-Change notes from older releases. For current info see RELEASE-NOTES-1.25.
+Change notes from older releases. For current info see RELEASE-NOTES-1.28.
+
+= MediaWiki 1.27 =
+
+== MediaWiki 1.27.0 ==
+
+=== PHP version requirement in 1.27 ===
+As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
+section). Additionally, the following PHP extensions are required:
+* ctype
+* iconv
+* json
+* mbstring (new requirement in 1.27)
+* xml
+The following PHP extensions are strongly recommended:
+* openssl
+
+=== Configuration changes in 1.27 ===
+* $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
+ now always enabled. If you use RDFa on your wiki, you now have to explicitly
+ set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
+* $wgUseLinkNamespaceDBFields was removed.
+* Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
+ $wgResourceLoaderMinifierMaxLineLength, because there was little value in
+ making the behavior configurable. The default values (`false` for the former,
+ 1000 for the latter) are now hard-coded.
+* $wgDebugDumpSqlLength was removed (deprecated in 1.24).
+* $wgDebugDBTransactions was removed (deprecated in 1.20).
+* $wgUseXVO has been removed, as it provides functionality only used by
+ custom Wikimedia patches against Squid 2.x that probably noone uses in
+ production anymore. There is now $wgUseKeyHeader that provides similar
+ functionality but instead of the MediaWiki-specific X-Vary-Options header,
+ uses the draft Key header standard.
+* $wgScriptExtension (and support for '.php5' entry points) was removed. See the
+ deprecation notice in the release notes for version 1.25 for advice on how to
+ preserve support for '.php5' entry points via URL rewriting.
+* Password handling via the User object has been deprecated and partially
+ removed, pending the future introduction of AuthManager. In particular:
+** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
+ getPasswordExpired() have been removed. They were unused outside of core.
+** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
+ now private and will be removed in the future.
+** The getPassword() and getTemporaryPassword() methods now throw
+ BadMethodCallException and will be removed in the future.
+** The ability to pass 'password' and 'newpassword' to createNew() has been
+ removed. The only users of it seem to have been using it to set invalid
+ passwords, and so shouldn't be greatly affected.
+** setPassword(), setInternalPassword(), and setNewpassword() have been
+ deprecated, pending the introduction of AuthManager.
+** User::randomPassword() is deprecated in favor of a new method
+ PasswordFactory::generateRandomPasswordString()
+** User::getPasswordFactory() is deprecated, callers should just create a
+ PasswordFactory themselves.
+** A new constructor, User::newSystemUser(), has been added to simplify the
+ creation of passwordless "system" users for logged actions.
+* $wgMaxSquidPurgeTitles was removed.
+* $wgAjaxWatch was removed. This is now enabled by default.
+* $wgUseInstantCommons now hotlinks Commons images by default instead of
+ downloading originals and thumbnailing them locally. This allows wikis to save
+ on CPU and bandwidth while reducing time to first byte for pages, even without
+ a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
+* (T27397) WebP is enabled by default as an uploadable filetype.
+* (T48998) $wgArticlePath must now be either a full url, or start with a "/".
+* $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
+* Deprecated API formats dbg, txt, and yaml have been removed.
+* CLDRPluralRule* classes have been replaced with
+ wikimedia/cldr-plural-rule-parser.
+* Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
+ $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
+ $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
+* For proper operation of LocalIdLookup with shared user tables, ensure that
+ $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
+ that all others are sharing from and that $wgLocalDatabases is set to the
+ full list of sharing wikis on all those wikis.
+* Massive overhaul to session handling:
+** $wgSessionsInObjectCache is no longer supported and must be true, due to
+ MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
+ used.
+** ObjectCacheSessionHandler is removed, replaced with
+ MediaWiki\Session\PhpSessionHandler.
+** PHP session handling in general ($_SESSION, session_id(), and so on) is
+ deprecated. Use MediaWiki\Session\SessionManager instead. A new config
+ variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
+ issue a deprecation warning or to cause most PHP session handling to throw
+ exceptions.
+** Deprecated UserSetCookies hook. Session-handling extensions should generally
+ be creating a custom subclass of CookieSessionProvider. Other extensions
+ messing with cookies can no longer count on user data being saved in cookies
+ versus other methods.
+** Deprecated UserLoadFromSession hook, extensions should create a
+ MediaWiki\Session\SessionProvider.
+** The User cannot be loaded from session until after Setup.php completes.
+ Attempts to do so will be ignored and the User will remain unloaded.
+** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
+ the MediaWiki\Session\Token class.
+* MediaWiki will now auto-create users as necessary, removing the need for
+ extensions to do so. An 'autocreateaccount' right is added to allow
+ auto-creation when 'createaccount' is not granted to all users.
+* Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
+* Most cookie-handling methods in User are deprecated.
+* $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
+ experimental feature that has never worked.
+* Login and createaccount tokens now vary by timestamp.
+* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
+ return a MediaWiki\Session\Token, and tokens must be checked using that
+ class's methods.
+* $wgEnotifUseJobQ was removed and the job queue is always used.
+* The functionality of the ApiSandbox extension has been merged into core. The
+ extension should no longer be used.
+* $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
+ Extensions, skins, gadgets and scripts that use the mediawiki.util module must
+ express a dependency on it.
+* $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
+ Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
+ module should express a dependency on it.
+* Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
+ $wgFooterIcons['copyright']['copyright'] instead.
+* If the openssl and mcrypt PHP extensions are both unavailable, secure
+ session storage (used for login) will raise an exception. This exception may
+ be bypassed by setting $wgSessionInsecureSecrets = true.
+* Massive overhaul to authentication:
+** AuthPlugin and AuthPluginUser are deprecated.
+** LoginForm and associated templates are deprecated. Extensions which called
+ static LoginForm methods should be converted into authentication providers.
+** The following hooks are deprecated:
+*** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** AddNewAccount (use LocalUserCreated instead)
+*** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
+*** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
+*** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
+*** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
+*** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
+** The following hooks are removed:
+*** AbortChangePassword
+*** LoginPasswordResetMessage
+*** PrefsPasswordAudit
+** The UserLoginComplete hook will no longer be called for all logins, only for
+ those via the web UI. Use UserLoggedIn if you need to do something on all
+ logins.
+** $wgRequirePasswordforEmailChange is removed.
+
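Review bot: The $wgSessionInsecureSecrets entry near the end of the configuration list tells admins how to bypass the exception but not what they give up by doing so. Say what protection session storage loses when neither openssl nor mcrypt is available, and point to installing openssl (already listed above as strongly recommended) as the preferred fix, with the override as a last resort. Also in this section: "$CopyUploadAsyncTimeout" lacks the "$wg" prefix that every other setting here carries, and "noone" in the $wgUseXVO entry should be "no one".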
+=== New features in 1.27 ===
+* $wgDataCenterUpdateStickTTL was also added. This decides how long a user
+ sticks to the primary DC (via cookies) after they make changes to the site.
+* Added a new hook, 'UserMailerTransformContent', to transform the contents
+ of an email. This is similar to the EmailUser hook but applies to all mail
+ sent via UserMailer.
+* Added a new hook, 'UserMailerTransformMessage', to transform the contents
+ of an emai after MIME encoding.
+* Added a new hook, 'UserMailerSplitTo', to control which users have to be
+ emailed separately (ie. there is a single address in the To: field) so
+ user-specific changes to the email can be applied safely.
+* $wgCdnMaxageLagged was added, which limits the CDN cache TTL
+ when any load balancer uses a DB that is lagged beyond the 'max lag'
+ setting in the relevant section of $wgLBFactoryConf.
+* User::newSystemUser() may be used to simplify the creation of passwordless
+ "system" users for logged actions from scripts and extensions.
+* Extensions can now return detailed error information via the API when
+ preventing user actions using 'getUserPermissionsErrors' and similar hooks
+ by using ApiMessage instances instead of strings for the $result value.
+* $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
+ becomes too high.
+* Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
+ and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
+ cross-browser-compatible FlexBox rules. Users will still need to add fallback
+ float rules or the like for compatibility with IE9- separately.
+* Added MWTimestamp::getTimezoneString() which returns the localized timezone
+ string, if available. To localize this string, see the comments of
+ $wgLocaltimezone in includes/DefaultSettings.php.
+* Added CentralIdLookup, a service that allows extensions needing a concept of
+ "central" users to get that without having to know about specific central
+ authentication extensions.
+* $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
+ Regular web request transactions that takes longer than this are aborted.
+* Added a new hook, 'TitleMoveCompleting', which runs before a page move is
+ committed.
+* $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
+ from CDN to mitigate DB replication lag and WAN cache purge lag.
+* (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
+ if it is available.
+* It is now possible to patrol file uploads (both for new files and new versions
+ of existing files). Special:NewFiles has gained an option to filter by patrol
+ status. This functionality can be disabled using $wgUseFilePatrol.
+* MediaWiki\Session infrastructure allows for easier use of session mechanisms
+ other than the usual cookies.
+** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
+ custom session metadata.
+* Added MWGrants and associated configuration settings $wgGrantPermissions and
+ $wgGrantPermissionGroups to hold configuration for authentication features
+ such as OAuth that want to allow restricting the user rights a user may make
+ use of.
+** If you're already using the OAuth extension, these new variables are
+ identical to (and will replace) $wgMWOAuthGrantPermissions and
+ $wgMWOAuthGrantPermissionGroups.
+* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
+ to assert that the request comes from a particular IP range.
+* Added bot passwords, a rights-restricted login mechanism for API-using bots.
+* Whitelisted the following HTML attributes for all elements in wikitext:
+ aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
+* Removed "presentation" restriction on the HTML role attribute in wikitext.
+ All values are now allowed for the role attribute.
+* $wgContentHandlers now also supports callbacks to create an instance of the
+ appropriate ContentHandler subclass.
+* Added $wgAuthenticationTokenVersion, which if non-null prevents the
+ user_token database field from being exposed in cookies. Setting this would
+ be a good idea, but will log out all current sessions.
+* $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
+ specifically for reliable CDN url purges.
+* Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
+ MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
+ generated 24-character string. This request ID is used to annotate log records
+ and error messages. It is available client-side via mw.config.get( 'wgRequestId' ).
+ The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId()
+ is deprecated.
+* (T33313) Add a preference for watching uploads by default, also applies
+ to API-based upload tools.
+* $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
+ thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
+ savings versus the previous behavior on many files.
+* MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
+ configuration of multiple authentication pieces that was possible with
+ AuthPlugin. For example, it's now easy to plug in second-factor
+ authentication, or add additional checks to the login process, or to support
+ multiple login methods at once, or to support non-password-based login methods.
+** Providers are configured via the global setting $wgAuthManagerConfig.
+** A global, $wgDisableAuthManager, is temporarily available to disable
+ AuthManager until extensions are ready to support it.
+** New hook, AuthChangeFormFields, to adjust the form fields on
+ AuthManager-related special pages.
+** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
+ AuthManager-related authentication requests.
+** New hook, ChangeAuthenticationDataAudit, for additional logging of
+ AuthManager-related authentication data changes.
+** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
+ for requiring a recent login before taking security-sensitive operations
+ like changing a password.
+** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist
+ can be used to prevent the web UI and the API changing certain authentication data.
+* The file upload dialog (available if you install WikiEditor or VisualEditor)
+ can now be configured using $wgUploadDialog.
+
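Review bot: The $wgAuthenticationTokenVersion entry says only that "Setting this would be a good idea", which leaves the reader to guess both the value and what happens when the setting is left null. State the consequence of leaving it unset (the entry implies user_token is then exposed in cookies), give an example value, and keep the warning that setting it logs out all current sessions. Smaller points in this section: the first entry opens with "was also added" although nothing precedes it, "emai" in the UserMailerTransformMessage entry should be "email", and the User::newSystemUser() entry repeats the one already given under configuration changes.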
+=== External library changes in 1.27 ===
+
+==== Upgraded external libraries ====
+* Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
+* Updated composer/semver from v1.0.0 to v1.2.0.
+* Updated liuggio/statsd-php-client to 1.0.18.
+* Updated QUnit from v1.18.0 to v1.22.0.
+
+==== New external libraries ====
+* Added wikimedia/base-convert v1.0.1.
+* Added wikimedia/cldr-plural-rule-parser v1.0.0.
+* Added wikimedia/relpath v1.0.3.
+* Added wikimedia/running-stat v1.1.0.
+* Added wikimedia/php-session-serializer v1.0.3.
+
+==== Removed and replaced external libraries ====
+
+=== Bug fixes in 1.27 ===
+* Special:Upload will now display correct maximum allowed file size when running
+ under HHVM (T116347).
+* (T54077) The APIEditBeforeSave hook will once again give only the content of
+ the section being edited, rather than the whole revision. This reverts the
+ change made in MediaWiki 1.22.
+
+=== Action API changes in 1.27 ===
+* Added list=allrevisions.
+* generator=recentchanges now has the option to generate revids.
+* ApiPageSet::setRedirectMergePolicy() was added. This allows generator
+ modules to define how generator data for a redirect source gets merged
+ into the redirect destination.
+* prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
+ "was-deleted" warning.
+* Added difftotextpst to query=revisions which preforms a pre-save transform on
+ the text before diffing it.
+* Deprecated formats dbg, txt, and yaml have been removed.
+* (T47988) The protect log event details now use new-style formatting.
+* The following response properties from action=login are deprecated, and may
+ be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
+ handle cookies to properly manage session state.
+* action=login transparently allows login using bot passwords. Clients should
+ merely need to change the username and password used after setting up a bot
+ password.
+* action=upload no longer understands statuskey, asyncdownload or leavemessage.
+* Several changes when $wgDisableAuthManager is false:
+** action=login is deprecated for uses other than bot passwords.
+** list=users can now indicate if a missing username is creatable.
+** action=createaccount is changed in a non-backwards-compatible manner.
+** Added action=query&meta=authmanagerinfo.
+** Added action=clientlogin to be used to log into the main account instead of
+ action=login.
+** Added action=linkaccount.
+** Added action=unlinkaccount.
+** Added action=changeauthenticationdata.
+** Added action=removeauthenticationdata.
+** Added action=resetpassword.
+
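Review bot: In the list under "Several changes when $wgDisableAuthManager is false", the line "action=createaccount is changed in a non-backwards-compatible manner" does not say what changed, so client authors cannot tell what will break. Name the incompatible parameters or responses, or point to where they are documented. Also: "preforms" in the difftotextpst entry should be "performs", the line about formats dbg, txt and yaml duplicates the one under configuration changes, and the "Removed and replaced external libraries" heading above has no entries beneath it.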
+=== Action API internal changes in 1.27 ===
+* ApiQueryORM removed.
+* The following classes have been removed:
+** ApiFormatDbg
+** ApiFormatTxt
+** ApiFormatYaml
+* ApiBase::addTokenProperties() was removed (deprecated since 1.24).
+* ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
+* ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
+* ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24).
+* ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
+* ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24).
+* ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24).
+* ApiBase::getResultProperties() was removed (deprecated since 1.24).
+* ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
+* ApiBase::parseErrors() was removed (deprecated since 1.24).
+* ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
+ ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
+* ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
+* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
+* ApiQuery::getGenerators() was removed (deprecated since 1.21).
+* ApiQuery::getModules() was removed (deprecated since 1.21).
+* ApiQuery::getModuleType() was removed (deprecated since 1.21).
+* ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
+* ApiMain::getModules() was removed (deprecated since 1.21).
+* ApiBase::getVersion() was removed (deprecated since 1.21).
+* ApiMain::getShowVersions() was removed (deprecated in 1.21).
+* ApiMain::addModule() was removed (deprecated in 1.21).
+* ApiMain::addFormat() was removed (deprecated in 1.21).
+* ApiMain::getFormats() was removed (deprecated in 1.21).
+* ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
+* ApiCreateAccount is deprecated, and will be removed soon.
+
+=== Languages updated in 1.27 ===
-== MediaWiki 1.24 ==
+MediaWiki supports over 350 languages. Many localisations are updated
+regularly. Below only new and removed languages are listed, as well as
+changes to languages because of Phabricator reports.
+
+* (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
+* (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
+
+=== Other changes in 1.27 ===
+* Added dependency injection (DI) infrastructure, see docs/injection.txt for details.
+ It is planned to incrementally move MediaWiki code towards using DI, using the
+ service locator (SL) pattern as a stepping stone.
+* ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
+* WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
+ ignore the 2nd and 3rd arguments (formerly $id and $commit).
+* Removed "loaderScripts" option from ResourceLoaderFileModule class.
+* Removed ORM-like wrapper added in 1.20.
+* LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
+ (deprecated in 1.26).
+* WikiPage::doQuickEdit() was removed (deprecated since 1.21).
+* Removed SiteObject and SiteArray classes (deprecated in 1.21).
+* MessageBlobStore::getInstance() was removed (deprecated since 1.25).
+* (T84937) Free external links ("autolinked" urls) will now be terminated
+ by and HTML entity encodings of  , <, and >.
+* (T36948) The default file revert message's timestamp is now in
+ $wgLocaltimezone, instead of UTC.
+* The default name of the 'suppress' group page has been changed from
+ 'Project:Oversight' to 'Project:Suppress'.
+* DatabaseBase::resultObject() is now protected (use outside Database classes
+ not necessary since 1.11).
+* Calling ResourceLoaderFileModule::readStyleFiles() without a
+ ResourceLoaderContext instance is deprecated.
+* ResourceLoader::getLessCompiler() now takes an optional parameter of
+ additional LESS variables to set for the compiler.
+* wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
+ instead.
+* Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
+ were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
+* Removed msg_resource_links database table and associated code.
+* Removed msg_resource database table and associated code.
+* Skin::getNamespaceNotice() was removed.
+* wfIsConfiguredProxy() was removed (deprecated since 1.24).
+* wfDebugTimer() was removed (deprecated since 1.25).
+* wfIsTrustedProxy() was removed (deprecated since 1.24).
+* wfGetIP() was removed (deprecated since 1.19).
+* MWHookException was removed.
+* OutputPage::appendSubtitle() was removed (deprecated since 1.19).
+* OutputPage::loginToUse() was removed (deprecated since 1.19).
+* Article::loadContent() was removed (deprecated since 1.19).
+* User::editToken() was removed (deprecated since 1.19).
+* Removed --force-normal option of dumpBackup.php, as it no longer served
+ any useful purpose since 1.22.
+* The functions processOption() and processArgs() on the BackupDumper and
+ TextPassDumper classes have been removed.
+* The maintenance/backupTextPass.inc file was deleted. You should include
+ maintenance/dumpTextPass.php instead.
+* WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
+* wfEmptyMsg() was removed (deprecated since 1.18).
+* OutputPage::permissionRequired() was removed (deprecated since 1.18).
+* OutputPage::blockedPage() was removed (deprecated since 1.18).
+* User::getSkin() was removed (deprecated since 1.18).
+* OutputPage::includeJQuery() was removed (deprecated since 1.17).
+* WikiPage::updateRestrictions() was removed (deprecated since 1.19).
+* WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
+* LogPage::logName() was removed (deprecated since 1.19).
+* LogPage::logHeader() was removed (deprecated since 1.19).
+* wfCheckLimits() was removed (deprecated since 1.24).
+* Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
+* Linker::makeLinkObj() was removed (deprecated since 1.16).
+* wfMsgForContentNoTrans() was removed (deprecated since 1.18).
+* ChangesList::usePatrol was removed (deprecated since 1.22).
+* wfMsgNoTrans() was removed (deprecated since 1.18).
+* Linker::makeImageLink2 was removed (deprecated since 1.20).
+* Title::userIsWatching() was removed (deprecated since 1.20).
+* Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
+ database function directly instead.
+* wfMsg() was removed (deprecated since 1.18).
+* wfMsgForContent() was removed (deprecated since 1.18).
+* wfMsgReal() was removed (deprecated since 1.18).
+* wfMsgGetKey() was removed (deprecated since 1.18).
+* wfMsgHtml() was removed (deprecated since 1.18).
+* wfMsgWikiHtml() was removed (deprecated since 1.18).
+* wfMsgExt() was removed (deprecated since 1.18).
+* Language::armourMath() was removed (deprecated since 1.22).
+* LanguageConverter::armourMath() was removed (deprecated since 1.22).
+* FakeConverter::armourMath() was removed (deprecated since 1.22).
+* The unused jquery.validate ResourceLoader module was removed.
+* FileRepo::getRootUrl() was removed (deprecated since 1.20).
+* User::generateToken() was removed (deprecated since 1.20).
+* WikiPage::getRawText() was removed (deprecated since 1.21).
+* ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
+* ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
+* ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
+* Gallery images with multiple caption pipes no longer concatenate them all
+ together but instead pick the final one, similar to image syntax.
+* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
+ rather than consume everything until the end of the page.
+* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
+ a user forgot password/account was stolen.
+* wfCheckEntropy() was removed (deprecated in 1.27).
+* Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
+* ContentHandler::supportsCategories method added. Default is true.
+ CategoryMembershipChangeJob updates are skipped for content that
+ does not support categories.
+* wikidiff difference engine is no longer supported, anyone still using it are encouraged
+ to upgrade to wikidiff2 which is actively maintained and has better package availability.
+* Database logic was removed from WatchedItem and a WatchedItemStore was created:
+** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated.
+ User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
+** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
+** WatchedItem::resetNotificationTimestamp was deprecated.
+** WatchedItem::batchAddWatch was deprecated.
+** WatchedItem::addWatch was deprecated.
+** WatchedItem::removeWatch was deprecated.
+** WatchedItem::isWatched was deprecated.
+** WatchedItem::duplicateEntries was deprecated.
+** EmailNotification::updateWatchlistTimestamp was deprecated.
+** User::getWatchedItem was removed.
+* Unit tests don't work with external PHPUnit anymore, Composer is now the only supported
+ way. Run `composer install` to install it and other dev dependencies to run unit tests.
+* wl_id field added to the watchlist table.
+* Revision::getRawText() was removed (deprecated since 1.21).
+* WikiPage::replaceSection() was removed (deprecated since 1.21).
+* Article::replaceSection() was removed (deprecated since 1.21).
+* Language::getLangObj() was removed (deprecated since 1.24).
+* Language::getLanguageName() was removed (deprecated since 1.20).
+* Language::getLanguageNames() was removed (deprecated since 1.20).
+* Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
+* Language::specialPage() was removed (deprecated since 1.24).
+* MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
+* OutputPage::getHeadItems() was removed (deprecated since 1.24).
+* OutputPage::getScript() was removed (deprecated since 1.24).
+* OutputPage::out() was removed (deprecated since 1.22).
+* OutputPage::setAllowedModules() was removed (deprecated since 1.24).
+* UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
+* MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
+* Title::newFromRedirect() was removed (deprecated since 1.21).
+* Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
+* Skin::getCommonStylePath() was removed (deprecated since 1.24).
+* Skin::newFromKey() was removed (deprecated since 1.24).
+* Skin::getUsableSkins() was removed (deprecated since 1.23).
+* LoadBalancer::pickRandom() was removed (deprecated in 1.21).
+* Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since
+ 1.21).
+* DifferenceEngine::setText() was removed (deprecated in 1.21).
+* Title::newFromRedirectArray() was removed (deprecated in 1.21).
+* UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType
+ as the 6th. These must be passed in the options array now.
+* Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
+* Skin::accesskey was removed (deprecated since 1.21).
+* Skin::blockLink was removed (deprecated since 1.21).
+* Skin::buildRollbackLink was removed (deprecated since 1.21).
+* Skin::emailLink was removed (deprecated since 1.21).
+* Skin::formatComment was removed (deprecated since 1.21).
+* Skin::formatHiddenCategories was removed (deprecated since 1.21).
+* Skin::formatLinksInComment was removed (deprecated since 1.21).
+* Skin::formatRevisionSize was removed (deprecated since 1.21).
+* Skin::formatSize was removed (deprecated since 1.21).
+* Skin::formatTemplates was removed (deprecated since 1.21).
+* Skin::generateTOC was removed (deprecated since 1.21).
+* Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
+* Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
+* Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
+* Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
+* Skin::getLinkColour was removed (deprecated since 1.21).
+* Skin::getRevDeleteLink was removed (deprecated since 1.21).
+* Skin::getRollbackEditCount was removed (deprecated since 1.21).
+* Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
+* Skin::makeCommentLink was removed (deprecated since 1.21).
+* Skin::makeExternalImage was removed (deprecated since 1.21).
+* Skin::makeExternalLink was removed (deprecated since 1.21).
+* Skin::makeHeadline was removed (deprecated since 1.21).
+* Skin::makeImageLink was removed (deprecated since 1.21).
+* Skin::makeMediaLinkFile was removed (deprecated since 1.21).
+* Skin::makeMediaLinkObj was removed (deprecated since 1.21).
+* Skin::makeSelfLinkObj was removed (deprecated since 1.21).
+* Skin::makeThumbLink2 was removed (deprecated since 1.21).
+* Skin::makeThumbLinkObj was removed (deprecated since 1.21).
+* Skin::normaliseSpecialPage was removed (deprecated since 1.21).
+* Skin::normalizeSubpageLink was removed (deprecated since 1.21).
+* Skin::processResponsiveImages was removed (deprecated since 1.21).
+* Skin::revComment was removed (deprecated since 1.21).
+* Skin::revDeleteLink was removed (deprecated since 1.21).
+* Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
+* Skin::revUserLink was removed (deprecated since 1.21).
+* Skin::revUserTools was removed (deprecated since 1.21).
+* Skin::specialLink was removed (deprecated since 1.21).
+* Skin::splitTrail was removed (deprecated since 1.21).
+* Skin::titleAttrib was removed (deprecated since 1.21).
+* Skin::tocIndent was removed (deprecated since 1.21).
+* Skin::tocLine was removed (deprecated since 1.21).
+* Skin::tocLineEnd was removed (deprecated since 1.21).
+* Skin::tocList was removed (deprecated since 1.21).
+* Skin::tocUnindent was removed (deprecated since 1.21).
+* Skin::tooltip was removed (deprecated since 1.21).
+* Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
+* Skin::userTalkLink was removed (deprecated since 1.21).
+* Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
+* wikidiff3 is now the default and only PHP diff engine. It provides improved diff
+ performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore
+ makes no difference now. Users are still recommended to use wikidiff2 if possible,
+ though.
+* User::addNewUserLogEntry() was deprecated.
+* User::addNewUserLogEntryAutoCreate() was deprecated.
+* User::isPasswordReminderThrottled() was deprecated.
+* Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck)
+ were removed.
+* Installer can now be customized without patching MediaWiki code, see
+ mw-config/overrides/README for details.
+
+=== Compatibility ===
+
+MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
+HHVM 3.6.5 or later.
+
+MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
+support for them is somewhat less mature. There is experimental support for
+Oracle and Microsoft SQL Server.
+
+The supported versions are:
+
+* MySQL 5.0.3 or later
+* PostgreSQL 8.3 or later
+* SQLite 3.3.7 or later
+* Oracle 9.0.1 or later
+* Microsoft SQL Server 2005 (9.00.1399)
+
+=== Upgrading ===
+
+1.27 has several database changes since 1.26, and will not work without schema
+updates. Note that due to changes to some very large tables like the revision
+table, the schema update may take quite long (minutes on a medium sized site,
+many hours on a large site).
+
+If upgrading from before 1.11, and you are using a wiki as a commons
+repository, make sure that it is updated as well. Otherwise, errors may arise
+due to database schema changes.
+
+If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
+new database fields are filled with data.
+
+If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
+1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
+with MediaWiki 1.21.
+
+Don't forget to always back up your database before upgrading!
+
+See the file UPGRADE for more detailed upgrade instructions.
+
+For notes on 1.26.x and older releases, see HISTORY.
+
+
+= MediaWiki 1.26 =
+
+== MediaWiki 1.26.2 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.1 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
+
+== MediaWiki 1.26.1 ==
+
+This is a maintenance release of the MediaWiki 1.26 branch.
+
+=== Changes since 1.26.0 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
+* Fixed stray literal \n in Special:Search.
+* Fix issue that breaks HHVM Repo Authorative mode.
+* (T120267) Work around APCu memory corruption bug
+
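Review bot: the T119309 entry in "Changes since 1.26.0" names hash_compare(), which is not a PHP function; the constant-time string comparison built into PHP since 5.6 is hash_equals(). Please name the function the fix actually calls, so that readers auditing their own token checks search for the right thing. The same wording is repeated in the 1.25.4 list, and "Authorative" in the HHVM entry of both lists should read "Authoritative".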
+== MediaWiki 1.26.0 ==
+
+=== Configuration changes in 1.26 ===
+* $wgPasswordResetRoutes['email'] = true by default.
+* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
+ instead if you want to disable the parser cache.
+* New-style continuation is now the default for API action=continue. Clients may
+ use the 'rawcontinue' parameter to receive raw query-continue data, but the
+ new style is encouraged as it's harder to implement incorrectly.
+* Deprecated API formats dump and wddx have been completely removed.
+* (T7645) The "Signature" button on the edit toolbar is now hidden by default
+ in non-talk namespaces. A new configuration variable,
+ $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
+ the "Signature" button on the edit toolbar will be displayed.
+* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
+ feature that was never enabled by default.
+* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
+ This experimental feature was never enabled by default and is obsolete as of
+ MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
+* $wgMasterWaitTimeout was removed (deprecated in 1.24).
+* Fields in ParserOptions are now private. Use the accessors instead.
+* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
+ in extension.json) have been removed, after being deprecated in 1.24.
+* $wgAlwaysUseTidy has been removed.
+* ResetSessionID hook has been removed. Nothing seems to use it.
+* Certain AuthPlugin methods are deprecated in favor of new hooks:
+** AuthPlugin::initUser() is replaced by LocalUserCreated.
+** AuthPlugin::updateUser() is replaced by UserLoggedIn.
+** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
+** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
+** AuthPluginUser::isHidden() is replaced by UserIsHidden.
+** AuthPluginUser::isLocked() is replaced by UserIsLocked.
+* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
+* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
+ the passed User object.
+* $wgBlockAllowsUTEdit is now set to true by default. This allows
+ blocked users to edit their talk pages unless explicitly disabled
+ when they are being blocked.
+
+=== New features in 1.26 ===
+* (T51506) Now action=info gives estimates of actual watchers for a page.
+ See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
+ to learn how to configure if needed.
+* Change tags can now be hidden in the interface by disabling the associated
+ "tag-<id>" interface message.
+* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
+ are not affected.
+* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
+* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
+ search results are rendered. The initial use case is to append a "give us
+ feedback" link beneath the search results.
+* Added a new hook, 'RejectParserCacheValue', which allows extensions to
+ reject an otherwise-successful parser cache lookup. The intent is to allow
+ extensions to manage the eviction of archaic HTML output from the cache.
+* (T68699) The expiration of the UserID and Token login cookies
+ ($wgExtendedLoginCookieExpiration) can be configured independently of the
+ expiration of all other cookies ($wgCookieExpiration).
+* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
+ if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
+ of WebP images still disabled by default. Add $wgFileExtensions[] =
+ 'webp'; to LocalSettings.php to enable uploading of WebP images.
+* Added new hooks 'EnhancedChangesListModifyLineData' &
+ 'EnhancedChangesListModifyBlockLineData', to modify the data used to build
+ lines in enhanced recentchanges and watchlist.
+* Caches that need purging ability now use the WANObjectCache interface.
+ This corresponds to a new $wgMainWANCache setting, which defaults to using
+ the $wgMainCacheType settings.
+* Callers needing fast light-weight data stores use $wgMainStash to select
+ the store type from $wgObjectCaches. The default is the local database.
+* Interface message overrides in the MediaWiki namespace will now be cached in
+ memcached and APC (if available), rather than memcached and local files.
+* Added a new hook, 'RandomPageQuery', to allow modification of the query used
+ by Special:Random to select random pages.
+* $wgTransactionalTimeLimit was added, which controls the request time limit
+ for potentially slow POST requests that need to be as atomic as possible.
+* ResourceLoader now loads all scripts asynchronously. The top-queue and
+ startup modules are no longer synchronously loaded.
+* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
+ page. During the deprecation period, the styles will only be loaded on pages
+ which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
+ only be loaded if explicitly required.
+* If search returns zero results and current search engine has a "did you mean"
+ suggestion, results for suggestion will be shown. Can be disabled by setting
+ $wgSearchRunSuggestedQuery to false.
+* Added several JavaScript libraries for uploading files to MediaWiki
+ from the client-side. See documentation for mw.Upload and its
+ subclasses for more information.
+* Added OOUI dialogs and layout for file upload interfaces. See
+ documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
+ subclasses for more information.
+
+=== extension.json changes in 1.26 ===
+* (T99344) The extension.json schema is now versioned. All extensions
+ and skins should set a "manifest_version" property corresponding to
+ the schema version they were written for. The only supported version
+ currently is "1".
+* (T102523) The error message if a non-array attribute is set was improved.
+* (T107646) Configuration settings can now specify how they should be merged,
+ which is necessary for arrays using integer keys.
+* (T110389) Adding namespaces through extension.json now actually works
+* $wgNamespaceProtection can now be set in extension.json.
+* $wgCapitalLinkOverrides can now be set in extension.json.
+* (T97186) Extensions using a custom prefix for their configuration settings
+ can now set a "_prefix" key to override the default of "wg".
+* (T99084) Extensions can now specify what MediaWiki core versions they
+ depend upon.
+* (T105236) The extension.json schema now validates custom classes in
+ the "ResourceModules" property properly.
+
+=== External library changes in 1.26 ===
+==== Upgraded external libraries ====
+* Updated es5-shim from v4.0.0 to v4.1.5.
+* Updated json2 from revision 2014-02-04 to 2015-05-03.
+* Updated Sinon.JS from 1.10.3 to 1.15.4.
+* Updated jQuery Client from v1.0.0 to v2.0.0.
+* Updated QUnit from v1.17.1 to v1.18.0.
+* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
+* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
+* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
+* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
+* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
+* Updated zordius/lightncandy from v0.18 to v0.21.
+
+==== New external libraries ====
+* Added composer/semver v1.0.0.
+* Added mediawiki/at-ease v1.1.0.
+* Added wikimedia/assert v0.2.2.
+* Added wikimedia/ip-set v1.0.1.
+* Added wikimedia/wrappedstring v2.0.0.
+
+==== Removed and replaced external libraries ====
+* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
+
+=== Bug fixes in 1.26 ===
+* (T53283) load.php sometimes sends 304 response without full headers
+* (T65198) Talk page tabs now have a "rel=discussion" attribute
+* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
+* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
+ value if set to an empty string.
+
+=== Action API changes in 1.26 ===
+* New-style continuation is now the default for action=continue. Clients may
+ use the 'rawcontinue' parameter to receive raw query-continue data, but the
+ new style is encouraged as it's harder to implement incorrectly.
+* Deprecated API formats dump and wddx have been completely removed.
+* API action=query&list=tags: The displayname can now be boolean false if the
+ tag is meant to be hidden from user interfaces.
+* action=import no longer allows both the namespace= and rootpage= parameters
+ to be set. If they are both set, the value of rootpage= will be ignored.
+* prop=revision output in enum mode is now sorted by timestamp rather than
+ revision ID. This usually won't make any difference.
+* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
+ with formatversion=2.
+* Various other output from meta=siteinfo will now always be arrays instead of
+ sometimes being numerically-indexed objects with formatversion=2.
+* When errors about users being blocked are returned, they now include
+ information about the relevant block.
+* (T99926) list=random has higher limits, in line with other API modules.
+* list=random's rnredirect parameter is deprecated in favor of a new
+ rnfilterredir parameter that also allows for listing both redirects and
+ non-redirects.
+* list=random now supports continuation.
+* API responses to GET requests may now include ETag and Last-Modified headers,
+ and will honor corresponding If-None-Match and If-Modified-Since on such
+ requests.
+
+=== Action API internal changes in 1.26 ===
+* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
+ into the value when the value is an assoc.
+* API action modules may now provide values for the RFC 7232 ETag and
+ Last-Modified headers. The API will check these against If-None-Match and
+ If-Modified-Since request headers on GET requests and avoid executing the
+ module when appropriate.
+
+=== Languages updated in 1.26 ===
+
+MediaWiki supports over 350 languages. Many localisations are updated
+regularly. Below only new and removed languages are listed, as well as
+changes to languages because of Phabricator reports.
+
+* Languages added:
+** ase (American sign language), thanks to translator Icemandeaf
+** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
+ मेश सिंह बोहरा, and राम प्रसाद जोशी
+** luz (لئری دوٙمینی / Southern Luri)
+** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
+ Ilja.mos, and Mashoi7
+
+=== Other changes in 1.26 ===
+* ChangeTags::tagDescription() will return false if the interface message
+ for the tag is disabled.
+* Added PageHistoryPager::doBatchLookups hook.
+* Added $wikiId parameter to FormatAutocomments hook.
+* Added ParserCacheSaveComplete to ParserCache
+* supportsDirectEditing and supportsDirectApiEditing methods added to
+ ContentHandler, to provide a way for ApiEditPage and EditPage to check
+ if direct editing of content is allowed. These methods return false,
+ by default for the ContentHandler base class and true for TextContentHandler
+ and it's derivative classes (everything in core). For Content types that
+ do not support direct editing, an alternative mechanism should be provided
+ for editing, such as action overrides or specific api modules.
+* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
+ one function. The callback can't be called directly any more. The callback
+ function is replaced with confirmCloseWindow.release().
+* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
+ ResourceLoaderModule::getDependencies(). Extension classes that override that
+ method should be updated. If they aren't updated, PHP Strict standards
+ warnings will appear when E_STRICT error reporting is enabled. Note: in the
+ near future, this parameter will probably become non-optional.
+* Removed maintenance script deleteImageMemcached.php.
+* MWFunction::newObj() was removed (deprecated in 1.25).
+ ObjectFactory::getObjectFromSpec() should be used instead.
+* The parser will no longer randomize the string it uses to mark the place of
+ items that were stripped during parsing. It will use a fixed string instead.
+ This causes the parser to re-use the regular expressions it uses to search
+ and replace markers rather than generate novel expressions on each parse.
+ Re-using regular expressions will improve performance on HHVM and the
+ forthcoming PHP 7. The interfaces changes accompanying this change are:
+ - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
+ - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
+ $prefix argument for StripState::_construct() are deprecated and their
+ value is ignored.
+* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
+ mediawiki/at-ease, and are now deprecated. Callers should use
+ MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
+* The Block class constructor now takes an associative array of parameters
+ instead of many optional positional arguments. Calling the constructor the old
+ way will issue a deprecation warning.
+* The jquery.mwExtension module was deprecated.
+* $wgSpecialPageGroups was removed (deprecated in 1.21).
+* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
+* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
+* DatabaseBase::ignoreErrors() is now protected.
+* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
+ a lengthy deprecation period.
+* The ScopedPHPTimeout class was removed.
+* Removed maintenance script fixSlaveDesync.php.
+* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
+ are deprecated. Applications using those can work via the OAuth
+ extension instead. New tokens types should not be added.
+* DatabaseBase::errorCount() was removed (unused).
+* $wgDeferredUpdateList was removed.
+* DeferredUpdates::addHTMLCacheUpdate() was removed.
+
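Review bot: in the parser-marker entry of "Other changes in 1.26", StripState::_construct() is written with a single underscore, while the PHP constructor is __construct(). In the same section, "ResouceLoaderContext" in the BREAKING CHANGE entry for ResourceLoaderModule::getDependencies() is missing an "r", which will defeat anyone grepping for the class name, and "it's derivative classes" in the ContentHandler entry should be "its". The two sub-items under the parser entry use "-" where the rest of the file nests with "**".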
+= MediaWiki 1.25 =
+
+== MediaWiki 1.25.5 ==
+
+This is a maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.4 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
+
+== MediaWiki 1.25.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.3 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
+* (T114606) mw.notify was not correctly fixed to the page if
+ initialized while not at the top of the page.
+* Fix issue that breaks HHVM Repo Authorative mode.
+
+== MediaWiki 1.25.3 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.2 ===
+
+* (T98975) Fix having multiple callbacks for a single hook.
+* (T107632) maintenance/refreshLinks.php did not always remove all links
+ pointing to nonexistent pages.
+* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
+ value if set to an empty string.
+* (T62174) Provide fallbacks for use of mb_convert_encoding() in
+ HtmlFormatter. It was causing an error when accessing the api help page
+ if the mbstring PHP extension was not installed.
+* (T105896) Confirmation emails would sometimes contain invalid codes.
+* (T105597) Fixed edit stash inclusion queries.
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
+ first
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
+
+== MediaWiki 1.25.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25.1 ===
+
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+* (T100767) Setting a configuration setting for skin or extension to
+ false in LocalSettings.php was not working.
+* (T100635) API action=opensearch json output no longer breaks when
+ $wgDebugToolbar is enabled.
+* (T102522) Using an extension.json or skin.json file which has
+ a "manifest_version" property for 1.26 compatability will no longer
+ trigger warnings.
+* (T86156) Running updateSearchIndex.php will not throw an error as
+ page_restrictions has been added to the locked table list.
+* Special:Version would throw notices if using SVN due to an incorrectly
+ named variable. Add an additional check that an index is defined.
+
+== MediaWiki 1.25.1 ==
+
+This is a bug fix release of the MediaWiki 1.25 branch.
+
+=== Changes since 1.25 ===
+* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
+
+== MediaWiki 1.25.0 ==
+
+=== Configuration changes in 1.25 ===
+* $wgPageShowWatchingUsers was removed.
+* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
+* $wgAntiLockFlags was removed.
+* $wgJavaScriptTestConfig was removed.
+* Edit tokens returned from User::getEditToken may change on every call. Token
+ validity must be checked by passing the user-supplied token to
+ User::matchEditToken rather than by testing for equality with a
+ newly-generated token.
+* (T74951) The UserGetLanguageObject hook may be passed any IContextSource
+ for its $context parameter. Formerly it was documented as receiving a
+ RequestContext specifically.
+* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
+ See StartProfiler.sample for details.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
+* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
+ longer be used. If extracts and page images are desired, the TextExtracts and
+ PageImages extensions are required.
+* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
+* Edits are now prepared via AJAX as users type edit summaries. This behavior
+ can be disabled via $wgAjaxEditStash.
+* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
+ with the jQuery Migrate library, as indicated when this option was provided in
+ MediaWiki 1.24.
+* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
+ StartProfiler.php config is updated to reflect this. Xhprof is available
+ for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
+* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
+ rather than 'rsvg'.
+* Default value of $wgSVGConverters['ImageMagick'] now uses transparent
+ background with white fallback color, rather than just white background.
+ * MediaWikiBagOStuff class removed, make sure any object cache config
+ uses SqlBagOStuff instead.
+* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
+ job queues. This means that mediawiki/services/jobrunner service has to
+ be installed and running for any such queues to work.
+* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
+ compatibility, any 'view' event triggers will still trigger on 'edit'.
+* $wgExtensionDirectory was added for when your extensions directory is somewhere
+ other than $IP/extensions (as $wgStyleDirectory does with the skins directory).
+
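Review bot: the MediaWikiBagOStuff entry in "Configuration changes in 1.25" starts with a space before its "*", and in this file a leading space marks a continuation line, so the removal notice reads as part of the preceding $wgSVGConverters['ImageMagick'] entry. Drop the leading space so it stands as its own bullet; operators still pointing an object cache at MediaWikiBagOStuff need to be able to spot it.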
+=== New features in 1.25 ===
+* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
+ for plural forms in Russian, Prussian, Tagalog, Manx and several languages
+ that fall back to Russian.
+* (T60139) ResourceLoaderFileModule now supports language fallback
+ for 'languageScripts'.
+* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
+ parser output for a content object before links update.
+* (T37785) Enhanced recent changes and extended watchlist are now default.
+ Documentation: https://meta.wikimedia.org/wiki/Help:Enhanced_recent_changes
+ and https://www.mediawiki.org/wiki/Manual:$wgDefaultUserOptions.
+* (T69341) SVG images will no longer be base64-encoded when being embedded
+ in CSS. This results in slight size increase before gzip compression (due to
+ percent-encoding), but up to 20% decrease after it.
+* Update jStorage to v0.4.12.
+* MediaWiki now natively supports page status indicators: icons (or short text
+ snippets) usually displayed in the top-right corner of the page. They have
+ been in use on Wikipedia for a long time, implemented using templates and CSS
+ absolute positioning.
+ - Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
+ - Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
+ - Adjusting custom skins to support indicators:
+ https://www.mediawiki.org/wiki/Manual:Skinning#Page_status_indicators
+* Edit tokens may now be time-limited: passing a maximum age to
+ User::matchEditToken will reject any older tokens.
+* The debug logging internals have been overhauled, and are now using the
+ PSR-3 interfaces.
+* Update CSSJanus to v1.1.1.
+* Update lessphp to v0.5.0.
+* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
+ and images for ApiOpenSearch output. The semantics are identical to the
+ "OpenSearchXml" hook provided by the OpenSearchXml extension.
+* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
+ this allows for pagination of prefix results. Extensions using this hook
+ should implement supporting behavior. Not doing so can result in undefined
+ behavior from API clients trying to continue through prefix results.
+* Update jQuery from v1.11.1 to v1.11.3.
+* External libraries installed via composer will now be displayed
+ on Special:Version in their own section. Extensions or skins that are
+ installed via composer will not be shown in this section as it is assumed
+ they will add the proper credits to the skins or extensions section. They
+ can also be accessed through the API via the new siprop=libraries to
+ ApiQuerySiteInfo.
+* Update QUnit from v1.14.0 to v1.16.0.
+* Update Moment.js from v2.8.3 to v2.8.4.
+* Special:Tags now allows for manipulating the list of user-modifiable change
+ tags.
+* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
+ and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
+ tags.
+* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
+ "active" formerly conflated by the 'ListDefinedTags' hook.
+* Added TemplateParser class that provides a server-side interface to cachable
+ dynamically-compiled Mustache templates (currently uses lightncandy library).
+* Clickable anchors for each section heading in the content are now generated
+ and appear in the gutter on hovering over the heading.
+* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
+ to allow extensions to override how links to pages are rendered within NS_CATEGORY
+* (T19665) Special:WantedPages only lists page which having at least one red link
+ pointing to it.
+* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
+ used for conditional registration of API modules.
+* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
+ links of a group of changes in EnhancedChangesList.
+* A full interface for StatsD metric reporting has been added to the context
+ interface, reachable via IContextSource::getStats().
+* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
+ proper, published library, which is now tagged as v1.0.0.
+* A new message (defaulting to blank), 'editnotice-notext', can be shown to users
+ when they are editing if no edit notices apply to the page being edited.
+* (T94536) You can now make the sitenotice appear to logged-in users only by
+ editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
+ "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
+* Modifying the tagging of a revision or log entry is now available via
+ Special:EditTags, generally accessed via the revision-deletion-like interface
+ on history pages and Special:Log is likely to be more useful.
+* Added 'applychangetags' and 'changetags' user rights.
+* (T35235) LogFormatter subclasses are now responsible for formatting the
+ parameters for API log event output. Extensions should implement the new
+ getParametersForApi() method in their log formatters.
+
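Review bot: the 'managetags' entry in "New features in 1.25" lists 'ChangeTagCanCreate' twice among its three hooks, so one hook name is missing from the notes; replace the second occurrence with the hook that was actually added. In the same section, "will continue disable it and fallback" in the T94536 entry should read "continue to disable it and fall back", and the Special:EditTags entry ends in a run-on ("on history pages and Special:Log is likely to be more useful") that looks like it lost part of a sentence.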
+==== External libraries ====
+* MediaWiki now requires certain external libraries to be installed. In the past
+ these were bundled inside the Git repository of MediaWiki core, but now they
+ need to be installed separately. For users using the tarball, this will be taken
+ care of and no action will be required. Users using Git will either need to use
+ composer to fetch dependencies or use the mediawiki/vendor repository which includes
+ all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
+ instructions can be found at:
+ https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
+* The following libraries are now required:
+** psr/log
+ This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
+ which are used by MediaWiki internally via the
+ MediaWiki\Logger\LoggerFactory class.
+ See the structured logging RfC (https://www.mediawiki.org/wiki/Requests_for_comment/Structured_logging)
+ for more background information.
+** cssjanus/cssjanus
+ This library was formerly bundled with MediaWiki core and has been removed.
+ It automatically flips CSS for RTL support.
+** leafo/lessphp
+ This library was formerly bundled with MediaWiki core and has been removed.
+ It compiles LESS files into CSS.
+** wikimedia/cdb
+ This library was formerly a part of MediaWiki core, and has been moved into a separate library.
+ It provides CDB functions which are used in the Interwiki and Localization caches.
+ More information about the library can be found at https://www.mediawiki.org/wiki/CDB.
+** liuggio/statsd-php-client
+ This library provides a StatsD client API for logging application metrics to a remote server.
+
+=== Bug fixes in 1.25 ===
+* (T73003) No additional code will be generated to try to load CSS-embedded
+ SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
+* (T69021) On Special:BookSources, corrected validation of ISBNs (both
+ 10- and 13-digit forms) containing "X".
+* Page moving was refactored into a MovePage class. As part of that:
+** The AbortMove hook was removed.
+** MovePageIsValidMove is for extensions to specify whether a page
+ cannot be moved for technical reasons, and should not be overridden.
+** MovePageCheckPermissions is for checking whether the given user is
+ allowed to make the move.
+** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
+** Title::moveTo() was deprecated. Use the MovePage class instead.
+** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
+ and MovePage::checkPermissions().
+* (T18530) Multiple autocomments are now formatted in an edit summary.
+* (T70361) Autocomments containing "/*" are parsed correctly.
+* The Special:WhatLinksHere page linked from 'Number of redirects to this page'
+ on action=info about a file page does not list file links anymore.
+* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
+* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
+* (T85192) Captcha position modified in Usercreate template. As a result:
+** extrafields parameter added to Usercreate.php to insert additional data
+** 'extend' method added to QuickTemplate to append additional values to any field of data array
+* (T86974) Several Title methods now load from the database when necessary
+ (instead of returning incorrect results) even when the page ID is known.
+* (T74070) Duplicate search for archived files on file upload now omits the extension.
+ This requires the fa_sha1 field being populated.
+* Removed rel="archives" from the "View history" link, as it did not pass
+ HTML validation.
+* $wgUseTidy is now set when parserTests are run with the tidy option to match
+ output on wiki.
+* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
+* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().
+
+=== Action API changes in 1.25 ===
+* (T67403) XML tag highlighting is now only performed for formats
+ "xmlfm" and "wddxfm".
+* action=paraminfo supports generalized submodules (modules=query+value),
+ querymodules and formatmodules are deprecated
+* action=paraminfo no longer outputs descriptions and other help text by
+ default. If needed, it may be requested using the new 'helpformat' parameter.
+* action=help has been completely rewritten, and outputs help in HTML
+ rather than plain text.
+* Hitting api.php without specifying an action now displays only the help for
+ the main module, with links to submodule help.
+* API help is no longer displayed on errors.
+* 'uselang' is now a recognized API parameter; "uselang=user" may be used to
+ explicitly select the language from the current user's preferences, and
+ "uselang=content" may be used to select the wiki's content language.
+* Default output format for the API is now jsonfm.
+* Simplified continuation will return a "batchcomplete" property in the result
+ when a batch of pages is complete.
+* Pretty-printed HTML output now has nicer formatting and (if available)
+ better syntax highlighting.
+* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
+ list=alldeletedrevisions.
+* prop=revisions will gracefully continue when given too many revids or titles,
+ rather than just ignoring the extras.
+* prop=revisions will no longer die if rvcontentformat doesn't match a
+ revision's content model; it will instead warn and omit the content.
+* If the user has the 'deletedhistory' right, action=query's revids parameter
+ will now recognize deleted revids.
+* prop=revisions may be used as a generator, generating revids.
+* (T68776) format=json results will no longer be corrupted when
+ $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
+ error instead of returning invalid serialized data.
+* Generators may now return data for the generated pages when used with
+ action=query.
+* Query page data for generator=search and generator=prefixsearch will now
+ include an "index" field, which may be used by the client for sorting the
+ search results.
+* ApiOpenSearch now supports XML output.
+* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
+ in JSON format.
+* (T76051) list=tags will now continue correctly.
+* (T76052) list=tags can now indicate whether a tag is defined.
+* (T75522) list=prefixsearch now supports continuation
+* (T78737) action=expandtemplates can now return page properties.
+* (T78690) list=allimages now accepts multiple pipe-separated values
+ for the 'aimime' parameter.
+* prop=info with inprop=protections will now return applicable protection types
+ with the 'restrictiontypes' key.
+* (T85417) When resolving redirects, ApiPageSet will now add the targets of
+ interwiki redirects to the list of interwiki titles.
+* (T85417) When outputting the list of redirect titles, a 'tointerwiki'
+ property (like the existing 'tofragment' property) will be set.
+* Added action=managetags to allow for managing the list of
+ user-modifiable change tags. Actually modifying the tagging of a revision or
+ log entry is not implemented yet.
+* list=tags has additional properties to indicate 'active' status and tag
+ sources.
+* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
+* (T88010) Added action=checktoken, to test a CSRF token's validity.
+* (T88010) Added intestactions to prop=info, to allow querying of
+ Title::userCan() via the API.
+* Default type param for query list=watchlist and list=recentchanges has
+ been changed from all types (e.g. including 'external') to 'edit|new|log'.
+* Added formatversion to format=json. Still "experimental" as further changes
+ to the output formatting might still be made.
+* (T73020) Log event details are now always under a 'params' subkey for
+ list=logevents, and a 'logparams' subkey for list=watchlist and
+ list=recentchanges.
+* Log event details are changing formatting:
+ * block events now report flags as an array rather than as a comma-separated
+ list.
+ * patrol events now report the 'auto' flag as a boolean (absent/empty string
+ for BC formats) rather than as an integer.
+ * rights events now report the old and new group lists as arrays rather than
+ as comma-separated lists.
+ * merge events use new-style formatting.
+ * delete/event and delete/revision events use new-style formatting.
+* The root node and various other nodes will now always be an object in formats
+ such as json that distinguish between arrays and objects.
+ * Except for action=opensearch where the spec requires an array.
+
+=== Action API internal changes in 1.25 ===
+* ApiHelp has been rewritten to support i18n and paginated HTML output.
+ Most existing modules should continue working without changes, but should do
+ the following:
+ * Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
+ * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
+ to replace getParamDescription(). If necessary, the settings array returned
+ by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
+ message.
+ * Implement getExamplesMessages() to replace getExamples().
+* Modules with submodules (like action=query) must have their submodules
+ override ApiBase::getParent() to return the correct parent object.
+* The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
+ and will have no effect for modules using i18n messages. Use
+ 'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
+* Api formatters will no longer be asked to display the help screen on errors.
+* ApiMain::getCredits() was removed. The credits are available in the
+ 'api-credits' i18n message.
+* ApiFormatBase has been changed to support i18n and syntax highlighting via
+ extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
+ has been removed.
+* ApiFormatBase now always buffers. Output is done when
+ ApiFormatBase::closePrinter is called.
+* Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
+* The 'revids' parameter supplied by ApiPageSet will now count deleted
+ revisions as "good" if the user has the 'deletedhistory' right. New methods
+ ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
+ provided to access just the live or just the deleted revids.
+* Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
+ to allow generators to include data in the action=query result.
+* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
+ used for conditional registration of API modules.
+* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
+ the current request was sent with the 'callback' parameter (or any future
+ method that breaks the same-origin policy).
+* Profiling methods in ApiBase are deprecated and no longer need to be called.
+* ApiResult was greatly overhauled. See inline documentation for details.
+* ApiResult will automatically convert objects to strings or arrays (depending
+ on whether a __toString() method exists on the object), and will refuse to
+ add unsupported value types.
+ * An informal interface, ApiSerializable, exists to override the default
+ object conversion.
+* ApiResult/ApiFormatBase "raw mode" is deprecated.
+* ApiFormatXml now assumes defaults and so on instead of throwing errors when
+ metadata isn't set.
+* (T35235) LogFormatter subclasses are now responsible for formatting log event
+ parameters for the API.
+* Many modules have changed result data formats. While this shouldn't affect
+ clients not using the experimental formatversion=2, code using
+ ApiResult::getResultData() without the transformations for backwards
+ compatibility may need updating, as will code that wasn't following the old
+ conventions for API boolean output.
+* The following methods have been deprecated and may be removed in a future
+ release:
+ * ApiBase::getDescription
+ * ApiBase::getParamDescription
+ * ApiBase::getExamples
+ * ApiBase::makeHelpMsg
+ * ApiBase::makeHelpArrayToString
+ * ApiBase::makeHelpMsgParameters
+ * ApiBase::getModuleProfileName
+ * ApiBase::profileIn
+ * ApiBase::profileOut
+ * ApiBase::safeProfileOut
+ * ApiBase::getProfileTime
+ * ApiBase::profileDBIn
+ * ApiBase::profileDBOut
+ * ApiBase::getProfileDBTime
+ * ApiBase::getResultData
+ * ApiFormatBase::setUnescapeAmps
+ * ApiFormatBase::getWantsHelp
+ * ApiFormatBase::setHelp
+ * ApiFormatBase::formatHTML
+ * ApiFormatBase::setBufferResult
+ * ApiFormatBase::getDescription
+ * ApiFormatBase::getNeedsRawData
+ * ApiMain::setHelp
+ * ApiMain::reallyMakeHelpMsg
+ * ApiMain::makeHelpMsgHeader
+ * ApiResult::setRawMode
+ * ApiResult::getIsRawMode
+ * ApiResult::getData
+ * ApiResult::setElement
+ * ApiResult::setContent
+ * ApiResult::setIndexedTagName_recursive
+ * ApiResult::setIndexedTagName_internal
+ * ApiResult::setParsedLimit
+ * ApiResult::beginContinuation
+ * ApiResult::setContinueParam
+ * ApiResult::setGeneratorContinueParam
+ * ApiResult::endContinuation
+ * ApiResult::size
+ * ApiResult::convertStatusToArray
+ * ApiQueryImageInfo::getPropertyDescriptions
+ * ApiQueryLogEvents::addLogParams
+* The following classes have been deprecated and may be removed in a future
+ release:
+ * ApiQueryDeletedrevs
+
+=== Languages updated in 1.25 ===
+
+MediaWiki supports over 350 languages. Many localisations are updated
+regularly. Below only new and removed languages are listed, as well as
+changes to languages because of Bugzilla reports.
+
+* Languages added:
+** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
+** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
+ Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
+** ses (Koyraboro Senni), thanks to translator Songhay.
+* (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
+ interface language to kk where unexpected.
+* The Chinese conversion table was substantially updated to fix a lot of
+ bugs and ensure better reading experience for different variants.
+
+=== Other changes in 1.25 ===
+* (T45591) Links to MediaWiki.org translatable help were added to indicators,
+ mostly in special pages. Local custom target titles can be placed in the
+ relevant '(namespace-X|action name|special page name)-helppage' system
+ message. Extensions can use the addHelpLink() function to do the same.
+* The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
+ removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
+ migration guide for creators and users of custom skins that relied on it.
+* Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
+ available on Special:Upload.
+* (T58257) Set site logo from mediawiki.skinning.interface module instead of
+ inline styles in the HTML.
+* Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
+* Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
+* Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
+* Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
+* Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
+* Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
+ since 1.20)
+* Removed 'async' parameter from the mw.Api#getCategories() method. (deprecated
+ since 1.20)
+* Removed 'jquery.json' module. (deprecated since 1.24)
+ Use the 'json' module and global JSON object instead.
+* Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
+ Also, the former will now throw an MWException if called with one or more
+ arguments.
+* Removed hitcounters and associated code.
+* The "temp" zone of the upload respository is now considered private. If it
+ already exists (such as under the images/ directory), please make sure that
+ the directory is not web readable (e.g. via a .htaccess file).
+* BREAKING CHANGE: In the XML dump format used by Special:Export and
+ dumpBackup.php, the <model> and <format> tags now apprear before the <text>
+ tag, instead of after the <text> and <sha1> tags.
+ The new schema version is 0.10, the new schema URI is:
+ https://www.mediawiki.org/xml/export-0.10.xsd
+* MWFunction::call() and MWFunction::callArray() were removed, having being
+ deprecated in 1.22.
+* Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
+ and getInternalLinkAttributes methods in Linker, and removed
+ getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
+* Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
+* Added wgRelevantArticleId to the client-side config, for use on special pages.
+* Deprecated the TitleIsCssOrJsPage hook. Superseded by the
+ ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
+* Deprecated the TitleIsWikitextPage hook. Superseded by the
+ ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
+* Changed parsing of variables in schema (.sql) files:
+** The substituted values are no longer parsed. (Formerly, several passes
+ were made for each variable, so depending on the order in which variables
+ were defined, variables might have been found inside encoded values. This
+ is no longer the case.)
+** Variables are no longer string encoded when the /*$var*/ syntax is used.
+ If string encoding is necessary, use the '{$var}' syntax instead.
+** Variable names must only consist of one or more of the characters
+ "A-Za-z0-9_".
+** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
+ does not exist yet variable B does, the latter may not be replaced.
+ However, this difference is unlikely to arise in practice.
+* (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
+ characters on both sides.
+* The FormatAutocomments hook will now receive $pre and $post as booleans,
+ rather than as strings that must be prepended or appended to $comment.
+* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
+ newlines; but they can contain and other non-newline whitespace.
+* The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
+ toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
+ relied on this behavior, update your scripts' dependencies.
+* HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
+ * HTMLForm::isVForm() is now deprecated.
+ * You can no longer do this:
+ $form = new HTMLForm( … );
+ $form->setDisplayFormat( 'vform' ); // throws exception
+ Instead, do this:
+ $form = HTMLForm::factory( 'vform', … );
+* Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
+* BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
+ The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
+* (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
+ renders them incorrectly when combined with border-radius or background-size.
+* Removed maintenance script dumpSisterSites.php.
+* DatabaseBase class constructors must be called using the array argument style.
+ Ideally, DatabaseBase:factory() should be used instead in most cases.
+* Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
+ This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
+ addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
+ since they interfere with caching of ParserOutput objects.
+* Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
+* Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
+ updates when a page is re-rendered.
+* EditPage::attemptSave has been modified not to call handleStatus itself and
+ instead just returns the Status object. Extension calling it should be aware of
+ this.
+* Removed class DBObject. (unused since 1.10)
+* wfDiff() is deprecated.
+* The -m (maximum replication lag) option of refreshLinks.php was removed.
+ It had no effect since MediaWiki 1.18 and should be removed from any cron
+ jobs or similar scripts you may have set up.
+* (T85864) The following messages no longer support raw html: redirectto,
+ thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
+ retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
+ protect-summary-cascade
+* All BloomCache related code has been removed. This was largely experimental.
+* $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
+ can only be set for the entire skin.
+* Removed global function swap(). (deprecated since 1.24)
+* Deprecated the ".php5" file extension entry points and the $wgScriptExtension
+ configuration variable. Refer to the ".php" files instead. If you want
+ ".php5" URLs to continue to work, set up redirects. In Apache, this can be
+ done by enabling mod_rewrite and adding the following rules to your
+ configuration:
+
+ RewriteEngine On
+ RewriteBase /
+ RewriteRule ^(.*)\.php5 $1.php [R=301,L]
+
+* The global importScriptURI and importStylesheetURI functions, as well as the
+ loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
+ warnings through mw.log.warn when accessed.
+
+= MediaWiki 1.24 =
+
+== MediaWiki 1.24.6 ==
+
+This is a maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.5 ===
+* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
+
+== MediaWiki 1.24.5 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.24.4 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+* (T103237) $wgUseGzip had no effect when using file cache.
+
+== MediaWiki 1.24.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.3 ===
+
+* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
+* (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
+ update.php to fix.
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
+ first
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
+
+== MediaWiki 1.24.3 ==
+
+This is a security and maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.2 ===
+
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* Update jQuery from v1.11.2 to v1.11.3.
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+
+== MediaWiki 1.24.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.1 ===
+
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+ to prevent various DoS attacks.
+* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
+ likelihood of DoS.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
+ using PBKDF2.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+ prevent XSS and protect viewer's privacy.
+* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
+ loading these special pages when $wgAutoloadAttemptLowercase is false.
+* (bug T70087) Fix Special:ActiveUsers page for installations using
+ PostgreSQL.
+* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
+ and running update.php to fix.
+
+== MediaWiki 1.24.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.24 branch.
+
+=== Changes since 1.24.0 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+* Fixed a couple of entries in RELEASE-NOTES-1.24.
+* (bug T76168) OutputPage: Add accessors for some protected properties.
+* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
+
+== MediaWiki 1.24.0 ==
=== Configuration changes in 1.24 ===
* MediaWiki will no longer run if register_globals is enabled. It has been
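Review bot: The "== MediaWiki 1.24.5 ==" section calls itself "a security and maintenance release of the MediaWiki 1.23 branch", while every other 1.24.x section in this hunk says "1.24 branch"; this looks like a copy-paste slip and should read 1.24. In the 1.25 "Other changes" list, the (T85864) entry names retrievedfrom and thisisdeleted twice, and the Linker deprecation entry names getInternalLinkAttributes twice, so a message or method name may be missing from each list. The (T30950, T31025) entry reads "can contain and other non-newline whitespace", which appears to have lost a word before "and". Typos worth fixing in the same pass: "respository", "apprear", "having being", and the single colon in "DatabaseBase:factory()".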
Special:DeletedContributions
* Added DeletedContributionsLineEnding hook allowing extensions to format
Special:DeletedContributions lines
+* (T69525) You can now make MediaWiki speed up its thumbnail rendering by using
+ intermediary thumbnails. $wgThumbnailBuckets must be set to a list of target
+ thumbnail widths; when a new thumbnail needs to be rendered, MediaWiki will
+ find the smallest bucket smaller than the original but larger than the target
+ width + $wgThumbnailMinimumBucketDistance, and it will scale that thumbnail,
+ rather than the original, down to the target size at greater speed in return
+ for minor loss of fidelity.
=== Bug fixes in 1.24 ===
* (bug 50572) MediaWiki:Blockip should support gender
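Review bot: $wgThumbnailMinimumBucketDistance is used in the bucket-selection rule of the (T69525) entry without being introduced, while $wgThumbnailBuckets is explained as "a list of target thumbnail widths"; add a clause saying that it is a second configuration variable and what it controls. The reference style "(T69525)" also differs from the "(bug 50572)" form in the surrounding 1.24.0 context lines, so pick one form for this section.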
* skins/common/images/icons/fileicon.png
* skins/common/images/ksh/button_S_italic.png
+= MediaWiki 1.23 =
+
+== MediaWiki 1.23.13 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.12 ===
+* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
+
+== MediaWiki 1.23.12 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.11 ===
+* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
+ that do not begin with a slash. This enabled trivial XSS attacks.
+ Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
+ "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
+ error.
+* (T119309) SECURITY: Use hash_compare() for edit token comparison
+* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
+ with '@' as file uploads
+* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
+ longer be shorter than $wgMinimalPasswordLength
+* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
+ result in improper blocks being issued
+* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
+ and related pages no longer use HTTP redirects and are now redirected by
+ MediaWiki
+
+== MediaWiki 1.23.11 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.10 ===
-== MediaWiki 1.23 ==
+* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
+* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
+* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
+
+== MediaWiki 1.23.10 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.9 ===
+
+* (T94116) SECURITY: Compare API watchlist token in constant time
+* (T97391) SECURITY: Escape error message strings in thumb.php
+* (T106893) SECURITY: Don't leak autoblocked IP addresses on
+ Special:DeletedContributions
+* (bug 67644) Make AutoLoaderTest handle namespaces
+* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
+* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
+ policy of Wikimedia Commons.
+
+== MediaWiki 1.23.9 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.8 ===
+
+* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
+ to prevent various DoS attacks.
+* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
+ likelihood of DoS.
+* (T88310) SECURITY: Always expand xml entities when checking SVG's.
+* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
+* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
+ prevent XSS and protect viewer's privacy.
+* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
+ update.php to fix.
+* (bug T70087) Fix Special:ActiveUsers page for installations using
+ PostgreSQL.
+
+== MediaWiki 1.23.8 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.7 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+
+== MediaWiki 1.23.7 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.6 ===
+
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
+ HTML, it is not safe to preview wikitext coming from an untrusted source such
+ as a cross-site request. Thus add an edit token to the form, and when raw HTML
+ is allowed, ensure the token is provided before showing the preview. This
+ check is not performed on wikis that both allow raw HTML and anonymous
+ editing, since there are easier ways to exploit that scenario.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
+
+== MediaWiki 1.23.6 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.5 ===
+* (Bug 72274) Job queue not running (HTTP 411) due to missing
+ Content-Length: header
+* (Bug 67440) Allow classes to be registered properly from installer
+
+== MediaWiki 1.23.5 ==
+
+This is a security release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.4 ===
+* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
+ allowance.
+
+== MediaWiki 1.23.4 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.3 ===
+
+* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
+ elements; normalize style elements and attributes before filtering; add
+ checks for attributes that contain css; add unit tests for html5sec and
+ reported bugs.
+* (bug 65998) Make MySQLi work with non-standard socket.
+* (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
+ settings.
+
+== MediaWiki 1.23.3 ==
+
+This is a maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.2 ===
+
+* (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
+* (bug 64970) Fix support for blobs on DatabaseOracle::update.
+* (bug 66574) Display MediaWiki:Loginprompt on the login page.
+* (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
+* (bug 60629) Handle invalid language code gracefully in
+ Language::fetchLanguageNames.
+* (bug 62017) Restore the number of rows shown on Special:Watchlist.
+* Check for boolean false result from database query in SqlBagOStuff.
+
+== MediaWiki 1.23.2 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.1 ===
+
+* (bug 68187) SECURITY: Prepend jsonp callback with comment.
+* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
+ for loading a new page in Javascript,instead of relying on the URL in the link
+ that has been clicked.
+* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
+ ParserOutput.
+* (bug 68313) Preferences: Turn stubthreshold back into a combo box.
+* (bug 65214) Fix initSiteStats.php maintenance script.
+* (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
+
+== MediaWiki 1.23.1 ==
+
+This is a security and maintenance release of the MediaWiki 1.23 branch.
+
+=== Changes since 1.23.0 ===
+
+* (bug 65839) SECURITY: Prevent external resources in SVG files.
+* (bug 67025) Special:Watchlist: Don't try to render empty row.
+* (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
+* (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
+* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
+ like only extracting the tail of the file partially or not at all.
+* (bug 66182) Removed -x flag on some php files.
+
+== MediaWiki 1.23.0 ==
=== Configuration changes in 1.23 ===
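Review bot: The 1.23.2 entry for bug 66608 is missing a space in "Javascript,instead", and the 1.23.1 entry for bug 66922 runs past the 80-column wrap that the rest of the added block keeps. The SECURITY entries for bugs 68187 and 65778 also state what the code change does but not which issue it addresses; a short clause naming the issue, as the bug 66608 entry does with "XSS issue", would let an administrator judge upgrade urgency from the notes alone.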
* (bug 13250) Restored method for clearing a watchlist in web UI
==== Removed globals ====
* $wgBetterDirectionality (deprecated in 1.18)
-== MediaWiki 1.22 ==
+= MediaWiki 1.22 =
+
+== MediaWiki 1.22.15 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.14 ===
+
+* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
+ could lead to xss. Permission to edit MediaWiki namespace is required to
+ exploit this.
+* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
+ $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
+ part of its name.
+* (bug T74222) The original patch for T74222 was reverted as unnecessary.
+== MediaWiki 1.22.14 ==
+
+This is a security and maintenance release of the MediaWiki 1.22 branch.
+
+=== Changes since 1.22.13 ===
+
+* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
+ into API clients that used format=php to process pages that underwent flash
+ policy mangling. This was fixed along with improving how the mangling was done
+ for format=json, and allowing sites to disable the mangling using
+ $wgMangleFlashPolicy.
+* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
+ the content model for a page could allow an unprivileged attacker to edit
+ another user's common.js under certain circumstances. The user right
+ "editcontentmodel" was added, and is needed to change a revision's content
+ model.
+* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
+ DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
+ public RFC about the desired functionality. This issue was reported by user
+ Bawolff.
+* (bug 71621) Make allowing site-wide styles on restricted special pages a
+ config option.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+ might be a flash policy directive configurable.
== MediaWiki 1.22.13 ==
This is a maintenance release of the MediaWiki 1.22 branch.
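Review bot: The added "== MediaWiki 1.22.14 ==" heading follows the bug T74222 bullet with no blank line, unlike the 1.22.15 heading above it; add the empty line so the two sections stay visually separate. The 1.22.15 entries also tag fixes as "[SECURITY]" and write "xss" in lower case, while the 1.22.14 and 1.23.x entries use "SECURITY:" and "XSS"; pick one form so a search for security fixes across the file does not miss entries.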
* (bug 47055) Changed FOR UPDATE handling in Postgresql
* (bug 57026) Avoid extra parsing in prepareContentForEdit()
+== MediaWiki 1.22.0 ==
+
=== Configuration changes in 1.22 ===
* $wgRedirectScript was removed. It was unused.
* Removed $wgLocalMessageCacheSerialized, it is now always true.
file repositories, and related ForeignAPIRepo methods getInfo and getApiUrl.
* The new query module list=allfileusages to enumerate file usages was added.
-=== Languages updated in 1.22===
+=== Languages updated in 1.22 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
* mediawiki.util: mw.util.wikiGetlink has been renamed to getUrl. (The old name
still works, but is deprecated.)
-== MediaWiki 1.21 ==
+= MediaWiki 1.21 =
== MediaWiki 1.21.11 ==
This is a security and maintenance release of the MediaWiki 1.21 branch.
* A problem with the Oracle SQL table creation was fixed.
* (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.
+== MediaWiki 1.21.0 ==
+
=== Configuration changes in 1.21 ===
* (bug 29374) $wgVectorUseSimpleSearch is now enabled by default.
* Deprecated $wgAllowRealName is removed. Use $wgHiddenPrefs[] = 'realname'
* BREAKING CHANGE: (bug 38244) Removed the mediawiki.api.titleblacklist module
and moved it to the TitleBlacklist extension.
-== MediaWiki 1.20 ==
+= MediaWiki 1.20 =
== MediaWiki 1.20.8 ==
This is a security release of the MediaWiki 1.20 branch.
== MediaWiki 1.20.3 ==
This is a security and maintenance release of the MediaWiki 1.20 branch.
-== MediaWiki 1.20.2 ==
+=== Changes since MediaWiki 1.20.2 ===
* New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API. (Unbreaks MLEB.)
* (bug 44010) Context is passed to UserGetLanguageObject.
* The recursion guard on RequestContext::getLanguage() was weakened.
== MediaWiki 1.20.2 ==
This is a maintenance release of the MediaWiki 1.20 branch
-== MediaWiki 1.20.1 ==
+=== Changes since MediaWiki 1.20.1 ===
* (bug 42638) Fix API action=options&reset=1 & unit tests.
* (bug 42370) Fixed backport of 60cc060 to use mDoneWrites — caused * (bug 42592) User rights, preferences and other things are not saving in 1.20.1.
== MediaWiki 1.20.1 ==
This is a security release of the MediaWiki 1.20 branch
-Changes since 1.20
+=== Changes since 1.20.0 ===
* (bug 42202) Validate options to prevent html injection
* (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
* (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
* (bug 40632) Remove CleanupPresentationalAttributes feature
* [Database] Fixed case where trx idle callbacks might be lost.
-
-
-== MediaWiki 1.20 ==
+== MediaWiki 1.20.0 ==
=== PHP 5.3 now required ===
Since 1.20, the lowest supported version of PHP is now 5.3.2. Please
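Review bot: The new sub-headings "=== Changes since MediaWiki 1.20.2 ===" and "=== Changes since MediaWiki 1.20.1 ===" include the product name, but "=== Changes since 1.20.0 ===" a few lines below and the 1.19.x "Changes since" headings do not. Drop "MediaWiki" from the two so every "Changes since" heading follows one pattern.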
== MediaWiki 1.19.21 ==
This is a maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.20===
+=== Changes since 1.19.20 ===
* (bug 67440) Allow classes to be registered properly from installer.
* (bug 47281) Fixed a dumpBackup.php error with --uploads --include-filesoptions: Unable to find the wrapper "mwstore". * System administrators are encouraged to upgrade to this release or 1.22+ and produce a full data dump. https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Backing_up_a_wiki
* (bug 63049) Removed anonymous functions from ApiFormatBase, added in1.19.13 as part of the fix for bug 61362, for PHP 5.2 compatibility.
== MediaWiki 1.19.20 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.19===
+=== Changes since 1.19.19 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
== MediaWiki 1.19.19 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.18===
+=== Changes since 1.19.18 ===
* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
== MediaWiki 1.19.18 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.17===
+=== Changes since 1.19.17 ===
* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
== MediaWiki 1.19.17 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.16===
+=== Changes since 1.19.16 ===
* (bug 65839) SECURITY: Prevent external resources in SVG files.
* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
== MediaWiki 1.19.16 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.15===
+=== Changes since 1.19.15 ===
* (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
== MediaWiki 1.19.15 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.14===
+=== Changes since 1.19.14 ===
Fixed resetting passwords.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
== MediaWiki 1.19.14 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.13===
+=== Changes since 1.19.13 ===
* (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
* (bug 62467) Set a title for the context during import on the cli.
== MediaWiki 1.19.13 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.12===
+=== Changes since 1.19.12 ===
* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
* Use the correct branch of the extensions' git repositories.
== MediaWiki 1.19.12 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.11===
+=== Changes since 1.19.11 ===
* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. * User will get an error including the namespace name if they use a non- whitelisted namespace.
* (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
== MediaWiki 1.19.11 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.10===
+=== Changes since 1.19.10 ===
* (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats
== MediaWiki 1.19.10 ==
This is a security release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.9===
+=== Changes since 1.19.9 ===
* (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
* (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
* (bug 58472) SECURITY: Disallow -o-link in styles
== MediaWiki 1.19.9 ==
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.8===
+=== Changes since 1.19.8 ===
* (bug 53032) SECURITY: Don't cache when a call could autocreate
* (bug 55332) SECURITY: Improve css javascript detection
* (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload
This is a security and maintenance release of the MediaWiki 1.19 branch.
-=== Changes since 1.19.7===
+=== Changes since 1.19.7 ===
* SECURITY: Sanitize ResourceLoader exception messages
* SECURITY: Token-getting functions will fail when using jsonp callbacks.
* SECURITY: Fix extension detection with 2 .'s
This is a security release of the MediaWiki 1.19 branch
-=== Changes since 1.19.6===
+=== Changes since 1.19.6 ===
* (bug 48306) SECURITY: Run file validation checks on chunked uploads, and chunks of upload, during the upload process.
== MediaWiki 1.19.6 ==
This is a security and maintenance release of the MediaWiki 1.19 branch
-=== Changes since 1.19.5===
+=== Changes since 1.19.5 ===
* (bug 47304) SECURITY: Check SVG xml encoding against whitelist
* (bug 46590) Added AbortChangePassword hook to allow extensions to abort password changes from Special:ChangePassword
* Localisation updates from http://translatewiki.net.
This is a security and maintenance release of the MediaWiki 1.19 branch
-=== Changes since 1.19.4===
+=== Changes since 1.19.4 ===
* (bug 47251) SECURITY: Disable external entities in Import
* (bug 46859) SECURITY: Disable external entities in XMLReader
* (bug 46084) SECURITY: Sanitize $limitReport before outputting
This is a security release of the MediaWiki 1.19 branch
-=== Changes since 1.19.3===
+=== Changes since 1.19.3 ===
* New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
* (bug 44010) Context is passed to UserGetLanguageObject.
* The recursion guard on RequestContext::getLanguage() was weakened.
This is a security release of the MediaWiki 1.19 branch
-=== Changes since 1.19.2===
+=== Changes since 1.19.2 ===
* (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
* (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
* Increase permitted runtime for testParserTest (only used for continuous integration).