Change notes from older releases. For current info see RELEASE-NOTES-1.29. == MediaWiki 1.28 == === Changes since 1.28.0-rc1 === * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db errors. * (T148956) Only apply wgDBschema to postgres/mssql. * (T145991) Introduce separate log action for deleting pages on move. * (T141474) (T110464) Bypass login page if no user input is required. === Changes since 1.28.0-rc0 === * (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again. * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly. * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26. * (T149759) manifest_version: 2 was removed. === Configuration changes in 1.28 === * $wgSend404Code now affects status code of action=history if the page is not there. * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported. * The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown. * The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations. * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads. * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog. * The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension. * When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default. * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes". * The 'editcontentmodel' permission is now granted to all logged-in users ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at . * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled. * Magic links are now disabled by default, and can be re-enabled by modifying the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on and explain your use case(s). * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting. === New features in 1.28 === * User::isBot() method for checking if an account is a bot role account. * Added a new 'slideshow' mode for galleries. * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot. * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing. * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash. * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed. * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script. * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar. * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki. * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie. * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. === External library changes in 1.28 === ==== Upgraded external libraries ==== * Updated es5-shim from v4.1.5 to v4.5.8 * Updated composer/semver from v1.4.1 to v1.4.2 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4 ==== New external libraries ==== * Added wikimedia/scoped-callback v1.0.0 * Added wikimedia/wait-condition-loop v1.0.1 === Bug fixes in 1.28 === * (T146496) action=history pages should return 404 HTTP error code if the page does not exist * (T137264) SECURITY: XSS in unclosed internal links * (T133147) SECURITY: Escape '<' and ']]>' in inline