ** AuthPlugin and AuthPluginUser are deprecated.
1005 ** LoginForm and associated templates are deprecated. Extensions which called
1006 static LoginForm methods should be converted into authentication providers.
1007 ** The following hooks are deprecated:
1008 *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1009 *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1010 *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1011 *** AddNewAccount (use LocalUserCreated instead)
1012 *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
1013 *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
1014 *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1015 *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
1016 *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
1017 ** The following hooks are removed:
1018 *** AbortChangePassword
1019 *** LoginPasswordResetMessage
1020 *** PrefsPasswordAudit
1021 ** The UserLoginComplete hook will no longer be called for all logins, only for
1022 those via the web UI. Use UserLoggedIn if you need to do something on all
1023 logins.
1024 ** $wgRequirePasswordforEmailChange is removed.
1025
1026 === New features in 1.27 ===
1027 * $wgDataCenterUpdateStickTTL was also added. This decides how long a user
1028 sticks to the primary DC (via cookies) after they make changes to the site.
1029 * Added a new hook, 'UserMailerTransformContent', to transform the contents
1030 of an email. This is similar to the EmailUser hook but applies to all mail
1031 sent via UserMailer.
1032 * Added a new hook, 'UserMailerTransformMessage', to transform the contents
1033 of an emai after MIME encoding.
1034 * Added a new hook, 'UserMailerSplitTo', to control which users have to be
1035 emailed separately (ie. there is a single address in the To: field) so
1036 user-specific changes to the email can be applied safely.
1037 * $wgCdnMaxageLagged was added, which limits the CDN cache TTL
1038 when any load balancer uses a DB that is lagged beyond the 'max lag'
1039 setting in the relevant section of $wgLBFactoryConf.
1040 * User::newSystemUser() may be used to simplify the creation of passwordless
1041 "system" users for logged actions from scripts and extensions.
1042 * Extensions can now return detailed error information via the API when
1043 preventing user actions using 'getUserPermissionsErrors' and similar hooks
1044 by using ApiMessage instances instead of strings for the $result value.
1045 * $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
1046 becomes too high.
1047 * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
1048 and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
1049 cross-browser-compatible FlexBox rules. Users will still need to add fallback
1050 float rules or the like for compatibility with IE9- separately.
1051 * Added MWTimestamp::getTimezoneString() which returns the localized timezone
1052 string, if available. To localize this string, see the comments of
1053 $wgLocaltimezone in includes/DefaultSettings.php.
1054 * Added CentralIdLookup, a service that allows extensions needing a concept of
1055 "central" users to get that without having to know about specific central
1056 authentication extensions.
1057 * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
1058 Regular web request transactions that takes longer than this are aborted.
1059 * Added a new hook, 'TitleMoveCompleting', which runs before a page move is
1060 committed.
1061 * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
1062 from CDN to mitigate DB replication lag and WAN cache purge lag.
1063 * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
1064 if it is available.
1065 * It is now possible to patrol file uploads (both for new files and new versions
1066 of existing files). Special:NewFiles has gained an option to filter by patrol
1067 status. This functionality can be disabled using $wgUseFilePatrol.
1068 * MediaWiki\Session infrastructure allows for easier use of session mechanisms
1069 other than the usual cookies.
1070 ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
1071 custom session metadata.
1072 * Added MWGrants and associated configuration settings $wgGrantPermissions and
1073 $wgGrantPermissionGroups to hold configuration for authentication features
1074 such as OAuth that want to allow restricting the user rights a user may make
1075 use of.
1076 ** If you're already using the OAuth extension, these new variables are
1077 identical to (and will replace) $wgMWOAuthGrantPermissions and
1078 $wgMWOAuthGrantPermissionGroups.
1079 * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
1080 to assert that the request comes from a particular IP range.
1081 * Added bot passwords, a rights-restricted login mechanism for API-using bots.
1082 * Whitelisted the following HTML attributes for all elements in wikitext:
1083 aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
1084 * Removed "presentation" restriction on the HTML role attribute in wikitext.
1085 All values are now allowed for the role attribute.
1086 * $wgContentHandlers now also supports callbacks to create an instance of the
1087 appropriate ContentHandler subclass.
1088 * Added $wgAuthenticationTokenVersion, which if non-null prevents the
1089 user_token database field from being exposed in cookies. Setting this would
1090 be a good idea, but will log out all current sessions.
1091 * $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
1092 specifically for reliable CDN url purges.
1093 * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
1094 MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
1095 generated 24-character string. This request ID is used to annotate log records
1096 and error messages. It is available client-side via mw.config.get( 'wgRequestId' ).
1097 The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId()
1098 is deprecated.
1099 * (T33313) Add a preference for watching uploads by default, also applies
1100 to API-based upload tools.
1101 * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
1102 thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
1103 savings versus the previous behavior on many files.
1104 * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
1105 configuration of multiple authentication pieces that was possible with
1106 AuthPlugin. For example, it's now easy to plug in second-factor
1107 authentication, or add additional checks to the login process, or to support
1108 multiple login methods at once, or to support non-password-based login methods.
1109 ** Providers are configured via the global setting $wgAuthManagerConfig.
1110 ** A global, $wgDisableAuthManager, is temporarily available to disable
1111 AuthManager until extensions are ready to support it.
1112 ** New hook, AuthChangeFormFields, to adjust the form fields on
1113 AuthManager-related special pages.
1114 ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
1115 AuthManager-related authentication requests.
1116 ** New hook, ChangeAuthenticationDataAudit, for additional logging of
1117 AuthManager-related authentication data changes.
1118 ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
1119 for requiring a recent login before taking security-sensitive operations
1120 like changing a password.
1121 ** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist
1122 can be used to prevent the web UI and the API changing certain authentication data.
1123 * The file upload dialog (available if you install WikiEditor or VisualEditor)
1124 can now be configured using $wgUploadDialog.
1125
1126 === External library changes in 1.27 ===
1127
1128 ==== Upgraded external libraries ====
1129 * Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
1130 * Updated composer/semver from v1.0.0 to v1.2.0.
1131 * Updated liuggio/statsd-php-client to 1.0.18.
1132 * Updated QUnit from v1.18.0 to v1.22.0.
1133
1134 ==== New external libraries ====
1135 * Added wikimedia/base-convert v1.0.1.
1136 * Added wikimedia/cldr-plural-rule-parser v1.0.0.
1137 * Added wikimedia/relpath v1.0.3.
1138 * Added wikimedia/running-stat v1.1.0.
1139 * Added wikimedia/php-session-serializer v1.0.3.
1140
1141 ==== Removed and replaced external libraries ====
1142
1143 === Bug fixes in 1.27 ===
1144 * Special:Upload will now display correct maximum allowed file size when running
1145 under HHVM (T116347).
1146 * (T54077) The APIEditBeforeSave hook will once again give only the content of
1147 the section being edited, rather than the whole revision. This reverts the
1148 change made in MediaWiki 1.22.
1149
1150 === Action API changes in 1.27 ===
1151 * Added list=allrevisions.
1152 * generator=recentchanges now has the option to generate revids.
1153 * ApiPageSet::setRedirectMergePolicy() was added. This allows generator
1154 modules to define how generator data for a redirect source gets merged
1155 into the redirect destination.
1156 * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
1157 "was-deleted" warning.
1158 * Added difftotextpst to query=revisions which preforms a pre-save transform on
1159 the text before diffing it.
1160 * Deprecated formats dbg, txt, and yaml have been removed.
1161 * (T47988) The protect log event details now use new-style formatting.
1162 * The following response properties from action=login are deprecated, and may
1163 be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
1164 handle cookies to properly manage session state.
1165 * action=login transparently allows login using bot passwords. Clients should
1166 merely need to change the username and password used after setting up a bot
1167 password.
1168 * action=upload no longer understands statuskey, asyncdownload or leavemessage.
1169 * Several changes when $wgDisableAuthManager is false:
1170 ** action=login is deprecated for uses other than bot passwords.
1171 ** list=users can now indicate if a missing username is creatable.
1172 ** action=createaccount is changed in a non-backwards-compatible manner.
1173 ** Added action=query&meta=authmanagerinfo.
1174 ** Added action=clientlogin to be used to log into the main account instead of
1175 action=login.
1176 ** Added action=linkaccount.
1177 ** Added action=unlinkaccount.
1178 ** Added action=changeauthenticationdata.
1179 ** Added action=removeauthenticationdata.
1180 ** Added action=resetpassword.
1181
1182 === Action API internal changes in 1.27 ===
1183 * ApiQueryORM removed.
1184 * The following classes have been removed:
1185 ** ApiFormatDbg
1186 ** ApiFormatTxt
1187 ** ApiFormatYaml
1188 * ApiBase::addTokenProperties() was removed (deprecated since 1.24).
1189 * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
1190 * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
1191 * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24).
1192 * ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
1193 * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24).
1194 * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24).
1195 * ApiBase::getResultProperties() was removed (deprecated since 1.24).
1196 * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
1197 * ApiBase::parseErrors() was removed (deprecated since 1.24).
1198 * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
1199 ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
1200 * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
1201 * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
1202 * ApiQuery::getGenerators() was removed (deprecated since 1.21).
1203 * ApiQuery::getModules() was removed (deprecated since 1.21).
1204 * ApiQuery::getModuleType() was removed (deprecated since 1.21).
1205 * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
1206 * ApiMain::getModules() was removed (deprecated since 1.21).
1207 * ApiBase::getVersion() was removed (deprecated since 1.21).
1208 * ApiMain::getShowVersions() was removed (deprecated in 1.21).
1209 * ApiMain::addModule() was removed (deprecated in 1.21).
1210 * ApiMain::addFormat() was removed (deprecated in 1.21).
1211 * ApiMain::getFormats() was removed (deprecated in 1.21).
1212 * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
1213 * ApiCreateAccount was removed.
1214
1215 === Languages updated in 1.27 ===
1216
1217 MediaWiki supports over 350 languages. Many localisations are updated
1218 regularly. Below only new and removed languages are listed, as well as
1219 changes to languages because of Phabricator reports.
1220
1221 * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
1222 * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
1223
1224 === Other changes in 1.27 ===
1225 * Added dependency injection (DI) infrastructure, see docs/injection.txt for details.
1226 It is planned to incrementally move MediaWiki code towards using DI, using the
1227 service locator (SL) pattern as a stepping stone.
1228 * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
1229 * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
1230 ignore the 2nd and 3rd arguments (formerly $id and $commit).
1231 * Removed "loaderScripts" option from ResourceLoaderFileModule class.
1232 * Removed ORM-like wrapper added in 1.20.
1233 * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
1234 (deprecated in 1.26).
1235 * WikiPage::doQuickEdit() was removed (deprecated since 1.21).
1236 * Removed SiteObject and SiteArray classes (deprecated in 1.21).
1237 * MessageBlobStore::getInstance() was removed (deprecated since 1.25).
1238 * (T84937) Free external links ("autolinked" urls) will now be terminated
1239 by &nbsp; and HTML entity encodings of &nbsp, <, and >.
1240 * (T36948) The default file revert message's timestamp is now in
1241 $wgLocaltimezone, instead of UTC.
1242 * The default name of the 'suppress' group page has been changed from
1243 'Project:Oversight' to 'Project:Suppress'.
1244 * DatabaseBase::resultObject() is now protected (use outside Database classes
1245 not necessary since 1.11).
1246 * Calling ResourceLoaderFileModule::readStyleFiles() without a
1247 ResourceLoaderContext instance is deprecated.
1248 * ResourceLoader::getLessCompiler() now takes an optional parameter of
1249 additional LESS variables to set for the compiler.
1250 * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
1251 instead.
1252 * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
1253 were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
1254 * Removed msg_resource_links database table and associated code.
1255 * Removed msg_resource database table and associated code.
1256 * Skin::getNamespaceNotice() was removed.
1257 * wfIsConfiguredProxy() was removed (deprecated since 1.24).
1258 * wfDebugTimer() was removed (deprecated since 1.25).
1259 * wfIsTrustedProxy() was removed (deprecated since 1.24).
1260 * wfGetIP() was removed (deprecated since 1.19).
1261 * MWHookException was removed.
1262 * OutputPage::appendSubtitle() was removed (deprecated since 1.19).
1263 * OutputPage::loginToUse() was removed (deprecated since 1.19).
1264 * Article::loadContent() was removed (deprecated since 1.19).
1265 * User::editToken() was removed (deprecated since 1.19).
1266 * Removed --force-normal option of dumpBackup.php, as it no longer served
1267 any useful purpose since 1.22.
1268 * The functions processOption() and processArgs() on the BackupDumper and
1269 TextPassDumper classes have been removed.
1270 * The maintenance/backupTextPass.inc file was deleted. You should include
1271 maintenance/dumpTextPass.php instead.
1272 * WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
1273 * wfEmptyMsg() was removed (deprecated since 1.18).
1274 * OutputPage::permissionRequired() was removed (deprecated since 1.18).
1275 * OutputPage::blockedPage() was removed (deprecated since 1.18).
1276 * User::getSkin() was removed (deprecated since 1.18).
1277 * OutputPage::includeJQuery() was removed (deprecated since 1.17).
1278 * WikiPage::updateRestrictions() was removed (deprecated since 1.19).
1279 * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
1280 * LogPage::logName() was removed (deprecated since 1.19).
1281 * LogPage::logHeader() was removed (deprecated since 1.19).
1282 * wfCheckLimits() was removed (deprecated since 1.24).
1283 * Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
1284 * Linker::makeLinkObj() was removed (deprecated since 1.16).
1285 * wfMsgForContentNoTrans() was removed (deprecated since 1.18).
1286 * ChangesList::usePatrol was removed (deprecated since 1.22).
1287 * wfMsgNoTrans() was removed (deprecated since 1.18).
1288 * Linker::makeImageLink2 was removed (deprecated since 1.20).
1289 * Title::userIsWatching() was removed (deprecated since 1.20).
1290 * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
1291 database function directly instead.
1292 * wfMsg() was removed (deprecated since 1.18).
1293 * wfMsgForContent() was removed (deprecated since 1.18).
1294 * wfMsgReal() was removed (deprecated since 1.18).
1295 * wfMsgGetKey() was removed (deprecated since 1.18).
1296 * wfMsgHtml() was removed (deprecated since 1.18).
1297 * wfMsgWikiHtml() was removed (deprecated since 1.18).
1298 * wfMsgExt() was removed (deprecated since 1.18).
1299 * Language::armourMath() was removed (deprecated since 1.22).
1300 * LanguageConverter::armourMath() was removed (deprecated since 1.22).
1301 * FakeConverter::armourMath() was removed (deprecated since 1.22).
1302 * The unused jquery.validate ResourceLoader module was removed.
1303 * FileRepo::getRootUrl() was removed (deprecated since 1.20).
1304 * User::generateToken() was removed (deprecated since 1.20).
1305 * WikiPage::getRawText() was removed (deprecated since 1.21).
1306 * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
1307 * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
1308 * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
1309 * Gallery images with multiple caption pipes no longer concatenate them all
1310 together but instead pick the final one, similar to image syntax.
1311 * XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
1312 rather than consume everything until the end of the page.
1313 * New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
1314 a user forgot password/account was stolen.
1315 * wfCheckEntropy() was removed (deprecated in 1.27).
1316 * Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
1317 * ContentHandler::supportsCategories method added. Default is true.
1318 CategoryMembershipChangeJob updates are skipped for content that
1319 does not support categories.
1320 * wikidiff difference engine is no longer supported, anyone still using it are encouraged
1321 to upgrade to wikidiff2 which is actively maintained and has better package availability.
1322 * Database logic was removed from WatchedItem and a WatchedItemStore was created:
1323 ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated.
1324 User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
1325 ** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
1326 ** WatchedItem::resetNotificationTimestamp was deprecated.
1327 ** WatchedItem::batchAddWatch was deprecated.
1328 ** WatchedItem::addWatch was deprecated.
1329 ** WatchedItem::removeWatch was deprecated.
1330 ** WatchedItem::isWatched was deprecated.
1331 ** WatchedItem::duplicateEntries was deprecated.
1332 ** EmailNotification::updateWatchlistTimestamp was deprecated.
1333 ** User::getWatchedItem was removed.
1334 * Unit tests don't work with external PHPUnit anymore, Composer is now the only supported
1335 way. Run `composer install` to install it and other dev dependencies to run unit tests.
1336 * wl_id field added to the watchlist table.
1337 * Revision::getRawText() was removed (deprecated since 1.21).
1338 * WikiPage::replaceSection() was removed (deprecated since 1.21).
1339 * Article::replaceSection() was removed (deprecated since 1.21).
1340 * Language::getLangObj() was removed (deprecated since 1.24).
1341 * Language::getLanguageName() was removed (deprecated since 1.20).
1342 * Language::getLanguageNames() was removed (deprecated since 1.20).
1343 * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
1344 * Language::specialPage() was removed (deprecated since 1.24).
1345 * MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
1346 * OutputPage::getHeadItems() was removed (deprecated since 1.24).
1347 * OutputPage::getScript() was removed (deprecated since 1.24).
1348 * OutputPage::out() was removed (deprecated since 1.22).
1349 * OutputPage::setAllowedModules() was removed (deprecated since 1.24).
1350 * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
1351 * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
1352 * Title::newFromRedirect() was removed (deprecated since 1.21).
1353 * Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
1354 * Skin::getCommonStylePath() was removed (deprecated since 1.24).
1355 * Skin::newFromKey() was removed (deprecated since 1.24).
1356 * Skin::getUsableSkins() was removed (deprecated since 1.23).
1357 * LoadBalancer::pickRandom() was removed (deprecated in 1.21).
1358 * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since
1359 1.21).
1360 * DifferenceEngine::setText() was removed (deprecated in 1.21).
1361 * Title::newFromRedirectArray() was removed (deprecated in 1.21).
1362 * UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType
1363 as the 6th. These must be passed in the options array now.
1364 * Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
1365 * Skin::accesskey was removed (deprecated since 1.21).
1366 * Skin::blockLink was removed (deprecated since 1.21).
1367 * Skin::buildRollbackLink was removed (deprecated since 1.21).
1368 * Skin::emailLink was removed (deprecated since 1.21).
1369 * Skin::formatComment was removed (deprecated since 1.21).
1370 * Skin::formatHiddenCategories was removed (deprecated since 1.21).
1371 * Skin::formatLinksInComment was removed (deprecated since 1.21).
1372 * Skin::formatRevisionSize was removed (deprecated since 1.21).
1373 * Skin::formatSize was removed (deprecated since 1.21).
1374 * Skin::formatTemplates was removed (deprecated since 1.21).
1375 * Skin::generateTOC was removed (deprecated since 1.21).
1376 * Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
1377 * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
1378 * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
1379 * Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
1380 * Skin::getLinkColour was removed (deprecated since 1.21).
1381 * Skin::getRevDeleteLink was removed (deprecated since 1.21).
1382 * Skin::getRollbackEditCount was removed (deprecated since 1.21).
1383 * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
1384 * Skin::makeCommentLink was removed (deprecated since 1.21).
1385 * Skin::makeExternalImage was removed (deprecated since 1.21).
1386 * Skin::makeExternalLink was removed (deprecated since 1.21).
1387 * Skin::makeHeadline was removed (deprecated since 1.21).
1388 * Skin::makeImageLink was removed (deprecated since 1.21).
1389 * Skin::makeMediaLinkFile was removed (deprecated since 1.21).
1390 * Skin::makeMediaLinkObj was removed (deprecated since 1.21).
1391 * Skin::makeSelfLinkObj was removed (deprecated since 1.21).
1392 * Skin::makeThumbLink2 was removed (deprecated since 1.21).
1393 * Skin::makeThumbLinkObj was removed (deprecated since 1.21).
1394 * Skin::normaliseSpecialPage was removed (deprecated since 1.21).
1395 * Skin::normalizeSubpageLink was removed (deprecated since 1.21).
1396 * Skin::processResponsiveImages was removed (deprecated since 1.21).
1397 * Skin::revComment was removed (deprecated since 1.21).
1398 * Skin::revDeleteLink was removed (deprecated since 1.21).
1399 * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
1400 * Skin::revUserLink was removed (deprecated since 1.21).
1401 * Skin::revUserTools was removed (deprecated since 1.21).
1402 * Skin::specialLink was removed (deprecated since 1.21).
1403 * Skin::splitTrail was removed (deprecated since 1.21).
1404 * Skin::titleAttrib was removed (deprecated since 1.21).
1405 * Skin::tocIndent was removed (deprecated since 1.21).
1406 * Skin::tocLine was removed (deprecated since 1.21).
1407 * Skin::tocLineEnd was removed (deprecated since 1.21).
1408 * Skin::tocList was removed (deprecated since 1.21).
1409 * Skin::tocUnindent was removed (deprecated since 1.21).
1410 * Skin::tooltip was removed (deprecated since 1.21).
1411 * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
1412 * Skin::userTalkLink was removed (deprecated since 1.21).
1413 * Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
1414 * wikidiff3 is now the default and only PHP diff engine. It provides improved diff
1415 performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore
1416 makes no difference now. Users are still recommended to use wikidiff2 if possible,
1417 though.
1418 * User::addNewUserLogEntry() was deprecated.
1419 * User::addNewUserLogEntryAutoCreate() was deprecated.
1420 * User::isPasswordReminderThrottled() was deprecated.
1421 * Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck)
1422 were removed.
1423 * Installer can now be customized without patching MediaWiki code, see
1424 mw-config/overrides/README for details.
1425
1426 === Compatibility ===
1427
1428 MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
1429 HHVM 3.6.5 or later.
1430
1431 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
1432 support for them is somewhat less mature. There is experimental support for
1433 Oracle and Microsoft SQL Server.
1434
1435 The supported versions are:
1436
1437 * MySQL 5.0.3 or later
1438 * PostgreSQL 8.3 or later
1439 * SQLite 3.3.7 or later
1440 * Oracle 9.0.1 or later
1441 * Microsoft SQL Server 2005 (9.00.1399)
1442
1443 === Upgrading ===
1444
1445 1.27 has several database changes since 1.26, and will not work without schema
1446 updates. Note that due to changes to some very large tables like the revision
1447 table, the schema update may take quite long (minutes on a medium sized site,
1448 many hours on a large site).
1449
1450 If upgrading from before 1.11, and you are using a wiki as a commons
1451 repository, make sure that it is updated as well. Otherwise, errors may arise
1452 due to database schema changes.
1453
1454 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
1455 new database fields are filled with data.
1456
1457 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1458 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
1459 with MediaWiki 1.21.
1460
1461 Don't forget to always back up your database before upgrading!
1462
1463 See the file UPGRADE for more detailed upgrade instructions.
1464
1465 For notes on 1.26.x and older releases, see HISTORY.
1466
1467
1468 = MediaWiki 1.26 =
1469
1470 == MediaWiki 1.26.4 ==
1471
1472 This is a maintenance release of the MediaWiki 1.26 branch.
1473
1474 === Changes since 1.26.3 ===
1475 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
1476 made by MediaWiki via a proxy. Relying on the http_proxy environment
1477 variable is no longer supported.
1478 * (T124163) Fixed fatal error in DifferenceEngine under HHVM.
1479 * (T139565) SECURITY: API: Generate head items in the context of the given title
1480 * (T137264) SECURITY: XSS in unclosed internal links
1481 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
1482 * (T133147) SECURITY: Require login to preview user CSS pages
1483 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
1484 the top file
1485 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
1486 permissions
1487 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
1488 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
1489 * Remove support for $wgWellFormedXml = false, all output is now well formed
1490
1491 == MediaWiki 1.26.3 ==
1492
1493 This is a maintenance release of the MediaWiki 1.26 branch.
1494
1495 === Changes since 1.26.2 ===
1496 * (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
1497 * (T123166) Fix fatal error when importing pages to titles which cannot be
1498 created, such as invalid titles or titles the user is not allowed to edit.
1499 * (T122056) Old tokens are remaining valid within a new session
1500 * (T127114) Login throttle can be tricked using non-canonicalized usernames
1501 * (T123653) Cross-domain policy regexp is too narrow
1502 * (T123071) Incorrectly identifying http link in a's href attributes, due to
1503 m modifier in regex
1504 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
1505 * (T125283) Users occasionally logged in as different users after
1506 SessionManager deployment
1507 * (T103239) Patrol allows click catching and patrolling of any page
1508 * (T122807) [tracking] Check php crypto primatives
1509 * (T98313) Graphs can leak tokens, leading to CSRF
1510 * (T130947) Diff generation should use PoolCounter
1511 * (T133507) Careless use of $wgExternalLinkTarget is insecure
1512 * (T132874) API action=move is not rate limited
1513 * (T110143) strip markers can be used to get around html attribute escaping in
1514 (many?) parser tags
1515 * (T116030) Increase pbkdf2 parameter strengths
1516 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
1517 * (T126685) Globally throttle password attempts
1518
1519 == MediaWiki 1.26.2 ==
1520
1521 This is a maintenance release of the MediaWiki 1.26 branch.
1522
1523 === Changes since 1.26.1 ===
1524 * (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
1525
1526 == MediaWiki 1.26.1 ==
1527
1528 This is a maintenance release of the MediaWiki 1.26 branch.
1529
1530 === Changes since 1.26.0 ===
1531 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
1532 that do not begin with a slash. This enabled trivial XSS attacks.
1533 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
1534 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
1535 error.
1536 * (T119309) SECURITY: Use hash_compare() for edit token comparison
1537 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
1538 with '@' as file uploads
1539 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
1540 longer be shorter than $wgMinimalPasswordLength
1541 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
1542 result in improper blocks being issued
1543 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
1544 and related pages no longer use HTTP redirects and are now redirected by
1545 MediaWiki
1546 * Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
1547 * Fixed stray literal \n in Special:Search.
1548 * Fix issue that breaks HHVM Repo Authorative mode.
