Change notes from older releases. For current info, see RELEASE-NOTES-1.41.

= MediaWiki 1.40 =

PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/

== MediaWiki 1.40.1 ==

This is a security and maintenance release of the MediaWiki 1.40 branch.

=== Changes since MediaWiki 1.40.0 ===

* Localisation updates.
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T290464) Add DiscussionTools bundling to release notes.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writing about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T343669) skins: Avoid function call on array.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated jQuery from v3.6.1 to v3.7.1.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
* (T265734) API Help: Note that parameters may be inherited from other context.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
* (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* (T326696) Add since tag to UserOptionsManager::MAX_BYTES_OPTION_VALUE.
* updateSpecialPages.php: Avoid implicit float conversion on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-45359) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-45361) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non standard configuration).

== MediaWiki 1.40.0 ==

=== Changes since MediaWiki 1.40.0-rc.0 ===

* Localisation updates.
* (T330464) Work around argument corruption bug in XMLReader::open.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* Fix frame and frameless rdfa depending on file existing.
* (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

== MediaWiki 1.40.0-rc.0 ==

== Upgrading notes for 1.40 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.35.

Some specific notes for MediaWiki 1.40 upgrades are below:

* Maintenance scripts should now be executed using maintenance/run.php, e.g. maintenance/run.php update, not maintenance/update.php as before.
* Five extensions have now been bundled with MediaWiki:
  * The DiscussionTools extension, which provides a forum-like editing experience for wikitext-based discussion pages.
  * The Echo extension, which provides a system of user notifications.
  * The Linter extension, which warns about use of deprecated wikitext.
  * The LoginNotify extension, which warns users about failed attempted logins.
  * The Thanks extension, which lets users thank editors for edits.
* The Renameuser extension has been moved to MediaWiki core. It is now possible to rename users without installing an extension.
  The extension had already been bundled with MediaWiki since 1.18.

For notes on 1.39.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.40 ===

* When computing PBKDF2 password hashes, MediaWiki now detects and uses OpenSSL support if available, unless $wgPasswordConfig['pbkdf2']['class'] is set in LocalSettings.php. OpenSSL is more efficient, so if that setting is present, you should remove it (or set it to 'Pbkdf2PasswordUsingOpenSSL' if possible). If users get an internal error when trying to log in, you can try setting it to 'Pbkdf2PasswordUsingHashExtension'. In particular, this would be necessary if existing PBKDF2 password hashes were computed using a hash algorithm other than "sha512" or "sha256" (the current and prior defaults).
* You should configure your webserver to return the HTTP header 'X-Content-Type-Options: nosniff' for the /images directory. This will instruct browsers to not apply content sniffing when accessing the files. MediaWiki before 1.40 shipped with a content sniffer which disallowed potentially dangerous files at upload time, but this protection has now been removed in favor of this 'X-Content-Type-Options: nosniff' header and the installer will return a warning when it is not in place.
* Support for MW_USE_LEGACY_DEFAULT_SETTINGS has been removed; setting this constant will not have any effect. Use of MW_USE_LEGACY_DEFAULT_SETTINGS had been deprecated since 1.39.

==== New configuration ====

* $wgThumbnailNamespaces - This setting lets you define the namespaces for which image thumbnails (or a placeholder in the absence of a thumbnail) will be displayed on Special:Search.
* $wgResourceLoaderClientPreferences – This experimental flag lets you enable client-side preferences for logged-out users.
* $wgExternalLinksSchemaMigrationStage – This temporary flag lets you control the migration stage for the new schema for the external links database table.
  Ignore it unless you have a large wiki farm with complex migration needs.
* $wgCommentTempTableSchemaMigrationStage – This temporary flag lets you control the migration stage for the temporary comment database table, from revision. Ignore it unless you have a large wiki farm with complex migration needs.
* $wgSpecialContributeSkinsEnabled – This setting lets you list skins on which Special:Contribute is available, for where others don't work for the feature.
* $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.

==== Changed configuration ====

* $wgPasswordPolicies – This setting, which controls what makes for a valid password for wiki accounts, has been adjusted to raise the minimal password length from 1 to 8 characters. The initial limit of 1 has been in place since MediaWiki 1.26. If you wish to allow shorter passwords, you can over-ride it in your LocalSettings following the guidance on MediaWiki.org.
* (T254045) New accounts can no longer use an equals sign (=) in their usernames because of issues it causes in wikitext syntax. This can be adjusted by changing the value of $wgInvalidUsernameCharacters.
* (T314318) $wgParserEnableLegacyMediaDOM – This setting has been changed, so the alternative modern HTML structure for media is now the default. You can disable it for now by over-riding this back to `true` in LocalSettings, but this configuration will be removed in future versions of MediaWiki. For more details, see the documentation at: https://www.mediawiki.org/wiki/Parsoid/Parser_Unification/Media_structure/FAQ
* $wgWatchlistExpiryMaxDuration – This setting, which controls the maximum allowed duration for users to set their temporary watchlist entries for expiry if that feature is enabled, has been increased from 6 months to 1 year.

==== Removed configuration ====

* $wgShellboxUrl – This setting, deprecated in 1.37, has now been removed; use $wgShellboxUrls instead.
* $wgMainWANCache and $wgWANObjectCaches – These never-used settings have been removed. To inject WANObjectCache parameters, use $wgWANObjectCache instead. These variables were introduced for multi-DC wiki farms to add a separate memcached proxy for cross-DC relaying of purges but never used because WANObjectCache works based on route prefixes, which can be transparently handled by the main memcached proxy.
* $wgParserTestFiles – This setting, deprecated in 1.30, has now been removed; extensions can place their parser test files in `tests/parser` instead.
* (T231412) $wgAutoloadAttemptLowercase – This setting, deprecated in 1.35, no longer has any effect. If you run into difficulties, fix the names of miscased local files.
* (T309787) $wgVerifyMimeTypeIE – This setting, to provide extra security checks for very old versions of Internet Explorer clients, was removed. These user agents aren't used in practice, and haven't been served JavaScript content for years.

=== New user-facing features in 1.40 ===

* Special:Search can now show thumbnails for results for titles outside NS_FILE. This is controlled via the new onSearchResultProvideThumbnail hook.
* A new preference ('search-thumbnail-extra-namespaces') to allow users to control whether to show more thumbnails (per $wgThumbnailNamespaces).
* (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters.
* (T313804) The preferences page now provides a search bar to find preferences, regardless of the tab on which they appear.

=== New developer features in 1.40 ===

* The MediaWiki-Docker development environment is now configured to run on PHP 8.1 by default, up from PHP 7.4 now that that's EOL.
* Vue development mode is enabled by default in DevelopmentSettings.php.
* (T277618) The @noVarDump annotation from the DebugInfoTrait tool can now be added to references to stop them from being expanded when their object is passed to var_dump(), to make its use for debugging more feasible.
* The ApiSandbox will now by default request responses in the latest API format, rather than the original format. Users can set `formatversion` to a different value if needed.
* A new hook, GetBlockErrorMessageKeyHook, allows extensions' block error messages to be received and displayed by BlockErrorFormatter.
* A new hook, SpecialCreateAccountBenefits, lets extensions and local code set custom content on the signup page about the benefits of using an account.
* (T321412) A new 'PageUndeleteComplete' hook has been added for more thorough information about a page post restoration than the 'PageUndelete' hook passes. This provides similar functionality to the 'PageDeleteComplete' hook.
* The Linker::specialLink() method can now link to a Special page with a sub-page or action parameter set, e.g. [[Special:Contributions/JohnDoe]].
* The PHPUnit entrypoints (tests/phpunit/phpunit.php and vendor/bin/phpunit) now check if composer dependencies are up-to-date, like update.php, using CheckComposerLockUpToDate. To disable this check, use MW_SKIP_EXTERNAL_DEPENDENCIES=1 environment flag when running PHPUnit.
* ManualLogEntry::setForceBotFlag() has been added to allow the forcing of the bot flag for log entries which are inserted to the recent changes.

=== External library changes in 1.40 ===

==== New external libraries ====

* Added codex-design-tokens at v0.6.2.
* Added symfony/polyfill-php81 at v1.27.0.
* Added wikimedia/bcp-47-code at v1.0.0.

===== New development-only external libraries =====

* Added wikimedia/langconv at v0.4.2.

==== Changed external libraries ====

* Updated OOUI from v0.44.3 to v0.46.3.
* Updated codex, codex-search, and codex-icons from v0.2.2 to v0.6.2.
* Updated cssjanus/cssjanus from 2.1.0 to 2.1.1.
* Updated guzzlehttp/guzzle 7.4.5 to 7.5.0.
* Updated justinrainbow/json-schema from 5.2.11 to 5.2.12.
* Updated pear/mail from 1.4.1 to 1.5.1.
* Updated pear/net_smtp from 0.10.0 to 0.10.1.
* Updated psr/container from 1.1.1 to 1.1.2.
* Updated symfony/polyfill-php80 from 1.26.0 to 1.27.0.
* Updated symfony/yaml from 5.4.10 to 5.4.17.
* Updated wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated wikimedia/less.php from 3.1.0 to 4.0.0.
* Updated wikimedia/object-factory from 4.0.0 to 5.0.1.
* Updated wikimedia/parsoid from 0.16.0 to 0.17.0.
* Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* Updated wikimedia/shellbox from 3.0.0 to 4.0.0.
* Updated wikimedia/timestamp from 4.0.0 to 4.1.0.
* Updated wikimedia/xmp-reader from 0.8.4 to 0.9.1.

===== Changed development-only external libraries =====

* Updated QUnit from 2.18.2 to 2.19.4.
* Updated api-testing from 1.5.0 to 1.5.1.
* Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
* Updated eslint-config-wikimedia from 0.22.1 to 0.24.0.
* Updated giorgiosironi/eris from ^0.10.0 to ^0.13.0.
* Updated grunt from 1.5.2 to 1.6.1.
* Updated grunt-banana-checker from 0.9.0 to 0.10.0.
* Updated grunt-eslint from 24.0.0 to 24.0.1.
* Updated karma from 6.3.15 to 6.4.1.
* Updated mediawiki/mediawiki-codesniffer from 38.0.0 to 41.0.0.
* Updated mediawiki/mediawiki-phan-config from 0.11.1 to 0.12.1.
* Updated php-parallel-lint/php-console-highlighter from 0.5 to 1.0.0.
* Updated php-parallel-lint/php-parallel-lint from 1.3.1 to 1.3.2.
* Updated phpunit/phpunit from 8.5.28 to 9.5.28.
* Updated stylelint-config-wikimedia from 0.13.0 to 0.13.1.
* Updated wikimedia/alea from 0.9.3 to 1.0.0.

==== Removed external libraries ====

* jquery.throttle-debounce, deprecated since MediaWiki 1.33.
* WVUI, deprecated since MediaWiki 1.39.
=== Action API changes in 1.40 ===

* New `cancreateaccount` parameter on action=query&meta=userinfo that allows you to check if the user can create an account. Some of the errors that have previously been returned by action=query&list=users&usprop=cancreate are now returned here.

=== Languages updated in 1.40 ===

MediaWiki supports over 400 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* (T300378) Added language support for Toki Pona (tok).
* (T320465) Added language support for Magahi (mag).
* (T320912) Added language support for Arakanese (rki).
* (T323971) Added language support for Khakas (kjh).
* (T326526) Added language support for Igala (igl).
* (T329476) Added language support for Kusaal (kus).
* (T330266) Added language support for Southern Dagaare (dga).
* (T331596) Added language support for Obolo (ann).
* (T331597) Added language support for Nogai (nog).
* (T331599) Added language support for Wolaytta (wal).
* (T295637) Add no to fallback chain of nb and nn.

