Change notes from older releases. For current info see RELEASE-NOTES-1.34.
= MediaWiki 1.33 =
=== Upgrading notes for 1.33 ===
1.33 has several database changes since 1.32, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.
Some specific notes for MediaWiki 1.33 upgrades are below:
* Some external link searches will not work correctly until update.php (or
refreshExternallinksIndex.php) is run. These include searches for links using
IP addresses, internationalized domain names, and possibly mailto links.
* If you ran migrateActors.php using an older version of MediaWiki and want to
run your wiki with $wgActorTableSchemaMigrationStage SCHEMA_COMPAT_READ_OLD,
note that log_search rows needed to find revision deletions by target user
were incorrectly deleted. See T215464 for details.
* If revision deletions were performed when the wiki was configured with
$wgActorTableSchemaMigrationStage SCHEMA_COMPAT_WRITE_BOTH and without
migrateActors.php having been run, the log_search table may contain rows with
empty values for "target_author_actor" which will prevent log searches for
revision deletions by target user from finding those log entries. These rows
may be corrected by (re-)running migrateActors.php.
For notes on 1.32.x and older releases, see HISTORY.
== MediaWiki 1.33.0 ==
=== Changes since MediaWiki 1.33.0-rc.0 ===
* (T225558) Update installer link to PHP intl.
* (T225901) Only attempt to deduplicate if there is data in archive and revision
tables.
* (T225564) Fetch tag ID before calling undefineTag().
* (T225496) Detect APC for MainCacheType in CLI installer.
* Call unpack() with correct parameters in MimeAnalyzer.php for PHP 7.0 support.
* (T212613) Style change tags correctly on Special:Newpages.
* (T202211) Fix SQLite patch-(page|template)links-fix-pk.sql column order.
== MediaWiki 1.33.0-rc.0 ==
=== Configuration changes for system administrators in 1.33 ===
==== New configuration ====
* $wgEnablePartialBlocks – This enables the Partial Blocks feature, which gives
accounts with block permissions the ability to block users, IPs, and IP ranges
from editing specific pages, while allowing them to edit the rest of the wiki.
It is a temporary setting for gradual enablement, current default to `false`,
and will be set to `true` and then removed once initial development completes.
==== Changed configuration ====
* $wgChangeTagsSchemaMigrationStage (T193868) — This temporary setting, added in
MediaWiki 1.32, now defaults to MIGRATION_NEW instead of MIGRATION_WRITE_BOTH.
* $wgPasswordPolicy – There is a new password policy to check that the account's
password is not in the large blacklist. This is enabled by default for the
built-in user groups bureaucrat, sysop, interface-admin, and bot. To configure
this for other user groups, set the `PasswordNotInLargeBlacklist` flag `true`.
* $wgPasswordDefault – There is a new password type configuration using Argon2
password hashing (which requires PHP 7.2 and above). It's designed to resist
timing attacks, and (on systems with PHP 7.3+) GPU hacking; if you configure
argon2 to be used, by default, it will automatically choose the best available
algorithm depending on which version of PHP you have available. To use this,
you can set `$wgPasswordDefault = 'argon2';`.
* $wgActorTableSchemaMigrationStage now defaults to reading the new schema.
update.php will back-populate the new database fields due to the changed
setting, which may take some time on large wikis. You can avoid downtime by
following a process like that described in T188327.
==== Removed configuration ====
* $wgTagStatisticsNewTable (T199334) — This temporary setting, added in
MediaWiki 1.32, has now been removed. When loading Special:Tags, MediaWiki
will now always use the `change_tag_def` instead of the `change_tag` table.
* $wgUseTidy, $wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and
$wgDebugTidy – These options, all deprecated since 1.26, have now all been
removed, as MediaWiki now always tidies user output. The $wgTidyConfig setting
remains only for experimental features and debugging, and should not be used.
* $wgEnableParserCache – This setting has been deprecated since 1.26, has now
been removed. If you still desire to disable the parser cache, instead you can
set `$wgParserCacheType = CACHE_NONE;`.
* $wgCommentTableSchemaMigrationStage – This temporary migration setting has now
been removed. Code finding it unset should treat it as being MIGRATION_NEW.
* $wgAuth – This old setting, deprecated in 1.27, has been removed as part of
the removal of AuthPlugin.
* $wgSitesCacheFile – This configuration was introduced in 1.25 with the intent
to allow sites to configure a file in which to cache the SiteStore database
table, but it was never used. SiteStore already caches its information by
default using BagOStuff (e.g. Memcached or APC).
* $wgClockSkewFudge – This setting was used by User.php to let sites adjust by
how much MediaWiki would fudge when trying to minimize the chances of a
user.user_touched database update to the "current" timestamp being before the
value already there (e.g. due to clock skew between different servers). This
is no longer a problem, because the code now ensures the timestamp is always
higher than the previous one. The writes are guarded with CAS logic (check
and set), which prevents updates that would overlap.
* $wgDBmysql5 (T196185) - This experimental setting, deprecated in 1.31, has
been removed.
=== New user-facing features in 1.33 ===
* (T96041) __EXPECTUNUSEDCATEGORY__ on a category page causes the category
to be hidden on Special:UnusedCategories.
* (T210814) SVGs are now by default displayed in wiki language on image
pages.
* Special:CreateAccount now warns the user if their chosen username has to be
normalized.
* (T205040) Multilingual images are now be displayed in the current parse
language where available.
* Special:ActiveUsers will no longer filter out users who became inactive since
the last time the active users query cache was updated.
* (T215675) RecentChange and ManualLogEntry implement new Taggable interface.
* (T215675) Added a hook, ManualLogEntryBeforePublish, to allow extensions
to modify (example: add tags) log entries.
=== New developer features in 1.33 ===
* The AuthManagerLoginAuthenticateAudit hook has a new parameter for
additional information about the authentication event.
* TextContent::getText() was introduced as a replacement for
Content::getNativeData() for text-based content models.
* (T214706) LinksUpdate::getAddedExternalLinks() and
LinksUpdate::getRemovedExternalLinks() were introduced.
* (T213893) Added 'MaintenanceUpdateAddParams' hook
* (T219655) The MarkPatrolled hook has a new parameter for the tags
associated with this entry in the patrol log.
* (T212472) Extensions can now specify platform abilities they require to work,
limited to shell access for now.
=== External library changes in 1.33 ===
==== New external libraries ====
* Added wikimedia/password-blacklist 0.1.4.
* Added guzzlehttp/guzzle 6.3.3.
==== Changed external libraries ====
* Updated OOUI from v0.29.2 to v0.31.3.
* Updated OOjs Router from pre-release to v0.2.0.
* Updated moment from v2.19.3 to v2.24.0.
* Updated wikimedia/xmp-reader from 0.6.0 to 0.6.2.
* Updated wikimedia/scoped-callback from 2.0.0 to 3.0.0.
* Updated jquery-client from 2.0.1 to 2.0.2.
* Updated pear/net_smtp from 1.8.0 to 1.8.1.
* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
* Updated wikimedia/php-session-serializer from 1.0.6 to 1.0.7.
==== Removed external libraries ====
* (T219403) jquery.ui.spinner, deprecated since 1.31, was removed.
=== Developer library changes in 1.33 ===
==== New developer libraries ====
* Added jakub-onderka/php-console-highlighter 0.3.2 explicitly (dev-only).
* Added mediawiki/mediawiki-phan-config 0.5.0 (dev-only).
==== Changed developer libraries ====
* Updated wikimedia/ip-set from 1.3.0 to 2.0.1.
* The deprecated IPSet\IPSet alias was removed, Wikimedia\IPSet must be
used instead.
* Updated psy/psysh from 0.9.6 to 0.9.9 (dev-only).
* Updated nikic/php-parser from 3.1.3 to 3.1.5 (dev-only).
* Updated mediawiki/mediawiki-codesniffer from 22.0.0 to 25.0.0 (dev-only).
* Updated qunitjs from 2.6.2 to 2.9.1.
==== Removed developer libraries ====
* The jetbrains/phpstorm-stubs repository was removed in favour of the minimal
stubs we need, which are kept in the new `.phan/internal_stubs` directory
(dev-only).
=== Bug fixes in 1.33 ===
* (T164211) Special:UserRights could sometimes fail with a
"conflict detected" error when there weren't any conflicts.
* (T216029) Chrome redirects to Special:BadTitle after editing a section with
a non-Latin name on a page with non-Latin characters in title.
* (T222385) resourceloader: Use AND instead of OR for upsert conds in
saveFileDependencies().
=== Action API changes in 1.33 ===
* (T198913) Added 'ApiOptions' hook.
* The JSON formatversion=2 is no longer experimental.
* Internal API errors (those with code beginning "internal_api_error") will
include the exception class name in a data field named "errorclass".
* Class names are not guaranteed to remain stable, and in particular database
exceptions will now include the "Wikimedia\Rdbms\" prefix in the class name.
* The code including an exception class name is deprecated. In the future,
all internal errors will use code "internal_api_error".
* (T212356) When using action=delete on pages with many revisions, the module
may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
deletion will be processed via the job queue.
* action=setnotificationtimestamp will now update the watchlist asynchronously
if entirewatchlist is set, so updates may not be visible immediately
* Block info will be added to "blocked" errors from more modules.
* (T216245) Autoblocks will now be spread by action=edit and action=move.
* action=query&meta=userinfo has a new uiprop, 'latestcontrib', that returns
the date of user's latest contribution.
* (T25227) action=logout now requires to be posted and have a csrf token.
=== Action API internal changes in 1.33 ===
* A number of deprecated methods for API documentation, intended for overriding
by extensions, are no longer called by MediaWiki, and will emit deprecation
notices if your extension attempts to use them:
* ApiBase::getDescription() (deprecated in 1.25)
* ApiBase::getParamDescription() (deprecated in 1.25)
* ApiBase::getExamples() (deprecated in 1.25)
* ApiBase::getDescriptionMessage() (deprecated in 1.30)
Additionally, the 'APIGetDescription' and 'APIGetParamDescription' hooks have
been removed, as their only use was to let extensions override values returned
by getDescription() and getParamDescription(), respectively.
* API error codes may only contain ASCII letters, numbers, underscore, and
hyphen. Methods such as ApiBase::dieWithError() and
ApiMessageTrait::setApiCode() will throw an InvalidArgumentException if
passed a bad code.
* ApiBase::checkTitleUserPermissions() now takes an options array as its third
parameter. Passing a User object or null is deprecated.
* The api-feature-usage log channel now has log context. The text message is
deprecated and will be removed in the future.
=== Languages updated in 1.33 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.
* (T203908) Added language support for Eastern Pwo (kjp).
* (T213717) Fixed a translation error on Goan Konkani (gom-deva) translations
for NS_TEMPLATE.
* (T212221) Added $digitTransformTable for Santali (sat).
* (T216479) Added language support for Saisiyat (xsy).
* (T219728) Added support for new Japanese era name "Reiwa"
=== Breaking changes in 1.33 ===
* The parameteter $lang in DifferenceEngine::setTextLanguage must be of type
Language. Other types are deprecated since 1.32.
* Skin::doEditSectionLink requires type Language for the parameter $lang.
The parameters $tooltip and $lang are mandatory. Omitting the parameters is
deprecated since 1.32.
* Language::truncate(), deprecated in 1.31, has been removed.
* UtfNormal, deprecated in 1.25, was removed. Use UtfNormal\Validator directly
instead.
* (T197179) In OOUI HTMLForm fields, the parameters 'notice', 'notice-messages',
and 'notice-message', which were deprecated in 1.32, were removed. Instead,
use 'help', 'help-message', and 'help-messages'.
* (T197179) HTMLFormField::getNotices(), deprecated in 1.32, was removed.
* The "Parsoid v1" compatibility mappings in ParsoidVirtualRESTService and
RestbaseVirtualRESTService, deprecated since 1.26, have been removed.
Use the RESTBase v1 or Parsoid v3 API instead.
* ParserOptions defaults 'tidy' to true now, since the untidy modes of the
parser are being deprecated and ParserOptions::getCanonicalOverrides()
has always been true at any rate.
* Support for disabling tidy and external tidy implementations has been removed.
This was deprecated in 1.32. The pure PHP Remex tidy implementation is now
used and no configuration is necessary.
* A number of deprecated methods for API documentation, intended for overriding
by extensions, are no longer called by MediaWiki, and will emit deprecation
notices if your extension attempts to use them:
* ApiBase::getDescription() (deprecated in 1.25)
* ApiBase::getParamDescription() (deprecated in 1.25)
* ApiBase::getExamples() (deprecated in 1.25)
* ApiBase::getDescriptionMessage() (deprecated in 1.30)
Additionally, the 'APIGetDescription' and 'APIGetParamDescription' hooks have
been removed, as their only use was to let extensions override values returned
by getDescription() and getParamDescription(), respectively.
* The authentication hooks 'AbortAutoAccount' 'AbortNewAccount', 'AbortLogin',
'LoginUserMigrated', 'UserCreateForm', and 'UserLoginForm', all deprecated by
the creation of AuthManager in 1.27, have been removed. This also means that
the FakeAuthTemplate and LoginForm classes are removed, that FakeAuthTemplate
is no longer passed into LoginSignupSpecialPage->getFieldDefinitions(), and
that LoginSignupSpecialPage->getBCFieldDefinitions() is removed.