1549 * (T120267) Work around APCu memory corruption bug
1550
1551 == MediaWiki 1.26.0 ==
1552
1553 === Configuration changes in 1.26 ===
1554 * $wgPasswordResetRoutes['email'] = true by default.
1555 * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
1556 instead if you want to disable the parser cache.
1557 * New-style continuation is now the default for API action=continue. Clients may
1558 use the 'rawcontinue' parameter to receive raw query-continue data, but the
1559 new style is encouraged as it's harder to implement incorrectly.
1560 * Deprecated API formats dump and wddx have been completely removed.
1561 * (T7645) The "Signature" button on the edit toolbar is now hidden by default
1562 in non-talk namespaces. A new configuration variable,
1563 $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
1564 the "Signature" button on the edit toolbar will be displayed.
1565 * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
1566 feature that was never enabled by default.
1567 * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
1568 This experimental feature was never enabled by default and is obsolete as of
1569 MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
1570 * $wgMasterWaitTimeout was removed (deprecated in 1.24).
1571 * Fields in ParserOptions are now private. Use the accessors instead.
1572 * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
1573 in extension.json) have been removed, after being deprecated in 1.24.
1574 * $wgAlwaysUseTidy has been removed.
1575 * ResetSessionID hook has been removed. Nothing seems to use it.
1576 * Certain AuthPlugin methods are deprecated in favor of new hooks:
1577 ** AuthPlugin::initUser() is replaced by LocalUserCreated.
1578 ** AuthPlugin::updateUser() is replaced by UserLoggedIn.
1579 ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
1580 ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
1581 ** AuthPluginUser::isHidden() is replaced by UserIsHidden.
1582 ** AuthPluginUser::isLocked() is replaced by UserIsLocked.
1583 * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
1584 * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
1585 the passed User object.
1586 * $wgBlockAllowsUTEdit is now set to true by default. This allows
1587 blocked users to edit their talk pages unless explicitly disabled
1588 when they are being blocked.
1589
1590 === New features in 1.26 ===
1591 * (T51506) Now action=info gives estimates of actual watchers for a page.
1592 See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
1593 to learn how to configure if needed.
1594 * Change tags can now be hidden in the interface by disabling the associated
1595 "tag-<id>" interface message.
1596 * ':' (colon) is now invalid in usernames for new accounts. Existing accounts
1597 are not affected.
1598 * Added a new hook, 'LogException', to log exceptions in nonstandard ways.
1599 * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
1600 search results are rendered. The initial use case is to append a "give us
1601 feedback" link beneath the search results.
1602 * Added a new hook, 'RejectParserCacheValue', which allows extensions to
1603 reject an otherwise-successful parser cache lookup. The intent is to allow
1604 extensions to manage the eviction of archaic HTML output from the cache.
1605 * (T68699) The expiration of the UserID and Token login cookies
1606 ($wgExtendedLoginCookieExpiration) can be configured independently of the
1607 expiration of all other cookies ($wgCookieExpiration).
1608 * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
1609 if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
1610 of WebP images still disabled by default. Add $wgFileExtensions[] =
1611 'webp'; to LocalSettings.php to enable uploading of WebP images.
1612 * Added new hooks 'EnhancedChangesListModifyLineData' &
1613 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
1614 lines in enhanced recentchanges and watchlist.
1615 * Caches that need purging ability now use the WANObjectCache interface.
1616 This corresponds to a new $wgMainWANCache setting, which defaults to using
1617 the $wgMainCacheType settings.
1618 * Callers needing fast light-weight data stores use $wgMainStash to select
1619 the store type from $wgObjectCaches. The default is the local database.
1620 * Interface message overrides in the MediaWiki namespace will now be cached in
1621 memcached and APC (if available), rather than memcached and local files.
1622 * Added a new hook, 'RandomPageQuery', to allow modification of the query used
1623 by Special:Random to select random pages.
1624 * $wgTransactionalTimeLimit was added, which controls the request time limit
1625 for potentially slow POST requests that need to be as atomic as possible.
1626 * ResourceLoader now loads all scripts asynchronously. The top-queue and
1627 startup modules are no longer synchronously loaded.
1628 * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
1629 page. During the deprecation period, the styles will only be loaded on pages
1630 which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
1631 only be loaded if explicitly required.
1632 * If search returns zero results and current search engine has a "did you mean"
1633 suggestion, results for suggestion will be shown. Can be disabled by setting
1634 $wgSearchRunSuggestedQuery to false.
1635 * Added several JavaScript libraries for uploading files to MediaWiki
1636 from the client-side. See documentation for mw.Upload and its
1637 subclasses for more information.
1638 * Added OOUI dialogs and layout for file upload interfaces. See
1639 documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
1640 subclasses for more information.
1641
1642 === extension.json changes in 1.26 ===
1643 * (T99344) The extension.json schema is now versioned. All extensions
1644 and skins should set a "manifest_version" property corresponding to
1645 the schema version they were written for. The only supported version
1646 currently is "1".
1647 * (T102523) The error message if a non-array attribute is set was improved.
1648 * (T107646) Configuration settings can now specify how they should be merged,
1649 which is necessary for arrays using integer keys.
1650 * (T110389) Adding namespaces through extension.json now actually works
1651 * $wgNamespaceProtection can now be set in extension.json.
1652 * $wgCapitalLinkOverrides can now be set in extension.json.
1653 * (T97186) Extensions using a custom prefix for their configuration settings
1654 can now set a "_prefix" key to override the default of "wg".
1655 * (T99084) Extensions can now specify what MediaWiki core versions they
1656 depend upon.
1657 * (T105236) The extension.json schema now validates custom classes in
1658 the "ResourceModules" property properly.
1659
1660 === External library changes in 1.26 ===
1661 ==== Upgraded external libraries ====
1662 * Updated es5-shim from v4.0.0 to v4.1.5.
1663 * Updated json2 from revision 2014-02-04 to 2015-05-03.
1664 * Updated Sinon.JS from 1.10.3 to 1.15.4.
1665 * Updated jQuery Client from v1.0.0 to v2.0.0.
1666 * Updated QUnit from v1.17.1 to v1.18.0.
1667 * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
1668 * Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
1669 * Updated wikimedia/cdb from v1.0.1 to v1.3.0.
1670 * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
1671 * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
1672 * Updated zordius/lightncandy from v0.18 to v0.21.
1673
1674 ==== New external libraries ====
1675 * Added composer/semver v1.0.0.
1676 * Added mediawiki/at-ease v1.1.0.
1677 * Added wikimedia/assert v0.2.2.
1678 * Added wikimedia/ip-set v1.0.1.
1679 * Added wikimedia/wrappedstring v2.0.0.
1680
1681 ==== Removed and replaced external libraries ====
1682 * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
1683
1684 === Bug fixes in 1.26 ===
1685 * (T53283) load.php sometimes sends 304 response without full headers
1686 * (T65198) Talk page tabs now have a "rel=discussion" attribute
1687 * (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
1688 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
1689 value if set to an empty string.
1690
1691 === Action API changes in 1.26 ===
1692 * New-style continuation is now the default for action=continue. Clients may
1693 use the 'rawcontinue' parameter to receive raw query-continue data, but the
1694 new style is encouraged as it's harder to implement incorrectly.
1695 * Deprecated API formats dump and wddx have been completely removed.
1696 * API action=query&list=tags: The displayname can now be boolean false if the
1697 tag is meant to be hidden from user interfaces.
1698 * action=import no longer allows both the namespace= and rootpage= parameters
1699 to be set. If they are both set, the value of rootpage= will be ignored.
1700 * prop=revision output in enum mode is now sorted by timestamp rather than
1701 revision ID. This usually won't make any difference.
1702 * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
1703 with formatversion=2.
1704 * Various other output from meta=siteinfo will now always be arrays instead of
1705 sometimes being numerically-indexed objects with formatversion=2.
1706 * When errors about users being blocked are returned, they now include
1707 information about the relevant block.
1708 * (T99926) list=random has higher limits, in line with other API modules.
1709 * list=random's rnredirect parameter is deprecated in favor of a new
1710 rnfilterredir parameter that also allows for listing both redirects and
1711 non-redirects.
1712 * list=random now supports continuation.
1713 * API responses to GET requests may now include ETag and Last-Modified headers,
1714 and will honor corresponding If-None-Match and If-Modified-Since on such
1715 requests.
1716
1717 === Action API internal changes in 1.26 ===
1718 * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
1719 into the value when the value is an assoc.
1720 * API action modules may now provide values for the RFC 7232 ETag and
1721 Last-Modified headers. The API will check these against If-None-Match and
1722 If-Modified-Since request headers on GET requests and avoid executing the
1723 module when appropriate.
1724
1725 === Languages updated in 1.26 ===
1726
1727 MediaWiki supports over 350 languages. Many localisations are updated
1728 regularly. Below only new and removed languages are listed, as well as
1729 changes to languages because of Phabricator reports.
1730
1731 * Languages added:
1732 ** ase (American sign language), thanks to translator Icemandeaf
1733 ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
1734 मेश सिंह बोहरा, and राम प्रसाद जोशी
1735 ** luz (لئری دوٙمینی / Southern Luri)
1736 ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
1737 Ilja.mos, and Mashoi7
1738
1739 === Other changes in 1.26 ===
1740 * ChangeTags::tagDescription() will return false if the interface message
1741 for the tag is disabled.
1742 * Added PageHistoryPager::doBatchLookups hook.
1743 * Added $wikiId parameter to FormatAutocomments hook.
1744 * Added ParserCacheSaveComplete to ParserCache
1745 * supportsDirectEditing and supportsDirectApiEditing methods added to
1746 ContentHandler, to provide a way for ApiEditPage and EditPage to check
1747 if direct editing of content is allowed. These methods return false,
1748 by default for the ContentHandler base class and true for TextContentHandler
1749 and it's derivative classes (everything in core). For Content types that
1750 do not support direct editing, an alternative mechanism should be provided
1751 for editing, such as action overrides or specific api modules.
1752 * mediaWiki.confirmCloseWindow now returns an object of functions, instead of
1753 one function. The callback can't be called directly any more. The callback
1754 function is replaced with confirmCloseWindow.release().
1755 * BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
1756 ResourceLoaderModule::getDependencies(). Extension classes that override that
1757 method should be updated. If they aren't updated, PHP Strict standards
1758 warnings will appear when E_STRICT error reporting is enabled. Note: in the
1759 near future, this parameter will probably become non-optional.
1760 * Removed maintenance script deleteImageMemcached.php.
1761 * MWFunction::newObj() was removed (deprecated in 1.25).
1762 ObjectFactory::getObjectFromSpec() should be used instead.
1763 * The parser will no longer randomize the string it uses to mark the place of
1764 items that were stripped during parsing. It will use a fixed string instead.
1765 This causes the parser to re-use the regular expressions it uses to search
1766 and replace markers rather than generate novel expressions on each parse.
1767 Re-using regular expressions will improve performance on HHVM and the
1768 forthcoming PHP 7. The interfaces changes accompanying this change are:
1769 - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
1770 - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
1771 $prefix argument for StripState::_construct() are deprecated and their
1772 value is ignored.
1773 * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
1774 mediawiki/at-ease, and are now deprecated. Callers should use
1775 MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
1776 * The Block class constructor now takes an associative array of parameters
1777 instead of many optional positional arguments. Calling the constructor the old
1778 way will issue a deprecation warning.
1779 * The jquery.mwExtension module was deprecated.
1780 * $wgSpecialPageGroups was removed (deprecated in 1.21).
1781 * SpecialPageFactory::setGroup was removed (deprecated in 1.21).
1782 * SpecialPageFactory::getGroup was removed (deprecated in 1.21).
1783 * DatabaseBase::ignoreErrors() is now protected.
1784 * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
1785 a lengthy deprecation period.
1786 * The ScopedPHPTimeout class was removed.
1787 * Removed maintenance script fixSlaveDesync.php.
1788 * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
1789 are deprecated. Applications using those can work via the OAuth
1790 extension instead. New tokens types should not be added.
1791 * DatabaseBase::errorCount() was removed (unused).
1792 * $wgDeferredUpdateList was removed.
1793 * DeferredUpdates::addHTMLCacheUpdate() was removed.
1794
1795 = MediaWiki 1.25 =
1796
1797 == MediaWiki 1.25.6 ==
1798
1799 This is a maintenance release of the MediaWiki 1.25 branch.
1800
1801 === Changes since 1.25.5 ===
1802 * (T123166) Fix fatal error when importing pages to titles which cannot be
1803 created, such as invalid titles or titles the user is not allowed to edit.
1804 * (T122056) Old tokens are remaining valid within a new session
1805 * (T127114) Login throttle can be tricked using non-canonicalized usernames
1806 * (T123653) Cross-domain policy regexp is too narrow
1807 * (T123071) Incorrectly identifying http link in a's href attributes, due to
1808 m modifier in regex
1809 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
1810 * (T125283) Users occasionally logged in as different users after
1811 SessionManager deployment
1812 * (T103239) Patrol allows click catching and patrolling of any page
1813 * (T122807) [tracking] Check php crypto primatives
1814 * (T98313) Graphs can leak tokens, leading to CSRF
1815 * (T130947) Diff generation should use PoolCounter
1816 * (T133507) Careless use of $wgExternalLinkTarget is insecure
1817 * (T132874) API action=move is not rate limited
1818 * (T110143) strip markers can be used to get around html attribute escaping in
1819 (many?) parser tags
1820 * (T116030) Increase pbkdf2 parameter strengths
1821 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
1822 * (T126685) Globally throttle password attempts
1823
1824 == MediaWiki 1.25.5 ==
1825
1826 This is a maintenance release of the MediaWiki 1.25 branch.
1827
1828 === Changes since 1.25.4 ===
1829 * (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
1830
1831 == MediaWiki 1.25.4 ==
1832
1833 This is a security and maintenance release of the MediaWiki 1.25 branch.
1834
1835 === Changes since 1.25.3 ===
1836 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
1837 that do not begin with a slash. This enabled trivial XSS attacks.
1838 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
1839 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
1840 error.
1841 * (T119309) SECURITY: Use hash_compare() for edit token comparison
1842 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
1843 with '@' as file uploads
1844 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
1845 longer be shorter than $wgMinimalPasswordLength
1846 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
1847 result in improper blocks being issued
1848 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
1849 and related pages no longer use HTTP redirects and are now redirected by
1850 MediaWiki
1851 * (T103237) $wgUseGzip had no effect when using file cache.
1852 * (T114606) mw.notify was not correctly fixed to the page if
1853 initialized while not at the top of the page.
1854 * Fix issue that breaks HHVM Repo Authorative mode.
1855
1856 == MediaWiki 1.25.3 ==
1857
1858 This is a security and maintenance release of the MediaWiki 1.25 branch.
1859
1860 === Changes since 1.25.2 ===
1861
1862 * (T98975) Fix having multiple callbacks for a single hook.
1863 * (T107632) maintenance/refreshLinks.php did not always remove all links
1864 pointing to nonexistent pages.
1865 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
1866 value if set to an empty string.
1867 * (T62174) Provide fallbacks for use of mb_convert_encoding() in
1868 HtmlFormatter. It was causing an error when accessing the api help page
1869 if the mbstring PHP extension was not installed.
1870 * (T105896) Confirmation emails would sometimes contain invalid codes.
1871 * (T105597) Fixed edit stash inclusion queries.
1872 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
1873 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
1874 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
1875 first
1876 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
1877
1878 == MediaWiki 1.25.2 ==
1879
1880 This is a security and maintenance release of the MediaWiki 1.25 branch.
1881
1882 === Changes since 1.25.1 ===
1883
1884 * (T94116) SECURITY: Compare API watchlist token in constant time
1885 * (T97391) SECURITY: Escape error message strings in thumb.php
1886 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
1887 Special:DeletedContributions
1888 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
1889 policy of Wikimedia Commons.
1890 * (T100767) Setting a configuration setting for skin or extension to
1891 false in LocalSettings.php was not working.
1892 * (T100635) API action=opensearch json output no longer breaks when
1893 $wgDebugToolbar is enabled.
1894 * (T102522) Using an extension.json or skin.json file which has
1895 a "manifest_version" property for 1.26 compatability will no longer
1896 trigger warnings.
1897 * (T86156) Running updateSearchIndex.php will not throw an error as
1898 page_restrictions has been added to the locked table list.
1899 * Special:Version would throw notices if using SVN due to an incorrectly
1900 named variable. Add an additional check that an index is defined.
1901
1902 == MediaWiki 1.25.1 ==
1903
1904 This is a bug fix release of the MediaWiki 1.25 branch.
1905
1906 === Changes since 1.25 ===
1907 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
1908
1909 == MediaWiki 1.25.0 ==
1910
1911 === Configuration changes in 1.25 ===
1912 * $wgPageShowWatchingUsers was removed.
1913 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
1914 * $wgAntiLockFlags was removed.
1915 * $wgJavaScriptTestConfig was removed.
1916 * Edit tokens returned from User::getEditToken may change on every call. Token
1917 validity must be checked by passing the user-supplied token to
1918 User::matchEditToken rather than by testing for equality with a
1919 newly-generated token.
1920 * (T74951) The UserGetLanguageObject hook may be passed any IContextSource
1921 for its $context parameter. Formerly it was documented as receiving a
1922 RequestContext specifically.
1923 * Profiling was restructured and $wgProfiler now requires an 'output' parameter.
1924 See StartProfiler.sample for details.
1925 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
1926 might be a flash policy directive configurable.
1927 * ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
1928 longer be used. If extracts and page images are desired, the TextExtracts and
1929 PageImages extensions are required.
1930 * $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
1931 * Edits are now prepared via AJAX as users type edit summaries. This behavior
1932 can be disabled via $wgAjaxEditStash.
1933 * (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
1934 with the jQuery Migrate library, as indicated when this option was provided in
1935 MediaWiki 1.24.
1936 * ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
1937 StartProfiler.php config is updated to reflect this. Xhprof is available
1938 for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
1939 * Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
1940 rather than 'rsvg'.
1941 * Default value of $wgSVGConverters['ImageMagick'] now uses transparent
1942 background with white fallback color, rather than just white background.
1943 * MediaWikiBagOStuff class removed, make sure any object cache config
1944 uses SqlBagOStuff instead.
1945 * The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
1946 job queues. This means that mediawiki/services/jobrunner service has to
1947 be installed and running for any such queues to work.
1948 * $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
1949 compatibility, any 'view' event triggers will still trigger on 'edit'.
1950 * $wgExtensionDirectory was added for when your extensions directory is somewhere
1951 other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
1952
1953 === New features in 1.25 ===
1954 * (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
1955 for plural forms in Russian, Prussian, Tagalog, Manx and several languages
1956 that fall back to Russian.
1957 * (T60139) ResourceLoaderFileModule now supports language fallback
1958 for 'languageScripts'.
1959 * Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
1960 parser output for a content object before links update.
1961 * (T37785) Enhanced recent changes and extended watchlist are now default.
1962 Documentation: https://meta.wikimedia.org/wiki/Special:MyLanguage/Help:Enhanced_recent_changes
1963 and https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:$wgDefaultUserOptions.
1964 * (T69341) SVG images will no longer be base64-encoded when being embedded
1965 in CSS. This results in slight size increase before gzip compression (due to
1966 percent-encoding), but up to 20% decrease after it.
1967 * Update jStorage to v0.4.12.
1968 * MediaWiki now natively supports page status indicators: icons (or short text
1969 snippets) usually displayed in the top-right corner of the page. They have
1970 been in use on Wikipedia for a long time, implemented using templates and CSS
1971 absolute positioning.
1972 - Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
1973 - Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
1974 - Adjusting custom skins to support indicators:
1975 https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Skinning#Page_status_indicators
1976 * Edit tokens may now be time-limited: passing a maximum age to
1977 User::matchEditToken will reject any older tokens.
1978 * The debug logging internals have been overhauled, and are now using the
1979 PSR-3 interfaces.
1980 * Update CSSJanus to v1.1.1.
1981 * Update lessphp to v0.5.0.
1982 * Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
1983 and images for ApiOpenSearch output. The semantics are identical to the
1984 "OpenSearchXml" hook provided by the OpenSearchXml extension.
1985 * PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
1986 this allows for pagination of prefix results. Extensions using this hook
1987 should implement supporting behavior. Not doing so can result in undefined
1988 behavior from API clients trying to continue through prefix results.
1989 * Update jQuery from v1.11.1 to v1.11.3.
1990 * External libraries installed via composer will now be displayed
1991 on Special:Version in their own section. Extensions or skins that are
1992 installed via composer will not be shown in this section as it is assumed
1993 they will add the proper credits to the skins or extensions section. They
1994 can also be accessed through the API via the new siprop=libraries to
1995 ApiQuerySiteInfo.
1996 * Update QUnit from v1.14.0 to v1.16.0.
1997 * Update Moment.js from v2.8.3 to v2.8.4.
1998 * Special:Tags now allows for manipulating the list of user-modifiable change
1999 tags.
2000 * Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
2001 and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
2002 tags.
2003 * Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
2004 "active" formerly conflated by the 'ListDefinedTags' hook.
2005 * Added TemplateParser class that provides a server-side interface to cachable
2006 dynamically-compiled Mustache templates (currently uses lightncandy library).
2007 * Clickable anchors for each section heading in the content are now generated
2008 and appear in the gutter on hovering over the heading.
2009 * Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
2010 to allow extensions to override how links to pages are rendered within NS_CATEGORY
2011 * (T19665) Special:WantedPages only lists page which having at least one red link
2012 pointing to it.
2013 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
2014 used for conditional registration of API modules.
2015 * New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
2016 links of a group of changes in EnhancedChangesList.
2017 * A full interface for StatsD metric reporting has been added to the context
2018 interface, reachable via IContextSource::getStats().
2019 * Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
2020 proper, published library, which is now tagged as v1.0.0.
2021 * A new message (defaulting to blank), 'editnotice-notext', can be shown to users
2022 when they are editing if no edit notices apply to the page being edited.
2023 * (T94536) You can now make the sitenotice appear to logged-in users only by
2024 editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
2025 "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
2026 * Modifying the tagging of a revision or log entry is now available via
2027 Special:EditTags, generally accessed via the revision-deletion-like interface
2028 on history pages and Special:Log is likely to be more useful.
2029 * Added 'applychangetags' and 'changetags' user rights.
2030 * (T35235) LogFormatter subclasses are now responsible for formatting the
2031 parameters for API log event output. Extensions should implement the new
2032 getParametersForApi() method in their log formatters.
2033
2034 ==== External libraries ====
2035 * MediaWiki now requires certain external libraries to be installed. In the past
2036 these were bundled inside the Git repository of MediaWiki core, but now they
2037 need to be installed separately. For users using the tarball, this will be taken
2038 care of and no action will be required. Users using Git will either need to use
2039 composer to fetch dependencies or use the mediawiki/vendor repository which includes
2040 all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
2041 instructions can be found at:
2042 https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
2043 * The following libraries are now required:
2044 ** psr/log
2045 This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
2046 which are used by MediaWiki internally via the
2047 MediaWiki\Logger\LoggerFactory class.
2048 See the structured logging RfC (https://www.mediawiki.org/wiki/Special:MyLanguage/Requests_for_comment/Structured_logging)
2049 for more background information.
2050 ** cssjanus/cssjanus
2051 This library was formerly bundled with MediaWiki core and has been removed.
2052 It automatically flips CSS for RTL support.
2053 ** leafo/lessphp
2054 This library was formerly bundled with MediaWiki core and has been removed.
2055 It compiles LESS files into CSS.
2056 ** wikimedia/cdb
2057 This library was formerly a part of MediaWiki core, and has been moved into a separate library.
2058 It provides CDB functions which are used in the Interwiki and Localization caches.
2059 More information about the library can be found at https://www.mediawiki.org/wiki/Special:MyLanguage/CDB.
2060 ** liuggio/statsd-php-client
2061 This library provides a StatsD client API for logging application metrics to a remote server.
2062
2063 === Bug fixes in 1.25 ===
2064 * (T73003) No additional code will be generated to try to load CSS-embedded
2065 SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
2066 * (T69021) On Special:BookSources, corrected validation of ISBNs (both
2067 10- and 13-digit forms) containing "X".
2068 * Page moving was refactored into a MovePage class. As part of that:
2069 ** The AbortMove hook was removed.
2070 ** MovePageIsValidMove is for extensions to specify whether a page
2071 cannot be moved for technical reasons, and should not be overridden.
2072 ** MovePageCheckPermissions is for checking whether the given user is
2073 allowed to make the move.
2074 ** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
2075 ** Title::moveTo() was deprecated. Use the MovePage class instead.
2076 ** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
2077 and MovePage::checkPermissions().
2078 * (T18530) Multiple autocomments are now formatted in an edit summary.
2079 * (T70361) Autocomments containing "/*" are parsed correctly.
2080 * The Special:WhatLinksHere page linked from 'Number of redirects to this page'
2081 on action=info about a file page does not list file links anymore.
2082 * (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
2083 * (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
2084 * (T85192) Captcha position modified in Usercreate template. As a result:
2085 ** extrafields parameter added to Usercreate.php to insert additional data
2086 ** 'extend' method added to QuickTemplate to append additional values to any field of data array
2087 * (T86974) Several Title methods now load from the database when necessary
2088 (instead of returning incorrect results) even when the page ID is known.
2089 * (T74070) Duplicate search for archived files on file upload now omits the extension.
2090 This requires the fa_sha1 field being populated.
2091 * Removed rel="archives" from the "View history" link, as it did not pass
2092 HTML validation.
2093 * $wgUseTidy is now set when parserTests are run with the tidy option to match
2094 output on wiki.
2095 * (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
2096 * (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
2097
2098 === Action API changes in 1.25 ===
2099 * (T67403) XML tag highlighting is now only performed for formats
2100 "xmlfm" and "wddxfm".