=== Breaking changes in 1.40 ===

* OutputPage::enableClientCache no longer accepts a parameter, nor does it return the current value. It simply sets the OutputPage::mEnableClientCache to true. Use OutputPage::disableClientCache to disable client side caching instead.
* ResourceLoader::makeMessageSetScript, unused since 1.26, has been removed without deprecation.
* Changes to skins:
  - The internal protected method Skin::getFooterLinks() was removed. It had no known usages. Different from SkinTemplate::getFooterLinks.
  - The internal public method Skin::getSiteFooterLinks() was removed. It had no known usages.
* The 'oojs-router' module has been removed without deprecation in favour of the 'mediawiki.router' wrapper module.
* BagOStuff::makeKeyInternal(), deprecated for public use in 1.36, is now a protected method of MediumSpecificBagOStuff.
* WANObjectCache::reap() and WANObjectCache::reapCheckKey(), deprecated since 1.39, have been removed.
* The EnqueueJob class, unused since 1.31, has been removed without deprecation.
* JobQueueGroup::singleton() and ::destroySingletons(), deprecated since 1.37, have been removed.
* JobRunner no longer supports manually calling the constructor; use MediaWikiServices::getInstance()->getJobRunner() instead.
* JobRunner::setLogger, deprecated since 1.35, has been removed.
* ContextSource::getStats, deprecated since 1.27, has been removed.
* The following public properties of Parser, deprecated in 1.35, have been made private: Parser::$mLinkId, Parser::$mIncludeSizes, Parser::$mDoubleUnderscore, Parser::$mShowToc, Parser::$mRevisionId, Parser::$mRevisionTimestamp, Parser::$mRevisionUser, Parser::$mRevisionSize, Parser::$mInputSize, Parser::$mInParse, Parser::$mFirstCall, Parser::$mGeneratedPPNodeCount
* The MWGrants class, deprecated since 1.38, has been removed.
* PageProps::getInstance(), deprecated since 1.38, has been removed.
* Global functions wfReadOnly and wfReadOnlyReason, deprecated since 1.38, have been removed.
* Global function wfQueriesMustScale, deprecated since 1.39, has been removed.
* Global function wfLogProfilingData, deprecated since 1.38, has been removed.
* The HTMLCacheUpdate class, deprecated since 1.34, has been removed.
* Linker::normaliseSpecialPage(), deprecated since 1.35, has been removed.
* MWTimestamp::getHumanTimestamp(), deprecated since 1.26, has been removed.
* Collation::singleton() and ::factory(), deprecated since 1.37, have been removed.
* SpecialVersion::listToText() and SpecialVersion::arrayToString() have become private or internal without deprecation.
* The 'ParserTestFiles' key in the schema for extension.json has been removed. This was deprecated in 1.30 and the corresponding $wgParserTestFiles configuration variable has also been removed in this release.
  Extensions can put parser test files in their `tests/parser` directory to have them automatically run.
* DBLockManager, MySqlLockManager, and PostgreSqlLockManager have been removed without deprecation.
* MediaWikiTestCaseTrait::checkPHPExtension() has been removed without deprecation. Use PHPUnit @requires annotations instead.
* EditPage::getCopywarn(), deprecated since 1.38, has been removed.
* EditPage::getCopyrightWarning() now requires a MessageLocalizer parameter. Use of other parameter types or omitting it was deprecated since 1.38.
* Action constructor now requires Article and IContextSource parameters. Use of other parameter types or omitting them was deprecated since 1.35.
* Article::viewRedirect(), deprecated since 1.30, has been removed.
* Title::getNotificationTimestamp(), deprecated since 1.35, has been removed.
* WikiRevision::$fileIsTemp property, deprecated since 1.29, has been removed.
* Use of CommentStore::insertWithTempTable() with 'img_description' is no longer supported; it was deprecated since 1.32. Use CommentStore::insert() instead.
* Return values in the parameter $pageLang of the PageContentLanguage hook with other types than a Language object, deprecated since 1.33 & emitting warnings since 1.38, now throw an exception.
* FormatMetadata::flattenArrayContentLang(), deprecated since 1.36, has been removed.
* WikiRevision::downloadSource() and ::importUpload(), deprecated since 1.31, have been removed.
* DataUpdate::runUpdates(), deprecated since 1.28, has been removed.
* CdnCacheUpdate::newFromTitles(), deprecated since 1.35, has been removed.
* HtmlFileCacheUpdate::newFromTitles(), deprecated since 1.37, has been removed.
* BaseTemplate::renderAfterPortlet() and ::getAfterPortlet() have been removed. Use the corresponding methods in Skin class.
* DifferenceEngine::textDiff(), deprecated since 1.32, has been removed.
* Skin::getSearchPageTitle() and Skin::setSearchPageTitle(), deprecated since 1.38, have been removed.
* DifferenceEngine::getDiffBodyCacheKey(), deprecated since 1.31, has been removed.
* ForeignDBViaLBRepo::getMasterDB(), LocalRepo::getMasterDB(), and JobQueueDB::getMasterDB(), deprecated since 1.37, have been removed.
* Clarified that the InitializeArticleMaybeRedirect hook should not change its $article parameter; the behavior when doing so was previously undocumented.
* IDatabase::ping()'s $rtt parameter was removed without deprecation.
* IDatabase::setBigSelects(), unused, was removed without deprecation.
* IDatabase::attributesFromType(), unused, was removed without deprecation.
* IMaintainableDatabase::deadlockLoop() was removed without deprecation.
* DatabasePostgres::remappedTableName(), deprecated since 1.37, has been removed.
* ILBFactory::getChronologyProtectorClientId and ::commitAll, unused, were removed without deprecation.
* LoadBalancer::haveIndex() and ::isNonZeroLoad(), deprecated in 1.34, have been removed.
* LoadBalancer::getLazyConnectionRef(), deprecated in 1.38, has been removed.
* ILBFactory::forEachLB(), deprecated in 1.39, has been removed.
* LoadBalancer::getTransactionRoundStage and ::commitAll, unused, were removed without deprecation.
* ILoadBalancer::getLaggedReplicaMode, unused, was removed without deprecation. Use ILBFactory::laggedReplicaUsed() instead.
* Optional parameters of ILoadBalancer::waitForPrimaryPos(), $pos and $timeout have been removed without deprecation as they are unused.
* LoadMonitorMysql was removed without deprecation. Use LoadMonitor instead.
* IDatabase::selectDB(), deprecated since 1.32, has been removed. Use IDatabase::selectDomain() instead.
* The following deprecated hooks have been removed:
  - BaseTemplateAfterPortlet, deprecated in 1.35
  - BeforeParserFetchTemplateAndtitle, deprecated in 1.36
  - BeforeParserrenderImageGallery, deprecated in 1.35
  - InternalParseBeforeSanitize, deprecated in 1.35
  - LinksUpdateConstructed, deprecated in 1.38
  - LinksUpdateAfterInsert, deprecated in 1.38
  - ParserSectionCreate, deprecated in 1.35
  - ResourceLoaderTestModules, deprecated in 1.33
  - SpecialMuteSubmit, deprecated in 1.35
  - UserLoadFromDatabase, deprecated in 1.37
  - UserSetCookies, deprecated in 1.27
* RemexDriver::__construct() now only accepts a ServiceOptions instance as the only argument. Passing an array was deprecated since 1.36.
* TidyDriverBase::supportsValidate(), deprecated since 1.36, has been removed.
* RevDelList::reloadFromMaster(), deprecated since 1.37, has been removed.
* ExternalStoreDB::getMaster(), deprecated since 1.37, has been removed.
* DeletePage::deletionWasScheduled(), deprecated since 1.38, has been removed.
* The SearchResultProvideThumbnailHook, which was unstable and is now no longer used, has been removed. Use SearchResultProvideThumbnailHook in the search namespace: MediaWiki\Search\Hook\SearchResultProvideThumbnailHook.
* Command::cgroup(), deprecated since 1.36, has been removed.
* When running tests, the serialize_precision INI setting is now set to -1 (current PHP default) instead of 17. Extension tests may need to be adjusted accordingly; string representations of floating-point numbers in serialized or JSON-encoded data may change.
* WikiRevision::$sha1base36 is now private.
* IcuCollation::getUnicodeVersionForICU() was removed without deprecation.
* LinkFilter::supportsIDN() was removed without deprecation.
* The ability to pass null for the errorData parameter of HttpException and LocalizedHttpException was removed without deprecation.
* ApiQueryExtLinksUsage::getProtocolPrefix() and ::prepareProtocols() have been moved to LinkFilter with the same name.
* .box-sizing() Less mixin, deprecated since 1.37, has been removed. Use CSS box-sizing now.
* MimeAnalyzer::getIEMimeTypes() and IEContentAnalyzer were removed.
* Language::commafy and mw.language.commafy, deprecated since 1.36, have been removed.
* BagOStuff::decr(), deprecated since 1.28, has been removed.
* BagOStuff::incr(), deprecated since 1.28, has been removed.

=== Deprecations in 1.40 ===

* Changes to skins:
  - The public Skin::footerLink is deprecated. Use SkinComponentMenuLink::getTemplateData instead. It now emits deprecation warnings.
  - The protected Skin::lastModified is deprecated, marked for @internal use, and now emits deprecation warnings.
* Manipulating $wgHooks after initialization is deprecated. HookContainer::register() or HookContainer::scopedRegister() should be used instead. During initialization, SettingsBuilder::registerHookHandlers can be used. For backwards compatibility, $wgHooks is replaced by a fake array that calls methods on HookContainer. $wgHooks can still be used as a configuration variable, only dynamic manipulation is deprecated.
* ParserOptions::{get,set}ExternalLinkTarget() and ParserOptions::{get,set}MaxTemplateDepth() have been deprecated and marked for @internal use only.
* ParserOutput::getCategories() has been deprecated; use ::getCategoryNames() and ::getCategorySortKey() instead.
* ParserOutput::{get,set}TOCHTML() has been deprecated; use ::{get,set}TOCData() instead.
* TransactionProfiler::setSilenced() is deprecated. Use TransactionProfiler::silenceForScope() instead.
* The following methods in the Title class, deprecated since 1.37, emit deprecation warnings:
  - ::areCascadeProtectionSourcesLoaded()
  - ::areRestrictionsCascading()
  - ::areRestrictionsLoaded()
  - ::getAllRestrictions()
  - ::getCascadeProtectionSources()
  - ::getFilteredRestrictionTypes()
  - ::getRestrictionExpiry()
  - ::getRestrictionTypes()
  - ::getRestrictions()
  - ::isCascadeProtected()
  - ::isProtected()
  - ::isSemiProtected()
  - ::loadRestrictionsFromRows()
* The class Pbkdf2Password was renamed to Pbkdf2PasswordUsingHashExtension, and the old name is now deprecated.
* WikiPage::factory(), ::newFromID() and ::newFromRow, deprecated in 1.36, now emit deprecation warnings.
* Manually constructing a LinkBatch object, deprecated in 1.35, now emits deprecation warnings. Use LinkBatchFactory instead.
* Calling MediaWikiSite::getFileUrl() without a $path argument is deprecated. If you need the "generic" full file path, with $1 not replaced by anything, call $site->getPath( MediaWikiSite::PATH_FILE ) directly.
* In SessionConsistentConnectionManager, the methods getReadConnectionRef() and getWriteConnectionRef() are deprecated; the ConnectionManager methods they override had been deprecated already.
* Database::wasErrorReissuable() is deprecated.
* MimeAnalyzer::isPHPImageType was not used and will now emit deprecation warnings.
* GenericArrayObject, originally developed for Wikibase and SiteList, has been deprecated. Use built-in ArrayObject directly instead.
* Parser::getFunctionLang() has been deprecated; use Parser::getTargetLanguage() instead.
* MagicWordArray::getVariableRegex(), deprecated in 1.36, now emits deprecation warnings.
* AbstractBlock::getId() now emits deprecation warnings in case of cross-wiki access. This use was deprecated in 1.38.
* CommentStore::getStore, deprecated in 1.31, now emits deprecation warnings.
* BacklinkCache::get(), ::getLinks() and ::getCascadeProtectedLinks(), deprecated in 1.37, now emit deprecation warnings.
* LanguageConverterFactory::isTitleConversionDisabled(), deprecated in 1.36, now emits deprecation warnings.
* Language::getFileName(), ::getMessagesFileName() and ::getJsonMessagesFileName(), deprecated in 1.34, now emit deprecation warnings.
* Language::getLocalisationCache(), deprecated in 1.34, also Language::getMessagesFor(), ::getMessageFor() and ::getMessageKeysFor(), deprecated in 1.35, now emit deprecation warnings.
* User::incEditCount(), deprecated in 1.37, now emits deprecation warnings.
* User::idFromName(), deprecated in 1.37, now emits deprecation warnings.
* The ability to override and use User::$mRights, deprecated in 1.34, now emits deprecation warnings.
* IndexPager::getHookContainer is deprecated and emits deprecation warnings. Inject a HookContainer instead.
* User::getGroupPermissions(), ::getGroupsWithPermission() and ::groupHasPermission(), deprecated in 1.34, now emit deprecation warnings.
* PermissionManager::getGroupPermissions(), ::getGroupsWithPermission() and ::groupHasPermission(), deprecated in 1.36, now emit deprecation warnings.
* Global function wfShowingResults is deprecated and emits deprecation warnings.
* UserGroupMembership::getGroupMemberName is deprecated; the deprecation of UserGroupMembership::getGroupName in 1.38 missed a release note. Use Language::getGroupMemberName or ::getGroupName instead.
* AbstractBlock::getPermissionsError(), deprecated in 1.35, now emits deprecation warnings.
* SearchEngine::getNearMatcher() and ::getDefaultMatcher() have been deprecated in favor of MediaWikiServices::getInstance()->getTitleMatcher().
* SearchNearMatcher class has been deprecated in 1.40 in favor of TitleMatcher.
* The following functions are deprecated: User::isBlockedGlobally and User::getGlobalBlock. Use User::getBlock instead.
* The UserIsBlockedGlobally hook is deprecated. Use GetUserBlock hook instead.
* The SystemBlock type global-block is deprecated.
  GlobalBlocks are now added into CompositeBlocks via the GetUserBlock hook.
* Language::isWellFormedLanguageTag(), deprecated in 1.39, now emits deprecation notices. Please use LanguageCode::isWellFormedLanguageTag() instead.
* Language::fetchLanguageNames() and ::fetchLanguageName(), deprecated in 1.34, now emit deprecation warnings.
* Language::getFallbackFor(), ::getFallbacksIncludingSiteLanguage() and ::getFallbacksFor(), deprecated in 1.35, now emit deprecation warnings.
* Language::isSupportedLanguage(), ::isValidCode(), ::isValidBuiltInCode() and ::isKnownLanguageTag(), deprecated in 1.34, now emit deprecation warnings.
* Language::getConverter(), ::autoConvert(), ::autoConvertToAllVariants(), ::convert(), ::convertNamespace(), ::convertHtml(), ::convertCategoryKey(), ::getVariants(), ::hasVariants(), ::hasVariant(), ::getDefaultVariant(), ::getURLVariant(), ::getExtraHashOptions(), ::getConvRuleTitle(), deprecated in 1.35, now emit deprecation warnings.
* Language::factory() and ::getParentLanguage(), deprecated in 1.35, now emit deprecation warnings.
* Executing maintenance scripts directly is deprecated. The maintenance/run.php entry point should be used instead.
* MWHttpRequest::factory, deprecated in 1.34, now emits deprecation warnings.
* Job::factory is deprecated, use JobFactory::newJob instead.
* Http::request(), ::get(), ::post(), ::userAgent() and ::isValidURI(), deprecated in 1.34, now emit deprecation warnings.
* Title.js's confusingly-named getName() and getNameText() methods, for using media files' pages, have been renamed to getFileNameWithoutExtension() and getFileNameTextWithoutExtension() respectively. The old names are deprecated.
* Command::whitelistPaths() should now emit deprecation warnings. Make use of Command::allowPaths/disallowPaths() instead.
* When manually creating an HTMLFormField (i.e. not via HTMLForm::factory), it is deprecated to not include the "parent" field as one of the parameters.
* The MWException class is deprecated.
  Use native exceptions, either directly or as base classes.
* SelectQueryBuilder::lockForUpdate() is deprecated. Use ::forUpdate() with ::fetchRowCount() or ::acquireRowLocks() instead.
* ArticleUndelete hook is deprecated. Use PageUndeleteComplete hook instead.
* The global function wfReportTime() is now deprecated.
* PrevNextNavigationRenderer, deprecated in 1.39, now emits deprecation warnings.
* PagerNavigationBuilder::setMakeLinkCallback(), deprecated in 1.39, now emits deprecation warnings.
* IndexPager::getPagingLinks(), IndexPager::getLimitLinks() and IndexPager::buildPrevNextNavigation(), deprecated in 1.39, now emit deprecation warnings.
* Overriding the method IndexPager::makeLink(), deprecated in 1.39, now emits deprecation warnings.
* The following class names were namespaced (and, for the special pages, also renamed), and the old class names are now deprecated:
  - MostimagesPage -> MediaWiki\Specials\SpecialMostImages
  - MovePageForm -> MediaWiki\Specials\SpecialMovePage
  - UserrightsPage -> MediaWiki\Specials\SpecialUserRights
  - WantedFilesPage -> MediaWiki\Specials\SpecialWantedFiles
  - WantedPagesPage -> MediaWiki\Specials\SpecialWantedPages
  - DerivativeRequest -> MediaWiki\Request\DerivativeRequest
  - FauxRequest -> MediaWiki\Request\FauxRequest
  - FauxRequestUpload -> MediaWiki\Request\FauxRequestUpload
  - PathRouter -> MediaWiki\Request\PathRouter
  - WebRequestUpload -> MediaWiki\Request\WebRequestUpload
  - HeaderCallback -> MediaWiki\Request\HeaderCallback
  - FauxResponse -> MediaWiki\Request\FauxResponse
  - WebResponse -> MediaWiki\Request\WebResponse
  - ForeignResourceManager -> MediaWiki\ResourceLoader\ForeignResourceManager
  - DummyLinker -> MediaWiki\Linker\DummyLinker
  - Linker -> MediaWiki\Linker\Linker
  - PageProps -> MediaWiki\Page\PageProps
  - MagicWord -> MediaWiki\Parser\MagicWord
  - MagicWordArray -> MediaWiki\Parser\MagicWordArray
  - MagicWordFactory -> MediaWiki\Parser\MagicWordFactory
  - RawMessage -> MediaWiki\Language\RawMessage
  - ActorMigration
    -> MediaWiki\User\ActorMigration
  - ActorMigrationBase -> MediaWiki\User\ActorMigrationBase
  - CategoriesRdf -> MediaWiki\Category\CategoriesRdf
  - Category -> MediaWiki\Category\Category
  - CategoryViewer -> MediaWiki\Category\CategoryViewer
  - TrackingCategories -> MediaWiki\Category\TrackingCategories
  - EditPage -> MediaWiki\EditPage\EditPage
  - TemplatesOnThisPageFormatter -> MediaWiki\EditPage\TemplatesOnThisPageFormatter
  - ContentSecurityPolicy -> MediaWiki\Request\ContentSecurityPolicy
  - FormOptions -> MediaWiki\Html\FormOptions
  - Html -> MediaWiki\Html\Html
  - HtmlHelper -> MediaWiki\Html\HtmlHelper
  - TemplateParser -> MediaWiki\Html\TemplateParser
  - FormOptions -> MediaWiki\Html\FormOptions
  - WikiMap -> MediaWiki\WikiMap\WikiMap
  - WikiReference -> MediaWiki\WikiMap\WikiReference
  - MediaWiki\BadFileLookup -> MediaWiki\Page\File\BadFileLookup
  - FileDeleteForm -> MediaWiki\Page\File\FileDeleteForm
  - MergeHistory -> MediaWiki\Page\MergeHistory
  - MovePage -> MediaWiki\Page\MovePage
  - ProtectionForm -> MediaWiki\Page\ProtectionForm
  - LinkFilter -> MediaWiki\ExternalLinks\LinkFilter
  - TitleArray -> MediaWiki\Title\TitleArray
  - TitleArrayFromResult -> MediaWiki\Title\TitleArrayFromResult
  - TitleFactory -> MediaWiki\Title\TitleFactory
  - Title -> MediaWiki\Title\Title
  - ForkController -> MediaWiki\Maintenance\ForkController
  - OrderedStreamingForkController -> MediaWiki\Maintenance\OrderedStreamingForkController
  - AtomFeed -> MediaWiki\Feed\AtomFeed
  - ChannelFeed -> MediaWiki\Feed\ChannelFeed
  - FeedItem -> MediaWiki\Feed\FeedItem
  - FeedUtils -> MediaWiki\Feed\FeedUtils
  - RSSFeed -> MediaWiki\Feed\RSSFeed
  - DeprecatedGlobal -> MediaWiki\StubObject\DeprecatedGlobal
  - StubGlobalUser -> MediaWiki\StubObject\StubGlobalUser
  - StubObject -> MediaWiki\StubObject\StubObject
  - StubUserLang -> MediaWiki\StubObject\StubUserLang
* ContentHandler::getParserOutputForIndexing() and ::getDataForSearchIndex() now take an optional RevisionRecord parameter.
* The SearchDataForIndex hook is deprecated in favor of SearchDataForIndex2.
* IDatabase::lastQuery and IReadableDatabase::lastQuery are deprecated without replacement.

