-== MediaWiki 1.28 ==
-
-THIS IS NOT A RELEASE YET
-
-MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in
-production.
-
-=== Changes since 1.28.0rc0 ===
-* (T142210) The changes to move the parser "NewPP limit report" from a HTML
- comment to a machine-readable JavaScript config option 'wgPageParseReport'
- have been undone. They caused the human-readable limit report to be shown
- incompletely or not at all. ParserOutput::setLimitReportData() and
- getLimitReportData() behave as they did in MediaWiki 1.27 again.
-* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
- the text of subheadings on a category page when creating it. This wasn't
- working correctly.
-* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
- canonical pretty URL when a non-pretty URL is used. It resulted in redirect
- loops in some clients and in some server configurations. This undoes a change
- made in MediaWiki 1.26.
-
-=== Configuration changes in 1.28 ===
-* $wgSend404Code now affects status code of action=history if the page is not there.
-* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
- made by MediaWiki via a proxy. Relying on the http_proxy environment
- variable is no longer supported.
-* The load.php entry point now enforces the existing policy of not allowing
- access to session data, which includes the session user and the session
- user's language. If such access is attempted, an exception will be thrown.
-* The number of internal PBKDF2 iterations used to derive the session secret
- is configurable via $wgSessionPbkdf2Iterations.
-* Upload dialog's file upload log comment can now be configured separately for
- local and foreign uploads.
-* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
- signifies local uploads. A value of `[]` (empty array) now means that
- no upload targets are allowed, effectively disabling the upload dialog.
-* The deprecated $wgEditEncoding variable has been removed; it was only used
- for Esperanto language character conversion. You are now recommended to use
- input methods provided by the UniversalLanguageSelector extension.
-* When $wgPingback is true, MediaWiki will periodically ping
- https://www.mediawiki.org/beacon with basic information about the local
- MediaWiki installation. This data includes, for example, the type of system,
- PHP version, and chosen database backend. This behavior is off by default.
-* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
- to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
- if false, the default, they will be "Save page"/"Save changes".
-* The 'editcontentmodel' permission is now granted to all logged-in users ('user').
- instead of just administrators ('sysop'). Documentation for this feature is
- available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
-* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
-* Magic links are now disabled by default, and can be re-enabled by modifying the value
- of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
- a tracking category will be added to help identify usage and make it easier to migrate
- away from. If you depend upon magic link functionality, it is requested that you comment
- on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
- explain your use case(s).
-* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
- in upcoming Content-Security-Policy feature's reporting.
-
-=== New features in 1.28 ===
-* User::isBot() method for checking if an account is a bot role account.
-* Added a new 'slideshow' mode for galleries.
-* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
-* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
- interact with API parsing.
-* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
- upload. Unlike 'UploadVerifyFile' it provides information about upload comment
- and the file description page, but does not run for uploads to stash.
-* (T141604) Extensions can now provide a better error message when their
- maintenance scripts are run without the extension being installed.
-* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
- to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
- a 'numeric' collation is also available. If migrating from another
- collation, you will need to run the updateCollation.php maintenance script.
-* Two new codes have been added to #time parser function: "xit" for days in current
- month, and "xiz" for days passed in the year, both in Iranian calendar.
-* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
- appropriate for sending multi-valued parameters. This defaults to true when
- the mw.Api instance seems to be for the local wiki.
-* After a client performs an action which alters a database that has replica databases,
- MediaWiki will wait for the replica databases to synchronize with the master database
- while it renders the HTML output. However, if the output is a redirect to another wiki
- on the wiki farm with a different domain, MediaWiki will instead alter the redirect
- URL to include a ?cpPosTime parameter that triggers the database synchronization when
- the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
-* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
- 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
- 'show' parameters to existing API query modules.
-
-=== External library changes in 1.28 ===
-
-==== Upgraded external libraries ====
-* Updated es5-shim from v4.1.5 to v4.5.8
-* Updated composer/semver from v1.4.1 to v1.4.2
-* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
-
-==== New external libraries ====
-* Added wikimedia/scoped-callback v1.0.0
-* Added wikimedia/wait-condition-loop v1.0.1
-
-==== Removed and replaced external libraries ====
-
-=== Bug fixes in 1.28 ===
-* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
-* (T137264) SECURITY: XSS in unclosed internal links
-* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
-* (T133147) SECURITY: Require login to preview user CSS pages
-* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
- the top file
-* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
- permissions
-* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
-* (T139670) Move 'UserGetRights' call before application of
- Session::getAllowedUserRights()
-
-=== Action API changes in 1.28 ===
-* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
- the value of $wgMaxArticleSize.
-* Property 'modulemessages' from action=parse&prop=modules was removed
- (deprecated since 1.26).
-* The following response properties from action=login, deprecated in 1.27, are
- now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
- to properly manage session state.
-* Submitting the lgtoken and lgpassword parameters in the query string to
- action=login is now deprecated and outputs a warning. They should be submitted
- in the POST body instead.
-* Submitting sensitive authentication request parameters to action=clientlogin,
- action=createaccount, action=linkaccount, and action=changeauthenticationdata
- in the query string is now deprecated and outputs a warning. They should be
- submitted in the POST body instead.
-* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
- instead of the pipe character. This will be useful if some of the multiple
- values need to contain pipes, e.g. for action=options.
-* The API will now warn if input is not NFC-normalized Unicode or if it
- contains invalid characters.
-* The 'normalized' list output by action=query and other modules that use
- ApiPageSet may contain entries where the 'from' value is percent-encoded as
- the raw value cannot be represented in a valid API response. These are
- indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
-* (T28680) action=paraminfo can now return info about all submodules of a
- module without listing them all explicitly.
