input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
- MediaWiki installation. This data includes, for example, the type of system,
+ MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
+* When $EditSubmitButtonLabelPublish is true, MediaWiki will label the button
+ to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
+ if false, the default, they will be "Save page"/"Save changes".
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
upload. Unlike 'UploadVerifyFile' it provides information about upload comment
and the file description page, but does not run for uploads to stash.
+* (T141604) Extensions can now provide a better error message when their
+ maintenance scripts are run without the extension being installed.
+* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
+ to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
+ a 'numeric' collation is also available. If migrating from another
+ collation, you will need to run the updateCollation.php maintenance script.
+* Two new codes have been added to #time parser function: "xit" for days in current
+ month, and "xiz" for days passed in the year, both in Iranian calendar.
+* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
+ appropriate for sending multi-valued parameters. This defaults to true when
+ the mw.Api instance seems to be for the local wiki.
=== External library changes in 1.28 ===
==== Removed and replaced external libraries ====
=== Bug fixes in 1.28 ===
+* (T137264) SECURITY: XSS in unclosed internal links
+* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
+* (T133147) SECURITY: Require login to preview user CSS pages
+* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
+ the top file
+* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
+ permissions
+* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
+* (T139670) Move 'UserGetRights' call before application of
+ Session::getAllowedUserRights()
=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
(deprecated since 1.26).
+* The following response properties from action=login, deprecated in 1.27, are
+ now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
+ to properly manage session state.
+* Submitting the lgtoken and lgpassword parameters in the query string to
+ action=login is now deprecated and outputs a warning. They should be submitted
+ in the POST body instead.
+* Submitting sensitive authentication request parameters to action=clientlogin,
+ action=createaccount, action=linkaccount, and action=changeauthenticationdata
+ in the query string is now deprecated and outputs a warning. They should be
+ submitted in the POST body instead.
+* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
+ instead of the pipe character. This will be useful if some of the multiple
+ values need to contain pipes, e.g. for action=options.
+* The API will now warn if input is not NFC-normalized Unicode or if it
+ contains invalid characters.
+* The 'normalized' list output by action=query and other modules that use
+ ApiPageSet may contain entries where the 'from' value is percent-encoded as
+ the raw value cannot be represented in a valid API response. These are
+ indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
+* (T28680) action=paraminfo can now return info about all submodules of a
+ module without listing them all explicitly.
=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with ApiParse and ApiExpandTemplates.
+* (T139565) SECURITY: API: Generate head items in the context of the given title
+* (T115333) SECURITY: Check read permission when loading page content in ApiParse
=== Languages updated in 1.28 ===
BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
Saiddzone Saimawnkham, Saosukham, and Sengwan.
+* Czech (cs) and Slovak (sk) set as reciprocal fallbacks
=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
-* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
+* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
+* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
+* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
+* Linker::link() and Linker::linkKnown() were deprecated; please instead use
+ MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
+ were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
+ respectively. See docs/hooks.txt for the specific changes needed for those hooks.
+* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
+ * Skin::commentBlock() (use Linker::commentBlock() instead)
+ * Skin::generateRollback() (use Linker::generateRollback() instead)
+ * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
+ * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
+ * Skin::userLink() (use Linker::userLink() instead)
+ * Skin::userToolLinks() (use Linker::userToolLinks() instead)
+* The 'ParserLimitReportFormat' hook was removed.
+* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
+ disabled.
+* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
+* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
+ Use ...->stashFile()->getFileKey() instead.
+* "Public domain" was removed as a wiki license option from the installer, in
+ favour of CC-0.
+* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
+ on requests needed by primary providers even if all primaries need them.
+ Primary providers are discouraged from returning multiple REQUIRED requests.
+* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
+ will no longer be automatically infused. You should call `OO.ui.infuse()`
+ on them yourself from your JavaScript code.
== Compatibility ==
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
- https://www.mediawiki.org/wiki/Documentation
+ https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
== Mailing list ==
dépôts / lhc / web / wiklou.git / blobdiff