Move RELEASE-NOTES-1.30 into HISTORY
[lhc/web/wiklou.git] / HISTORY
1 Change notes from older releases. For current info see RELEASE-NOTES-1.31.
2
3 = MediaWiki 1.30 =
4
5 == MediaWiki 1.30.0 ==
6
7 === Changes since MediaWiki 1.30.0-rc.0 ===
8 * Upgraded Moment.js from v2.15.0 to v2.19.3.
9 * Add ip_changes to postgres/tables.sql.
10 * Skip null shell parameters.
11 * Add wfWaitForSlaves() to maintenance/migrateComments.php.
12 * (T182245) Fix join conditions in ImageListPager.
13 * (T178626) Revert #contentSub and #jump-to-nav margin changes.
14
15 === MySQL version requirement in 1.30 ===
16 As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
17 section).
18
19 === Configuration changes in 1.30 ===
20 * The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
21 unexpected behavior when code uses locale-sensitive string comparisons. For
22 example, the Scribunto extension considers "bar" < "Foo" in most locales
23 since it ignores case.
24 * $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
25 documentation of $wgShellLocale for details.
26 * $wgShellLocale is now applied for all requests. wfInitShellLocale() is
27 deprecated and a no-op, as it is no longer needed.
28 * $wgJobClasses may now specify callback functions as an alternative to plain
29 class names. This is intended for extensions that want control over the
30 instantiation of their jobs, to allow for proper dependency injection.
31 * $wgResourceModules may now specify callback functions as an alternative
32 to plain class names, using the 'factory' key in the module description
33 array. This allows dependency injection to be used for ResourceLoader modules.
34 * $wgExceptionHooks has been removed.
35 * (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
36 of IP ranges that can be queried at Special:Contributions.
37 * (T45547) $wgUsePigLatinVariant added (off by default).
38 * (T152540) MediaWiki now supports a section ID escaping style that allows to display
39 non-Latin characters verbatim on many modern browsers. This is controlled by the
40 new configuration setting, $wgFragmentMode.
41 * $wgExperimentalHtmlIds is now deprecated and will be removed in a future version,
42 use $wgFragmentMode to migrate off it to a modern alternative.
43 * $wgExternalInterwikiFragmentMode was introduced to control how fragments in
44 sinterwikis going outside of current wiki farm are encoded.
45 * (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'.
46 This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki
47 auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly
48 requested through the configuration parameter $wgDBservers.
49 * $wgOOUIEditPage was removed, as it is now the default. This was documented as a
50 temporary variable during the migration period.
51
52 === New features in 1.30 ===
53 * (T37247) Output from Parser::parse() will now be wrapped in a div with
54 class="mw-parser-output" by default. This may be changed or disabled using
55 ParserOptions::setWrapOutputClass().
56 * (T163562) Added ability to search for contributions within an IP ranges
57 at Special:Contributions.
58 * Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
59 specific tags to be added by users.
60 * Added a 'ParserOptionsRegister' hook to allow extensions to register
61 additional parser options.
62 * (T45547) Included Pig Latin, a language game in English, as a
63 LanguageConverter variant. This allows English-speaking developers
64 to develop and test LanguageConverter more easily. Pig Latin can be
65 enabled by setting $wgUsePigLatinVariant to true.
66 * Added RecentChangesPurgeRows hook to allow extensions to purge data that
67 depends on the recentchanges table.
68 * Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
69 * (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
70 'watchlistunwatchlinks' preference option is enabled). With JavaScript
71 enabled, these links toggle so the user can also re-watch pages that have
72 just been unwatched.
73 * Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
74 MediaHandlerFactory for parser tests.
75 * Edit summaries, block reasons, and other "comments" are now stored in a
76 separate database table. Use the CommentFormatter class to access them.
77 ** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
78 can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
79 soon as any necessary extensions are updated.
80 * (T138166) Added ability for users to prohibit other users from sending them
81 emails with Special:Emailuser. Can be enabled by setting
82 $wgEnableUserEmailBlacklist to true.
83 * (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect.
84 Instead, users using browsers that do not support Unicode will be unable to edit
85 and should upgrade to a modern browser instead.
86
87 === External library changes in 1.30 ===
88
89 ==== Upgraded external libraries ====
90 * Updated justinrainbow/json-schema from v3.0 to v5.2.
91 * Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
92 * Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
93 * Updated wikimedia/relpath from v1.0.3 to v2.0.0.
94 * Updated OOjs from v2.0.0 to v2.1.0.
95 * Updated OOUI from v0.21.1 to v0.23.0.
96 * Updated QUnit from v1.23.1 to v2.4.0.
97 * Updated phpunit/phpunit from v4.8.35 to v4.8.36.
98 * Upgraded Moment.js from v2.15.0 to v2.19.3.
99
100 ==== New external libraries ====
101 * The class \TestingAccessWrapper has been moved to the external library
102 wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
103 * Purtle, a fast, lightweight RDF generator.
104
105 ==== Removed and replaced external libraries ====
106 * …
107
108 === Bug fixes in 1.30 ===
109 * (T151633) Ordered list items use now Devanagari digits in Nepalese
110 (thanks to Sfic)
111
112 === Action API changes in 1.30 ===
113 * (T37247) action=parse output will be wrapped in a div with
114 class="mw-parser-output" by default. This may be changed or disabled using
115 the new 'wrapoutputclass' parameter.
116 * When errorformat is not 'bc', abort reasons from action=login will be
117 formatted as specified by the error formatter parameters.
118 * action=compare can now handle arbitrary text, deleted revisions, and
119 returning users and edit comments.
120 * (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
121 'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
122 parameters to prop=revisions are deprecated, as are the similarly named
123 parameters to prop=deletedrevisions, list=allrevisions, and
124 list=alldeletedrevisions. Use action=compare, action=parse, or
125 action=expandtemplates instead.
126
127 === Action API internal changes in 1.30 ===
128 * ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
129 deprecated. The existing message should be split between "apihelp-*-summary"
130 and "apihelp-*-extended-description".
131 * (T123931) Individual values of multi-valued parameters can now be marked as
132 deprecated.
133
134 === Languages updated in 1.30 ===
135 MediaWiki supports over 350 languages. Many localisations are updated
136 regularly. Below only new and removed languages are listed, as well as
137 changes to languages because of Phabricator reports.
138
139 * Added: kbp (Kabɩyɛ / Kabiyè)
140 * Added: skr (Saraiki, سرائیکی)
141 * Added: tay (Tayal / Atayal)
142 * Removed: tokipona (Toki Pona)
143
144 ==== Pig Latin added ====
145 * (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
146 for easier variant development and testing. Disabled by default. It can be
147 enabled by setting $wgUsePigLatinVariant to true.
148
149 === Other changes in 1.30 ===
150 * The use of an associative array for $wgProxyList, where the IP address is in
151 the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
152 Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
153 * mw.user.bucket (deprecated in 1.23) was removed.
154 * LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
155 deprecated. There are no known callers.
156 * File::getStreamHeaders() was deprecated.
157 * MediaHandler::getStreamHeaders() was deprecated.
158 * Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
159 used instead.
160 * MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
161 should be used instead.
162 * The ExtractThumbParameters hook (deprecated in 1.21) was removed.
163 * The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
164 deprecated in 1.24) were removed.
165 * wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
166 BagOStuff::makeGlobalKey() should be used instead.
167 * (T146304) Preprocessor handling of LanguageConverter markup has been improved.
168 As a result of the new uniform handling, '-{' may need to be escaped
169 (for example, as '-<nowiki/>{') where it occurs inside template arguments
170 or wikilinks.
171 * (T163966) Page moves are now counted as edits for the purposes of
172 autopromotion, i.e., they increment the user_editcount field in the database.
173 * Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
174 manipulating Special:Log and Special:NewPages lines.
175 * The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
176 PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding
177 hooks have an additional parameter, for manipulating HTML data attributes of
178 RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the
179 $data['attribs'] subarray.
180 * (T130632) The OutputPage::enableTOC() method was removed.
181 * WikiPage::getParserOutput() will now throw an exception if passed
182 ParserOptions that would pollute the parser cache. Callers should use
183 WikiPage::makeParserOptions() to create the ParserOptions object and only
184 change options that affect the parser cache key.
185 * Article::viewRedirect() is deprecated.
186 * IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
187 * DeprecatedGlobal no longer supports passing in a direct value, it requires a
188 callable factory function or a class name.
189 * The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton()
190 are all deprecated. The main ParserCache instance should be obtained from
191 MediaWikiServices instead. Access to the underlying BagOStuff is possible
192 through the new ParserCache::getCacheStorage() method.
193 * .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
194 * Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
195 escapeIdForLink() or escapeIdForExternalInterwiki() instead.
196 * Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
197 Sanitizer functions or, if possible, Title::getFragmentForURL().
198 * Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
199 nothing and is deprecated.
200 * mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
201 escapeIdForLink().
202 * MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
203 * WikiImporter now requires the second parameter to be an instance of the Config,
204 class. Prior to that, the Config parameter was optional (a behavior deprecated in
205 1.25).
206 * Removed 'jquery.mwExtension' module. (deprecated since 1.26)
207 * mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
208 any more.
209 * CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
210 The namespaced classes in the Cdb namespace should be used instead.
211 * IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
212 should be used instead.
213 * RunningStat class (deprecated in 1.27) was removed. The namespaced
214 RunningStat\RunningStat should be used instead.
215 * MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed.
216 The MemcachedClient class should be used instead.
217 * EditPage underwent some refactoring and deprecations:
218 * EditPage::isOouiEnabled() is deprecated and will always return true.
219 * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please
220 use ::getSummaryInputWidget() instead.
221 * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
222 use ::getCheckboxesWidget() instead.
223 * Creating an EditPage instance without calling EditPage::setContextTitle() should
224 be avoided and will be deprecated in a future release.
225 * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops.
226 * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The
227 corresponding methods from Title should be used instead.
228 * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
229 * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters
230 ::getArticle() and ::getTitle() should be used instead.
231 * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut,
232 and $wgLang is no longer supported and won't work. The IContextSource returned from
233 EditPage::getContext() must be modified instead.
234 * Parser::getRandomString() (deprecated in 1.26) was removed.
235 * Parser::uniqPrefix() (deprecated in 1.26) was removed.
236 * Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
237 $uniq_prefix was deprecated in 1.26 and has now been removed.
238 * (T172514) The following tables have had their UNIQUE indexes turned into proper
239 PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks,
240 langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats,
241 templatelinks, text, transcache, user_former_groups, user_properties.
242 * IDatabase::nextSequenceValue() is no longer needed by any database backends
243 (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
244 * (T146591) The lc_lang_key index on the l10n_cache table has been changed into a
245 PRIMARY KEY.
246 * (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
247 page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
248 user_properties.up_user have all been made unsigned on MySQL.
249 * DB_SLAVE is deprecated. DB_REPLICA should be used instead.
250 * wfUsePHP() is deprecated.
251 * wfFixSessionID() was removed.
252 * wfShellExec() and related functions are deprecated, use Shell::command(). This also
253 slightly changes the behavior of how execution time limits are calculated when only
254 some of defaults are overridden per-call. When in doubt, always override both wall
255 clock and CPU time.
256 * (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending
257 user object. Using the method without the second argument is deprecated.
258 * (T67297) Browsers that don't support Unicode will have their edits rejected.
259 * (T178450) The module 'jquery.badge' is deprecated and will be removed in a future
260 release. For notifying the user of an event, the Notifications ("Echo") system
261 should be used instead.
262 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
263 sends non-standard url escaping.
264 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
265
266 = MediaWiki 1.29 =
267
268 == MediaWiki 1.29.2 ==
269
270 This is a security and maintenance release of the MediaWiki 1.29 branch.
271
272 === Changes since 1.29.1 ===
273 * (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
274 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
275 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
276 * Fixed login button label to accept RawMessage.
277 * Fixed case of SpecialRecentChanges class usage.
278 * (T174255) Declare uploadCount property in importDump.php.
279 * (T163646) Pass a string not an int to mysql_real_escape_string().
280 * (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
281 * Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
282 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
283 sends non-standard url escaping.
284 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
285 * (T128209) SECURITY: Reflected File Download from api.php.
286 * (T134100) SECURITY: Do not reveal if user exists during login failure.
287 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
288 * (T125163) SECURITY: Make anchor for headlines escape > and <.
289 * (T180237) SECURITY: Protect vendor folder with .htaccess.
290 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
291 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
292 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
293 * (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
294 branches in the previous security release.
295
296 == MediaWiki 1.29.1 ==
297
298 This is a maintenance release of the MediaWiki 1.29 branch.
299
300 The SpamBlacklist and PdfHandler extensions were missing from the generated
301 packages.
302
303 === Changes since 1.29.1 ===
304 * (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
305 * (T172061) Fix fatal when passing a category to refreshLinks.php.
306
307 == MediaWiki 1.29.0 ==
308
309 === Configuration changes in 1.29 ===
310 * Default cookie expiration time has been reduced to 30 days. Login cookie
311 expiration time is kept at 180 days.
312 * A new configuration variable has been added: $wgCookieSetOnAutoblock. This
313 determines whether to set a cookie when a user is autoblocked. Doing so means
314 that a blocked user, even after logging out and moving to a new IP address,
315 will still be blocked.
316 * The resetpassword right and associated password reset capture feature has
317 been removed.
318 * The $error parameter to the EmailUser hook should be set to a Status object
319 or boolean false. This should be compatible with at least MediaWiki 1.23 if
320 not earlier. Returning a raw HTML string is now deprecated.
321 * The $message parameter to the ApiCheckCanExecute hook should be set to an
322 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
323 code for ApiBase::parseMsg() will no longer work.
324 * ApiBase::$messageMap is no longer public. Code attempting to access it will
325 result in a PHP fatal error.
326 * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
327 policies.
328 * Subpages are now enabled by default in the Template namespace. Set
329 $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
330 * $wgRunJobsAsync is now false by default (T142751). This change only affects
331 wikis with $wgJobRunRate > 0.
332 * (T158474) "Unknown user" has been added to $wgReservedUsernames.
333 * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
334 * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
335 added to $wgExtraLanguageCodes instead.
336 * (T161453) LocalisationCache will no longer use the temporary directory in it's
337 fallback chain when trying to work out where to write the cache.
338 * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
339 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
340
341 === New features in 1.29 ===
342 * (T5233) A cookie can now be set when a user is autoblocked, to track that user
343 if they move to a new IP address. This is disabled by default.
344 * Added ILocalizedException interface to standardize the use of localized
345 exceptions, largely so the API can handle them more sensibly.
346 * Blocks created automatically by MediaWiki, such as for configured proxies or
347 dnsbls, are now indicated as such and use a new i18n message when displayed.
348 * Added new $wgHTTPImportTimeout setting. Sets timeout for
349 downloading the XML dump during a transwiki import in seconds.
350 * Parser limit report is now available in machine-readable format to JavaScript
351 via mw.config.get('wgPageParseReport').
352 * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
353 from certain IP ranges (e.g. private IPs).
354 * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
355 of the page being parsed.
356 * HTML5 form validation attributes will no longer be suppressed. Originally
357 browsers had poor support for them, but modern browsers handle them fine.
358 This might affect some forms that used them and only worked because the
359 attributes were not actually being set.
360 * Expiry times can now be specified when users are added to user groups.
361 * Completely new user interface for the RecentChanges page, which
362 structures filters into user-friendly groups. This has corresponding
363 changes to how filters are registered by core and extensions.
364 * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
365 Because this change can cause problems for extensions and on-wiki
366 scripts depending on the exact HTML, the old version is still available
367 and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
368 This will be removed later and OOjs UI will become the only option.
369 To make testing easier, users can also force either mode by adding
370 &ooui=true or &ooui=false to the action=edit URL.
371
372 === External library changes in 1.29 ===
373
374 ==== Upgraded external libraries ====
375 * Updated QUnit from v1.22.0 to v1.23.1.
376 * Updated cssjanus from v1.1.2 to v1.2.0.
377 * Updated psr/log from v1.0.0 to v1.0.2.
378 * Update Moment.js from v2.8.4 to v2.15.0.
379 * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
380 * Updated monolog from v1.18.2 to 1.22.1.
381 * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
382 * Updated OOjs from v1.1.10 to v2.0.0.
383 * Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
384
385 ==== New external libraries ====
386 * Added wikimedia/timestamp v1.0.0.
387 * Added wikimedia/remex-html v1.0.1.
388
389 ==== Removed and replaced external libraries ====
390
391 === Bug fixes in 1.29 ===
392 * (T62604) Core parser functions returning a number now format the number according
393 to the page content language, not wiki content language.
394 * (T27187) Search suggestions based on jquery.suggestions will now correctly only
395 highlight prefix matches in the results.
396 * (T157035) "new mw.Uri()" was ignoring options when using default URI.
397 * Special:Allpages can no longer be filtered by redirect in miser mode.
398 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
399 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
400 to interwiki links.
401 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
402 $wgAdvancedSearchHighlighting is true.
403 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
404 their values out of the logs.
405 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
406 token.
407 * (T156184) SECURITY: Escape content model/format url parameter in message.
408 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
409 declaration.
410 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
411 in it's fallback chain when trying to work out where to write the cache.
412 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
413 syntax's link parameter.
414 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
415 it.
416
417 === Action API changes in 1.29 ===
418 * Submitting sensitive authentication request parameters to action=login,
419 action=clientlogin, action=createaccount, action=linkaccount, and
420 action=changeauthenticationdata in the query string is now an error. They
421 should be submitted in the POST body instead.
422 * The capture option for action=resetpassword has been removed
423 * action=clearhasmsg now requires a POST.
424 * (T47843) API errors and warnings may be requested in non-English languages
425 using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
426 * API error codes may have changed. Most notably, errors from modules using
427 parameter prefixes (e.g. all query submodules) will no longer be prefixed.
428 * ApiPageSet-using modules will report the 'invalidreason' using the specified
429 'errorformat'.
430 * action=emailuser may return a "Warnings" status, and now returns 'warnings' and
431 'errors' subelements (as applicable) instead of 'message'.
432 * action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
433 * action=move now reports errors when moving the talk page as an array under
434 key 'talkmove-errors', rather than using 'talkmove-error-code' and
435 'talkmove-error-info'. The format for subpage move errors has also changed.
436 * action=revisiondelete no longer includes a "rendered" property on warnings
437 and errors for each item. Use errorformat=wikitext if you're wanting parsed
438 output.
439 * action=rollback no longer returns a "messageHtml" property. Use
440 errorformat=html if you're wanting HTML formatting of error messages.
441 * action=upload now reports optional stash failures as an array under key
442 'stasherrors' rather than a 'stashfailed' text string.
443 * action=watch reports 'errors' and 'warnings' instead of a single 'error', and
444 no longer returns a 'message' on success.
445 * Added action=validatepassword to validate passwords for the account creation
446 and password change forms.
447 * action=purge now requires a POST.
448 * There is a new `languagevariants` siprop for action=query&meta=siteinfo,
449 which returns a list of languages with active LanguageConverter instances.
450 * action=query&query=allpages will no longer filter redirects using a database
451 query in miser mode. This may result in less results being returned than were
452 requested.
453
454 === Action API internal changes in 1.29 ===
455 * New methods were added to ApiBase to handle errors and warnings using i18n
456 keys. Methods for using hard-coded English messages were deprecated:
457 * ApiBase::dieUsage() was deprecated
458 * ApiBase::dieUsageMsg() was deprecated
459 * ApiBase::dieUsageMsgOrDebug() was deprecated
460 * ApiBase::getErrorFromStatus() was deprecated
461 * ApiBase::parseMsg() was deprecated
462 * ApiBase::setWarning() was deprecated
463 * ApiBase::$messageMap is no longer public. Code attempting to access it will
464 result in a PHP fatal error.
465 * The $message parameter to the ApiCheckCanExecute hook should be set to an
466 ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
467 code for ApiBase::parseMsg() will no longer work.
468 * UsageException is deprecated in favor of ApiUsageException. For the time
469 being ApiUsageException is a subclass of UsageException to allow things that
470 catch only UsageException to still function properly.
471 * If, for some strange reason, code was using an ApiErrorFormatter instead of
472 ApiErrorFormatter_BackCompat, note that the result format has changed and
473 various methods now take a module path rather than a module name.
474 * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
475 from the message key, and maps some message keys for backwards compatibility.
476 * API parameters may now be marked as "sensitive" to keep their values out of
477 the logs.
478
479 === Languages updated in 1.29 ===
480
481 MediaWiki supports over 350 languages. Many localisations are updated
482 regularly. Below only new and removed languages are listed, as well as
483 changes to languages because of Phabricator reports.
484
485 * Based as always on linguistic studies on intelligibility and language
486 knowledge by geography, language fallbacks have been expanded. When a
487 translation is missing in the user's preferred interface language, the
488 corresponding translation for the fallback language will be used instead.
489 English will only be used as last resort when there are no translations.
490 Some configurations (such as date formats and gender namespaces) have also
491 been updated when using the fallback language's configuration was inadequate.
492 The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
493 ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
494 sh → bs, sr-el, hr.
495 * (T137376) New language support: Atikamekw (atj).
496 * (T163600) New language support: Dinka (din).
497 * (T155957) Talk Namespaces for Javanese language (jv) have been updated.
498
499 ==== No fallback for Ukrainian ====
500 * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
501 language will now use the default fallback language: English. When a translation
502 to Ukrainian is not available, an English string will be shown.
503
504 === Other changes in 1.29 ===
505 * Database::getSearchEngine() (deprecated in 1.28) was removed. Use
506 SearchEngineFactory::getSearchEngineClass() instead.
507 * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
508 required as all sessions are stored in Object Cache now.
509 * MWHttpRequest::execute() should be considered to return a StatusValue; the
510 Status return type is deprecated.
511 * User::edits() (deprecated in 1.21) was removed.
512 * Xml::escapeJsString() (deprecated in 1.21) was removed.
513 * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
514 were removed.
515 * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
516 were removed.
517 * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
518 instead.
519 * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
520 * Class RevisiondeleteAction (deprecated in 1.25) was removed.
521 * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
522 * WikiPage::getText() (deprecated in 1.21) was removed.
523 * Article::fetchContent() (deprecated in 1.21) was removed.
524 * User::getPassword() (deprecated in 1.27) was removed.
525 * User::getTemporaryPassword() (deprecated in 1.27) was removed.
526 * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
527 * Class FSRepo (deprecated in 1.19) was removed.
528 * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
529 \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
530 * Class ImageGallery (deprecated in 1.22) was removed.
531 Use ImageGalleryBase::factory instead.
532 * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
533 * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
534 emit warnings). Create a subclass of Action and add it to $wgActions instead.
535 * WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
536 * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
537 * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
538 * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
539 * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
540 * RedisConnectionPool::handleException (deprecated since 1.23) was removed.
541 * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
542 and outdated lists of errors/warnings returned by the API, are now deprecated.
543 * wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
544 URLs to continue to work, set up redirects. In Apache, this can be done by enabling
545 mod_rewrite and adding the following rules to your configuration:
546
547 RewriteEngine On
548 RewriteBase /
549 RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
550 * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
551 Use ArticleAfterFetchContentObject instead.
552 * Hook ArticleInsertComplete (deprecated in 1.21) was removed.
553 Use PageContentInsertComplete instead.
554 * Hook ArticleSave (deprecated in 1.21) was removed.
555 Use PageContentSave instead.
556 * Hook ArticleSaveComplete (deprecated in 1.21) was removed.
557 Use PageContentSaveComplete instead.
558 * Hook EditFilterMerged (deprecated in 1.21) was removed.
559 Use EditFilterMergedContent instead.
560 * Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
561 Use EditPageGetPreviewContent instead.
562 * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
563 Use ContentHandlerDefaultModelFor instead.
564 * Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
565 Use ContentHandlerDefaultModelFor instead.
566 * Article::getContent() (deprecated in 1.21) was removed.
567 * Revision::getText() (deprecated in 1.21) was removed.
568 * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
569 * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
570 * Article::doEditContent() was marked as deprecated, to be removed in 1.30
571 or later.