-* (T146770) It is now possible to assert that the current user is a specific
- named user, using the 'assertuser' parameter.
-* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
- the 'TitleIsAlwaysKnown' hook) are output in various modules.
-
-=== Action API internal changes in 1.28 ===
-* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
- interact with ApiParse and ApiExpandTemplates.
-* (T139565) SECURITY: API: Generate head items in the context of the given title
-* (T115333) SECURITY: Check read permission when loading page content in ApiParse
-* ApiBase::getResultData() was removed (deprecated since 1.25)
-* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
-* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
-* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
-* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
-* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
-* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
-* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
-* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
-* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
-* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
-* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
-* ApiMain::setHelp() was removed (deprecated since 1.25)
-* ApiResult::beginContinuation() was removed (deprecated since 1.25)
-* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
-* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
-* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
-* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
-* ApiResult::endContinuation() was removed (deprecated since 1.25)
-* ApiResult::getData() was removed (deprecated since 1.25)
-* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
-* ApiResult::setContent() was removed (deprecated since 1.25)
-* ApiResult::setContinueParam() was removed (deprecated since 1.25)
-* ApiResult::setElement() was removed (deprecated since 1.25)
-* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
-* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
-* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
-* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
-* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
-* ApiResult::setRawMode() was removed (deprecated since 1.25)
-* ApiResult::size() was removed (deprecated since 1.25)
-* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
- 'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
- 'show' parameters to existing API query modules. A query module can enable
- these hooks by passing an array for $hookData to ApiQueryBase::select() and
- by calling ApiQueryBase->processRow() before adding a row's data to the
- result.
-
-=== Languages updated in 1.28 ===
-
-MediaWiki supports over 350 languages. Many localisations are updated
-regularly. Below only new and removed languages are listed, as well as
-changes to languages because of Phabricator reports.
-
-* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
- BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
-* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
- Saiddzone Saimawnkham, Saosukham, and Sengwan.
-* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
-* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.
-* Karelian (krl), thanks to translators Flrn, Ilja.mos, Likopiän tyttö, Mashoi7, Matma Rex,
- Ontoi, Theunitedstatesofme, and Varvana.
-* Gorontalo (gor), thanks to translators Ilham, Lukman Tomayahu, Marwan Mohamad, Matma Rex,
- NoiX180, and Zhoelyakin.
-
-=== Other changes in 1.28 ===
-* (T128697) Improved handling of large diffs.
-* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
- use or update a custom session provider if needed.
-* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
-* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
-* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
-* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
- login and visiting the login page while already logged in.
-* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
-* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
-* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
-* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
-* Linker::link() and Linker::linkKnown() were deprecated; please instead use
- MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
- were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
- respectively. See docs/hooks.txt for the specific changes needed for those hooks.
-* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
-* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
- * Skin::commentBlock() (use Linker::commentBlock() instead)
- * Skin::generateRollback() (use Linker::generateRollback() instead)
- * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
- * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
- * Skin::userLink() (use Linker::userLink() instead)
- * Skin::userToolLinks() (use Linker::userToolLinks() instead)
-* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
- disabled.
-* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
-* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
- Use ...->stashFile()->getFileKey() instead.
-* "Public domain" was removed as a wiki license option from the installer, in
- favour of CC-0.
-* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
- on requests needed by primary providers even if all primaries need them.
- Primary providers are discouraged from returning multiple REQUIRED requests.
-* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
- will no longer be automatically infused. You should call `OO.ui.infuse()`
- on them yourself from your JavaScript code.
-* parserTests.php has moved to tests/parser/parserTests.php
-* The command line options specific to parser tests have been removed from
- phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
- Instead of --keep-uploads, use the same option to parserTests.php, but you
- must specify a directory with --upload-dir.
-* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
-* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
- migrate to using the same functions on a ProxyLookup instance, obtainable from
- MediaWikiServices.
-* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
- ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
- ShowRawCssJs hooks will now emit deprecation warnings if used.
-* (T68404) CSS3 attr() function with url type is no longer allowed
- in inline styles.
-
-== Compatibility ==
-
-MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for
-HHVM 3.6.5 or later.
-
-MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
-support for them is somewhat less mature. There is experimental support for
-Oracle and Microsoft SQL Server.
-
-The supported versions are:
-
-* MySQL 5.0.3 or later
-* PostgreSQL 8.3 or later
-* SQLite 3.3.7 or later
-* Oracle 9.0.1 or later
-* Microsoft SQL Server 2005 (9.00.1399)
-
-== Upgrading ==
-
-1.28 has several database changes since 1.27, and will not work without schema
-updates. Note that due to changes to some very large tables like the revision
-table, the schema update may take quite long (minutes on a medium sized site,
-many hours on a large site).
-
-If upgrading from before 1.11, and you are using a wiki as a commons
-repository, make sure that it is updated as well. Otherwise, errors may arise
-due to database schema changes.
-
-If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
-new database fields are filled with data.
-
-If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
-1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
-with MediaWiki 1.21.
-
-Don't forget to always back up your database before upgrading!
-
-See the file UPGRADE for more detailed upgrade instructions.
-
-For notes on 1.27.x and older releases, see HISTORY.
-
-== Online documentation ==
-
-Documentation for both end-users and site administrators is available on
-MediaWiki.org, and is covered under the GNU Free Documentation License (except
-for pages that explicitly state that their contents are in the public domain):
-
- https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
-
-== Mailing list ==
-
-A mailing list is available for MediaWiki user support and discussion:
-
- https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
-
-A low-traffic announcements-only list is also available:
-
- https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
-
-It's highly recommended that you sign up for one of these lists if you're
-going to run a public MediaWiki, so you can be notified of security fixes.
-
-== IRC help ==
-
-There's usually someone online in #mediawiki on irc.freenode.net.