=== Other changes in 1.40 ===

* Calling RecentChange::doMarkPatrolled() with $auto = true has no effect and logs a warning. Since 1.31, it would mark the change as manually patrolled, but would not log it as such in patrol log and would still require 'autopatrol' right (not 'patrol'). Generally, whether a change should become autopatrolled is usually determined before it's inserted in the database.
* In versions of MediaWiki before 1.39, the table of contents location was marked internally with ...; in version 1.39 this was changed to an empty tag . In 1.40 this has been changed a final time to use an empty tag for future Parsoid compatibility (see Parser::TOC_PLACEHOLDER). This may affect you if stale content is left in the ParserCache or if your skin did manual ToC replacement without using the recommended Parser::replaceTableOfContentsMarker() function.
* Skins can now choose which Codex theme should be loaded by setting the SkinCodexThemes attribute in their skin.json file.
* The parser test framework has been updated, and the 'pst', 'ill', 'cat' and 'showflags' options have slight differences in their output. These options are not much used outside core, but third parties may need to update parser tests.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.

== Compatibility ==

MediaWiki 1.40 requires PHP 7.4.3 or later and the following PHP extensions:

* ctype
* dom
* fileinfo
* iconv
* intl
* json
* mbstring
* xml

MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can be used instead, but support for them is somewhat less mature.
The supported versions are:

* MariaDB 10.3 or higher
* MySQL 5.7.0 or higher
* PostgreSQL 10 or later
* SQLite 3.8.0 or later

== Online documentation ==

Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

  https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

  https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

  https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.libera.chat.

= MediaWiki 1.39 =

PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/

== MediaWiki 1.39.5 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.4 ===

* Localisation updates.
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T317255) VueComponentParser: Use Zest's getElementsByTagName() rather than PHP's.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writing about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T274041) Include core PSR-4 classes in the generated classmap.
* (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
* HTMLForm: Fix E_NOTICE when hide-if is used with setFormIdentifier.
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
* (T265734) API Help: Note that parameters may be inherited from other context.
* API: Make continue parameter help description more specific.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
* (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T326696) user: Truncate option value in UserOptionsManager.
* (T326696) ApiOptions: Give warning if the value is too long.
* API i18n: Add {{PLURAL:}} for byte count messages.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* updateSpecialPages.php: Avoid implicit float conversion on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-45359) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
* (T340220, CVE-2023-45361) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
* (T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration).

== MediaWiki 1.39.4 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.3 ===

* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5).
* (T333776) {{ACTIVEUSERS}} wasn't being updated without updateSpecialPages.php.
* (T258860) Prevent LogicCache exception from message cache during IO errors from memcache.
* (T336868) Improve idempotency of postgres index upgrades.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* A fake MessageLocalizer for use in unit tests.
* (T338114) Title: Add forward alias.
* composer: Add symfony/polyfill-php81 like symfony/polyfill-php80.
* (T330464) Work around argument corruption bug in XMLReader::open.
* Fix frame and frameless rdfa depending on file existing.
* Fixes for the phan upgrade, part 1.
* Fixes for the phan upgrade, part 2.
* (T298571) build: Update mediawiki/mediawiki-phan-config to 0.12.0.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

== MediaWiki 1.39.3 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.2 ===

* Localisation updates.
* (T328477) LinksUpdate: Use DB key for category links table.
* GlobalFunctions: Remove check for MEDIAWIKI constant.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330382) postgres: Make the upgrade ignore dropping indexes that might not exist.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects.
* (T291753) rdbms: escape backslashes in makeConnectionString for PostgreSQL.
* (T325529) Fix total breakage of wgCanonicalServer fallback.
* (T318103) mediawiki.storage: Disable async GC during integration test.
* (T332461, T332397) TempFSFile: Keep the WeakMap alive.
* (T332902) page: fix InvalidArgumentException in SQLPlatform::makeList.
* (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers.

== MediaWiki 1.39.2 ==

This is a maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.1 ===

* Localisation updates.
* (T325872) ChangeTags: Remove table name from condition.
* (T324895) MWCallbackStream: Add explicit $stream property.
* (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField.
* (T321319) Produce HTML for invalid JSON.
* (T215466, T326071) MigrateActors: Write to revision table (Follow-up 24115a8).
* (T223027) ReservedUsernames config: Add reserved names from maintenance scripts.
* (T325000, T324896, T307631) Updated OOUI from v0.44.3 to v0.44.5.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
* DatabaseSqlite: fix null blobs.
* rdbms: avoid pg_escape_bytea() call-style deprecation notices.
* (T322278) Improve LocalisationCache post-merge validation check.
* (T324408, T326367) Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* (T322278) Fix the remaining Phan failures on PHP 8.1.
* (T322278, T326367) Respond to some messages from Phan on PHP 8.1.
* Fix phan error when Excimer is enabled.
* (T326021) Add matrix: to $wgUrlProtocols.
* (T314099) stream wrapper: Declare $context class property.
* (T314099) libs\jsminplus: Declare JSNode::$expression.
* (T314096) composer.json: Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
* (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
* (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
* (T215466, T326071) installer: Split drop action out of the SQL patch for actor migration.
* (T322603) SqliteMaintenance.php: Fix fatally broken instanceof check.
* (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string getNativeData().
* (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being released.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
* (T327821) skin: Restore default 'value' attribute in makeSearchButton().
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T329415) Clear the statsd data buffer regardless of StatsdServer config.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
* (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if no path.
* (T324894) TempFSFile: Use a WeakMap for reference tracking if available.
* (T295637) Add no to fallback chain of nb and nn.

== MediaWiki 1.39.1 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since MediaWiki 1.39.0 ===

* Localisation updates.
* PostgresUpdater: Remove trailing space from 'user_id ' column.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324516) postgres: Fix upgrade for templatelinks primary key.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
* (T314099) OutputPage: Remove unused dynamic property ParserOptions->isBogus.
* (T314099) api: Remove use of undeclared property in action=comparepages.
* Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
* (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
* Updated pear/mail (v1.4.1 => v1.5.0).
* Removed wikimedia/dodo (v0.4.0).
* (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters.
* (T322637) SECURITY: sqlite should not create DB file world-readable.

== MediaWiki 1.39.0 ==

=== Changes since MediaWiki 1.39.0-rc.1 ===

* Localisation updates.
* exception: Tolerate no service container when trying DB rollback.
* (T320282) Upgrading wikimedia/xmp-reader (0.8.3 => 0.8.4).
* objectcache: Deprecate WANObjectCache::reap() and ::reapCheckKey().
* (T320864) When calling mail(), use an array for headers.
* Upgrading wikimedia/xmp-reader (0.8.4 => 0.8.5).
* (T321154) Call setFormIdentifier() on LogEventsList form.
* When importing revision with same timestamp as latest revision, treat it as the new latest.
* (T320726) RandomImageGenerator::getImageSpec: Don't pass a float to mt_rand(), for PHP 8.1.
* (T298485, T322360) WikiExporter: Avoid calling reload in processing every row.
* (T321551) pager: Fix null used for foreach in Pager::getNavigationBar.
* (T321551) pager: Remove unused AlphabeticPager::getOrderTypeMessages() support.
* pager: Remove unused PagerNavigationBuilder::setExtra().
* PagerNavigationBuilder: Document that nulls in setLinkQuery() etc. are allowed.
* (T322335) ApiQueryRevisionsBase: Fix 'rvdiffto' parameter handling on PHP 8.0.
* (T314096) TestFileEditor: Fix string interpolation.
* (T289926) api: Fix minor PHP 8.1 incompatibility in ApiOptions.
* (T322803) SpecialBotPasswords: Don't pass null to trim().
* (T289926) Fix incomplete ITextFormatter mocks.
* Language: Handle ronna and quetta.
* (T72510) rdbms: make SqlitePlatform::tableName() apply double quotes.
* (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0.
* .gitattributes: Ship docker-compose.yml to the tarball.

== MediaWiki 1.39.0-rc.1 ==

=== Changes since MediaWiki 1.39.0-rc.0 ===

* Localisation updates.
* (T318481) composer: Drop symfony/php73-polyfill.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T318307) HTMLFormField::validate(): Update docs to permit all data types.
* (T306802) docker: update to latest published images.
* (T318754) WebInstallerOptions::addPersonalizationOptions(): Close fieldset.
* (T227047) Soft-deprecate the remainder of ActorMigration.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.
* (T319186) .phan/config.php: Update minimum_target_php_version.
* Tests: Explicit cast to int in RandomImageGenerator test (php8 warnings).
* (T319186) .phan/config.php: Update minimum_target_php_version.
* (T310243) Deprecate use of 'wvui-search' package.
* utils: Fix return doc about false/null for UrlUtils::expand.
* (T319000) WebInstaller: Don't try and run trim() on null.
* In the event of preg failure in MagicWordArray throw exception.
* (T318753) Installer: Disable logo dropper for now.

== MediaWiki 1.39.0-rc.0 ==

== Upgrading notes for 1.39 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.31.

Some specific notes for MediaWiki 1.39 upgrades are below:

* (T278139) Drop PHP 7.3 support in MediaWiki 1.39; require 7.4.3 or higher.