572 * ContentHandler::runLegacyHooks() was removed.
573 * refreshLinks.php now can be limited to a particular category with --category=...
574 or a tracking category with --tracking-category=...
575 * User-like objects that are passed to SpecialUserRights and its subclasses are
576 now required to have a getGroupMemberships() method. See UserRightsProxy for
577 an example.
578 * User::$mGroups (instance variable) was marked private. Use User::getGroups()
579 instead.
580 * User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
581 User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
582 Use equivalent methods on the UserGroupMembership class.
583 * Maintenance scripts and tests that call User::addGroup() must now ensure that
584 User objects have been added to the database prior to calling addGroup().
585 * Protected function UsersPager::getGroups() was removed, and protected function
586 UsersPager::buildGroupLink() was changed from a static to an instance method.
587 * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
588 see docs/hooks.txt.
589 * User::crypt() (deprecated in 1.24) was removed.
590 * User::comparePasswords() (deprecated in 1.24) was removed.
591 * ArchivedFile::getUserText() (deprecated in 1.23) was removed.
592 * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
593 * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
594 and subclasses. It should only break if you call buildMainQueryConds
595 (changed to buildQuery with new signature) or doMainQuery (new
596 signature). Subclasses are likely to call at least doMainQuery
597 (possibly both), but other classes might too, because they were
598 public.
599 Also, some related hooks were deprecated, but this is not yet a
600 breaking change.
601 * Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
602 * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
603 * WikiRevision::$fileIsTemp was deprecated.
604 * WikiRevision::$importer was deprecated.
605 * WikiRevision::$user was deprecated.
606 * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
607 WikiPage::PURGE_* constants are deprecated, and the functions will always
608 return false. They were a hack for an issue that has since been fixed.
609 * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
610 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
611 if you don't actually care about checkboxes and just want to add some HTML
612 to the page.
613 * Selflinks are now rendered as href-less <a> tags with the class mw-selflink
614 rather than <strong> tags. The old class name, "selflink", was deprecated
615 and will be removed in a future release. (T160480)
616 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
617 * Browser support for non-ES5 JavaScript browsers, including Android 2,
618 Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
619 * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
620 is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
621 webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
622 opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
623 ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
624 addClickHandler, removeHandler, getElementsByClassName, getInnerText,
625 setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
626 mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
627 escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
628 tooltipAccessKeyRegexp, updateTooltipAccessKeys.
629 * The ID of the <li> element containing the login link has changed from
630 'pt-login' to 'pt-login-private' in private wikis.
631 * The old, neglected "bulletin board style toolbar" in the edit form is now
632 deprecated (T30856). This old code dates from 2006, and was replaced in the
633 MediaWiki release tarball and in Wikimedia production by the WikiEditor
634 extension in 2010. It is only shown to users if no other editor was
635 installed, and leads to confusion.
636 * (T92459) Loading ResourceLoader modules containing JavaScript through
637 addModuleStyles() is deprecated and will log a warning server-side.
638
639 = MediaWiki 1.28 =
640
641 == MediaWiki 1.28.3 ==
642
643 This is a security and maintenance release of the MediaWiki 1.28 branch.
644
645 === Changes since 1.28.2 ==
646 * (T168856) Allow SVGs created by Dia to be uploaded.
647 * (T157545) Add missing doUpdates() call to refreshLinks.php.
648 * (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
649 * (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
650 * (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
651 * (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
652 * (T167798) Fix phrase search and highlighting for phrase queries.
653 * (T151136) Provide credits information to callbacks in extension registration.
654 * (T160462) Allow namespaces defined in extension.json to be overwritten locally.
655 * (T168337) Fix ErrorPageError to work from non-UI contexts.
656 * (T143788) Backports for PHP 7.0 and 7.1 support.
657 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
658 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
659 * (T174255) Declare uploadCount property in importDump.php.
660 * (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
661 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
662 sends non-standard url escaping.
663 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
664 * (T128209) SECURITY: Reflected File Download from api.php.
665 * (T134100) SECURITY: Do not reveal if user exists during login failure.
666 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
667 * (T125163) SECURITY: Make anchor for headlines escape > and <.
668 * (T180237) SECURITY: Protect vendor folder with .htaccess.
669 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
670 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
671 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
672
673 == MediaWiki 1.28.2 ==
674
675 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
676 included in the tarball version of MediaWiki 1.28.1. The version included had a
677 serious security issue in it (T158689). There was also some minor code fixes in
678 MediaWiki itself since 1.28.1, but none of them were security relevant.
679
680 == MediaWiki 1.28.1 ==
681
682 This is a security and maintenance release of the MediaWiki 1.28 branch.
683
684 === Changes since 1.28.0 ===
685
686 * $wgRunJobsAsync is now false by default (T142751). This change only affects
687 wikis with $wgJobRunRate > 0.
688 * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
689 more than one database server setup.
690 * (T152717) Better escaping for PHP mail() command,
691 * (T154670) A missing method causing the MySQL installer to fatal in rare
692 circumstances was restored.
693 * (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
694 * (T158766) Avoid SQL error on MSSQL when using selectRowCount().
695 * (T145635) Fix too long index error when installing with MSSQL.
696 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
697 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
698 * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
699 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
700 to interwiki links.
701 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
702 $wgAdvancedSearchHighlighting is true.
703 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
704 their values out of the logs.
705 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
706 token.
707 * (T156184) SECURITY: Escape content model/format url parameter in message.
708 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
709 declaration.
710 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
711 in it's fallback chain when trying to work out where to write the cache.
712 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
713 syntax's link parameter.
714 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
715 it.
716
717 == MediaWiki 1.28 ==
718
719 === Changes since 1.28.0-rc1 ===
720 * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
721 errors.
722 * (T148956) Only apply wgDBschema to postgres/mssql.
723 * (T145991) Introduce separate log action for deleting pages on move.
724 * (T141474) (T110464) Bypass login page if no user input is required.
725
726 === Changes since 1.28.0-rc0 ===
727 * (T142210) The changes to move the parser "NewPP limit report" from a HTML
728 comment to a machine-readable JavaScript config option 'wgPageParseReport'
729 have been undone. They caused the human-readable limit report to be shown
730 incompletely or not at all. ParserOutput::setLimitReportData() and
731 getLimitReportData() behave as they did in MediaWiki 1.27 again.
732 * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
733 the text of subheadings on a category page when creating it. This wasn't
734 working correctly.
735 * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
736 canonical pretty URL when a non-pretty URL is used. It resulted in redirect
737 loops in some clients and in some server configurations. This undoes a change
738 made in MediaWiki 1.26.
739 * (T149759) manifest_version: 2 was removed.
740
741 === Configuration changes in 1.28 ===
742 * $wgSend404Code now affects status code of action=history if the page is not there.
743 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
744 made by MediaWiki via a proxy. Relying on the http_proxy environment
745 variable is no longer supported.
746 * The load.php entry point now enforces the existing policy of not allowing
747 access to session data, which includes the session user and the session
748 user's language. If such access is attempted, an exception will be thrown.
749 * The number of internal PBKDF2 iterations used to derive the session secret
750 is configurable via $wgSessionPbkdf2Iterations.
751 * Upload dialog's file upload log comment can now be configured separately for
752 local and foreign uploads.
753 * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
754 signifies local uploads. A value of `[]` (empty array) now means that
755 no upload targets are allowed, effectively disabling the upload dialog.
756 * The deprecated $wgEditEncoding variable has been removed; it was only used
757 for Esperanto language character conversion. You are now recommended to use
758 input methods provided by the UniversalLanguageSelector extension.
759 * When $wgPingback is true, MediaWiki will periodically ping
760 https://www.mediawiki.org/beacon with basic information about the local
761 MediaWiki installation. This data includes, for example, the type of system,
762 PHP version, and chosen database backend. This behavior is off by default.
763 * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
764 to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
765 if false, the default, they will be "Save page"/"Save changes".
766 * The 'editcontentmodel' permission is now granted to all logged-in users ('user').
767 instead of just administrators ('sysop'). Documentation for this feature is
768 available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
769 * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
770 * Magic links are now disabled by default, and can be re-enabled by modifying the value
771 of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
772 a tracking category will be added to help identify usage and make it easier to migrate
773 away from. If you depend upon magic link functionality, it is requested that you comment
774 on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
775 explain your use case(s).
776 * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
777 in upcoming Content-Security-Policy feature's reporting.
778
779 === New features in 1.28 ===
780 * User::isBot() method for checking if an account is a bot role account.
781 * Added a new 'slideshow' mode for galleries.
782 * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
783 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
784 interact with API parsing.
785 * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
786 upload. Unlike 'UploadVerifyFile' it provides information about upload comment
787 and the file description page, but does not run for uploads to stash.
788 * (T141604) Extensions can now provide a better error message when their
789 maintenance scripts are run without the extension being installed.
790 * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
791 to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
792 a 'numeric' collation is also available. If migrating from another
793 collation, you will need to run the updateCollation.php maintenance script.
794 * Two new codes have been added to #time parser function: "xit" for days in current
795 month, and "xiz" for days passed in the year, both in Iranian calendar.
796 * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
797 appropriate for sending multi-valued parameters. This defaults to true when
798 the mw.Api instance seems to be for the local wiki.
799 * After a client performs an action which alters a database that has replica databases,
800 MediaWiki will wait for the replica databases to synchronize with the master database
801 while it renders the HTML output. However, if the output is a redirect to another wiki
802 on the wiki farm with a different domain, MediaWiki will instead alter the redirect
803 URL to include a ?cpPosTime parameter that triggers the database synchronization when
804 the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
805 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
806 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
807 'show' parameters to existing API query modules.
808
809 === External library changes in 1.28 ===
810
811 ==== Upgraded external libraries ====
812 * Updated es5-shim from v4.1.5 to v4.5.8
813 * Updated composer/semver from v1.4.1 to v1.4.2
814 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
815
816 ==== New external libraries ====
817 * Added wikimedia/scoped-callback v1.0.0
818 * Added wikimedia/wait-condition-loop v1.0.1
819
820 === Bug fixes in 1.28 ===
821 * (T146496) action=history pages should return 404 HTTP error code if the page does not exist
822 * (T137264) SECURITY: XSS in unclosed internal links
823 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
824 * (T133147) SECURITY: Require login to preview user CSS pages
825 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
826 the top file
827 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
828 permissions
829 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
830 * (T139670) Move 'UserGetRights' call before application of
831 Session::getAllowedUserRights()
832
833 === Action API changes in 1.28 ===
834 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
835 the value of $wgMaxArticleSize.
836 * Property 'modulemessages' from action=parse&prop=modules was removed
837 (deprecated since 1.26).
838 * The following response properties from action=login, deprecated in 1.27, are
839 now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
840 to properly manage session state.
841 * Submitting the lgtoken and lgpassword parameters in the query string to
842 action=login is now deprecated and outputs a warning. They should be submitted
843 in the POST body instead.
844 * Submitting sensitive authentication request parameters to action=clientlogin,
845 action=createaccount, action=linkaccount, and action=changeauthenticationdata
846 in the query string is now deprecated and outputs a warning. They should be
847 submitted in the POST body instead.
848 * (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
849 instead of the pipe character. This will be useful if some of the multiple
850 values need to contain pipes, e.g. for action=options.
851 * The API will now warn if input is not NFC-normalized Unicode or if it
852 contains invalid characters.
853 * The 'normalized' list output by action=query and other modules that use
854 ApiPageSet may contain entries where the 'from' value is percent-encoded as
855 the raw value cannot be represented in a valid API response. These are
856 indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
857 * (T28680) action=paraminfo can now return info about all submodules of a
858 module without listing them all explicitly.
859 * (T146770) It is now possible to assert that the current user is a specific
860 named user, using the 'assertuser' parameter.
861 * (T141963) Added a 'known' property when missing-but-known titles (e.g. from
862 the 'TitleIsAlwaysKnown' hook) are output in various modules.
863
864 === Action API internal changes in 1.28 ===
865 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
866 interact with ApiParse and ApiExpandTemplates.
867 * (T139565) SECURITY: API: Generate head items in the context of the given title
868 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
869 * ApiBase::getResultData() was removed (deprecated since 1.25)
870 * ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
871 * ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
872 * ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
873 * ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
874 * ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
875 * ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
876 * ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
877 * ApiFormatBase::setHelp() was removed (deprecated since 1.25)
878 * ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
879 * ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
880 * ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
881 * ApiMain::setHelp() was removed (deprecated since 1.25)
882 * ApiResult::beginContinuation() was removed (deprecated since 1.25)
883 * ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
884 * ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
885 * ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
886 * ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
887 * ApiResult::endContinuation() was removed (deprecated since 1.25)
888 * ApiResult::getData() was removed (deprecated since 1.25)
889 * ApiResult::getIsRawMode() was removed (deprecated since 1.25)
890 * ApiResult::setContent() was removed (deprecated since 1.25)
891 * ApiResult::setContinueParam() was removed (deprecated since 1.25)
892 * ApiResult::setElement() was removed (deprecated since 1.25)
893 * ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
894 * ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
895 * ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
896 * ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
897 * ApiResult::setParsedLimit() was removed (deprecated since 1.25)
898 * ApiResult::setRawMode() was removed (deprecated since 1.25)
899 * ApiResult::size() was removed (deprecated since 1.25)
900 * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
901 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
902 'show' parameters to existing API query modules. A query module can enable
903 these hooks by passing an array for $hookData to ApiQueryBase::select() and
904 by calling ApiQueryBase->processRow() before adding a row's data to the
905 result.
906
907 === Languages updated in 1.28 ===
908
909 MediaWiki supports over 375 languages. Many localisations are updated
910 regularly. Below only new and removed languages are listed, as well as
911 changes to languages because of Phabricator reports.
912
913 * (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
914 BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
915 * (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
916 Saiddzone Saimawnkham, Saosukham, and Sengwan.
917 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
918 * (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
919
920 === Other changes in 1.28 ===
921 * (T128697) Improved handling of large diffs.
922 * [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
923 use or update a custom session provider if needed.
924 * Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
925 * The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
926 * SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
927 * The 'UserLoginComplete' hook has a new parameter to differentiate between actual
928 login and visiting the login page while already logged in.
929 * ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
930 * $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
931 * mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
932 * mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
933 * Linker::link() and Linker::linkKnown() were deprecated; please instead use
934 MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
935 were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
936 respectively. See docs/hooks.txt for the specific changes needed for those hooks.
937 * Linker::formatSize() was deprecated. Use Language::formatSize() directly.
938 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
939 * Skin::commentBlock() (use Linker::commentBlock() instead)
940 * Skin::generateRollback() (use Linker::generateRollback() instead)
941 * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
942 * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
943 * Skin::userLink() (use Linker::userLink() instead)
944 * Skin::userToolLinks() (use Linker::userToolLinks() instead)
945 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
946 disabled.
947 * DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
948 * UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
949 Use ...->stashFile()->getFileKey() instead.
950 * "Public domain" was removed as a wiki license option from the installer, in
951 favour of CC-0.
952 * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
953 on requests needed by primary providers even if all primaries need them.
954 Primary providers are discouraged from returning multiple REQUIRED requests.
955 * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
956 will no longer be automatically infused. You should call `OO.ui.infuse()`
957 on them yourself from your JavaScript code.
958 * parserTests.php has moved to tests/parser/parserTests.php
959 * The command line options specific to parser tests have been removed from
960 phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
961 Instead of --keep-uploads, use the same option to parserTests.php, but you
962 must specify a directory with --upload-dir.
963 * The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
964 * IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
965 migrate to using the same functions on a ProxyLookup instance, obtainable from
966 MediaWikiServices.
967 * The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
968 ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
969 ShowRawCssJs hooks will now emit deprecation warnings if used.
970 * (T68404) CSS3 attr() function with url type is no longer allowed
971 in inline styles.
972 * Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
973 instead.
974
975 == Compatibility ==
976
977 MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
978 HHVM 3.6.5 or later.
979
980 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
981 support for them is somewhat less mature. There is experimental support for
982 Oracle and Microsoft SQL Server.
983
984 The supported versions are:
985
986 * MySQL 5.0.3 or later
987 * PostgreSQL 8.3 or later
988 * SQLite 3.3.7 or later
989 * Oracle 9.0.1 or later
990 * Microsoft SQL Server 2005 (9.00.1399)
991
992 == Upgrading ==
993
994 1.28 has several database changes since 1.27, and will not work without schema
995 updates. Note that due to changes to some very large tables like the revision
996 table, the schema update may take quite long (minutes on a medium sized site,
997 many hours on a large site).
998
999 If upgrading from before 1.11, and you are using a wiki as a commons
1000 repository, make sure that it is updated as well. Otherwise, errors may arise
1001 due to database schema changes.
1002
1003 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
1004 new database fields are filled with data.
1005
1006 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1007 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
1008 with MediaWiki 1.21.
1009
1010 Don't forget to always back up your database before upgrading!
1011
1012 See the file UPGRADE for more detailed upgrade instructions.
1013
1014 For notes on 1.27.x and older releases, see HISTORY.
1015
1016 == Online documentation ==
1017
1018 Documentation for both end-users and site administrators is available on
1019 MediaWiki.org, and is covered under the GNU Free Documentation License (except
1020 for pages that explicitly state that their contents are in the public domain):
1021
1022 https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
1023
1024 == Mailing list ==
1025
1026 A mailing list is available for MediaWiki user support and discussion:
1027
1028 https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
1029
1030 A low-traffic announcements-only list is also available:
1031
1032 https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
1033
1034 It's highly recommended that you sign up for one of these lists if you're
1035 going to run a public MediaWiki, so you can be notified of security fixes.
1036
1037 == IRC help ==
1038
1039 There's usually someone online in #mediawiki on irc.freenode.net.
1040
1041 = MediaWiki 1.27 =
1042
1043 == MediaWiki 1.27.4 ==
1044 This is a security and maintenance release of the MediaWiki 1.27 branch.
1045
1046 === Changes since 1.27.3 ===
1047 * (T100085) Better handling of jobs execution in post-connection shutdown.
1048 * (T141604) Support conditionally registered namespaces.
1049 * (T167798) Fix highlighting for phrase queries and phrase search.
1050 * (T151136) Provide credits information to callbacks.
1051 * (T160462) Allow namespaces defined in extension.json to be overwritten locally.
1052 * (T168856) Allow SVGs created by Dia to be uploaded.
1053 * (T144705) (T148662) Password reset link is no longer shown when no reset options are
1054 available.
1055 * (T143788) (T174262) Various backports for PHP 7.0 and 7.1 support.
1056 * (T66795) $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
1057 policies.
1058 * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core.
1059 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
1060 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
1061 * (T142304) Allow putting the app ID in the password for bot passwords.
1062 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
1063 * (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
1064 sends non-standard url escaping.
1065 * (T165846) SECURITY: BotPassword login attempts weren't throttled.
1066 * (T128209) SECURITY: Reflected File Download from api.php.
1067 * (T134100) SECURITY: Do not reveal if user exists during login failure.
1068 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
1069 * (T125163) SECURITY: Make anchor for headlines escape > and <.
1070 * (T180237) SECURITY: Protect vendor folder with .htaccess.
1071 * (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
1072 * (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
1073 * (T119158) SECURITY: Handle -{}- syntax in attributes safely.
1074
1075 == MediaWiki 1.27.3 ==
1076 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
1077 included in the tarball version of MediaWiki 1.27.2. The version included had a
1078 serious security issue in it (T158689). There was also some minor code fixes in
1079 MediaWiki itself since 1.27.2, but none of them were security relevant.
1080
1081 === Changes since 1.27.2 ===
1082 * (T145664) Fix broken wincache merge() implementation
1083 * (T163434) Add wikimedia/testing-access-wrapper for forwards compatibility
1084 * (T153505) Fix php warnings on php 7.1 due to use of &$this
1085
1086 == MediaWiki 1.27.2 ==
1087 This is a security and maintenance release of the MediaWiki 1.27 branch.
1088
1089 ApiCreateAccount was removed in 1.27.0. It was incorrectly still marked as
1090 deprecated (rather than already removed) in the RELEASE-NOTES at the point 1.27.0
1091 was released.
1092
1093 === Changes since 1.27.1 ===
1094
1095 * (T68404) CSS3 attr() function with url type argument is no longer allowed
1096 in inline styles.
1097 * $wgRunJobsAsync is now false by default (T142751). This change only affects
1098 wikis with $wgJobRunRate > 0.
1099 * (T152717) Better escaping for PHP mail() command
1100 * Submitting the lgtoken and lgpassword parameters in the query string to
1101 action=login is now deprecated and outputs a warning. They should be submitted
1102 in the POST body instead.
1103 * Submitting sensitive authentication request parameters to action=clientlogin,
1104 action=createaccount, action=linkaccount, and action=changeauthenticationdata
1105 in the query string is now deprecated and outputs a warning. They should be
1106 submitted in the POST body instead.
1107 * (T158766) Avoid SQL error on MSSQL when using selectRowCount()
1108 * (T145635) Fix too long index error when installing with MSSQL.
1109 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
1110 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
1111 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
1112 to interwiki links.
1113 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
1114 $wgAdvancedSearchHighlighting is true.
1115 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
1116 their values out of the logs.
1117 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
1118 token.
1119 * (T156184) SECURITY: Escape content model/format url parameter in message.
1120 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
1121 declaration.
1122 * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
1123 in it's fallback chain when trying to work out where to write the cache.
1124 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
1125 syntax's link parameter.
1126 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
1127 it.
1128
1129 == MediaWiki 1.27.1 ==
1130
1131 This is a maintenance release of the MediaWiki 1.27 branch.
1132
1133 === Changes since 1.27.0 ===
1134 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
1135 made by MediaWiki via a proxy. Relying on the http_proxy environment
1136 variable is no longer supported.
1137 * (T139565) SECURITY: API: Generate head items in the context of the given title
1138 * (T137264) SECURITY: XSS in unclosed internal links
1139 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
1140 * (T133147) SECURITY: Require login to preview user CSS pages
1141 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
1142 the top file
1143 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
1144 permissions
1145 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
1146 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
1147 * (T57548) Remove support for $wgWellFormedXml = false, all output is now well formed
1148 * (T139670) Move 'UserGetRights' call before application of Session::getAllowedUserRights()
1149
1150 == MediaWiki 1.27.0 ==
1151
1152 === PHP version requirement in 1.27 ===
1153 As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
1154 section). Additionally, the following PHP extensions are required:
1155 * ctype
1156 * iconv
1157 * json
1158 * mbstring (new requirement in 1.27)
1159 * xml
1160 The following PHP extensions are strongly recommended:
1161 * openssl
1162
1163 === Configuration changes in 1.27 ===
1164 * $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
1165 now always enabled. If you use RDFa on your wiki, you now have to explicitly
1166 set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
1167 * $wgUseLinkNamespaceDBFields was removed.
1168 * Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
1169 $wgResourceLoaderMinifierMaxLineLength, because there was little value in
1170 making the behavior configurable. The default values (`false` for the former,
1171 1000 for the latter) are now hard-coded.
1172 * $wgDebugDumpSqlLength was removed (deprecated in 1.24).
1173 * $wgDebugDBTransactions was removed (deprecated in 1.20).
1174 * $wgUseXVO has been removed, as it provides functionality only used by
1175 custom Wikimedia patches against Squid 2.x that probably noone uses in
1176 production anymore. There is now $wgUseKeyHeader that provides similar
1177 functionality but instead of the MediaWiki-specific X-Vary-Options header,
1178 uses the draft Key header standard.
1179 * $wgScriptExtension (and support for '.php5' entry points) was removed. See the
1180 deprecation notice in the release notes for version 1.25 for advice on how to
1181 preserve support for '.php5' entry points via URL rewriting.
1182 * Password handling via the User object has been deprecated and partially
1183 removed, pending the future introduction of AuthManager. In particular:
1184 ** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
1185 getPasswordExpired() have been removed. They were unused outside of core.
1186 ** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
1187 now private and will be removed in the future.