2101 * action=paraminfo supports generalized submodules (modules=query+value),
2102 querymodules and formatmodules are deprecated
2103 * action=paraminfo no longer outputs descriptions and other help text by
2104 default. If needed, it may be requested using the new 'helpformat' parameter.
2105 * action=help has been completely rewritten, and outputs help in HTML
2106 rather than plain text.
2107 * Hitting api.php without specifying an action now displays only the help for
2108 the main module, with links to submodule help.
2109 * API help is no longer displayed on errors.
2110 * 'uselang' is now a recognized API parameter; "uselang=user" may be used to
2111 explicitly select the language from the current user's preferences, and
2112 "uselang=content" may be used to select the wiki's content language.
2113 * Default output format for the API is now jsonfm.
2114 * Simplified continuation will return a "batchcomplete" property in the result
2115 when a batch of pages is complete.
2116 * Pretty-printed HTML output now has nicer formatting and (if available)
2117 better syntax highlighting.
2118 * Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
2119 list=alldeletedrevisions.
2120 * prop=revisions will gracefully continue when given too many revids or titles,
2121 rather than just ignoring the extras.
2122 * prop=revisions will no longer die if rvcontentformat doesn't match a
2123 revision's content model; it will instead warn and omit the content.
2124 * If the user has the 'deletedhistory' right, action=query's revids parameter
2125 will now recognize deleted revids.
2126 * prop=revisions may be used as a generator, generating revids.
2127 * (T68776) format=json results will no longer be corrupted when
2128 $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
2129 error instead of returning invalid serialized data.
2130 * Generators may now return data for the generated pages when used with
2131 action=query.
2132 * Query page data for generator=search and generator=prefixsearch will now
2133 include an "index" field, which may be used by the client for sorting the
2134 search results.
2135 * ApiOpenSearch now supports XML output.
2136 * ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
2137 in JSON format.
2138 * (T76051) list=tags will now continue correctly.
2139 * (T76052) list=tags can now indicate whether a tag is defined.
2140 * (T75522) list=prefixsearch now supports continuation
2141 * (T78737) action=expandtemplates can now return page properties.
2142 * (T78690) list=allimages now accepts multiple pipe-separated values
2143 for the 'aimime' parameter.
2144 * prop=info with inprop=protections will now return applicable protection types
2145 with the 'restrictiontypes' key.
2146 * (T85417) When resolving redirects, ApiPageSet will now add the targets of
2147 interwiki redirects to the list of interwiki titles.
2148 * (T85417) When outputting the list of redirect titles, a 'tointerwiki'
2149 property (like the existing 'tofragment' property) will be set.
2150 * Added action=managetags to allow for managing the list of
2151 user-modifiable change tags. Actually modifying the tagging of a revision or
2152 log entry is not implemented yet.
2153 * list=tags has additional properties to indicate 'active' status and tag
2154 sources.
2155 * siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
2156 * (T88010) Added action=checktoken, to test a CSRF token's validity.
2157 * (T88010) Added intestactions to prop=info, to allow querying of
2158 Title::userCan() via the API.
2159 * Default type param for query list=watchlist and list=recentchanges has
2160 been changed from all types (e.g. including 'external') to 'edit|new|log'.
2161 * Added formatversion to format=json. Still "experimental" as further changes
2162 to the output formatting might still be made.
2163 * (T73020) Log event details are now always under a 'params' subkey for
2164 list=logevents, and a 'logparams' subkey for list=watchlist and
2165 list=recentchanges.
2166 * Log event details are changing formatting:
2167 * block events now report flags as an array rather than as a comma-separated
2168 list.
2169 * patrol events now report the 'auto' flag as a boolean (absent/empty string
2170 for BC formats) rather than as an integer.
2171 * rights events now report the old and new group lists as arrays rather than
2172 as comma-separated lists.
2173 * merge events use new-style formatting.
2174 * delete/event and delete/revision events use new-style formatting.
2175 * The root node and various other nodes will now always be an object in formats
2176 such as json that distinguish between arrays and objects.
2177 * Except for action=opensearch where the spec requires an array.
2178
2179 === Action API internal changes in 1.25 ===
2180 * ApiHelp has been rewritten to support i18n and paginated HTML output.
2181 Most existing modules should continue working without changes, but should do
2182 the following:
2183 * Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
2184 * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
2185 to replace getParamDescription(). If necessary, the settings array returned
2186 by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
2187 message.
2188 * Implement getExamplesMessages() to replace getExamples().
2189 * Modules with submodules (like action=query) must have their submodules
2190 override ApiBase::getParent() to return the correct parent object.
2191 * The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
2192 and will have no effect for modules using i18n messages. Use
2193 'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
2194 * Api formatters will no longer be asked to display the help screen on errors.
2195 * ApiMain::getCredits() was removed. The credits are available in the
2196 'api-credits' i18n message.
2197 * ApiFormatBase has been changed to support i18n and syntax highlighting via
2198 extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
2199 has been removed.
2200 * ApiFormatBase now always buffers. Output is done when
2201 ApiFormatBase::closePrinter is called.
2202 * Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
2203 * The 'revids' parameter supplied by ApiPageSet will now count deleted
2204 revisions as "good" if the user has the 'deletedhistory' right. New methods
2205 ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
2206 provided to access just the live or just the deleted revids.
2207 * Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
2208 to allow generators to include data in the action=query result.
2209 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
2210 used for conditional registration of API modules.
2211 * Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
2212 the current request was sent with the 'callback' parameter (or any future
2213 method that breaks the same-origin policy).
2214 * Profiling methods in ApiBase are deprecated and no longer need to be called.
2215 * ApiResult was greatly overhauled. See inline documentation for details.
2216 * ApiResult will automatically convert objects to strings or arrays (depending
2217 on whether a __toString() method exists on the object), and will refuse to
2218 add unsupported value types.
2219 * An informal interface, ApiSerializable, exists to override the default
2220 object conversion.
2221 * ApiResult/ApiFormatBase "raw mode" is deprecated.
2222 * ApiFormatXml now assumes defaults and so on instead of throwing errors when
2223 metadata isn't set.
2224 * (T35235) LogFormatter subclasses are now responsible for formatting log event
2225 parameters for the API.
2226 * Many modules have changed result data formats. While this shouldn't affect
2227 clients not using the experimental formatversion=2, code using
2228 ApiResult::getResultData() without the transformations for backwards
2229 compatibility may need updating, as will code that wasn't following the old
2230 conventions for API boolean output.
2231 * The following methods have been deprecated and may be removed in a future
2232 release:
2233 * ApiBase::getDescription
2234 * ApiBase::getParamDescription
2235 * ApiBase::getExamples
2236 * ApiBase::makeHelpMsg
2237 * ApiBase::makeHelpArrayToString
2238 * ApiBase::makeHelpMsgParameters
2239 * ApiBase::getModuleProfileName
2240 * ApiBase::profileIn
2241 * ApiBase::profileOut
2242 * ApiBase::safeProfileOut
2243 * ApiBase::getProfileTime
2244 * ApiBase::profileDBIn
2245 * ApiBase::profileDBOut
2246 * ApiBase::getProfileDBTime
2247 * ApiBase::getResultData
2248 * ApiFormatBase::setUnescapeAmps
2249 * ApiFormatBase::getWantsHelp
2250 * ApiFormatBase::setHelp
2251 * ApiFormatBase::formatHTML
2252 * ApiFormatBase::setBufferResult
2253 * ApiFormatBase::getDescription
2254 * ApiFormatBase::getNeedsRawData
2255 * ApiMain::setHelp
2256 * ApiMain::reallyMakeHelpMsg
2257 * ApiMain::makeHelpMsgHeader
2258 * ApiResult::setRawMode
2259 * ApiResult::getIsRawMode
2260 * ApiResult::getData
2261 * ApiResult::setElement
2262 * ApiResult::setContent
2263 * ApiResult::setIndexedTagName_recursive
2264 * ApiResult::setIndexedTagName_internal
2265 * ApiResult::setParsedLimit
2266 * ApiResult::beginContinuation
2267 * ApiResult::setContinueParam
2268 * ApiResult::setGeneratorContinueParam
2269 * ApiResult::endContinuation
2270 * ApiResult::size
2271 * ApiResult::convertStatusToArray
2272 * ApiQueryImageInfo::getPropertyDescriptions
2273 * ApiQueryLogEvents::addLogParams
2274 * The following classes have been deprecated and may be removed in a future
2275 release:
2276 * ApiQueryDeletedrevs
2277
2278 === Languages updated in 1.25 ===
2279
2280 MediaWiki supports over 350 languages. Many localisations are updated
2281 regularly. Below only new and removed languages are listed, as well as
2282 changes to languages because of Bugzilla reports.
2283
2284 * Languages added:
2285 ** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
2286 ** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
2287 Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
2288 ** ses (Koyraboro Senni), thanks to translator Songhay.
2289 * (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
2290 interface language to kk where unexpected.
2291 * The Chinese conversion table was substantially updated to fix a lot of
2292 bugs and ensure better reading experience for different variants.
2293
2294 === Other changes in 1.25 ===
2295 * (T45591) Links to MediaWiki.org translatable help were added to indicators,
2296 mostly in special pages. Local custom target titles can be placed in the
2297 relevant '(namespace-X|action name|special page name)-helppage' system
2298 message. Extensions can use the addHelpLink() function to do the same.
2299 * The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
2300 removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
2301 migration guide for creators and users of custom skins that relied on it.
2302 * Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
2303 available on Special:Upload.
2304 * (T58257) Set site logo from mediawiki.skinning.interface module instead of
2305 inline styles in the HTML.
2306 * Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
2307 * Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
2308 * Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
2309 * Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
2310 * Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
2311 * Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
2312 since 1.20)
2313 * Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
2314 since 1.20)
2315 * Removed 'jquery.json' module. (deprecated since 1.24)
2316 Use the 'json' module and global JSON object instead.
2317 * Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
2318 Also, the former will now throw an MWException if called with one or more
2319 arguments.
2320 * Removed hitcounters and associated code.
2321 * The "temp" zone of the upload respository is now considered private. If it
2322 already exists (such as under the images/ directory), please make sure that
2323 the directory is not web readable (e.g. via a .htaccess file).
2324 * BREAKING CHANGE: In the XML dump format used by Special:Export and
2325 dumpBackup.php, the <model> and <format> tags now apprear before the <text>
2326 tag, instead of after the <text> and <sha1> tags.
2327 The new schema version is 0.10, the new schema URI is:
2328 https://www.mediawiki.org/xml/export-0.10.xsd
2329 * MWFunction::call() and MWFunction::callArray() were removed, having being
2330 deprecated in 1.22.
2331 * Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
2332 and getInternalLinkAttributes methods in Linker, and removed
2333 getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
2334 * Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
2335 * Added wgRelevantArticleId to the client-side config, for use on special pages.
2336 * Deprecated the TitleIsCssOrJsPage hook. Superseded by the
2337 ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
2338 * Deprecated the TitleIsWikitextPage hook. Superseded by the
2339 ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
2340 * Changed parsing of variables in schema (.sql) files:
2341 ** The substituted values are no longer parsed. (Formerly, several passes
2342 were made for each variable, so depending on the order in which variables
2343 were defined, variables might have been found inside encoded values. This
2344 is no longer the case.)
2345 ** Variables are no longer string encoded when the /*$var*/ syntax is used.
2346 If string encoding is necessary, use the '{$var}' syntax instead.
2347 ** Variable names must only consist of one or more of the characters
2348 "A-Za-z0-9_".
2349 ** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
2350 does not exist yet variable B does, the latter may not be replaced.
2351 However, this difference is unlikely to arise in practice.
2352 * (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
2353 characters on both sides.
2354 * The FormatAutocomments hook will now receive $pre and $post as booleans,
2355 rather than as strings that must be prepended or appended to $comment.
2356 * (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
2357 newlines; but they can contain &nbsp; and other non-newline whitespace.
2358 * The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
2359 toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
2360 relied on this behavior, update your scripts' dependencies.
2361 * HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
2362 * HTMLForm::isVForm() is now deprecated.
2363 * You can no longer do this:
2364 $form = new HTMLForm( … );
2365 $form->setDisplayFormat( 'vform' ); // throws exception
2366 Instead, do this:
2367 $form = HTMLForm::factory( 'vform', … );
2368 * Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
2369 * BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
2370 The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
2371 * (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
2372 renders them incorrectly when combined with border-radius or background-size.
2373 * Removed maintenance script dumpSisterSites.php.
2374 * DatabaseBase class constructors must be called using the array argument style.
2375 Ideally, DatabaseBase:factory() should be used instead in most cases.
2376 * Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
2377 This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
2378 addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
2379 since they interfere with caching of ParserOutput objects.
2380 * Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
2381 * Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
2382 updates when a page is re-rendered.
2383 * EditPage::attemptSave has been modified not to call handleStatus itself and
2384 instead just returns the Status object. Extension calling it should be aware of
2385 this.
2386 * Removed class DBObject. (unused since 1.10)
2387 * wfDiff() is deprecated.
2388 * The -m (maximum replication lag) option of refreshLinks.php was removed.
2389 It had no effect since MediaWiki 1.18 and should be removed from any cron
2390 jobs or similar scripts you may have set up.
2391 * (T85864) The following messages no longer support raw html: redirectto,
2392 thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
2393 retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
2394 protect-summary-cascade
2395 * All BloomCache related code has been removed. This was largely experimental.
2396 * $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
2397 can only be set for the entire skin.
2398 * Removed global function swap(). (deprecated since 1.24)
2399 * Deprecated the ".php5" file extension entry points and the $wgScriptExtension
2400 configuration variable. Refer to the ".php" files instead. If you want
2401 ".php5" URLs to continue to work, set up redirects. In Apache, this can be
2402 done by enabling mod_rewrite and adding the following rules to your
2403 configuration:
2404
2405 RewriteEngine On
2406 RewriteBase /
2407 RewriteRule ^(.*)\.php5 $1.php [R=301,L]
2408
2409 * The global importScriptURI and importStylesheetURI functions, as well as the
2410 loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
2411 warnings through mw.log.warn when accessed.
2412
2413 = MediaWiki 1.24 =
2414
2415 == MediaWiki 1.24.6 ==
2416
2417 This is a maintenance release of the MediaWiki 1.24 branch.
2418
2419 === Changes since 1.24.5 ===
2420 * (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
2421
2422 == MediaWiki 1.24.5 ==
2423
2424 This is a security and maintenance release of the MediaWiki 1.23 branch.
2425
2426 === Changes since 1.24.4 ===
2427 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
2428 that do not begin with a slash. This enabled trivial XSS attacks.
2429 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
2430 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
2431 error.
2432 * (T119309) SECURITY: Use hash_compare() for edit token comparison
2433 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
2434 with '@' as file uploads
2435 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
2436 longer be shorter than $wgMinimalPasswordLength
2437 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
2438 result in improper blocks being issued
2439 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
2440 and related pages no longer use HTTP redirects and are now redirected by
2441 MediaWiki
2442 * (T103237) $wgUseGzip had no effect when using file cache.
2443
2444 == MediaWiki 1.24.4 ==
2445
2446 This is a security and maintenance release of the MediaWiki 1.24 branch.
2447
2448 === Changes since 1.24.3 ===
2449
2450 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
2451 * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
2452 update.php to fix.
2453 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
2454 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
2455 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
2456 first
2457 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
2458
2459 == MediaWiki 1.24.3 ==
2460
2461 This is a security and maintenance release of the MediaWiki 1.24 branch.
2462
2463 === Changes since 1.24.2 ===
2464
2465 * (T94116) SECURITY: Compare API watchlist token in constant time
2466 * (T97391) SECURITY: Escape error message strings in thumb.php
2467 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
2468 Special:DeletedContributions
2469 * Update jQuery from v1.11.2 to v1.11.3.
2470 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
2471 policy of Wikimedia Commons.
2472
2473 == MediaWiki 1.24.2 ==
2474
2475 This is a security and maintenance release of the MediaWiki 1.24 branch.
2476
2477 === Changes since 1.24.1 ===
2478
2479 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
2480 to prevent various DoS attacks.
2481 * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
2482 likelihood of DoS.
2483 * (T88310) SECURITY: Always expand xml entities when checking SVG's.
2484 * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
2485 * (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
2486 * (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
2487 using PBKDF2.
2488 * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
2489 prevent XSS and protect viewer's privacy.
2490 * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
2491 loading these special pages when $wgAutoloadAttemptLowercase is false.
2492 * (bug T70087) Fix Special:ActiveUsers page for installations using
2493 PostgreSQL.
2494 * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
2495 and running update.php to fix.
2496
2497 == MediaWiki 1.24.1 ==
2498
2499 This is a security and maintenance release of the MediaWiki 1.24 branch.
2500
2501 === Changes since 1.24.0 ===
2502
2503 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
2504 could lead to xss. Permission to edit MediaWiki namespace is required to
2505 exploit this.
2506 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
2507 $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
2508 part of its name.
2509 * (bug T74222) The original patch for T74222 was reverted as unnecessary.
2510 * Fixed a couple of entries in RELEASE-NOTES-1.24.
2511 * (bug T76168) OutputPage: Add accessors for some protected properties.
2512 * (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
2513
2514 == MediaWiki 1.24.0 ==
2515
2516 === Configuration changes in 1.24 ===
2517 * MediaWiki will no longer run if register_globals is enabled. It has been
2518 deprecated for 5 years now, and was removed in PHP 5.4. For more information
2519 about why, see <https://www.mediawiki.org/wiki/register_globals>.
2520 * MediaWiki now requires PHP's iconv extension. openSUSE users may need to
2521 install the php5-iconv package. Users of other systems may need to add
2522 extension=iconv.so to php.ini or recompile PHP without --without-iconv.
2523 * MediaWiki will no longer function if magic quotes are enabled. It has
2524 been deprecated for 5 years now, and was removed in PHP 5.4.
2525 * The server's canonical hostname is available as $wgServerName, which is
2526 exposed in both mw.config and ApiQuerySiteInfo.
2527 * Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
2528 for using the old schema of the page_props table, in case the respective
2529 schema update was not applied.
2530 * $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything'
2531 user option was removed. Use $wgNamespacesToBeSearchedDefault instead or
2532 if you used to have $wgDefaultUserOptions['searcheverything'] = 1.
2533 * $wgMasterWaitTimeout has been deprecated.
2534 * $wgDBClusterTimeout has been removed.
2535 * $wgProxyKey has been removed. It is no longer used by MediaWiki core.
2536 Ensure $wgSecretKey is set in LocalSettings.php.
2537 * $wgExtraInterlanguageLinkPrefixes is a new configuration variable that
2538 contains an array of interwiki prefixes that should be treated as language
2539 prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set
2540 to true).
2541 * $wgParserTestRemote has been removed.
2542 * $wgCountTotalSearchHits has been removed. If you're concerned about efficiency
2543 of search, you should use something like CirrusSearch instead of built in
2544 search.
2545 * Users in the 'sysop' group have access to Special:MergeHistory by default.
2546 * $wgFileStore was removed after having been deprecated in 1.17. Alternative
2547 configurations are $wgDeletedDirectory and $wgHashedUploadDirectory.
2548 * The deprecated $wgUseCommaCount variable has been removed.
2549 * $wgEnableSorbs and $wgSorbsUrl have been removed.
2550 * The UserCryptPassword and UserComparePassword hooks are no longer called.
2551 Any extensions using them must be updated to use the Password Hashing API.
2552 * $wgCompiledFiles has been removed.
2553 * $wgSortSpecialPages was removed, the listing on Special:SpecialPages is
2554 now always sorted.
2555 * $wgSpecialPages may now use callback functions as an alternative to plain class names.
2556 This allows more control over constructor parameters.
2557 * $wgHTCPMulticastAddress, $wgHTCPMulticastRouting and $wgHTCPPort were removed.
2558 * $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort
2559 and $wgRC2UDPPrefix have been removed.
2560 * The default password type for MediaWiki has been changed from MD5 to PBKDF2.
2561 Password hashes will automatically be updated as users log in. If necessary, the
2562 old MD5 hashing can be restored by changing $wgPasswordDefault to 'B'. In addition,
2563 there is a maintenance script wrapOldPassword.php that can wrap all passwords in
2564 PBKDF2 (or the hashing algorithm of your choice) if you don't want to wait for your
2565 users to log in.
2566 * $wgImportSources can now either be a regular array, or an associative map
2567 specifying subprojects on the interwiki map of the target wiki, or a mix of
2568 the two. Existing configurations will still work.
2569 * Users must be able to edit through a page's protection to be able to delete it.
2570 * The default thumb size ($wgDefaultUserOptions['thumbsize']) is now 300px, up from
2571 180px. If you have altered the number of entries in $wgThumbLimits for your wiki, you
2572 may need to adjust your default user settings to compensate for the index change.
2573 * $wgDeferredUpdateList is now deprecated, you should use DeferredUpdates::addUpdate()
2574 instead.
2575 * $wgCanonicalLanguageLinks has been removed. Per Google recommendations, we
2576 will not send a rel=canonical pointing to a variant-neutral page, however
2577 we will send rel=alternate.
2578 * $wgResourceLoaderLESSFunctions has been deprecated and will be removed in the future.
2579 * $wgGoToEdit has been removed. Use the SpecialSearchNogomatch hook for similar
2580 functionality.
2581
2582 === New features in 1.24 ===
2583 * Added new hook WatchlistEditorBeforeFormRender, allowing subscribers to
2584 manipulate the list of pages and/or preload lots of data at once.
2585 * Added new argument &$link in hook WatchlistEditorBuildRemoveLine, allowing the
2586 link to the title to be changed.
2587 * Added a new hook, "WhatLinksHereProps", to allow extensions to annotate
2588 WhatLinksHere entries.
2589 * Added a new hook, "ContentGetParserOutput", to customize parser output for
2590 a given content object.
2591 * Deprecated the hook "ShowRawCssJs", use "ContentGetParserOutput" instead.
2592 * HTMLForm's HTMLTextField now supports the 'url' type.
2593 * HTMLForm fields may now be dynamically hidden based on the values of other
2594 fields in the form.
2595 * HTMLForm now supports multiple copies of an input field or set of input
2596 fields, e.g. the form may request "one or more usernames" without having to
2597 have the user enter delimited list of names into a text field.
2598 * Added a new hook, "SidebarBeforeOutput", to allow to edit the structure of
2599 the sidebar just before its display.
2600 * (bug 49156) Added the mediawiki.cookie ResourceLoader module, which wraps
2601 jquery.cookie so that getting/setting a cookie is syntactically and
2602 functionally similar to using the WebRequest::getCookie() and
2603 WebResponse::setcookie() methods.
2604 * (bug 44740) jQuery upgraded from 1.8.3 to 1.11.1. A new configuration option,
2605 $wgIncludejQueryMigrate, also loads the jQuery Migrate hack to let extensions
2606 and gadgets use the long-deprecated functions that were removed in jQuery 1.9.
2607 This option is turned off by default, and will be removed in MediaWiki 1.25.
2608 * (bug 47076) jQuery UI upgraded from 1.8.24 to 1.9.2.
2609 * Changes to content typography (fonts, etc.). See
2610 https://www.mediawiki.org/wiki/Typography_refresh for further information.
2611 * WikitextContent will now render redirects with the expected "redirect"
2612 header, rather than as an ordered list. Code calling Article::viewRedirect
2613 can probably be changed to no longer special-case redirects.
2614 * Header font set to a serif font stack. See
2615 https://www.mediawiki.org/wiki/Typography_refresh for further information.
2616 * (bug 65567) Added a new hook, "BeforeHttpsRedirect", to allow cancellation of
2617 the HTTP to HTTPS redirect due to forceHTTPS cookie, userRequires, etc. This
2618 is only for page views, since this hook doesn't affect UserLogin, OAuth,
2619 CentralAuth, etc. ATTENTION: This hook is likely to be removed soon due to
2620 overall design of the system.
2621 * (bug 17367) It is now possible to add pages to your watchlist from
2622 Special:UnwatchedPages without reloading the special page.
2623 * New methods setVolatile and isVolatile are added to PPFrame, so that
2624 extensions such as Cite.php can mark that their output is volatile and
2625 shouldn't be cached.
2626 * (bug 52817) Advanced search options are now saved on the search page itself,
2627 rather than in a dedicated pane in the preferences panel.
2628 * (bug 44591) The dropdown actions menu (little triangle next to page tabs) in
2629 the Vector skin has gained a label that should make it more discoverable.
2630 * MWCryptHKDF added for fast, cryptographically secure random number generation
2631 that won't deplete openssl's entropy pool.
2632 * ResourceLoader: File modules can now provide a skip function that uses an
2633 inline feature test to bypass loading of the module.
2634 * (bug 20210) Special pages may now provide autocompletion of their subpage
2635 names in search suggestions. Right now the only useful implementation is in
2636 Special:Log, but more are to come.
2637 * Special:MostLinkedTemplates is no longer limited to transclusions from the
2638 Template namespace.
2639 * Skins can now use 'remoteSkinPath' when defining ResourceLoader modules.
2640 This works the same as 'remoteExtPath' but is relative to the skins/ folder
2641 instead of the extensions/ folder.
2642 * Added the json2.js polyfill for the ES5 JSON.stringify and JSON.parse methods.
2643 Exposed as module "json" with a skip function to optimise loading.
2644 * Extensions and skins may now use 'namemsg' in $wgExtensionCredits in addition
2645 to 'name', to allow for the name to be localizable. 'name' should still be
2646 specified for backwards-compatibility and to define the path Special:Version
2647 uses to find extension license information.
2648 * Browser tests are now included to verify basic wiki functionality in developer
2649 environments. For details on running tests, see tests/browser/README.mediawiki.
2650 * Upgrade jStorage to v0.4.10.