For notes on 1.38.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.39 ===

==== New configuration ====

* $wgAutoCreateTempUser – This configures automatic user creation on page save.
* $wgCopyUploadAllowOnWikiDomainConfig – This configures if administrators can use the MediaWiki:Copyupload-allowed-domains system message to define which domains can be used with the upload-by-url tool.
* $wgCdnMatchParameterOrder – This can be set to false if MediaWiki is behind a CDN that re-orders query parameters. This will make the code that matches request URLs to canonical CDN URLs insensitive to parameter order.
* $wgMultiShardSiteStats – This allows you to split site_stats across multiple rows.
  Only useful for very large, heavily edited wikis. (T306589)
* $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.

==== Changed configuration ====

* $wgInvalidUsernameCharacters – This setting now contains the char '>', which is now the reserved delimiter for external user names.
* $wgLocalFileRepo – The default serialization method for file meta-data has been changed to JSON. You can revert it to PHP by setting the property 'useJsonMetadata' to false.
* $wgLBFactoryConf – The 'configCallback' flag can now be set to a callback function that returns an array with keys to update in $wgLBFactoryConf. This can be used to update the database configuration on the fly, e.g. to take replica hosts out of rotation.
* $wgDBservers and $wgLBFactoryConf – The DBO_SSL flag has been deprecated in favour of a boolean "ssl" parameter.
* $wgObjectCaches – The 'globalKeyLB' and 'localKeyLB' flags are no longer supported.

==== Removed configuration ====

* $wgMultiContentRevisionSchemaMigrationStage - This transition flag, deprecated since MediaWiki 1.35, has been removed; the data migration is over.
* $wgActorTableSchemaMigrationStage - This transition flag has been removed; the data migration is over.
* $wgWikiFarmSiteDetector – This experimental setting has been removed without replacement. Use the MW_WIKI_NAME environment variable to specify the name of the site for which to load configuration. Using the WIKI_NAME environment variable for this purpose is deprecated.
* $wgParserCacheUseJson - The ParserCache now always uses JSON serialization. Reading old non-JSON cache entries is still supported. The setting had been deprecated since 1.36.
* $wgAllowJavaUploads - To allow uploads of JAR files, remove application/java from $wgMimeTypeExclusions.
* $wgMaxRedirects – This broken feature was removed, as it never worked as intended (T296430).
* $wgElementTiming – This experimental, default-disabled feature has been removed without replacement.
* $wgPriorityHints and $wgPriorityHintsRatio – The related experimental feature has been removed without replacement.
* $wgIncludeLegacyJavaScript – This flag has been removed, without loss of any functionality in this release. Most former "wikibits" functions were removed after deprecation in previous releases. The remaining functions, such as importScript, are now available unconditionally.
* $wgLegacySchemaConversion - This unused setting has been removed.
* $wgInterwikiPrefixDisplayTypes - This unused setting has been removed.
* $wgMangleFlashPolicy – This is no longer functional, and is now deprecated. Users who are somehow still using Flash as a browser extension will be exposed to CSRF vulnerabilities.

=== New user-facing features in 1.39 ===

* Optional automatic user creation on page save ($wgAutoCreateTempUser)
* Administrators now have the option to delete/undelete the associated "Talk" page when they are (un)deleting a given page. `deletetalk` and `undeletetalk` options were added to the 'delete' and 'undelete' action APIs in MW 1.38.
* `{{=}}` is now a wikitext built-in magic word, expanding to `=`. This is conventionally used as an escape mechanism to allow the use of `=` in unnamed template arguments. Defining [[Template:=]] to expand to something other than `=` has been deprecated since 1.36, with affected pages put into a special tracking category for migration.
* (T284020) Bot passwords are now supported when using the REST API.

=== New developer features in 1.39 ===

* Added optional $size param to SearchResultProvideThumbnail hook.
* SearchResultProvideThumbnail hook interface moved from MediaWiki\Rest\Hook namespace to MediaWiki\Search\Hook.
* JsonValidateSaveHook has been added to allow extensions to set additional pre-save validations for specific JSON pages (T313254).
* Added 'PermissionErrorAudit' hook, enabling extensions to audit permission errors on specific actions. For instance, failed account registration attempts due to a block (T306018).

=== External library changes in 1.39 ===

==== New external libraries ====

* Added Codex v0.1.1. This replaces the now deprecated wvui library.
* Added symfony/polyfill-php81.

===== New development-only external libraries =====

* Updated QUnit from 2.18.0 to 2.18.2.

==== Changed external libraries ====

* Updated jQuery from v3.6.0 to v3.6.1.
* Updated OOUI from v0.43.2 to v0.44.5.
* Updated composer/semver from 3.2.6 to 3.3.2.
* Updated cssjanus/cssjanus from v2.1.0 to v2.1.1.
* Updated pear/mail from v1.4.1 to v1.5.1.
* Updated symfony/polyfill-php73 from 1.25.0 to 1.26.0.
* Updated symfony/polyfill-php80 from 1.25.0 to 1.26.0.
* Updated symfony/yaml from 5.4.3 to 5.4.10.
* Updated vue/compat from 3.2.23 to 3.2.37.
* Updated wikimedia/base-convert from 2.0.1 to 2.0.2.
* Updated wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated wikimedia/ip-set from 3.0.0 to 3.1.0.
* Updated wikimedia/minify from 2.2.6 to 2.3.0.
* Updated wikimedia/php-session-serializer from 2.0.0 to 2.0.1.
* Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* Updated wikimedia/running-stat from 1.2.1 to 2.1.0.
* Updated wikimedia/scoped-callback from 3.0.0 to 4.0.0.
* Updated wikimedia/services from 2.0.1 to 3.0.0.
* Updated wikimedia/timestamp from 3.0.0 to 4.0.0.
* Updated wikimedia/xmp-reader from 0.8.1 to 0.8.6.

===== Changed development-only external libraries =====

* Updated composer/spdx-licenses from 1.5.5 to 1.5.7.
* Updated doctrine/dbal for PHP < 7.3 from 2.13.6 to 2.13.9.
* Updated doctrine/dbal for PHP >= 7.3 from 3.1.5 to 3.4.2.
* Updated mediawiki/mediawiki-phan-config from 0.11.1 to 0.12.1.

==== Removed external libraries ====

* Removed wikimedia/dodo (v0.4.0).
=== Bug fixes in 1.39 ===

* (T314013) $wgExtraNamespaces no longer overrides canonical namespace names specified in extension.json files. While this setting can still be used to rename extension-defined namespaces, system administrators may need to run namespaceDupes.php after upgrading.

=== Action API changes in 1.39 ===

* New `undeletetalk` parameter on action=undelete that allows you to restore all revisions of the associated talk page.

=== Languages updated in 1.39 ===

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* Actual localization was added for several languages, which were already in Names.php and even used for a Wikipedia:
** (T313200) Added language support for Rundi (Kirundi, rn).
** (T310976) Added language support for Tumbuka (ChiTumbuka, tum).
** (T314270) Added language support for Kanuri (kr).
* (T313199) Added language support for Sylheti (syl).
* (T311975) Added language support for Ghanaian Pidgin (gpe).
* (T307080) Added language support for Okinawan (ryu).
* (T307887) Added language support for Mooré (mos).
* (T308813) Added language support for Nigerian Pidgin (pcm).
* (T309763) Added language support for Tai Nüa (tdd).
* (T310040) Added language support for Fante (fat).
* (T311034) Added language support for Campidanese Sardinian (sro).
* (T315406) Fix the autonym of the Iñupiaq language to "Iñupiatun".
* (T315677) Removed French fallback from the Fula language (ff).
* (T304920) In Swahili, the "Media" namespace is now "Media", as in English, and the "File" namespace is now "Faili". The old name of the "File" namespace was "Picha", and it's kept for backwards compatibility. If you manage a wiki in Swahili, and you use "Faili:" as a namespace anywhere in wikitext, and you mean to use it as "Media:", these need to be replaced to "Media:".
* (T309866) Some namespace translations were updated for Kyrgyz (ky). The old ones are retained as aliases for backwards compatibility.
* (T117845) Started the renaming of the language codes for Serbian from sr-ec and sr-el to sr-cyrl and sr-latn.
* (T295637) Add no to fallback chain of nb and nn.