* The 'jquery.localize' module, deprecated in 1.32, has been removed. Instead,
use 'jquery.i18n'.
* The hooks LanguageGetSpecialPageAliases and LanguageGetMagic, deprecated since
1.16, have now been removed. Instead, use $specialPageAliases or $magicWords
respectively in a $wgExtensionMessagesFiles file.
* The following methods of the Preferences class, deprecated in 1.31, have been
removed:
* getSaveBlacklist()
* loadPreferenceValues()
* getOptionFromUser()
* profilePreferences()
* skinPreferences()
* filesPreferences()
* datetimePreferences()
* renderingPreferences()
* editingPreferences()
* rcPreferences()
* watchlistPreferences()
* searchPreferences()
* miscPreferences()
* generateSkinOptions()
* getDateOptions()
* getImageSizes()
* getThumbSizes()
* validateSignature()
* cleanSignature()
* getTimezoneOptions()
* filterIntval()
* filterTimezoneInput()
* getTimeZoneList()
* mw.util.jsMessage(), deprecated in 1.20, was removed. Use mw.notify instead.
* (T61113) User::EDIT_TOKEN_SUFFIX was removed. It was deprecated since 1.27.
* The 'mediawiki.api' module aliases, deprecated in 1.32, have been removed.
Specifically: mediawiki.api.category, mediawiki.api.edit,
mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
mediawiki.api.messages, and mediawiki.api.rollback.
* The 'jquery.byteLimit' module alias for 'jquery.lengthLimit',
deprecated in 1.31, was removed.
* Revision::fetchRevision(), deprecated in 1.28, was removed.
* Class SquidUpdate, deprecated in 1.27, was removed.
* Title->getSquidURLs(), deprecated in 1.27, was removed. Instead, use
Title->getCdnUrls().
* Title::escapeFragmentForURL(), deprecated in 1.30, was removed. Use
Sanitizer::escapeIdForLink() or escapeIdForExternalInterwiki() instead.
* Title->canTalk(), deprecated in 1.30, was removed. Instead, use
Title->canHaveTalkPage().
* Title's methods for site and user page related to CSS and JS, deprecated in
1.31, were removed:
* Title->isCssOrJsPage() — Use Title->isSiteConfigPage()
* Title->isCssJsSubpage() – Use Title->isUserConfigPage()
* Title->getSkinFromCssJsSubpage() – Use Title->getSkinFromConfigSubpage()
* Title->isCssSubpage() – Use Title->isUserCssConfigPage()
* Title->isJsSubpage() – Use Title->isUserJsConfigPage()
* SiteSQLStore, deprecated in 1.27 and whose only method, ::newInstance(),
would return the global SiteStore instance, has been removed. You can get to
this via MediaWiki\MediaWikiServices::getInstance()->getSiteStore() directly.
* Linker::formatSize, deprecated in 1.28, has been removed (with DummyLinker's).
Instead, use Language->formatSize() with the relevant Language object.
* Linker::formatTemplates, deprecated in 1.28, has been removed (along with the
version in DummyLinker). You can use TemplatesOnThisPageFormatter directly.
* EventRelayerGroup::singleton(), deprecated in 1.27, has been removed. You can
use MediaWikiServices::getInstance()->getEventRelayerGroup() directly.
* LinkCache->addLink(), deprecated in 1.27, has been removed. It is thought to
be unused, and is distinct from OutputPage->addLink(), which remains.
* JsonContent->getJsonData(), deprecated in 1.25, has been removed. Instead, use
JsonContent->getData().
* MWExceptionHandler::getLogId(), deprecated in 1.27, has been removed, as the
exception ID is the same as the request ID, from WebRequest::getRequestId().
* SearchEngine::getNearMatchResultSet(), deprecated in 1.27, has been removed.
You can use SearchEngine::getNearMatcher() instead.
* EmailNotification::updateWatchlistTimestamp, deprecated in 1.27, has been
removed. Instead, use WatchedItemStore::updateNotificationTimestamp directly.
* User::getGroupName() and ::getGroupMember(), both deprecated in 1.29, have
been removed. Instead, please use UserGroupMembership::getGroupName() and
UserGroupMembership::getGroupMemberName().
* Backwards compatibility for setting wgSessionsInObjectCache to false or using
wgSessionHandler, both of which were deprecated in 1.27 with the introduction
of SessionManager, has been removed.
* SessionManager::autoCreateUser, deprecated in 1.27, has been removed. Use
MediaWiki\Auth\AuthManager::autoCreateUser instead.
* The mw.libs.jpegmeta property, deprecated in 1.31, was removed.
Use require( 'mediawiki.libs.jpegmeta' ) instead.
* The mw.user.stickyRandomId() method, deprecated in 1.32, was removed.
Use mw.user.getPageviewToken() instead.
* Removed deprecated class property WikiRevision::$importer.
* ResourceLoaderFileModule::readStyleFiles() now requires its $context
parameter.
* The ChangeList::insertArticleLink() method, that was deprecated in 1.27, has
been removed.
* MessageBlobStore::__construct() now requires its $rl parameter.
* Second parameter to Sanitizer::escapeIdReferenceList() (deprecated in 1.31)
has been removed.
* The 'jquery.xmldom' module has been removed.
* The 'jquery.mockjax' module has been removed.
* The 'jquery.hidpi' module, deprecated in 1.32, has been removed.
* AuthPlugin and related code, deprecated in 1.27, has been removed. Extensions
should instead use AuthManager. The following no longer exist:
* The AuthPlugin class itself and the related AuthPluginUser class and i18n
* The AuthPluginSetup and AuthPluginAutoCreate hooks
* The transitional wrapper classes AuthPluginPrimaryAuthenticationProvider,
AuthManagerAuthPlugin, and AuthManagerAuthPluginUser.
* The $wgAuth configuration setting and its use in Setup.php and unit tests
* (T217772) The 'wgAvailableSkins' mw.config key in JavaScript, was removed.
* Language::markNoConversion, deprecated in 1.32, has been removed. Use
LanguageConverter::markNoConversion instead.
* BagOStuff::modifySimpleRelayEvent() method has been removed.
* ParserOutput::getLegacyOptions, deprecated in 1.30, has been removed.
Use ParserOutput::allCacheVaryingOptions instead.
* CdnCacheUpdate::newSimplePurge, deprecated in 1.27, has been removed.
Use CdnCacheUpdate::newFromTitles() instead.
* Handling of multiple arguments by the Block constructor, deprecated in 1.26,
has been removed.
* The translation of main page in Sardinian (sc) was changed from "Pàgina Base"
to "Pàgina printzipale". Existing wikis using this content language need to
move the main page or change the name through MediaWiki:Mainpage page.
* wfSplitWikiID(), deprecated in 1.32, has been removed.
* MessageBlobStore::getBlob(), deprecated in 1.27, has been removed.
Use ::getBlobs() instead.
* The .background-size() LESS mixin, deprecated in 1.27, has been removed.
* ReadOnlyMode::clearCache() and ConfiguredReadOnlyMode::clearCache() have been
removed. Use MediaWikiTestCase::overrideMwServices() instead.
=== Deprecations in 1.33 ===
* The configuration option $wgUseESI has been deprecated, and is expected
to be removed in a future release.
* The configuration option $wgSquidPurgeUseHostHeader has been deprecated,
and is expected to be removed in a future release.
* The configuration options $wgFixArabicUnicode and $wgFixMalayalamUnicode,
introduced in MW 1.17, have been deprecated. These fixes will always be
applied for Arabic and Malayalam in the future. Please enable these on
your local wiki (if you have them explicitly set to false) and run
maintenance/cleanupTitles.php to fix any existing page titles.
* The LegacyHookPreAuthenticationProvider class, deprecated since its creation
in 1.27 as part of the AuthManager re-write, now emits deprecation warnings.
This will help identify the issue if you added it to $wgAuthManagerConfig.
* wfSplitWikiId() is now deprecated. Cache key generation should have the wiki
domain ID as a key component and use makeGlobalKey().
* (T202094) Title::getUserCaseDBKey() is deprecated; instead, please use
Title::getDBKey(), which doesn't vary case.
* User::getPasswordValidity() is now deprecated. User::checkPasswordValidity()
returns the same information in a more useful format.
* For Linker::generateTOC() and Linker::tocList(), passing strings or booleans
as the $lang parameter was deprecated. The same applies to DummyLinker.
* The PasswordPolicy 'PasswordCannotBePopular' has been deprecated. To
follow best practices, it is reccommended to use 'PasswordNotInLargeBlacklist'
instead which blacklists 100,000 commonly used passwords.
* (T208862) Action::requiresUnblock() is now called from
Title::getUserPermissionsErrors() and Title::userCan(). Previously, the method
was only called in Action::checkCanExecute(). Actions should ensure that their
requiresUnblock() returns the proper result (the default is `true`).
* (T211608) The MediaWiki\Services namespace has been renamed to
Wikimedia\Services. The old name is still supported, but deprecated.
* (T155582) Content::getNativeData has been deprecated. Please use model-
specific getters, such as TextContent::getText().
* The class WebInstallerOutput is now marked as @private.
* (T209699) The jquery.async module has been deprecated. JavaScript code that
needs asynchronous behaviour should use Promises.
* Password::equals() is deprecated, use verify().
* BaseTemplate::msgWiki() and QuickTemplate::msgWiki() will be removed. Use
other means to fetch a properly escaped message string or Message object.
* (T126091) The 'ResourceLoaderTestModules' hook, which lets you declare QUnit
testing code for your JavaScript modules, is deprecated. Instead, you can now
use the new extension registration key 'QUnitTestModule'.
* (T213426) The jquery.throttle-debounce module has been deprecated. JavaScript
code that needs this behaviour should use OO.ui.debounce/throttle.
* The mw.language.specialCharacters property from the
'mediawiki.language.specialCharacters' module has been deprecated.
Use require( 'mediawiki.language.specialCharacters' ) instead.
* ChangeTags::purgeTagUsageCache() has been deprecated, and is expected to be
removed in a future release.
* Passing a User object or null as the third parameter to
ApiBase::checkTitleUserPermissions() has been deprecated. Pass an array
[ 'user' => $user ] instead.
* (T211578) Block::prevents is deprecated. Use Block::isEmailBlocked,
Block::isCreateAccountBlocked and Block::isUsertalkEditAllowed to get and set
block properties; use Block::appliesToRight and Block::appliesToUsertalk to
check block behaviour.
* The api-feature-usage log channel now has log context. The text message is
deprecated and will be removed in the future.
* The FileBasedSiteLookup class has been deprecated. For a cacheable SiteLookup
implementation, use CachingSiteStore instead.
* Language::viewPrevNext function is deprecated, use
SpecialPage::buildPrevNextNavigation instead
* ManualLogEntry::setTags() is deprecated, use ManualLogEntry::addTags()
instead. The setTags() method was overriding the tags, addTags() doesn't
override, only adds new tags.
* Block::isValid is deprecated, since it is no longer needed in core.
* Calling Maintenance::hasArg() as well as Maintenance::getArg() with no
parameter has been deprecated. Please pass the argument number 0.
* ResourceLoaderContext::expandModuleNames has been deprecated.
Use ResourceLoader::expandModuleNames instead.
=== Other changes in 1.33 ===
* (T201747) Html::openElement() warns if given an element name with a space
in it.
* The implementation of buildStringCast() in Wikimedia\Rdbms\Database has
changed to explicitly cast. Subclasses relying on the base-class
implementation should check whether they need to override it now.
* BagOStuff::add is now abstract and must explicitly be defined in subclasses.
* LinksDeletionUpdate is now a subclass of LinksUpdate. As a consequence,
the following hooks will now be triggered upon page deletion in addition
to page updates: LinksUpdateConstructed, LinksUpdate, LinksUpdateComplete.
LinksUpdateAfterInsert is not triggered since deletions do not cause
insertions into links tables.
* Category::newFromID( $id )->getID() will now return $id without any
validation, to avoid a mostly unnecessary DB query.
* On Special:Version, the name for an extension can no longer be arbitrary
html when no link is specified.
= MediaWiki 1.32 =
== MediaWiki 1.32.3 ==
This is a maintenance release of the MediaWiki 1.32 branch.
=== Changes since MediaWiki 1.32.2 ===
* (T225558) Update installer link to PHP intl.
* (T225496) Detect APC for MainCacheType in CLI installer.
* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies.
* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.
== MediaWiki 1.32.2 ==
This is a security and maintenance release of the MediaWiki 1.32 branch.
=== Changes since MediaWiki 1.32.1 ===
* (T204423) Backport support for hyphenated DB names in JobQueueGroup.
* (T216968) Return pageid as int in both list=iwbacklinks and
list=langbacklinks.
* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
$wgBlockDisablesLogin is true.
* (T216029) Chrome redirects to Special:BadTitle after editing a section with
a non-Latin name on a page with non-Latin characters in title.
* Unbreak language related maintenance scripts that use StaticArrayWriter.
* (T219728) Added support for new Japanese era name "Reiwa".
* (T25227) SECURITY: action=logout now requires to be posted and have a csrf
token.
* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
* (T221045) Remove orphaned code from ConfigRepository.
* (T222385) resourceloader: Use AND instead of OR for upsert conds in
saveFileDependencies().
* (T224374) Fix message parameters so that the message that says SQLite is
out of date makes sense.
