== MediaWiki 1.28 == THIS IS NOT A RELEASE YET MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in production. === Configuration changes in 1.28 === * $wgSend404Code now affects status code of action=history if the page is not there. * BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported. * The load.php entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown. * The number of internal PBKDF2 iterations used to derive the session secret is configurable via $wgSessionPbkdf2Iterations. * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads. * $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog. * The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension. * When $wgPingback is true, MediaWiki will periodically ping https://www.mediawiki.org/beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default. * When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes". * The 'editcontentmodel' permission is now granted to all logged-in users ('user'). instead of just administrators ('sysop'). Documentation for this feature is available at . * $wgRevisionCacheExpiry is now set to one week by default instead of being disabled. === New features in 1.28 === * User::isBot() method for checking if an account is a bot role account. * Added a new 'slideshow' mode for galleries. * Added a new hook, 'UserIsBot', to aid in determining if a user is a bot. * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better interact with API parsing. * Added a new hook, 'UploadVerifyUpload', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash. * (T141604) Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed. * (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the updateCollation.php maintenance script. * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar. * mw.Api has a new option, useUS, to use U+001F (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the mw.Api instance seems to be for the local wiki. * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie. === External library changes in 1.28 === ==== Upgraded external libraries ==== * Updated es5-shim from v4.1.5 to v4.5.8 * Updated composer/semver from v1.4.1 to v1.4.2 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4 ==== New external libraries ==== * Added wikimedia/scoped-callback v1.0.0 * Added wikimedia/wait-condition-loop v1.0.1 ==== Removed and replaced external libraries ==== === Bug fixes in 1.28 === * (T146496) action=history pages should return 404 HTTP error code if the page does not exist * (T137264) SECURITY: XSS in unclosed internal links * (T133147) SECURITY: Escape '<' and ']]>' in inline