2651 * {{!}} is now a magic word that produces the | character. This removes the need
2652 for Template:! for purposes such as passing pipes inside of parameters.
2653 * (bug 20790) The block log snippet on Special:Contributions and while
2654 editing user and user talk pages now works for IP range blocks.
2655 * (bug 9360) Added ability to change the page language for MediaWiki pages using
2656 Special:PageLanguage. All pages are set to wiki language by default.
2657 The feature needs to be enabled with $wgPageLanguageUseDB=true and
2658 permission needs to be set for 'pagelang'.
2659 * Upgrade Moment.js to v2.8.3.
2660 * (bug 67042) Added support for the HTML5 <rtc> tag for East Asian typography.
2661 * Upgrade Sinon.JS to 1.10.3.
2662 * Added the es5-shim polyfill for older or non-compliant javascript engines.
2663 * Upgrade jQuery Cookie to v1.3.1.
2664 * (bug 20476) Add a "viewsuppressed" user right to be able to view
2665 suppressed content but not suppress it ("suppressrevision" right).
2666 * (bug 66440) The MediaWiki web installer will now allow you to choose the skins
2667 to enable (from the ones included in download tarball) and decide which one
2668 should be the default.
2669 * (bug 68085, 68802) Links like [[localInterwikiPrefix:languageCode:pageTitle]],
2670 where localInterwikiPrefix is a member of the $wgLocalInterwikis array, will
2671 no longer be displayed in the sidebar when $wgInterwikiMagic is true. In a
2672 similar way, links like [[localInterwikiPrefix:File:Image.png]] and
2673 [[localInterwikiPrefix:Category:Hello]] will now render as regular links, and
2674 will not include the file or add the page to the category.
2675 * New special page, MyLanguage, to redirect users to subpages with localised
2676 versions of a page. (Integrated from Extension:Translate)
2677 * MediaWiki now supports multiple password types, including bcrypt and PBKDF2.
2678 The default type can be changed with $wgPasswordDefault and the type
2679 configurations can be changed with $wgPasswordConfig.
2680 * Skins can now define custom styles for default ResourceLoader modules using
2681 the $wgResourceModuleSkinStyles global. See the Vector skin for examples.
2682 * (bug 4488) There is now a preference to watch pages where the user has
2683 rollbacked an edit by default.
2684 * (bug 15484) Users will now be redirected to the login page when they need to
2685 log in, rather than being shown a page asking them to log in and having to click
2686 another link to actually get to the login page.
2687 * A JsonContent and JsonContentHandler were added for extensions to extend.
2688 * (bug 35045) Redirects to sections will now update the URL in browser's address
2689 bar using the HTML5 History API. When [[Dog]] redirects to [[Animals#Dog]],
2690 the user will now see "Animals#Dog" in their browser instead of "Dog#Dog".
2691 * API token handling has been rewritten. Any API module using tokens will need
2692 to be updated. See the entry below under "Action API internal changes".
2693 * Added HTMLAutoCompleteSelectField.
2694 * Added a new hook, "SkinPreloadExistence", to allow extensions to add titles to
2695 link existence cache before the page is rendered.
2696 * Config::set() was moved to its own interface, MutableConfig. GlobalVarConfig::set()
2697 is now deprecated, does not implement MutableConfig.
2698 * A MutableConfig named HashConfig was added, that stores an array of configuration
2699 settings.
2700 * (bug 69418) A MultiConfig implementation was added that supports fallback
2701 to multiple Config instances.
2702 * Update CSSJanus to v1.1.0.
2703 * Added FormatJson::parse() returning status with result or localized error message
2704 * Added DeletedContribsPager::reallyDoQuery hook allowing extensions to data to
2705 Special:DeletedContributions
2706 * Added DeletedContributionsLineEnding hook allowing extensions to format
2707 Special:DeletedContributions lines
2708 * (T69525) You can now make MediaWiki speed up its thumbnail rendering by using
2709 intermediary thumbnails. $wgThumbnailBuckets must be set to a list of target
2710 thumbnail widths; when a new thumbnail needs to be rendered, MediaWiki will
2711 find the smallest bucket smaller than the original but larger than the target
2712 width + $wgThumbnailMinimumBucketDistance, and it will scale that thumbnail,
2713 rather than the original, down to the target size at greater speed in return
2714 for minor loss of fidelity.
2715
2716 === Bug fixes in 1.24 ===
2717 * (bug 50572) MediaWiki:Blockip should support gender
2718 * (bug 49116) Footer copyright notice is now always displayed in user language
2719 rather than content language (same as copyright notice for editing interface).
2720 * (bug 62258) A bug was fixed in File::getUnscaledThumb when a height
2721 restriction was present in the parameters. Images with both the "frame"
2722 option and a size specification set will now always ignore the provided
2723 size and display an unscaled image, as the documentation has always
2724 claimed it would.
2725 * (bug 39035) Improved Vector skin performance by removing collapsibleNav,
2726 which used to collapse some sidebar elements by default.
2727 This removes -list id suffixes like p-lang-list: instead of using things like
2728 #p-lang-list, you can do #p-lang .body ul.
2729 * (bug 890) Links in Special:RecentChanges and Special:Watchlist no longer
2730 follow redirects to their target pages.
2731 * Parser now dies early if called recursively, instead of producing subtle bugs.
2732 * (bug 14323) Redirect pages, when viewed with redirect=no, no longer hide the
2733 remaining page content.
2734 * (bug 52587) Maintenance script deleteBatch.php no longer follows redirects
2735 in the file namespace and delete the file on the target page. It will still
2736 however delete the redirect page.
2737 * (bug 22683) {{msgnw:}} and other uses of PPFrame::RECOVER_ORIG will correctly
2738 recover the original code of extension tags.
2739 * (bug 65757) MSSQL: Update script drops unnamed constraints to be prepared
2740 for future updates. Because it's doing so heuristically, it may fail or drop
2741 wrong constraints.
2742 * (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
2743 * $wgRunJobsAsync now works with private wikis (e.g. read requires login).
2744 * (bugs 57238, 65206) Blank pages can now be directly created.
2745 * (bug 69789) Title::getContentModel() now loads from the database when
2746 necessary instead of incorrectly returning the default content model.
2747 * (bug 69249) wfBaseConvert() now works around PHP Bug #50175 when using GMP.
2748 * (bug 57909) URLs in the externallinks table will no longer have certain
2749 characters decoded in the query string.
2750 * (bug 67368) LESS mixins like .background-image() correctly flip image
2751 references for RTL stylesheets now.
2752
2753 === Action API changes in 1.24 ===
2754 * action=parse API now supports prop=modules, which provides the list of
2755 ResourceLoader modules that should be used to enhance the parsed content.
2756 * action=query&meta=siteinfo&siprop=interwikimap returns a new "protorel"
2757 field which is true if protocol-relative urls can be used to access
2758 a particular interwiki map entry.
2759 * list=logevents now provides logpage, which is the page ID from the
2760 logging table, if ids are requested and the user has the permissions.
2761 * action=edit now requires that appendtext, prependtext, or section=new be used
2762 when using the 'redirect' parameter, to prevent clients accidentally
2763 overwriting the target page with the content of the redirect.
2764 * list=logevents will now return an error if both letitle and leprefix are
2765 specified.
2766 * list=logevents has a new parameter, lenamespace, to allow filtering by
2767 namespace.
2768 * action=expandtemplates has a new parameter, prop, and a new output format.
2769 The old format is still used if prop isn't provided, but this is deprecated.
2770 * meta=userinfo can now return the count of unread pages on the watchlist.
2771 * list=watchlist can now filter by unread status.
2772 * The deprecated action=parse&prop=languageshtml has been removed.
2773 * (bug 48071) action=setnotificationtimestamp no longer throws PHP or database
2774 errors when no pages are given.
2775 * (bug 60734) Actions that use ApiPageSet (e.g. purge, watch,
2776 setnotificationtimestamp) will now include continuation information when
2777 using a generator.
2778 * Removed 'props' and 'errors' from action=paraminfo, as they have extremely
2779 limited use and are generally inaccurate, unmaintained, and impossible to
2780 properly maintain.
2781 * Formats dbg, dump, txt, wddx, and yaml are now deprecated.
2782 * action=paraminfo now indicates when a parameter is specifying a submodule.
2783 * The iwurl parameter to prop=iwlinks is deprecated in favor of iwprop=url, for
2784 parallelism with prop=langlinks.
2785 * All tokens should be fetched from action=query&meta=tokens; all other methods
2786 of fetching tokens are deprecated. The value needed for meta=tokens's 'type'
2787 parameter for each module is documented in the action=help output and is
2788 returned from action=paraminfo.
2789 * New action ClearHasMsg that can be used to clear HasMsg flag.
2790 * The cmstartsortkey and cmendsortkey parameters to list=categorymembers are
2791 deprecated in favor of cmstarthexsortkey and cmendhexsortkey.
2792 * (bug 63326) Add blockedtimestamp field to output of blockinfo property for
2793 the list=allusers and list=users modules.
2794 * prop=imageinfo no longer requires iiurlwidth to be set when using iiurlparam.
2795 * Added prop=linkshere, prop=fileusage, and prop=transcludedin, which are
2796 roughly equivalent to list=backlinks, list=imageusage, and list=embeddedin
2797 but can work on a list of titles (including titles from a generator).
2798 * prop=redirects can now filter returned redirects by namespace.
2799
2800 === Action API internal changes in 1.24 ===
2801 * Methods for handling continuation are added to ApiResult, so actions other
2802 than query that use generators can easily support continuation.
2803 * $wgAPIModules (and the related $wgAPIFormatModules, $wgAPIMetaModules,
2804 $wgAPIPropModules, and $wgAPIListModules settings) now allow API modules
2805 to be specified using a "module spec" array instead of a plain class name.
2806 A "module spec" is an associative array containing at least the 'class' key
2807 for the module's class, and optionally a 'factory' key for the factory function
2808 to use for the module. This is intended for extensions that want control over
2809 the instantiation of their API modules, to allow for proper dependency
2810 injection.
2811 * A new param type 'submodule' is available. Parameters of this type will take
2812 the list of valid values from the module's ApiModuleManager for the group
2813 corresponding to the parameter name.
2814 * The 'APIGetPossibleErrors' and 'APIGetResultProperties' hooks are no longer used.
2815 * API token handling has been rewritten. Any API module using tokens will need
2816 to be updated:
2817 * ApiBase::needsToken now returns a token type instead of boolean true when a
2818 token is needed. Returning true will throw an exception. See documentation
2819 of that method for details.
2820 * Information for the 'token' parameter is automatically set by ApiBase
2821 getFinalParams and getFinalParamDescription.
2822 * ApiBase::getTokenSalt has been removed.
2823 * The hooks APIQueryInfoTokens, APIQueryRevisionsTokens,
2824 APIQueryRecentChangesTokens, APIQueryUsersTokens, and
2825 ApiTokensGetTokenTypes are deprecated, but are still called to support
2826 backwards-compatible token access.
2827 * ApiBase::validateLimit and ApiBase::validateTimestamp are now protected.
2828 * ApiQueryRedirects was removed; prop=redirects is now implemented by
2829 ApiQueryBacklinksProp along with the newly-added prop modules.
2830 * The following methods have been deprecated and may be removed in a future
2831 release:
2832 * ApiBase::getResultProperties
2833 * ApiBase::getFinalResultProperties
2834 * ApiBase::addTokenProperties
2835 * ApiBase::getRequireOnlyOneParameterErrorMessages
2836 * ApiBase::getRequireMaxOneParameterErrorMessages
2837 * ApiBase::getRequireAtLeastOneParameterErrorMessages
2838 * ApiBase::getTitleOrPageIdErrorMessage
2839 * ApiBase::getPossibleErrors
2840 * ApiBase::getFinalPossibleErrors
2841 * ApiBase::parseErrors
2842 * ApiQuery::setGeneratorContinue
2843 * ApiQueryBase::checkRowCount
2844 * ApiQueryBase::titleToKey
2845 * ApiQueryBase::keyToTitle
2846 * ApiQueryBase::keyPartToTitle
2847 * ApiQueryInfo::getTokenFunctions
2848 * ApiQueryInfo::resetTokenCache
2849 * ApiQueryInfo::getEditToken
2850 * ApiQueryInfo::getDeleteToken
2851 * ApiQueryInfo::getProtectToken
2852 * ApiQueryInfo::getMoveToken
2853 * ApiQueryInfo::getBlockToken
2854 * ApiQueryInfo::getUnblockToken
2855 * ApiQueryInfo::getEmailToken
2856 * ApiQueryInfo::getImportToken
2857 * ApiQueryInfo::getWatchToken
2858 * ApiQueryInfo::getOptionsToken
2859 * ApiQueryRecentChanges::getTokenFunctions
2860 * ApiQueryRecentChanges::getPatrolToken
2861 * ApiQueryRevisions::getTokenFunctions
2862 * ApiQueryRevisions::getRollbackToken
2863 * ApiQueryUsers::getTokenFunctions
2864 * ApiQueryUsers::getUserrightsToken
2865 * The following classes have been deprecated and may be removed in a future
2866 release:
2867 * ApiFormatDbg
2868 * ApiFormatDump
2869 * ApiFormatTxt
2870 * ApiFormatWddx
2871 * ApiFormatYaml
2872 * ApiTokens
2873 * The following class constants have been deprecated and may be removed in a
2874 future release:
2875 * ApiBase::PROP_ROOT
2876 * ApiBase::PROP_LIST
2877 * ApiBase::PROP_TYPE
2878 * ApiBase::PROP_NULLABLE
2879
2880 === Languages updated in 1.24 ===
2881
2882 MediaWiki supports over 350 languages. Many localisations are updated
2883 regularly. Below only new and removed languages are listed, as well as
2884 changes to languages because of Bugzilla reports.
2885
2886 === Other changes in 1.24 ===
2887 * The deprecated jquery.delayedBind ResourceLoader module was removed.
2888 * The deprecated function mw.util.toggleToc was removed.
2889 * The Special:Search hooks SpecialSearchGo and SpecialSearchResultsAppend
2890 were removed as they were unused.
2891 * (bug 65477) User::pingLimiter() now has an additional profile point varying
2892 by action being used.
2893 * mediawiki.util.$content no longer supports old versions of the Vector,
2894 Monobook, Modern and CologneBlue skins that don't yet implement the "mw-body"
2895 and/or "mw-body-primary" class name in their html.
2896 * Added pp_sortkey column to page_props table, so pages can be efficiently
2897 queried and sorted by property value (bug 58032).
2898 See $wgPagePropsHaveSortkey if you want to postpone the schema change.
2899 * BREAKING CHANGE: All four built-in MediaWiki skins (Vector, MonoBook, Modern
2900 and Cologne Blue) were moved out of MediaWiki core to their own respective
2901 repositories. They will be installed with the release tarball, but you must
2902 install them separately if installing MediaWiki from source code. A warning
2903 message displayed until you do it should guide you through the process. See
2904 also <https://www.mediawiki.org/wiki/Manual:Skin_configuration>.
2905 * BREAKING CHANGE: Skins built for MediaWiki 1.15 and earlier that do not use
2906 the "headelement" template key are no longer supported. Setting
2907 $useHeadElement = false; is no longer supported and will not cause old keys
2908 like "headlinks", "skinnameclass", etc. to be defined.
2909 * BREAKING CHANGE: The files commonElements.css, commonContent.css and
2910 commonInterface.css (in skins/common/) have been removed. Skins may no longer
2911 rely on their presence and include them in their style modules. ResourceLoader
2912 modules introduced in MediaWiki 1.23 should be loaded instead:
2913 - skins/common/commonElements.css → 'mediawiki.skinning.elements' module
2914 - skins/common/commonContent.css → 'mediawiki.skinning.content' module
2915 - skins/common/commonInterface.css → 'mediawiki.skinning.interface' module
2916 * The deprecated 'SpecialVersionExtensionTypes' hook was removed.
2917 * (bug 63891) Add 'X-Robots-Tag: noindex' header in action=render pages.
2918 * SpecialPage no longer supports the syntax for invoking wfSpecial*() functions.
2919 Special pages should subclass SpecialPage and implement the execute() method.
2920 * (bug 63755) The deprecated constants RC_MOVE and RC_MOVE_OVER_REDIRECT were
2921 removed.
2922 * Special:MostLinkedTemplates has been renamed to Special:MostTranscludedPages.
2923 * The skin autodiscovery mechanism has been deprecated and will be removed in
2924 MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
2925 for migration guide for creators and users of custom skins that relied on it.
2926 * ResourceLoaderFileModule#getAllStyleFiles now returns all style files and all
2927 skin style files used by the module.
2928 * Removed getLang() from IContextSource and subclasses. (deprecated since 1.19)
2929 * Removed setLang() from subclasses of IContextSource. (deprecated since 1.19)
2930 * Removed WebRequest::escapeAppendQuery(). (deprecated since 1.20)
2931 * Removed info(), purge(), revert() and rollback() from the Article class; they
2932 have since become subclasses of the Action class. (deprecated since 1.19)
2933 * SearchEngineReplacePrefixesComplete hook was removed.
2934 * The "jquery.json" module has been deprecated. Use the "json" module instead.
2935 * Removed HTMLForm::addJS(). (deprecated since 1.18)
2936 * Removed LogEventsList::showHeader(). (deprecated since 1.19)
2937 * Removed ImageGalleryBase::useSkin(). (deprecated since 1.18)
2938 * Removed DatabaseMysqlBase::getLagFromProcesslist(). (deprecated since 1.19)
2939 * Removed LoadBalancer::closeConnecton(). (deprecated since 1.18)
2940 * Removed ApiBase::createContext(). (deprecated since 1.19)
2941 * BREAKING CHANGE: The undocumented Special{$this->getName()}BeforeFormDisplay
2942 set of hooks has been removed and replaced by a single new hook
2943 SpecialPageBeforeFormDisplay.
2944 * (bug 65781) Removed block warning on included {{Special:Contributions}}
2945 * Removed Skin::makeGlobalVariablesScript(). (deprecated since 1.19)
2946 * Removed MWNamespace::isMain(). (deprecated since 1.19)
2947 * Removed Preferences::loadOldSearchNs(). (deprecated since 1.19)
2948 * Removed OutputPage::getStatusMessage(). (deprecated since 1.18)
2949 * Removed OutputPage::isUserJsAllowed(). (deprecated since 1.18)
2950 * Removed Title::updateTitleProtection(). (deprecated since 1.19)
2951 * Removed ParserOptions::setSkin(). (deprecated since 1.19)
2952 * Removed Title::escapeCanonicalURL(). (deprecated since 1.19)
2953 * Removed Title::escapeLocalURL(). (deprecated since 1.19)
2954 * Removed Title::escapeFullURL(). (deprecated since 1.19)
2955 * Removed User::isValidEmailAddr(). (deprecated since 1.18)
2956 * Removed Title::getEscapedText(). (deprecated since 1.19)
2957 * Removed Language::getFallbackLanguageCode(). (deprecated since 1.19)
2958 * Removed WikiPage::isBigDeletion(). (deprecated since 1.19)
2959 * Removed MWInit class which contained functions related to a now discontinued
2960 PHP compiler called hphpc. (deprecated since 1.22)
2961 * ApiResult::enableSizeCheck() and disableSizeCheck() are now obsolete.
2962 * Removed ResourceLoaderGetStartupModules hook. (deprecated since 1.23)
2963 * Removed getFormFields(), onSubmit() and onSuccess() from FormlessAction, as
2964 these were meant specifically for FormAction instead.
2965 * Removed Action::execute().
2966 * Removed AjaxAddScript which has been obsolete since ResourceLoader and
2967 is unused by any modern extension.
2968 * Removed maintenance/nextJobDB.php; no longer in use.
2969 * Removed global function wfViewPrevNext(). (deprecated since 1.19)
2970 * Removed global function xmlsafe() from Export.php. (moved to OAIRepo extension)
2971 * Removed Title::userCanRead(). (deprecated since 1.19)
2972 * Removed maintenance script importTextFile.php. Use edit.php script instead.
2973 * A _from_namespace field has been added to the templatelinks, pagelinks,
2974 and filelinks tables. Run update.php to apply this change to the schema.
2975 * Removed File::sha1Base36(). (deprecated since 1.19)
2976 * Removed File::getPropsFromPath(). (deprecated since 1.19)
2977 * Removed functions blockedPage(), noCreatePermission(), readOnlyPage() and
2978 userNotLoggedInPage() from EditPage.php. (deprecated since 1.19)
2979 * Removed functions getContent(), getPreloadedText(), mergeChangesInto() and
2980 setPreloadedText() from EditPage.php. (deprecated since 1.21)
2981 * Removed global functions wfArrayLookup(), wfArrayMerge(), wfDebugDieBacktrace()
2982 and wfTime(). (deprecated since 1.22)
2983 * Browser support for Internet Explorer 6 and 7 lowered from Grade A to Grade C,
2984 meaning that JavaScript is no longer executed in these browser versions.
2985 * Browser support for Opera 11 lowered from Grade A to Grade C.
2986 * Removed IEFixes module which existed purely to provide support for MSIE versions
2987 below 7 (conditionally loaded only for those browsers).
2988 * Deprecated SpecialPageFactory::getList() in favor of
2989 SpecialPageFactory::getNames()
2990 * Action::checkCanExecute() no longer has a return value.
2991 * Removed cleanupForIRC(), loadFromCurRow(), newFromCurRow(), notifyRC2UDP()
2992 and sendToUDP() from RecentChange.php. (deprecated since 1.22)
2993 * Removed EnhancedChangesList::arrow(), sideArrow(), downArrow(), spacerArrow().
2994 * Removed Xml::namespaceSelector(). (deprecated since 1.19)
2995 * Removed WikiPage::estimateRevisionCount(). (deprecated since 1.19)
2996 * MYSQL: Enum item added to "major MIME type" columns.
2997 Running update.php on MySQL < v5.1 may result in heavy processing.
2998 * RSS and Atom feeds generated by MediaWiki no longer include a fallback
2999 stylesheet. It was ignored by most browsers these days anyway.
3000 * SpecialSearchNoResults hook has been removed. SpecialSearchResults is now
3001 called unconditionally.
3002 * TablePager::getBody() is now 'final' and can't be overridden in subclasses.
3003 * TablePager::getBody() is deprecated, use getBodyOutput() or getFullOutput().
3004 * Added $outputPage parameter to the SkinTemplateGetLanguageLink hook.
3005 * log_page for move log entries store the original page ID, rather than that
3006 of the new redirect page. This is not retroactive.
3007 * LCStoreAccel was removed. $wgLocalisationCacheConf can no longer be set to
3008 use this store class.
3009 * Html::infoBox() no longer accepts paths relative to skins/common/images/.
3010 * Deprecated defunct Skin::getCommonStylePath().
3011 * Some extensions had their ResourceLoader modules depend on the "mediawiki"
3012 and "jquery" modules. In the past, this behavior was undefined, now it will
3013 throw an error.
3014 * Removed BagOStuff::replace(). (deprecated since 1.23)
3015 * In Linker.php, link(), linkText() and makeBrokenImageLinkObj() now display
3016 warnings if their first parameter is not a Title object. Also makeImageLink()
3017 now requires a Parser as its first parameter.
3018 * (bug 67368) LESS functions embed() and embeddable(), added in MediaWiki 1.23
3019 and broken by design, have been removed. Use appropriate LESS mixins instead.
3020 * Removed cssjanus.py from maintenance directory as it was unused.
3021 * Removed maintenance/purgeOldText.inc and the PurgeRedundantText() function
3022 it contained (superseded by Maintenance::purgeRedundantText() in 1.16).
3023 The purgeOldText.php maintenance script has been retained.
3024 * PHPUnit tests can be found by directory discovery, by adding the directory
3025 path from your UnitTestsList callback. Older versions of MediaWiki core will
3026 barf at this usage.
3027
3028 ==== Renamed classes ====
3029 * CLDRPluralRuleConverter_Expression to CLDRPluralRuleConverterExpression
3030 * CLDRPluralRuleConverter_Fragment to CLDRPluralRuleConverterFragment
3031 * CLDRPluralRuleConverter_Operator to CLDRPluralRuleConverterOperator
3032 * CLDRPluralRuleEvaluator_Range to CLDRPluralRuleEvaluatorRange
3033 * CSSJanus_Tokenizer to CSSJanusTokenizer
3034 * MediaWiki_I18N to MediaWikiI18N
3035 * Parser_DiffTest to ParserDiffTest
3036 * RevDel_ArchiveItem to RevDelArchiveItem
3037 * RevDel_ArchiveList to RevDelArchiveList
3038 * RevDel_ArchivedFileItem to RevDelArchivedFileItem
3039 * RevDel_ArchivedFileList to RevDelArchivedFileList
3040 * RevDel_ArchivedRevisionItem to RevDelArchivedRevisionItem
3041 * RevDel_FileItem to RevDelFileItem
3042 * RevDel_FileList to RevDelFileList
3043 * RevDel_Item to RevDelItem
3044 * RevDel_List to RevDelList
3045 * RevDel_LogItem to RevDelLogItem
3046 * RevDel_LogList to RevDelLogList
3047 * RevDel_RevisionItem to RevDelRevisionItem
3048 * RevDel_RevisionList to RevDelRevisionList
3049 * WebInstaller_Complete to WebInstallerComplete
3050 * WebInstaller_Copying to WebInstallerCopying
3051 * WebInstaller_DBConnect to WebInstallerDBConnect
3052 * WebInstaller_DBSettings to WebInstallerDBSettings
3053 * WebInstaller_Document to WebInstallerDocument
3054 * WebInstaller_ExistingWiki to WebInstallerExistingWiki
3055 * WebInstaller_Install to WebInstallerInstall
3056 * WebInstaller_Language to WebInstallerLanguage
3057 * WebInstaller_Name to WebInstallerName
3058 * WebInstaller_Options to WebInstallerOptions
3059 * WebInstaller_Readme to WebInstallerReadme
3060 * WebInstaller_ReleaseNotes to WebInstallerReleaseNotes
3061 * WebInstaller_Restart to WebInstallerRestart
3062 * WebInstaller_Upgrade to WebInstallerUpgrade
3063 * WebInstaller_UpgradeDoc to WebInstallerUpgradeDoc
3064 * WebInstaller_Welcome to WebInstallerWelcome
3065
3066 ==== Removed classes ====
3067 * IPBlockForm - Use SpecialBlock directly
3068 * WatchlistEditor - Use SpecialEditWatchlist directly
3069 * FormatExif - Use FormatMetadata directly
3070 * RevertFileAction - Use RevertAction directly
3071 * HistoryPage - Use HistoryAction directly
3072 * RawPage - Use RawAction directly
3073 * StubContLang - Use Language::factory() instead
3074 * XMLReader2 - Use XMLReader directly
3075 * ResourceLoaderLESSFunctions - No longer in use, not intended for public usage
3076
3077 ==== Removed files ====
3078 The skins/common/ directory, previously containing some assets intended to be
3079 used by skins and a number of legacy styles and scripts, has been removed. Its
3080 contents have been deleted or relocated into the resources/ directory. Full list
3081 of files that are no longer available follows.