* (T200471) Prevent LBFactorySimple breaking ExternalStorage, when trying to
connect to external server with local database name.
* (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
* (T208881) SECURITY: blacklist CSS var().
* (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
* (T222036, T222038) SECURITY: Add permission check for user is permitted to
view the log type.
* (T221739) SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358.
== MediaWiki 1.32.1 ==
=== Changes since MediaWiki 1.32.0 ===
* (T213577) rdbms: avoid transaction status errors from ping() in rollback().
* rdbms: Pass required parameter.
* rdbms: do not treat SAVEPOINT and RELEASE SAVEPOINT as write queries.
* (T204531) rdbms: reduce LoadBalancer replication log spam.
* (T213489) Avoid session double-start in Setup.php.
* (T213717) Correct namespace 'Template' for gom-deva
* (T198054) Fix login page crash caused by unknown language via ?uselang
* (T215324) (T210937) list=users mistakenly reports user as missing.
* (T209483) Add ILBFactory::redefineLocalDomain method. This is intended for
use with scripts like addWiki.php to avoid mismatched domain errors.
* (T208871) The hard-coded Google search form on the database error page was
removed.
* (T204800) Fix Title::getFragmentForURL for bad interwiki prefix
* (T215566) Fix installer being unable to determine if the database exists
during a fresh installation.
== MediaWiki 1.32.0 ==
=== Changes since MediaWiki 1.32.0-rc.2 ===
* (T188327) Fix slow queries in migrateActors.php.
* (T102320) Fix $magicWords for the Sanskrit language.
=== Changes since MediaWiki 1.32.0-rc.1 ===
* Fix addition of ug_expiry column to user_groups table on MSSQL.
* (T210307) Fix the cache timestamp for forced updates.
* (T210621) User: Bypass repeatable-read when creating an actor_id.
* (T197535) Extensions can now specify PHP versions and PHP extensions they
depend on.
* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
* (T212356) When using action=delete on pages with many revisions, the module
may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
deletion will be processed via the job queue.
* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
recentchanges.rc_cur_time from the PostgreSQL schema.
=== Changes since MediaWiki 1.32.0-rc.0 ===
* (T209885) Prevent populateSearchIndex.php from breaking once actor migration
has been started.
* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
if --lang is used with the command-line installer (install.php).
=== Configuration changes in 1.32 ===
==== New configuration ====
* $wgJpegQuality – The quality of JPEG thumbnails is now configurable through
this setting. The default is 80, which matches the quality of JPEG thumbnails
previously generated by ImageMagick. The quality of JPEG thumbnails generated
by GD was previously 95, but now uses the $wgJpegQuality setting as well.
* $wgCookieSetOnIpBlock - This determines whether to set a cookie when an IP
user is blocked. Doing so means that a blocked user, even after moving to a
new IP address, will still be blocked.
* $wgRawHtmlMessages – This new configuration setting is added for listing
messages which are displayed as raw HTML.
* $wgCSPHeader and $wgCSPReportOnlyHeader – You can now define a
"Content Security Policy" for your wiki. This adds a defense-in-depth feature
to stop an attacker who has found a bug in the parser allowing them to insert
malicious attributes. Disabled by default. (T135963)
* $wgGroupPermissions – A new user group, 'interface-admin', is added for
controlling access to sitewide CSS/JS (and editing other users' CSS/JS). No
other group has 'editsitecss', 'editusercss', 'editsitejs' or 'edituserjs'
by default.
* $wgGrantPermissions – A new grant group, 'editsiteconfig', is added for
granting the above rights.
* $wgDBDefaultGroup – A default database group for use by maintenance scripts.
* $wgResourceLoaderEnableJSProfiler – This new configuration setting lets you
enable client-side profiling of JavaScript modules; it is off by default.
* (T193868) $wgChangeTagsSchemaMigrationStage — This temporary configuration
setting allows sysadmins to gradually migrate the database table schema for
how change tags are stored.
* (T199334) $wgTagStatisticsNewTable — This temporary configuration setting
allows sysadmins to enable the caching of Special:Tags via the new
change_tag_def table.
==== Changed configuration ====
* $wgUseAjax – This setting, deprecated in 1.31, is now ignored.
* $wgDefaultUserOptions – The default watchlist view time (watchlistdays) has
been increased from 3 to 7 days. (T194414)
* $wgGroupPermissions – The right to edit sitewide Javascript
(e.g. MediaWiki:Common.js), CSS or JSON was separated from 'editinterface'
and is available under 'editsitejs'/'editsitecss'/'editsitejson'. Having
'editinterface' is still necessary to edit such pages.
* $wgMultiContentRevisionSchemaMigrationStage now defaults to writing both the
old and the new schema, but reading the new schema, so Multi-Content Revisions
(MCR) are now functional per default. The new default value of the setting is
SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW.
* $wgActorTableSchemaMigrationStage no longer accepts MIGRATION_WRITE_BOTH or
MIGRATION_WRITE_NEW. It instead uses SCHEMA_COMPAT_WRITE_BOTH |
SCHEMA_COMPAT_READ_OLD and SCHEMA_COMPAT_WRITE_BOTH | SCHEMA_COMPAT_READ_NEW
for intermediate stages of migration.
* $wgDBTableOptions – The default table options now use the binary charset. The
default was already overridden in the installer-generated LocalSettings.php,
and so is always set to binary after the installer UI option was removed. The
default value is only used when the installer installs an extension.
* $wgPopularPasswordFile — The location of the default popular passwords file
has been moved to be in line with other non-PHP files used by libraries and
classes.
* $wgEnableImageWhitelist is now disabled by default, as it opens up a hole for
potential privacy leaks by administrators. You can check
"MediaWiki:External image whitelist" on your wiki to see whether the feature
was ever used, and whether it needs to be re-enabled.
==== Removed configuration ====
* $wgEnableAPI and $wgEnableWriteAPI – These settings, deprecated in 1.31,
have been removed. (T115414)
* $wgSiteSupportPage – This setting, unused since 1.5, was removed.
* $wgBrowserBlacklist – This setting, deprecated in 1.30, was removed.
* $wgExperimentalHtmlIds – This setting, deprecated since 1.30, was removed.
The 'html5-legacy' value for $wgFragmentMode is no longer accepted.
* $wgPasswordSenderName - This setting, ignored since 1.23 by MediaWiki and
most extensions, is no longer set. Instead, you can modify the system
message `emailsender`.
* $wgTidyConfig – The experimental Html5Internal and Html5Depurate tidy drivers
were removed. RemexHtml, which is the default, should be used instead.
* (T181318) The $wgStyleVersion setting and its appendage to various script and
style URLs in OutputPage, deprecated in 1.31, was removed.
* (T140807) The wgResourceLoaderLESSImportPaths configuration option was removed
from ResourceLoader. Instead, use `@import` statements in LESS to import
files directly from nearby directories within the same project.
* (T140804) The wgResourceLoaderLESSVars configuration option, deprecated
since 1.30, was removed. Instead, to expose variables from PHP to LESS, use
the ResourceLoaderModule::getLessVars() method.
* $wgResourceLoaderValidateStaticJS – This setting, unused since MediaWiki 1.18,
was removed.
* Two temporary variables for deploying the feature of filters on change lists,
$wgStructuredChangeFiltersShowPreference introduced in MediaWiki 1.30 and
$wgStructuredChangeFiltersOnWatchlist in 1.31, were removed.
=== New features in 1.32 ===
* (T112474) Generalized the ResourceLoader mechanism for overriding modules
using a particular page during edit previews.
* (T12331) You can now log page creation events by setting $wgPageCreationLog
to true.
* Added 'ApiParseMakeOutputPage' hook.
* (T174313) Added checkbox on Special:ListUsers to display only users in
temporary user groups.
* (T152462) A cookie can now be set when an IP user is blocked to track that
user if they move to a new IP address. This is disabled by default.
* (T194950) Added 'ApiMaxLagInfo' hook.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
getLoginSecurityLevel() returns non-false.
* The 'ImageBeforeProduceHTML' hook is now passed three new parameters, $parser,
&$query and &$widthOption, allowing extensions even finer control over the
resulting HTML code.
* Added new 'ArticleShowPatrolFooter' hook, which allows extensions to determine
if the [mark as patrolled] link should be shown at the footer of patrollable
pages.
* The array of hidden options ($opts) passed to the 'SpecialSearchPowerBox' hook
is now passed by reference, allowing extensions to modify or even unset it.
* Added new 'OutputPageAfterGetHeadLinksArray' hook, allowing extensions to
modify the return value of OutputPage#getHeadLinksArray in order to add,
remove or otherwise alter the elements to be output in the page
.
* (T28934) The 'HistoryPageToolLinks' hook allows extensions to append
additional links to the subtitle of a history page.
* The 'GetLinkColours' hook now receives an additional $title parameter,
the Title object of the page being parsed, on which the links will be shown.
* (T194731) DifferenceEngine supports multiple slots. Added SlotDiffRenderer to
render diffs between two Content objects, and DifferenceEngine::setRevisions()
to render diffs between two custom (potentially multi-content) revisions.
Added GetSlotDiffRenderer hook which works like GetDifferenceEngine for slots.
* Added a temporary action=mcrundo to the web UI, as the normal undo logic
can't yet handle MCR and deadlines are forcing is to put off fixing that.
This action should be considered deprecated and should not be used directly.
* Extensions overriding ContentHandler::getUndoContent() will need to be
updated for the changed method signature.
* Added a new hook, 'UserGetRightsRemove', which can be used to remove rights
from user. Unlike the 'UserGetRights' it will ensure that removed rights
will not be reinserted.
* (T197535) Extensions can now specify PHP versions and PHP extensions they
depend on.
=== External library changes in 1.32 ===
==== New external libraries ====
* Added pear/Net_SMTP v1.8.0.
* Added wikimedia/xmp-reader v0.6.0.
* Added cache/integration-tests v0.16.0 (dev-only).
* Added giorgiosironi/eris v0.10.0 (dev-only).
* Added seld/jsonlint v1.7.1 (dev-only).
* Added EasyDeflate (unversioned).
==== Changed external libraries ====
* Updated OOUI from v0.26.3 to v0.29.2.
* Updated wikimedia/base-convert from v1.0.1 to v2.0.0.
* Updated wikimedia/remex-html from v1.0.3 to v2.0.1.
* Updated wikimedia/scoped-callback from v1.0.0 to v2.0.0.
** ScopedCallback objects can no longer be serialized.
* Updated wikimedia/timestamp from v1.0.0 to v2.2.0.
* Updated wikimedia/wrappedstring from v2.3.0 to v3.0.1.
* oyejorge/less.php replaced with our fork wikimedia/less.php
* Updated wikimedia/ip-set from v1.2.0 to v1.3.0.
* Updated composer/spdx-licenses from v1.3.0 to v1.4.0 (dev-only).
* Updated mediawiki/mediawiki-codesniffer from v18.0.0 to v22.0.0 (dev-only).
* Updated psy/psysh from v0.8.11 to v0.9.6 (dev-only).
* Updated CLDRPluralRuleParser from v0.1.0 to v1.3.2-pre.
* Updated jquery from v3.2.1 to v3.3.1.
* Updated jquery.client from v2.0.0 to v2.0.1.
* Updated jquery.i18n from v1.0.4 to v1.0.5.
* Updated mustache.js from v0.8.2-d9aa703 to v1.0.0.
* Updated OOjs from v2.2.0 to v2.2.2.
* Updated qunitjs from v2.4.0 to v2.6.2.
* Updated sinonjs from v1.17.3 to v1.17.7.
==== Removed external libraries ====
* pear/mail_mime-decode was removed.
=== Bug fixes in 1.32 ===
* SpecialPage::execute() will now only call checkLoginSecurityLevel() if
getLoginSecurityLevel() returns non-false.
* (T43720, T46197) Improved page display title handling for category pages
* (T65080) Fixed resetting options of some types via API action=options.
=== Action API changes in 1.32 ===
* Added templated parameters.
* A module can define a templated parameter like "{fruit}-quantity", where
the actual parameters recognized correspond to the values of a multi-valued
parameter. Then clients can make requests like
"fruits=apples|bananas&apples-quantity=1&bananas-quantity=5".
* action=paraminfo will return templated parameter definitions separately
from normal parameters. All parameter definitions now include an "index"
key to allow clients to maintain parameter ordering when merging normal and
templated parameters.
* It is now an error to submit too many values for a multi-valued parameter.
This has generated a warning since MediaWiki 1.14.
* Assertion failures from the 'assert' and 'assertuser' parameters will no
longer use the action module's custom response format, for the few modules
that use custom formatters that handle errors.
* (T198935) User list preferences such as `email-blacklist` and similar
extension preferences are no longer represented as arrays when returned by
action=query&meta=userinfo&uiprop=options.
* 'missingparam' errors will now use the prefixed parameter name in the code
and error text, e.g. "noxxfoo" and "The 'xxfoo' parameter must be set" rather
than "nofoo" and "The 'foo' parameter must be set".
* action=query&prop=revisions now takes a 'rvslots' parameter to indicate the
multi-content revision slots for which content should be returned. It also
has a new rvprop, 'roles', to indicate which roles have slots. A deprecation
warning will be issued if rvprop=content or rvprop=contentmodel are used
without rvslots.
* The rvcontentformat parameter to action=query&prop=revisions has been
deprecated. Clients should be prepared to deal with the default format for
relevant models.