1188 ** The getPassword() and getTemporaryPassword() methods now throw
1189 BadMethodCallException and will be removed in the future.
1190 ** The ability to pass 'password' and 'newpassword' to createNew() has been
1191 removed. The only users of it seem to have been using it to set invalid
1192 passwords, and so shouldn't be greatly affected.
1193 ** setPassword(), setInternalPassword(), and setNewpassword() have been
1194 deprecated, pending the introduction of AuthManager.
1195 ** User::randomPassword() is deprecated in favor of a new method
1196 PasswordFactory::generateRandomPasswordString()
1197 ** User::getPasswordFactory() is deprecated, callers should just create a
1198 PasswordFactory themselves.
1199 ** A new constructor, User::newSystemUser(), has been added to simplify the
1200 creation of passwordless "system" users for logged actions.
1201 * $wgMaxSquidPurgeTitles was removed.
1202 * $wgAjaxWatch was removed. This is now enabled by default.
1203 * $wgUseInstantCommons now hotlinks Commons images by default instead of
1204 downloading originals and thumbnailing them locally. This allows wikis to save
1205 on CPU and bandwidth while reducing time to first byte for pages, even without
1206 a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
1207 * (T27397) WebP is enabled by default as an uploadable filetype.
1208 * (T48998) $wgArticlePath must now be either a full url, or start with a "/".
1209 * $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
1210 * Deprecated API formats dbg, txt, and yaml have been removed.
1211 * CLDRPluralRule* classes have been replaced with
1212 wikimedia/cldr-plural-rule-parser.
1213 * Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
1214 $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
1215 $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
1216 * For proper operation of LocalIdLookup with shared user tables, ensure that
1217 $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
1218 that all others are sharing from and that $wgLocalDatabases is set to the
1219 full list of sharing wikis on all those wikis.
1220 * Massive overhaul to session handling:
1221 ** $wgSessionsInObjectCache is no longer supported and must be true, due to
1222 MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
1223 used.
1224 ** ObjectCacheSessionHandler is removed, replaced with
1225 MediaWiki\Session\PhpSessionHandler.
1226 ** PHP session handling in general ($_SESSION, session_id(), and so on) is
1227 deprecated. Use MediaWiki\Session\SessionManager instead. A new config
1228 variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
1229 issue a deprecation warning or to cause most PHP session handling to throw
1230 exceptions.
1231 ** Deprecated UserSetCookies hook. Session-handling extensions should generally
1232 be creating a custom subclass of CookieSessionProvider. Other extensions
1233 messing with cookies can no longer count on user data being saved in cookies
1234 versus other methods.
1235 ** Deprecated UserLoadFromSession hook, extensions should create a
1236 MediaWiki\Session\SessionProvider.
1237 ** The User cannot be loaded from session until after Setup.php completes.
1238 Attempts to do so will be ignored and the User will remain unloaded.
1239 ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
1240 the MediaWiki\Session\Token class.
1241 * MediaWiki will now auto-create users as necessary, removing the need for
1242 extensions to do so. An 'autocreateaccount' right is added to allow
1243 auto-creation when 'createaccount' is not granted to all users.
1244 * Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
1245 * Most cookie-handling methods in User are deprecated.
1246 * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
1247 experimental feature that has never worked.
1248 * Login and createaccount tokens now vary by timestamp.
1249 * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
1250 return a MediaWiki\Session\Token, and tokens must be checked using that
1251 class's methods.
1252 * $wgEnotifUseJobQ was removed and the job queue is always used.
1253 * The functionality of the ApiSandbox extension has been merged into core. The
1254 extension should no longer be used.
1255 * $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
1256 Extensions, skins, gadgets and scripts that use the mediawiki.util module must
1257 express a dependency on it.
1258 * $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
1259 Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
1260 module should express a dependency on it.
1261 * Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
1262 $wgFooterIcons['copyright']['copyright'] instead.
1263 * If the openssl and mcrypt PHP extensions are both unavailable, secure
1264 session storage (used for login) will raise an exception. This exception may
1265 be bypassed by setting $wgSessionInsecureSecrets = true.
1266 * Massive overhaul to authentication:
1267 ** AuthPlugin and AuthPluginUser are deprecated.
1268 ** LoginForm and associated templates are deprecated. Extensions which called
1269 static LoginForm methods should be converted into authentication providers.
1270 ** The following hooks are deprecated:
1271 *** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1272 *** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1273 *** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1274 *** AddNewAccount (use LocalUserCreated instead)
1275 *** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
1276 *** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
1277 *** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
1278 *** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
1279 *** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
1280 ** The following hooks are removed:
1281 *** AbortChangePassword
1282 *** LoginPasswordResetMessage
1283 *** PrefsPasswordAudit
1284 ** The UserLoginComplete hook will no longer be called for all logins, only for
1285 those via the web UI. Use UserLoggedIn if you need to do something on all
1286 logins.
1287 ** $wgRequirePasswordforEmailChange is removed.
1288
1289 === New features in 1.27 ===
1290 * $wgDataCenterUpdateStickTTL was also added. This decides how long a user
1291 sticks to the primary DC (via cookies) after they make changes to the site.
1292 * Added a new hook, 'UserMailerTransformContent', to transform the contents
1293 of an email. This is similar to the EmailUser hook but applies to all mail
1294 sent via UserMailer.
1295 * Added a new hook, 'UserMailerTransformMessage', to transform the contents
1296 of an emai after MIME encoding.
1297 * Added a new hook, 'UserMailerSplitTo', to control which users have to be
1298 emailed separately (ie. there is a single address in the To: field) so
1299 user-specific changes to the email can be applied safely.
1300 * $wgCdnMaxageLagged was added, which limits the CDN cache TTL
1301 when any load balancer uses a DB that is lagged beyond the 'max lag'
1302 setting in the relevant section of $wgLBFactoryConf.
1303 * User::newSystemUser() may be used to simplify the creation of passwordless
1304 "system" users for logged actions from scripts and extensions.
1305 * Extensions can now return detailed error information via the API when
1306 preventing user actions using 'getUserPermissionsErrors' and similar hooks
1307 by using ApiMessage instances instead of strings for the $result value.
1308 * $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
1309 becomes too high.
1310 * Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
1311 and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
1312 cross-browser-compatible FlexBox rules. Users will still need to add fallback
1313 float rules or the like for compatibility with IE9- separately.
1314 * Added MWTimestamp::getTimezoneString() which returns the localized timezone
1315 string, if available. To localize this string, see the comments of
1316 $wgLocaltimezone in includes/DefaultSettings.php.
1317 * Added CentralIdLookup, a service that allows extensions needing a concept of
1318 "central" users to get that without having to know about specific central
1319 authentication extensions.
1320 * $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
1321 Regular web request transactions that takes longer than this are aborted.
1322 * Added a new hook, 'TitleMoveCompleting', which runs before a page move is
1323 committed.
1324 * $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
1325 from CDN to mitigate DB replication lag and WAN cache purge lag.
1326 * (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
1327 if it is available.
1328 * It is now possible to patrol file uploads (both for new files and new versions
1329 of existing files). Special:NewFiles has gained an option to filter by patrol
1330 status. This functionality can be disabled using $wgUseFilePatrol.
1331 * MediaWiki\Session infrastructure allows for easier use of session mechanisms
1332 other than the usual cookies.
1333 ** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
1334 custom session metadata.
1335 * Added MWGrants and associated configuration settings $wgGrantPermissions and
1336 $wgGrantPermissionGroups to hold configuration for authentication features
1337 such as OAuth that want to allow restricting the user rights a user may make
1338 use of.
1339 ** If you're already using the OAuth extension, these new variables are
1340 identical to (and will replace) $wgMWOAuthGrantPermissions and
1341 $wgMWOAuthGrantPermissionGroups.
1342 * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
1343 to assert that the request comes from a particular IP range.
1344 * Added bot passwords, a rights-restricted login mechanism for API-using bots.
1345 * Whitelisted the following HTML attributes for all elements in wikitext:
1346 aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
1347 * Removed "presentation" restriction on the HTML role attribute in wikitext.
1348 All values are now allowed for the role attribute.
1349 * $wgContentHandlers now also supports callbacks to create an instance of the
1350 appropriate ContentHandler subclass.
1351 * Added $wgAuthenticationTokenVersion, which if non-null prevents the
1352 user_token database field from being exposed in cookies. Setting this would
1353 be a good idea, but will log out all current sessions.
1354 * $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
1355 specifically for reliable CDN url purges.
1356 * Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
1357 MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
1358 generated 24-character string. This request ID is used to annotate log records
1359 and error messages. It is available client-side via mw.config.get( 'wgRequestId' ).
1360 The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId()
1361 is deprecated.
1362 * (T33313) Add a preference for watching uploads by default, also applies
1363 to API-based upload tools.
1364 * $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
1365 thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
1366 savings versus the previous behavior on many files.
1367 * MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
1368 configuration of multiple authentication pieces that was possible with
1369 AuthPlugin. For example, it's now easy to plug in second-factor
1370 authentication, or add additional checks to the login process, or to support
1371 multiple login methods at once, or to support non-password-based login methods.
1372 ** Providers are configured via the global setting $wgAuthManagerConfig.
1373 ** A global, $wgDisableAuthManager, is temporarily available to disable
1374 AuthManager until extensions are ready to support it.
1375 ** New hook, AuthChangeFormFields, to adjust the form fields on
1376 AuthManager-related special pages.
1377 ** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
1378 AuthManager-related authentication requests.
1379 ** New hook, ChangeAuthenticationDataAudit, for additional logging of
1380 AuthManager-related authentication data changes.
1381 ** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
1382 for requiring a recent login before taking security-sensitive operations
1383 like changing a password.
1384 ** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist
1385 can be used to prevent the web UI and the API changing certain authentication data.
1386 * The file upload dialog (available if you install WikiEditor or VisualEditor)
1387 can now be configured using $wgUploadDialog.
1388
1389 === External library changes in 1.27 ===
1390
1391 ==== Upgraded external libraries ====
1392 * Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
1393 * Updated composer/semver from v1.0.0 to v1.2.0.
1394 * Updated liuggio/statsd-php-client to 1.0.18.
1395 * Updated QUnit from v1.18.0 to v1.22.0.
1396
1397 ==== New external libraries ====
1398 * Added wikimedia/base-convert v1.0.1.
1399 * Added wikimedia/cldr-plural-rule-parser v1.0.0.
1400 * Added wikimedia/relpath v1.0.3.
1401 * Added wikimedia/running-stat v1.1.0.
1402 * Added wikimedia/php-session-serializer v1.0.3.
1403
1404 ==== Removed and replaced external libraries ====
1405
1406 === Bug fixes in 1.27 ===
1407 * Special:Upload will now display correct maximum allowed file size when running
1408 under HHVM (T116347).
1409 * (T54077) The APIEditBeforeSave hook will once again give only the content of
1410 the section being edited, rather than the whole revision. This reverts the
1411 change made in MediaWiki 1.22.
1412
1413 === Action API changes in 1.27 ===
1414 * Added list=allrevisions.
1415 * generator=recentchanges now has the option to generate revids.
1416 * ApiPageSet::setRedirectMergePolicy() was added. This allows generator
1417 modules to define how generator data for a redirect source gets merged
1418 into the redirect destination.
1419 * prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
1420 "was-deleted" warning.
1421 * Added difftotextpst to query=revisions which preforms a pre-save transform on
1422 the text before diffing it.
1423 * Deprecated formats dbg, txt, and yaml have been removed.
1424 * (T47988) The protect log event details now use new-style formatting.
1425 * The following response properties from action=login are deprecated, and may
1426 be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
1427 handle cookies to properly manage session state.
1428 * action=login transparently allows login using bot passwords. Clients should
1429 merely need to change the username and password used after setting up a bot
1430 password.
1431 * action=upload no longer understands statuskey, asyncdownload or leavemessage.
1432 * Several changes when $wgDisableAuthManager is false:
1433 ** action=login is deprecated for uses other than bot passwords.
1434 ** list=users can now indicate if a missing username is creatable.
1435 ** action=createaccount is changed in a non-backwards-compatible manner.
1436 ** Added action=query&meta=authmanagerinfo.
1437 ** Added action=clientlogin to be used to log into the main account instead of
1438 action=login.
1439 ** Added action=linkaccount.
1440 ** Added action=unlinkaccount.
1441 ** Added action=changeauthenticationdata.
1442 ** Added action=removeauthenticationdata.
1443 ** Added action=resetpassword.
1444
1445 === Action API internal changes in 1.27 ===
1446 * ApiQueryORM removed.
1447 * The following classes have been removed:
1448 ** ApiFormatDbg
1449 ** ApiFormatTxt
1450 ** ApiFormatYaml
1451 * ApiBase::addTokenProperties() was removed (deprecated since 1.24).
1452 * ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
1453 * ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
1454 * ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24).
1455 * ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
1456 * ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24).
1457 * ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24).
1458 * ApiBase::getResultProperties() was removed (deprecated since 1.24).
1459 * ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
1460 * ApiBase::parseErrors() was removed (deprecated since 1.24).
1461 * ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
1462 ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
1463 * ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
1464 * ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
1465 * ApiQuery::getGenerators() was removed (deprecated since 1.21).
1466 * ApiQuery::getModules() was removed (deprecated since 1.21).
1467 * ApiQuery::getModuleType() was removed (deprecated since 1.21).
1468 * ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
1469 * ApiMain::getModules() was removed (deprecated since 1.21).
1470 * ApiBase::getVersion() was removed (deprecated since 1.21).
1471 * ApiMain::getShowVersions() was removed (deprecated in 1.21).
1472 * ApiMain::addModule() was removed (deprecated in 1.21).
1473 * ApiMain::addFormat() was removed (deprecated in 1.21).
1474 * ApiMain::getFormats() was removed (deprecated in 1.21).
1475 * ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
1476 * ApiCreateAccount was removed.
1477
1478 === Languages updated in 1.27 ===
1479
1480 MediaWiki supports over 350 languages. Many localisations are updated
1481 regularly. Below only new and removed languages are listed, as well as
1482 changes to languages because of Phabricator reports.
1483
1484 * (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
1485 * (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
1486
1487 === Other changes in 1.27 ===
1488 * Added dependency injection (DI) infrastructure, see docs/injection.txt for details.
1489 It is planned to incrementally move MediaWiki code towards using DI, using the
1490 service locator (SL) pattern as a stepping stone.
1491 * ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
1492 * WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
1493 ignore the 2nd and 3rd arguments (formerly $id and $commit).
1494 * Removed "loaderScripts" option from ResourceLoaderFileModule class.
1495 * Removed ORM-like wrapper added in 1.20.
1496 * LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
1497 (deprecated in 1.26).
1498 * WikiPage::doQuickEdit() was removed (deprecated since 1.21).
1499 * Removed SiteObject and SiteArray classes (deprecated in 1.21).
1500 * MessageBlobStore::getInstance() was removed (deprecated since 1.25).
1501 * (T84937) Free external links ("autolinked" urls) will now be terminated
1502 by &nbsp; and HTML entity encodings of &nbsp, <, and >.
1503 * (T36948) The default file revert message's timestamp is now in
1504 $wgLocaltimezone, instead of UTC.
1505 * The default name of the 'suppress' group page has been changed from
1506 'Project:Oversight' to 'Project:Suppress'.
1507 * DatabaseBase::resultObject() is now protected (use outside Database classes
1508 not necessary since 1.11).
1509 * Calling ResourceLoaderFileModule::readStyleFiles() without a
1510 ResourceLoaderContext instance is deprecated.
1511 * ResourceLoader::getLessCompiler() now takes an optional parameter of
1512 additional LESS variables to set for the compiler.
1513 * wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
1514 instead.
1515 * Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
1516 were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
1517 * Removed msg_resource_links database table and associated code.
1518 * Removed msg_resource database table and associated code.
1519 * Skin::getNamespaceNotice() was removed.
1520 * wfIsConfiguredProxy() was removed (deprecated since 1.24).
1521 * wfDebugTimer() was removed (deprecated since 1.25).
1522 * wfIsTrustedProxy() was removed (deprecated since 1.24).
1523 * wfGetIP() was removed (deprecated since 1.19).
1524 * MWHookException was removed.
1525 * OutputPage::appendSubtitle() was removed (deprecated since 1.19).
1526 * OutputPage::loginToUse() was removed (deprecated since 1.19).
1527 * Article::loadContent() was removed (deprecated since 1.19).
1528 * User::editToken() was removed (deprecated since 1.19).
1529 * Removed --force-normal option of dumpBackup.php, as it no longer served
1530 any useful purpose since 1.22.
1531 * The functions processOption() and processArgs() on the BackupDumper and
1532 TextPassDumper classes have been removed.
1533 * The maintenance/backupTextPass.inc file was deleted. You should include
1534 maintenance/dumpTextPass.php instead.
1535 * WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
1536 * wfEmptyMsg() was removed (deprecated since 1.18).
1537 * OutputPage::permissionRequired() was removed (deprecated since 1.18).
1538 * OutputPage::blockedPage() was removed (deprecated since 1.18).
1539 * User::getSkin() was removed (deprecated since 1.18).
1540 * OutputPage::includeJQuery() was removed (deprecated since 1.17).
1541 * WikiPage::updateRestrictions() was removed (deprecated since 1.19).
1542 * WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
1543 * LogPage::logName() was removed (deprecated since 1.19).
1544 * LogPage::logHeader() was removed (deprecated since 1.19).
1545 * wfCheckLimits() was removed (deprecated since 1.24).
1546 * Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
1547 * Linker::makeLinkObj() was removed (deprecated since 1.16).
1548 * wfMsgForContentNoTrans() was removed (deprecated since 1.18).
1549 * ChangesList::usePatrol was removed (deprecated since 1.22).
1550 * wfMsgNoTrans() was removed (deprecated since 1.18).
1551 * Linker::makeImageLink2 was removed (deprecated since 1.20).
1552 * Title::userIsWatching() was removed (deprecated since 1.20).
1553 * Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
1554 database function directly instead.
1555 * wfMsg() was removed (deprecated since 1.18).
1556 * wfMsgForContent() was removed (deprecated since 1.18).
1557 * wfMsgReal() was removed (deprecated since 1.18).
1558 * wfMsgGetKey() was removed (deprecated since 1.18).
1559 * wfMsgHtml() was removed (deprecated since 1.18).
1560 * wfMsgWikiHtml() was removed (deprecated since 1.18).
1561 * wfMsgExt() was removed (deprecated since 1.18).
1562 * Language::armourMath() was removed (deprecated since 1.22).
1563 * LanguageConverter::armourMath() was removed (deprecated since 1.22).
1564 * FakeConverter::armourMath() was removed (deprecated since 1.22).
1565 * The unused jquery.validate ResourceLoader module was removed.
1566 * FileRepo::getRootUrl() was removed (deprecated since 1.20).
1567 * User::generateToken() was removed (deprecated since 1.20).
1568 * WikiPage::getRawText() was removed (deprecated since 1.21).
1569 * ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
1570 * ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
1571 * ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
1572 * Gallery images with multiple caption pipes no longer concatenate them all
1573 together but instead pick the final one, similar to image syntax.
1574 * XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
1575 rather than consume everything until the end of the page.
1576 * New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
1577 a user forgot password/account was stolen.
1578 * wfCheckEntropy() was removed (deprecated in 1.27).
1579 * Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
1580 * ContentHandler::supportsCategories method added. Default is true.
1581 CategoryMembershipChangeJob updates are skipped for content that
1582 does not support categories.
1583 * wikidiff difference engine is no longer supported, anyone still using it are encouraged
1584 to upgrade to wikidiff2 which is actively maintained and has better package availability.
1585 * Database logic was removed from WatchedItem and a WatchedItemStore was created:
1586 ** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated.
1587 User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
1588 ** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
1589 ** WatchedItem::resetNotificationTimestamp was deprecated.
1590 ** WatchedItem::batchAddWatch was deprecated.
1591 ** WatchedItem::addWatch was deprecated.
1592 ** WatchedItem::removeWatch was deprecated.
1593 ** WatchedItem::isWatched was deprecated.
1594 ** WatchedItem::duplicateEntries was deprecated.
1595 ** EmailNotification::updateWatchlistTimestamp was deprecated.
1596 ** User::getWatchedItem was removed.
1597 * Unit tests don't work with external PHPUnit anymore, Composer is now the only supported
1598 way. Run `composer install` to install it and other dev dependencies to run unit tests.
1599 * wl_id field added to the watchlist table.
1600 * Revision::getRawText() was removed (deprecated since 1.21).
1601 * WikiPage::replaceSection() was removed (deprecated since 1.21).
1602 * Article::replaceSection() was removed (deprecated since 1.21).
1603 * Language::getLangObj() was removed (deprecated since 1.24).
1604 * Language::getLanguageName() was removed (deprecated since 1.20).
1605 * Language::getLanguageNames() was removed (deprecated since 1.20).
1606 * Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
1607 * Language::specialPage() was removed (deprecated since 1.24).
1608 * MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
1609 * OutputPage::getHeadItems() was removed (deprecated since 1.24).
1610 * OutputPage::getScript() was removed (deprecated since 1.24).
1611 * OutputPage::out() was removed (deprecated since 1.22).
1612 * OutputPage::setAllowedModules() was removed (deprecated since 1.24).
1613 * UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
1614 * MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
1615 * Title::newFromRedirect() was removed (deprecated since 1.21).
1616 * Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
1617 * Skin::getCommonStylePath() was removed (deprecated since 1.24).
1618 * Skin::newFromKey() was removed (deprecated since 1.24).
1619 * Skin::getUsableSkins() was removed (deprecated since 1.23).
1620 * LoadBalancer::pickRandom() was removed (deprecated in 1.21).
1621 * Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since
1622 1.21).
1623 * DifferenceEngine::setText() was removed (deprecated in 1.21).
1624 * Title::newFromRedirectArray() was removed (deprecated in 1.21).
1625 * UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType
1626 as the 6th. These must be passed in the options array now.
1627 * Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
1628 * Skin::accesskey was removed (deprecated since 1.21).
1629 * Skin::blockLink was removed (deprecated since 1.21).
1630 * Skin::buildRollbackLink was removed (deprecated since 1.21).
1631 * Skin::emailLink was removed (deprecated since 1.21).
1632 * Skin::formatComment was removed (deprecated since 1.21).
1633 * Skin::formatHiddenCategories was removed (deprecated since 1.21).
1634 * Skin::formatLinksInComment was removed (deprecated since 1.21).
1635 * Skin::formatRevisionSize was removed (deprecated since 1.21).
1636 * Skin::formatSize was removed (deprecated since 1.21).
1637 * Skin::formatTemplates was removed (deprecated since 1.21).
1638 * Skin::generateTOC was removed (deprecated since 1.21).
1639 * Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
1640 * Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
1641 * Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
1642 * Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
1643 * Skin::getLinkColour was removed (deprecated since 1.21).
1644 * Skin::getRevDeleteLink was removed (deprecated since 1.21).
1645 * Skin::getRollbackEditCount was removed (deprecated since 1.21).
1646 * Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
1647 * Skin::makeCommentLink was removed (deprecated since 1.21).
1648 * Skin::makeExternalImage was removed (deprecated since 1.21).
1649 * Skin::makeExternalLink was removed (deprecated since 1.21).
1650 * Skin::makeHeadline was removed (deprecated since 1.21).
1651 * Skin::makeImageLink was removed (deprecated since 1.21).
1652 * Skin::makeMediaLinkFile was removed (deprecated since 1.21).
1653 * Skin::makeMediaLinkObj was removed (deprecated since 1.21).
1654 * Skin::makeSelfLinkObj was removed (deprecated since 1.21).
1655 * Skin::makeThumbLink2 was removed (deprecated since 1.21).
1656 * Skin::makeThumbLinkObj was removed (deprecated since 1.21).
1657 * Skin::normaliseSpecialPage was removed (deprecated since 1.21).
1658 * Skin::normalizeSubpageLink was removed (deprecated since 1.21).
1659 * Skin::processResponsiveImages was removed (deprecated since 1.21).
1660 * Skin::revComment was removed (deprecated since 1.21).
1661 * Skin::revDeleteLink was removed (deprecated since 1.21).