3082
3083 * skins/common/ajax.js
3084 * skins/common/commonContent.css
3085 * skins/common/commonElements.css
3086 * skins/common/commonInterface.css
3087 * skins/common/commonPrint.css
3088 * skins/common/config-cc.css
3089 * skins/common/config.css
3090 * skins/common/config.js
3091 * skins/common/feed.css
3092 * skins/common/IEFixes.js
3093 * skins/common/oldshared.css
3094 * skins/common/protect.js
3095 * skins/common/shared.css
3096 * skins/common/upload.js
3097 * skins/common/wikibits.js
3098 * skins/common/images/add.png
3099 * skins/common/images/ajax-loader.gif
3100 * skins/common/images/arrow_disabled_first_25.png
3101 * skins/common/images/arrow_disabled_last_25.png
3102 * skins/common/images/arrow_disabled_left_25.png
3103 * skins/common/images/arrow_disabled_right_25.png
3104 * skins/common/images/arrow_first_25.png
3105 * skins/common/images/arrow_last_25.png
3106 * skins/common/images/arrow_left_25.png
3107 * skins/common/images/arrow_right_25.png
3108 * skins/common/images/Arr_.png
3109 * skins/common/images/Arr_d.png
3110 * skins/common/images/Arr_l.png
3111 * skins/common/images/Arr_r.png
3112 * skins/common/images/Arr_u.png
3113 * skins/common/images/bullet.gif
3114 * skins/common/images/button_bold.png
3115 * skins/common/images/button_extlink.png
3116 * skins/common/images/button_headline.png
3117 * skins/common/images/button_hr.png
3118 * skins/common/images/button_image.png
3119 * skins/common/images/button_italic.png
3120 * skins/common/images/button_link.png
3121 * skins/common/images/button_media.png
3122 * skins/common/images/button_nowiki.png
3123 * skins/common/images/button_sig.png
3124 * skins/common/images/button_template.png
3125 * skins/common/images/cc-0.png
3126 * skins/common/images/cc-by-nc-sa.png
3127 * skins/common/images/cc-by-sa.png
3128 * skins/common/images/cc-by.png
3129 * skins/common/images/Checker-16x16.png
3130 * skins/common/images/closewindow.png
3131 * skins/common/images/closewindow19x19.png
3132 * skins/common/images/critical-32.png
3133 * skins/common/images/diffunderline.gif
3134 * skins/common/images/download-32.png
3135 * skins/common/images/feed-icon.png
3136 * skins/common/images/feed-icon.svg
3137 * skins/common/images/gnu-fdl.png
3138 * skins/common/images/help-question-hover.gif
3139 * skins/common/images/help-question.gif
3140 * skins/common/images/info-32.png
3141 * skins/common/images/link_icon.gif
3142 * skins/common/images/magnify-clip-rtl.png
3143 * skins/common/images/magnify-clip.png
3144 * skins/common/images/mediawiki.png
3145 * skins/common/images/nextredirectltr.png
3146 * skins/common/images/nextredirectrtl.png
3147 * skins/common/images/poweredby_mediawiki_88x31.png
3148 * skins/common/images/public-domain.png
3149 * skins/common/images/question-small.png
3150 * skins/common/images/question.svg
3151 * skins/common/images/redirectltr.png
3152 * skins/common/images/redirectrtl.png
3153 * skins/common/images/remove.png
3154 * skins/common/images/spinner.gif
3155 * skins/common/images/tick-32.png
3156 * skins/common/images/tipsy-arrow.gif
3157 * skins/common/images/tooltip_icon.png
3158 * skins/common/images/warning-32.png
3159 * skins/common/images/wiki.png
3160 * skins/common/images/Zoom_sans.gif
3161 * skins/common/images/ar/button_bold.png
3162 * skins/common/images/ar/button_headline.png
3163 * skins/common/images/ar/button_italic.png
3164 * skins/common/images/ar/button_link.png
3165 * skins/common/images/ar/button_nowiki.png
3166 * skins/common/images/be-tarask/button_bold.png
3167 * skins/common/images/be-tarask/button_italic.png
3168 * skins/common/images/be-tarask/button_link.png
3169 * skins/common/images/cyrl/button_bold.png
3170 * skins/common/images/cyrl/button_italic.png
3171 * skins/common/images/cyrl/button_link.png
3172 * skins/common/images/de/button_bold.png
3173 * skins/common/images/de/button_italic.png
3174 * skins/common/images/fa/button_bold.png
3175 * skins/common/images/fa/button_headline.png
3176 * skins/common/images/fa/button_italic.png
3177 * skins/common/images/fa/button_link.png
3178 * skins/common/images/fa/button_nowiki.png
3179 * skins/common/images/icons/fileicon-c.png
3180 * skins/common/images/icons/fileicon-cpp.png
3181 * skins/common/images/icons/fileicon-deb.png
3182 * skins/common/images/icons/fileicon-djvu.png
3183 * skins/common/images/icons/fileicon-djvu.xcf
3184 * skins/common/images/icons/fileicon-dvi.png
3185 * skins/common/images/icons/fileicon-exe.png
3186 * skins/common/images/icons/fileicon-h.png
3187 * skins/common/images/icons/fileicon-html.png
3188 * skins/common/images/icons/fileicon-iso.png
3189 * skins/common/images/icons/fileicon-java.png
3190 * skins/common/images/icons/fileicon-mid.png
3191 * skins/common/images/icons/fileicon-mov.png
3192 * skins/common/images/icons/fileicon-o.png
3193 * skins/common/images/icons/fileicon-ogg.png
3194 * skins/common/images/icons/fileicon-ogg.xcf
3195 * skins/common/images/icons/fileicon-pdf.png
3196 * skins/common/images/icons/fileicon-ps.png
3197 * skins/common/images/icons/fileicon-psd.png
3198 * skins/common/images/icons/fileicon-rm.png
3199 * skins/common/images/icons/fileicon-rpm.png
3200 * skins/common/images/icons/fileicon-svg.png
3201 * skins/common/images/icons/fileicon-tar.png
3202 * skins/common/images/icons/fileicon-tex.png
3203 * skins/common/images/icons/fileicon-ttf.png
3204 * skins/common/images/icons/fileicon-txt.png
3205 * skins/common/images/icons/fileicon.png
3206 * skins/common/images/ksh/button_S_italic.png
3207
3208 = MediaWiki 1.23 =
3209
3210 == MediaWiki 1.23.16 ==
3211 This is a security and maintenance release of the MediaWiki 1.23 branch.
3212
3213 === Changes since 1.23.15 ===
3214 * (T68404) CSS3 attr() function with url type is no longer allowed
3215 in inline styles.
3216 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
3217 * Submitting the lgtoken and lgpassword parameters in the query string to
3218 action=login is now deprecated and outputs a warning. They should be submitted
3219 in the POST body instead.
3220 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
3221 to interwiki links.
3222 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
3223 $wgAdvancedSearchHighlighting is true.
3224 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
3225 their values out of the logs.
3226 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
3227 token.
3228 * (T156184) SECURITY: Escape content model/format url parameter in message.
3229 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
3230 declaration.
3231 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
3232 syntax's link parameter.
3233 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
3234 it.
3235
3236 == MediaWiki 1.23.15 ==
3237
3238 This is a maintenance release of the MediaWiki 1.23 branch.
3239
3240 === Changes since 1.23.14 ===
3241 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
3242 made by MediaWiki via a proxy. Relying on the http_proxy environment
3243 variable is no longer supported.
3244 * (T139565) SECURITY: API: Generate head items in the context of the given title
3245 * (T137264) SECURITY: XSS in unclosed internal links
3246 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
3247 * (T133147) SECURITY: Require login to preview user CSS pages
3248 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
3249 the top file
3250 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
3251 permissions
3252 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
3253 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
3254 * Remove support for $wgWellFormedXml = false, all output is now well formed
3255
3256 == MediaWiki 1.23.13 ==
3257
3258 This is a maintenance release of the MediaWiki 1.23 branch.
3259
3260 === Changes since 1.23.12 ===
3261 * (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
3262
3263 == MediaWiki 1.23.12 ==
3264
3265 This is a security and maintenance release of the MediaWiki 1.23 branch.
3266
3267 === Changes since 1.23.11 ===
3268 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3269 that do not begin with a slash. This enabled trivial XSS attacks.
3270 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3271 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3272 error.
3273 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3274 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3275 with '@' as file uploads
3276 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3277 longer be shorter than $wgMinimalPasswordLength
3278 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3279 result in improper blocks being issued
3280 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3281 and related pages no longer use HTTP redirects and are now redirected by
3282 MediaWiki
3283
3284 == MediaWiki 1.23.11 ==
3285
3286 This is a security and maintenance release of the MediaWiki 1.23 branch.
3287
3288 === Changes since 1.23.10 ===
3289
3290 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
3291 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
3292 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
3293
3294 == MediaWiki 1.23.10 ==
3295
3296 This is a security and maintenance release of the MediaWiki 1.23 branch.
3297
3298 === Changes since 1.23.9 ===
3299
3300 * (T94116) SECURITY: Compare API watchlist token in constant time
3301 * (T97391) SECURITY: Escape error message strings in thumb.php
3302 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
3303 Special:DeletedContributions
3304 * (bug 67644) Make AutoLoaderTest handle namespaces
3305 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
3306 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
3307 policy of Wikimedia Commons.
3308
3309 == MediaWiki 1.23.9 ==
3310
3311 This is a security and maintenance release of the MediaWiki 1.23 branch.
3312
3313 === Changes since 1.23.8 ===
3314
3315 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
3316 to prevent various DoS attacks.
3317 * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
3318 likelihood of DoS.
3319 * (T88310) SECURITY: Always expand xml entities when checking SVG's.
3320 * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
3321 * (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
3322 * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
3323 prevent XSS and protect viewer's privacy.
3324 * (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
3325 update.php to fix.
3326 * (bug T70087) Fix Special:ActiveUsers page for installations using
3327 PostgreSQL.
3328
3329 == MediaWiki 1.23.8 ==
3330
3331 This is a security and maintenance release of the MediaWiki 1.23 branch.
3332
3333 === Changes since 1.23.7 ===
3334
3335 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
3336 could lead to xss. Permission to edit MediaWiki namespace is required to
3337 exploit this.
3338 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
3339 $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
3340 part of its name.
3341 * (bug T74222) The original patch for T74222 was reverted as unnecessary.
3342
3343 == MediaWiki 1.23.7 ==
3344
3345 This is a security and maintenance release of the MediaWiki 1.23 branch.
3346
3347 === Changes since 1.23.6 ===
3348
3349 * (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
3350 into API clients that used format=php to process pages that underwent flash
3351 policy mangling. This was fixed along with improving how the mangling was done
3352 for format=json, and allowing sites to disable the mangling using
3353 $wgMangleFlashPolicy.
3354 * (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
3355 the content model for a page could allow an unprivileged attacker to edit
3356 another user's common.js under certain circumstances. The user right
3357 "editcontentmodel" was added, and is needed to change a revision's content
3358 model.
3359 * (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
3360 HTML, it is not safe to preview wikitext coming from an untrusted source such
3361 as a cross-site request. Thus add an edit token to the form, and when raw HTML
3362 is allowed, ensure the token is provided before showing the preview. This
3363 check is not performed on wikis that both allow raw HTML and anonymous
3364 editing, since there are easier ways to exploit that scenario.
3365 * (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
3366 DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
3367 public RFC about the desired functionality. This issue was reported by user
3368 Bawolff.
3369 * (bug 71621) Make allowing site-wide styles on restricted special pages a
3370 config option.
3371 * (bug 42723) Added updated version history from 1.19.2 to 1.22.13
3372 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
3373 might be a flash policy directive configurable.
3374
3375 == MediaWiki 1.23.6 ==
3376
3377 This is a maintenance release of the MediaWiki 1.23 branch.
3378
3379 === Changes since 1.23.5 ===
3380 * (Bug 72274) Job queue not running (HTTP 411) due to missing
3381 Content-Length: header
3382 * (Bug 67440) Allow classes to be registered properly from installer
3383
3384 == MediaWiki 1.23.5 ==
3385
3386 This is a security release of the MediaWiki 1.23 branch.
3387
3388 === Changes since 1.23.4 ===
3389 * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
3390 allowance.
3391
3392 == MediaWiki 1.23.4 ==
3393
3394 This is a security and maintenance release of the MediaWiki 1.23 branch.
3395
3396 === Changes since 1.23.3 ===
3397
3398 * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
3399 elements; normalize style elements and attributes before filtering; add
3400 checks for attributes that contain css; add unit tests for html5sec and
3401 reported bugs.
3402 * (bug 65998) Make MySQLi work with non-standard socket.
3403 * (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
3404 settings.
3405
3406 == MediaWiki 1.23.3 ==
3407
3408 This is a maintenance release of the MediaWiki 1.23 branch.
3409
3410 === Changes since 1.23.2 ===
3411
3412 * (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
3413 * (bug 64970) Fix support for blobs on DatabaseOracle::update.
3414 * (bug 66574) Display MediaWiki:Loginprompt on the login page.
3415 * (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
3416 * (bug 60629) Handle invalid language code gracefully in
3417 Language::fetchLanguageNames.
3418 * (bug 62017) Restore the number of rows shown on Special:Watchlist.
3419 * Check for boolean false result from database query in SqlBagOStuff.
3420
3421 == MediaWiki 1.23.2 ==
3422
3423 This is a security and maintenance release of the MediaWiki 1.23 branch.
3424
3425 === Changes since 1.23.1 ===
3426
3427 * (bug 68187) SECURITY: Prepend jsonp callback with comment.
3428 * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
3429 for loading a new page in Javascript,instead of relying on the URL in the link
3430 that has been clicked.
3431 * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
3432 ParserOutput.
3433 * (bug 68313) Preferences: Turn stubthreshold back into a combo box.
3434 * (bug 65214) Fix initSiteStats.php maintenance script.
3435 * (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
3436
3437 == MediaWiki 1.23.1 ==
3438
3439 This is a security and maintenance release of the MediaWiki 1.23 branch.
3440
3441 === Changes since 1.23.0 ===
3442
3443 * (bug 65839) SECURITY: Prevent external resources in SVG files.
3444 * (bug 67025) Special:Watchlist: Don't try to render empty row.
3445 * (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
3446 * (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
3447 * (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
3448 like only extracting the tail of the file partially or not at all.
3449 * (bug 66182) Removed -x flag on some php files.
3450
3451 == MediaWiki 1.23.0 ==
3452
3453 === Configuration changes in 1.23 ===
3454 * (bug 13250) Restored method for clearing a watchlist in web UI
3455 so that users with large watchlists don't have to perform
3456 contortions to clear them.
3457 * When $wgJobRunRate is higher than zero, jobs are now executed via an
3458 asynchronous HTTP request to a MediaWiki entry point. This may require
3459 increasing the number of server worker threads. $wgRunJobsAsync has been
3460 added to disable this feature if needed, falling back to executing the job
3461 on the same process but making the execution synchronously.
3462 * $wgDebugLogGroups values may be set to an associative array with a
3463 'destination' key specifying the log destination. The array may also contain
3464 a 'sample' key with a positive integer value N indicating that the log group
3465 should be sampled by dispatching one in every N messages on average. The
3466 sampling is random.
3467 * In addition to the current exception log format, MediaWiki now serializes
3468 exception metadata to JSON and logs it to the 'exception-json' log group.
3469 This makes MediaWiki easier to integrate with log aggregation and analysis
3470 tools.
3471 * $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
3472 Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
3473 addresses that should be trusted to provide X-Forwarded-For headers.
3474 * Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add
3475 pages I create and files I upload to my watchlist", "Add pages and files I
3476 edit to my watchlist", "Email me when a page or file on my watchlist is
3477 changed") are now enabled by default. In addition new user accounts' personal
3478 and talk pages are now watched by them by default.
3479 * $wgLBFactoryConf: Class names have had underscores removed. The configuration
3480 should be updated if LBFactory_Simple or LBFactory_Multi is configured.
3481 * $wgPasswordSenderName has been removed and is no longer functional. To set a
3482 custom mailer name, the system message 'emailsender' should be modified
3483 (default: "{{SITENAME}}").
3484 * (bug 63269) Email notifications were not correctly handling the
3485 [[MediaWiki:Helppage]] message being set to a full URL (the default).
3486 If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
3487 you'll need to edit it locally to include the URL via the new variable
3488 $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
3489 you don't have to do anything.
3490 * $wgDBAhandler was removed as the only class using it was also removed
3491 * The 'max threads' setting was removed from $wgDBservers.
3492 * Support for AdminSettings.php has been completely removed. All configuration
3493 belongs in LocalSettings.php.
3494 * $wgSkipSkin, which has been replaceable by $wgSkipSkins since 2005 (r9249), is
3495 now formally deprecated.
3496 * Removed deprecated $wgDisabledActions as it is hardly used anywhere.
3497 * $wgRateLimitLog has been deprecated and replaced by
3498 $wgDebugLogGroup['ratelimit'].
3499 * $wgLocalInterwikis is an array containing multiple local interwiki prefixes
3500 (interwiki prefixes that point back to the current wiki). This effectively
3501 allows more than one value of $wgLocalInterwiki to be specified and
3502 understood by the parser. The value of $wgLocalInterwiki is automatically
3503 prepended to the start of this array.
3504 * $wgQueryPages has been removed. Query Pages should be added to by using the
3505 wgQueryPages hook.
3506 * $wgHttpOnlyBlacklist has been removed.
3507 * $wgLicenseTerms has been removed as it was unused.
3508 * $wgProfileOnly is now deprecated; set the log file in
3509 $wgDebugLogGroups['profileoutput'] to replace it.
3510 * $wgMaxBacklinksInvalidate was removed; use $wgJobBackoffThrottling instead
3511 * Deprecated ResourceLoaderGetStartupModules hook.
3512
3513 === New features in 1.23 ===
3514 * ResourceLoader can utilize the Web Storage API to cache modules client-side.
3515 Compared to the browser cache, caching in Web Storage allows ResourceLoader
3516 to be more granular about evicting stale modules from the cache while
3517 retaining the ability to retrieve multiple modules in a single HTTP request.
3518 This capability can be enabled by setting $wgResourceLoaderStorageEnabled to
3519 true. This feature is currently considered experimental and should only be
3520 enabled with care.
3521 * (bug 6092) Add expensive parser functions {{REVISIONID:}}, {{REVISIONUSER:}}
3522 and {{REVISIONTIMESTAMP:}} (with friends).
3523 * Add "wgRelevantUserName" to mw.config containing the current
3524 Skin::getRelevantUser value.
3525 * (bug 56033) Add content model to the page information.
3526 * Added Article::MissingArticleConditions hook to give extensions a chance to
3527 hide their (unrelated) log entries.
3528 * Added LonelyPagesQuery hook to let extensions modify the query used to
3529 generate Special:LonelyPages.
3530 * Added $wgOpenSearchDefaultLimit defining the default number of entries to show
3531 on action=opensearch API call.
3532 * For namespaces with $wgNamespaceProtection (including the MediaWiki
3533 namespace), the "protect" tab will be shown only if there are restriction
3534 levels available that would restrict editing beyond what
3535 $wgNamespaceProtection already applies. The protection form will offer only
3536 those protection levels.
3537 * Added $wgAPIFormatModules, allowing extensions to add additional output
3538 formatting modules for the API.
3539 * (bug 47812) The MediaWiki:Group-user.{css,js} pages can now be used to add
3540 custom CSS or JavaScript enabled only for registered users.
3541 * (bug 52005) Special pages RecentChanges, RecentChangesLinked and Watchlist
3542 now include a legend describing the symbols used in lists of changes.
3543 * Improved the accessibility of the tabs in Special:Preferences.
3544 * Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook:
3545 it's called after everything is set up but before any major processing
3546 happens.
3547 * The jquery.client module now performs a component-wise version comparison in
3548 its #test method when strings are used in the browser map: version '1.10' is
3549 now correctly considered larger than '1.2'. Using numbers in the version map
3550 is not affected.
3551 * All API modules now support an assert parameter, which can either be
3552 'user' or 'bot'. The API will throw an error if the user is not logged
3553 in (user) or does not have the 'bot' userright (bot). Based off of the
3554 AssertEdit extension by Steve Sanbeg.
3555 * [[Special:Diff]] was added, allowing users to create internal links to
3556 revision comparison pages using syntax such as [[Special:Diff/12345]],
3557 [[Special:Diff/12345/prev]] or [[Special:Diff/12345/98765]].
3558 * New user accounts' personal and talk pages are now watched by them by default.
3559 * Added SkinTemplateGetLanguageLink hook to allow changing the html of language
3560 links.
3561 * Added MessageCache::get hook as a new way to customize messages across
3562 multiple sites.
3563 * Added jquery.throttle-debounce ResourceLoader module to limit the number of
3564 callbacks for frequently occurring events.
3565 * Special:ProtectedPages shows now a table. The timestamp, the reason and
3566 the protecting user are also shown.
3567 * Added experimental support for using Microsoft SQL Server as the database
3568 backend.
3569 ** Added new Microsoft SQL Server-specific configuration variable
3570 $wgDBWindowsAuthentication, which makes the web server authenticate against
3571 the database server using Integrated Windows Authentication instead of
3572 $wgDBuser/$wgDBpassword.
3573 * HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and
3574 'radio' fields can now use message keys as labels via the 'options-messages'
3575 parameter, which overrides the 'options' parameter.
3576 * Admins can expire users passwords manually, or on a schedule using the
3577 $wgPasswordExpirationDays configuration setting.
3578 * Add new hook SendWatchlistEmailNotification, this will be used to determine
3579 whether to send a watchlist email notification.
3580 * (bug 42026) Special:Contributions now includes an option to filter page
3581 creations, similar to the topOnly option.
3582 * Add mediawiki.ui.button styling to all pages so wiki content can use styled
3583 buttons.
3584 * Special:UserLogin/signup now does AJAX checks for invalid and taken usernames,
3585 displaying the error live.
3586 * Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
3587 * Support has been added for a JSON based localisation file format. The
3588 installer has been updated to use it.
3589 * Changes to content typography (colors, line-height etc.). See
3590 https://www.mediawiki.org/wiki/Typography_refresh for further information.
3591 * The Vector skin's visual treatment of external links has been simplified to a
3592 single icon (from nine). This should not affect local rules unless they were
3593 re-using these icons, which have now been deleted.
3594 * ResourceLoader: mw.loader.using() now implements a Promise interface.
3595 * Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows.
3596 If called by the ChangesList consumer this gives extensions a chance to batch
3597 process the result set prior to rendering.
3598 * A PoolCounterRedis class was added which can be make use of in $wgPoolCounterConf.
3599 This requires at least one Redis 2.6+ server.
3600 * $wgProfileToDatabase was removed. Set $wgProfiler to ProfilerSimpleDB
3601 in StartProfiler.php instead of using this.
3602 * (bug 63444) Made it possible to change the indent string (default: 4 spaces)
3603 used by FormatJson::encode().
3604
3605 === Bug fixes in 1.23 ===
3606 * (bug 41759) The "updated since last visit" markers (on history pages, recent
3607 changes and watchlist) and the talk page message indicator are now correctly
3608 updated when the user is viewing old revisions of pages, instead of always
3609 acting as if the latest revision was being viewed.
3610 * (bug 56443) Special:ConfirmEmail no longer shows a "Mail a confirmation code"
3611 when the email address is already confirmed. Also, consistently use
3612 "confirmed", rather than "authenticated", when messaging whether or not the
3613 user has confirmed an email address.
3614 * (bug 19415) action=render no longer shows section edit links. This affects
3615 behavior of several other features where (bogus) section edit links will
3616 disappear, such as file description pages loaded via $wgUseInstantCommons or
3617 pages transcluded cross-wiki via $wgEnableScaryTranscluding.
3618 * (bug 56912) Show correct link color on cached result of Special:DeadendPages.
3619 * Classes TitleListDependency and TitleDependency have been removed, as they
3620 have been found unused in core and extensions for a long time.
3621 * (bug 57098) SpecialPasswordReset now obeys returnto parameter
3622 * (bug 37812) ResourceLoader will notice when a module's definition changes and
3623 recompile it accordingly.
3624 * (bug 57201) SpecialRecentChangesFilters hook is now executed for feeds.
3625 * (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
3626 to appear blank or with missing text.