* Use of the deprecated parameters rvexpandtemplates, rvgeneratexml, rvparse,
rvdiffto, rvdifftotext, rvdifftotextpst, rvcontentformat, or the deprecated
rvprop=parsetree is forbidden with the new 'rvslots' parameter.
* action=query&prop=deletedrevisions, action=query&list=allrevisions, and
action=query&list=alldeletedrevisions are changed similarly to
&prop=revisions (see the three previous items).
* (T174032) action=compare now supports multi-content revisions.
* It has a 'slots' parameter to select diffing of individual slots. The
default behavior is to return one combined diff.
* The 'fromtext', 'fromsection', 'fromcontentmodel', 'fromcontentformat',
'totext', 'tosection', 'tocontentmodel', and 'tocontentformat' parameters
are deprecated. Specify the new 'fromslots' and 'toslots' to identify which
slots have text supplied and the corresponding templated parameters for
each slot.
* The behavior of 'fromsection' and 'tosection' of extracting one section's
content is not being preserved. 'fromsection-{slot}' and 'tosection-{slot}'
instead expand the given text as if for a section edit. This effectively
declines T183823 in favor of T185723.
* (T198214) The 'disabletidy' parameter to action=parse has been
deprecated; untidy output will not be supported by future wikitext
parsers.
* Added intestactionsdetail to action=query&prop=info to allow retrieving the
reasons an action is not allowed.
* Deprecated action=query&prop=info inprop=readable in favor of
intestactions=read.
* (T212356) When using action=delete on pages with many revisions, the module
may return a boolean-true 'scheduled' and no 'logid'. This signifies that the
deletion will be processed via the job queue.
=== Action API internal changes in 1.32 ===
* Added 'ApiParseMakeOutputPage' hook.
* Parameter names may no longer contain '{' or '}', as these are now used for
templated parameters.
* (T194950) Added 'ApiMaxLagInfo' hook.
* The following methods now take a RevisionRecord rather than a Revision. No
external callers are known.
* ApiFeedContributions::feedItemAuthor()
* ApiFeedContributions::feedItemDesc()
* ApiQueryRevisionsBase::extractRevisionInfo()
* The following deprecated methods have been removed:
* ApiBase::profileIn() (deprecated in 1.25)
* ApiBase::profileOut() (deprecated in 1.25)
* ApiBase::safeProfileOut() (deprecated in 1.25)
* ApiBase::profileDBIn() (deprecated in 1.25)
* ApiBase::profileDBOut() (deprecated in 1.25)
* ApiBase::dieUsage() (deprecated in 1.29)
* ApiBase::dieUsageMsg() (deprecated in 1.29)
* ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
* ApiBase::getErrorFromStatus() (deprecated in 1.29)
* ApiBase::parseMsg() (deprecated in 1.29)
* ApiBase::setWarning() (deprecated in 1.29)
* ApiPageSet::getInvalidTitles() (deprecated in 1.26)
* ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
* ApiUsageException::getCodeString() (deprecated in 1.29)
* ApiUsageException::getMessageArray() (deprecated in 1.29)
* Class UsageException, deprecated in 1.29, has been removed.
* ApiErrorFormatter: Added getFormat() and newWithFormat(). In particular, you
can now easily test $formatter->getFormat() === 'bc', and then call
$formatter->newWithFormat( 'plaintext' ) to get a non-BC formatter.
=== Languages updated in 1.32 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.
* (T193566) Added language support for Ambonese Malay (abs).
* (T194047) Added language support for Shawiya, Latin script (shy-latn).
* (T195940) Added language support for Batak Mandailing (btm).
* (T137491) Added language support for Standard Moroccan Amazigh (zgh).
* (T198132) Added language support for Manipuri (mni).
* (T201276) Added language support for Western Armenian (hyw).
* (T201583) Added language support for Mon (mnw).
=== Breaking changes in 1.32 ===
* $wgRequestTime, deprecated in 1.25, was removed. Use
$_SERVER['REQUEST_TIME_FLOAT'] or WebRequest::getElapsedTime() instead.
* The MediaWikiI18N class, deprecated in 1.31, was removed.
* QuickTemplate::setTranslator(), deprecated in 1.31, was removed. Use
Skin::msg() instead.
* wfInitShellLocale(), deprecated in 1.30, was removed.
* wfShellExecDisabled(), deprecated in 1.30, was removed.
* The type string for the parameter $lang of DateFormatter::getInstance,
deprecated in 1.31, was removed.
* The EDIT_TOKEN_SUFFIX constant deprecated in 1.27, was removed. Use
MediaWiki\Session\Token::SUFFIX instead.
* EditPage::isOouiEnabled() deprecated in 1.30, was removed.
* mw.util.wikiGetlink(), deprecated in 1.23, was removed. Use mw.util.getUrl()
instead.
* (T61113) The following methods and constants from the Revision class, which
were deprecated in 1.25, have now been removed:
* Revision::getRawUser()
* Revision::getRawUserText()
* Revision::getRawComment()
* window.gM() from mediawiki.jqueryMsg, deprecated in 1.23, was removed. Use
mw.msg() or mw.message() instead.
* mw.util.escapeId(), deprecated in 1.30, was removed. Use
mw.util.escapeIdForAttribute or mw.util.escapeIdForLink instead.
* mw.util.updateTooltipAccessKeys(), deprecated in 1.24, was removed. Use
jquery.accessKeyLabel instead.
* The SqlDataUpdate class, deprecated in 1.28, has been removed.
* The Html5Internal and Html5Depurate tidy driver classes were removed, along
with the Balancer tidy implementation. Both implementations were experimental,
and were replaced by RemexHtml.
* (T179624) Job::insert() and ::batchInsert(), deprecated in 1.21, were both
removed. Use JobQueueGroup::singleton()->push() instead.
* The jquery.footHovzer module, for mediawiki.debug, was removed.
* The es5-shim module, empty and deprecated since 1.29, was removed.
* the dom-level2-shim module, empty and deprecated since 1.29, was removed.
* the json module, empty and deprecated since 1.29, was removed.
* The mediawiki.widgets.visibleByteLimit module alias, deprecated in 1.32, was
removed. Use mediawiki.widgets.visibleLengthLimit instead.
* The jquery.farbtastic module, unused since 1.18, was removed.
* The 'jquery.expandableField' module, unused since 1.22, was removed.
* The hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend' may provide
any HTMLForm object rather than PreferencesForm.
* The non namespaced TimestampException class, deprecated in 1.29, was removed.
Use Wikimedia\Timestamp\TimestampException instead.
* The global functions codepointToUtf8, hexSequenceToUtf8, utf8ToHexSequence,
utf8ToCodepoint, and escapeSingleString (deprecated in 1.25) were removed.
The UtfNormal\Utils class from the utfnormal library should be used instead.
* The deprecated UTF8_ and UNICODE_ constants were removed. The class constants
from the UtfNormal\Constants class from the utfnormal library should be used
* The protected methods PHPSessionHandler::returnSuccess() and returnFailure(),
only needed for PHP5 compatibility, have been removed. It now uses the boolean
values `true` and `false` respectively.
* The $parserMemc global and wfGetParserCacheStorage(), deprecated since 1.30,
were removed. Use the ParserCache class instead.
* ScopedCallback (deprecated in 1.28) was removed. Use Wikimedia\ScopedCallback
instead.
* Support for ResourceLoaderModule::getModifiedTime() and getModifiedHash(),
deprecated since 1.26, was removed. Use getDefinitionSummary() instead.
* (T195256) Skins are recommended not to rely on JavaScript for the "mw-jump"
and "jump-to-nav" accessibility links. To this end, the "jquery.mw-jump"
is no longer loaded by default. The Vector and MonoBook skins have made a
minor change to implement the toggle feature with CSS instead. To restore
prior functionality, either explicitly load "jquery.mw-jump" in your skin
or refer to T195256 for details on how to make the same change.
* Hook 'EditPageBeforeEditChecks' was removed;
use 'EditPageGetCheckboxesDefinition' instead.
* Linker::getLinkColour() and DummyLinker::getLinkColour(), deprecated since
1.28, were removed. LinkRenderer::getLinkClasses() should be used instead.
* Wikimedia\Rdbms\LoadBalancer::getLaggedSlaveMode(), deprecated in 1.28, has
been removed. Use Wikimedia\Rdbms\LoadBalancer::getLaggedReplicaMode()
instead.
* mw.widgets.CategoryMultiselectWidget now uses TagMultiselectWidget instead of
CapsuleMultiselectWidget. The following methods may no longer be used:
* setItemsFromData: Use setValue instead
* getItemsData: Use getItems instead and get the data property
* Two OutputPage methods, addMetadataLink() and getMetadataAttribute(), were
removed. Use addLink() instead.
* Another two OutputPage methods, setPageTitleActionText() and
getPageTitleActionText(), were removed. They did nothing since 1.15 (almost
ten years). Use setHTMLTitle() directly.
* The return value of OutputPage::adaptCdnTTL() has been removed. The
value returned was misleading and probably not what any caller would
have wanted.
* All MagicWord static member variables have been removed. Use appropriate
hooks or MagicWordFactory methods instead.
* MagicWord::clearCache() has been removed. Instead, create a new
MagicWordFactory, such as by calling
resetServiceForTesting( 'MagicWordFactory' ) on a MediaWikiServices.
* mw.util.init() has been removed. This function is not needed anymore and was
a no-op function since 1.30.
* SpecialPageFactory::resetList() is a no-op. Call overrideMwServices()
instead.
* MediaWiki no longer supports a StartProfiler.php file. Instead, you can set
$wgProfiler and $wgEnableProfileInfo.
* The mw.loader.addSource() is now considered a private method, and no longer
supports the `id, url` signature. Use the `Object` parameter instead.
* The backwards-compatibility code in HTMLForm to add a drop-down control to an
option that is not set to be a drop-down if the "mw-chosen" class is present,
is now removed.
* Several collations were removed. They were workarounds for bugs in the ICU
library and they are no longer needed (as of ICU 57.1):
* 'uppercase-se' (NorthernSamiUppercaseCollation) - use 'uca-se' instead
* 'xx-uca-et' (CollationEt) - use 'uca-et' instead
* 'xx-uca-fa' (CollationFa) - use 'uca-fa' instead
* LanguageCode::bcp47() now always returns a valid BCP 47 code. This means
that some MediaWiki-specific language codes, such as `simple`, are mapped
into valid BCP 47 codes (eg `en-simple`).
* The hooks 'SpecialRecentChangesFilters' & 'SpecialWatchlistFilters' deprecated
in 1.23 were removed. Instead, use 'ChangesListSpecialPageStructuredFilters'.
The ChangesListSpecialPage code for these legacy hooks, and their use in
SpecialRecentchanges.php and SpecialWatchlist, was also removed:
* ChangesListSpecialPage->getCustomFilters()
* ChangesListSpecialPage->getFilterGroupDefinitionFromLegacyCustomFilters()
* ChangesListSpecialPage::customFilters
* The global function wfUseMW, deprecated since 1.26, has now been removed. Use
the "requires" property of static extension registration instead.
* $wgSpecialPages no longer accepts array syntax, deprecated since 1.18.
* The MailAddress constructor can no longer be called with a User object,
behaviour which has been deprecated since 1.24.
* LBFactory, deprecated since 1.28, has been removed. Instead, use
Wikimedia\Rdbms\LBFactory.
* The MimeMagic class, deprecated since 1.28 has been removed. Get a
MimeAnalyzer instance from MediaWikiServices instead.
* The '--tidy' option to maintenance/parse.php has been removed. Tidying
the output is now the default. Use '--no-tidy' to bypass the tidy
phase.
* The global function wfErrorLog, deprecated since 1.25, has now been removed.
Use MWLoggerLegacyLogger::emit or UDPTransport.
* The hooks 'SpecialRecentChangesQuery' & 'SpecialWatchlistQuery', deprecated in
1.23, were removed. Instead, use ChangesListSpecialPageStructuredFilters or
ChangesListSpecialPageQuery.
* The global function wfUsePHP, deprecated since 1.30, has now been removed. To
assert a newer version of PHP than MediaWiki does, use extension registration.
* The hook 'ChangesListSpecialPageFilters', deprecated in 1.29, has now been
removed. Use the 'ChangesListSpecialPageStructuredFilters' hook instead.
* DeferredUpdates::setImmediateMode(), deprecated since 1.29, has been removed.
* File / MediaHandler::getStreamHeaders(), deprecated since 1.30, was removed.
* The hook 'DoEditSectionLink', deprecated since 1.25, has been removed. Use
the hook 'SkinEditSectionLinks' instead.
* The hook 'UserGetImplicitGroups', deprecated since 1.25, has been removed.
* The global function wfRunHooks, deprecated since 1.25, has now been removed.
Use Hooks::run().
* The hook 'UnknownAction', deprecated since 1.19, has now been removed.
* The hook 'ParserLimitReport', deprecated since 1.22, has been removed. Use
the hooks 'ParserLimitReportPrepare' and 'ParserLimitReportFormat' instead.