=== Breaking changes in 1.39 ===

* Basic non-JavaScript (Grade C) support has been dropped for Internet Explorer 9-10, Firefox 27-38, and Android 4.3-4.4.
* The following methods, deprecated since 1.37, have been removed from IDatabase
  - ::fetchObject()
  - ::fetchRow()
  - ::numRows()
  - ::freeResult()
* Title::getDefaultNamespace(), deprecated since 1.37, has been removed.
* The DBPrimaryPos class alias 'DBMasterPos' has been removed.
* The global function wfGetLB(), deprecated since 1.27, has been removed.
* Passing a db to BlockRestrictionStore::loadByBlockId() is no longer supported. BlockRestrictionStoreFactory should be used to fetch a correct BlockRestrictionStore instead. This was deprecated since 1.38.
* The global function wfGetCache(), deprecated since 1.32, has been removed. You can use ObjectCache::getInstance() instead.
* The global function wfGetMainCache(), deprecated since 1.32, has been removed. You can use ObjectCache::getLocalClusterInstance() instead.
* MovePage::__construct() now requires that all parameters be passed. The fallback to MediaWikiServices emitted deprecation notices since 1.37.
* WikiPage::doEditContent(), deprecated since 1.32, was removed.
* WikiPage::prepareContentForEdit() now requires a UserIdentity parameter to be provided. Not providing one has been deprecated since 1.37.
* EventRelayerKafka, deprecated in 1.38, was removed.
* MediaWiki\Logger\Monolog\KafkaHandler, deprecated in 1.38, was removed.
* The "trace" option of SectionProfiler, deprecated in 1.38, was removed.
* The global function wfWikiID(), deprecated since 1.35, has been removed.
* Database::wasKnownStatementRollbackError() was removed.
  Subclasses should override isKnownStatementRollbackError() instead.
* Database::wasQueryTimeoutError() was removed. Subclasses should override isQueryTimeoutError() instead.
* Database::buildSuperlative() has been removed without deprecation.
* The following methods, deprecated in 1.37, have been removed:
  - Linker::setStubThreshold(), ::getStubThreshold().
  - LinkRendererFactory::createForUser().
  - ParserOptions::getStubThreshold(), ::setStubThreshold().
* Changes to ResourceLoader modules:
  - The mediawiki.viewport module, deprecated in 1.37 has been removed. Use IntersectionObserver instead.
* If you manage a wiki in Swahili, and you use "Faili:" as a namespace anywhere, and you mean to use it as "Media:", replace it with "Media:". See T304920.
* Changes to skins:
  - Skin::getCopyrightIcon(), ::getPoweredBy(), deprecated in 1.37 have been removed.
  - Skin::bottomScripts, deprecated in 1.37, now emits deprecation notices. Skins using SkinTemplate must set bodyOnly as a skin option and remove lines of code generating html, body and head elements.
  - Skin::makeSearchButton and Skin::makeSearchInput were deprecated in 1.38. Use SkinTemplate methods with the same name or Skin::getTemplateData instead.
  - Styles for the HTML classes `warningbox`, `errorbox` and `successbox` have been removed in favor of Html class methods.
  - The feature `legacy` used inside ResourceLoaderSkinModule, deprecated in 1.37, will no longer ship any styles.
  - Skin::getSkinStylePath, deprecated since 1.36, has been removed.
  - Skin::getPortletData has been made private.
  - SkinTemplate::getPersonalToolsList(), deprecated in 1.35 has been removed.
- The following SkinTemplate template data, deprecated in 1.37, have been removed: - poweredbyico - copyrightico - The following hooks, deprecated in 1.37, have been removed: - SkinGetPoweredBy: SkinGetPoweredByHook - The following hooks are deprecated and replaced with SkinTemplateNavigation::Universal: - SkinTemplateNavigation::SpecialPage - SkinTemplateNavigation - PersonalUrls - The mediawiki.skinning.content.externallinks module, which was deprecated in 1.36 has been removed. Skins that still rely on it will lose the icon styling of external links by type. * Experimental wiki farm support: Automatic detection of the requested site within a wiki farm based on the requested domain has been removed. Use the MW_WIKI_NAME environment variable to specify the name of the site to load configuration for. Using the WIKI_NAME environment variable for this purpose is deprecated. This is only relevant if you have been using $wgWikiFarmSettingsDirectory to load wiki farm config. * MWExceptionHandler::installHandler was marked @internal and had required arguments added. This method is intended for use in bootstrap code and is unused in known extensions. * MWException::useOutputPage was made private without deprecation. This method was apparently only public for testing and is unused in known extensions. * Calling getId() on a User or UserIdentityValue from the wrong wiki, deprecated since 1.36, now throws an exception. * The following methods have been removed from ExtensionRegistry without deprecation and without replacement. They had been introduced in 1.35 for use in the testing framework, and were not in use by any known extension: - exportAutoloadClassesAndNamespaces - exportTestAutoloadClassesAndNamespaces * The MWNamespace class, deprecated since 1.34, has been removed. Use the NamespaceInfo service instead. * The UnknownContent and UnknownContentHandler class aliases have been removed, use FallbackContent and FallbackContentHandler instead. 
* IResultWrapper::next() now returns void, to match the Iterator interface that it implements. fetchObject() has the same behavior as next() used to. * In HTMLForm HTMLAutoCompleteSelectFields, the parameters 'autocomplete' and 'autocomplete-messages', which were deprecated in MediaWiki 1.29, were removed. Instead, use 'autocomplete-data' and 'autocomplete-data-messages'. * The global $wgParser, deprecated in 1.32, was removed. Use MediaWikiServices::getInstance()->getParser() instead. * ParserOutput::setText will now set the ParserOutput's text to null if given null. Previously it did nothing if given null. * The default value for the first argument to the ParserOutput constructor is now null instead of ''. * IDatabase::lockTables() and IDatabase::unlockTables(), deprecated since 1.38, have been removed. * The $context parameter to `new HTMLForm( … )` and `HTMLForm::factory( … )` is now required. * The class alias for revision related classes in namespace MediaWiki\Storage has been removed. Classes are IncompleteRevisionException, MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException, RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord, RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and SuppressedDataException. * Calling getBy() on an AbstractBlock from the wrong wiki, deprecated since 1.38, now throws an exception. * Passing a MediaWiki\Linker\LinkTarget to EditPage::makeTemplatesOnThisPageList or TemplatesOnThisPageFormatter::format is no longer supported, a MediaWiki\Page\PageIdentity is required. * The deprecated class alias FakeConverter has been removed, use TrivialLanguageConverter instead. * The deprecated ApiQueryContributions class alias has been removed, use ApiQueryUserContribs instead. * The deprecated MediaWiki\Special\SpecialPageFactory class alias has been removed, use MediaWiki\SpecialPage\SpecialPageFactory instead. 
* The following skin modules, deprecated in 1.37, have been removed: - mediawiki.skinning.elements - mediawiki.skinning.content - mediawiki.toc.styles - mediawiki.legacy.config - mediawiki.legacy.shared - mediawiki.legacy.commonPrint * FileModule::compileLessFile(), deprecated since 1.35, has been removed. Use ::compileLessString() instead. * LogFormatter::styleRestricedElement(), deprecated since 1.37, has been removed. Use ::styleRestrictedElement() instead. * Title::isNamespaceProtected(), deprecated in 1.34, has been removed. * ApiStashEdit::parseAndStash(), deprecated in 1.34, has been removed. * LinkCache::forUpdate(), deprecated in 1.34, has been removed. * Passing null instead of a NamespaceInfo instance to LinkCache::__construct() is not supported anymore. It is recommended to request an instance from the service container. * ApiQueryBase::showHiddenUsersAddBlockInfo(), deprecated in 1.34, has been removed. Use ApiQueryBlockInfoTrait instead. * ApiQueryBase::prefixedTitlePartToKey(), deprecated in 1.35, has been removed. Use ::parsePrefixedTitlePart() instead. * ExternalStoreDB::getSlave(), deprecated in 1.34, has been removed. Use ExternalStoreDB::getReplica() instead. * ChangesListSpecialPage::checkStructuredFilterUiEnabled() and SpecialWatchlist::checkStructuredFilterUiEnabled() now support UserIdentity as the only argument. Passing Config argument was deprecated in 1.34. * DatabaseUpdater::ifNoActorTable(), deprecated in 1.35, has been removed. Use ::ifTableNotExists() instead. * MediaWiki\Revision\RevisionStoreFactory::getRevisionStore was documented to allow passing bool true as a dbDomain, this is no longer possible, because that is an invalid value for a dbDomain. * LinkHolderArray::__construct() had its signature changed. The class was marked internal in 1.35. * SpecialMute::isTargetBlacklisted(), deprecated in 1.35, has been removed. Use ::isTargetMuted() instead. * WebRequest::checkUrlExtension(), deprecated in 1.35, has been removed. 
* ContentHandler::cleanupHandlersCache(), deprecated in 1.35, has been removed. * SpecialVersion::getExtAuthorsFileName, deprecated in 1.35, has been removed. Use MediaWiki\ExtensionInfo::getAuthorsFileName. * SpecialVersion::getExtLicenseFileName, deprecated in 1.35, has been removed. Use MediaWiki\ExtensionInfo::getLicenseFileNames. * CategoryPage::getCategoryViewerClass and ::setCategoryViewerClass, deprecated in 1.35, have been removed. * SqlBlobStore::getLegacyEncodingConversionLang(), deprecated in 1.34, has been removed. * wfCanIPUseHTTPS(), deprecated in 1.37, has been removed. * wfGetScriptUrl(), deprecated in 1.35, has been removed. * The following methods of Database class, are no longer stable to override: - ::implicitOrderby() - ::selectSQLText() - ::bitNot() - ::bitAnd() - ::bitOr() - ::buildConcat() - ::buildGreatest() - ::buildLeast() - ::buildSubstring() - ::buildStringCast() - ::buildIntegerCast() - ::tableName() - ::addIdentifierQuotes() - ::buildLike() - ::limitResult() - ::unionSupportsOrderAndLimit() - ::unionQueries() - ::conditional() - ::strreplace() - ::timestamp() - ::getInfinity() - ::setTableAliases() - ::setIndexAliases() - ::buildGroupConcatField() * SpecialUnblock::processUnblock(), deprecated in 1.36, has been removed. Use UnblockUser instead. * wfLocalFile() and wfFindFile(), deprecated in 1.34, have been removed. * Maintenance script resetUserTokens.php, deprecated in 1.27, has been removed. * These methods in Database have been removed without deprecation as they are not used outside core. 
Users should override corresponding methods in SQLPlatform instead: - Database::doInsert -> SQLPlatform::insertSqlText - Database::doDropTable -> SQLPlatform::dropTableSqlText - Database::doRollback -> SQLPlatform::rollbackSqlText - Database::doSavepoint -> SQLPlatform::savepointSqlText - Database::doReleaseSavepoint -> SQLPlatform::releaseSavepointSqlText - Database::doRollbackToSavepoint -> SQLPlatform::rollbackToSavepointSqlText * The following protected methods of Database class have been removed without deprecation as they are not used outside core. Users should call corresponding methods in SQLPlatform: - Database::makeInsertLists -> SQLPlatform::makeInsertLists - Database::isFlagInOptions -> SQLPlatform::isFlagInOptions - Database::normalizeOptions -> SQLPlatform::normalizeOptions - Database::fieldNameWithAlias -> SQLPlatform::fieldNameWithAlias - Database::isTransactableQuery -> SQLPlatform::isTransactableQuery * $wgCanonicalNamespaceNames no longer includes custom namespaces defined using $wgExtraNamespaces. Extensions should use the NamespaceInfo service instead of accessing this configuration setting directly. * The following hook, deprecated in 1.35, has been removed: - ParserGetVariableValueVarCache: ParserGetVariableValueVarCacheHook * The $variableCache parameter to the ParserGetVariableValueSwitch hook is no longer used; non-standard use of this parameter has been deprecated since 1.35. * These methods have been moved from IDatabase to IMaintainableDatabase: - IDatabase::fieldExists -> IMaintainableDatabase::fieldExists - IDatabase::indexExists -> IMaintainableDatabase::indexExists - IDatabase::tableExists -> IMaintainableDatabase::tableExists * DBConnRef doesn't accept live connection in constructor anymore. Only parameters for getting connection should be provided. * IDatabase::getTopologyRootPrimary() was removed. * User::blockedBy(), deprecated since 1.38, has been removed. * User::getBlockId(), deprecated since 1.38, has been removed. 
* AlphabeticPager::getOrderTypeMessages(), unused since 1.13, has been removed without deprecation. === Deprecations in 1.39 === * PageProps::getInstance(), deprecated since 1.38, emits deprecation warnings. * The global function wfGetDB() has been deprecated. Use LoadBalancer::getConnection() instead. * SpecialRedirectWithAction::__construct without SearchEngineFactory argument will now emit a deprecation notice. * Use of the SiteStatsUpdate constructor has been deprecated in favor of the ::factory() method. * AuthManager::checkAccountCreatePermissions has been deprecated. Use AuthManager::authorizeCreateAccount or AuthManager::probablyCanCreateAccount instead. * Title::getSelectFields() has been deprecated in favor of PageStore::newSelectQueryBuilder(). * Title::newFromTitleValue(), deprecated since 1.34, now emits deprecation warnings. Use ::newFromLinkTarget() instead. * ExtensionRegistry::readFromQueue() has been marked @internal. Extensions should use ExtensionProcessor instead. * Processor::getExtraAutoloaderPaths() and ExtensionProcessor::getExtraAutoloaderPaths() have been deprecated, use getExtractedAutoloadInfo() instead. * The following global functions are deprecated in favor of the listed UrlUtils methods. - wfExpandUrl -> UrlUtils::expand - wfGetServerUrl -> UrlUtils::getServer - wfAssembleUrl -> UrlUtils::assemble - wfRemoveDotSegments -> UrlUtils::removeDotSegments - wfUrlProtocols -> UrlUtils::validProtocols - wfUrlProtocolsWithoutProtRel -> UrlUtils::validAbsoluteProtocols - wfParseUrl -> UrlUtils::parse - wfExpandIRI -> UrlUtils::expandIRI - wfMatchesDomainList -> UrlUtils::matchesDomainList These methods are exact replacements except that 1) they return null instead of false or empty string on error (where applicable); 2) UrlUtils::validProtocols does not take a parameter (documentation said not to pass one to wfUrlProtocols anyway); 3) they use type hints (don't try passing null instead of string, etc.). 
* MaintainableDBConnRef is deprecated, use DBConnRef instead. * Loading DefaultSettings.php is deprecated. To get default values of main config settings, use MainConfigSchema::listDefaultValues() or MainConfigSchema::getDefaultValue(). * AbstractContent::getRedirectChain() and AbstractContent::getUltimateRedirectTarget() are now emitting deprecation warnings (T296430). * (T244138) QueryPage::getSQL() is deprecated. Instead QueryPage::getQueryInfo() should be overridden. * Calling new JobRunner() directly without $serviceOptions now emits deprecation warnings. Use MediaWikiServices::getInstance()->getJobRunner() instead. * Passing an array of targets to Article::getRedirectHeaderHtml() is deprecated. Supply a single redirect target instead (T296430). * The following Less mediawiki.mixins have been deprecated: - .animation() - .animation-delay() - .transform-rotate() * Skin::getAction is deprecated. Use IContextSource::getActionName instead. * User::getOption, deprecated since 1.35, now emits deprecation warnings. Use UserOptionsLookup::getOption instead. * ILBFactory::forEachLB() is deprecated. Use ::getAllLBs(). * LoadBalancer::forEachOpenConnection() and ::forEachOpenPrimaryConnection() are deprecated without replacement. * The following classes were moved from the root namespace to the MediaWiki\ResourceLoader namespace, the old names becoming deprecated aliases: ResourceLoader, MessageBlobStore, VueComponentParser. 
* The following classes had the "ResourceLoader" prefix stripped while being moved to the MediaWiki\ResourceLoader namespace, the old names becoming deprecated aliases: DerivativeResourceLoaderContext, ResourceLoaderCircularDependencyError, ResourceLoaderClientHtml, ResourceLoaderCodexModule, ResourceLoaderContext, ResourceLoaderFileModule, ResourceLoaderFilePath, ResourceLoaderForeignApiModule, ResourceLoaderImage, ResourceLoaderImageModule, ResourceLoaderLanguageDataModule, ResourceLoaderLessVarFileModule, ResourceLoaderModule, ResourceLoaderMwUrlModule, ResourceLoaderOOUIFileModule, ResourceLoaderOOUIIconPackModule, ResourceLoaderOOUIImageModule, ResourceLoaderOOUIModule, ResourceLoaderSiteModule, ResourceLoaderSiteStylesModule, ResourceLoaderSkinModule, ResourceLoaderStartUpModule, ResourceLoaderUserModule, ResourceLoaderUserOptionsModule, ResourceLoaderUserStylesModule, ResourceLoaderWikiModule. * WANObjectCache::reap() and WANObjectCache::reapCheckKey() have been deprecated without replacement. * The following methods in WikiRevision and their interfaces ImportableUploadRevision and ImportableOldRevision are deprecated: - ::getUserObj() → ::getUser() - ::setUserObj() → ::setUsername() - ::setUserIP() → ::setUsername() * ObjectCache::addBusyCallback() is deprecated and non-functional. * MWTimestamp::getHumanTimestamp(), deprecated in 1.26, now emits deprecation warnings. * Article::viewRedirect(), deprecated in 1.30, now emits deprecation warnings. * Parser::getFreshParser() is deprecated, use ParserFactory::getInstance(). * CoreParserFunctions::mwnamespace() is deprecated and emits deprecation warnings, use CoreParserFunctions::namespace() instead. * Registering magic variables whose names include a colon is deprecated. * User::blockedFor(), deprecated in 1.35, now emits deprecation warnings. 
* Access to previously public properties AbstractBlock::$mExpiry, AbstractBlock::$mHideName, AbstractBlock::$mTimestamp, DatabaseBlock::$mAuto, and DatabaseBlock::$mParentBlockId, deprecated in 1.34, now emits deprecation warnings. * Access to previously public properties User::$mBlock, User::$mBlockedby, and User::$mHideName, deprecated in 1.35, now emits deprecation warnings. * JobQueueGroup::singleton() and ::destroySingletons(), deprecated in 1.37, now emit deprecation warnings. * Title::getNotificationTimestamp(), deprecated in 1.35, now emits deprecation warnings. * Global functions wfReadOnly and wfReadOnlyReason, deprecated in 1.38, now emit deprecation warnings. * Overriding or calling DifferenceEngine::getDiffBodyCacheKey(), deprecated in 1.31, now emits deprecation warnings. * Access to previously public property WikiRevision::$fileIsTemp, deprecated in 1.29, now emits deprecation warnings. * wfQueriesMustScale() has been deprecated and emits deprecation warnings. * ContextSource::getStats(), RequestContext::getStats(), and DerivativeContext::getStats(), deprecated in 1.27, now emit deprecation warnings. * ManualLogEntry::setTags(), deprecated in 1.33, now emits deprecation warnings. * WikiRevision::downloadSource(), deprecated in 1.31, now emits deprecation warnings. * DifferenceEngine::textDiff(), deprecated in 1.32, now emits deprecation warnings. * FormatMetadata::flattenArrayContentLang(), deprecated in 1.36, now emits deprecation warnings. * SkinTemplate::getNameSpaceKey(), deprecated in 1.35, now emits deprecation warnings. * EnqueueJob::newFromJobsByWiki(), deprecated in 1.33, now emits deprecation warnings. 
* The following methods of the MWGrants class, all deprecated since 1.38, are now emitting deprecation warnings: - getValidGrants - getRightsByGrant - grantName - grantNames - getGrantRights - grantsAreValid - getGrantGroups - getHiddenGrants - getGrantsLink - getGrantsWikiText * DataUpdate::runUpdates(), deprecated in 1.28, now emits deprecation warnings. * CdnCacheUpdate::newFromTitles(), deprecated in 1.35, now emits deprecation warnings. * Instantiating HTMLCacheUpdate class, deprecated in 1.34, now emits deprecation warnings. * ISQLPlatform::tableNames() (implemented by IDatabase) is now deprecated. None of the tableName*() functions should be used by most users; if you absolutely must use raw SQL, write several tableName() calls instead. * Language::isWellFormedLanguageTag() has been deprecated in favor of LanguageCode::isWellFormedLanguageTag(). * The PrevNextNavigationRenderer helper class has been deprecated in favor of the new PagerNavigationBuilder one. * The methods IndexPager::getPagingLinks(), IndexPager::getLimitLinks() and IndexPager::buildPrevNextNavigation() have been deprecated in favor of IndexPager::getNavigationBuilder(). * Overriding the method IndexPager::makeLink() has been deprecated. * ActorMigration is deprecated. The temporary table is no longer needed, the actor table can be directly joined to the revision table, which is simple enough to not need a helper class. See the methods of ActorMigration for more specific information on replacements. ActorMigrationBase remains usable for migrations in extension tables. === Other changes in 1.39 === * Dynamic default values are now applied before extension registration callbacks are run. This way, extensions have a complete view of config variables, with all defaults applied. For example, when the default value of X used to be static but becomes dynamic, and an extension reads the value of X in the registration callback, it will now continue to function as expected. 
In some cases however, this may cause an undesired change in behavior: if the dynamic default of setting X depends on the value of setting Y, and an extension changes Y, the changed value of Y will no longer affect the value of X. == Compatibility == MediaWiki 1.39 requires PHP 7.4.3 or later and the following PHP extensions: * ctype * dom * fileinfo * iconv * intl * json * mbstring * xml MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can be used instead, but support for them is somewhat less mature. The supported versions are: * MariaDB 10.3 or higher * MySQL 5.7.0 or higher * PostgreSQL 10 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.38 = == MediaWiki 1.38.7 == This is a security and maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.6 === * Localisation updates. * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1. * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (2.4.0 => 2.4.5). * (T322944) Add Authorization to default $wgAllowedCorsHeaders. * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter. 
* (T330464) Work around argument corruption bug in XMLReader::open. * (T313157) IndexPager: Also protect against $offset being 0. * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker. == MediaWiki 1.38.6 == This is a security and maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.5 === * Localisation updates. * (T325872) ChangeTags: Remove table name from condition. * (T324895) MWCallbackStream: Add explicit $stream property. * (T297031, T326039) PostgresUpdater: Move setDefault ahead of changeNullableField. * Remove /images .htaccess rules that are no longer relevant. * Disable php in .htaccess of images directory as a hardening measure. * (T322583) Include missing message parameter in message. * Fix phan error when Excimer is enabled. * (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0 * (T326021) Add matrix: to $wgUrlProtocols. * (T326377) rdbms: Use DBConnRef in SelectQueryBuilder. * api/en.json: api-help-datatype-expiry add missing 'may'. * (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase. * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code. * (T289926) SpecialRevisionDelete: Set default of '' for wpReason. * (T155582, T328503) Fix XML dumps for content types with non-string getNativeData(). * (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses. * (T329198) ParamValidator: Improve paramvalidator-help-multi-max message. * (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag. * (T295637) Add no to fallback chain of nb and nn. * (T329484) API: Fix query+allimages user parameter description. * (T330529) SpecialEditTags: Set default of '' for wpReason. * (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects. * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers. == MediaWiki 1.38.5 == This is a security and maintenance release of the MediaWiki 1.38 branch. 
=== Changes since MediaWiki 1.38.4 === * Localisation updates. * Tests: Explicit cast to int in RandomImageGenerator test (php8 warnings). * (T319000) WebInstaller: Don't try and run trim() on null. * (T318753) Installer: Disable logo dropper for now. * (T320864) When calling mail(), use an array for headers. * (T311567) In ManualLogEntry, cast the comment to string. * (T289926) api: Fix minor PHP 8.1 incompatibility in ApiOptions. * (T322803) SpecialBotPasswords: Don't pass null to trim(). * (T323082) Upgrading wikimedia/xmp-reader (0.8.1 => 0.8.5). * Language: Handle ronna and quetta. * PostgresUpdater: Remove trailing space from 'user_id ' column. * (T304515) LCStoreStaticArray: atomically replace the cache file. * (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2. * (T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot= query parameters. * (T322637) SECURITY: sqlite should not create DB file world-readable. == MediaWiki 1.38.4 == This is a maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.3 === * Fix missing use statement from backport of fix for T307278. == MediaWiki 1.38.3 == This is a security and maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.2 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T311360) RecentChange: Straight join to actor table when needed. * (T311360) RecentChange: Make join to comment table also straight. 
* Remove messages in en-gb.json. * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null. * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid. * (T312302) SpecialRedirect: Don't pass null to explode. * RemoveInvalidEmails: Fix quoting for postgres. * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen(). * (T312300) SpecialDiff: Don't pass null to explode(). * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg. * (T289926) Handle null passed to wfShorthandToInteger() and Html::element(). * (T289926) Ensure that strlen() does not get passed a (valid) null. * (T312301) SpecialDiff: Don't pass null to trim(). * Hooks: Use more meaningful name for SkinAfterPortlet hook parameter. * (T289926) Ensure we don't pass null to mb_strlen. * (T312305, T311572, T311571, T311578) HTMLForm: Null coalescence in trim() calls. * (T289926) site: Consistently return null from Site::getDomain(). * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept(). * (T304559) Use page ID from parent revision, improve logging. * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1. * Add application/vnd.ms-opentype to MIME list. * Allow composer/installers plugin in composer.json. * (T313663) Make ReadOnlyModeTest work in php8. * (T313663) Make HandlerTestTrait compatible with php8.1. * (T313663) [php8] Make DeletePageTest stop giving warnings on php8.1. * Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1. * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests. * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1. * (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource. * Fix tests so getName() doesn't return null. * (T313663) [php8] Don't use strlen on potentially null string. 
* (T313663) [php8.1] Suppress test warning about providing null. * (T313663) [php8.1] mock User::getTitleKey() in DeaultPreferencesFactoryTest. * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp. * (T313663) Add explicit null check for $sha in FileBackend [php8.1]. * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1]. * (T313663) Mock UserOptionsManager::getOption for php8.1. * (T289879, T289926) Get rid of warnings on PHP 8.1. * (T313663) Check for null return of preg_replace in MediaWikiTitleCodec. * (T313663) cast db name to string when checking if it is read only [php8.1]. * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat]. * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1]. * (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1]. * (T314096) Migrate use of ${var}-style string interpolation. * (T314099) preprocessor: Add missing field declarations. * (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null. * (T313663) [php8.1] Mock out getLocalDomainID for WatchedItemStore tests. * (T313663) Suppress warnings for the null test of addIdentifierQuotes. * (T314225) SpecialCategories: Null coalescence $par. * (T314099) User: Allow dynamic properties on PHP 8.2. * (T314404) SpecialGoToInterwiki: Null coalescence $par. * (T314397) SpecialBlock: Better handle null in getTargetUserTitle. * (T314099) phpunit: Fix trivial dynamic property usages in tests. * (T314405) UploadStash: Check if us_prop is set in the fileMetadata. * (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1. * (T313663) Do not test giving a null fragment to Title::makeTitle. * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint. * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters. * (T313663) Cast results of Sqlite test to string [php 8.1]. 
* (T314208) Set $wgServer for HttpRequestFactoryTest to prevent warnings on php8.1. * (T314208, T297082) phpunit: Fallback to global default user options. * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1. * Fix a couple deprecation warnings in the installer under PHP 8.1. * api: Add rel=nofollow to help examples. * (T307613) Validate length of user email on Special:ChangeEmail/ Special:CreateAccount. * (T314226) LoginSignupSpecialPage: Check if $value is a string before length. * (T314824) tests: Update parser test after i18n change. * (T313663, T296083) context: Replace deprecated User::getOption. * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4. * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions. * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite. * (T315892) composer.json: Pin phpunit to 8.5.28. * (T313663) Do not compare byte-for-byte of serialized items in tests [php8.1]. * objectcache: avoid php 8.1 argument type warnings in genericKeyFromComponents(). * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change. * ManualLogEntry: Don't pass null to trim() as PHP 8.1 whines. * (T313663) Add a null check VueComponentParser to prevent php8.1 issues. * (T313049) Bump wikimedia/parsoid to v0.15.1. * (T318754) WebInstallerOptions::addPersonalizationOptions(): Close fieldset. * (T318460) SpecialChangeEmail: Set default for returntoquery. * (T318307) Update docs for HTMLFormField::validate() to permit all data types. * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions. * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users. * (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name. == MediaWiki 1.38.2 == This is a security and maintenance release of the MediaWiki 1.38 branch. 
=== Changes since MediaWiki 1.38.1 === * Localisation updates. * (T309426) Repair language selector for SVGs. * (T310013) Fix default value for $wgShowEXIF and $wgUsePathInfo. * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage(). * (T308473) SECURITY: Escape contributions-title msg for use within page title. * (T311272) Call parent constructor of AddSite maintenance script first. * MediaWiki: Don't eagerly initialize action name. * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.4.1 to 7.4.5. * (T289926) Avoid passing null to trim() in SkinTemplate. * (T289879) Address deprecations for PHP 8.1. * (T311473) rollbackEdits: Pass user identity to RollbackPage. * Upgrade wikimedia/remex-html from 3.0.1 to 3.0.2. * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null. * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode(). * (T311569) FileBackend::isStoragePath() Handle being passed null. * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param. * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower(). * (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null. * Upgrade wikimedia/common-passwords from 0.3.0 to 0.4.0. == MediaWiki 1.38.1 == This is a maintenance release of the MediaWiki 1.38 branch. === Changes since MediaWiki 1.38.0 === * (T309860) Add justinrainbow/json-schema to vendor. * (T309933) Drop PHP 7.2 support in MediaWiki 1.38; require 7.3.19. == MediaWiki 1.38.0 == === Changes since MediaWiki 1.38.0-rc.1 === * Localisation updates. * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered. * (T305779) phpunit: Support setting skin context in BundleSizeTest subclasses. * (T309028) SECURITY: ApiEditPage: update title after redirects. * (T308967) notifications: prevent log spam when invalid user object listed. * composer: Lock Parsoid version to specific 0.15.0 release. 
* (T306362, T308680) change-your-logo.svg: Resize to 135px square, re-crush, and manually minify.