3627 * (bug 56931) Updated the plural rules to CLDR 24. They are in new format
3628 which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as
3629 the JavaScript evaluator were updated to support the new format. Plural rules
3630 for some languages have changed, most notably Russian. Affected software
3631 messages have been updated and marked for review at translatewiki.net.
3632 * (bug 23542) imagelinks now stores both the redirect and target (as
3633 templatelinks does).
3634 * (bug 58167) The web installer no longer throws an exception when PHP is
3635 compiled without support for MySQL yet with support for another DBMS.
3636 * (bug 56199) Raw option of parser functions must now match complete word,
3637 to take effect.
3638 * (bug 60543) Special:PrefixIndex forgot stripprefix=1 for "Next page" link
3639 * (bug 29762) Undoing an already-undone edit will now display an appropriate
3640 message instead of leading the user to make a null edit.
3641 * (bug 52659) mediawiki.notification: Notification area remained visible when
3642 empty and thus was stealing pointer events from links on the page.
3643 * (bug 26811) When a DBUnexpectedError occurs, DB server hostnames are now
3644 hidden unless $wgShowExceptionDetails is true, and $wgShowDBErrorBacktrace
3645 no longer applies in such cases.
3646 * (bug 60960) Avoid doing file_exist() checks on data: URIs, as they cause
3647 warnings to be printed on Windows due to large path length.
3648 * (bug 48084) Fixed a bug in the installer that could cause $wgLogo to hold
3649 the wrong path to the placeholder logo (skins/common/images/wiki.png).
3650 * (bug 64289) jquery.textSelection: Don't throw errors on empty collections.
3651
3652 === Web API changes in 1.23 ===
3653 * (bug 54884) action=parse&prop=categories now indicates hidden and missing
3654 categories.
3655 * action=query&meta=filerepoinfo now returns additional information for each
3656 repo.
3657 * action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in
3658 MediaWiki 1.24.
3659 * action=parse now has disabletoc flag to disable table of contents in output.
3660 * (bug 25702) list=allcategories, list=allimages, list=alllinks, list=allpages,
3661 list=deletedrevs and list=filearchive did not handle case-sensitivity
3662 properly for all parameters.
3663 * ApiQueryBase::titlePartToKey allows an extra parameter that indicates the
3664 namespace in order to properly capitalize the title part.
3665 * (bug 57874) action=feedcontributions no longer has one item more than limit.
3666 * All API modules now support an assert parameter. See the new features section
3667 for more details.
3668 * Added prop=contributors to fetch the list of contributors to the page.
3669 * The following API modules will now return entries where fields have been
3670 revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges,
3671 list=watchlist. "hidden" indicators will be included, in the same style as is
3672 already done for prop=revisions.
3673 * The following API modules will now return the content of revision-deleted
3674 fields, in addition to the "hidden" indicators, if the querying user has the
3675 necessary rights: list=logevents, list=usercontribs, prop=imageinfo,
3676 prop=revisions.
3677 * The above modules, where applicable, will now return entries filtered by
3678 revision-deleted fields if the querying user has the necessary rights. For
3679 example, prop=revisions with rvuser or rvexcludeuser will no longer skip
3680 revisions where the user was revision-deleted if the current user has the
3681 deletedhistory right.
3682 * The 'hideuser' right, used when blocking, is no longer necessary or
3683 sufficient for seeing contributions with revision-deleted in
3684 list=usercontribs.
3685 * list=watchlist now uses the querying user's rights rather than the wlowner's
3686 rights when checking whether wlprop=patrol is allowed.
3687 * (bug 32151) ApiWatch now has pageset capabilities (titles/pageids/generators).
3688 Title parameter is now deprecated.
3689 * (bug 23005) Added action=revisiondelete.
3690 * Added siprop=restrictions to API action=query&meta=siteinfo for querying
3691 possible page restriction (protection) levels and types.
3692 * Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
3693 * (bug 58627) Provide language names on action=parse&prop=langlinks.
3694 * Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
3695 * Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
3696 * prop=redirects is added, to return redirects to the pages in the query.
3697 * list=allredirects is added, to list all redirects pointing to a namespace.
3698 * (bug 42026) Added ucshow={new,!new,top,!top} to list=usercontribs.
3699 Also added newonly to action=feedcontributions.
3700 * (bug 42026) Deprecated uctoponly in favor of ucshow=top.
3701 * list=search no longer has a "srredirects" parameter. Redirects are now
3702 included in all searches.
3703 * Added list=prefixsearch that works like action=opensearch but can be used as
3704 a generator.
3705 * (bug 24782) Various modules will now use unique continuation parameters.
3706 * (bug 63249) Cache RecentChanges Atom feed in varnish for 15 seconds.
3707
3708 === Languages updated in 1.23 ===
3709
3710 MediaWiki supports over 350 languages. Many localisations are updated
3711 regularly. Below only new and removed languages are listed, as well as
3712 changes to languages because of Bugzilla reports.
3713
3714 * Support was added for Algerian Spoken Arabic (arq).
3715 * Support was added for Riograndenser Hunsrückisch (hrx).
3716 * Support was added for Northern Luri (lrc).
3717
3718 === Other changes in 1.23 ===
3719 * The rc_type field in the recentchanges table has been superseded by a new
3720 rc_source field. The rc_source field is a string representation of the
3721 change type where rc_type was a numeric constant. This field is not yet
3722 queried but will be in a future release.
3723 ** Utilize update.php to create and populate this new field. On larger wikis
3724 which do not wish to update recentchanges table in one large update please
3725 review the SQL and comments in maintenance/archives/patch-rc_source.sql.
3726 ** The rc_type field of recentchanges will be deprecated in a future release.
3727 * The global variable $wgArticle has been removed after a lengthy deprecation.
3728 * The global functions addButton and insertTags (for mw.toolbar.addButton and
3729 mw.toolbar.insertTags) now emits mw.log.warn when accessed.
3730 * The ExpandTemplates extension has been moved into MediaWiki core.
3731 * (bug 52812) Removed "Disable search suggestions" from Preference.
3732 * (bug 52809) Removed "Disable browser page caching" from Preference.
3733 * Three new modules intended for use by custom skins were added:
3734 'mediawiki.skinning.elements', 'mediawiki.skinning.content', and
3735 'mediawiki.skinning.interface', representing three levels of standard
3736 MediaWiki styling. Previously skin creators wishing to use them had to refer
3737 to the file names of appropriate files directly, which is now discouraged.
3738 * The modules 'skins.vector' and 'skins.monobook' have been renamed to
3739 'skins.vector.styles' and 'skins.monobook.styles', respectively,
3740 and their definition was changed not to include the common*.css files;
3741 the two skins now load the 'mediawiki.skinning.interface' module instead.
3742 * A page_links_updated field has been added to the page table.
3743 * SpecialPage::getTitle has been deprecated in favor of
3744 SpecialPage::getPageTitle.
3745 * BREAKING CHANGE: Two potentially backwards-incompatible changes have been made
3746 to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make
3747 the hook more consistent with the 'SpecialRecentChangesQuery' one:
3748 ** Several array keys have been renamed: hideMinor → hideminor,
3749 hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu,
3750 hidePatrolled → hidepatrolled, hideOwn → hidemyself.
3751 ** The parameter value is now a FormOptions object, not a plain array (array
3752 access operators should continue to work, as it implements the ArrayAccess
3753 interface).
3754 * Option to mark hooks as deprecated has been added.
3755 * (bug 52811) Preference "Enable section editing via [edit] links" was removed.
3756 * (bug 52813) Preference "Show table of contents (for pages with more than
3757 3 headings)" was removed.
3758 * (bug 52810) Preference "Justify paragraphs" was removed.
3759 * OutputPage::showErrorPage raises a notice if arguments are incoherent.
3760 * Thumbnails that keep failing to render in thumb.php will be rate-limited
3761 against further render attempts for 1 hour. $wgAttemptFailureEpoch can be
3762 altered to reset all rate-limited thumbnails at once.
3763 * (bug 56572) Builds of the OOjs and OOjs UI libraries are now available.
3764 * mw.loader.go and mw.loader.version have been removed.
3765 * (bug 52815) Preference "Enable simplified search bar (Vector skin only)"
3766 was removed.
3767 * A user_password_expires column has been added to the user table. The User
3768 object expects this column to exist. Use update.php to create this new field.
3769 * The jquery.delayedBind ResourceLoader module was deprecated in favor of the
3770 jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
3771 * mw.user.bucket has been deprecated.
3772 * On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to
3773 table.mw-prefixindex-list-table to avoid duplicate ids when the special page
3774 is transcluded.
3775 * (bug 62198) window.$j has been deprecated.
3776 * Preference "Disable link title conversion" was removed.
3777 * SpecialRecentChanges no longer includes any functionality for generating feeds
3778 - it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new
3779 ones.
3780 * RecentChange::mExtra['lang'] is no longer set and should no longer be used.
3781 Extensions should read from other configuration variables, including
3782 $wgLocalInterwikis, to identify the current wiki.
3783 * Sections in the parser test framework have been renamed and the old
3784 section names are deprecated. Please use "!!wikitext" and "!!html"
3785 (or "!!html/php") instead of "!!input" and "!!result". This allows
3786 us to extend parser tests to accommodate additional input/output
3787 pairs, such as "!!html/parsoid" (for the output of the Parsoid
3788 parser, where it differs from the PHP parser).
3789 * Special:Search no longer has an "include redirects" option on the advanced
3790 tab. Redirects are now included in all searches.
3791 * mediawiki.api.category's getCategories() 'async' parameter was deprecated.
3792 * The locations of resources have been split between upstream libraries, now in
3793 resources/lib/, local libaries in resources/src/, and local forks of upstream
3794 libraries, also in resources/src/.
3795 * BREAKING CHANGE: The automatically-generated function closure with which
3796 ResourceLoader wraps all modules' JavaScript code now binds the identifier
3797 names 'jQuery' and '$' to the jQuery object of the version of jQuery that is
3798 bundled with MediaWiki. If you bind these names to other objects in global
3799 scope (like Zepto.js or document.querySelectorAll, for example) you will need
3800 to use different names to or re-bind them at the top of each
3801 ResourceLoader-loaded module.
3802 * (bug 52342) Preference "Remember my login" was removed.
3803 * The skin autodiscovery mechanism has been deprecated and will be removed in
3804 MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
3805 for migration guide for creators and users of custom skins that relied on it.
3806
3807 ==== Removed classes ====
3808 * FakeMemCachedClient (deprecated in 1.18)
3809 * RdfMetaData (unused)
3810 * TitleDependency (unused)
3811 * TitleListDependency (unused)
3812 * WikiError (deprecated in 1.17)
3813 * WikiXmlError (deprecated in 1.17)
3814 * WikiErrorMsg (deprecated in 1.17)
3815
3816 ==== Renamed classes ====
3817 * CdbReader_DBA to CdbReaderDBA
3818 * CdbReader_PHP to CdbReaderPHP
3819 * CdbWriter_DBA to CdbWriterDBA
3820 * CdbWriter_PHP to CdbWriterPHP
3821 * DiffOp_Add to DiffOpAdd
3822 * DiffOp_Change to DiffOpChange
3823 * DiffOp_Copy to DiffOpCopy
3824 * DiffOp_Delete to DiffOpDelete
3825 * HWLDF_WordAccumulator to HWLDFWordAccumulator
3826 * LBFactory_Fake to LBFactoryFake
3827 * LBFactory_Multi to LBFactoryMulti
3828 * LBFactory_Simple to LBFactorySimple
3829 * LBFactory_Single to LBFactorySingle
3830 * LCStore_Accel to LCStoreAccel
3831 * LCStore_CDB to LCStoreCDB
3832 * LCStore_DB to LCStoreDB
3833 * LCStore_Null to LCStoreNull
3834 * LoadBalancer_Single to LoadBalancerSingle
3835 * LoadMonitor_MySQL to LoadMonitorMySQL
3836 * LoadMonitor_Null to LoadMonitorNull
3837 * LocalisationCache_BulkLoad to LocalisationCacheBulkLoad
3838 * csvStatsOutput to CsvStatsOutput
3839 * extensionLanguages to ExtensionLanguages
3840 * languages to Languages
3841 * statsOutput to StatsOutput
3842 * textStatsOutput to TextStatsOutput
3843 * wikiStatsOutput to WikiStatsOutput
3844
3845 ==== Removed methods ====
3846 * ApiBase::getValidNamespaces() (deprecated in 1.17)
3847 * ApiMain::setCachePrivate() (deprecated in 1.17)
3848 * ApiMain::setVaryCookie (deprecated in 1.17)
3849 * Article::doRedirect() (deprecated in 1.18)
3850 * Article::doUnwatch() (deprecated in 1.18)
3851 * Article::doWatch() (deprecated in 1.18)
3852 * Article::forUpdate() (deprecated in 1.18)
3853 * Article::markpatrolled() (deprecated in 1.18)
3854 * Article::unwatch() (deprecated in 1.18)
3855 * Article::watch() (deprecated in 1.18)
3856 * Block::clear() (deprecated in 1.18)
3857 * Block::decodeExpiry() (deprecated in 1.18)
3858 * Block::encodeExpiry() (deprecated in 1.18)
3859 * Block::forUpdate() (deprecated in 1.18)
3860 * Block::infinity() (deprecated in 1.18)
3861 * Block::load() (deprecated in 1.18)
3862 * Block::newFromDB() (deprecated in 1.18)
3863 * Block::normaliseRange() (deprecated in 1.18)
3864 * Block::parseExpiryInput() (deprecated in 1.18)
3865 * CategoryViewer::addSubcategory() (deprecated in 1.17)
3866 * EditPage::spamPage() (deprecated since 1.17)
3867 * Exif::getFormattedData() (deprecated in 1.18)
3868 * Exif::makeFormattedData() (deprecated in 1.18)
3869 * in_string (deprecated in 1.21)
3870 * Language::convertLinkToAllVariants() (deprecated in 1.17)
3871 * LanguageConverter::convertLinkToAllVariants() (deprecated in 1.17)
3872 * Linker::makeBrokenLink() (deprecated in 1.16)
3873 * Linker::makeBrokenLinkObj() (deprecated in 1.16)
3874 * Linker::makeColouredLinkObj() (deprecated in 1.16)
3875 * Linker::makeSizeLinkObj() (deprecated in 1.17)
3876 * MediaWiki::articleFromTitle() (deprecated in 1.18)
3877 * ParserOptions::getkin() (deprecated 1.18)
3878 * ProfilerSimple::getCpuTime (deprecated in 1.20)
3879 * Revision::revText() (deprecated in 1.17)
3880 * SkinTemplate::jstext() (deprecated in 1.21)
3881 * SpecialPage::__call() (deprecated in 1.17)
3882 * SpecialPage::executePath() (deprecated in 1.18)
3883 * SpecialPage::exists() (deprecated in 1.18)
3884 * SpecialPage::file() (deprecated in 1.18)
3885 * SpecialPage::func() (deprecated in 1.18)
3886 * SpecialPage::getGroup() (deprecated in 1.18)
3887 * SpecialPage::getPage() (deprecated in 1.18)
3888 * SpecialPage::getPageByAlias() (deprecated in 1.18)
3889 * SpecialPage::getLocalNameFor() (deprecated in 1.18)
3890 * SpecialPage::getRegularPages() (deprecated in 1.18)
3891 * SpecialPage::getRestrictedPages() (deprecated in 1.18)
3892 * SpecialPage::getTitleForAlias() (deprecated in 1.18)
3893 * SpecialPage::getUsablePages() (deprecated in 1.18)
3894 * SpecialPage::includable() (deprecated in 1.18)
3895 * SpecialPage::init()
3896 * SpecialPage::initAliasList() (deprecated in 1.18)
3897 * SpecialPage::initList() (deprecated in 1.18)
3898 * SpecialPage::name() (deprecated in 1.18)
3899 * SpecialPage::removePage() (deprecated in 1.18)
3900 * SpecialPage::resolveAlias() (deprecated in 1.18)
3901 * SpecialPage::resolveAliasWithSubpage() (deprecated in 1.18)
3902 * SpecialPage::restriction() (deprecated in 1.18)
3903 * SpecialPage::setGroup() (deprecated in 1.18)
3904 * SpecialRecentChanges::feedSetup()
3905 * SpecialRevisionDelete::extractBitField() (deprecated in 1.22)
3906 * User::getPageRenderingHash() (deprecated in 1.17)
3907 * WebRequest::getFileSize() (deprecated in 1.17)
3908 * WebRequest::isPathInfoBad() (deprecated in 1.17)
3909 * wfGenerateToken (deprecated in 1.20)
3910 * wfStreamFile (deprecated in 1.19)
3911 * wfUILang (deprecated in 1.18)
3912 * WikiPage::createUpdates() (deprecated in 1.18)
3913 * WikiPage::quickEdit() (deprecated in 1.18)
3914 * WikiPage::useParserCache() (deprecated in 1.18)
3915 * WikiPage::viewUpdates() (deprecated in 1.18)
3916
3917 ==== Removed globals ====
3918 * $wgBetterDirectionality (deprecated in 1.18)
3919
3920 = MediaWiki 1.22 =
3921
3922 == MediaWiki 1.22.15 ==
3923
3924 This is a security and maintenance release of the MediaWiki 1.22 branch.
3925
3926 === Changes since 1.22.14 ===
3927
3928 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
3929 could lead to xss. Permission to edit MediaWiki namespace is required to
3930 exploit this.
3931 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
3932 $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
3933 part of its name.
3934 * (bug T74222) The original patch for T74222 was reverted as unnecessary.
3935
3936 == MediaWiki 1.22.14 ==
3937
3938 This is a security and maintenance release of the MediaWiki 1.22 branch.
3939
3940 === Changes since 1.22.13 ===
3941
3942 * (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
3943 into API clients that used format=php to process pages that underwent flash
3944 policy mangling. This was fixed along with improving how the mangling was done
3945 for format=json, and allowing sites to disable the mangling using
3946 $wgMangleFlashPolicy.
3947 * (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
3948 the content model for a page could allow an unprivileged attacker to edit
3949 another user's common.js under certain circumstances. The user right
3950 "editcontentmodel" was added, and is needed to change a revision's content
3951 model.
3952 * (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
3953 DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
3954 public RFC about the desired functionality. This issue was reported by user
3955 Bawolff.
3956 * (bug 71621) Make allowing site-wide styles on restricted special pages a
3957 config option.
3958 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
3959 might be a flash policy directive configurable.
3960
3961 == MediaWiki 1.22.13 ==
3962 This is a maintenance release of the MediaWiki 1.22 branch.
3963
3964 === Changes since 1.22.12 ===
3965 * (bug 67440) Allow classes to be registered properly from installer
3966
3967 == MediaWiki 1.22.12 ==
3968 This is a security release of the MediaWiki 1.22 branch.
3969
3970 === Changes since 1.22.11 ===
3971 * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
3972
3973 == MediaWiki 1.22.11 ==
3974 This is a security release of the MediaWiki 1.22 branch.
3975
3976 === Changes since 1.22.10 ===
3977 * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
3978
3979 == MediaWiki 1.22.10 ==
3980 This is a maintenance release of the MediaWiki 1.22 branch.
3981
3982 === Changes since 1.22.9 ===
3983 * (bug 64970) Fix support for blobs on DatabaseOracle::update
3984 * (bug 60719) In MediaWiki 1.22, the job queue execution on each page request was changed (Gerrit change 59797) so, instead of executing the job inside the same PHP process that's rendering the page, a new PHP cli command is spawned to execute runJobs.php in the background. It will only work if $wgPhpCli is set to an actual path or safe mode is off, otherwise, the old method will be used. https://www.mediawiki.org/wiki/Manual:Job_queue#Changes_introduced_in_MediaWiki_1.22 for more infomation. This change was in earlier releases of 1.22 but was not noted here until now.
3985
3986 == MediaWiki 1.22.9 ==
3987 This is a security and maintenance release of the MediaWiki 1.22 branch.
3988
3989 === Changes since 1.22.8 ===
3990 * (bug 68187) SECURITY: Prepend jsonp callback with comment.
3991 * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in Javascript,instead of relying on the URL in the link that has been clicked.
3992 * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
3993 * (bug 59147) The img_metadata field was not being decoded from bytea into text.
3994
3995 == MediaWiki 1.22.8 ==
3996 This is a security and maintenance release of the MediaWiki 1.22 branch.
3997
3998 === Changes since 1.22.7 ===
3999 * (bug 65839) SECURITY: Prevent external resources in SVG files.
4000 * (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
4001
4002 == MediaWiki 1.22.7 ==
4003 This is a security and maintenance release of the MediaWiki 1.22 branch.
4004
4005 === Changes since 1.22.6 ===
4006 * (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
4007 * (bug 36356) Add space between two feed links.
4008 * (bug 63269) Email notifications were not correctly handling the MediaWiki:Helppage message being set to a full URL. This is a regression from the 1.22.5 point release, which made the default value for it a URL. If you customized MediaWiki:Enotif body (the text of email notifications), you'll need to edit it locally to include the URL via the new variable $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise you don't have to do anything.
4009 Add missing uploadstash.us_props for PostgreSQL.
4010 * (bug 56047) Fixed stream wrapper in PhpHttpRequest.
4011
4012 == MediaWiki 1.22.6 ==
4013 This is a security release of the MediaWiki 1.22 branch.
4014
4015 === Changes since 1.22.5 ===
4016 * (bug 63251) SECURITY: Escape sortKey in pageInfo.
4017
4018 == MediaWiki 1.22.5 ==
4019 This is a security and maintenance release of the MediaWiki 1.22 branch.
4020
4021 === Changes since 1.22.4 ===
4022 * (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
4023 * (bug 62467) Set a title for the context during import on the cli.
4024 * Fix custom local MediaWiki:Helppage values.
4025 * mediawiki.js: Fix documentation breakage.
4026 * (bug 58153) Make MySQLi work with non standard port.
4027 * (bug 53887) Reintroduced a link to help pages in the default sidebar, that any sysop can customize by editing MediaWiki:Sidebar locally. The link now points to a mediawiki.org page which is guaranteed to exist. Nothing needs to be done on your end, but remember to adjust MediaWiki:Sidebar for the needs of your wikis. Everyone can help with the shared documentation by translating: https://www.mediawiki.org/wiki/Special:Translate/agg-Help_pages .
4028 * (bug 53888) Corrected a regression in 1.22 which introduced red links on the login page. If you previously installed 1.22.x and have created a local page to make the red link blue, write its title as in MediaWiki:helplogin-url if you didn't already. Otherwise, you don't need to do anything, but you can translate the help page at https://www.mediawiki.org/wiki/Help:Logging_in .
4029
4030 == MediaWiki 1.22.4 ==
4031 This is a maintenance release of the MediaWiki 1.22 branch.
4032
4033 === Changes since 1.22.3 ===
4034 * Use the correct branch of the extensions' git repositories.
4035
4036 == MediaWiki 1.22.3 ==
4037 This is a security and bugfix release of the MediaWiki 1.22 branch.
4038
4039 === Changes since 1.22.2 ===
4040 * (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. * User will get an error including the namespace name if they use a non- whitelisted namespace.
4041 * (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
4042 * (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
4043 * (bug 53710) Add sequence support for upsert in DatabaseOracle in the same way as in selectInsert
4044 * (bug 60231, bug 58719) Various fixes to job running code in Wiki.php: Make it async on Windows. Fixed possible "invalid filename" errors on Windows. Redirect output to dev/null to avoid hanging PHP.
4045 * (bug 60083) Correct sequence name for fresh Postgres installation. Spotted by gebhkla
4046 * (bug 60531) Avoid variable naming conflicts in DatabasePostgres::selectSQLText. Spotted by gebhkla
4047 * (bug 60094) Fix rebuildall.php fatal error with PostgreSQL.
4048 * (bug 43817) Add error handling if descriptionmsg isn't defined for extension.
4049 * (bug 60543) Special:PrefixIndex omits stripprefix=1 for "Next page" link.
4050
4051 == MediaWiki 1.22.2 ==
4052 This is a security and bugfix release of the MediaWiki 1.22 branch.
4053
4054 === Changes since 1.22.1 ===
4055 * (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats
4056 * (bug 58253) Check for very old PCRE versions in installer and updater
4057 * (bug 60054) Make WikiPage::$mPreparedEdit public
4058
4059 == MediaWiki 1.22.1 ==
4060 This is a security and maintenance release of the MediaWiki 1.22 branch.
4061
4062 === Changes since 1.22.0 ===
4063 * (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
4064 * (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
4065 * (bug 58472) SECURITY: Disallow -o-link in styles
4066 * (bug 58553) SECURITY: Return error on invalid XML for SVG Uploads
4067 * (bug 58699) SECURITY: Fix RevDel log entry information leaks
4068 * (bug 58178) Restore compatibility with curl < 7.16.2.
4069 * (bug 56931) Updated the plural rules to CLDR 24. They are in new format which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the JavaScript evaluator were updated to support the new format. Plural rules for some languages have changed, most notably Russian. Affected software messages have been updated and marked for review at translatewiki.net. This change is backported from the development branch of MediaWiki 1.23.
4070 * (bug 58434) The broken installer for database backend Oracle was fixed.
4071 * (bug 58167) The web installer no longer throws an exception when PHP is compiled without support for MySQL yet with support for another DBMS.
4072 * (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
4073 * (bug 47055) Changed FOR UPDATE handling in Postgresql
4074 * (bug 57026) Avoid extra parsing in prepareContentForEdit()
4075
4076 == MediaWiki 1.22.0 ==
4077
4078 === Configuration changes in 1.22 ===
4079 * $wgRedirectScript was removed. It was unused.
4080 * Removed $wgLocalMessageCacheSerialized, it is now always true.
4081 * $wgVectorUseIconWatch is now enabled by default.
4082 * $wgCascadingRestrictionLevels was added.