* The following deprecated API methods have been removed:
* ApiBase::profileIn() (deprecated in 1.25)
* ApiBase::profileOut() (deprecated in 1.25)
* ApiBase::safeProfileOut() (deprecated in 1.25)
* ApiBase::profileDBIn() (deprecated in 1.25)
* ApiBase::profileDBOut() (deprecated in 1.25)
* ApiBase::dieUsage() (deprecated in 1.29)
* ApiBase::dieUsageMsg() (deprecated in 1.29)
* ApiBase::dieUsageMsgOrDebug() (deprecated in 1.29)
* ApiBase::getErrorFromStatus() (deprecated in 1.29)
* ApiBase::parseMsg() (deprecated in 1.29)
* ApiBase::setWarning() (deprecated in 1.29)
* ApiPageSet::getInvalidTitles() (deprecated in 1.26)
* ApiQueryLogEvents::addLogParams() (deprecated in 1.25)
* ApiUsageException::getCodeString() (deprecated in 1.29)
* ApiUsageException::getMessageArray() (deprecated in 1.29)
* Class UsageException, deprecated in 1.29, has been removed.
* MediaWiki no longer has a 'JavaScript-powered' wikitext toolbar built in. The
old "bulletin board style toolbar", known as "the 2006 wikitext editor", has
been removed, and instead sysadmins will be required to choose one (or more)
of the several extensions available for this purpose if they need the
functionality. The MediaWiki "tarball" releases have included the replacement
extension for this, the WikiEditor extension aka "the 2010 wikitext editor",
for many years now. As part of this, several parts of MediaWiki have been
removed or simplified:
* The user option 'showtoolbar' (shown as "Show edit toolbar") is no longer
available; if an extension adds a toolbar via the EditPageBeforeEditToolbar
hook, it will be shown; extensions should provide a specific user preference
to disable themselves as needed.
* The public methods Language::getImageFile() and ::getImageFiles(), and the
related specification of $imageFiles within individual languages' code file,
as well as the referenced static media assets, all of which were only used
inside MediaWiki itself for providing the icons for the old toolbar, have
been removed without explicit deprecation.
* The internal ResourceLoader module "mediawiki.toolbar", which is unused
except by MediaWiki itself and back-compatibility code, has been removed.
* The internal ResourceLoaderEditToolbarModule class has been removed.
=== Deprecations in 1.32 ===
* HTMLForm::setSubmitProgressive() is deprecated. No need to call it. Submit
button is already marked as progressive.
* Skin::setupSkinUserCss() is deprecated. Adding of modules to load
has been centralised to Skin::getDefaultModules(), which is now capable
of queueing style modules as well.
* OutputPage::addModuleScripts() and ParserOutput::addModuleScripts are
deprecated. Use addModules() instead.
* Overriding SearchEngine::{searchText,searchTitle,searchArchiveTitle}
in extending classes is deprecated. Extend related doSearch* methods
instead.
* The following 'mediawiki.api' plugin modules were merged into mediawiki.api
and deprecated: mediawiki.api.category, mediawiki.api.edit,
mediawiki.api.login, mediawiki.api.options, mediawiki.api.parse,
mediawiki.api.upload, mediawiki.api.user, mediawiki.api.watch,
mediawiki.api.messages, and mediawiki.api.rollback.
* ApiBase::truncateArray() is deprecated. No replacement, as nothing is known
to use it.
* WatchAction::getUnwatchToken is deprecated. Use WatchAction::getWatchToken
with the 'unwatch' action parameter instead.
* IcuCollation::getICUVersion() is deprecated, as you can just use the PHP
constant INTL_ICU_VERSION directly in all versions that MediaWiki supports.
* Parser::fetchFile() is deprecated. Use ::fetchFileAndTitle() instead.
* The ApiQueryContributions class has been renamed to ApiQueryUserContribs.
* The XMPInfo, XMPReader, and XMPValidate classes have been deprecated in favor
of the namespaced classes provided by the wikimedia/xmp-reader library.
* SearchResultSet::{next,rewind} are deprecated. Calling code should
use foreach on the SearchResultSet, or the extractResults method. Extending
code should override extractResults.
* Instantiating SearchResultSet directly is deprecated. SearchEngine
implementations must subclass SearchResultSet for their purposes.
* SearchResult::setExtensionData argument has been changed from accepting an
array to accepting a Closure that returns the array when called.
* Class CryptRand, everything in MWCryptRand except generateHex() and function
MediaWikiServices::getInstance()->getCryptRand() are deprecated, use
random_bytes() to generate cryptographically secure random byte sequences.
* Parser::getConverterLanguage() is deprecated. Use ::getTargetLanguage()
instead.
* Language::markNoConversion() is deprecated. It confused readers because
it had unexpected behavior (only marking text if it looked like a URL)
and was only used in a single place in the code. Use
LanguageConverter::markNoConversion() instead.
* (T197492) Language::truncate() was soft deprecated in 1.31 and is
hard deprecated in this release. It has been split into two similar
methods, Language::truncateForVisual() and Language::truncateForDatabase(),
which measure length in characters and bytes, respectively. Use
Language::truncateForVisual() when possible to provide equity to users
of multibyte scripts.
* (T176526) EditPage::getContextTitle() falling back to $wgTitle when the
context title is unset is now deprecated; anything creating an EditPage
instance should set the context title via ::setContextTitle().
* The 'jquery.hidpi' module (polyfill for IMG srcset) is deprecated.
* ResourceLoaderStartUpModule::getStartupModules() and ::getLegacyModules()
are deprecated. These concepts are obsolete and have no replacement.
* String type for $lang of DifferenceEngine::setTextLanguage is deprecated.
* The following methods of OutputPage are now deprecated in favour
of using showFatalError directly: OutputPage::showFileDeleteError()
OutputPage::showFileNotFoundError(), OutputPage::showFileRenameError()
OutputPage::showFileCopyError() and OutputPage::showUnexpectedValueError().
* The Replacer, DoubleReplacer, HashtableReplacer, and RegexlikeReplacer
classes are now deprecated. Use a Closure instead.
* (T194263) ContentHandler::makeParserOptions() is deprecated. Use
WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
* (T100681) Use of the Parsoid v1 API with the VirtualRESTService, deprecated in
MediaWiki 1.26, is now hard-deprecated. All known clients were converted to
the Parsoid v3 API in May 2015.
* $input is deprecated in hook 'LogEventsListGetExtraInputs'. Use
$formDescriptor instead.
* SearchEngine::transformSearchTerm( $term ) should no longer be called prior
to running searchText. This method was mainly implemented to support the
'prefix' URI param in SpecialSearch, but there are no reasons to expose this
logic as it should be handled internally by SearchEngine implementations
supporting this feature. SearchEngine implementations should no longer
override this methods.
* SearchEngine::replacePrefixes( $query ) should no longer be called prior
to running searchText/searchTitle.
* (T199657) Messages for $wgFilterLogTypes labels should be no longer be in the
'log-show-hide-[type]' format. Instead use 'logeventslist-[type]-log'.
* Global functions wfArrayFilter() and wfArrayFilterByKey() are deprecated.
use array_filter() directly.
* The $wgShowSQLErrors global is deprecated and nonfunctional.
Set $wgShowExceptionDetails and/or $wgShowHostnames instead.
* The $wgShowDBErrorBacktrace global is deprecated and nonfunctional.
Set $wgShowExceptionDetails instead.
* Public access to the DifferenceEngine properties mOldid, mNewid, mOldRev,
mNewRev, mOldPage, mNewPage, mOldContent, mNewContent, mRevisionsLoaded,
mTextLoaded and mCacheHit is deprecated. Use getOldid() / getNewid() /
getOldRevision() / getNewRevision() for the first four (note that the
revision ones return a RevisionRecord, not a Revision), do your own lookup
for page/content.
* The $wgExternalDiffEngine value 'wikidiff2' is deprecated. To use wikidiff2
just enable the PHP extension, and it will be autodetected.
* (T194731) DifferenceEngine properties mOldContent and mNewContent and methods
setContent(), generateContentDiffBody(), generateTextDiffBody() and textDiff()
are deprecated. To interact with a single slot, use a SlotDiffRenderer (and
subclass it to customize diff rendering); to diff custom (e.g. unsaved)
content, use setRevisions(). Subclassing DifferenceEngine should only be done
to customize page-level diff properties (such as the navigation header).
* The wfUseMW function, soft-deprecated in 1.26, is now hard deprecated.
* All MagicWord static methods are now deprecated. Use the MagicWordFactory
methods instead.
* PasswordFactory::init is deprecated. To get a password factory with the
standard configuration, use
MediaWikiServices::getInstance()->getPasswordFactory.
* $wgContLang is deprecated, use
MediaWikiServices::getInstance()->getContentLanguage() instead.
* $wgParser is deprecated, use MediaWikiServices::getInstance()->getParser()
instead.
* wfGetMainCache() is deprecated, use ObjectCache::getLocalClusterInstance()
instead.
* wfGetCache() is deprecated, use ObjectCache::getInstance() instead.
* All SpecialPageFactory static methods are deprecated. Instead, call the
methods on a SpecialPageFactory instance, which may be obtained from
MediaWikiServices.
* mw.user.stickyRandomId was renamed to the more explicit
mw.user.getPageviewToken to better capture its function.
* Passing Revision objects to ContentHandler::getUndoContent() is deprecated,
Content object should be passed instead.
* (T197179) Parameters 'notice', 'notice-messages', 'notice-message',
previously used by OOUI HTMLForm fields, are now deprecated. Use
'help', 'help-message', 'help-messages' instead.
* (T197179) HTMLFormField::getNotices() is now deprecated.
* The jquery.localize module is now deprecated. Use jquery.i18n instead.
* The SecondaryDataUpdates hook was deprecated in favor of RevisionDataUpdates,
or overriding ContentHandler::getSecondaryDataUpdates (T194038).
* The WikiPageDeletionUpdates hook was deprecated in favor of
PageDeletionDataUpdates, or overriding ContentHandler::getDeletionDataUpdates
(T194038).
* Content::getSecondaryDataUpdates has been deprecated in favor of
ContentHandler::getSecondaryDataUpdates() for overriding by extensions
(T194038).
Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
* Content::getDeletionUpdates has been deprecated in favor of
ContentHandler::getDeletionUpdates() for overriding by extensions (T194038).
Application logic should call WikiPage::doSecondaryDataUpdates() (T194037).
* (T198214) Old Tidy-related configuration settings, which were soft-deprecated
in MediaWiki 1.26, have now been hard deprecated. This affects $wgUseTidy,
$wgTidyBin, $wgTidyConf, $wgTidyOpts, $wgTidyInternal, and $wgDebugTidy. Use
$wgTidyConfig instead.
* All Tidy configurations other than Remex have been hard deprecated;
future parsers will not emit compatible output for these configurations.
In particular, running MediaWiki with tidy disabled has been deprecated.
* (T198214) OutputPage::addWikiText(), OutputPage::addWikiTextWithTitle(),
and OutputPage::addWikiTextTitle() have been deprecated, since they
can result in untidy output. In addition OutputPage::addWikiTextTidy()
and OutputPage::addWikiTextTitleTidy() was deprecated to make naming new
methods consistent. Use OutputPage::addWikiTextAsInterface() or
OutputPage::addWikiTextAsContent() instead, which ensures the output is
tidy and clarifies whether content-language specific postprocessing should
be done on the text.
* OutputPage::parse() and OutputPage::parseInline() have been deprecated
due to untidy output and inconsistent handling of wrapper divs and
interface/content language defaults. Use OutputPage::parseAsContent(),
OutputPage::parseAsInterface(), or OutputPage::parseInlineAsInterface()
as appropriate.
* QuickTemplate::msgHtml() and BaseTemplate::msgHtml() have been deprecated
as they promote bad practises. I18n messages should always be properly
escaped.
* Skin::getDynamicStylesheetQuery() has been deprecated. It always
returns action=raw&ctype=text/css which callers should use directly.
* Class LegacyFormatter is deprecated.
* Use of CommentStore::insertWithTempTable() with 'img_description' is
deprecated. Use CommentStore::insert() instead.
* Language::setCode is deprecated as public function. Use Language::factory
to create a new Language object with a different language code.
* Several classes have been moved from the MediaWiki\Storage\ namespace to the
MediaWiki\Revision\ namespace. The old class names are aliased for
compatibility, but are deprecated. Classes are IncompleteRevisionException,
MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
SuppressedDataException.
* When using OOUI HTMLForm containing an 'info' field which uses the 'rawrow'
option, it is now deprecated to give its contents (the 'default' option)
as a string. They should be given as a OOUI\FieldLayout object instead.
Notably, this affects fields defined in the 'GetPreferences' hook, because
Special:Preferences uses an OOUI form now. (If possible, don't use 'rawrow'.)
* In Skin::doEditSectionLink omitting the parameters $tooltip and $lang is
deprecated. For the $lang parameter, types other than Language are
deprecated.
* The $wgUseKeyHeader configuration option and the
OutputPage::getKeyHeader() method have been deprecated; the relevant
draft IETF spec expired without becoming a standard.
* Deprecated API action=query&prop=info inprop=readable in favor of
intestactions=read.
=== Other changes in 1.32 ===
* (T198811) The following tables have had their UNIQUE indexes turned into
proper PRIMARY KEYs for increased maintainability: interwiki, page_props,
protected_titles and site_identifiers.
* OOUI HTMLForm will now display help text inline after the input field,
rather than in a popup. Previous behavior can be restored by using
`'help-inline' => false`.
* The archive table's ar_rev_id field is now unique.