1662 * Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
1663 * Skin::revUserLink was removed (deprecated since 1.21).
1664 * Skin::revUserTools was removed (deprecated since 1.21).
1665 * Skin::specialLink was removed (deprecated since 1.21).
1666 * Skin::splitTrail was removed (deprecated since 1.21).
1667 * Skin::titleAttrib was removed (deprecated since 1.21).
1668 * Skin::tocIndent was removed (deprecated since 1.21).
1669 * Skin::tocLine was removed (deprecated since 1.21).
1670 * Skin::tocLineEnd was removed (deprecated since 1.21).
1671 * Skin::tocList was removed (deprecated since 1.21).
1672 * Skin::tocUnindent was removed (deprecated since 1.21).
1673 * Skin::tooltip was removed (deprecated since 1.21).
1674 * Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
1675 * Skin::userTalkLink was removed (deprecated since 1.21).
1676 * Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
1677 * wikidiff3 is now the default and only PHP diff engine. It provides improved diff
1678 performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore
1679 makes no difference now. Users are still recommended to use wikidiff2 if possible,
1680 though.
1681 * User::addNewUserLogEntry() was deprecated.
1682 * User::addNewUserLogEntryAutoCreate() was deprecated.
1683 * User::isPasswordReminderThrottled() was deprecated.
1684 * Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck)
1685 were removed.
1686 * Installer can now be customized without patching MediaWiki code, see
1687 mw-config/overrides/README for details.
1688
1689 === Compatibility ===
1690
1691 MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
1692 HHVM 3.6.5 or later.
1693
1694 MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
1695 support for them is somewhat less mature. There is experimental support for
1696 Oracle and Microsoft SQL Server.
1697
1698 The supported versions are:
1699
1700 * MySQL 5.0.3 or later
1701 * PostgreSQL 8.3 or later
1702 * SQLite 3.3.7 or later
1703 * Oracle 9.0.1 or later
1704 * Microsoft SQL Server 2005 (9.00.1399)
1705
1706 === Upgrading ===
1707
1708 1.27 has several database changes since 1.26, and will not work without schema
1709 updates. Note that due to changes to some very large tables like the revision
1710 table, the schema update may take quite long (minutes on a medium sized site,
1711 many hours on a large site).
1712
1713 If upgrading from before 1.11, and you are using a wiki as a commons
1714 repository, make sure that it is updated as well. Otherwise, errors may arise
1715 due to database schema changes.
1716
1717 If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
1718 new database fields are filled with data.
1719
1720 If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1721 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
1722 with MediaWiki 1.21.
1723
1724 Don't forget to always back up your database before upgrading!
1725
1726 See the file UPGRADE for more detailed upgrade instructions.
1727
1728 For notes on 1.26.x and older releases, see HISTORY.
1729
1730
1731 = MediaWiki 1.26 =
1732
1733 == MediaWiki 1.26.4 ==
1734
1735 This is a maintenance release of the MediaWiki 1.26 branch.
1736
1737 === Changes since 1.26.3 ===
1738 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
1739 made by MediaWiki via a proxy. Relying on the http_proxy environment
1740 variable is no longer supported.
1741 * (T124163) Fixed fatal error in DifferenceEngine under HHVM.
1742 * (T139565) SECURITY: API: Generate head items in the context of the given title
1743 * (T137264) SECURITY: XSS in unclosed internal links
1744 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
1745 * (T133147) SECURITY: Require login to preview user CSS pages
1746 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
1747 the top file
1748 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
1749 permissions
1750 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
1751 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
1752 * Remove support for $wgWellFormedXml = false, all output is now well formed
1753
1754 == MediaWiki 1.26.3 ==
1755
1756 This is a maintenance release of the MediaWiki 1.26 branch.
1757
1758 === Changes since 1.26.2 ===
1759 * (T116266) Fixed undefined property notices in DairikiDiff under HHVM.
1760 * (T123166) Fix fatal error when importing pages to titles which cannot be
1761 created, such as invalid titles or titles the user is not allowed to edit.
1762 * (T122056) Old tokens are remaining valid within a new session
1763 * (T127114) Login throttle can be tricked using non-canonicalized usernames
1764 * (T123653) Cross-domain policy regexp is too narrow
1765 * (T123071) Incorrectly identifying http link in a's href attributes, due to
1766 m modifier in regex
1767 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
1768 * (T125283) Users occasionally logged in as different users after
1769 SessionManager deployment
1770 * (T103239) Patrol allows click catching and patrolling of any page
1771 * (T122807) [tracking] Check php crypto primatives
1772 * (T98313) Graphs can leak tokens, leading to CSRF
1773 * (T130947) Diff generation should use PoolCounter
1774 * (T133507) Careless use of $wgExternalLinkTarget is insecure
1775 * (T132874) API action=move is not rate limited
1776 * (T110143) strip markers can be used to get around html attribute escaping in
1777 (many?) parser tags
1778 * (T116030) Increase pbkdf2 parameter strengths
1779 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
1780 * (T126685) Globally throttle password attempts
1781
1782 == MediaWiki 1.26.2 ==
1783
1784 This is a maintenance release of the MediaWiki 1.26 branch.
1785
1786 === Changes since 1.26.1 ===
1787 * (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
1788
1789 == MediaWiki 1.26.1 ==
1790
1791 This is a maintenance release of the MediaWiki 1.26 branch.
1792
1793 === Changes since 1.26.0 ===
1794 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
1795 that do not begin with a slash. This enabled trivial XSS attacks.
1796 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
1797 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
1798 error.
1799 * (T119309) SECURITY: Use hash_compare() for edit token comparison
1800 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
1801 with '@' as file uploads
1802 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
1803 longer be shorter than $wgMinimalPasswordLength
1804 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
1805 result in improper blocks being issued
1806 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
1807 and related pages no longer use HTTP redirects and are now redirected by
1808 MediaWiki
1809 * Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
1810 * Fixed stray literal \n in Special:Search.
1811 * Fix issue that breaks HHVM Repo Authorative mode.
1812 * (T120267) Work around APCu memory corruption bug
1813
1814 == MediaWiki 1.26.0 ==
1815
1816 === Configuration changes in 1.26 ===
1817 * $wgPasswordResetRoutes['email'] = true by default.
1818 * $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
1819 instead if you want to disable the parser cache.
1820 * New-style continuation is now the default for API action=continue. Clients may
1821 use the 'rawcontinue' parameter to receive raw query-continue data, but the
1822 new style is encouraged as it's harder to implement incorrectly.
1823 * Deprecated API formats dump and wddx have been completely removed.
1824 * (T7645) The "Signature" button on the edit toolbar is now hidden by default
1825 in non-talk namespaces. A new configuration variable,
1826 $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
1827 the "Signature" button on the edit toolbar will be displayed.
1828 * $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
1829 feature that was never enabled by default.
1830 * $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
1831 This experimental feature was never enabled by default and is obsolete as of
1832 MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
1833 * $wgMasterWaitTimeout was removed (deprecated in 1.24).
1834 * Fields in ParserOptions are now private. Use the accessors instead.
1835 * Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
1836 in extension.json) have been removed, after being deprecated in 1.24.
1837 * $wgAlwaysUseTidy has been removed.
1838 * ResetSessionID hook has been removed. Nothing seems to use it.
1839 * Certain AuthPlugin methods are deprecated in favor of new hooks:
1840 ** AuthPlugin::initUser() is replaced by LocalUserCreated.
1841 ** AuthPlugin::updateUser() is replaced by UserLoggedIn.
1842 ** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
1843 ** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
1844 ** AuthPluginUser::isHidden() is replaced by UserIsHidden.
1845 ** AuthPluginUser::isLocked() is replaced by UserIsLocked.
1846 * The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
1847 * AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
1848 the passed User object.
1849 * $wgBlockAllowsUTEdit is now set to true by default. This allows
1850 blocked users to edit their talk pages unless explicitly disabled
1851 when they are being blocked.
1852
1853 === New features in 1.26 ===
1854 * (T51506) Now action=info gives estimates of actual watchers for a page.
1855 See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
1856 to learn how to configure if needed.
1857 * Change tags can now be hidden in the interface by disabling the associated
1858 "tag-<id>" interface message.
1859 * ':' (colon) is now invalid in usernames for new accounts. Existing accounts
1860 are not affected.
1861 * Added a new hook, 'LogException', to log exceptions in nonstandard ways.
1862 * Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
1863 search results are rendered. The initial use case is to append a "give us
1864 feedback" link beneath the search results.
1865 * Added a new hook, 'RejectParserCacheValue', which allows extensions to
1866 reject an otherwise-successful parser cache lookup. The intent is to allow
1867 extensions to manage the eviction of archaic HTML output from the cache.
1868 * (T68699) The expiration of the UserID and Token login cookies
1869 ($wgExtendedLoginCookieExpiration) can be configured independently of the
1870 expiration of all other cookies ($wgCookieExpiration).
1871 * (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
1872 if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
1873 of WebP images still disabled by default. Add $wgFileExtensions[] =
1874 'webp'; to LocalSettings.php to enable uploading of WebP images.
1875 * Added new hooks 'EnhancedChangesListModifyLineData' &
1876 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
1877 lines in enhanced recentchanges and watchlist.
1878 * Caches that need purging ability now use the WANObjectCache interface.
1879 This corresponds to a new $wgMainWANCache setting, which defaults to using
1880 the $wgMainCacheType settings.
1881 * Callers needing fast light-weight data stores use $wgMainStash to select
1882 the store type from $wgObjectCaches. The default is the local database.
1883 * Interface message overrides in the MediaWiki namespace will now be cached in
1884 memcached and APC (if available), rather than memcached and local files.
1885 * Added a new hook, 'RandomPageQuery', to allow modification of the query used
1886 by Special:Random to select random pages.
1887 * $wgTransactionalTimeLimit was added, which controls the request time limit
1888 for potentially slow POST requests that need to be as atomic as possible.
1889 * ResourceLoader now loads all scripts asynchronously. The top-queue and
1890 startup modules are no longer synchronously loaded.
1891 * 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
1892 page. During the deprecation period, the styles will only be loaded on pages
1893 which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
1894 only be loaded if explicitly required.
1895 * If search returns zero results and current search engine has a "did you mean"
1896 suggestion, results for suggestion will be shown. Can be disabled by setting
1897 $wgSearchRunSuggestedQuery to false.
1898 * Added several JavaScript libraries for uploading files to MediaWiki
1899 from the client-side. See documentation for mw.Upload and its
1900 subclasses for more information.
1901 * Added OOUI dialogs and layout for file upload interfaces. See
1902 documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
1903 subclasses for more information.
1904
1905 === extension.json changes in 1.26 ===
1906 * (T99344) The extension.json schema is now versioned. All extensions
1907 and skins should set a "manifest_version" property corresponding to
1908 the schema version they were written for. The only supported version
1909 currently is "1".
1910 * (T102523) The error message if a non-array attribute is set was improved.
1911 * (T107646) Configuration settings can now specify how they should be merged,
1912 which is necessary for arrays using integer keys.
1913 * (T110389) Adding namespaces through extension.json now actually works
1914 * $wgNamespaceProtection can now be set in extension.json.
1915 * $wgCapitalLinkOverrides can now be set in extension.json.
1916 * (T97186) Extensions using a custom prefix for their configuration settings
1917 can now set a "_prefix" key to override the default of "wg".
1918 * (T99084) Extensions can now specify what MediaWiki core versions they
1919 depend upon.
1920 * (T105236) The extension.json schema now validates custom classes in
1921 the "ResourceModules" property properly.
1922
1923 === External library changes in 1.26 ===
1924 ==== Upgraded external libraries ====
1925 * Updated es5-shim from v4.0.0 to v4.1.5.
1926 * Updated json2 from revision 2014-02-04 to 2015-05-03.
1927 * Updated Sinon.JS from 1.10.3 to 1.15.4.
1928 * Updated jQuery Client from v1.0.0 to v2.0.0.
1929 * Updated QUnit from v1.17.1 to v1.18.0.
1930 * Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
1931 * Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
1932 * Updated wikimedia/cdb from v1.0.1 to v1.3.0.
1933 * Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
1934 * Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
1935 * Updated zordius/lightncandy from v0.18 to v0.21.
1936
1937 ==== New external libraries ====
1938 * Added composer/semver v1.0.0.
1939 * Added mediawiki/at-ease v1.1.0.
1940 * Added wikimedia/assert v0.2.2.
1941 * Added wikimedia/ip-set v1.0.1.
1942 * Added wikimedia/wrappedstring v2.0.0.
1943
1944 ==== Removed and replaced external libraries ====
1945 * Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
1946
1947 === Bug fixes in 1.26 ===
1948 * (T53283) load.php sometimes sends 304 response without full headers
1949 * (T65198) Talk page tabs now have a "rel=discussion" attribute
1950 * (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
1951 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
1952 value if set to an empty string.
1953
1954 === Action API changes in 1.26 ===
1955 * New-style continuation is now the default for action=continue. Clients may
1956 use the 'rawcontinue' parameter to receive raw query-continue data, but the
1957 new style is encouraged as it's harder to implement incorrectly.
1958 * Deprecated API formats dump and wddx have been completely removed.
1959 * API action=query&list=tags: The displayname can now be boolean false if the
1960 tag is meant to be hidden from user interfaces.
1961 * action=import no longer allows both the namespace= and rootpage= parameters
1962 to be set. If they are both set, the value of rootpage= will be ignored.
1963 * prop=revision output in enum mode is now sorted by timestamp rather than
1964 revision ID. This usually won't make any difference.
1965 * (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
1966 with formatversion=2.
1967 * Various other output from meta=siteinfo will now always be arrays instead of
1968 sometimes being numerically-indexed objects with formatversion=2.
1969 * When errors about users being blocked are returned, they now include
1970 information about the relevant block.
1971 * (T99926) list=random has higher limits, in line with other API modules.
1972 * list=random's rnredirect parameter is deprecated in favor of a new
1973 rnfilterredir parameter that also allows for listing both redirects and
1974 non-redirects.
1975 * list=random now supports continuation.
1976 * API responses to GET requests may now include ETag and Last-Modified headers,
1977 and will honor corresponding If-None-Match and If-Modified-Since on such
1978 requests.
1979
1980 === Action API internal changes in 1.26 ===
1981 * New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
1982 into the value when the value is an assoc.
1983 * API action modules may now provide values for the RFC 7232 ETag and
1984 Last-Modified headers. The API will check these against If-None-Match and
1985 If-Modified-Since request headers on GET requests and avoid executing the
1986 module when appropriate.
1987
1988 === Languages updated in 1.26 ===
1989
1990 MediaWiki supports over 350 languages. Many localisations are updated
1991 regularly. Below only new and removed languages are listed, as well as
1992 changes to languages because of Phabricator reports.
1993
1994 * Languages added:
1995 ** ase (American sign language), thanks to translator Icemandeaf
1996 ** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
1997 मेश सिंह बोहरा, and राम प्रसाद जोशी
1998 ** luz (لئری دوٙمینی / Southern Luri)
1999 ** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
2000 Ilja.mos, and Mashoi7
2001
2002 === Other changes in 1.26 ===
2003 * ChangeTags::tagDescription() will return false if the interface message
2004 for the tag is disabled.
2005 * Added PageHistoryPager::doBatchLookups hook.
2006 * Added $wikiId parameter to FormatAutocomments hook.
2007 * Added ParserCacheSaveComplete to ParserCache
2008 * supportsDirectEditing and supportsDirectApiEditing methods added to
2009 ContentHandler, to provide a way for ApiEditPage and EditPage to check
2010 if direct editing of content is allowed. These methods return false,
2011 by default for the ContentHandler base class and true for TextContentHandler
2012 and it's derivative classes (everything in core). For Content types that
2013 do not support direct editing, an alternative mechanism should be provided
2014 for editing, such as action overrides or specific api modules.
2015 * mediaWiki.confirmCloseWindow now returns an object of functions, instead of
2016 one function. The callback can't be called directly any more. The callback
2017 function is replaced with confirmCloseWindow.release().
2018 * BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
2019 ResourceLoaderModule::getDependencies(). Extension classes that override that
2020 method should be updated. If they aren't updated, PHP Strict standards
2021 warnings will appear when E_STRICT error reporting is enabled. Note: in the
2022 near future, this parameter will probably become non-optional.
2023 * Removed maintenance script deleteImageMemcached.php.
2024 * MWFunction::newObj() was removed (deprecated in 1.25).
2025 ObjectFactory::getObjectFromSpec() should be used instead.
2026 * The parser will no longer randomize the string it uses to mark the place of
2027 items that were stripped during parsing. It will use a fixed string instead.
2028 This causes the parser to re-use the regular expressions it uses to search
2029 and replace markers rather than generate novel expressions on each parse.
2030 Re-using regular expressions will improve performance on HHVM and the
2031 forthcoming PHP 7. The interfaces changes accompanying this change are:
2032 - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
2033 - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
2034 $prefix argument for StripState::_construct() are deprecated and their
2035 value is ignored.
2036 * wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
2037 mediawiki/at-ease, and are now deprecated. Callers should use
2038 MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
2039 * The Block class constructor now takes an associative array of parameters
2040 instead of many optional positional arguments. Calling the constructor the old
2041 way will issue a deprecation warning.
2042 * The jquery.mwExtension module was deprecated.
2043 * $wgSpecialPageGroups was removed (deprecated in 1.21).
2044 * SpecialPageFactory::setGroup was removed (deprecated in 1.21).
2045 * SpecialPageFactory::getGroup was removed (deprecated in 1.21).
2046 * DatabaseBase::ignoreErrors() is now protected.
2047 * BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
2048 a lengthy deprecation period.
2049 * The ScopedPHPTimeout class was removed.
2050 * Removed maintenance script fixSlaveDesync.php.
2051 * Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
2052 are deprecated. Applications using those can work via the OAuth
2053 extension instead. New tokens types should not be added.
2054 * DatabaseBase::errorCount() was removed (unused).
2055 * $wgDeferredUpdateList was removed.
2056 * DeferredUpdates::addHTMLCacheUpdate() was removed.
2057
2058 = MediaWiki 1.25 =
2059
2060 == MediaWiki 1.25.6 ==
2061
2062 This is a maintenance release of the MediaWiki 1.25 branch.
2063
2064 === Changes since 1.25.5 ===
2065 * (T123166) Fix fatal error when importing pages to titles which cannot be
2066 created, such as invalid titles or titles the user is not allowed to edit.
2067 * (T122056) Old tokens are remaining valid within a new session
2068 * (T127114) Login throttle can be tricked using non-canonicalized usernames
2069 * (T123653) Cross-domain policy regexp is too narrow
2070 * (T123071) Incorrectly identifying http link in a's href attributes, due to
2071 m modifier in regex
2072 * (T129506) MediaWiki:Gadget-popups.js isn't renderable
2073 * (T125283) Users occasionally logged in as different users after
2074 SessionManager deployment
2075 * (T103239) Patrol allows click catching and patrolling of any page
2076 * (T122807) [tracking] Check php crypto primatives
2077 * (T98313) Graphs can leak tokens, leading to CSRF
2078 * (T130947) Diff generation should use PoolCounter
2079 * (T133507) Careless use of $wgExternalLinkTarget is insecure
2080 * (T132874) API action=move is not rate limited
2081 * (T110143) strip markers can be used to get around html attribute escaping in
2082 (many?) parser tags
2083 * (T116030) Increase pbkdf2 parameter strengths
2084 * (T127420) Pbkdf2Password does not check if hash_pbkdf2() succeeded
2085 * (T126685) Globally throttle password attempts
2086
2087 == MediaWiki 1.25.5 ==
2088
2089 This is a maintenance release of the MediaWiki 1.25 branch.
2090
2091 === Changes since 1.25.4 ===
2092 * (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
2093
2094 == MediaWiki 1.25.4 ==
2095
2096 This is a security and maintenance release of the MediaWiki 1.25 branch.
2097
2098 === Changes since 1.25.3 ===
2099 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
2100 that do not begin with a slash. This enabled trivial XSS attacks.
2101 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
2102 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
2103 error.
2104 * (T119309) SECURITY: Use hash_compare() for edit token comparison
2105 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
2106 with '@' as file uploads
2107 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
2108 longer be shorter than $wgMinimalPasswordLength
2109 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
2110 result in improper blocks being issued
2111 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
2112 and related pages no longer use HTTP redirects and are now redirected by
2113 MediaWiki
2114 * (T103237) $wgUseGzip had no effect when using file cache.
2115 * (T114606) mw.notify was not correctly fixed to the page if
2116 initialized while not at the top of the page.
2117 * Fix issue that breaks HHVM Repo Authorative mode.
2118
2119 == MediaWiki 1.25.3 ==
2120
2121 This is a security and maintenance release of the MediaWiki 1.25 branch.
2122
2123 === Changes since 1.25.2 ===
2124
2125 * (T98975) Fix having multiple callbacks for a single hook.
2126 * (T107632) maintenance/refreshLinks.php did not always remove all links
2127 pointing to nonexistent pages.
2128 * (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
2129 value if set to an empty string.
2130 * (T62174) Provide fallbacks for use of mb_convert_encoding() in
2131 HtmlFormatter. It was causing an error when accessing the api help page
2132 if the mbstring PHP extension was not installed.
2133 * (T105896) Confirmation emails would sometimes contain invalid codes.
2134 * (T105597) Fixed edit stash inclusion queries.
2135 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
2136 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
2137 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
2138 first
2139 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
2140
2141 == MediaWiki 1.25.2 ==
2142
2143 This is a security and maintenance release of the MediaWiki 1.25 branch.
2144
2145 === Changes since 1.25.1 ===
2146
2147 * (T94116) SECURITY: Compare API watchlist token in constant time
2148 * (T97391) SECURITY: Escape error message strings in thumb.php
2149 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
2150 Special:DeletedContributions
2151 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
2152 policy of Wikimedia Commons.
2153 * (T100767) Setting a configuration setting for skin or extension to
2154 false in LocalSettings.php was not working.
2155 * (T100635) API action=opensearch json output no longer breaks when
2156 $wgDebugToolbar is enabled.
2157 * (T102522) Using an extension.json or skin.json file which has
2158 a "manifest_version" property for 1.26 compatability will no longer
2159 trigger warnings.
2160 * (T86156) Running updateSearchIndex.php will not throw an error as
2161 page_restrictions has been added to the locked table list.
2162 * Special:Version would throw notices if using SVN due to an incorrectly
2163 named variable. Add an additional check that an index is defined.
2164
2165 == MediaWiki 1.25.1 ==
2166
2167 This is a bug fix release of the MediaWiki 1.25 branch.
2168
2169 === Changes since 1.25 ===
2170 * (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
2171
2172 == MediaWiki 1.25.0 ==
2173
2174 === Configuration changes in 1.25 ===
2175 * $wgPageShowWatchingUsers was removed.
2176 * $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
2177 * $wgAntiLockFlags was removed.
2178 * $wgJavaScriptTestConfig was removed.
2179 * Edit tokens returned from User::getEditToken may change on every call. Token
2180 validity must be checked by passing the user-supplied token to
2181 User::matchEditToken rather than by testing for equality with a
2182 newly-generated token.
2183 * (T74951) The UserGetLanguageObject hook may be passed any IContextSource
2184 for its $context parameter. Formerly it was documented as receiving a
2185 RequestContext specifically.
2186 * Profiling was restructured and $wgProfiler now requires an 'output' parameter.
2187 See StartProfiler.sample for details.
2188 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
2189 might be a flash policy directive configurable.
2190 * ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
2191 longer be used. If extracts and page images are desired, the TextExtracts and
2192 PageImages extensions are required.
2193 * $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
2194 * Edits are now prepared via AJAX as users type edit summaries. This behavior
2195 can be disabled via $wgAjaxEditStash.
2196 * (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
2197 with the jQuery Migrate library, as indicated when this option was provided in
2198 MediaWiki 1.24.
2199 * ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
2200 StartProfiler.php config is updated to reflect this. Xhprof is available
2201 for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
2202 * Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
2203 rather than 'rsvg'.