4083 * ftps, ssh, sftp, xmpp, sip, sips, tel, sms, bitcoin, magnet, urn, and geo
4084 have been whitelisted inside of $wgUrlProtocols.
4085 * $wgDocType and $wgDTD have been removed and are no longer used for the DOCTYPE.
4086 * $wgHtml5 is no longer used by core. Setting it to false will no longer disable HTML5.
4087 It is still set to true for extension compatibility but doing so in extensions is deprecated.
4088 * $wgXhtmlDefaultNamespace is no longer used by core. Setting it will no longer change the
4089 xmlns used by MediaWiki. Reliance on this variable by extensions is deprecated.
4090 * $wgHandheldStyle was removed.
4091 * $wgHandheldForIPhone was removed.
4092 * $wgJsMimeType is no longer used by core. Most usage has been removed since
4093 HTML output is now exclusively HTML5.
4094 * $wgDBOracleDRCP added. True enables persistent connection with DRCP on Oracle.
4095 * $wgLogAutopatrol added to allow disabling logging of autopatrol edits in the logging table.
4096 Default for $wgLogAutopatrol is true.
4097 * The 'edit' right no longer allows for editing a user's own CSS and JS.
4098 * New rights 'editmyusercss', 'editmyuserjs', 'viewmywatchlist',
4099 'editmywatchlist', 'viewmyprivateinfo', 'editmyprivateinfo', and
4100 'editmyoptions' restrict actions that were formerly allowed by default. They
4101 have been added to the default for $wgGroupPermissions['*'].
4102 * The 'editprotected' right no longer allows bypassing of all page protection
4103 restrictions. Any group using it for this purpose will now need to have all
4104 the individual rights listed in $wgRestrictionTypes for the same effect.
4105 * The 'protect' and 'autoconfirmed' rights are no longer used for the default
4106 page protection levels. The rights 'editprotected' and 'editsemiprotected'
4107 are now used for this purpose instead.
4108 * (bug 40866) wgOldChangeTagsIndex removed.
4109 * $wgNoFollowDomainExceptions now only matches entire domains. For example,
4110 an entry for 'bar.com' will still match 'foo.bar.com' but not 'foobar.com'.
4111 * $wgCopyUploadTimeout and $wgCopyUploadAsyncTimeout added to change the timeout times for
4112 fetching the file during upload by url.
4113 * New key added to $wgGalleryOptions - $wgGalleryOptions['mode'] to set
4114 default gallery mode.
4115 * New hook 'GalleryGetModes' to allow extensions to make new gallery modes.
4116 * The checkbox for staying in HTTPS displayed on the login form when $wgSecureLogin is
4117 enabled has been removed. Instead, whether the user stays in HTTPS will be determined
4118 based on the user's preferences, and whether they came from HTTPS or not.
4119 * $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort,
4120 and $wgRC2UDPPrefix configuration options have been deprecated in favor of a
4121 $wgRCFeeds configuration array. $wgRCFeeds makes both the format and
4122 destination of recent change notifications customizable, and allows for
4123 multiple destinations to be specified.
4124 * (bug 53862) portal-url, currentevents-url and helppage have been removed from the
4125 default Sidebar.
4126 * The 'vector-simplesearch' preference is now enabled by default. Previously
4127 it was only enabled if the Vector extension was installed.
4128 * The precise format of metric datagrams produced by the UDP profiler and stats counter
4129 may now be specified as $wgUDPProfilerFormatString and $wgStatsFormatString,
4130 respectively.
4131 * (bug 54597) $wgBlockOpenProxies, $wgProxyPorts, $wgProxyScriptPath, and
4132 $wgProxyMemcExpiry have been removed, along with the open proxy scanner
4133 script they were added for.
4134 * Default value of $wgMaxShellMemory has been tripled (it's now 300 MB).
4135
4136 === New features in 1.22 ===
4137 * You can now install extensions using Composer.
4138 See https://www.mediawiki.org/wiki/Composer
4139 * (bug 44525) mediawiki.jqueryMsg can now parse (whitelisted) HTML elements and attributes.
4140 * (bug 33454) Language::sprintfDate now has a timezone parameter, and supports
4141 the "eIOPTZ" formatting characters.
4142 * EditWarning: A warning is shown when an editor leaves the edit form without
4143 saving (enabled by default, users can opt-out via the 'useeditwarning'
4144 preference). This feature was moved from the Vector extension, and is now part
4145 of core for all skins. Take care when upgrading that you don't use an older
4146 version of the Vector extension as this feature may conflict.
4147 * New 'mediawiki.ui' CSS module providing mw-ui-* styles for buttons and a
4148 compact vertical form layout.
4149 * HTMLForm supports a new display format 'vform' which applies this compact vertical
4150 layout and button styling. Special:PasswordReset uses this format.
4151 * New versions of login (Special:UserLogin) and create account
4152 (Special:UserLogin/signup) forms using the "vform" compact vertical form layout.
4153 These forms use new messages that assume a "Help logging in" link, see
4154 https://www.mediawiki.org/wiki/Manual:Page_customizations;
4155 https://www.mediawiki.org/wiki/Account_creation_user_experience/Strings lists the
4156 message key changes.
4157 * (bug 23343) Implemented ability to apply IP blocks to the contents of X-Forwarded-For headers
4158 by adding a new configuration variable $wgApplyIpBlocksToXff (disabled by default).
4159 * The new hook 'APIGetPossibleErrors' to modify the list of possible errors was
4160 added.
4161 * (bug 25592) LogEventsList::showLogExtract() will now ignore various
4162 Pager-related WebRequest parameters by default, as this is overwhelmingly
4163 likely to be what was intended by users of the method. If any caller wishes
4164 to use these parameters, the new param 'useRequestParams' may be set to true.
4165 * mw.util.addPortletLink: Tooltip is no longer required to be plain (without
4166 an accesskey in it already). As such it now rountrips. Creating a link with a
4167 message as tooltip, grabbing the title attribute and using it to create
4168 another portlet will work as expected.
4169 * (bug 6747) {{ROOTPAGENAME}} introduced, contains the name of the topmost
4170 page without namespace.
4171 * BREAKING CHANGE: (bug 41729) Display editsection links next to headings. Also
4172 change their class name from .editsection to .mw-editsection and place them at
4173 the end of the heading element instead of the beginning. Client-side code and
4174 screen-scrapers will have to be adjusted to handle both cases (old HTML will
4175 still be visible on cached page renders until they are purged); extensions
4176 using the DoEditSectionLink or EditSectionLink hooks might need adjustments as
4177 well.
4178 * (bug 45535) introduced the new 'LanguageLinks' hook for manipulating the
4179 language links associated with a page before display.
4180 * Chosen (http://harvesthq.github.io/chosen/) was added as module 'jquery.chosen'
4181 * HTMLForm will turn multiselect checkboxes into a Chosen interface when setting cssclass 'mw-chosen'
4182 * rebuildLocalisationCache learned --lang option. Let you rebuild l10n caches
4183 of the specified languages instead of all of them.
4184 * New GetNewMessagesAlert hook allowing extensions to disable or modify the new
4185 messages alert
4186 * New wgUserNewMsgRevisionId JS global for logged in users. This will be null
4187 if the user has no new talk page messages. Otherwise it will be set to the
4188 revision ID of the oldest new talk page message. This will allow gadgets and
4189 extensions to create their own new message alerts on the client side.
4190 * mediawiki.log: Added log.warn wrapper (uses console.warn and console.trace).
4191 * mediawiki.log: Implemented log.deprecate. This method defines a property and
4192 uses ES5 getter/setter to emit a warning when they are used.
4193 * $wgCascadingRestrictionLevels was added, allowing one to specify restriction levels
4194 which can be cascading (previously 'sysop' was hard-coded as the only one).
4195 * XHTML5 support has been improved. If you set $wgMimeType = 'application/xhtml+xml'
4196 MediaWiki will try outputting markup according to XHTML5 rules.
4197 * Altered hook 'ProtectionForm::save', adding the reason page protection is
4198 changed as third parameter.
4199 * New hook 'TitleSquidURLs' for manipulating the list of URLs to be purged from
4200 HTTP caches when a page is changed.
4201 * Changed the patrolling system to always show the link for patrolling in case the
4202 current revision is patrollable. This also removed the usage of the rcid URI parameters.
4203 * Oracle DB backend now supports Database Resident Connection Pooling (DRCP).
4204 Can be enabled by setting $wgDBOracleDRCP=true.
4205 Requires Oracle DB 11gR1 or above, enabled DRCP inside the DB itself and a
4206 propper connect string.
4207 More about DRCP can be found at:
4208 http://www.oracle-base.com/articles/11g/database-resident-connection-pool-11gr1.php
4209 * Add a new parameter $patrolFooterShown to hook ArticleViewFooter so the hook
4210 handlers can take further action based on the status of the patrol footer
4211 * A new hook TitleQuickPermissions was added to allow overriding of quick
4212 permissions in the Title class.
4213 * LinkCache singleton can now be altered or cleared, letting one to specify
4214 another instance that does not rely on a database backend.
4215 * MediaWiki's PHPUnit tests can now use PHPUnit installed using composer --dev.
4216 * (bug 43689) The lists of templates used on the page and hidden categories it
4217 is a member of, shown below the edit form, are now collapsible (and collapsed
4218 by default).
4219 * Parser profiling data, formerly only available in the "NewPP limit report"
4220 HTML comment, is now also displayed at the bottom of page previews.
4221 * Added ParserLimitReportPrepare and ParserLimitReportFormat hooks, deprecated
4222 ParserLimitReport hook.
4223 * New user rights have been added to increase granularity in rights management
4224 for extensions such as OAuth:
4225 ** editmyusercss controls whether a user may edit their own CSS subpages.
4226 ** editmyuserjs controls whether a user may edit their own JS subpages.
4227 ** viewmywatchlist controls whether a user may view their watchlist.
4228 ** editmywatchlist controls whether a user may edit their watchlist.
4229 ** viewmyprivateinfo controls whether a user may access their private
4230 information (e.g. registered email address, real name).
4231 ** editmyprivateinfo controls whether a user may change their private
4232 information.
4233 ** editmyoptions controls whether a user may change their preferences.
4234 * Add new hook AbortTalkPageEmailNotification, this will be used to determine
4235 whether to send the regular talk page email notification
4236 * Action classes registered in $wgActions are now also supported in the form of
4237 a callback (which returns an instance of Action) instead of providing the name
4238 of a subclass of Action.
4239 * (bug 46513) Vector: Add the collapsibleTabs script from the Vector extension.
4240 * Added $wgRecentChangesFlags for defining new flags for RecentChanges and
4241 watchlists.
4242 * (bug 40518) mw.toolbar: Implemented mw.toolbar.addButtons for adding multiple
4243 button objects in one call.
4244 * Rights used for the default protection levels ('sysop' and 'autoconfirmed')
4245 are now used just for that purpose, instead of overloading other rights. This
4246 allows easy granting of the ability to edit sysop-protected pages without
4247 also granting the ability to protect and unprotect.
4248 * (bug 48256) Make brackets in section edit links accessible to CSS.
4249 They are now wrapped in <span class="mw-editsection-bracket" />.
4250 * (bug 8480) Allow handler specific parameters in galleries (like page number)
4251 * jquery.client: Add detection for Opera 15 and Internet Explorer 11.
4252 * Change tags (used by the AbuseFilter extension) are now shown on diff pages.
4253 * Change tag lists (shown on recent changes, watchlist, user contributions,
4254 history pages, diff pages) now include a link to Special:Tags to distinguish
4255 them from edit summaries.
4256 * Added a new method and hook, User::isEveryoneAllowed() and
4257 UserIsEveryoneAllowed, for use in situations where a "does everyone have this
4258 right?" check is used to avoid more expensive checks.
4259 * (bug 14431) Display "(No difference)" instead of an empty diff (when comparing
4260 revisions in the history or when previewing changes while editing).
4261 * New hook 'IsUploadAllowedFromUrl' is added which can be used to intercept uploads by
4262 URL, useful for blacklisting specific URLs
4263 * (bug 21912) Watchlist token implementation has been refactored and
4264 Special:ResetTokens was added to allow users to reset their tokens
4265 instead of presenting them in Preferences.
4266 * Special:PrefixIndex now lets you strip the searched prefix from the displayed
4267 titles. Given a list of articles named Bug1, Bug2, you can now transclude the
4268 list of bug numbers using: {{Special:PrefixIndex/Bug|stripprefix=1}}.
4269 The special page form received a new checkbox matching that option.
4270 * (bug 23580) Implement javascript callback interface "mw.hook".
4271 * (bug 30713) New mw.hook "wikipage.content".
4272 * (bug 40430) jquery.placeholder gets a new parameter to set the attribute value
4273 to be used.
4274 * $wgHTCPMulticastRouting renamed $wgHTCPRouting since it accepts unicast.
4275 * $wgHTCPRouting rules can now be passed an array of hosts/ports to send purge
4276 too. Can be used whenever several multicast group could be interested by a
4277 specific purge.
4278 * (bug 25931) Add Special:RandomInCategory.
4279 * mediawiki.util: addPortletLink now supports passing a jQuery object as nextnode.
4280 * <wbr> can now be used inside WikiText.
4281 * WebResponse::setcookie is much more featureful. Callers using PHP's
4282 setcookie() or setrawcookie() should begin using this instead.
4283 * New hook WebResponseSetCookie, called from WebResponse::setcookie().
4284 * New hook ResetSessionID, called when the session id is reset.
4285 * Add a mode parameter to <gallery> tag with potential options of "traditional",
4286 "nolines", "packed", "packed-overlay", or "packed-hover".
4287 * (bug 47399) A success message is now displayed after changing the password.
4288 * Make thumb.php give HTTP redirects for file redirects
4289 * (bug 30607) Special:ListFiles can now show old versions of files. Additionally
4290 Special:AllMyUploads was introduced so the user can get a list of all things
4291 they have ever uploaded, even if it was subsequently overridden.
4292 * Introduced Special:MyFiles and Special:AllMyFiles as an alias for Special:MyUploads
4293 and Special:AllMyUploads respectively.
4294 * IPv6 addresses in X-Forwarded-For headers are now normalised before checking
4295 against allowed proxy lists.
4296 * Add deferrable update support for callback/closure.
4297 * Add TitleMove hook before page renames.
4298 * Revision deletion backend code is moved out of SpecialRevisiondelete
4299 * Added {{REVISIONSIZE}} variable to get the current size of a revision.
4300 * Add support for the LESS stylesheet language to ResourceLoader. LESS is a
4301 stylesheet language that compiles into CSS. ResourceLoader file modules may
4302 include LESS style files; ResourceLoader will compile these files into CSS
4303 before sending them to the client.
4304 ** The $wgResourceLoaderLESSVars configuration variable is an associative array
4305 mapping variable names to string CSS values. These variables are considered
4306 declared for all LESS files. Additional variables may be registered by
4307 adding keys to the array.
4308 ** $wgResourceLoaderLESSFunctions is an associative array of custom LESS
4309 function names to PHP callables. See <http://leafo.net/lessphp/docs/#custom_functions>
4310 for more details regarding custom functions.
4311 ** $wgResourceLoaderLESSImportPaths is an array of file system paths. Files
4312 referenced in LESS '@import' statements are looked up here first.
4313 * ResourceLoader supports hashes as module cache invalidation trigger (instead
4314 of or in addition to timestamps).
4315 * Added $wgExtensionEntryPointListFiles for use in mergeMessageFileList.php.
4316 * Added a hook, APIQuerySiteInfoStatisticsInfo, to allow extensions to modify
4317 the output of the API query meta=siteinfo&siprop=statistics
4318 * Primary keys have been added to both the archive table and the externallinks
4319 tables.
4320 * Added $wgEnableParserLimitReporting to control whether the NewPP limit report is
4321 output in a HTML comment.
4322 * The 'UnwatchArticle' and 'WatchArticle' hooks now support a Status object
4323 instead of just a boolean return value to abort the hook.
4324 * Added a hook, SpecialWatchlistGetNonRevisionTypes, to allow extensions
4325 with custom recentchanges entries to hook into the Watchlist without
4326 clobbering each other.
4327 * A hidden, empty input field was added to the edit form, and any edit that fills
4328 it in will be rejected. This prevents against the simplest form of spambots.
4329 Previously in the "SimpleAntiSpam" extension by Ryan Schmidt.
4330 * populateRevisionLength.php maintenance script updated to also populate
4331 archive.ar_len field.
4332 * (bug 43571) DatabaseMySQLBase learned to list views, optionally filtered by a
4333 prefix. Also fixed PHPUnit test suite when using a MySQL backend containing
4334 views.
4335
4336 === Bug fixes in 1.22 ===
4337 * (bug 47271) $wgContentHandlerUseDB should be set to false during the upgrade
4338 * Disable Special:PasswordReset when $wgEnableEmail is false. Previously one
4339 could still navigate to the page by entering the URL directly.
4340 * (bug 47138) Fixed a fatal error when a blocked user tries to automatically
4341 create an account on login due external authentication in some circumstances.
4342 * (bug 23393) HTML <hN> headings containing line breaks are now handled
4343 correctly.
4344 * (bug 45803) Whitespace within == Headline == syntax and within <hN> headings
4345 is now non-significant and not preserved in the HTML output.
4346 * (bug 47218) Special:BlockList now handles correctly user names with spaces
4347 when passed as subpage.
4348 * Pager's properly validate which fields are allowed to be sorted on.
4349 * mw.util.tooltipAccessKeyRegexp: The regex now matches "option-" as well.
4350 Support for Mac "option" was added in 1.16, but the regex was never updated.
4351 * (bug 46768) Usernames of blocking users now display correctly, even if numeric.
4352 * (bug 39590) Self-transclusions now show the most up to date result always
4353 after save instead of being a revision behind.
4354 * A bias in wfRandomString() toward digits 1-7 has been corrected. Generated
4355 strings will now start with digits 0 and 8-f as often as they should.
4356 * (bug 45371) Removed Parser_LinkHooks and CoreLinkFunctions classes.
4357 * (bug 41545) Allow <kbd>, <samp>, and <var> to be nested like allowed in html.
4358 * PLURAL magic word no longer causes a PHP notice when no matching form exists.
4359 * (bug 36641) Patrol page links no longer show on non-existent revisions.
4360 * (bug 35810) Pages not linked from Special:RecentChanges or Special:NewPages
4361 are patrollable now.
4362 * (bug 30213) JavaScript for search suggestions is now disabled when the API
4363 is disabled, and AJAX patrolling and watching are now disabled when use of
4364 the write API is not allowed.
4365 * (bug 48294) API: Fix chunk upload async mode.
4366 * (bug 46749) Broken files tracking category removed from pages if an image
4367 with that name is uploaded.
4368 * (bug 14176) System messages that are empty were previously incorrectly treated
4369 as non-existent, causing a fallback to the default. This stopped users from
4370 overriding system messages to make them blank.
4371 * (bug 48319) action=parse no longer returns an error if passed none of 'oldid',
4372 'pageid', 'page', 'title', and 'text' (e.g. if only passed 'summary'). A
4373 warning will instead be issued if 'title' is non-default, unless no props are
4374 requested.
4375 * Special:Recentchangeslinked will now include upload log entries
4376 * (bug 41281) Fixed ugly output if file size could not be extracted for multi-page media.
4377 * (bug 50315) list=logevents API module will now output log entries by anonymous users.
4378 * (bug 38911) Handle headers with rowspan in jquery.tablesorter
4379 * (bug 658) Converted the table of contents on wiki pages from <table> to <div>
4380 and adjusted skin CSS accordingly. The CSS was carefully crafted to be
4381 backwards-compatible in all reasonable cases (uses of the __TOC__ magic word,
4382 the #toc CSS id and the .toc CSS class). However, particularly bad abuse of
4383 the id or the class can possibly break.
4384 * CSSJanus now supports rgb, hsl, rgba, and hsla color syntaxes.
4385 * Special:Listfiles can no longer be sorted by image name when filtering
4386 by user in miser mode.
4387 * (bug 49074) CSSJanus: Handle values of border-radius correctly.
4388 * Handle relative inclusions ({{../name}}) in main namespace with subpages
4389 enabled correctly (previously MediaWiki tried to include Template:Parent/name
4390 instead of just Parent/name).
4391 * Added $wgAPIUselessQueryPages to allow extensions to flag their query pages
4392 for non-inclusion in ApiQueryQueryPages.
4393 * (bug 50870) mediawiki.notification: Notification area should remain visible
4394 when scrolled down.
4395 * (bug 13438) Special:MIMESearch no longer an expensive special page.
4396 * (bug 48342) Fixed a fatal error when $wgValidateAllHtml is set to true and
4397 the function apache_request_headers() function is not available.
4398 * (bug 33399) LivePreview: Re-run wikipage content handlers
4399 (jquery.makeCollapsible, jquery.tablesorter) after preview content is loaded.
4400 * (bug 51891) Fixed PHP notice on Special:PagesWithProp when no properties
4401 are defined.
4402 * (bug 52006) Corrected documentation of $wgTranscludeCacheExpiry.
4403 * (bug 52077) The APIEditBeforeSave hook is giving the content of the whole
4404 revision as second argument now, rather than just the current section.
4405 * (bug 49694) $wgSpamRegex is now also applied on the new section headline text
4406 adding a new topic on a page
4407 * (bug 41756) Improve treatment of multiple comments on a blank line.
4408 * (bug 51064) Purge upstream caches when deleting file assets.
4409 * (bug 39012) File types with a mime that we do not know the extension for
4410 can no longer be uploaded as an extension that we do know the mime type
4411 for.
4412 * (bug 51742) Add data-sort-value for better sorting of hitcounts Special:Tags
4413 * (bug 26811) On DB error pages, server hostnames are now hidden when both
4414 $wgShowHostnames and $wgShowSQLErrors are false.
4415 * (bug 6200) line breaks in <blockquote> are handled like they are in <div>
4416 * (bug 14931) Default character set now set to 'utf8' when a new MySQL
4417 database is created.
4418 * (bug 47191) Fixed "Column 'si_title' cannot be part of FULLTEXT index"
4419 MySQL error when installing using the binary character set option.
4420 * (bug 45288) Support mysqli PHP extension
4421 * (bug 55818) BREAKING CHANGE: Removed undocumented 'Debug' hook in wfDebug.
4422 This resolves an infinite loop when using $wgDebugFunctionEntry = true.
4423 * (bug 56707) Correct tooltip of "Next n results" on query special pages.
4424 * (bug 56770) mw.util.addPortletLink: Check length before access array index.
4425
4426 === API changes in 1.22 ===
4427 * (bug 25553) The JSON output formatter now leaves forward slashes unescaped
4428 to improve human readability of URLs and similar strings. Also, a "utf8"
4429 option is now provided to use UTF-8 encoding instead of hex escape codes
4430 for most non-ASCII characters.
4431 * (bug 46626) xmldoublequote parameter was removed. Because of a bug, the
4432 parameter has had no effect since MediaWiki 1.16, and so its removal is
4433 unlikely to impact existing clients.
4434 * (bug 47216) action=query&meta=siteinfo&siprop=skins will now indicate which
4435 skin is the default and which are unusable (e.g. listed in $wgSkipSkins).
4436 * (bug 25325) Added support for wlshow filtering (bots/anon/minor/patrolled)
4437 to action=feedwatchlist.
4438 * WDDX formatted output will actually be formatted (and normal output will no
4439 longer be), and will no longer choke on booleans.
4440 * action=opensearch no longer silently ignores the format parameter.
4441 * action=opensearch now supports format=jsonfm.
4442 * list=usercontribs&ucprop=ids will now include the parent revision id.
4443 * BREAKING CHANGE: action=parse no longer returns all langlinks for the page
4444 with prop=langlinks by default. The new effectivelanglinks parameter will
4445 request that the LanguageLinks hook be called to determine the effective
4446 language links.
4447 * BREAKING CHANGE: list=allpages, list=langbacklinks, and prop=langlinks do not
4448 apply the new LanguageLinks hook, and thus only consider language links
4449 stored in the database.
4450 * (bug 47219) Allow specifying change type of Wikipedia feed items
4451 * prop=imageinfo now allows setting iiurlheight without setting iiurlwidth
4452 * prop=info now adds the content model and page language of the title.
4453 * New upload log entries will now contain information on the relevant
4454 image (sha1 and timestamp).
4455 * (bug 49239) action=parse now can parse in preview and section preview modes.
4456 * (bug 49259) action=patrol now accepts revision ids.
4457 * (bug 48129) list=blocks&bkip= now correctly handles IPv6 CIDR ranges and
4458 honors $wgBlockCIDRLimit. Note any clients passing invalid values to bkip
4459 will now receive an error, rather than the previous behavior listing all
4460 user blocks.
4461 * (bug 48201) action=parse&text=foo now assumes wikitext if no title is given,
4462 rather than using the content model of the page "API".
4463 * action=watch no longer silently ignores hook abort.
4464 * (bug 50785) action=purge with forcelinkupdate=1 no longer queues refreshLinks
4465 jobs in the job queue for link table updates of pages that use the given page
4466 as a template. Instead, forcerecursivelinkupdate=1 is introduced and should
4467 be used if that behaviour is desirable.
4468 * The 'debugLog' property (enabled by $wgDebugToolbar) no longer sets the log
4469 entry values through ApiResult::content but directly. This changes the JSON
4470 output from an array of objects with content in '*' to an array of strings
4471 with the content.
4472 * (bug 51342) prop=imageinfo iicontinue now contains the dbkey, not the text
4473 version of the title.
4474 * (bug 52538) action=edit will now use empty text instead of the contents
4475 of section 0 when passed prependtext or appendtext with section=new.
4476 * Support for the 'gettoken' parameter to action=block and action=unblock,
4477 deprecated since 1.20, has been removed.