* Special:BotPasswords now requires reauthentication.
* (T174023) Multi-Content Revision (MCR) capabilities were introduced into the
storage layer and have basic support for display. No user interface exists
yet for creating or managing content in slots beides the main slot. See
for more
information.
* The image_comment_temp database table has been removed. Since all access
should be mediated by the CommentStore class, this change shouldn't affect
external code.
* (T206147) Database::close() will no longer commit any open transactions.
* (T64103) Dropped columns category.cat_hidden, site_stats.ss_admins, and
recentchanges.rc_cur_time from the PostgreSQL schema.
= MediaWiki 1.31 =
== MediaWiki 1.31.3 ==
This is a maintenance release of the MediaWiki 1.31 branch.
=== Changes since MediaWiki 1.31.2 ===
* (T225558) Update installer link to PHP intl.
* (T225496) Detect APC for MainCacheType in CLI installer.
* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies.
* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.
== MediaWiki 1.31.2 ==
This is a security and maintenance release of the MediaWiki 1.31 branch.
Required PHP version has been increased from 7.0.0 to 7.0.13.
=== Changes since MediaWiki 1.31.1 ===
* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
all titles when asked for none.
* (T205967) Fix syntax error typo in postgres database upgrade file.
* (T200254) Add pear/Net_SMTP 1.7.3 to composer dependencies.
* (T206765) Load installer i18n when running update.php.
* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
libraries.
[Also in the bundled composer /vendor directory.]
* Various PHP 7.2 and 7.3 compatibility fixes:
* (T200595, T206974) Fix PHP 7.3 warnings of using "continue" in some
scenarios instead of "break".
* (T206976, T206977) Also in the bundled LocalisationUpdate and
ParserFunctions extensions.
* (T206979) Fix PHP 7.3 warnings of using "compact()" when some variables may
not be set.
* (T215632) FormatMetadata and UploadStash regexes fixed to be PHP
7.3-compatible.
* Fix PHP warnings "preg_replace(): [...] invalid range in character class.
* Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable.
* Suppress "Headers already sent" in PHP 7.2 too.
* (T206476) Output only to stderr in unit tests.
* (T207112) Add session_write_close() calls to SessionManager tests.
* oyejorge/less.php replaced with our fork wikimedia/less.php
* (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0.
* (T213489) Avoid session double-start in Setup.php.
* (T206975) Switch to our fork of less.php.
* (T207540) Include IP address in "Login for $1 succeeded" log entry.
* (T201781) Database: Allow selectFieldValues() to accept SQL fragments.
* (T205765) installer: Don't link to the obsolete "Extension Matrix" page.
* (T206013) Update ImportableUploadRevisionImporter for interwiki usernames.
* (T207541) Pass an email address, not a MailAddress, to mail().
* (T207603) SECURITY: User JS may no longer be loaded with mime type
text/javascript if there is no account associated with the username.
* (T112937, T113042) SECURITY: Do not allow loading pages raw with a
text/javascript MIME
type if non-admins can edit the page.
* (T17491) / elements can be phrasing or flow.
* (T200827) RemexCompatMunger: Don't call endTag() in case B/b
* (T207088) Upgrade wikimedia/remex-html to 2.0.1.
[Also in the bundled composer /vendor directory.]
* (T194052) Updated wikimedia/base-convert from 1.0.1 to 2.0.0.
[Also in the bundled composer /vendor directory.]
* (T199494) Fix notices in maintenance/removeUnusuedAccounts.php.
* Require ext-fileinfo in composer.json, per PHPVersionCheck.
* (T176390) Bundled LocalisationUpdate extension: Handle exceptions from
GitHubFetcher.
* (T208255) Completion search should not change the search query.
* (T209870) Fix SQL syntax error in MS-SQL initialisation file for new wikis.
* (T185049) LogFormatter: Fail softer when trying to link an invalid titles.
* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
if --lang is used with the command-line installer (install.php).
* (T211061) ImageListPager: Actor migration for buildQueryConds().
* (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
* Fix addition of ug_expiry column to user_groups table on MSSQL.
* (T204767) Add join conditions to ActiveUsersPager.
* (T210621) User: Bypass repeatable-read when creating an actor_id.
* (T204531) rdbms: reduce LoadBalancer replication log spam.
* (T195525) Fix db error outage page.
* (T208871) The hard-coded Google search form on the database error page was
removed.
* (T176097) Fix flaky MessageBlobStoreTest assertion failures.
* (T209423) Update required PHP version to 7.0.13.
* (T209885) Prevent populateSearchIndex.php from breaking once actor migration
has been started.
* (T216968) Return pageid as int in both list=iwbacklinks and
list=langbacklinks.
* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
* (T204423) Backport support for hyphenated DB names in JobQueueGroup.
* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
$wgBlockDisablesLogin is true.
* (T216029) Chrome redirects to Special:BadTitle after editing a section with
a non-Latin name on a page with non-Latin characters in title.
* (T219728) Added support for new Japanese era name "Reiwa".
* (T25227) SECURITY: action=logout now requires to be posted and have a csrf
token.
* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
* (T222385) resourceloader: Use AND instead of OR for upsert conds in
saveFileDependencies().
* (T224374) Fix message parameters so that the message that says SQLite is out
of date makes sense.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
getLoginSecurityLevel() returns non-false.
* (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
* (T208881) SECURITY: blacklist CSS var().
* (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
* (T222036, T222038) SECURITY: Add permission check for user is permitted to
view the log type.
* (T221739) SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358.
== MediaWiki 1.31.1 ==
This is a security and maintenance release of the MediaWiki 1.31 branch.
=== Changes since MediaWiki 1.31.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
* (T197229) Bundle Nuke extension, it was accidentally omitted.
* (T193995) Fix undefined patchPath() method call in parser tests.
* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T198037) GitInfo: Don't try shelling out if it's disabled.
* (T151415) Log email changes.
* (T197206) Fix performance regression when multiple DB used without caching.
* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
* (T182377, T196793) Exif: Guard against uncountable tag values.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T200864) Fix pingback over-reporting on non-MySQL databases
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
hooks.
== MediaWiki 1.31.0 ==
=== Changes since MediaWiki 1.31.0-rc.2 ===
* (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
* (T196092) Hide MySQL binary/utf-8 charset option in the installer.
* (T196185) Don't allow setting $wgDBmysql5 in the installer.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
=== Changes since MediaWiki 1.31.0-rc.0 ===
* (T33223) Drop archive.ar_text and ar_flags.
* Add default edit rate limit of 90 edits/minute for all users.
* (T187645) Use codepoint as tiebreaker when getting first-letters in
IcuCollation.
* (T191947) Don't shell during the installer if shelling out is disabled.
* (T194319) Improve duplicate config setting exception as part of extension
registration.
* (T195211) Don't require trailing slash in PSR-4 autoloader directory.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* Do not incorrectly hide namespace input field in the installer.
* (T186456) Refactor checks looking for PEAR maik libraries to be clearer.
=== Important pre-upgrade notes for 1.31 ===
* If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
schema changes, and cannot have downtime to run migrateArchiveText.php and
apply patch-drop-ar_text.sql manually, you'll have to apply a default value
to the ar_text and ar_flags columns of the archive table or make those
columns nullable before upgrading to MediaWiki 1.31.
maintenance/archives/patch-nullable-ar_text.sql shows how to do this for
MySQL.
=== Configuration changes in 1.31 ===
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
a future version. The API is now considered to be stable, secure and
essential.
* $wgUsejQueryThree was removed, as it is now the default. This was documented
as a temporary variable during the migration period, deprecated since 1.29.
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
have the right to mark things patrolled.
* Wikis that contain imported revisions or CentralAuth global blocks should run
maintenance/cleanupUsersWithNoId.php.
* The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
$wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
are not using the latest version of the Referrer Policy specification.
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
first step of migration to human-readable section IDs that will later result
in 'html5' being the default mode.
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
as upstream is inactive and has no plans to move to PHP 7.
* The old CategorizedRecentChanges feature, including its related configuration
option $wgAllowCategorizedRecentChanges, has been removed.
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
for performance reasons, and installations with this setting will now work as
if it was configured with 'any'.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
rather than being off by default. If you wish to disable HTML tidying
entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
* $wgLogAutopatrol now defaults to false instead of true.
* $wgValidateAllHtml was removed and will be ignored.
* $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
1.25 release notes for more information.
* $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
framework that it enables. Some extensions mistakenly used this to check
whether any AJAX functionality at all should be enabled, further making this
problematic to retain.
* $wgDBmysql5 is now deprecated, and will be removed in a future version. It
has been marked as experimental ever since it was introduced.
=== New features in 1.31 ===
* (T76554) User sub-pages named ….json are now protected in the same way that
….js and ….css pages are, so that configuration options can safely be placed
there.
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
Html class now provides helper methods for messageBox, successBox, errorBox
and warningBox generation.
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
a format like "iw>Example".
* (T20209) Linker (used on history pages, log pages, and so on) will display
usernames formed like "iw>Example" as interwiki links, as if by wikitext like
[[iw:User:Example|iw>Example]].
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
users during an import.
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
the ParserOutput::getText() post-cache transformations.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
initial page text for file uploads.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
hash value in the table of basic information.
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
ParserOutput::getText() post-cache transformation. This may be disabled by
passing 'deduplicateStyles' => false to that method.
* The identity of the logged-in or IP "actor" for logged actions is being moved
into a new actor table, with the rows in tables such as revision and logging
referring to the actor ID instead of storing the user ID and name/IP in
every row.
* This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
soon as any necessary extensions are updated.
* Most code accessing rows for logged actions from the database should use
the relevant getQueryInfo() methods to get the information needed to build
the SQL query. The ActorMigration class may also be used to get feature
-flagged information needed to access actor-related fields during the
migration period.
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
section without having to roll back the whole transaction.
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
and non-MySQL ::replace() and ::upsert() no longer roll back the whole
transaction on failure.
* (T189785) Added a monthly heartbeat ping to the pingback feature.
* The CLI installer (maintenance/install.php) learned to detect and include
extensions. Pass --with-extensions to enable that feature.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
"1" for manually patrolled and "2" for autopatrolled actions.
* Extensions can now set their type to "editor" if they provide an editor or
enhance the editing experience.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
property in extension.json. See the documentation at
for more details and an example.
* (T19099) Tabs which link to pages that don't exist (like those to uncreated
discussion pages) now have a tooltip to indicate state, not just colour.
=== External library changes in 1.31 ===
* pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
suggested to required. These packages now must be installed via composer
and not via PEAR itself.
==== Upgraded external libraries ====
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.
==== New external libraries ====
* Added wikimedia/object-factory 1.0.0
==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
'mediawiki.viewport' module instead.
* mediawiki/at-ease was replaced with wikimedia/at-ease.
=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor.
* (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
space.
* (T2087, T10897, T87753, T174639) Whitespace created by category and language
links is now stripped rather than leaving blank lines in odd places.
* (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
=== Action API changes in 1.31 ===
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
removed. It has never made a difference in the output, the name was always
returned regardless.
* The 'watch' and 'unwatch' parameters for action=move have been removed. They
were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
'watchlist' instead.
=== Action API internal changes in 1.31 ===
* ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
* ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
* ApiBase::getProfileTime, deprecated since 1.25, was removed.
=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
* (T182305) New language support: Nyungar (nys).
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
* (T186635) New language support: Guianan Creole (gcr).
* (T186647) New language support: Kumyk [къумукъ] (kum).
* (T187750) New language support: Spanish formal address (es-formal).
* (T187824) New language support: Hungarian formal address (hu-formal).
* (T189127) New language support: Gorontalo (gor).
=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
* The OutputPage class constructor now requires a context parameter.
Instantiating without context was deprecated in 1.18.
* The mw.page JavaScript singleton, deprecated in 1.30, was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
::onArticleEdit() methods, deprecated in 1.24, were removed.
* Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
removed. Use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
'byText' or ->setBlocker(). Callers should either ensure the blocker exists
locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were
deprecated in 1.27, have been removed:
* WatchedItem::getTitle()
* WatchedItem::fromUserTitle()
* WatchedItem::addWatch()
* WatchedItem::removeWatch()
* WatchedItem::isWatched()
* WatchedItem::duplicateEntries()
* WatchedItem::IGNORE_USER_RIGHTS
* WatchedItem::CHECK_USER_RIGHTS
* WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
$wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
variable, has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
$wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
variable, has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have
been removed:
* PreparedEdit->newText
* PreparedEdit->oldText
* PreparedEdit->pst
* ParserOutput objects which are generated using a non-default value for
ParserOptions::setWrapOutputClass() can no longer be added to the parser
cache.
* The following deprecated methods from the OutputPage class have been removed:
* OutputPage::addExtensionStyle(); deprecated in 1.27
* OutputPage::getExtStyle(); deprecated in 1.27
* OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
* OutputPage::setSquidMaxage(); deprecated in 1.27
* OutputPage::readOnlyPage(); deprecated in 1.25
* OutputPage::rateLimited(); deprecated in 1.25
* Additionally, the protected OutputPage::$mExtStyles array, only accessed
through the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
were removed:
* $isCssJsSubpage — use ::isUserConfigPage()
* $isCssSubpage — use ::isUserCssConfigPage()
* $isJsSubpage — use ::isUserJsConfigPage()
* $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
* ::getSummaryInput() – use ::getSummaryInputWidget()
* ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
* ::getCheckboxes() – use ::getCheckboxesWidget() or
::getCheckboxesDefinition()
* ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
::getCheckboxesDefinition()
* ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on
the response object, and were deprecated in 1.27, have been removed:
* ::setCookie()
* ::clearCookie()
* ::setExtendedLoginCookie()
Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27 have
been removed:
* ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
* ::getPasswordFactory() – create a PasswordFactory directly
* ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when
DBO_TRX is set results in an exception. Calling Database::commit() explicitly
for an implicit transaction also results in an exception. Previously these
were logged as errors. The startAtomic() and endAtomic() methods, or
AtomicSectionUpdate should be used instead.