2204 * Default value of $wgSVGConverters['ImageMagick'] now uses transparent
2205 background with white fallback color, rather than just white background.
2206 * MediaWikiBagOStuff class removed, make sure any object cache config
2207 uses SqlBagOStuff instead.
2208 * The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
2209 job queues. This means that mediawiki/services/jobrunner service has to
2210 be installed and running for any such queues to work.
2211 * $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
2212 compatibility, any 'view' event triggers will still trigger on 'edit'.
2213 * $wgExtensionDirectory was added for when your extensions directory is somewhere
2214 other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
2215
2216 === New features in 1.25 ===
2217 * (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
2218 for plural forms in Russian, Prussian, Tagalog, Manx and several languages
2219 that fall back to Russian.
2220 * (T60139) ResourceLoaderFileModule now supports language fallback
2221 for 'languageScripts'.
2222 * Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
2223 parser output for a content object before links update.
2224 * (T37785) Enhanced recent changes and extended watchlist are now default.
2225 Documentation: https://meta.wikimedia.org/wiki/Special:MyLanguage/Help:Enhanced_recent_changes
2226 and https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:$wgDefaultUserOptions.
2227 * (T69341) SVG images will no longer be base64-encoded when being embedded
2228 in CSS. This results in slight size increase before gzip compression (due to
2229 percent-encoding), but up to 20% decrease after it.
2230 * Update jStorage to v0.4.12.
2231 * MediaWiki now natively supports page status indicators: icons (or short text
2232 snippets) usually displayed in the top-right corner of the page. They have
2233 been in use on Wikipedia for a long time, implemented using templates and CSS
2234 absolute positioning.
2235 - Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
2236 - Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
2237 - Adjusting custom skins to support indicators:
2238 https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Skinning#Page_status_indicators
2239 * Edit tokens may now be time-limited: passing a maximum age to
2240 User::matchEditToken will reject any older tokens.
2241 * The debug logging internals have been overhauled, and are now using the
2242 PSR-3 interfaces.
2243 * Update CSSJanus to v1.1.1.
2244 * Update lessphp to v0.5.0.
2245 * Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
2246 and images for ApiOpenSearch output. The semantics are identical to the
2247 "OpenSearchXml" hook provided by the OpenSearchXml extension.
2248 * PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
2249 this allows for pagination of prefix results. Extensions using this hook
2250 should implement supporting behavior. Not doing so can result in undefined
2251 behavior from API clients trying to continue through prefix results.
2252 * Update jQuery from v1.11.1 to v1.11.3.
2253 * External libraries installed via composer will now be displayed
2254 on Special:Version in their own section. Extensions or skins that are
2255 installed via composer will not be shown in this section as it is assumed
2256 they will add the proper credits to the skins or extensions section. They
2257 can also be accessed through the API via the new siprop=libraries to
2258 ApiQuerySiteInfo.
2259 * Update QUnit from v1.14.0 to v1.16.0.
2260 * Update Moment.js from v2.8.3 to v2.8.4.
2261 * Special:Tags now allows for manipulating the list of user-modifiable change
2262 tags.
2263 * Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
2264 and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
2265 tags.
2266 * Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
2267 "active" formerly conflated by the 'ListDefinedTags' hook.
2268 * Added TemplateParser class that provides a server-side interface to cachable
2269 dynamically-compiled Mustache templates (currently uses lightncandy library).
2270 * Clickable anchors for each section heading in the content are now generated
2271 and appear in the gutter on hovering over the heading.
2272 * Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
2273 to allow extensions to override how links to pages are rendered within NS_CATEGORY
2274 * (T19665) Special:WantedPages only lists page which having at least one red link
2275 pointing to it.
2276 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
2277 used for conditional registration of API modules.
2278 * New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
2279 links of a group of changes in EnhancedChangesList.
2280 * A full interface for StatsD metric reporting has been added to the context
2281 interface, reachable via IContextSource::getStats().
2282 * Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
2283 proper, published library, which is now tagged as v1.0.0.
2284 * A new message (defaulting to blank), 'editnotice-notext', can be shown to users
2285 when they are editing if no edit notices apply to the page being edited.
2286 * (T94536) You can now make the sitenotice appear to logged-in users only by
2287 editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
2288 "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
2289 * Modifying the tagging of a revision or log entry is now available via
2290 Special:EditTags, generally accessed via the revision-deletion-like interface
2291 on history pages and Special:Log is likely to be more useful.
2292 * Added 'applychangetags' and 'changetags' user rights.
2293 * (T35235) LogFormatter subclasses are now responsible for formatting the
2294 parameters for API log event output. Extensions should implement the new
2295 getParametersForApi() method in their log formatters.
2296
2297 ==== External libraries ====
2298 * MediaWiki now requires certain external libraries to be installed. In the past
2299 these were bundled inside the Git repository of MediaWiki core, but now they
2300 need to be installed separately. For users using the tarball, this will be taken
2301 care of and no action will be required. Users using Git will either need to use
2302 composer to fetch dependencies or use the mediawiki/vendor repository which includes
2303 all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
2304 instructions can be found at:
2305 https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
2306 * The following libraries are now required:
2307 ** psr/log
2308 This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
2309 which are used by MediaWiki internally via the
2310 MediaWiki\Logger\LoggerFactory class.
2311 See the structured logging RfC (https://www.mediawiki.org/wiki/Special:MyLanguage/Requests_for_comment/Structured_logging)
2312 for more background information.
2313 ** cssjanus/cssjanus
2314 This library was formerly bundled with MediaWiki core and has been removed.
2315 It automatically flips CSS for RTL support.
2316 ** leafo/lessphp
2317 This library was formerly bundled with MediaWiki core and has been removed.
2318 It compiles LESS files into CSS.
2319 ** wikimedia/cdb
2320 This library was formerly a part of MediaWiki core, and has been moved into a separate library.
2321 It provides CDB functions which are used in the Interwiki and Localization caches.
2322 More information about the library can be found at https://www.mediawiki.org/wiki/Special:MyLanguage/CDB.
2323 ** liuggio/statsd-php-client
2324 This library provides a StatsD client API for logging application metrics to a remote server.
2325
2326 === Bug fixes in 1.25 ===
2327 * (T73003) No additional code will be generated to try to load CSS-embedded
2328 SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
2329 * (T69021) On Special:BookSources, corrected validation of ISBNs (both
2330 10- and 13-digit forms) containing "X".
2331 * Page moving was refactored into a MovePage class. As part of that:
2332 ** The AbortMove hook was removed.
2333 ** MovePageIsValidMove is for extensions to specify whether a page
2334 cannot be moved for technical reasons, and should not be overridden.
2335 ** MovePageCheckPermissions is for checking whether the given user is
2336 allowed to make the move.
2337 ** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
2338 ** Title::moveTo() was deprecated. Use the MovePage class instead.
2339 ** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
2340 and MovePage::checkPermissions().
2341 * (T18530) Multiple autocomments are now formatted in an edit summary.
2342 * (T70361) Autocomments containing "/*" are parsed correctly.
2343 * The Special:WhatLinksHere page linked from 'Number of redirects to this page'
2344 on action=info about a file page does not list file links anymore.
2345 * (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
2346 * (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
2347 * (T85192) Captcha position modified in Usercreate template. As a result:
2348 ** extrafields parameter added to Usercreate.php to insert additional data
2349 ** 'extend' method added to QuickTemplate to append additional values to any field of data array
2350 * (T86974) Several Title methods now load from the database when necessary
2351 (instead of returning incorrect results) even when the page ID is known.
2352 * (T74070) Duplicate search for archived files on file upload now omits the extension.
2353 This requires the fa_sha1 field being populated.
2354 * Removed rel="archives" from the "View history" link, as it did not pass
2355 HTML validation.
2356 * $wgUseTidy is now set when parserTests are run with the tidy option to match
2357 output on wiki.
2358 * (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
2359 * (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
2360
2361 === Action API changes in 1.25 ===
2362 * (T67403) XML tag highlighting is now only performed for formats
2363 "xmlfm" and "wddxfm".
2364 * action=paraminfo supports generalized submodules (modules=query+value),
2365 querymodules and formatmodules are deprecated
2366 * action=paraminfo no longer outputs descriptions and other help text by
2367 default. If needed, it may be requested using the new 'helpformat' parameter.
2368 * action=help has been completely rewritten, and outputs help in HTML
2369 rather than plain text.
2370 * Hitting api.php without specifying an action now displays only the help for
2371 the main module, with links to submodule help.
2372 * API help is no longer displayed on errors.
2373 * 'uselang' is now a recognized API parameter; "uselang=user" may be used to
2374 explicitly select the language from the current user's preferences, and
2375 "uselang=content" may be used to select the wiki's content language.
2376 * Default output format for the API is now jsonfm.
2377 * Simplified continuation will return a "batchcomplete" property in the result
2378 when a batch of pages is complete.
2379 * Pretty-printed HTML output now has nicer formatting and (if available)
2380 better syntax highlighting.
2381 * Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
2382 list=alldeletedrevisions.
2383 * prop=revisions will gracefully continue when given too many revids or titles,
2384 rather than just ignoring the extras.
2385 * prop=revisions will no longer die if rvcontentformat doesn't match a
2386 revision's content model; it will instead warn and omit the content.
2387 * If the user has the 'deletedhistory' right, action=query's revids parameter
2388 will now recognize deleted revids.
2389 * prop=revisions may be used as a generator, generating revids.
2390 * (T68776) format=json results will no longer be corrupted when
2391 $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
2392 error instead of returning invalid serialized data.
2393 * Generators may now return data for the generated pages when used with
2394 action=query.
2395 * Query page data for generator=search and generator=prefixsearch will now
2396 include an "index" field, which may be used by the client for sorting the
2397 search results.
2398 * ApiOpenSearch now supports XML output.
2399 * ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
2400 in JSON format.
2401 * (T76051) list=tags will now continue correctly.
2402 * (T76052) list=tags can now indicate whether a tag is defined.
2403 * (T75522) list=prefixsearch now supports continuation
2404 * (T78737) action=expandtemplates can now return page properties.
2405 * (T78690) list=allimages now accepts multiple pipe-separated values
2406 for the 'aimime' parameter.
2407 * prop=info with inprop=protections will now return applicable protection types
2408 with the 'restrictiontypes' key.
2409 * (T85417) When resolving redirects, ApiPageSet will now add the targets of
2410 interwiki redirects to the list of interwiki titles.
2411 * (T85417) When outputting the list of redirect titles, a 'tointerwiki'
2412 property (like the existing 'tofragment' property) will be set.
2413 * Added action=managetags to allow for managing the list of
2414 user-modifiable change tags. Actually modifying the tagging of a revision or
2415 log entry is not implemented yet.
2416 * list=tags has additional properties to indicate 'active' status and tag
2417 sources.
2418 * siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
2419 * (T88010) Added action=checktoken, to test a CSRF token's validity.
2420 * (T88010) Added intestactions to prop=info, to allow querying of
2421 Title::userCan() via the API.
2422 * Default type param for query list=watchlist and list=recentchanges has
2423 been changed from all types (e.g. including 'external') to 'edit|new|log'.
2424 * Added formatversion to format=json. Still "experimental" as further changes
2425 to the output formatting might still be made.
2426 * (T73020) Log event details are now always under a 'params' subkey for
2427 list=logevents, and a 'logparams' subkey for list=watchlist and
2428 list=recentchanges.
2429 * Log event details are changing formatting:
2430 * block events now report flags as an array rather than as a comma-separated
2431 list.
2432 * patrol events now report the 'auto' flag as a boolean (absent/empty string
2433 for BC formats) rather than as an integer.
2434 * rights events now report the old and new group lists as arrays rather than
2435 as comma-separated lists.
2436 * merge events use new-style formatting.
2437 * delete/event and delete/revision events use new-style formatting.
2438 * The root node and various other nodes will now always be an object in formats
2439 such as json that distinguish between arrays and objects.
2440 * Except for action=opensearch where the spec requires an array.
2441
2442 === Action API internal changes in 1.25 ===
2443 * ApiHelp has been rewritten to support i18n and paginated HTML output.
2444 Most existing modules should continue working without changes, but should do
2445 the following:
2446 * Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
2447 * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
2448 to replace getParamDescription(). If necessary, the settings array returned
2449 by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
2450 message.
2451 * Implement getExamplesMessages() to replace getExamples().
2452 * Modules with submodules (like action=query) must have their submodules
2453 override ApiBase::getParent() to return the correct parent object.
2454 * The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
2455 and will have no effect for modules using i18n messages. Use
2456 'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
2457 * Api formatters will no longer be asked to display the help screen on errors.
2458 * ApiMain::getCredits() was removed. The credits are available in the
2459 'api-credits' i18n message.
2460 * ApiFormatBase has been changed to support i18n and syntax highlighting via
2461 extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
2462 has been removed.
2463 * ApiFormatBase now always buffers. Output is done when
2464 ApiFormatBase::closePrinter is called.
2465 * Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
2466 * The 'revids' parameter supplied by ApiPageSet will now count deleted
2467 revisions as "good" if the user has the 'deletedhistory' right. New methods
2468 ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
2469 provided to access just the live or just the deleted revids.
2470 * Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
2471 to allow generators to include data in the action=query result.
2472 * New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
2473 used for conditional registration of API modules.
2474 * Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
2475 the current request was sent with the 'callback' parameter (or any future
2476 method that breaks the same-origin policy).
2477 * Profiling methods in ApiBase are deprecated and no longer need to be called.
2478 * ApiResult was greatly overhauled. See inline documentation for details.
2479 * ApiResult will automatically convert objects to strings or arrays (depending
2480 on whether a __toString() method exists on the object), and will refuse to
2481 add unsupported value types.
2482 * An informal interface, ApiSerializable, exists to override the default
2483 object conversion.
2484 * ApiResult/ApiFormatBase "raw mode" is deprecated.
2485 * ApiFormatXml now assumes defaults and so on instead of throwing errors when
2486 metadata isn't set.
2487 * (T35235) LogFormatter subclasses are now responsible for formatting log event
2488 parameters for the API.
2489 * Many modules have changed result data formats. While this shouldn't affect
2490 clients not using the experimental formatversion=2, code using
2491 ApiResult::getResultData() without the transformations for backwards
2492 compatibility may need updating, as will code that wasn't following the old
2493 conventions for API boolean output.
2494 * The following methods have been deprecated and may be removed in a future
2495 release:
2496 * ApiBase::getDescription
2497 * ApiBase::getParamDescription
2498 * ApiBase::getExamples
2499 * ApiBase::makeHelpMsg
2500 * ApiBase::makeHelpArrayToString
2501 * ApiBase::makeHelpMsgParameters
2502 * ApiBase::getModuleProfileName
2503 * ApiBase::profileIn
2504 * ApiBase::profileOut
2505 * ApiBase::safeProfileOut
2506 * ApiBase::getProfileTime
2507 * ApiBase::profileDBIn
2508 * ApiBase::profileDBOut
2509 * ApiBase::getProfileDBTime
2510 * ApiBase::getResultData
2511 * ApiFormatBase::setUnescapeAmps
2512 * ApiFormatBase::getWantsHelp
2513 * ApiFormatBase::setHelp
2514 * ApiFormatBase::formatHTML
2515 * ApiFormatBase::setBufferResult
2516 * ApiFormatBase::getDescription
2517 * ApiFormatBase::getNeedsRawData
2518 * ApiMain::setHelp
2519 * ApiMain::reallyMakeHelpMsg
2520 * ApiMain::makeHelpMsgHeader
2521 * ApiResult::setRawMode
2522 * ApiResult::getIsRawMode
2523 * ApiResult::getData
2524 * ApiResult::setElement
2525 * ApiResult::setContent
2526 * ApiResult::setIndexedTagName_recursive
2527 * ApiResult::setIndexedTagName_internal
2528 * ApiResult::setParsedLimit
2529 * ApiResult::beginContinuation
2530 * ApiResult::setContinueParam
2531 * ApiResult::setGeneratorContinueParam
2532 * ApiResult::endContinuation
2533 * ApiResult::size
2534 * ApiResult::convertStatusToArray
2535 * ApiQueryImageInfo::getPropertyDescriptions
2536 * ApiQueryLogEvents::addLogParams
2537 * The following classes have been deprecated and may be removed in a future
2538 release:
2539 * ApiQueryDeletedrevs
2540
2541 === Languages updated in 1.25 ===
2542
2543 MediaWiki supports over 350 languages. Many localisations are updated
2544 regularly. Below only new and removed languages are listed, as well as
2545 changes to languages because of Bugzilla reports.
2546
2547 * Languages added:
2548 ** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
2549 ** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
2550 Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
2551 ** ses (Koyraboro Senni), thanks to translator Songhay.
2552 * (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
2553 interface language to kk where unexpected.
2554 * The Chinese conversion table was substantially updated to fix a lot of
2555 bugs and ensure better reading experience for different variants.
2556
2557 === Other changes in 1.25 ===
2558 * (T45591) Links to MediaWiki.org translatable help were added to indicators,
2559 mostly in special pages. Local custom target titles can be placed in the
2560 relevant '(namespace-X|action name|special page name)-helppage' system
2561 message. Extensions can use the addHelpLink() function to do the same.
2562 * The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
2563 removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
2564 migration guide for creators and users of custom skins that relied on it.
2565 * Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
2566 available on Special:Upload.
2567 * (T58257) Set site logo from mediawiki.skinning.interface module instead of
2568 inline styles in the HTML.
2569 * Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
2570 * Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
2571 * Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
2572 * Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
2573 * Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
2574 * Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
2575 since 1.20)
2576 * Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
2577 since 1.20)
2578 * Removed 'jquery.json' module. (deprecated since 1.24)
2579 Use the 'json' module and global JSON object instead.
2580 * Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
2581 Also, the former will now throw an MWException if called with one or more
2582 arguments.
2583 * Removed hitcounters and associated code.
2584 * The "temp" zone of the upload respository is now considered private. If it
2585 already exists (such as under the images/ directory), please make sure that
2586 the directory is not web readable (e.g. via a .htaccess file).
2587 * BREAKING CHANGE: In the XML dump format used by Special:Export and
2588 dumpBackup.php, the <model> and <format> tags now apprear before the <text>
2589 tag, instead of after the <text> and <sha1> tags.
2590 The new schema version is 0.10, the new schema URI is:
2591 https://www.mediawiki.org/xml/export-0.10.xsd
2592 * MWFunction::call() and MWFunction::callArray() were removed, having being
2593 deprecated in 1.22.
2594 * Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
2595 and getInternalLinkAttributes methods in Linker, and removed
2596 getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
2597 * Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
2598 * Added wgRelevantArticleId to the client-side config, for use on special pages.
2599 * Deprecated the TitleIsCssOrJsPage hook. Superseded by the
2600 ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
2601 * Deprecated the TitleIsWikitextPage hook. Superseded by the
2602 ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
2603 * Changed parsing of variables in schema (.sql) files:
2604 ** The substituted values are no longer parsed. (Formerly, several passes
2605 were made for each variable, so depending on the order in which variables
2606 were defined, variables might have been found inside encoded values. This
2607 is no longer the case.)
2608 ** Variables are no longer string encoded when the /*$var*/ syntax is used.
2609 If string encoding is necessary, use the '{$var}' syntax instead.
2610 ** Variable names must only consist of one or more of the characters
2611 "A-Za-z0-9_".
2612 ** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
2613 does not exist yet variable B does, the latter may not be replaced.
2614 However, this difference is unlikely to arise in practice.
2615 * (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
2616 characters on both sides.
2617 * The FormatAutocomments hook will now receive $pre and $post as booleans,
2618 rather than as strings that must be prepended or appended to $comment.
2619 * (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
2620 newlines; but they can contain &nbsp; and other non-newline whitespace.
2621 * The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
2622 toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
2623 relied on this behavior, update your scripts' dependencies.
2624 * HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
2625 * HTMLForm::isVForm() is now deprecated.
2626 * You can no longer do this:
2627 $form = new HTMLForm( … );
2628 $form->setDisplayFormat( 'vform' ); // throws exception
2629 Instead, do this:
2630 $form = HTMLForm::factory( 'vform', … );
2631 * Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
2632 * BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
2633 The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
2634 * (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
2635 renders them incorrectly when combined with border-radius or background-size.
2636 * Removed maintenance script dumpSisterSites.php.
2637 * DatabaseBase class constructors must be called using the array argument style.
2638 Ideally, DatabaseBase:factory() should be used instead in most cases.
2639 * Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
2640 This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
2641 addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
2642 since they interfere with caching of ParserOutput objects.
2643 * Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
2644 * Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
2645 updates when a page is re-rendered.
2646 * EditPage::attemptSave has been modified not to call handleStatus itself and
2647 instead just returns the Status object. Extension calling it should be aware of
2648 this.
2649 * Removed class DBObject. (unused since 1.10)
2650 * wfDiff() is deprecated.
2651 * The -m (maximum replication lag) option of refreshLinks.php was removed.
2652 It had no effect since MediaWiki 1.18 and should be removed from any cron
2653 jobs or similar scripts you may have set up.
2654 * (T85864) The following messages no longer support raw html: redirectto,
2655 thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
2656 retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
2657 protect-summary-cascade
2658 * All BloomCache related code has been removed. This was largely experimental.
2659 * $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
2660 can only be set for the entire skin.
2661 * Removed global function swap(). (deprecated since 1.24)
2662 * Deprecated the ".php5" file extension entry points and the $wgScriptExtension
2663 configuration variable. Refer to the ".php" files instead. If you want
2664 ".php5" URLs to continue to work, set up redirects. In Apache, this can be
2665 done by enabling mod_rewrite and adding the following rules to your
2666 configuration:
2667
2668 RewriteEngine On
2669 RewriteBase /
2670 RewriteRule ^(.*)\.php5 $1.php [R=301,L]
2671
2672 * The global importScriptURI and importStylesheetURI functions, as well as the
2673 loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
2674 warnings through mw.log.warn when accessed.
2675
2676 = MediaWiki 1.24 =
2677
2678 == MediaWiki 1.24.6 ==
2679
2680 This is a maintenance release of the MediaWiki 1.24 branch.
2681
2682 === Changes since 1.24.5 ===
2683 * (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
2684
2685 == MediaWiki 1.24.5 ==
2686
2687 This is a security and maintenance release of the MediaWiki 1.23 branch.
2688
2689 === Changes since 1.24.4 ===
2690 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
2691 that do not begin with a slash. This enabled trivial XSS attacks.
2692 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
2693 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
2694 error.
2695 * (T119309) SECURITY: Use hash_compare() for edit token comparison
2696 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
2697 with '@' as file uploads
2698 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
2699 longer be shorter than $wgMinimalPasswordLength
2700 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
2701 result in improper blocks being issued
2702 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
2703 and related pages no longer use HTTP redirects and are now redirected by
2704 MediaWiki
2705 * (T103237) $wgUseGzip had no effect when using file cache.
2706
2707 == MediaWiki 1.24.4 ==
2708
2709 This is a security and maintenance release of the MediaWiki 1.24 branch.
2710
2711 === Changes since 1.24.3 ===
2712
2713 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
2714 * (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
2715 update.php to fix.
2716 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
2717 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
2718 * (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
2719 first
2720 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
2721
2722 == MediaWiki 1.24.3 ==
2723
2724 This is a security and maintenance release of the MediaWiki 1.24 branch.
2725
2726 === Changes since 1.24.2 ===
2727
2728 * (T94116) SECURITY: Compare API watchlist token in constant time
2729 * (T97391) SECURITY: Escape error message strings in thumb.php
2730 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
2731 Special:DeletedContributions
2732 * Update jQuery from v1.11.2 to v1.11.3.
2733 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
2734 policy of Wikimedia Commons.
2735
2736 == MediaWiki 1.24.2 ==
2737
2738 This is a security and maintenance release of the MediaWiki 1.24 branch.
2739
2740 === Changes since 1.24.1 ===
2741
2742 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
2743 to prevent various DoS attacks.
2744 * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
2745 likelihood of DoS.
2746 * (T88310) SECURITY: Always expand xml entities when checking SVG's.
2747 * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
2748 * (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
2749 * (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
2750 using PBKDF2.