4478 * (bug 49090) Token-getting functions will fail when using jsonp callbacks.
4479 * (bug 52699) action=upload returns normalized file name on warning
4480 "exists-normalized" instead of filename to be uploaded to.
4481 * (bug 53884) action=edit will now return an error when the specified section
4482 does not exist in the page.
4483 * Added meta=filerepoinfo API module for getting information about foreign
4484 file repositories, and related ForeignAPIRepo methods getInfo and getApiUrl.
4485 * The new query module list=allfileusages to enumerate file usages was added.
4486
4487 === Languages updated in 1.22 ===
4488
4489 MediaWiki supports over 350 languages. Many localisations are updated
4490 regularly. Below only new and removed languages are listed, as well as
4491 changes to languages because of Bugzilla reports.
4492
4493 * Batak Toba (bbc-latn) added.
4494 * (bug 46751) Made Buryat (Russia) (буряад) (bxr) fallback to Russian.
4495
4496 === Other changes in 1.22 ===
4497 * BREAKING CHANGE: Implementation of MediaWiki's JS and JSON value encoding
4498 has changed:
4499 ** MediaWiki no longer supports PHP installations in which the native JSON
4500 extension is missing or disabled.
4501 ** XmlJsCode objects can no longer be nested inside objects or arrays.
4502 (For Xml::encodeJsCall(), this individually applies to each argument.)
4503 ** The sets of characters escaped by default, along with the precise escape
4504 sequences used, have changed (except for the Xml::escapeJsString()
4505 function, which is now deprecated).
4506 * BREAKING CHANGE: The Services_JSON class has been removed. If necessary,
4507 be sure to upgrade affected extensions at the same time (e.g. Collection).
4508 * redirect.php was removed. It was unused.
4509 * ClickTracking integration was dropped from the mediaWiki.user.bucket
4510 JavaScript function. The 'tracked' option is now ignored.
4511 * BREAKING CHANGE: Legacy skins Simple, MySkin, Chick, Standard and Nostalgia
4512 were all removed. (Nostalgia was moved to an extension.) The SkinLegacy and
4513 LegacyTemplate classes that supported them were removed as well and are now a
4514 part of the Nostalgia extension.
4515 * Event namespace used by jquery.makeCollapsible has been changed from
4516 'mw-collapse' to 'mw-collapsible' for consistency with the module name.
4517 * BREAKING CHANGE: The "ExternalAuth" authentication subsystem was removed, along
4518 with its associated globals of $wgExternalAuthType, $wgExternalAuthConf,
4519 $wgAutocreatePolicy and $wgAllowPrefChange. Affected users are encouraged to
4520 use AuthPlugin for external authentication/authorization needs.
4521 * The Quickbar feature of the legacy skin model and the last remnants of it
4522 throughout the code base have been removed.
4523 * Externaledit/externaldiff preference was removed. Very few users used this
4524 feature, and improper configuration can actually prevent a user from editing
4525 * Calling Linker methods using a skin will now output deprecation warnings.
4526 * (bug 46680) "Return to" links are no longer tagged with rel="next".
4527 * BREAKING CHANGE: mw.util.tooltipAccessKeyRegexp: The match group for the
4528 accesskey character is now $6 instead of $5.
4529 * HipHop compiler (hphpc) support was removed. HipHop VM support (hhvm) was
4530 added.
4531 * A new Special:Redirect page was added, providing lookup by revision ID,
4532 user ID, or file name. The old Special:Filepath page was reimplemented
4533 to redirect through Special:Redirect.
4534 * Monobook: Removed the old conditional stylesheets for Opera 6, 7 and 9.
4535 * Support for XHTML 1.0 has been removed. MediaWiki now only outputs (X)HTML5.
4536 * wikibits: User-agent related globals have been deprecated. The following
4537 properties now default to false and emit mw.log.warn: is_gecko, is_chrome_mac,
4538 is_chrome, webkit_version, is_safari_win, is_safari, webkit_match, is_ff2,
4539 ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs, opera7_bugs, opera6_bugs,
4540 is_opera_95, is_opera_preseven, is_opera, and ie6_bugs.
4541 * (bug 48276) MediaWiki will now flash a confirmation message upon successfully
4542 editing a page.
4543 * (bug 40785) mediawiki.legacy.ajax has been marked as deprecated. The following
4544 properties now emit mw.log.warn when accessed: sajax_debug, sajax_init_object,
4545 sajax_do_call and wfSupportsAjax.
4546 * BREAKING CHANGE: meta keywords are no longer supported. A <meta name="keywords"
4547 will no longer be output and OutputPage::addKeyword no longer exists.
4548 * Methods Title::userCanEditCssSubpage and Title::userCanEditJsSubpage,
4549 deprecated since 1.19, have been removed.
4550 * (bug 50134) Hook functions are no longer required to return a value. When a
4551 hook function does not return a value (or when it returns an explicit null),
4552 processing continues. To abort the hook, a hook function must return an
4553 explicit, boolean false or a string error message. Other falsey values are
4554 tantamount to a 'return true' in earlier versions of MediaWiki.
4555 * BREAKING CHANGE: The EditSectionLink hook was removed after being
4556 deprecated since MediaWiki 1.14. Use DoEditSectionLink instead.
4557 * (bug 48256) The 'editsection-brackets' optional message was removed.
4558 Section edit links' brackets can now be customized using CSS by
4559 styling span.mw-editsection-bracket.
4560 * The usePatrol function in ChangesList has been marked as deprecated.
4561 * (bug 50785) A "null edit", that is, a save action in which no changes to the
4562 page text are made and no revision recorded, will no longer send refreshLinks
4563 jobs to the job table to update pages which use the edited page as a template.
4564 * The LivePreviewPrepare and LivePreviewDone events triggered on "jQuery( mw )"
4565 have been deprecated in favour of using mw.hook.
4566 * The 'showjumplinks' user preference has been removed, jump links are now
4567 always included.
4568 * Methods RecentChange::notifyRC2UDP, RecentChange::sendToUDP, and
4569 RecentChange::cleanupForIRC have been deprecated, as it is now the
4570 responsibility of classes implementing the RCFeedFormatter and RCFeedEngine
4571 interfaces to implement the formatting and delivery for recent change
4572 notifications.
4573 * SpecialPrefixindex methods namespacePrefixForm() and showPrefixChunk() have
4574 been made protected. They were accepting form variance arguments, this is now
4575 using properties in the SpecialPrefixindex class.
4576 * (bug 50310) BREAKING CHANGE: wikibits: Drop support for mwCustomEditButtons.
4577 It defaults to an empty array and emits mw.log.warn when accessed.
4578 * BREAKING CHANGE: Special:Disambiguations has been removed from MediaWiki core.
4579 Functions related to disambiguation pages are now handled by the Disambiguator
4580 extension (https://www.mediawiki.org/wiki/Extension:Disambiguator) (bug
4581 35981).
4582 * BREAKING CHANGE: The 'mediawiki.legacy.wikiprintable' module has been removed.
4583 The skins/common/wikiprintable.css file no longer exists. Return value of
4584 Skin#commonPrintStylesheet is ignored. Please use the 'mediawiki.legacy.commonPrint'
4585 module instead or base your skin on SkinTemplate.
4586 * (bug 49629) The hook ExtractThumbParameters has been deprecated in favour
4587 of media handler overriding MediaHandler::parseParamString.
4588 * (bug 46512) The collapsibleNav feature from the Vector extension has been moved
4589 to the Vector skin in core.
4590 * SpecialRecentChanges::addRecentChangesJS() function has been renamed
4591 to addModules() and made protected.
4592 * Methods WatchAction::doWatch and WatchAction::doUnwatch now return a Status
4593 object instead of a boolean.
4594 * Information boxes (CSS classes errorbox, warningbox, successbox) have been
4595 made more subtle.
4596 * BREAKING CHANGE: The module 'mediawiki.legacy.IEFixes' has been removed as it was
4597 unused. The file skins/common/IEFixes.js remains but is only used by wikibits.
4598 The file never contained any re-usable components. To use it in a skin, load
4599 'mediawiki.legacy.wikibits' (which IEFixes depends on) and that will import
4600 IEFixes automatically if user agent conditions are met.
4601 * Code specific to the Math extension was marked as deprecated.
4602 * mediawiki.util: mw.util.wikiGetlink has been renamed to getUrl. (The old name
4603 still works, but is deprecated.)
4604
4605 = MediaWiki 1.21 =
4606
4607 == MediaWiki 1.21.11 ==
4608 This is a security and maintenance release of the MediaWiki 1.21 branch.
4609
4610 === Changes since 1.21.10 ===
4611 * (bug 65839) SECURITY: Prevent external resources in SVG files.
4612 * (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
4613
4614 == MediaWiki 1.21.10 ==
4615 This is a security and maintenance release of the MediaWiki 1.21 branch.
4616
4617 === Changes since 1.21.9 ===
4618 * (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
4619 * (bug 36356) Add space between two feed links.
4620
4621 == MediaWiki 1.21.9 ==
4622 This is a security and maintenance release of the MediaWiki 1.21 branch.
4623
4624 === Changes since 1.21.8 ===
4625 * (bug 63251) SECURITY: Escape sortKey in pageInfo.
4626 * (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
4627
4628 == MediaWiki 1.21.8 ==
4629 This is a security and maintenance release of the MediaWiki 1.21 branch.
4630
4631 === Changes since 1.21.7 ===
4632 * (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
4633 * (bug 62467) Set a title for the context during import on the cli.
4634
4635 == MediaWiki 1.21.7 ==
4636 This is a maintenance release of the MediaWiki 1.21 branch.
4637
4638 === Changes since 1.21.6 ===
4639 * Use the correct branch of the extensions' git repositories.
4640
4641 == MediaWiki 1.21.6 ==
4642 This is a security release of the MediaWiki 1.21 branch.
4643
4644 === Changes since 1.21.5 ===
4645 * (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. * User will get an error including the namespace name if they use a non- whitelisted namespace.
4646 * (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
4647 * (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
4648
4649 == MediaWiki 1.21.5 ==
4650 This is a security release of the MediaWiki 1.21 branch.
4651
4652 === Changes since 1.21.4 ===
4653 * (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats
4654
4655 == MediaWiki 1.21.4 ==
4656 This is a security release of the MediaWiki 1.21 branch.
4657
4658 === Changes since 1.21.3 ===
4659 * (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
4660 * (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
4661 * (bug 58472) SECURITY: Disallow -o-link in styles
4662 * (bug 58553) SECURITY: Return error on invalid XML for SVG Uploads
4663 * (bug 58699) SECURITY: Fix RevDel log entry information leaks
4664
4665 == MediaWiki 1.21.3 ==
4666 This is a security and maintenance release of the MediaWiki 1.21 branch.
4667
4668 === Changes since 1.21.2 ===
4669 * (bug 53032) SECURITY: Don't cache when a call could autocreate
4670 * (bug 55332) SECURITY: Improve css javascript detection
4671 * (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload
4672 * Fix comma errors in various js files
4673 * Translations
4674
4675 == MediaWiki 1.21.2 ==
4676 This is a security and maintenance release of the MediaWiki 1.21 branch.
4677
4678 === Changes since 1.21.1 ===
4679 * SECURITY: Fix extension detection with 2 .'s
4680 * SECURITY: Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed.
4681 * SECURITY: Sanitize ResourceLoader exception messages
4682 * Purge upstream caches when deleting file assets.
4683 * Unit test suite now runs the AutoLoader tests. Also fixed the autoloading entry for the PageORMTableForTesting class though it had no impact.
4684
4685 == MediaWiki 1.21.1 ==
4686 This is a maintenance release of the MediaWiki 1.21 branch.
4687
4688 === Changes since 1.21.0 ===
4689 * An incorrect version number was used for 1.21.0. 1.21.1 has the correct number.
4690 * A problem with the Oracle SQL table creation was fixed.
4691 * (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.
4692
4693 == MediaWiki 1.21.0 ==
4694
4695 === Configuration changes in 1.21 ===
4696 * (bug 29374) $wgVectorUseSimpleSearch is now enabled by default.
4697 * Deprecated $wgAllowRealName is removed. Use $wgHiddenPrefs[] = 'realname'
4698 instead.
4699 * (bug 39957) Added $wgUnwatchedPageThreshold, specifying minimum count
4700 of page watchers required for the number to be accessible to users
4701 without the unwatchedpages permission.
4702 * $wgBug34832TransitionalRollback has been removed.
4703 * (bug 29472) $wgUseDynamicDates has been removed and its functionality
4704 disabled.
4705
4706 === New features in 1.21 ===
4707 * (bug 38110) Schema changes (adding or dropping tables, indices and
4708 fields) can be now be done separately from other changes that
4709 update.php makes. This is useful in environments that use database
4710 permissions to restrict schema changes but allow the DB user that
4711 MediaWiki normally runs as to perform other changes that update.php
4712 makes. Schema changes can be run separately. See the file UPGRADE
4713 for more information.
4714 * (bug 34876) jquery.makeCollapsible has been improved in performance.
4715 * Added ContentHandler facility to allow extensions to support other content
4716 than wikitext. See docs/contenthandler.txt for details.
4717 * New feature was developed for showing high-DPI thumbnails for high-DPI mobile
4718 and desktop displays (configurable with $wgResponsiveImages).
4719 * Added new backend to represent and store information about sites and site
4720 specific configuration.
4721 * jQuery upgraded from 1.8.2 to 1.8.3.
4722 * jQuery UI upgraded from 1.8.23 to 1.8.24.
4723 * Added separate fa_sha1 field to filearchive table. This allows sha1
4724 searches with the api in miser mode for deleted files.
4725 * Add initial and programmatic sorting for tablesorter.
4726 * Add the event "sortEnd.tablesorter", triggered after sorting has completed.
4727 * The Job system was refactored to allow for different backing stores for
4728 queues as well as cross-wiki access to queues, among other things. The schema
4729 for the DB queue was changed to support better concurrency and reduce
4730 deadlock errors.
4731 * Added ApiQueryORM class to facilitate creation of query API modules based on
4732 tables that have a corresponding ORMTable class.
4733 * (bug 40876) Icon for PSD (Adobe Photoshop) file types.
4734 * (bug 40641) Implemented Special:Version/Credits with a list of contributors.
4735 * (bug 7851) Implemented one-click AJAX patrolling.
4736 * The <data>, <time>, <meta>, and <link> elements are allowed within WikiText
4737 for use with Microdata.
4738 * The HTML5 <mark> tag has been whitelisted.
4739 * Added ParserCloned hook for when the Parser object is cloned.
4740 * Added AlternateEditPreview hook to allow extensions to replace the page
4741 preview from the edit page.
4742 * Added EditPage::showStandardInputs:options hook to allow extensions to add
4743 new fields to the "editOptions" area of the edit form.
4744 * Upload stash DB schema altered to improve upload performance.
4745 * The following global functions are now reporting deprecated warnings in
4746 debug mode: wfMsg, wfMsgNoTrans, wfMsgForContent, wfMsgForContentNoTrans,
4747 wfMsgReal, wfMsgGetKey, wfMsgHtml, wfMsgWikiHtml, wfMsgExt, wfEmptyMsg. Use
4748 the Message class, or the global method wfMessage.
4749 * Added $wgEnableCanonicalServerLink, off by default. If enabled, a
4750 <link rel=canonical> tag is added to every page indicating the correct server
4751 to use.
4752 * Debug message emitted by wfDebugLog() will now be prefixed with the group
4753 name when its logged to the default log file. That is the case whenever the
4754 group has no key in wgDebugLogGroups, that will help triage the default log.
4755 * (bug 24620) Add types to LogFormatter.
4756 * jQuery JSON upgraded from 2.3 to 2.4.0.
4757 * Added GetDoubleUnderscoreIDs hook, for modifying the list of magic words.
4758 * DatabaseUpdater class has two new methods to ease extensions schema changes:
4759 dropExtensionIndex and renameExtensionIndex.
4760 * New preference type - 'api'. Preferences of this type are not shown on
4761 Special:Preferences, but are still available via the action=options API.
4762 * (bug 39397) Hide rollback link if a user is the only contributor of the page.
4763 * $wgPageInfoTransclusionLimit limits the list size of transcluded articles
4764 on the info action. Default is 50.
4765 * Added action=createaccount to allow user account creation.
4766 * (bug 40124) action=options API also allows for setting of arbitrary
4767 preferences, provided that their names are prefixed with 'userjs-'. This
4768 officially reenables the feature that was undocumented and defective
4769 in MW 1.20 (saving preferences using Special:Preferences cleared any
4770 additional fields) and which has been disabled in 1.20.1 as a part of
4771 a security fix (bug 42202).
4772 * Added option to specify "others" as author in extension credits using
4773 "..." as author name.
4774 * Added the ability to limit the wall clock time used by shell processes,
4775 as well as the CPU time. Configurable with $wgMaxShellWallClockTime.
4776 * Allow memory of shell subprocesses to be limited using Linux cgroups
4777 instead of ulimit -v, which tends to cause deadlocks in recent versions
4778 of ImageMagick. Configurable with $wgShellCgroup.
4779 * Added $wgWhitelistReadRegexp for regex whitelisting.
4780 * (bug 5346) Categories that are redirects will be displayed italic in
4781 the category links section at the bottom of a page.
4782 * (bug 43915) New maintenance script deleteEqualMessages.php.
4783 * You can now create checkbox option matrices through the HTMLCheckMatrix
4784 subclass in HTMLForm.
4785 * WikiText now permits the use of WAI-ARIA's role="presentation" inside of
4786 html elements and tables. This allows presentational markup, especially
4787 tables. To be marked up as such.
4788 * maintenance/sql.php learned the --cluster option. Let you run the script
4789 on some external cluster instead of the primary cluster for a given wiki.
4790 * (bug 20281) test the parsing of inline URLs.
4791 * Added Special:PagesWithProp, which lists pages using a particular page property.
4792 * Implemented language-specific collations for category sorting for 67 languages
4793 based in latin, greek and cyrillic alphabets. This allows one to *finally* get
4794 articles to be correctly sorted on category pages. They are named
4795 'uca-<langcode>', where <langcode> is one of: af, ast, az, be, bg, br, bs, ca,
4796 co, cs, cy, da, de, dsb, el, en, eo, es, et, eu, fi, fo, fr, fur, fy, ga, gd,
4797 gl, hr, hsb, hu, is, it, kk, kl, ku, ky, la, lb, lt, lv, mk, mo, mt, nl, no,
4798 oc, pl, pt, rm, ro, ru, rup, sco, sk, sl, smn, sq, sr, sv, tk, tl, tr, tt, uk,
4799 uz, vi.
4800 * Added 'CategoryAfterPageAdded' and 'CategoryAfterPageRemoved' hooks.
4801 * Added 'HistoryRevisionTools' and 'DiffRevisionTools' hooks.
4802 * Added 'SpecialSearchResultsPrepend' and 'SpecialSearchResultsAppend' hooks.
4803 * (bug 33186) Add image rotation api "imagerotate"
4804 * (bug 34040) Add "User rights management" link on user page toolbox.
4805 * (bug 45526) Add QUnit assertion helper "QUnit.assert.htmlEqual" for asserting
4806 structual equality of HTML (ignoring insignificant differences like
4807 quotmarks, order and whitespace in the attribute list).
4808 * (bug 23393) HTML <hN> headings containing line breaks are now handled
4809 correctly.
4810 * (bug 45803) Whitespace within == Headline == syntax and within <hN> headings
4811 is now non-significant and not preserved in the HTML output.
4812
4813 === Bug fixes in 1.21 ===
4814 * (bug 40353) SpecialDoubleRedirect should support interwiki redirects.
4815 * (bug 40352) fixDoubleRedirects.php should support interwiki redirects.
4816 * (bug 9237) SpecialBrokenRedirect should not list interwiki redirects.
4817 * (bug 34960) Drop unused fields rc_moved_to_ns and rc_moved_to_title from
4818 recentchanges table.
4819 * (bug 32951) Do not register internal externals with absolute protocol,
4820 when server has relative protocol.
4821 * (bug 39005) When purging proxies listed in $wgSquidServers using HTTP PURGE
4822 method requests, we now send a Host header by default, for Varnish
4823 compatibility. This also works with Squid in reverse-proxy mode. If you wish
4824 to support Squid configured in forward-proxy mode, set
4825 $wgSquidPurgeUseHostHeader to false.
4826 * (bug 37020) sql.php with readline eats semicolon.
4827 * (bug 11748) Properly handle optionally-closed HTML tags when Tidy is
4828 disabled, and don't wrap HTML-syntax definition lists in paragraphs.
4829 * (bug 41409) Diffs while editing an old revision should again diff against the
4830 current revision.
4831 * (bug 41494) Honor $wgLogExceptionBacktrace when logging non-API exceptions
4832 caught during API execution.
4833 * (bug 37963) Fixed loading process for user options.
4834 * (bug 26995) Update filename field on Upload page after having sanitized it.
4835 * (bug 41793) Contribution links to users with 0 edits on Special:ListUsers
4836 didn't show up red.
4837 * (bug 41899) A PHP notice no longer occurs when using the "rvcontinue" API
4838 parameter.
4839 * (bug 42036) Account creation emails now contain canonical (not
4840 protocol-relative) URLs.
4841 * (bug 41990) Fix regression: API edit with redirect=true and lacking
4842 starttimestamp and basetimestamp should not cause an edit conflict.
4843 * (bug 41706) EditPage: Preloaded page should be converted if possible and
4844 needed.
4845 * (bug 41886) Rowspans are no longer exploded by tablesorter until the table is
4846 actually sorted.
4847 * (bug 2865) User interface HTML elements don't use lang attribute.
4848 (completed the fix by adding the lang attribute to firstHeading).
4849 * (bug 42173) Removed namespace prefixes on Special:UncategorizedCategories.
4850 * (bug 36053) Log in "returnto" feature forgets query parameters if no
4851 title parameter was specified.
4852 * (bug 42410) API action=edit now returns correct timestamp for the new edit.
4853 * (bug 14901) Email notification mistakes log action for new page creation.
4854 Enotif no longer sends "page has been created" notifications for some log
4855 actions. The following events now have a correct message: page creation,
4856 deletion, move, restore (undeletion), change (edit). Parameter
4857 $CHANGEDORCREATED is deprecated in 'enotif_body' and scheduled for removal in
4858 MediaWiki 1.23.
4859 * (bug 457) In the sidebar of Vector, CologneBlue, Monobook, and Monobook-based
4860 skins, the heading levels have been changed from (variously per skin)
4861 <h4>, <h5> or <h6> to only <h3>s, with a <h2> hidden heading above them.
4862 If you are styling or scripting the headings in a custom way, this change
4863 will require updates to your site's CSS or JS.
4864 * (bug 41342) jquery.suggestions should cancel any active (async) fetches
4865 before it triggers another fetch.
4866 * (bug 42184) $wgUploadSizeWarning missing second variable.
4867 * (bug 34581) removeUnusedAccounts.php maintenance script now ignores newuser
4868 log when determining whether an account is used.
4869 * (bug 43379) Gracefully fail if rev_len is unavailable for a revision on the
4870 History page.
4871 * (bug 42949) API no longer assumes all exceptions are MWException.
4872 * (bug 41733) Hide "New user message" (.usermessage) element from printable view.
4873 * (bug 39062) Special:Contributions will display changes that don't have
4874 a parent id instead of just an empty bullet item.
4875 * (bug 37209) "LinkCache doesn't currently know about this title" error fixed.
4876 * wfMerge() now works if $wgDiff3 contains spaces
4877 * (bug 43052) mediawiki.action.view.dblClickEdit.dblClickEdit should trigger
4878 ca-edit click instead opening URL directly.
4879 * (bug 43964) Invalid value of "link" parameter in <gallery> no longer produces
4880 a fatal error.
4881 * (bug 44775) The username field is not pre-filled when creating an account.
4882 * (bug 45069) wfParseUrl() no longer produces a PHP notice if passed a "mailto:"
4883 URL without address
4884 * (bug 45012) Creating an account by e-mail can no longer show a
4885 "password mismatch" error.
4886 * (bug 44599) On Special:Version, HEADs for submodule checkouts (e.g. for
4887 extensions) performed using Git 1.7.8+ should now appear.
4888 * (bug 42184) $wgUploadSizeWarning missing second variable
4889 * (bug 40326) Check if files exist with a different extension during uploading
4890 * (bug 34798) Updated CSS for Atom/RSS recent changes feeds to match on-wiki diffs.
4891 * (bug 42430) Calling numRows on MySQL no longer propagates unrelated errors.
4892 * (bug 44719) Removed mention of non-existing maintenance/migrateCurStubs.php
4893 script in includes/DefaultSettings.php
4894 * (bug 45143) jquery.badge: Treat non-Latin variants of zero as zero as well.
4895 * (bug 46151) mwdocgen.php should not ignore exit code of doxygen command.
4896 * (bug 41889) Fix $.tablesorter rowspan exploding for complex cases.
4897
4898 === API changes in 1.21 ===
4899 * prop=revisions can now report the contentmodel and contentformat.
4900 See docs/contenthandler.txt.
4901 * action=edit and action=parse now support contentmodel and contentformat
4902 parameters to control the interpretation of page content.
4903 See docs/contenthandler.txt for details.
4904 * (bug 35693) ApiQueryImageInfo now suppresses errors when unserializing metadata.
4905 * (bug 40111) Disable minor edit for page/section creation by API.
4906 * (bug 41042) Revert change to action=parse&page=... behavior when the page
4907 does not exist.
4908 * (bug 27202) Add timestamp sort to list=allimages.
4909 * (bug 43137) Don't return the sha1 of revisions through the API if the content is
4910 revision-deleted.
4911 * ApiQueryImageInfo now also returns imageinfo for redirects.