* The global function wfOutputHandler() was removed, use the its replacement
MediaWiki\OutputHandler::handle() instead. The global function was only
sometimes defined. Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
ResourceLoaderModule::getLessVars() to expose local variables instead of
global ones.
* As part of work to modernise user-generated content clean-up, a config option
and some methods related to HTML validity were removed without deprecation.
The public methods MWTidy::checkErrors() and the path through which it was
called, TidyDriverBase::validate(), are removed, as are the testing methods
MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
The $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies
the RESTRICT_DEFAULT Firejail restriction by default.
* The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
deprecated in 1.26, were removed.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.
=== Deprecations in 1.31 ===
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
RevisionRecord and its subclasses.
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* The global function wfCountDown is now deprecated in favor of
Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
have been deprecated in favor of similar methods that also return the tables
to select from and the join conditions for those tables.
* Block::selectFields() → Block::getQueryInfo()
* RecentChange::selectFields() → RecentChange::getQueryInfo()
* ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
* LocalFile::selectFields() → LocalFile::getQueryInfo()
* LocalFile::getCacheFields() with a prefix no longer works
* LocalFile::getLazyCacheFields() with a prefix no longer works
* OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
* RecentChange::selectFields() → RecentChange::getQueryInfo()
* Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
* Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
* Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
* Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
* Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
* Revision::selectFields() → Revision::getQueryInfo()
* Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
* User::selectFields() → User::getQueryInfo()
* WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated; use instead the hook
RevisionRecordInserted. RevisionInsertComplete is still called, but the second
and third parameter will always be null. Hard deprecation is scheduled for
1.32.
* The following methods that get and set ParserOutput state are deprecated.
Callers should use the new stateless $options parameter to
ParserOutput::getText() instead.
* ParserOptions::getEditSection()
* ParserOptions::setEditSection()
* ParserOutput::getEditSectionTokens()
* ParserOutput::setEditSectionTokens()
* ParserOutput::getTOCEnabled()
* ParserOutput::setTOCEnabled()
* OutputPage::enableSectionEditLinks()
* OutputPage::sectionEditLinksEnabled()
* The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
Setting template variables by reference allowed violating the principle of
data being immutable once added to the skin template. In practice, this method
was not being used for that. Rather, setRef() existed as memory optimisation
for PHP 4.
* QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced class
\Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
used instead.
* CommentStore::newKey is deprecated. Instead, get an instance from
MediaWikiServices.
* The following CommentStore methods have had their signatures changed to
introduce a $key parameter, usage of the methods on instances retrieved from
CommentStore::newKey will remain unchanged but deprecated:
* CommentStore::getFields
* CommentStore::getJoin
* CommentStore::getComment
* CommentStore::getCommentLegacy
* CommentStore::insert
* CommentStore::insertWithTemplate
* The following methods in Title have been renamed, and the old ones are
deprecated:
* Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
* Title::isCssOrJsPage – use ::isSiteConfigPage
* Title::isCssJsSubpage – use ::isUserConfigPage
* Title::isCssSubpage – use ::isUserCssConfigPage
* Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
* Parser::serializeHalfParsedText()
* Parser::unserializeHalfParsedText()
* Parser::isValidHalfParsedText()
* StripState::getSubState()
* StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
used instead.
* The function wfShellWikiCmd() has been deprecated, use
MediaWiki\Shell::makeScriptCommand().
* In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
will be allowed to provide any HTMLForm object rather than PreferencesForm.
=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was dropped entirely. Opera 15+
continues at Grade A.
* Multi-content-revision capability was introduced into the storage layer. See
.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext.
Links written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
wikitext table captions, wikitext table headings, wikitext table cells. HTML
headings, HTML list items, HTML table captions, HTML table headings, HTML
table cells will not have this trimming behavior.
== Compatibility ==
MediaWiki 1.31 requires PHP 7.0.0 or later. Although HHVM 3.18.5 or later is
supported, it is generally advised to use PHP 7.0.0 or later for long term
support.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.5.8 or later
* PostgreSQL 9.2 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.31 has several database changes since 1.30, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.
For notes on 1.30.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.
= MediaWiki 1.30 =
== MediaWiki 1.30.2 ==
This is a security and maintenance release of the MediaWiki 1.30 branch.
=== Changes since MediaWiki 1.30.1 ===
* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query
all titles when asked for none.
* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested
libraries.
* (T207540) Include IP address in "Login for $1 succeeded" log entry.
* (T205765) Don't link to the obsolete "Extension Matrix" page in installer.
* (T207603) SECURITY: User JS may no longer be loaded with mime type
text/javascript if there is no account associated with the username.
* (T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME
type if non-admins can edit the page.
* (T207541) Pass email address to mail().
* Fix addition of ug_expiry column to user_groups table on MSSQL.
* (T204531) rdbms: reduce LoadBalancer replication log spam.
* (T213489) Avoid session double-start in Setup.php.
* (T195525) Fix db error outage page.
* (T208871) The hard-coded Google search form on the database error page was
removed.
* (T216968) Return pageid as int in both list=iwbacklinks and
list=langbacklinks.
* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
$wgBlockDisablesLogin is true.
* (T25227) SECURITY: action=logout now requires to be posted and have a csrf
token.
* (T222385) resourceloader: Use AND instead of OR for upsert conds in
saveFileDependencies().
* (T224374) Fix message parameters so that the message that says SQLite is out
of date makes sense.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
getLoginSecurityLevel() returns non-false.
* (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
* (T208881) SECURITY: blacklist CSS var().
* (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
* (T222036, T222038) SECURITY: Add permission check for user is permitted to
view the log type.
* (T221739) SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358.
== MediaWiki 1.30.1 ==
This is a security and maintenance release of the MediaWiki 1.30 branch.
=== Changes since MediaWiki 1.30.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative
array.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
include extensions. Pass --with-extensions to enable that feature.
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker.
* (T179190) selenium: Move logic for running tests from package.json to
selenium.sh
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* Add default edit rate limit of 90 edits/minute for all users.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* oojs/oojs-ui updated to remove an unnecessary dependancy.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete
hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T193995) Fix undefined patchPath() method call in parser tests.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
hooks.
* (T190539) Explicitly require Postgres 9.1.
* (T118420) Unbreak Oracle installer.
== MediaWiki 1.30.0 ==
=== Changes since MediaWiki 1.30.0-rc.0 ===
* Upgraded Moment.js from v2.15.0 to v2.19.3.
* Add ip_changes to postgres/tables.sql.
* Skip null shell parameters.
* Add wfWaitForSlaves() to maintenance/migrateComments.php.
* (T182245) Fix join conditions in ImageListPager.
* (T178626) Revert #contentSub and #jump-to-nav margin changes.
=== MySQL version requirement in 1.30 ===
As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
section).
=== Configuration changes in 1.30 ===
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
unexpected behavior when code uses locale-sensitive string comparisons. For
example, the Scribunto extension considers "bar" < "Foo" in most locales
since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
class names. This is intended for extensions that want control over the
instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative
to plain class names, using the 'factory' key in the module description
array. This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
of IP ranges that can be queried at Special:Contributions.
* (T45547) $wgUsePigLatinVariant added (off by default).
* (T152540) MediaWiki now supports a section ID escaping style that allows to
display non-Latin characters verbatim on many modern browsers. This is
controlled by the new configuration setting, $wgFragmentMode.
* $wgExperimentalHtmlIds is now deprecated and will be removed in a future
version, use $wgFragmentMode to migrate off it to a modern alternative.
* $wgExternalInterwikiFragmentMode was introduced to control how fragments in
sinterwikis going outside of current wiki farm are encoded.
* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of
'mysqli'. This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0.
MediaWiki auto-selects the 'mysqli' driver since MediaWiki 1.22, except if
explicitly requested through the configuration parameter $wgDBservers.
* $wgOOUIEditPage was removed, as it is now the default. This was documented as
a temporary variable during the migration period.
=== New features in 1.30 ===
* (T37247) Output from Parser::parse() will now be wrapped in a div with
class="mw-parser-output" by default. This may be changed or disabled using
ParserOptions::setWrapOutputClass().
* (T163562) Added ability to search for contributions within an IP ranges
at Special:Contributions.
* Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
specific tags to be added by users.
* Added a 'ParserOptionsRegister' hook to allow extensions to register
additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
LanguageConverter variant. This allows English-speaking developers
to develop and test LanguageConverter more easily. Pig Latin can be
enabled by setting $wgUsePigLatinVariant to true.
* Added RecentChangesPurgeRows hook to allow extensions to purge data that
depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
* (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
'watchlistunwatchlinks' preference option is enabled). With JavaScript
enabled, these links toggle so the user can also re-watch pages that have
just been unwatched.
* Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
MediaHandlerFactory for parser tests.
* Edit summaries, block reasons, and other "comments" are now stored in a
separate database table. Use the CommentFormatter class to access them.
** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
soon as any necessary extensions are updated.
* (T138166) Added ability for users to prohibit other users from sending them
emails with Special:Emailuser. Can be enabled by setting
$wgEnableUserEmailBlacklist to true.
* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no
effect. Instead, users using browsers that do not support Unicode will be
unable to edit and should upgrade to a modern browser instead.
=== External library changes in 1.30 ===
==== Upgraded external libraries ====
* Updated justinrainbow/json-schema from v3.0 to v5.2.
* Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
* Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
* Updated wikimedia/relpath from v1.0.3 to v2.0.0.
* Updated OOjs from v2.0.0 to v2.1.0.
* Updated OOUI from v0.21.1 to v0.23.0.
* Updated QUnit from v1.23.1 to v2.4.0.
* Updated phpunit/phpunit from v4.8.35 to v4.8.36.
* Upgraded Moment.js from v2.15.0 to v2.19.3.
==== New external libraries ====
* The class \TestingAccessWrapper has been moved to the external library
wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
* Purtle, a fast, lightweight RDF generator.
==== Removed and replaced external libraries ====
* …
=== Bug fixes in 1.30 ===
* (T151633) Ordered list items use now Devanagari digits in Nepalese
(thanks to Sfic)
=== Action API changes in 1.30 ===
* (T37247) action=parse output will be wrapped in a div with
class="mw-parser-output" by default. This may be changed or disabled using
the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be
formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and
returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
parameters to prop=revisions are deprecated, as are the similarly named
parameters to prop=deletedrevisions, list=allrevisions, and
list=alldeletedrevisions. Use action=compare, action=parse, or
action=expandtemplates instead.
=== Action API internal changes in 1.30 ===
* ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
deprecated. The existing message should be split between "apihelp-*-summary"
and "apihelp-*-extended-description".
* (T123931) Individual values of multi-valued parameters can now be marked as
deprecated.
=== Languages updated in 1.30 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Added: kbp (Kabɩyɛ / Kabiyè)
* Added: skr (Saraiki, سرائیکی)
* Added: tay (Tayal / Atayal)
* Removed: tokipona (Toki Pona)
==== Pig Latin added ====
* (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
for easier variant development and testing. Disabled by default. It can be
enabled by setting $wgUsePigLatinVariant to true.
=== Other changes in 1.30 ===
* The use of an associative array for $wgProxyList, where the IP address is in
the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
* mw.user.bucket (deprecated in 1.23) was removed.
* LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
deprecated. There are no known callers.
* File::getStreamHeaders() was deprecated.
* MediaHandler::getStreamHeaders() was deprecated.
* Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
used instead.
* MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
should be used instead.
* The ExtractThumbParameters hook (deprecated in 1.21) was removed.
* The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
deprecated in 1.24) were removed.
* wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
BagOStuff::makeGlobalKey() should be used instead.
* (T146304) Preprocessor handling of LanguageConverter markup has been improved.
As a result of the new uniform handling, '-{' may need to be escaped
(for example, as '-{') where it occurs inside template arguments
or wikilinks.
* (T163966) Page moves are now counted as edits for the purposes of
autopromotion, i.e., they increment the user_editcount field in the database.
* Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
manipulating Special:Log and Special:NewPages lines.
* The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
PageHistoryLineEnding, ContributionsLineEnding and
DeletedContributionsLineEnding hooks have an additional parameter, for
manipulating HTML data attributes of RC/history lines.
EnhancedChangesListModifyBlockLineData can do that via the
$data['attribs'] subarray.
* (T130632) The OutputPage::enableTOC() method was removed.
* WikiPage::getParserOutput() will now throw an exception if passed
ParserOptions that would pollute the parser cache. Callers should use
WikiPage::makeParserOptions() to create the ParserOptions object and only
change options that affect the parser cache key.
* Article::viewRedirect() is deprecated.
* IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
* DeprecatedGlobal no longer supports passing in a direct value, it requires a
callable factory function or a class name.