2751 * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
2752 prevent XSS and protect viewer's privacy.
2753 * Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
2754 loading these special pages when $wgAutoloadAttemptLowercase is false.
2755 * (bug T70087) Fix Special:ActiveUsers page for installations using
2756 PostgreSQL.
2757 * (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
2758 and running update.php to fix.
2759
2760 == MediaWiki 1.24.1 ==
2761
2762 This is a security and maintenance release of the MediaWiki 1.24 branch.
2763
2764 === Changes since 1.24.0 ===
2765
2766 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
2767 could lead to xss. Permission to edit MediaWiki namespace is required to
2768 exploit this.
2769 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
2770 $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
2771 part of its name.
2772 * (bug T74222) The original patch for T74222 was reverted as unnecessary.
2773 * Fixed a couple of entries in RELEASE-NOTES-1.24.
2774 * (bug T76168) OutputPage: Add accessors for some protected properties.
2775 * (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
2776
2777 == MediaWiki 1.24.0 ==
2778
2779 === Configuration changes in 1.24 ===
2780 * MediaWiki will no longer run if register_globals is enabled. It has been
2781 deprecated for 5 years now, and was removed in PHP 5.4. For more information
2782 about why, see <https://www.mediawiki.org/wiki/register_globals>.
2783 * MediaWiki now requires PHP's iconv extension. openSUSE users may need to
2784 install the php5-iconv package. Users of other systems may need to add
2785 extension=iconv.so to php.ini or recompile PHP without --without-iconv.
2786 * MediaWiki will no longer function if magic quotes are enabled. It has
2787 been deprecated for 5 years now, and was removed in PHP 5.4.
2788 * The server's canonical hostname is available as $wgServerName, which is
2789 exposed in both mw.config and ApiQuerySiteInfo.
2790 * Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
2791 for using the old schema of the page_props table, in case the respective
2792 schema update was not applied.
2793 * $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything'
2794 user option was removed. Use $wgNamespacesToBeSearchedDefault instead or
2795 if you used to have $wgDefaultUserOptions['searcheverything'] = 1.
2796 * $wgMasterWaitTimeout has been deprecated.
2797 * $wgDBClusterTimeout has been removed.
2798 * $wgProxyKey has been removed. It is no longer used by MediaWiki core.
2799 Ensure $wgSecretKey is set in LocalSettings.php.
2800 * $wgExtraInterlanguageLinkPrefixes is a new configuration variable that
2801 contains an array of interwiki prefixes that should be treated as language
2802 prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set
2803 to true).
2804 * $wgParserTestRemote has been removed.
2805 * $wgCountTotalSearchHits has been removed. If you're concerned about efficiency
2806 of search, you should use something like CirrusSearch instead of built in
2807 search.
2808 * Users in the 'sysop' group have access to Special:MergeHistory by default.
2809 * $wgFileStore was removed after having been deprecated in 1.17. Alternative
2810 configurations are $wgDeletedDirectory and $wgHashedUploadDirectory.
2811 * The deprecated $wgUseCommaCount variable has been removed.
2812 * $wgEnableSorbs and $wgSorbsUrl have been removed.
2813 * The UserCryptPassword and UserComparePassword hooks are no longer called.
2814 Any extensions using them must be updated to use the Password Hashing API.
2815 * $wgCompiledFiles has been removed.
2816 * $wgSortSpecialPages was removed, the listing on Special:SpecialPages is
2817 now always sorted.
2818 * $wgSpecialPages may now use callback functions as an alternative to plain class names.
2819 This allows more control over constructor parameters.
2820 * $wgHTCPMulticastAddress, $wgHTCPMulticastRouting and $wgHTCPPort were removed.
2821 * $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort
2822 and $wgRC2UDPPrefix have been removed.
2823 * The default password type for MediaWiki has been changed from MD5 to PBKDF2.
2824 Password hashes will automatically be updated as users log in. If necessary, the
2825 old MD5 hashing can be restored by changing $wgPasswordDefault to 'B'. In addition,
2826 there is a maintenance script wrapOldPassword.php that can wrap all passwords in
2827 PBKDF2 (or the hashing algorithm of your choice) if you don't want to wait for your
2828 users to log in.
2829 * $wgImportSources can now either be a regular array, or an associative map
2830 specifying subprojects on the interwiki map of the target wiki, or a mix of
2831 the two. Existing configurations will still work.
2832 * Users must be able to edit through a page's protection to be able to delete it.
2833 * The default thumb size ($wgDefaultUserOptions['thumbsize']) is now 300px, up from
2834 180px. If you have altered the number of entries in $wgThumbLimits for your wiki, you
2835 may need to adjust your default user settings to compensate for the index change.
2836 * $wgDeferredUpdateList is now deprecated, you should use DeferredUpdates::addUpdate()
2837 instead.
2838 * $wgCanonicalLanguageLinks has been removed. Per Google recommendations, we
2839 will not send a rel=canonical pointing to a variant-neutral page, however
2840 we will send rel=alternate.
2841 * $wgResourceLoaderLESSFunctions has been deprecated and will be removed in the future.
2842 * $wgGoToEdit has been removed. Use the SpecialSearchNogomatch hook for similar
2843 functionality.
2844
2845 === New features in 1.24 ===
2846 * Added new hook WatchlistEditorBeforeFormRender, allowing subscribers to
2847 manipulate the list of pages and/or preload lots of data at once.
2848 * Added new argument &$link in hook WatchlistEditorBuildRemoveLine, allowing the
2849 link to the title to be changed.
2850 * Added a new hook, "WhatLinksHereProps", to allow extensions to annotate
2851 WhatLinksHere entries.
2852 * Added a new hook, "ContentGetParserOutput", to customize parser output for
2853 a given content object.
2854 * Deprecated the hook "ShowRawCssJs", use "ContentGetParserOutput" instead.
2855 * HTMLForm's HTMLTextField now supports the 'url' type.
2856 * HTMLForm fields may now be dynamically hidden based on the values of other
2857 fields in the form.
2858 * HTMLForm now supports multiple copies of an input field or set of input
2859 fields, e.g. the form may request "one or more usernames" without having to
2860 have the user enter delimited list of names into a text field.
2861 * Added a new hook, "SidebarBeforeOutput", to allow to edit the structure of
2862 the sidebar just before its display.
2863 * (bug 49156) Added the mediawiki.cookie ResourceLoader module, which wraps
2864 jquery.cookie so that getting/setting a cookie is syntactically and
2865 functionally similar to using the WebRequest::getCookie() and
2866 WebResponse::setcookie() methods.
2867 * (bug 44740) jQuery upgraded from 1.8.3 to 1.11.1. A new configuration option,
2868 $wgIncludejQueryMigrate, also loads the jQuery Migrate hack to let extensions
2869 and gadgets use the long-deprecated functions that were removed in jQuery 1.9.
2870 This option is turned off by default, and will be removed in MediaWiki 1.25.
2871 * (bug 47076) jQuery UI upgraded from 1.8.24 to 1.9.2.
2872 * Changes to content typography (fonts, etc.). See
2873 https://www.mediawiki.org/wiki/Typography_refresh for further information.
2874 * WikitextContent will now render redirects with the expected "redirect"
2875 header, rather than as an ordered list. Code calling Article::viewRedirect
2876 can probably be changed to no longer special-case redirects.
2877 * Header font set to a serif font stack. See
2878 https://www.mediawiki.org/wiki/Typography_refresh for further information.
2879 * (bug 65567) Added a new hook, "BeforeHttpsRedirect", to allow cancellation of
2880 the HTTP to HTTPS redirect due to forceHTTPS cookie, userRequires, etc. This
2881 is only for page views, since this hook doesn't affect UserLogin, OAuth,
2882 CentralAuth, etc. ATTENTION: This hook is likely to be removed soon due to
2883 overall design of the system.
2884 * (bug 17367) It is now possible to add pages to your watchlist from
2885 Special:UnwatchedPages without reloading the special page.
2886 * New methods setVolatile and isVolatile are added to PPFrame, so that
2887 extensions such as Cite.php can mark that their output is volatile and
2888 shouldn't be cached.
2889 * (bug 52817) Advanced search options are now saved on the search page itself,
2890 rather than in a dedicated pane in the preferences panel.
2891 * (bug 44591) The dropdown actions menu (little triangle next to page tabs) in
2892 the Vector skin has gained a label that should make it more discoverable.
2893 * MWCryptHKDF added for fast, cryptographically secure random number generation
2894 that won't deplete openssl's entropy pool.
2895 * ResourceLoader: File modules can now provide a skip function that uses an
2896 inline feature test to bypass loading of the module.
2897 * (bug 20210) Special pages may now provide autocompletion of their subpage
2898 names in search suggestions. Right now the only useful implementation is in
2899 Special:Log, but more are to come.
2900 * Special:MostLinkedTemplates is no longer limited to transclusions from the
2901 Template namespace.
2902 * Skins can now use 'remoteSkinPath' when defining ResourceLoader modules.
2903 This works the same as 'remoteExtPath' but is relative to the skins/ folder
2904 instead of the extensions/ folder.
2905 * Added the json2.js polyfill for the ES5 JSON.stringify and JSON.parse methods.
2906 Exposed as module "json" with a skip function to optimise loading.
2907 * Extensions and skins may now use 'namemsg' in $wgExtensionCredits in addition
2908 to 'name', to allow for the name to be localizable. 'name' should still be
2909 specified for backwards-compatibility and to define the path Special:Version
2910 uses to find extension license information.
2911 * Browser tests are now included to verify basic wiki functionality in developer
2912 environments. For details on running tests, see tests/browser/README.mediawiki.
2913 * Upgrade jStorage to v0.4.10.
2914 * {{!}} is now a magic word that produces the | character. This removes the need
2915 for Template:! for purposes such as passing pipes inside of parameters.
2916 * (bug 20790) The block log snippet on Special:Contributions and while
2917 editing user and user talk pages now works for IP range blocks.
2918 * (bug 9360) Added ability to change the page language for MediaWiki pages using
2919 Special:PageLanguage. All pages are set to wiki language by default.
2920 The feature needs to be enabled with $wgPageLanguageUseDB=true and
2921 permission needs to be set for 'pagelang'.
2922 * Upgrade Moment.js to v2.8.3.
2923 * (bug 67042) Added support for the HTML5 <rtc> tag for East Asian typography.
2924 * Upgrade Sinon.JS to 1.10.3.
2925 * Added the es5-shim polyfill for older or non-compliant javascript engines.
2926 * Upgrade jQuery Cookie to v1.3.1.
2927 * (bug 20476) Add a "viewsuppressed" user right to be able to view
2928 suppressed content but not suppress it ("suppressrevision" right).
2929 * (bug 66440) The MediaWiki web installer will now allow you to choose the skins
2930 to enable (from the ones included in download tarball) and decide which one
2931 should be the default.
2932 * (bug 68085, 68802) Links like [[localInterwikiPrefix:languageCode:pageTitle]],
2933 where localInterwikiPrefix is a member of the $wgLocalInterwikis array, will
2934 no longer be displayed in the sidebar when $wgInterwikiMagic is true. In a
2935 similar way, links like [[localInterwikiPrefix:File:Image.png]] and
2936 [[localInterwikiPrefix:Category:Hello]] will now render as regular links, and
2937 will not include the file or add the page to the category.
2938 * New special page, MyLanguage, to redirect users to subpages with localised
2939 versions of a page. (Integrated from Extension:Translate)
2940 * MediaWiki now supports multiple password types, including bcrypt and PBKDF2.
2941 The default type can be changed with $wgPasswordDefault and the type
2942 configurations can be changed with $wgPasswordConfig.
2943 * Skins can now define custom styles for default ResourceLoader modules using
2944 the $wgResourceModuleSkinStyles global. See the Vector skin for examples.
2945 * (bug 4488) There is now a preference to watch pages where the user has
2946 rollbacked an edit by default.
2947 * (bug 15484) Users will now be redirected to the login page when they need to
2948 log in, rather than being shown a page asking them to log in and having to click
2949 another link to actually get to the login page.
2950 * A JsonContent and JsonContentHandler were added for extensions to extend.
2951 * (bug 35045) Redirects to sections will now update the URL in browser's address
2952 bar using the HTML5 History API. When [[Dog]] redirects to [[Animals#Dog]],
2953 the user will now see "Animals#Dog" in their browser instead of "Dog#Dog".
2954 * API token handling has been rewritten. Any API module using tokens will need
2955 to be updated. See the entry below under "Action API internal changes".
2956 * Added HTMLAutoCompleteSelectField.
2957 * Added a new hook, "SkinPreloadExistence", to allow extensions to add titles to
2958 link existence cache before the page is rendered.
2959 * Config::set() was moved to its own interface, MutableConfig. GlobalVarConfig::set()
2960 is now deprecated, does not implement MutableConfig.
2961 * A MutableConfig named HashConfig was added, that stores an array of configuration
2962 settings.
2963 * (bug 69418) A MultiConfig implementation was added that supports fallback
2964 to multiple Config instances.
2965 * Update CSSJanus to v1.1.0.
2966 * Added FormatJson::parse() returning status with result or localized error message
2967 * Added DeletedContribsPager::reallyDoQuery hook allowing extensions to data to
2968 Special:DeletedContributions
2969 * Added DeletedContributionsLineEnding hook allowing extensions to format
2970 Special:DeletedContributions lines
2971 * (T69525) You can now make MediaWiki speed up its thumbnail rendering by using
2972 intermediary thumbnails. $wgThumbnailBuckets must be set to a list of target
2973 thumbnail widths; when a new thumbnail needs to be rendered, MediaWiki will
2974 find the smallest bucket smaller than the original but larger than the target
2975 width + $wgThumbnailMinimumBucketDistance, and it will scale that thumbnail,
2976 rather than the original, down to the target size at greater speed in return
2977 for minor loss of fidelity.
2978
2979 === Bug fixes in 1.24 ===
2980 * (bug 50572) MediaWiki:Blockip should support gender
2981 * (bug 49116) Footer copyright notice is now always displayed in user language
2982 rather than content language (same as copyright notice for editing interface).
2983 * (bug 62258) A bug was fixed in File::getUnscaledThumb when a height
2984 restriction was present in the parameters. Images with both the "frame"
2985 option and a size specification set will now always ignore the provided
2986 size and display an unscaled image, as the documentation has always
2987 claimed it would.
2988 * (bug 39035) Improved Vector skin performance by removing collapsibleNav,
2989 which used to collapse some sidebar elements by default.
2990 This removes -list id suffixes like p-lang-list: instead of using things like
2991 #p-lang-list, you can do #p-lang .body ul.
2992 * (bug 890) Links in Special:RecentChanges and Special:Watchlist no longer
2993 follow redirects to their target pages.
2994 * Parser now dies early if called recursively, instead of producing subtle bugs.
2995 * (bug 14323) Redirect pages, when viewed with redirect=no, no longer hide the
2996 remaining page content.
2997 * (bug 52587) Maintenance script deleteBatch.php no longer follows redirects
2998 in the file namespace and delete the file on the target page. It will still
2999 however delete the redirect page.
3000 * (bug 22683) {{msgnw:}} and other uses of PPFrame::RECOVER_ORIG will correctly
3001 recover the original code of extension tags.
3002 * (bug 65757) MSSQL: Update script drops unnamed constraints to be prepared
3003 for future updates. Because it's doing so heuristically, it may fail or drop
3004 wrong constraints.
3005 * (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
3006 * $wgRunJobsAsync now works with private wikis (e.g. read requires login).
3007 * (bugs 57238, 65206) Blank pages can now be directly created.
3008 * (bug 69789) Title::getContentModel() now loads from the database when
3009 necessary instead of incorrectly returning the default content model.
3010 * (bug 69249) wfBaseConvert() now works around PHP Bug #50175 when using GMP.
3011 * (bug 57909) URLs in the externallinks table will no longer have certain
3012 characters decoded in the query string.
3013 * (bug 67368) LESS mixins like .background-image() correctly flip image
3014 references for RTL stylesheets now.
3015
3016 === Action API changes in 1.24 ===
3017 * action=parse API now supports prop=modules, which provides the list of
3018 ResourceLoader modules that should be used to enhance the parsed content.
3019 * action=query&meta=siteinfo&siprop=interwikimap returns a new "protorel"
3020 field which is true if protocol-relative urls can be used to access
3021 a particular interwiki map entry.
3022 * list=logevents now provides logpage, which is the page ID from the
3023 logging table, if ids are requested and the user has the permissions.
3024 * action=edit now requires that appendtext, prependtext, or section=new be used
3025 when using the 'redirect' parameter, to prevent clients accidentally
3026 overwriting the target page with the content of the redirect.
3027 * list=logevents will now return an error if both letitle and leprefix are
3028 specified.
3029 * list=logevents has a new parameter, lenamespace, to allow filtering by
3030 namespace.
3031 * action=expandtemplates has a new parameter, prop, and a new output format.
3032 The old format is still used if prop isn't provided, but this is deprecated.
3033 * meta=userinfo can now return the count of unread pages on the watchlist.
3034 * list=watchlist can now filter by unread status.
3035 * The deprecated action=parse&prop=languageshtml has been removed.
3036 * (bug 48071) action=setnotificationtimestamp no longer throws PHP or database
3037 errors when no pages are given.
3038 * (bug 60734) Actions that use ApiPageSet (e.g. purge, watch,
3039 setnotificationtimestamp) will now include continuation information when
3040 using a generator.
3041 * Removed 'props' and 'errors' from action=paraminfo, as they have extremely
3042 limited use and are generally inaccurate, unmaintained, and impossible to
3043 properly maintain.
3044 * Formats dbg, dump, txt, wddx, and yaml are now deprecated.
3045 * action=paraminfo now indicates when a parameter is specifying a submodule.
3046 * The iwurl parameter to prop=iwlinks is deprecated in favor of iwprop=url, for
3047 parallelism with prop=langlinks.
3048 * All tokens should be fetched from action=query&meta=tokens; all other methods
3049 of fetching tokens are deprecated. The value needed for meta=tokens's 'type'
3050 parameter for each module is documented in the action=help output and is
3051 returned from action=paraminfo.
3052 * New action ClearHasMsg that can be used to clear HasMsg flag.
3053 * The cmstartsortkey and cmendsortkey parameters to list=categorymembers are
3054 deprecated in favor of cmstarthexsortkey and cmendhexsortkey.
3055 * (bug 63326) Add blockedtimestamp field to output of blockinfo property for
3056 the list=allusers and list=users modules.
3057 * prop=imageinfo no longer requires iiurlwidth to be set when using iiurlparam.
3058 * Added prop=linkshere, prop=fileusage, and prop=transcludedin, which are
3059 roughly equivalent to list=backlinks, list=imageusage, and list=embeddedin
3060 but can work on a list of titles (including titles from a generator).
3061 * prop=redirects can now filter returned redirects by namespace.
3062
3063 === Action API internal changes in 1.24 ===
3064 * Methods for handling continuation are added to ApiResult, so actions other
3065 than query that use generators can easily support continuation.
3066 * $wgAPIModules (and the related $wgAPIFormatModules, $wgAPIMetaModules,
3067 $wgAPIPropModules, and $wgAPIListModules settings) now allow API modules
3068 to be specified using a "module spec" array instead of a plain class name.
3069 A "module spec" is an associative array containing at least the 'class' key
3070 for the module's class, and optionally a 'factory' key for the factory function
3071 to use for the module. This is intended for extensions that want control over
3072 the instantiation of their API modules, to allow for proper dependency
3073 injection.
3074 * A new param type 'submodule' is available. Parameters of this type will take
3075 the list of valid values from the module's ApiModuleManager for the group
3076 corresponding to the parameter name.
3077 * The 'APIGetPossibleErrors' and 'APIGetResultProperties' hooks are no longer used.
3078 * API token handling has been rewritten. Any API module using tokens will need
3079 to be updated:
3080 * ApiBase::needsToken now returns a token type instead of boolean true when a
3081 token is needed. Returning true will throw an exception. See documentation
3082 of that method for details.
3083 * Information for the 'token' parameter is automatically set by ApiBase
3084 getFinalParams and getFinalParamDescription.
3085 * ApiBase::getTokenSalt has been removed.
3086 * The hooks APIQueryInfoTokens, APIQueryRevisionsTokens,
3087 APIQueryRecentChangesTokens, APIQueryUsersTokens, and
3088 ApiTokensGetTokenTypes are deprecated, but are still called to support
3089 backwards-compatible token access.
3090 * ApiBase::validateLimit and ApiBase::validateTimestamp are now protected.
3091 * ApiQueryRedirects was removed; prop=redirects is now implemented by
3092 ApiQueryBacklinksProp along with the newly-added prop modules.
3093 * The following methods have been deprecated and may be removed in a future
3094 release:
3095 * ApiBase::getResultProperties
3096 * ApiBase::getFinalResultProperties
3097 * ApiBase::addTokenProperties
3098 * ApiBase::getRequireOnlyOneParameterErrorMessages
3099 * ApiBase::getRequireMaxOneParameterErrorMessages
3100 * ApiBase::getRequireAtLeastOneParameterErrorMessages
3101 * ApiBase::getTitleOrPageIdErrorMessage
3102 * ApiBase::getPossibleErrors
3103 * ApiBase::getFinalPossibleErrors
3104 * ApiBase::parseErrors
3105 * ApiQuery::setGeneratorContinue
3106 * ApiQueryBase::checkRowCount
3107 * ApiQueryBase::titleToKey
3108 * ApiQueryBase::keyToTitle
3109 * ApiQueryBase::keyPartToTitle
3110 * ApiQueryInfo::getTokenFunctions
3111 * ApiQueryInfo::resetTokenCache
3112 * ApiQueryInfo::getEditToken
3113 * ApiQueryInfo::getDeleteToken
3114 * ApiQueryInfo::getProtectToken
3115 * ApiQueryInfo::getMoveToken
3116 * ApiQueryInfo::getBlockToken
3117 * ApiQueryInfo::getUnblockToken
3118 * ApiQueryInfo::getEmailToken
3119 * ApiQueryInfo::getImportToken
3120 * ApiQueryInfo::getWatchToken
3121 * ApiQueryInfo::getOptionsToken
3122 * ApiQueryRecentChanges::getTokenFunctions
3123 * ApiQueryRecentChanges::getPatrolToken
3124 * ApiQueryRevisions::getTokenFunctions
3125 * ApiQueryRevisions::getRollbackToken
3126 * ApiQueryUsers::getTokenFunctions
3127 * ApiQueryUsers::getUserrightsToken
3128 * The following classes have been deprecated and may be removed in a future
3129 release:
3130 * ApiFormatDbg
3131 * ApiFormatDump
3132 * ApiFormatTxt
3133 * ApiFormatWddx
3134 * ApiFormatYaml
3135 * ApiTokens
3136 * The following class constants have been deprecated and may be removed in a
3137 future release:
3138 * ApiBase::PROP_ROOT
3139 * ApiBase::PROP_LIST
3140 * ApiBase::PROP_TYPE
3141 * ApiBase::PROP_NULLABLE
3142
3143 === Languages updated in 1.24 ===
3144
3145 MediaWiki supports over 350 languages. Many localisations are updated
3146 regularly. Below only new and removed languages are listed, as well as
3147 changes to languages because of Bugzilla reports.
3148
3149 === Other changes in 1.24 ===
3150 * The deprecated jquery.delayedBind ResourceLoader module was removed.
3151 * The deprecated function mw.util.toggleToc was removed.
3152 * The Special:Search hooks SpecialSearchGo and SpecialSearchResultsAppend
3153 were removed as they were unused.
3154 * (bug 65477) User::pingLimiter() now has an additional profile point varying
3155 by action being used.
3156 * mediawiki.util.$content no longer supports old versions of the Vector,
3157 Monobook, Modern and CologneBlue skins that don't yet implement the "mw-body"
3158 and/or "mw-body-primary" class name in their html.
3159 * Added pp_sortkey column to page_props table, so pages can be efficiently
3160 queried and sorted by property value (bug 58032).