== MediaWiki 1.38.0-rc.1 ==

=== Changes since MediaWiki 1.38.0-rc.0 ===

* Localisation updates.
* (T305028) Undeprecate EditPage::$textbox2.
* (T305635) LogActions is a map, not a list.
* (T306721) Add wikimedia/equivset to vendor; needed by bundled AbuseFilter.
* (T307284) Simplify TransactionManager::pendingWriteQueryDuration.
* (T307307) Add symfony/yaml to vendor.
* Fix old_name in UserLogoutComplete hook.
* REST: don't send stack trace in error responses.
* (T307998) SessionManager: stop storing an ObjectFactory instance.
* (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update.

== Upgrading notes for 1.38 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.29.

Some specific notes for MediaWiki 1.38 upgrades are below:

* (T191740) The AbuseFilter extension is now bundled with MediaWiki. This is an anti-abuse feature that lets privileged users set specific actions to be taken when actions by users, such as edits or file uploads, match certain criteria.
* (T232948) The Math extension is now bundled with MediaWiki. This is a content feature that lets users create mathematical formulæ, written in a sub-set of LaTeX and rendered in MathML with a fallback SVG image. By default, it will use Wikimedia's mathoid service to render each formula, but local rendering can be set up for network isolation or performance.
* (T191743) The Minerva skin is now bundled with MediaWiki. This is a simple, light-weight, and scalable skin that is particularly optimised for mobile use, and integrates well with the MobileFrontend extension (available separately), but can also be used as a regular desktop skin.

For notes on 1.37.x and older releases, see HISTORY.
=== Configuration changes for system administrators in 1.38 ===

==== New configuration ====

* (T297708) $wgMaxExecutionTimeForExpensiveQueries - This setting can be used to control the maximum execution time for several expensive query pages (e.g. RecentChanges and UserContribs).
* $wgBrowserFormatDetection – This setting allows overriding browsers' automatic detection and handling of formats. It's initially used to prevent auto-linking of possible telephone numbers in wiki pages' output in Safari on iOS; this can be re-enabled if you wish, or locally extended for other browsers' quirks.
* (T240685) $wgMetricsTarget, $wgMetricsFormat, $wgMetricsPrefix - These provide configuration for a new MetricsFactory service with support for the dogstatsd format, intended for integration with Prometheus.
* $wgGroupInheritsPermissions – This setting allows inheriting permissions, both granted and revoked, from another group.
* $wgForeignApiRepos – ForeignAPIRepo now has an apiMetadataExpiry option to control for how long file metadata is cached. Additionally the default changed from 1 hour to 4 hours.
* $wgSkinsPreferred – This lets you set a list of preferred skins to be listed higher in Special:Preferences.
* $wgWikiFarmSettingsDirectory – A directory that contains site-specific configuration files. Setting this will enable multi-tenant ("wiki farm") mode, causing site-specific settings to be loaded based on information from the web request. EXPERIMENTAL.
* $wgWikiFarmSettingsExtension – The file extension to be used when looking up site-specific settings files in $wgWikiFarmSettingsDirectory, such as 'json' or 'yaml'. EXPERIMENTAL.
* $wgWikiFarmSiteDetector – A callback function that returns the name of the wiki for the current request. This is used in multi-tenant ("wiki farm") mode to determine which settings file to load from $wgWikiFarmSettingsDirectory. EXPERIMENTAL.
* $wgEnableRemoteBagOStuffTests – This replaces the environment variable PHPUNIT_USE_BAGOSTUFF.
* (T230211) $wgForceDeferredUpdatesPreSend – Force deferred updates to be run before sending a response to the client, instead of attempting to run them after sending the response. Setting this to true is useful for end-to-end testing, to ensure that the effects of a request are visible to any subsequent requests, even if they are made immediately after the first one. Note however that this does not ensure that database replication is complete, nor does it execute any jobs enqueued for later.
* $wgTemplateLinksSchemaMigrationStage – Templatelinks table schema migration stage, for normalizing tl_namespace and tl_title fields.