* The $parserMemc global, wfGetParserCacheStorage(), and
ParserCache::singleton() are all deprecated. The main ParserCache instance
should be obtained from MediaWikiServices instead. Access to the underlying
BagOStuff is possible through the new ParserCache::getCacheStorage() method.
* .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
* Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
escapeIdForLink() or escapeIdForExternalInterwiki() instead.
* Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
Sanitizer functions or, if possible, Title::getFragmentForURL().
* Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
nothing and is deprecated.
* mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
escapeIdForLink().
* MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
* WikiImporter now requires the second parameter to be an instance of the
Config, class. Prior to that, the Config parameter was optional (a behavior
deprecated in 1.25).
* Removed 'jquery.mwExtension' module. (deprecated since 1.26)
* mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
any more.
* CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
The namespaced classes in the Cdb namespace should be used instead.
* IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
should be used instead.
* RunningStat class (deprecated in 1.27) was removed. The namespaced
RunningStat\RunningStat should be used instead.
* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were
removed.
The MemcachedClient class should be used instead.
* EditPage underwent some refactoring and deprecations:
* EditPage::isOouiEnabled() is deprecated and will always return true.
* EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated.
Please use ::getSummaryInputWidget() instead.
* EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
use ::getCheckboxesWidget() instead.
* Creating an EditPage instance without calling EditPage::setContextTitle()
should be avoided and will be deprecated in a future release.
* EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and
no-ops.
* EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are
deprecated. The corresponding methods from Title should be used instead.
* EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
* EditPage::$mArticle and ::$mTitle are deprecated for public usage. The
getters ::getArticle() and ::getTitle() should be used instead.
* Trying to control or fake EditPage context by overriding $wgUser,
$wgRequest, $wgOut, and $wgLang is no longer supported and won't work. The
IContextSource returned from EditPage::getContext() must be modified
instead.
* Parser::getRandomString() (deprecated in 1.26) was removed.
* Parser::uniqPrefix() (deprecated in 1.26) was removed.
* Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
$uniq_prefix was deprecated in 1.26 and has now been removed.
* (T172514) The following tables have had their UNIQUE indexes turned into
proper PRIMARY KEYs for increased maintainability: categorylinks, imagelinks,
iwlinks, langlinks, log_search, module_deps, objectcache, pagelinks,
query_cache, site_stats, templatelinks, text, transcache, user_former_groups,
user_properties.
* IDatabase::nextSequenceValue() is no longer needed by any database backends
(formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
* (T146591) The lc_lang_key index on the l10n_cache table has been changed into
a PRIMARY KEY.
* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
user_properties.up_user have all been made unsigned on MySQL.
* DB_SLAVE is deprecated. DB_REPLICA should be used instead.
* wfUsePHP() is deprecated.
* wfFixSessionID() was removed.
* wfShellExec() and related functions are deprecated, use Shell::command(). This
also slightly changes the behavior of how execution time limits are calculated
when only some of defaults are overridden per-call. When in doubt, always
override both wall clock and CPU time.
* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the
sending user object. Using the method without the second argument is
deprecated.
* (T67297) Browsers that don't support Unicode will have their edits rejected.
* (T178450) The module 'jquery.badge' is deprecated and will be removed in a
future release. For notifying the user of an event, the Notifications ("Echo")
system should be used instead.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
browser sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
= MediaWiki 1.29 =
== MediaWiki 1.29.3 ==
This is a security and maintenance release of the MediaWiki 1.29 branch.
=== Changes since 1.29.2 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
account lock.
* (T180551) Fix LanguageSrTest for language converter
* (T180552) Fix langauge converter parser test with self-close tags
* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
* (T180485) InputBox: Have inputbox langconvert certain attributes
* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
* (T172927) Drop vendor from MW release branch
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
include extensions. Pass --with-extensions to enable that feature.
* (T182381) Mask deprecated call in WatchedItemUnitTest
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* The karma qunit tests would fail on some configuration due to headers already
sent. Check headers_sent() before sending cpPosTime headers
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker
* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
fails under SQLite.
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* (T179190) selenium: Move test running logic from package.json to selenium.sh.
* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
* Add default edit rate limit of 90 edits/minute for all users.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T194237) Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T118420) Unbreak Oracle installer.
== MediaWiki 1.29.2 ==
This is a security and maintenance release of the MediaWiki 1.29 branch.
=== Changes since 1.29.1 ===
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to
nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
browser sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly
fixed in all branches in the previous security release.
== MediaWiki 1.29.1 ==
This is a maintenance release of the MediaWiki 1.29 branch.
The SpamBlacklist and PdfHandler extensions were missing from the generated
packages.
=== Changes since 1.29.1 ===
* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
* (T172061) Fix fatal when passing a category to refreshLinks.php.
== MediaWiki 1.29.0 ==
=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
determines whether to set a cookie when a user is autoblocked. Doing so means
that a blocked user, even after logging out and moving to a new IP address,
will still be blocked.
* The resetpassword right and associated password reset capture feature has
been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
or boolean false. This should be compatible with at least MediaWiki 1.23 if
not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
policies.
* Subpages are now enabled by default in the Template namespace. Set
$wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single
IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in it's
fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
browsers had poor support for them, but modern browsers handle them fine.
This might affect some forms that used them and only worked because the
attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
structures filters into user-friendly groups. This has corresponding
changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
Because this change can cause problems for extensions and on-wiki
scripts depending on the exact HTML, the old version is still available
and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
This will be removed later and OOjs UI will become the only option.
To make testing easier, users can also force either mode by adding
&ooui=true or &ooui=false to the action=edit URL.
=== External library changes in 1.29 ===
==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.
* Updated jQuery from v1.11.3 to v3.2.1 (including jQuery Migrate v3.0.0).
==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.
==== Removed and replaced external libraries ====
=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number
according to the page content language, not wiki content language.
* (T27187) Search suggestions based on jquery.suggestions will now correctly
only highlight prefix matches in the results.
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
* Special:Allpages can no longer be filtered by redirect in miser mode.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary
directory in it's fallback chain when trying to work out where to write the
cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
inclusion syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected
against it.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata in the query string is now an error. They
should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings'
and 'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
key 'talkmove-errors', rather than using 'talkmove-error-code' and
'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
and errors for each item. Use errorformat=wikitext if you're wanting parsed
output.
* action=rollback no longer returns a "messageHtml" property. Use
errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
and password change forms.
* action=purge now requires a POST.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
which returns a list of languages with active LanguageConverter instances.
* action=query&query=allpages will no longer filter redirects using a database
query in miser mode. This may result in less results being returned than were
requested.
=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
keys. Methods for using hard-coded English messages were deprecated:
* ApiBase::dieUsage() was deprecated
* ApiBase::dieUsageMsg() was deprecated
* ApiBase::dieUsageMsgOrDebug() was deprecated
* ApiBase::getErrorFromStatus() was deprecated
* ApiBase::parseMsg() was deprecated
* ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
being ApiUsageException is a subclass of UsageException to allow things that
catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
ApiErrorFormatter_BackCompat, note that the result format has changed and
various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
from the message key, and maps some message keys for backwards compatibility.
* API parameters may now be marked as "sensitive" to keep their values out of
the logs.
=== Languages updated in 1.29 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Based as always on linguistic studies on intelligibility and language
knowledge by geography, language fallbacks have been expanded. When a
translation is missing in the user's preferred interface language, the
corresponding translation for the fallback language will be used instead.
English will only be used as last resort when there are no translations.
Some configurations (such as date formats and gender namespaces) have also
been updated when using the fallback language's configuration was inadequate.
The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.
==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
language will now use the default fallback language: English. When a
translation to Ukrainian is not available, an English string will be shown.
=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
were removed.
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
were removed.
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use
ArticleContentViewCustom instead.
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* Class FSRepo (deprecated in 1.19) was removed.
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
\MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId()
instead.
* Class ImageGallery (deprecated in 1.22) was removed.
Use ImageGalleryBase::factory instead.
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class
instead.
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
emit warnings). Create a subclass of Action and add it to $wgActions instead.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked
deprecated.
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
and outdated lists of errors/warnings returned by the API, are now deprecated.
* wiki.phtml entry point was removed. Refer to index.php instead. If you want
"wiki.phtml" URLs to continue to work, set up redirects. In Apache, this can
be done by enabling mod_rewrite and adding the following rules to your
configuration:
RewriteEngine On
RewriteBase /
RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with
--category=... or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
now required to have a getGroupMemberships() method. See UserRightsProxy for
an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
instead.
* User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
and subclasses. It should only break if you call buildMainQueryConds
(changed to buildQuery with new signature) or doMainQuery (new
signature). Subclasses are likely to call at least doMainQuery
(possibly both), but other classes might too, because they were
public.
Also, some related hooks were deprecated, but this is not yet a
breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
WikiPage::PURGE_* constants are deprecated, and the functions will always
return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
if you don't actually care about checkboxes and just want to add some HTML
to the page.
* Selflinks are now rendered as href-less tags with the class mw-selflink
rather than tags. The old class name, "selflink", was deprecated
and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
addClickHandler, removeHandler, getElementsByClassName, getInnerText,
setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the element containing the login link has changed from
'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
deprecated (T30856). This old code dates from 2006, and was replaced in the
MediaWiki release tarball and in Wikimedia production by the WikiEditor
extension in 2010. It is only shown to users if no other editor was
installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
addModuleStyles() is deprecated and will log a warning server-side.
= MediaWiki 1.28 =
== MediaWiki 1.28.3 ==
This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.2 ==
* (T168856) Allow SVGs created by Dia to be uploaded.
* (T157545) Add missing doUpdates() call to refreshLinks.php.
* (T165714) (T100085) Better handling of jobs execution in post-connection
shutdown.
* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of
Database->onTransactionIdle.
* (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
* (T149454) Restore erroneously removed realTableName call from
DatabasePostgres.
* (T167798) Fix phrase search and highlighting for phrase queries.
* (T151136) Provide credits information to callbacks in extension registration.
* (T160462) Allow namespaces defined in extension.json to be overwritten
locally.
* (T168337) Fix ErrorPageError to work from non-UI contexts.
* (T143788) Backports for PHP 7.0 and 7.1 support.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T174255) Declare uploadCount property in importDump.php.
* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to
v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and
browser sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in
update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
== MediaWiki 1.28.2 ==
Due to a packaging error, the wrong version of the SyntaxHighlight extension was
included in the tarball version of MediaWiki 1.28.1. The version included had a
serious security issue in it (T158689). There was also some minor code fixes in
MediaWiki itself since 1.28.1, but none of them were security relevant.
== MediaWiki 1.28.1 ==
This is a security and maintenance release of the MediaWiki 1.28 branch.
=== Changes since 1.28.0 ===
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki
has more than one database server setup.
* (T152717) Better escaping for PHP mail() command,
* (T154670) A missing method causing the MySQL installer to fatal in rare
circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is
installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28
installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow
redirect to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a
CSRF token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary
directory in it's fallback chain when trying to work out where to write the
cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file
inclusion syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected
against it.
== MediaWiki 1.28 ==
=== Changes since 1.28.0-rc1 ===
* (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
errors.
* (T148956) Only apply wgDBschema to postgres/mssql.
* (T145991) Introduce separate log action for deleting pages on move.
* (T141474) (T110464) Bypass login page if no user input is required.
=== Changes since 1.28.0-rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
comment to a machine-readable JavaScript config option 'wgPageParseReport'
have been undone. They caused the human-readable limit report to be shown
incompletely or not at all. ParserOutput::setLimitReportData() and
getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
the text of subheadings on a category page when creating it. This wasn't
working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
canonical pretty URL when a non-pretty URL is used. It resulted in redirect
loops in some clients and in some server configurations. This undoes a change
made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not
there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
access to session data, which includes the session user and the session
user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
signifies local uploads. A value of `[]` (empty array) now means that
no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
for Esperanto language character conversion. You are now recommended to use
input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
https://www.mediawiki.org/beacon with basic information about the local
MediaWiki installation. This data includes, for example, the type of system,
PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users
('user').
instead of just administrators ('sysop'). Documentation for this feature is
available at .
* $wgRevisionCacheExpiry is now set to one week by default instead of being
disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying
the value of $wgEnableMagicLinks. Their usage is discouraged, but if they are
manually enabled, a tracking category will be added to help identify usage and
make it easier to migrate away from. If you depend upon magic link
functionality, it is requested that you comment on
and explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
in upcoming Content-Security-Policy feature's reporting.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
upload. Unlike 'UploadVerifyFile' it provides information about upload comment
and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting
$wgCategoryCollation to 'uca-default-u-kn' or 'uca--u-kn'. If you
can't use UCA collations, a 'numeric' collation is also available. If
migrating from another collation, you will need to run the updateCollation.php
maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in
current month, and "xiz" for days passed in the year, both in Iranian
calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
appropriate for sending multi-valued parameters. This defaults to true when
the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica
databases, MediaWiki will wait for the replica databases to synchronize with
the master database while it renders the HTML output. However, if the output
is a redirect to another wiki on the wiki farm with a different domain,
MediaWiki will instead alter the redirect URL to include a ?cpPosTime
parameter that triggers the database synchronization when the URL is followed
by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
'show' parameters to existing API query modules.
=== External library changes in 1.28 ===
==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page
does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline