Add ->text() to prevent double HTML escaping

[lhc/web/wiklou.git] / RELEASE-NOTES-1.29

== MediaWiki 1.29 ==

THIS IS NOT A RELEASE YET

MediaWiki 1.29 is an alpha-quality branch and is not recommended for use in
production.

=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie expiration time is
  kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
  determines whether to set a cookie when a user is autoblocked. Doing so means
  that a blocked user, even after logging out and moving to a new IP address,
  will still be blocked.
* The resetpassword right and associated password reset capture feature has
  been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
  or boolean false. This should be compatible with at least MediaWiki 1.23 if
  not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies.
* Subpages are now enabled by default in the Template namespace. Set
  $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.

=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user if
  they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
  exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
  dnsbls, are now indicated as such and use a new i18n message when displayed.

=== External library changes in 1.29 ===

==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.

==== New external libraries ====

==== Removed and replaced external libraries ====

=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number according
  to the page content language, not wiki content language.

=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=clientlogin,
  action=createaccount, action=linkaccount, and action=changeauthenticationdata
  in the query string is now an error. They should be submitted in the POST
  body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
  using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
  parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
  'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
  'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
  key 'talkmove-errors', rather than using 'talkmove-error-code' and
  'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
  and errors for each item. Use errorformat=wikitext if you're wanting parsed
  output.
* action=rollback no longer returns a "messageHtml" property. Use
  errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
  'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
  no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
  and password change forms.

=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
  keys. Methods for using hard-coded English messages were deprecated:
  * ApiBase::dieUsage() was deprecated
  * ApiBase::dieUsageMsg() was deprecated
  * ApiBase::dieUsageMsgOrDebug() was deprecated
  * ApiBase::getErrorFromStatus() was deprecated
  * ApiBase::parseMsg() was deprecated
  * ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
  being ApiUsageException is a subclass of UsageException to allow things that
  catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
  ApiErrorFormatter_BackCompat, note that the result format has changed and
  various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
  from the message key, and maps some message keys for backwards compatibility.

=== Languages updated in 1.29 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Based as always on linguistic studies on intelligibility and language
  knowledge by geography, language fallbacks have been expanded. When a
  translation is missing in the user's preferred interface language, the
  corresponding translation for the fallback language will be used instead.
  English will only be used as last resort when there are no translations.
  Some configurations (such as date formats and gender namespaces) have also
  been updated when using the fallback language's configuration was inadequate.
  The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
  hsb ↔ dsb, io → eo, mdf → ru, pnt → el, roa-tara → it.

==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
  language will now use the default fallback language: English. When a translation
  to Ukrainian is not available, an English string will be shown.

=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
  SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
  required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
  Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
  were removed.
* Article::getAutosummary() and WikiPage::getAutosummary (deprecated in 1.21)
  were removed.
* Hooks ArticleViewCustom, EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21)
  were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* FSRepo (deprecated in 1.19) was removed.

== Compatibility ==

MediaWiki 1.29 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==

1.29 has several database changes since 1.28, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.28.x and older releases, see HISTORY.

== Online documentation ==

Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

       https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.freenode.net.