==== Changed configuration ====

* $wgStyleDirectory and $wgExtensionDirectory – These are now set later, so can no longer be used within LocalSettings.php unless explicitly set in that file.
* $wgFileBackends – This setting no longer takes 'fileJournal' as an option.
* $wgMaxImageArea - This setting may now be set to false to disable size checking before scaling. Extensions can still override its value by using the BitmapHandlerCheckImageArea hook.
* $wgAjaxUploadDestCheck – This is now deprecated, and acts as always-true.
* $wgInterwikiCache – This no longer supports the string value for CDB files.
* $wgParserOutputHooks – This is now deprecated; adjustments using this should be done with OutputPageParserOutputHook instead. (T292321)
* $wgExternalStores – This is newly documented in includes/externalstore/README.md.

==== Removed configuration ====

* $wgShellLocale - This setting has been removed as it was a flawed solution to the problem of locale dependence. MediaWiki will now always set a locale of C.UTF-8 or C and work around the remaining problems of the C locale by not using escapeshellarg. This follows the direction of PHP 8.0, which sets a locale of C by default instead of respecting LC_CTYPE.
* $wgLoggedOutMaxAge - Experiment removed, originally added in 1.35. (T293848)
* $wgIncludejQueryMigrate - Deprecated in 1.36. We only support jQuery v3.
* $wgUseCategoryBrowser - This experimental feature has been removed. If you still need to use this feature, please see [[mw:Extension:CategoryExplorer]].
* $wgStyleSheetPath - alias for $wgStylePath, deprecated since 1.3 (2004).

=== User-facing changes in 1.38 ===

* (T284921) The "auto-number headings" feature was removed following a consultation, due to performance reasons.

=== New operator/developer features in 1.38 ===

* EXPERIMENTAL: The environment variable MW_CONFIG_FILE can be used to specify the location of the settings file. This allows alternative settings files to be loaded depending on the environment. Settings files may be given as PHP files like the traditional LocalSettings.php file, or they may use JSON or YAML format. See https://www.mediawiki.org/wiki/Manual:YAML_settings_file_format
* Added a deleteUserEmail maintenance script - This file enables the deletion of a given user's associated email address. It can be helpful for privacy-preserving operations.
* The description array for constructing an HTMLForm now can use 'disable-if' to disable fields on condition easily; supported expressions are the same as 'hide-if'.
* There is a new interface, IForeignRepoWithMWApi, to allow you to mark file repos provided by an extension as supporting making API queries against the foreign file repo so that extensions like TimedMediaHandler that depend on this can stop hard-coding looking for specific class names.
* Added EXPERIMENTAL support for an easy to configure multi-tenant ("wiki farm") mode: Settings for each site can be placed in a directory specified by $wgWikiFarmSettingsDirectory. Site detection is controlled by $wgWikiFarmSiteDetector and defaults to the requested host name.
  For example, setting $wgWikiFarmSettingsDirectory = "sites" would cause the settings for wiki.example.com to be loaded from "sites/wiki_example_com.yaml".
  WARNING: YAML files under the web root may be accessible to browsers; please take appropriate measures to protect them from access via HTTP.
* Running QUnit tests for an individual test suite module is possible with `grunt qunit --qunit-component={componentName}`, where {componentName} is "MediaWiki" to run core's QUnit tests or the skin or extension name.
* The 'mediawiki.mixins' module now has a `.user-select()` Less mixin.

=== External library changes in 1.38 ===

==== New external libraries ====

* symfony/yaml was promoted from development-only.
* justinrainbow/json-schema was promoted from development-only.

==== Changed external libraries ====

* Updated OOUI from v0.42.0 to v0.43.2.
* Updated Vue from 2.6.11 to 3.2.23.
* Updated WVUI from v0.3.0 to v0.4.0.
* Updated composer/semver from 3.2.5 to 3.2.6.
* Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5.
* Updated pear/mail_mime from 1.10.9 to 1.10.11.
* Updated pear/net_smtp from 1.9.2 to 1.10.0.
* Updated psr/log from 1.1.3 to 1.1.4.
* Updated psy/psysh from 0.10.5 to 0.11.1.
* Updated symfony/polyfill-php80 from 1.23.1 to 1.25.0.
* Updated wikimedia/assert from 0.5.0 to 0.5.1.
* Updated wikimedia/cdb from 1.4.1 to 2.0.0.
* Updated wikimedia/ip-utils from 3.0.2 to 4.0.0.
* Updated wikimedia/minify from 2.2.4 to 2.2.6.
* Updated wikimedia/object-factory from 3.0.2 to 4.0.0.
* Updated wikimedia/parsoid from v0.14.0-a14 to v0.15.0.
* Updated wikimedia/purtle from 1.0.7 to 1.0.8.
* Updated wikimedia/request-timeout from 1.1.0 to 1.2.0.
* Updated wikimedia/shellbox from 2.0.0 to 3.0.0.
* Updated wikimedia/wrappedstring from 3.2.0 to 4.0.1.
* Updated wikimedia/remex-html from 3.0.1 to 3.0.2.
* Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.

===== Changed development-only external libraries =====

* Updated QUnit from 2.16.0 to 2.18.0.
* Updated composer/semver from 3.5.4 to 3.5.5.
* Updated composer/spdx-licenses from 1.5.4 to 1.5.5.
* Updated doctrine/dbal for PHP < 7.3 from 2.10.4 to 2.13.6.
* Updated doctrine/dbal for PHP >= 7.3 from 3.0.0 to 3.1.5.

==== Removed external libraries ====

* jquery.jStorage, deprecated since MW 1.28; use "mediawiki.storage" instead.

=== Action API changes in 1.38 ===

* New `deletetalk` parameter on action=delete that allows you to delete the associated talk page of a subject page.
* New `variant` parameter for all API actions, for specifying language variant (akin to the existing `variant` parameter for index.php). Task T117549.

=== Languages updated in 1.38 ===

MediaWiki supports over 400 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* (T292166) Updated namespace names for the Lombard language.
* (T299201) Changed the autonym of the Angika language to अंगिका
* (T298309) Changed the autonym of the Abkhaz language to аԥсшәа
* (T302972) Changed the autonym of the Kirundi language to ikirundi
* (T220303) Show numbered lists with Burmese numerals in relevant languages
* (T291899) Added language support for Xiang Chinese (hsn).
* (T292612) Added language support for S'gaw Karen (ksw).
* (T293656) Added language support for Farefare (gur).
* (T294729) Added language support for Pa'O (blk).
* (T296286) Added language support for Skolt Sámi (sms).
* (T296612) Added language support for Makhuwa (vmw).
* (T296707) Added language support for Ga (gaa).
* (T297073) Added language support for Nanai (gld).
* (T297074) Added language support for Nawdm (nmz).
* (T298075) Added language support for Northern Thai (nod).
* (T298182) Added language support for Cape Verdean Creole (kea).
* (T298385) Added language support for Nheengatu (yrl).
* (T299329) Added language support for Fon (fon).
* (T300474) Added language support for Nkore (nyn).
* (T302556) Added language support for Pannonian Rusyn (rsk).

=== Breaking changes in 1.38 ===

* (T291008) The IP class, deprecated since 1.35 in favor of the IPUtils library, has been removed. The IP related regexes which were also deprecated in favor of the IPUtils library were also removed; IPUtils::RE_* should be used instead.
* (T293043) The MediaWikiIntegrationTestCase class alias 'MediaWikiTestCase' has been removed.
* LinkCache::singleton(), deprecated since 1.28, has been removed.
* RepoGroup::singleton(), ::destroySingletons() and setSingleton(), all deprecated since 1.34, have been removed.
* The following methods from FileDeleteForm were removed:
  - ::__construct (the class is no longer newable)
  - ::execute()
  - ::haveDeletableFile()
  Use FileDeleteAction instead.
* MessageCache::singleton(), deprecated since 1.34, has been removed.
* LockManagerGroup::singleton() and ::destroySingletons(), both deprecated since 1.34, have been removed.
* FileBackendGroup::singleton() and ::destroySingletons(), both deprecated since 1.35, have been removed.
* TemplateParser used to support disabling the cache with a boolean parameter in its constructor. This was deprecated in 1.35 and has now been removed.
* The ArticleUndeleteLogEntry hook, deprecated in 1.37, was removed.
* The BeforeResetNotificationTimestamp hook, deprecated in 1.37, was removed.
* The global function mimeTypeMatch() has been removed without a deprecation process.
* The following JavaScript mw.config keys have been removed:
  - $wgCookiePrefix
  - $wgCookieDomain
  - $wgCookiePath
  - $wgCookieExpiration
  Use mw.cookie from the mediawiki.cookie module instead.
* The signature of PageUpdater::markAsRevert method was changed. It has never been used outside of MediaWiki core.
* If you want to use interwiki titles with HTMLTitleTextField, you now need to pass 'interwiki' => true. In 1.37, the default behavior was to let interwiki titles through by default, logging a deprecation warning.
* The `UndeleteForm::undelete` hook, deprecated in 1.37, was removed.
* BagOStuff::setDebug(), deprecated since 1.36, has been removed.
* The `jquery.mw-jump` ResourceLoader module was removed.
* The `wgForeignUploadTargets` and `wgEnableUploads` configuration values were removed from mw.config. They had previously been documented as being included for internal use by the mediawiki.ForeignUpload module.
* The `&$hasHistory` parameter to WikiPage::getAutoDeleteReason() and ContentHandler::getAutoDeleteReason() was hard-deprecated with no replacement.
* Several Skin methods, which have emitted deprecation warnings since 1.36, have been removed. These include:
  - Skin::privacyLink()
  - Skin::aboutLink()
  - Skin::disclaimerLink()
    For these, instead use Skin::footerLink() to alter footer links.
  - Skin::getLogo()
    For this, use ResourceLoaderSkinModule::getAvailableLogos() instead.
  - Skin::getIndicatorsHTML()
    For this, use Skin::getIndicatorsData() instead.
  - Skin::subPageSubtitle()
    For this, use Skin::prepareSubtitle() instead.
  - Skin::makeVariablesScript()
    For this, use ResourceLoader::makeInlineScript() instead.
  - Skin::getAllowedSkins()
  - Skin::getSkinNames()
    For these, use SkinFactory::getAllowedSkins() or ::getInstalledSkins().
  - Skin::makeUrl()
  - Skin::getSearchLink()
  - Skin::mainPageLink()
* Parser::getUser and ::mUser, as well as ParserOptions::getUser, deprecated since 1.37, have been removed.
* Parser::$mStripState, deprecated in 1.35, has been made private. Use Parser::getStripState() instead.
* The following deprecated features in blocks were removed:
  - DatabaseBlock constructor 'byText' property with blocker's name, use 'by' property with UserIdentity value instead.
  - DatabaseBlock constructor 'by' property with blocker's ID, use 'by' property with UserIdentity value instead.
  - DatabaseBlock::isWhitelistedFromAutoblocks, use ::isExemptedFromAutoblocks.
  - DatabaseBlock::setBlocker now only accepts UserIdentity.
  - AbstractBlock::getTargetAndType and ::getTarget, use ::getTargetName, ::getTargetUserIdentity and ::getType instead
* The following functions, emitting deprecations since 1.37, have been removed:
  - Title::isWatchable()
  - WatchAction::doWatchOrUnwatch(), WatchAction::doWatch(), WatchAction::doUnwatch(), WatchAction::getWatchToken()
  - User::isWatched(), User::isTempWatched(), User::addWatch(), User::removeWatch()
* ParserOptions::setTidy(), which had no effect and was deprecated since 1.35, has been removed.
* The "YAML" encoding option of EtcdConfig has been removed without deprecation.
* The constant ApiBase::PARAM_VALUE_LINKS, deprecated since 1.35, has been removed.
* UserLoadOptions, UserSaveOptions and UserResetAllOptions hooks, deprecated since 1.37, were removed.
* The experimental FileJournal system has been removed without deprecation. This includes the FileJournal abstract class, its implementation classes DBFileJournal and NullFileJournal, various minor getters and setters, and the option for the wiki configuration $wgFileBackends.
* The return values for each `bind` function in checkboxHack.js have been changed from an object to a function. In addition, the `unbind` function has been removed. A deprecation process was assumed unnecessary as there were no known usages.
* File::getUser, ::getImageSize, ArchivedFile::getRawDescription, ::getUser, ::getRawUser and ::getRawDescription, deprecated since 1.37, have been removed.
* ShellboxHttpClient class has been removed without deprecation. It was an internal class used by ShellboxClientFactory.
* The following hard deprecated User methods have been removed:
  - ::resetIdByNameCache
  - ::getStubThreshold
  - ::matchEditTokenNoSuffix
  - ::changeableByGroup
  - ::changeableGroups
  - ::isAllowUsertalk
  - ::getRights
  - ::isAllowUsertalk
  - ::isIP
  - ::isIPRange
  - ::isValidUserName
  - ::isUsableName
  - ::isCreatableName
  - ::getCanonicalName
  - ::addAutopromoteOnceGroups
  - ::getDefaultOptions
  - ::getDefaultOption
  - ::getOptions
  - ::getBoolOption
  - ::getIntOption
  - ::setOption
  - ::listOptionKinds
  - ::getOptionKinds
  - ::resetOptions
  - ::getEffectiveGroups
  - ::getAutomaticGroups
  - ::getFormerGroups
  - ::isLoggedIn
  - ::getFirstEditTimestamp
  - ::getLatestEditTimestamp
* Http::$httpEngine, deprecated since 1.34, has been removed. The only available HTTP engine is now Guzzle. CurlHttpRequest and PhpHttpRequest classes were removed.
* The UserRightsProxy class was deprecated. Pass the correct domain to UserGroupManagerFactory instead.
* Parser option enableLimitReport was deprecated. The report is now generated post-parse and can be included by providing 'includeDebugInfo' option to ParserOutput::getText. Thus, ParserOptions::enableLimitReport and ::getEnableLimitReport methods were deprecated.
* The Ajax action, deprecated in 1.27, has now been removed.
* The following methods have been removed from IDatabase without deprecation as they were completely unused:
  - ::preCommitCallbacksPending()
  - ::pendingWriteRowsAffected()
  - ::getServerUptime()
  - ::maxListLen()
* The following deprecated methods have been removed from IDatabase:
  - ::aggregateValue() soft-deprecated since 1.33
  - ::getTopologyRootMaster() since 1.37
  - ::masterPosWait() since 1.37
  - ::dataSeek() soft-deprecated since 1.37
  - ::numFields() soft-deprecated since 1.37
  - ::fieldName() soft-deprecated since 1.37
  - ::onTransactionIdle() soft-deprecated since 1.32
  - ::getMasterPos() since 1.37
* DatabaseMysqlBase::fieldType() and DatabasePostgres::fieldType(), deprecated since 1.37, have been removed.
* Database::assertIsWritableMaster(), deprecated since 1.37, has been removed.
* ResultWrapper::getInternalResult(), soft-deprecated since 1.37 and ResultWrapper::unwrap(), deprecated since 1.37, have been removed.
* Language::AS_AUTONYMS, deprecated since 1.34, has been removed. You can use the LanguageNameUtils::AUTONYMS constant instead.
* Several Language class variables deprecated in 1.35 have been removed; they are each replaced by a constant, as listed after the arrow:
  - ::$mWeekdayMsgs → WEEKDAY_MESSAGES
  - ::$mWeekdayAbbrevMsg → WEEKDAY_ABBREVIATED_MESSAGES
  - ::$mMonthGenMsgs → MONTH_GENITIVE_MESSAGES
  - ::$mIranianCalendarMonthMsgs → IRANIAN_CALENDAR_MONTHS_MESSAGES
  - ::$mHebrewCalendarMonthMsgs → HEBREW_CALENDAR_MONTHS_MESSAGES
  - ::$mHebrewCalendarMonthGenMsgs → HEBREW_CALENDAR_MONTH_GENITIVE_MESSAGES
  - ::$mHijriCalendarMonthMsgs → HIJRI_CALENDAR_MONTH_MESSAGES
* wfIncrStats, deprecated since 1.36, has been removed.
* Profiler::profileIn and ::profileOut, deprecated in 1.33, have been removed.
* IEditObject::AS_CANNOT_USE_CUSTOM_MODEL, deprecated in 1.35, was removed.
* Several protected methods in EditPage were made private. None of these was used outside of EditPage itself. Since the class is not stable to extend, this change happened without a deprecation phase.
* The following public methods in EditPage, unused externally, were made private:
  - ::getCancelLink()
  - ::isSupportedContentModel()
  - ::getParentRevId()
* EditPage::setApiEditOverride() was marked as @internal for use by ApiEditPage only.
* SelectQueryBuilder::straightJoin() was renamed to straightJoinOption().
* The following deprecated methods have been removed from ILBFactory:
  - ::beginMasterChanges() since 1.37
  - ::commitMasterChanges() since 1.37
  - ::rollbackMasterChanges() since 1.37
  - ::hasMasterChanges() since 1.37
  - ::hasOrMadeRecentMasterChanges() since 1.37
* The "groupLoadsByDB" option to LBFactoryMulti has been removed. Consider using "groupLoadsBySection" instead.
* The following methods have been removed from ILoadBalancer without deprecation as they were completely unused:
  - ::waitForOne()
  - ::allowLagged()
  - ::forEachOpenReplicaConnection()
* The following deprecated methods have been removed from ILoadBalancer:
  - ::getMasterPos() since 1.37
  - ::finalizeMasterChanges() since 1.37
  - ::approveMasterChanges() since 1.37
  - ::beginMasterChanges() since 1.37
  - ::commitMasterChanges() since 1.37
  - ::runMasterTransactionIdleCallbacks() since 1.37
  - ::runMasterTransactionListenerCallbacks() since 1.37
  - ::rollbackMasterChanges() since 1.37
  - ::flushMasterSnapshots() since 1.37
  - ::hasMasterConnection() since 1.37
  - ::hasMasterChanges() since 1.37
  - ::lastMasterChangeTimestamp() since 1.37
  - ::hasOrMadeRecentMasterChanges() since 1.37
  - ::pendingMasterChangeCallers() since 1.37
  - ::forEachOpenMasterConnection() since 1.37
  - ::waitForMasterPos() since 1.37
* LoadBalancer::safeGetLag() which has been soft-deprecated since 1.34 has been removed.
* The following properties of the EditPage class, deprecated since 1.35, were made private:
  - ::$deletedSinceEdit
  - ::$lastDelete
  - ::$mTokenOk
  - ::$mTriedSave
  - ::$incompleteForm
  - ::$tooBig
  - ::$missingComment
  - ::$missingSummary
  - ::$allowBlankSummary
  - ::$autoSumm
  - ::$mParserOutput
  - ::$hasPresetSummary
  - ::$minoredit
  - ::$watchthis
  - ::$recreate
  - ::$nosummaryparentRevId
  - ::$editintro
  - ::$scrolltop
  - ::$markAsBot
* Special:ListFiles and Special:NewFiles no longer allow searching for parts of file names (the option was not available for $wgMiserMode = true)
* DBAccessBase, deprecated since 1.37, has been removed.
* The UserNamePrefixSearch service no longer supports a UserIdentity parameter to search(); to check for a specific audience, an Authority object is required.
* The methods CoreParserFunctions::register() and CoreTagHooks::register() have been marked @internal, and had a second parameter added.
  These methods are intended for use in Parser's constructor, and are not used by any known extension.
* LoadBalancer::openConnection(), deprecated since 1.34, has been removed.
* Skin::preloadExistence has been made private. There are no known usages outside of MediaWiki core.

