Change notes from older releases. For current info see RELEASE-NOTES-1.30. = MediaWiki 1.29 = == MediaWiki 1.29.0 == === Configuration changes in 1.29 === * Default cookie expiration time has been reduced to 30 days. Login cookie expiration time is kept at 180 days. * A new configuration variable has been added: $wgCookieSetOnAutoblock. This determines whether to set a cookie when a user is autoblocked. Doing so means that a blocked user, even after logging out and moving to a new IP address, will still be blocked. * The resetpassword right and associated password reset capture feature has been removed. * The $error parameter to the EmailUser hook should be set to a Status object or boolean false. This should be compatible with at least MediaWiki 1.23 if not earlier. Returning a raw HTML string is now deprecated. * The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work. * ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error. * $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC policies. * Subpages are now enabled by default in the Template namespace. Set $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior. * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. * (T158474) "Unknown user" has been added to $wgReservedUsernames. * (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs. * $wgDummyLanguageCodes is deprecated. Additional language code mappings may be added to $wgExtraLanguageCodes instead. * (T161453) LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache. * The user right 'editusercssjs' (deprecated in 1.16) was removed. Use 'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead. === New features in 1.29 === * (T5233) A cookie can now be set when a user is autoblocked, to track that user if they move to a new IP address. This is disabled by default. * Added ILocalizedException interface to standardize the use of localized exceptions, largely so the API can handle them more sensibly. * Blocks created automatically by MediaWiki, such as for configured proxies or dnsbls, are now indicated as such and use a new i18n message when displayed. * Added new $wgHTTPImportTimeout setting. Sets timeout for downloading the XML dump during a transwiki import in seconds. * Parser limit report is now available in machine-readable format to JavaScript via mw.config.get('wgPageParseReport'). * Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits from certain IP ranges (e.g. private IPs). * (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code of the page being parsed. * HTML5 form validation attributes will no longer be suppressed. Originally browsers had poor support for them, but modern browsers handle them fine. This might affect some forms that used them and only worked because the attributes were not actually being set. * Expiry times can now be specified when users are added to user groups. * Completely new user interface for the RecentChanges page, which structures filters into user-friendly groups. This has corresponding changes to how filters are registered by core and extensions. * The edit form now uses pretty OOjs UI buttons, checkboxes and summary input. Because this change can cause problems for extensions and on-wiki scripts depending on the exact HTML, the old version is still available and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php. This will be removed later and OOjs UI will become the only option. To make testing easier, users can also force either mode by adding &ooui=true or &ooui=false to the action=edit URL. === External library changes in 1.29 === ==== Upgraded external libraries ==== * Updated QUnit from v1.22.0 to v1.23.1. * Updated cssjanus from v1.1.2 to v1.2.0. * Updated psr/log from v1.0.0 to v1.0.2. * Update Moment.js from v2.8.4 to v2.15.0. * Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14. * Updated monolog from v1.18.2 to 1.22.1. * Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0. * Updated OOjs from v1.1.10 to v2.0.0. * Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0). ==== New external libraries ==== * Added wikimedia/timestamp v1.0.0. * Added wikimedia/remex-html v1.0.1. ==== Removed and replaced external libraries ==== === Bug fixes in 1.29 === * (T62604) Core parser functions returning a number now format the number according to the page content language, not wiki content language. * (T27187) Search suggestions based on jquery.suggestions will now correctly only highlight prefix matches in the results. * (T157035) "new mw.Uri()" was ignoring options when using default URI. * Special:Allpages can no longer be filtered by redirect in miser mode. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache. * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter. * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now an error. They should be submitted in the POST body instead. * The capture option for action=resetpassword has been removed * action=clearhasmsg now requires a POST. * (T47843) API errors and warnings may be requested in non-English languages using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters. * API error codes may have changed. Most notably, errors from modules using parameter prefixes (e.g. all query submodules) will no longer be prefixed. * ApiPageSet-using modules will report the 'invalidreason' using the specified 'errorformat'. * action=emailuser may return a "Warnings" status, and now returns 'warnings' and 'errors' subelements (as applicable) instead of 'message'. * action=imagerotate returns an 'errors' subelement rather than 'errormessage'. * action=move now reports errors when moving the talk page as an array under key 'talkmove-errors', rather than using 'talkmove-error-code' and 'talkmove-error-info'. The format for subpage move errors has also changed. * action=revisiondelete no longer includes a "rendered" property on warnings and errors for each item. Use errorformat=wikitext if you're wanting parsed output. * action=rollback no longer returns a "messageHtml" property. Use errorformat=html if you're wanting HTML formatting of error messages. * action=upload now reports optional stash failures as an array under key 'stasherrors' rather than a 'stashfailed' text string. * action=watch reports 'errors' and 'warnings' instead of a single 'error', and no longer returns a 'message' on success. * Added action=validatepassword to validate passwords for the account creation and password change forms. * action=purge now requires a POST. * There is a new `languagevariants` siprop for action=query&meta=siteinfo, which returns a list of languages with active LanguageConverter instances. * action=query&query=allpages will no longer filter redirects using a database query in miser mode. This may result in less results being returned than were requested. === Action API internal changes in 1.29 === * New methods were added to ApiBase to handle errors and warnings using i18n keys. Methods for using hard-coded English messages were deprecated: * ApiBase::dieUsage() was deprecated * ApiBase::dieUsageMsg() was deprecated * ApiBase::dieUsageMsgOrDebug() was deprecated * ApiBase::getErrorFromStatus() was deprecated * ApiBase::parseMsg() was deprecated * ApiBase::setWarning() was deprecated * ApiBase::$messageMap is no longer public. Code attempting to access it will result in a PHP fatal error. * The $message parameter to the ApiCheckCanExecute hook should be set to an ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a code for ApiBase::parseMsg() will no longer work. * UsageException is deprecated in favor of ApiUsageException. For the time being ApiUsageException is a subclass of UsageException to allow things that catch only UsageException to still function properly. * If, for some strange reason, code was using an ApiErrorFormatter instead of ApiErrorFormatter_BackCompat, note that the result format has changed and various methods now take a module path rather than a module name. * ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes from the message key, and maps some message keys for backwards compatibility. * API parameters may now be marked as "sensitive" to keep their values out of the logs. === Languages updated in 1.29 === MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * Based as always on linguistic studies on intelligibility and language knowledge by geography, language fallbacks have been expanded. When a translation is missing in the user's preferred interface language, the corresponding translation for the fallback language will be used instead. English will only be used as last resort when there are no translations. Some configurations (such as date formats and gender namespaces) have also been updated when using the fallback language's configuration was inadequate. The new or reinstated language fallbacks are (after cs ↔ sk in 1.28): ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro; sh → bs, sr-el, hr. * (T137376) New language support: Atikamekw (atj). * (T163600) New language support: Dinka (din). * (T155957) Talk Namespaces for Javanese language (jv) have been updated. ==== No fallback for Ukrainian ==== * (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian language will now use the default fallback language: English. When a translation to Ukrainian is not available, an English string will be shown. === Other changes in 1.29 === * Database::getSearchEngine() (deprecated in 1.28) was removed. Use SearchEngineFactory::getSearchEngineClass() instead. * $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is required as all sessions are stored in Object Cache now. * MWHttpRequest::execute() should be considered to return a StatusValue; the Status return type is deprecated. * User::edits() (deprecated in 1.21) was removed. * Xml::escapeJsString() (deprecated in 1.21) was removed. * Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21) were removed. * Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21) were removed. * Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom instead. * Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed. * Class RevisiondeleteAction (deprecated in 1.25) was removed. * WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed. * WikiPage::getText() (deprecated in 1.21) was removed. * Article::fetchContent() (deprecated in 1.21) was removed. * User::getPassword() (deprecated in 1.27) was removed. * User::getTemporaryPassword() (deprecated in 1.27) was removed. * User::isPasswordReminderThrottled() (deprecated in 1.27) was removed. * Class FSRepo (deprecated in 1.19) was removed. * WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead. * Class ImageGallery (deprecated in 1.22) was removed. Use ImageGalleryBase::factory instead. * Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead. * Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now emit warnings). Create a subclass of Action and add it to $wgActions instead. * WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated. * Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed. * Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed. * Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed. * RedisConnectionPool::handleException (deprecated since 1.23) was removed. * The static properties mw.Api.errors and mw.Api.warnings, containing incomplete and outdated lists of errors/warnings returned by the API, are now deprecated. * wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can be done by enabling mod_rewrite and adding the following rules to your configuration: RewriteEngine On RewriteBase / RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L] * Hook ArticleAfterFetchContent (deprecated in 1.21) was removed. Use ArticleAfterFetchContentObject instead. * Hook ArticleInsertComplete (deprecated in 1.21) was removed. Use PageContentInsertComplete instead. * Hook ArticleSave (deprecated in 1.21) was removed. Use PageContentSave instead. * Hook ArticleSaveComplete (deprecated in 1.21) was removed. Use PageContentSaveComplete instead. * Hook EditFilterMerged (deprecated in 1.21) was removed. Use EditFilterMergedContent instead. * Hook EditPageGetPreviewText (deprecated in 1.21) was removed. Use EditPageGetPreviewContent instead. * Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed. Use ContentHandlerDefaultModelFor instead. * Hook TitleIsWikitextPage (deprecated in 1.21) was removed. Use ContentHandlerDefaultModelFor instead. * Article::getContent() (deprecated in 1.21) was removed. * Revision::getText() (deprecated in 1.21) was removed. * Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed. * Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed. * Article::doEditContent() was marked as deprecated, to be removed in 1.30 or later. * ContentHandler::runLegacyHooks() was removed. * refreshLinks.php now can be limited to a particular category with --category=... or a tracking category with --tracking-category=... * User-like objects that are passed to SpecialUserRights and its subclasses are now required to have a getGroupMemberships() method. See UserRightsProxy for an example. * User::$mGroups (instance variable) was marked private. Use User::getGroups() instead. * User::getGroupName(), User::getGroupMember(), User:getGroupPage(), User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated. Use equivalent methods on the UserGroupMembership class. * Maintenance scripts and tests that call User::addGroup() must now ensure that User objects have been added to the database prior to calling addGroup(). * Protected function UsersPager::getGroups() was removed, and protected function UsersPager::buildGroupLink() was changed from a static to an instance method. * The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed; see docs/hooks.txt. * User::crypt() (deprecated in 1.24) was removed. * User::comparePasswords() (deprecated in 1.24) was removed. * ArchivedFile::getUserText() (deprecated in 1.23) was removed. * HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed. * BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage and subclasses. It should only break if you call buildMainQueryConds (changed to buildQuery with new signature) or doMainQuery (new signature). Subclasses are likely to call at least doMainQuery (possibly both), but other classes might too, because they were public. Also, some related hooks were deprecated, but this is not yet a breaking change. * Removed 'jquery.arrowSteps' module. (deprecated since 1.28) * The 'jquery.autoEllipsis' ResourceLoader module is now deprecated. * WikiRevision::$fileIsTemp was deprecated. * WikiRevision::$importer was deprecated. * WikiRevision::$user was deprecated. * Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the WikiPage::PURGE_* constants are deprecated, and the functions will always return false. They were a hack for an issue that has since been fixed. * Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook 'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options' if you don't actually care about checkboxes and just want to add some HTML to the page. * Selflinks are now rendered as href-less tags with the class mw-selflink rather than tags. The old class name, "selflink", was deprecated and will be removed in a future release. (T160480) * (T156184) $wgRawHtml will no longer apply to internationalization messages. * Browser support for non-ES5 JavaScript browsers, including Android 2, Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C. * Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755): is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari, webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs, opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera, ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent, addClickHandler, removeHandler, getElementsByClassName, getInnerText, setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons, mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes, escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix, tooltipAccessKeyRegexp, updateTooltipAccessKeys. * The ID of the
  • element containing the login link has changed from 'pt-login' to 'pt-login-private' in private wikis. * The old, neglected "bulletin board style toolbar" in the edit form is now deprecated (T30856). This old code dates from 2006, and was replaced in the MediaWiki release tarball and in Wikimedia production by the WikiEditor extension in 2010. It is only shown to users if no other editor was installed, and leads to confusion. * (T92459) Loading ResourceLoader modules containing JavaScript through addModuleStyles() is deprecated and will log a warning server-side. = MediaWiki 1.28 = == MediaWiki 1.28.1 == This is a security and maintenance release of the MediaWiki 1.28 branch. === Changes since 1.28.0 === * $wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0. * Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup. * (T152717) Better escaping for PHP mail() command, * (T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored. * (T154672) Un-deprecate ArticleAfterFetchContentObject hook. * (T158766) Avoid SQL error on MSSQL when using selectRowCount(). * (T145635) Fix too long index error when installing with MSSQL. * (T156184) $wgRawHtml will no longer apply to internationalization messages. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. * (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs. * (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links. * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. * (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token. * (T156184) SECURITY: Escape content model/format url parameter in message. * (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration. * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache. * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter. * (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it. == MediaWiki 1.28 == === Changes since 1.28.0-rc1 === * (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db errors. * (T148956) Only apply wgDBschema to postgres/mssql. * (T145991) Introduce separate log action for deleting pages on move. * (T141474) (T110464) Bypass login page if no user input is required. === Changes since 1.28.0-rc0 === * (T142210) The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option 'wgPageParseReport' have been undone. They caused the human-readable limit report to be shown incompletely or not at all. ParserOutput::setLimitReportData() and getLimitReportData() behave as they did in MediaWiki 1.27 again. * (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly. * (T106793) MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26. * (T149759) manifest_version: 2 was removed. === Configuration changes in 1.28 === * $wgSend404Code now affects status code of action=history if the page is not there. * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported. * The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown. * The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations. * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads. * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog. * The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension. * When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default. * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes". * The 'editcontentmodel' permission is now granted to all logged-in users ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at . * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled. * Magic links are now disabled by default, and can be re-enabled by modifying the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on and explain your use case(s). * New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore in upcoming Content-Security-Policy feature's reporting. === New features in 1.28 === * User::isBot() method for checking if an account is a bot role account. * Added a new 'slideshow' mode for galleries. * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot. * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing. * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash. * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed. * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script. * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar. * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki. * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie. * Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules. === External library changes in 1.28 === ==== Upgraded external libraries ==== * Updated es5-shim from v4.1.5 to v4.5.8 * Updated composer/semver from v1.4.1 to v1.4.2 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4 ==== New external libraries ==== * Added wikimedia/scoped-callback v1.0.0 * Added wikimedia/wait-condition-loop v1.0.1 === Bug fixes in 1.28 === * (T146496) action=history pages should return 404 HTTP error code if the page does not exist * (T137264) SECURITY: XSS in unclosed internal links * (T133147) SECURITY: Escape '<' and ']]>' in inline