3161 See $wgPagePropsHaveSortkey if you want to postpone the schema change.
3162 * BREAKING CHANGE: All four built-in MediaWiki skins (Vector, MonoBook, Modern
3163 and Cologne Blue) were moved out of MediaWiki core to their own respective
3164 repositories. They will be installed with the release tarball, but you must
3165 install them separately if installing MediaWiki from source code. A warning
3166 message displayed until you do it should guide you through the process. See
3167 also <https://www.mediawiki.org/wiki/Manual:Skin_configuration>.
3168 * BREAKING CHANGE: Skins built for MediaWiki 1.15 and earlier that do not use
3169 the "headelement" template key are no longer supported. Setting
3170 $useHeadElement = false; is no longer supported and will not cause old keys
3171 like "headlinks", "skinnameclass", etc. to be defined.
3172 * BREAKING CHANGE: The files commonElements.css, commonContent.css and
3173 commonInterface.css (in skins/common/) have been removed. Skins may no longer
3174 rely on their presence and include them in their style modules. ResourceLoader
3175 modules introduced in MediaWiki 1.23 should be loaded instead:
3176 - skins/common/commonElements.css → 'mediawiki.skinning.elements' module
3177 - skins/common/commonContent.css → 'mediawiki.skinning.content' module
3178 - skins/common/commonInterface.css → 'mediawiki.skinning.interface' module
3179 * The deprecated 'SpecialVersionExtensionTypes' hook was removed.
3180 * (bug 63891) Add 'X-Robots-Tag: noindex' header in action=render pages.
3181 * SpecialPage no longer supports the syntax for invoking wfSpecial*() functions.
3182 Special pages should subclass SpecialPage and implement the execute() method.
3183 * (bug 63755) The deprecated constants RC_MOVE and RC_MOVE_OVER_REDIRECT were
3184 removed.
3185 * Special:MostLinkedTemplates has been renamed to Special:MostTranscludedPages.
3186 * The skin autodiscovery mechanism has been deprecated and will be removed in
3187 MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
3188 for migration guide for creators and users of custom skins that relied on it.
3189 * ResourceLoaderFileModule#getAllStyleFiles now returns all style files and all
3190 skin style files used by the module.
3191 * Removed getLang() from IContextSource and subclasses. (deprecated since 1.19)
3192 * Removed setLang() from subclasses of IContextSource. (deprecated since 1.19)
3193 * Removed WebRequest::escapeAppendQuery(). (deprecated since 1.20)
3194 * Removed info(), purge(), revert() and rollback() from the Article class; they
3195 have since become subclasses of the Action class. (deprecated since 1.19)
3196 * SearchEngineReplacePrefixesComplete hook was removed.
3197 * The "jquery.json" module has been deprecated. Use the "json" module instead.
3198 * Removed HTMLForm::addJS(). (deprecated since 1.18)
3199 * Removed LogEventsList::showHeader(). (deprecated since 1.19)
3200 * Removed ImageGalleryBase::useSkin(). (deprecated since 1.18)
3201 * Removed DatabaseMysqlBase::getLagFromProcesslist(). (deprecated since 1.19)
3202 * Removed LoadBalancer::closeConnecton(). (deprecated since 1.18)
3203 * Removed ApiBase::createContext(). (deprecated since 1.19)
3204 * BREAKING CHANGE: The undocumented Special{$this->getName()}BeforeFormDisplay
3205 set of hooks has been removed and replaced by a single new hook
3206 SpecialPageBeforeFormDisplay.
3207 * (bug 65781) Removed block warning on included {{Special:Contributions}}
3208 * Removed Skin::makeGlobalVariablesScript(). (deprecated since 1.19)
3209 * Removed MWNamespace::isMain(). (deprecated since 1.19)
3210 * Removed Preferences::loadOldSearchNs(). (deprecated since 1.19)
3211 * Removed OutputPage::getStatusMessage(). (deprecated since 1.18)
3212 * Removed OutputPage::isUserJsAllowed(). (deprecated since 1.18)
3213 * Removed Title::updateTitleProtection(). (deprecated since 1.19)
3214 * Removed ParserOptions::setSkin(). (deprecated since 1.19)
3215 * Removed Title::escapeCanonicalURL(). (deprecated since 1.19)
3216 * Removed Title::escapeLocalURL(). (deprecated since 1.19)
3217 * Removed Title::escapeFullURL(). (deprecated since 1.19)
3218 * Removed User::isValidEmailAddr(). (deprecated since 1.18)
3219 * Removed Title::getEscapedText(). (deprecated since 1.19)
3220 * Removed Language::getFallbackLanguageCode(). (deprecated since 1.19)
3221 * Removed WikiPage::isBigDeletion(). (deprecated since 1.19)
3222 * Removed MWInit class which contained functions related to a now discontinued
3223 PHP compiler called hphpc. (deprecated since 1.22)
3224 * ApiResult::enableSizeCheck() and disableSizeCheck() are now obsolete.
3225 * Removed ResourceLoaderGetStartupModules hook. (deprecated since 1.23)
3226 * Removed getFormFields(), onSubmit() and onSuccess() from FormlessAction, as
3227 these were meant specifically for FormAction instead.
3228 * Removed Action::execute().
3229 * Removed AjaxAddScript which has been obsolete since ResourceLoader and
3230 is unused by any modern extension.
3231 * Removed maintenance/nextJobDB.php; no longer in use.
3232 * Removed global function wfViewPrevNext(). (deprecated since 1.19)
3233 * Removed global function xmlsafe() from Export.php. (moved to OAIRepo extension)
3234 * Removed Title::userCanRead(). (deprecated since 1.19)
3235 * Removed maintenance script importTextFile.php. Use edit.php script instead.
3236 * A _from_namespace field has been added to the templatelinks, pagelinks,
3237 and filelinks tables. Run update.php to apply this change to the schema.
3238 * Removed File::sha1Base36(). (deprecated since 1.19)
3239 * Removed File::getPropsFromPath(). (deprecated since 1.19)
3240 * Removed functions blockedPage(), noCreatePermission(), readOnlyPage() and
3241 userNotLoggedInPage() from EditPage.php. (deprecated since 1.19)
3242 * Removed functions getContent(), getPreloadedText(), mergeChangesInto() and
3243 setPreloadedText() from EditPage.php. (deprecated since 1.21)
3244 * Removed global functions wfArrayLookup(), wfArrayMerge(), wfDebugDieBacktrace()
3245 and wfTime(). (deprecated since 1.22)
3246 * Browser support for Internet Explorer 6 and 7 lowered from Grade A to Grade C,
3247 meaning that JavaScript is no longer executed in these browser versions.
3248 * Browser support for Opera 11 lowered from Grade A to Grade C.
3249 * Removed IEFixes module which existed purely to provide support for MSIE versions
3250 below 7 (conditionally loaded only for those browsers).
3251 * Deprecated SpecialPageFactory::getList() in favor of
3252 SpecialPageFactory::getNames()
3253 * Action::checkCanExecute() no longer has a return value.
3254 * Removed cleanupForIRC(), loadFromCurRow(), newFromCurRow(), notifyRC2UDP()
3255 and sendToUDP() from RecentChange.php. (deprecated since 1.22)
3256 * Removed EnhancedChangesList::arrow(), sideArrow(), downArrow(), spacerArrow().
3257 * Removed Xml::namespaceSelector(). (deprecated since 1.19)
3258 * Removed WikiPage::estimateRevisionCount(). (deprecated since 1.19)
3259 * MYSQL: Enum item added to "major MIME type" columns.
3260 Running update.php on MySQL < v5.1 may result in heavy processing.
3261 * RSS and Atom feeds generated by MediaWiki no longer include a fallback
3262 stylesheet. It was ignored by most browsers these days anyway.
3263 * SpecialSearchNoResults hook has been removed. SpecialSearchResults is now
3264 called unconditionally.
3265 * TablePager::getBody() is now 'final' and can't be overridden in subclasses.
3266 * TablePager::getBody() is deprecated, use getBodyOutput() or getFullOutput().
3267 * Added $outputPage parameter to the SkinTemplateGetLanguageLink hook.
3268 * log_page for move log entries store the original page ID, rather than that
3269 of the new redirect page. This is not retroactive.
3270 * LCStoreAccel was removed. $wgLocalisationCacheConf can no longer be set to
3271 use this store class.
3272 * Html::infoBox() no longer accepts paths relative to skins/common/images/.
3273 * Deprecated defunct Skin::getCommonStylePath().
3274 * Some extensions had their ResourceLoader modules depend on the "mediawiki"
3275 and "jquery" modules. In the past, this behavior was undefined, now it will
3276 throw an error.
3277 * Removed BagOStuff::replace(). (deprecated since 1.23)
3278 * In Linker.php, link(), linkText() and makeBrokenImageLinkObj() now display
3279 warnings if their first parameter is not a Title object. Also makeImageLink()
3280 now requires a Parser as its first parameter.
3281 * (bug 67368) LESS functions embed() and embeddable(), added in MediaWiki 1.23
3282 and broken by design, have been removed. Use appropriate LESS mixins instead.
3283 * Removed cssjanus.py from maintenance directory as it was unused.
3284 * Removed maintenance/purgeOldText.inc and the PurgeRedundantText() function
3285 it contained (superseded by Maintenance::purgeRedundantText() in 1.16).
3286 The purgeOldText.php maintenance script has been retained.
3287 * PHPUnit tests can be found by directory discovery, by adding the directory
3288 path from your UnitTestsList callback. Older versions of MediaWiki core will
3289 barf at this usage.
3290
3291 ==== Renamed classes ====
3292 * CLDRPluralRuleConverter_Expression to CLDRPluralRuleConverterExpression
3293 * CLDRPluralRuleConverter_Fragment to CLDRPluralRuleConverterFragment
3294 * CLDRPluralRuleConverter_Operator to CLDRPluralRuleConverterOperator
3295 * CLDRPluralRuleEvaluator_Range to CLDRPluralRuleEvaluatorRange
3296 * CSSJanus_Tokenizer to CSSJanusTokenizer
3297 * MediaWiki_I18N to MediaWikiI18N
3298 * Parser_DiffTest to ParserDiffTest
3299 * RevDel_ArchiveItem to RevDelArchiveItem
3300 * RevDel_ArchiveList to RevDelArchiveList
3301 * RevDel_ArchivedFileItem to RevDelArchivedFileItem
3302 * RevDel_ArchivedFileList to RevDelArchivedFileList
3303 * RevDel_ArchivedRevisionItem to RevDelArchivedRevisionItem
3304 * RevDel_FileItem to RevDelFileItem
3305 * RevDel_FileList to RevDelFileList
3306 * RevDel_Item to RevDelItem
3307 * RevDel_List to RevDelList
3308 * RevDel_LogItem to RevDelLogItem
3309 * RevDel_LogList to RevDelLogList
3310 * RevDel_RevisionItem to RevDelRevisionItem
3311 * RevDel_RevisionList to RevDelRevisionList
3312 * WebInstaller_Complete to WebInstallerComplete
3313 * WebInstaller_Copying to WebInstallerCopying
3314 * WebInstaller_DBConnect to WebInstallerDBConnect
3315 * WebInstaller_DBSettings to WebInstallerDBSettings
3316 * WebInstaller_Document to WebInstallerDocument
3317 * WebInstaller_ExistingWiki to WebInstallerExistingWiki
3318 * WebInstaller_Install to WebInstallerInstall
3319 * WebInstaller_Language to WebInstallerLanguage
3320 * WebInstaller_Name to WebInstallerName
3321 * WebInstaller_Options to WebInstallerOptions
3322 * WebInstaller_Readme to WebInstallerReadme
3323 * WebInstaller_ReleaseNotes to WebInstallerReleaseNotes
3324 * WebInstaller_Restart to WebInstallerRestart
3325 * WebInstaller_Upgrade to WebInstallerUpgrade
3326 * WebInstaller_UpgradeDoc to WebInstallerUpgradeDoc
3327 * WebInstaller_Welcome to WebInstallerWelcome
3328
3329 ==== Removed classes ====
3330 * IPBlockForm - Use SpecialBlock directly
3331 * WatchlistEditor - Use SpecialEditWatchlist directly
3332 * FormatExif - Use FormatMetadata directly
3333 * RevertFileAction - Use RevertAction directly
3334 * HistoryPage - Use HistoryAction directly
3335 * RawPage - Use RawAction directly
3336 * StubContLang - Use Language::factory() instead
3337 * XMLReader2 - Use XMLReader directly
3338 * ResourceLoaderLESSFunctions - No longer in use, not intended for public usage
3339
3340 ==== Removed files ====
3341 The skins/common/ directory, previously containing some assets intended to be
3342 used by skins and a number of legacy styles and scripts, has been removed. Its
3343 contents have been deleted or relocated into the resources/ directory. Full list
3344 of files that are no longer available follows.
3345
3346 * skins/common/ajax.js
3347 * skins/common/commonContent.css
3348 * skins/common/commonElements.css
3349 * skins/common/commonInterface.css
3350 * skins/common/commonPrint.css
3351 * skins/common/config-cc.css
3352 * skins/common/config.css
3353 * skins/common/config.js
3354 * skins/common/feed.css
3355 * skins/common/IEFixes.js
3356 * skins/common/oldshared.css
3357 * skins/common/protect.js
3358 * skins/common/shared.css
3359 * skins/common/upload.js
3360 * skins/common/wikibits.js
3361 * skins/common/images/add.png
3362 * skins/common/images/ajax-loader.gif
3363 * skins/common/images/arrow_disabled_first_25.png
3364 * skins/common/images/arrow_disabled_last_25.png
3365 * skins/common/images/arrow_disabled_left_25.png
3366 * skins/common/images/arrow_disabled_right_25.png
3367 * skins/common/images/arrow_first_25.png
3368 * skins/common/images/arrow_last_25.png
3369 * skins/common/images/arrow_left_25.png
3370 * skins/common/images/arrow_right_25.png
3371 * skins/common/images/Arr_.png
3372 * skins/common/images/Arr_d.png
3373 * skins/common/images/Arr_l.png
3374 * skins/common/images/Arr_r.png
3375 * skins/common/images/Arr_u.png
3376 * skins/common/images/bullet.gif
3377 * skins/common/images/button_bold.png
3378 * skins/common/images/button_extlink.png
3379 * skins/common/images/button_headline.png
3380 * skins/common/images/button_hr.png
3381 * skins/common/images/button_image.png
3382 * skins/common/images/button_italic.png
3383 * skins/common/images/button_link.png
3384 * skins/common/images/button_media.png
3385 * skins/common/images/button_nowiki.png
3386 * skins/common/images/button_sig.png
3387 * skins/common/images/button_template.png
3388 * skins/common/images/cc-0.png
3389 * skins/common/images/cc-by-nc-sa.png
3390 * skins/common/images/cc-by-sa.png
3391 * skins/common/images/cc-by.png
3392 * skins/common/images/Checker-16x16.png
3393 * skins/common/images/closewindow.png
3394 * skins/common/images/closewindow19x19.png
3395 * skins/common/images/critical-32.png
3396 * skins/common/images/diffunderline.gif
3397 * skins/common/images/download-32.png
3398 * skins/common/images/feed-icon.png
3399 * skins/common/images/feed-icon.svg
3400 * skins/common/images/gnu-fdl.png
3401 * skins/common/images/help-question-hover.gif
3402 * skins/common/images/help-question.gif
3403 * skins/common/images/info-32.png
3404 * skins/common/images/link_icon.gif
3405 * skins/common/images/magnify-clip-rtl.png
3406 * skins/common/images/magnify-clip.png
3407 * skins/common/images/mediawiki.png
3408 * skins/common/images/nextredirectltr.png
3409 * skins/common/images/nextredirectrtl.png
3410 * skins/common/images/poweredby_mediawiki_88x31.png
3411 * skins/common/images/public-domain.png
3412 * skins/common/images/question-small.png
3413 * skins/common/images/question.svg
3414 * skins/common/images/redirectltr.png
3415 * skins/common/images/redirectrtl.png
3416 * skins/common/images/remove.png
3417 * skins/common/images/spinner.gif
3418 * skins/common/images/tick-32.png
3419 * skins/common/images/tipsy-arrow.gif
3420 * skins/common/images/tooltip_icon.png
3421 * skins/common/images/warning-32.png
3422 * skins/common/images/wiki.png
3423 * skins/common/images/Zoom_sans.gif
3424 * skins/common/images/ar/button_bold.png
3425 * skins/common/images/ar/button_headline.png
3426 * skins/common/images/ar/button_italic.png
3427 * skins/common/images/ar/button_link.png
3428 * skins/common/images/ar/button_nowiki.png
3429 * skins/common/images/be-tarask/button_bold.png
3430 * skins/common/images/be-tarask/button_italic.png
3431 * skins/common/images/be-tarask/button_link.png
3432 * skins/common/images/cyrl/button_bold.png
3433 * skins/common/images/cyrl/button_italic.png
3434 * skins/common/images/cyrl/button_link.png
3435 * skins/common/images/de/button_bold.png
3436 * skins/common/images/de/button_italic.png
3437 * skins/common/images/fa/button_bold.png
3438 * skins/common/images/fa/button_headline.png
3439 * skins/common/images/fa/button_italic.png
3440 * skins/common/images/fa/button_link.png
3441 * skins/common/images/fa/button_nowiki.png
3442 * skins/common/images/icons/fileicon-c.png
3443 * skins/common/images/icons/fileicon-cpp.png
3444 * skins/common/images/icons/fileicon-deb.png
3445 * skins/common/images/icons/fileicon-djvu.png
3446 * skins/common/images/icons/fileicon-djvu.xcf
3447 * skins/common/images/icons/fileicon-dvi.png
3448 * skins/common/images/icons/fileicon-exe.png
3449 * skins/common/images/icons/fileicon-h.png
3450 * skins/common/images/icons/fileicon-html.png
3451 * skins/common/images/icons/fileicon-iso.png
3452 * skins/common/images/icons/fileicon-java.png
3453 * skins/common/images/icons/fileicon-mid.png
3454 * skins/common/images/icons/fileicon-mov.png
3455 * skins/common/images/icons/fileicon-o.png
3456 * skins/common/images/icons/fileicon-ogg.png
3457 * skins/common/images/icons/fileicon-ogg.xcf
3458 * skins/common/images/icons/fileicon-pdf.png
3459 * skins/common/images/icons/fileicon-ps.png
3460 * skins/common/images/icons/fileicon-psd.png
3461 * skins/common/images/icons/fileicon-rm.png
3462 * skins/common/images/icons/fileicon-rpm.png
3463 * skins/common/images/icons/fileicon-svg.png
3464 * skins/common/images/icons/fileicon-tar.png
3465 * skins/common/images/icons/fileicon-tex.png
3466 * skins/common/images/icons/fileicon-ttf.png
3467 * skins/common/images/icons/fileicon-txt.png
3468 * skins/common/images/icons/fileicon.png
3469 * skins/common/images/ksh/button_S_italic.png
3470
3471 = MediaWiki 1.23 =
3472
3473 == MediaWiki 1.23.16 ==
3474 This is a security and maintenance release of the MediaWiki 1.23 branch.
3475
3476 === Changes since 1.23.15 ===
3477 * (T68404) CSS3 attr() function with url type is no longer allowed
3478 in inline styles.
3479 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
3480 * Submitting the lgtoken and lgpassword parameters in the query string to
3481 action=login is now deprecated and outputs a warning. They should be submitted
3482 in the POST body instead.
3483 * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
3484 to interwiki links.
3485 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
3486 $wgAdvancedSearchHighlighting is true.
3487 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
3488 their values out of the logs.
3489 * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
3490 token.
3491 * (T156184) SECURITY: Escape content model/format url parameter in message.
3492 * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
3493 declaration.
3494 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
3495 syntax's link parameter.
3496 * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
3497 it.
3498
3499 == MediaWiki 1.23.15 ==
3500
3501 This is a maintenance release of the MediaWiki 1.23 branch.
3502
3503 === Changes since 1.23.14 ===
3504 * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
3505 made by MediaWiki via a proxy. Relying on the http_proxy environment
3506 variable is no longer supported.
3507 * (T139565) SECURITY: API: Generate head items in the context of the given title
3508 * (T137264) SECURITY: XSS in unclosed internal links
3509 * (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
3510 * (T133147) SECURITY: Require login to preview user CSS pages
3511 * (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
3512 the top file
3513 * (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
3514 permissions
3515 * (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
3516 * (T115333) SECURITY: Check read permission when loading page content in ApiParse
3517 * Remove support for $wgWellFormedXml = false, all output is now well formed
3518
3519 == MediaWiki 1.23.13 ==
3520
3521 This is a maintenance release of the MediaWiki 1.23 branch.
3522
3523 === Changes since 1.23.12 ===
3524 * (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
3525
3526 == MediaWiki 1.23.12 ==
3527
3528 This is a security and maintenance release of the MediaWiki 1.23 branch.
3529
3530 === Changes since 1.23.11 ===
3531 * (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
3532 that do not begin with a slash. This enabled trivial XSS attacks.
3533 Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
3534 "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
3535 error.
3536 * (T119309) SECURITY: Use hash_compare() for edit token comparison
3537 * (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
3538 with '@' as file uploads
3539 * (T115522) SECURITY: Passwords generated by User::randomPassword() can no
3540 longer be shorter than $wgMinimalPasswordLength
3541 * (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
3542 result in improper blocks being issued
3543 * (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
3544 and related pages no longer use HTTP redirects and are now redirected by
3545 MediaWiki
3546
3547 == MediaWiki 1.23.11 ==
3548
3549 This is a security and maintenance release of the MediaWiki 1.23 branch.
3550
3551 === Changes since 1.23.10 ===
3552
3553 * (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
3554 * (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
3555 * (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
3556
3557 == MediaWiki 1.23.10 ==
3558
3559 This is a security and maintenance release of the MediaWiki 1.23 branch.
3560
3561 === Changes since 1.23.9 ===
3562
3563 * (T94116) SECURITY: Compare API watchlist token in constant time
3564 * (T97391) SECURITY: Escape error message strings in thumb.php
3565 * (T106893) SECURITY: Don't leak autoblocked IP addresses on
3566 Special:DeletedContributions
3567 * (bug 67644) Make AutoLoaderTest handle namespaces
3568 * (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
3569 * (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
3570 policy of Wikimedia Commons.
3571
3572 == MediaWiki 1.23.9 ==
3573
3574 This is a security and maintenance release of the MediaWiki 1.23 branch.
3575
3576 === Changes since 1.23.8 ===
3577
3578 * (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
3579 to prevent various DoS attacks.
3580 * (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
3581 likelihood of DoS.
3582 * (T88310) SECURITY: Always expand xml entities when checking SVG's.
3583 * (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
3584 * (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
3585 * (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
3586 prevent XSS and protect viewer's privacy.
3587 * (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
3588 update.php to fix.
3589 * (bug T70087) Fix Special:ActiveUsers page for installations using
3590 PostgreSQL.
3591
3592 == MediaWiki 1.23.8 ==
3593
3594 This is a security and maintenance release of the MediaWiki 1.23 branch.
3595
3596 === Changes since 1.23.7 ===
3597
3598 * (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
3599 could lead to xss. Permission to edit MediaWiki namespace is required to
3600 exploit this.
3601 * (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
3602 $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
3603 part of its name.
3604 * (bug T74222) The original patch for T74222 was reverted as unnecessary.
3605
3606 == MediaWiki 1.23.7 ==
3607
3608 This is a security and maintenance release of the MediaWiki 1.23 branch.
3609
3610 === Changes since 1.23.6 ===
3611
3612 * (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
3613 into API clients that used format=php to process pages that underwent flash
3614 policy mangling. This was fixed along with improving how the mangling was done
3615 for format=json, and allowing sites to disable the mangling using
3616 $wgMangleFlashPolicy.
3617 * (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
3618 the content model for a page could allow an unprivileged attacker to edit
3619 another user's common.js under certain circumstances. The user right
3620 "editcontentmodel" was added, and is needed to change a revision's content
3621 model.
3622 * (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
3623 HTML, it is not safe to preview wikitext coming from an untrusted source such
3624 as a cross-site request. Thus add an edit token to the form, and when raw HTML
3625 is allowed, ensure the token is provided before showing the preview. This
3626 check is not performed on wikis that both allow raw HTML and anonymous
3627 editing, since there are easier ways to exploit that scenario.
3628 * (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
3629 DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
3630 public RFC about the desired functionality. This issue was reported by user
3631 Bawolff.
3632 * (bug 71621) Make allowing site-wide styles on restricted special pages a
3633 config option.
3634 * (bug 42723) Added updated version history from 1.19.2 to 1.22.13
3635 * $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
3636 might be a flash policy directive configurable.
3637
3638 == MediaWiki 1.23.6 ==
3639
3640 This is a maintenance release of the MediaWiki 1.23 branch.
3641
3642 === Changes since 1.23.5 ===
3643 * (Bug 72274) Job queue not running (HTTP 411) due to missing
3644 Content-Length: header
3645 * (Bug 67440) Allow classes to be registered properly from installer
3646
3647 == MediaWiki 1.23.5 ==
3648
3649 This is a security release of the MediaWiki 1.23 branch.
3650
3651 === Changes since 1.23.4 ===
3652 * (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
3653 allowance.
3654
3655 == MediaWiki 1.23.4 ==
3656
3657 This is a security and maintenance release of the MediaWiki 1.23 branch.
3658
3659 === Changes since 1.23.3 ===
3660
3661 * (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
3662 elements; normalize style elements and attributes before filtering; add
3663 checks for attributes that contain css; add unit tests for html5sec and
3664 reported bugs.
3665 * (bug 65998) Make MySQLi work with non-standard socket.
3666 * (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
3667 settings.
3668
3669 == MediaWiki 1.23.3 ==
3670
3671 This is a maintenance release of the MediaWiki 1.23 branch.
3672
3673 === Changes since 1.23.2 ===
3674
3675 * (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
3676 * (bug 64970) Fix support for blobs on DatabaseOracle::update.
3677 * (bug 66574) Display MediaWiki:Loginprompt on the login page.
3678 * (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
3679 * (bug 60629) Handle invalid language code gracefully in
3680 Language::fetchLanguageNames.
3681 * (bug 62017) Restore the number of rows shown on Special:Watchlist.
3682 * Check for boolean false result from database query in SqlBagOStuff.
3683
3684 == MediaWiki 1.23.2 ==
3685
3686 This is a security and maintenance release of the MediaWiki 1.23 branch.
3687
3688 === Changes since 1.23.1 ===
3689
3690 * (bug 68187) SECURITY: Prepend jsonp callback with comment.
3691 * (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
3692 for loading a new page in Javascript,instead of relying on the URL in the link
3693 that has been clicked.
3694 * (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
3695 ParserOutput.
3696 * (bug 68313) Preferences: Turn stubthreshold back into a combo box.
3697 * (bug 65214) Fix initSiteStats.php maintenance script.
3698 * (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
3699
3700 == MediaWiki 1.23.1 ==
3701
3702 This is a security and maintenance release of the MediaWiki 1.23 branch.
3703
3704 === Changes since 1.23.0 ===
3705
3706 * (bug 65839) SECURITY: Prevent external resources in SVG files.
3707 * (bug 67025) Special:Watchlist: Don't try to render empty row.
3708 * (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
3709 * (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
3710 * (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
3711 like only extracting the tail of the file partially or not at all.
3712 * (bug 66182) Removed -x flag on some php files.
3713
3714 == MediaWiki 1.23.0 ==
3715
3716 === Configuration changes in 1.23 ===
3717 * (bug 13250) Restored method for clearing a watchlist in web UI
3718 so that users with large watchlists don't have to perform
3719 contortions to clear them.
3720 * When $wgJobRunRate is higher than zero, jobs are now executed via an
3721 asynchronous HTTP request to a MediaWiki entry point. This may require
3722 increasing the number of server worker threads. $wgRunJobsAsync has been
3723 added to disable this feature if needed, falling back to executing the job
3724 on the same process but making the execution synchronously.
3725 * $wgDebugLogGroups values may be set to an associative array with a
3726 'destination' key specifying the log destination. The array may also contain
3727 a 'sample' key with a positive integer value N indicating that the log group
3728 should be sampled by dispatching one in every N messages on average. The
3729 sampling is random.
3730 * In addition to the current exception log format, MediaWiki now serializes
3731 exception metadata to JSON and logs it to the 'exception-json' log group.
3732 This makes MediaWiki easier to integrate with log aggregation and analysis
3733 tools.
3734 * $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
3735 Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
3736 addresses that should be trusted to provide X-Forwarded-For headers.
3737 * Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add
3738 pages I create and files I upload to my watchlist", "Add pages and files I
3739 edit to my watchlist", "Email me when a page or file on my watchlist is
3740 changed") are now enabled by default. In addition new user accounts' personal
3741 and talk pages are now watched by them by default.
3742 * $wgLBFactoryConf: Class names have had underscores removed. The configuration
3743 should be updated if LBFactory_Simple or LBFactory_Multi is configured.
3744 * $wgPasswordSenderName has been removed and is no longer functional. To set a
3745 custom mailer name, the system message 'emailsender' should be modified
3746 (default: "{{SITENAME}}").
3747 * (bug 63269) Email notifications were not correctly handling the
3748 [[MediaWiki:Helppage]] message being set to a full URL (the default).
3749 If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
3750 you'll need to edit it locally to include the URL via the new variable
3751 $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
3752 you don't have to do anything.
3753 * $wgDBAhandler was removed as the only class using it was also removed
3754 * The 'max threads' setting was removed from $wgDBservers.
3755 * Support for AdminSettings.php has been completely removed. All configuration
3756 belongs in LocalSettings.php.
3757 * $wgSkipSkin, which has been replaceable by $wgSkipSkins since 2005 (r9249), is
3758 now formally deprecated.
3759 * Removed deprecated $wgDisabledActions as it is hardly used anywhere.
3760 * $wgRateLimitLog has been deprecated and replaced by
3761 $wgDebugLogGroup['ratelimit'].
3762 * $wgLocalInterwikis is an array containing multiple local interwiki prefixes
3763 (interwiki prefixes that point back to the current wiki). This effectively
3764 allows more than one value of $wgLocalInterwiki to be specified and
3765 understood by the parser. The value of $wgLocalInterwiki is automatically
3766 prepended to the start of this array.
3767 * $wgQueryPages has been removed. Query Pages should be added to by using the
3768 wgQueryPages hook.
3769 * $wgHttpOnlyBlacklist has been removed.
3770 * $wgLicenseTerms has been removed as it was unused.
3771 * $wgProfileOnly is now deprecated; set the log file in
3772 $wgDebugLogGroups['profileoutput'] to replace it.
3773 * $wgMaxBacklinksInvalidate was removed; use $wgJobBackoffThrottling instead
3774 * Deprecated ResourceLoaderGetStartupModules hook.
3775
3776 === New features in 1.23 ===
3777 * ResourceLoader can utilize the Web Storage API to cache modules client-side.
3778 Compared to the browser cache, caching in Web Storage allows ResourceLoader
3779 to be more granular about evicting stale modules from the cache while
3780 retaining the ability to retrieve multiple modules in a single HTTP request.
3781 This capability can be enabled by setting $wgResourceLoaderStorageEnabled to
3782 true. This feature is currently considered experimental and should only be
3783 enabled with care.
3784 * (bug 6092) Add expensive parser functions {{REVISIONID:}}, {{REVISIONUSER:}}
3785 and {{REVISIONTIMESTAMP:}} (with friends).
3786 * Add "wgRelevantUserName" to mw.config containing the current
3787 Skin::getRelevantUser value.
3788 * (bug 56033) Add content model to the page information.
3789 * Added Article::MissingArticleConditions hook to give extensions a chance to
3790 hide their (unrelated) log entries.
3791 * Added LonelyPagesQuery hook to let extensions modify the query used to
3792 generate Special:LonelyPages.
3793 * Added $wgOpenSearchDefaultLimit defining the default number of entries to show
3794 on action=opensearch API call.
3795 * For namespaces with $wgNamespaceProtection (including the MediaWiki
3796 namespace), the "protect" tab will be shown only if there are restriction
3797 levels available that would restrict editing beyond what
3798 $wgNamespaceProtection already applies. The protection form will offer only
3799 those protection levels.
3800 * Added $wgAPIFormatModules, allowing extensions to add additional output
3801 formatting modules for the API.
3802 * (bug 47812) The MediaWiki:Group-user.{css,js} pages can now be used to add
3803 custom CSS or JavaScript enabled only for registered users.
3804 * (bug 52005) Special pages RecentChanges, RecentChangesLinked and Watchlist
3805 now include a legend describing the symbols used in lists of changes.
3806 * Improved the accessibility of the tabs in Special:Preferences.
3807 * Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook:
3808 it's called after everything is set up but before any major processing
3809 happens.
3810 * The jquery.client module now performs a component-wise version comparison in
3811 its #test method when strings are used in the browser map: version '1.10' is
3812 now correctly considered larger than '1.2'. Using numbers in the version map
3813 is not affected.
3814 * All API modules now support an assert parameter, which can either be
3815 'user' or 'bot'. The API will throw an error if the user is not logged
3816 in (user) or does not have the 'bot' userright (bot). Based off of the
3817 AssertEdit extension by Steve Sanbeg.
3818 * [[Special:Diff]] was added, allowing users to create internal links to
3819 revision comparison pages using syntax such as [[Special:Diff/12345]],
3820 [[Special:Diff/12345/prev]] or [[Special:Diff/12345/98765]].
3821 * New user accounts' personal and talk pages are now watched by them by default.
3822 * Added SkinTemplateGetLanguageLink hook to allow changing the html of language
3823 links.
3824 * Added MessageCache::get hook as a new way to customize messages across
3825 multiple sites.
3826 * Added jquery.throttle-debounce ResourceLoader module to limit the number of
3827 callbacks for frequently occurring events.
3828 * Special:ProtectedPages shows now a table. The timestamp, the reason and
3829 the protecting user are also shown.
3830 * Added experimental support for using Microsoft SQL Server as the database
3831 backend.
3832 ** Added new Microsoft SQL Server-specific configuration variable
3833 $wgDBWindowsAuthentication, which makes the web server authenticate against
3834 the database server using Integrated Windows Authentication instead of
3835 $wgDBuser/$wgDBpassword.
3836 * HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and
3837 'radio' fields can now use message keys as labels via the 'options-messages'
3838 parameter, which overrides the 'options' parameter.
3839 * Admins can expire users passwords manually, or on a schedule using the
3840 $wgPasswordExpirationDays configuration setting.
3841 * Add new hook SendWatchlistEmailNotification, this will be used to determine
3842 whether to send a watchlist email notification.
3843 * (bug 42026) Special:Contributions now includes an option to filter page
3844 creations, similar to the topOnly option.
3845 * Add mediawiki.ui.button styling to all pages so wiki content can use styled
3846 buttons.
3847 * Special:UserLogin/signup now does AJAX checks for invalid and taken usernames,
3848 displaying the error live.
3849 * Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
3850 * Support has been added for a JSON based localisation file format. The
3851 installer has been updated to use it.
3852 * Changes to content typography (colors, line-height etc.). See
3853 https://www.mediawiki.org/wiki/Typography_refresh for further information.
3854 * The Vector skin's visual treatment of external links has been simplified to a
3855 single icon (from nine). This should not affect local rules unless they were
3856 re-using these icons, which have now been deleted.
3857 * ResourceLoader: mw.loader.using() now implements a Promise interface.
3858 * Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows.
3859 If called by the ChangesList consumer this gives extensions a chance to batch
3860 process the result set prior to rendering.
3861 * A PoolCounterRedis class was added which can be make use of in $wgPoolCounterConf.
3862 This requires at least one Redis 2.6+ server.
3863 * $wgProfileToDatabase was removed. Set $wgProfiler to ProfilerSimpleDB
3864 in StartProfiler.php instead of using this.
3865 * (bug 63444) Made it possible to change the indent string (default: 4 spaces)
3866 used by FormatJson::encode().
3867
3868 === Bug fixes in 1.23 ===
3869 * (bug 41759) The "updated since last visit" markers (on history pages, recent
3870 changes and watchlist) and the talk page message indicator are now correctly
3871 updated when the user is viewing old revisions of pages, instead of always
3872 acting as if the latest revision was being viewed.
3873 * (bug 56443) Special:ConfirmEmail no longer shows a "Mail a confirmation code"
3874 when the email address is already confirmed. Also, consistently use
3875 "confirmed", rather than "authenticated", when messaging whether or not the
3876 user has confirmed an email address.
3877 * (bug 19415) action=render no longer shows section edit links. This affects
3878 behavior of several other features where (bogus) section edit links will
3879 disappear, such as file description pages loaded via $wgUseInstantCommons or
3880 pages transcluded cross-wiki via $wgEnableScaryTranscluding.
3881 * (bug 56912) Show correct link color on cached result of Special:DeadendPages.
3882 * Classes TitleListDependency and TitleDependency have been removed, as they
3883 have been found unused in core and extensions for a long time.
3884 * (bug 57098) SpecialPasswordReset now obeys returnto parameter
3885 * (bug 37812) ResourceLoader will notice when a module's definition changes and
3886 recompile it accordingly.
3887 * (bug 57201) SpecialRecentChangesFilters hook is now executed for feeds.
3888 * (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
3889 to appear blank or with missing text.
3890 * (bug 56931) Updated the plural rules to CLDR 24. They are in new format
3891 which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as
3892 the JavaScript evaluator were updated to support the new format. Plural rules
3893 for some languages have changed, most notably Russian. Affected software
3894 messages have been updated and marked for review at translatewiki.net.
3895 * (bug 23542) imagelinks now stores both the redirect and target (as
3896 templatelinks does).
3897 * (bug 58167) The web installer no longer throws an exception when PHP is
3898 compiled without support for MySQL yet with support for another DBMS.
3899 * (bug 56199) Raw option of parser functions must now match complete word,
3900 to take effect.
3901 * (bug 60543) Special:PrefixIndex forgot stripprefix=1 for "Next page" link
3902 * (bug 29762) Undoing an already-undone edit will now display an appropriate
3903 message instead of leading the user to make a null edit.
3904 * (bug 52659) mediawiki.notification: Notification area remained visible when
3905 empty and thus was stealing pointer events from links on the page.
3906 * (bug 26811) When a DBUnexpectedError occurs, DB server hostnames are now
3907 hidden unless $wgShowExceptionDetails is true, and $wgShowDBErrorBacktrace
3908 no longer applies in such cases.
3909 * (bug 60960) Avoid doing file_exist() checks on data: URIs, as they cause
3910 warnings to be printed on Windows due to large path length.
3911 * (bug 48084) Fixed a bug in the installer that could cause $wgLogo to hold
3912 the wrong path to the placeholder logo (skins/common/images/wiki.png).
3913 * (bug 64289) jquery.textSelection: Don't throw errors on empty collections.
3914
3915 === Web API changes in 1.23 ===
3916 * (bug 54884) action=parse&prop=categories now indicates hidden and missing
3917 categories.
3918 * action=query&meta=filerepoinfo now returns additional information for each
3919 repo.
3920 * action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in
3921 MediaWiki 1.24.
3922 * action=parse now has disabletoc flag to disable table of contents in output.
3923 * (bug 25702) list=allcategories, list=allimages, list=alllinks, list=allpages,
3924 list=deletedrevs and list=filearchive did not handle case-sensitivity
3925 properly for all parameters.
3926 * ApiQueryBase::titlePartToKey allows an extra parameter that indicates the
3927 namespace in order to properly capitalize the title part.
3928 * (bug 57874) action=feedcontributions no longer has one item more than limit.
3929 * All API modules now support an assert parameter. See the new features section
3930 for more details.
3931 * Added prop=contributors to fetch the list of contributors to the page.
3932 * The following API modules will now return entries where fields have been
3933 revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges,
3934 list=watchlist. "hidden" indicators will be included, in the same style as is
3935 already done for prop=revisions.
3936 * The following API modules will now return the content of revision-deleted
3937 fields, in addition to the "hidden" indicators, if the querying user has the
3938 necessary rights: list=logevents, list=usercontribs, prop=imageinfo,
3939 prop=revisions.
3940 * The above modules, where applicable, will now return entries filtered by
3941 revision-deleted fields if the querying user has the necessary rights. For
3942 example, prop=revisions with rvuser or rvexcludeuser will no longer skip
3943 revisions where the user was revision-deleted if the current user has the
3944 deletedhistory right.
3945 * The 'hideuser' right, used when blocking, is no longer necessary or
3946 sufficient for seeing contributions with revision-deleted in
3947 list=usercontribs.
3948 * list=watchlist now uses the querying user's rights rather than the wlowner's
3949 rights when checking whether wlprop=patrol is allowed.
3950 * (bug 32151) ApiWatch now has pageset capabilities (titles/pageids/generators).
3951 Title parameter is now deprecated.
3952 * (bug 23005) Added action=revisiondelete.
3953 * Added siprop=restrictions to API action=query&meta=siteinfo for querying
3954 possible page restriction (protection) levels and types.
3955 * Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
3956 * (bug 58627) Provide language names on action=parse&prop=langlinks.
3957 * Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
3958 * Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
3959 * prop=redirects is added, to return redirects to the pages in the query.
3960 * list=allredirects is added, to list all redirects pointing to a namespace.
3961 * (bug 42026) Added ucshow={new,!new,top,!top} to list=usercontribs.
3962 Also added newonly to action=feedcontributions.
3963 * (bug 42026) Deprecated uctoponly in favor of ucshow=top.
3964 * list=search no longer has a "srredirects" parameter. Redirects are now
3965 included in all searches.
3966 * Added list=prefixsearch that works like action=opensearch but can be used as
3967 a generator.
3968 * (bug 24782) Various modules will now use unique continuation parameters.
3969 * (bug 63249) Cache RecentChanges Atom feed in varnish for 15 seconds.
3970
3971 === Languages updated in 1.23 ===
3972
3973 MediaWiki supports over 350 languages. Many localisations are updated
3974 regularly. Below only new and removed languages are listed, as well as
3975 changes to languages because of Bugzilla reports.
3976
3977 * Support was added for Algerian Spoken Arabic (arq).
3978 * Support was added for Riograndenser Hunsrückisch (hrx).
3979 * Support was added for Northern Luri (lrc).
3980
3981 === Other changes in 1.23 ===
3982 * The rc_type field in the recentchanges table has been superseded by a new
3983 rc_source field. The rc_source field is a string representation of the
3984 change type where rc_type was a numeric constant. This field is not yet
3985 queried but will be in a future release.
3986 ** Utilize update.php to create and populate this new field. On larger wikis
3987 which do not wish to update recentchanges table in one large update please
3988 review the SQL and comments in maintenance/archives/patch-rc_source.sql.
3989 ** The rc_type field of recentchanges will be deprecated in a future release.
3990 * The global variable $wgArticle has been removed after a lengthy deprecation.
3991 * The global functions addButton and insertTags (for mw.toolbar.addButton and
3992 mw.toolbar.insertTags) now emits mw.log.warn when accessed.
3993 * The ExpandTemplates extension has been moved into MediaWiki core.
3994 * (bug 52812) Removed "Disable search suggestions" from Preference.
3995 * (bug 52809) Removed "Disable browser page caching" from Preference.
3996 * Three new modules intended for use by custom skins were added:
3997 'mediawiki.skinning.elements', 'mediawiki.skinning.content', and
3998 'mediawiki.skinning.interface', representing three levels of standard
3999 MediaWiki styling. Previously skin creators wishing to use them had to refer
4000 to the file names of appropriate files directly, which is now discouraged.
4001 * The modules 'skins.vector' and 'skins.monobook' have been renamed to
4002 'skins.vector.styles' and 'skins.monobook.styles', respectively,
4003 and their definition was changed not to include the common*.css files;
4004 the two skins now load the 'mediawiki.skinning.interface' module instead.
4005 * A page_links_updated field has been added to the page table.
4006 * SpecialPage::getTitle has been deprecated in favor of
4007 SpecialPage::getPageTitle.
4008 * BREAKING CHANGE: Two potentially backwards-incompatible changes have been made
4009 to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make
4010 the hook more consistent with the 'SpecialRecentChangesQuery' one:
4011 ** Several array keys have been renamed: hideMinor → hideminor,
4012 hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu,
4013 hidePatrolled → hidepatrolled, hideOwn → hidemyself.
4014 ** The parameter value is now a FormOptions object, not a plain array (array
4015 access operators should continue to work, as it implements the ArrayAccess
4016 interface).
4017 * Option to mark hooks as deprecated has been added.
4018 * (bug 52811) Preference "Enable section editing via [edit] links" was removed.
4019 * (bug 52813) Preference "Show table of contents (for pages with more than
4020 3 headings)" was removed.
4021 * (bug 52810) Preference "Justify paragraphs" was removed.
4022 * OutputPage::showErrorPage raises a notice if arguments are incoherent.
4023 * Thumbnails that keep failing to render in thumb.php will be rate-limited
4024 against further render attempts for 1 hour. $wgAttemptFailureEpoch can be
4025 altered to reset all rate-limited thumbnails at once.
4026 * (bug 56572) Builds of the OOjs and OOjs UI libraries are now available.
4027 * mw.loader.go and mw.loader.version have been removed.
4028 * (bug 52815) Preference "Enable simplified search bar (Vector skin only)"
4029 was removed.
4030 * A user_password_expires column has been added to the user table. The User
4031 object expects this column to exist. Use update.php to create this new field.
4032 * The jquery.delayedBind ResourceLoader module was deprecated in favor of the
4033 jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
4034 * mw.user.bucket has been deprecated.
4035 * On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to
4036 table.mw-prefixindex-list-table to avoid duplicate ids when the special page
4037 is transcluded.
4038 * (bug 62198) window.$j has been deprecated.
4039 * Preference "Disable link title conversion" was removed.
4040 * SpecialRecentChanges no longer includes any functionality for generating feeds
4041 - it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new
4042 ones.
4043 * RecentChange::mExtra['lang'] is no longer set and should no longer be used.
4044 Extensions should read from other configuration variables, including
4045 $wgLocalInterwikis, to identify the current wiki.
4046 * Sections in the parser test framework have been renamed and the old
4047 section names are deprecated. Please use "!!wikitext" and "!!html"
4048 (or "!!html/php") instead of "!!input" and "!!result". This allows
4049 us to extend parser tests to accommodate additional input/output
4050 pairs, such as "!!html/parsoid" (for the output of the Parsoid
4051 parser, where it differs from the PHP parser).
4052 * Special:Search no longer has an "include redirects" option on the advanced
4053 tab. Redirects are now included in all searches.
4054 * mediawiki.api.category's getCategories() 'async' parameter was deprecated.
4055 * The locations of resources have been split between upstream libraries, now in
4056 resources/lib/, local libaries in resources/src/, and local forks of upstream
4057 libraries, also in resources/src/.
4058 * BREAKING CHANGE: The automatically-generated function closure with which
4059 ResourceLoader wraps all modules' JavaScript code now binds the identifier
4060 names 'jQuery' and '$' to the jQuery object of the version of jQuery that is
4061 bundled with MediaWiki. If you bind these names to other objects in global
4062 scope (like Zepto.js or document.querySelectorAll, for example) you will need
4063 to use different names to or re-bind them at the top of each
4064 ResourceLoader-loaded module.
4065 * (bug 52342) Preference "Remember my login" was removed.
4066 * The skin autodiscovery mechanism has been deprecated and will be removed in
4067 MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
4068 for migration guide for creators and users of custom skins that relied on it.
4069
4070 ==== Removed classes ====
4071 * FakeMemCachedClient (deprecated in 1.18)
4072 * RdfMetaData (unused)
4073 * TitleDependency (unused)
4074 * TitleListDependency (unused)
4075 * WikiError (deprecated in 1.17)
4076 * WikiXmlError (deprecated in 1.17)
4077 * WikiErrorMsg (deprecated in 1.17)
4078
4079 ==== Renamed classes ====