=== Deprecations in 1.38 ===

* The MWGrants class is deprecated in favor of the new GrantsInfo and GrantsLocalization services.
* The global functions wfReadOnly() and wfReadOnlyReason() have been deprecated in favor of the ReadOnlyMode service.
* PageProps::getInstance() has been deprecated. Use MediaWikiServices::getPageProps() instead.
* User::setOption(), deprecated since 1.35, now emits deprecation warnings.
* Linker::formatComment(), ::formatLinksInComment(), ::commentBlock() and revComment() were deprecated. Use the new CommentFormatter service.
* Several Skin methods have been deprecated.
  - Skin::setSearchPageTitle(), Skin::getSearchPageTitle(). For these, use SpecialPage::newSearchPage() or associated user preference instead.
  - Skin::getSkinStylePath now triggers deprecation warnings. Direct string path should be used instead.
  - SkinTemplate::getPersonalToolsList(), deprecated since 1.35, now emits deprecation warnings.
  - In preparation for SkinTemplate::getPortletData becoming a private function, extending the method is no longer permitted. Use SkinTemplate::getTemplateData instead.
  - SkinTemplate::buildContentNavigationUrls is now deprecated. Skins can use the runOnSkinTemplateNavigationHooks method or the SkinTemplateNavigation__Universal hook if they need access to this data.
* Usage of several template data keys in QuickTemplate is now deprecated:
  - searchaction, poweredbyico, copyrightico
* DatabaseBlock::purgeExpired(), deprecated since 1.36, now emits deprecation warnings.
* The following methods from the User class now trigger deprecation warnings:
  - ::blockedBy
  - ::getBlockId
* Content::getParserOutput and AbstractContent::fillParserOutput were hard-deprecated; use ContentRenderer::getParserOutput instead. Extensions defining a content model should override ContentHandler::fillParserOutput.
* Title::newFromIDs and TitleFactory::newFromIDs have been hard deprecated. Use a PageSelectQueryBuilder from a PageStore instead.
* Content::getRedirectChain() and Content::getUltimateRedirectTarget() have been deprecated with no replacement because support for $wgMaxRedirect will be removed completely. See T296430 for more information.
* WikiPage::getRedirectTarget() has been deprecated. Use the equivalent RedirectLookup::getRedirectTarget() instead.
* Article::doDelete() was deprecated. Use WikiPage::doDeleteArticleReal if you only need to delete the article. If you also need things to happen with OutputPage, you may want to check the hooks in DeleteAction instead.
* Instantiating the MessageContent class now emits deprecation notices.
* Message::content() now triggers deprecation warnings.
* Parser::setDefaultSort(), Parser::getDefaultSort(), and Parser::getCustomDefaultSort() now trigger deprecation warnings. Use ParserOutput::{get,set}PageProperty('defaultsort') instead.
* The following methods from the ParserOutput class now emit deprecation warnings:
  - ::hideNewSection() - use ::setHideNewSection()
  - ::preventClickjacking() - use ::{get,set}PreventClickjacking()
  - ::getProperty() - use ::getPageProperty() (return value changed)
  - ::setProperty() - use ::setPageProperty()
  - ::unsetProperty() - use ::unsetPageProperties()
  - ::getProperties() - use ::getPageProperties()
  - ::getCategoryLinks() - use ::getCategoryNames()
  - ::setCategoryLinks() - use ::setCategories()
  - ::addTrackingCategory() - use Parser::addTrackingCategory() or TrackingCategories::addTrackingCategory()
  - ::addWarning() - use ::addWarningMsg()
  - ::hasDynamicContent() - use ::hasReducedExpiry()
* The following methods from the ParserOutput class were deprecated:
  - ::getFlag() - use ::getOutputFlag()
  - ::setFlag() - use ::setOutputFlag()
  - ::getAllFlags() - this method is now marked @internal
  - ::addJsConfigVars() - use ::setJsConfigVar() or ::appendJsConfigVar()
  - ::addOutputHook() / ::getOutputHooks() - these hooks should be migrated to use the OutputPageParserOutput hook instead
* The use of ParserOutput::setExtensionData() to overwrite previous values stored under a given key has been deprecated; use the new ::appendExtensionData() to collect multiple values in the ParserOutput rather than destructively updating stored values. (T300981)
* The signatures of the following methods from the ParserOutput class were narrowed, restricting the permitted argument types:
  - ::addModules() - if you formerly passed a string, pass an array with the string as the only element.
  - ::addModuleStyles() - if you formerly passed a string, pass an array with the string as the only element.
* Access to the following public or protected properties of OutputPage was deprecated; they will be made private or removed in a future release. Use accessor functions instead.
  - ::$mCategoryLinks
  - ::$mCategories
  - ::$mIndicators
  - ::$mHeadItems
  - ::$mModules
  - ::$mModuleStyles
  - ::$mJsConfigVars
  - ::$mTemplateIds
  - ::$mEnableClientCache
  - ::$mNewSectionLink
  - ::$mHideNewSectionLink
  - ::$mNoGallery
* The following methods were deprecated; use ::setPreventClickjacking(..) instead:
  - OutputPage::preventClickjacking()
  - OutputPage::allowClickjacking()
  - ImageHistoryList::preventClickjacking()
  - ImageHistoryPseudoPager::preventClickjacking()
  - ContribsPager::preventClickjacking()
* OutputPage::enableClientCache() was deprecated, because it is universally used to do the opposite -- use OutputPage::disableClientCache() instead.
* Sanitizer::removeHTMLtags() has been deprecated. Its output can include unbalanced or ill-formed HTML and thus external callers may be misled about how to safely incorporate its output into a page. It is recommended to use the new Sanitizer::removeSomeTags() method instead, which will always return balanced HTML.
* EventRelayerKafka was deprecated. To use $wgEventRelayerConfig with Kafka, add a similar class to your code.
* MediaWiki\Logger\Monolog\KafkaHandler was deprecated. Consider using $wgMWLoggerDefaultSpi with SyslogHandler, or to use Kafka, add a similar Monolog handler class to your code.
* Collation::singleton() and ::factory() now trigger deprecation warnings.
* The following methods in MWNamespace, all deprecated since 1.34, now emit deprecation warnings:
  - isTalk()
  - exists()
  - subjectEquals()
  - getCanonicalNamespaces()
  - getCanonicalName()
  - getCanonicalIndex()
  - getValidNamespaces()
  - isContent()
  - hasSubpages()
  - getContentNamespaces()
* Return values in the parameter $pageLang of the hook PageContentLanguage with other types than a Language object, deprecated since 1.33, now emit deprecation warnings.
* Passing a db to BlockRestrictionStore::loadByBlockId() is deprecated. BlockRestrictionStoreFactory should be used to fetch a correct BlockRestrictionStore instead.
* All external access to ParserOutput and CacheTime classes properties will now emit deprecation warnings. Use getters and setters instead.
* The custom jQuery event `watchpage.mw` emitted on #ca-watch and #ca-unwatch is now deprecated in favour of the new `wikipage.watchlistChange` hook.
* The global function wfLogProfilingData() has been deprecated without a replacement. The logic has been moved to the MediaWiki class.
* The "trace" option of SectionProfiler has been deprecated.
* The PageArchive class has had several methods deprecated. The replacements are as follows:
  - Use UndeletePage instead of ::undeleteAsUser(), ::getFileStatus() and ::getRevisionStatus().
  - Use the respective methods of the new ArchivedRevisionLookup service instead of ::listRevisions, ::getRevisionRecordByTimestamp, ::getArchivedRevisionRecord, ::getPreviousRevisionRecord and ::getLastRevisionId.
  - Use ArchivedRevisionLookup::hasArchivedRevisions instead of ::isDeleted.
* PageUpdater::isUnchanged() has been deprecated, use wasRevisionCreated() instead.
* The `mediawiki.pager.tablePager` module was deprecated in favor of the more generic `mediawiki.pager.styles`.
* wfGetCache() and wfGetMainCache(), both deprecated since 1.32, now emit deprecation warnings.
* LinkCache::addGoodLinkObj() has been hard deprecated.
* ApiStashEdit::parseAndStash has been hard deprecated.
* Content::prepareSave was hard-deprecated, now emits deprecation warnings. Use ContentHandler::validateSave instead.
* The hooks LinksUpdateAfterInsert and LinksUpdateConstructed were deprecated.
* Access to all public properties in LinksUpdate was deprecated.
* The global variable $IP has been deprecated for use in application logic. It will remain available for use in LocalSettings.php for now, though $wgBaseDirectory is preferred. Application logic should use the BaseDirectory setting from the main config.
  Tests and framework code that need to function without MediaWiki being fully initialized should use the MW_INSTALL_PATH constant.
* The global function wfWikiID(), deprecated since 1.35, now emits deprecation warnings.
* AbstractBlock::getBy() now takes a wikiId as a parameter and emits deprecation warnings in case of cross-wiki accesses.
* The `button` parameter for `bindUpdateAriaExpandedOnInput` and `updateAriaExpanded` in checkboxHack.js has been deprecated. `bindToggleOnSpaceEnter` has also been deprecated in favor of `bindToggleOnEnter`.
* IDatabase::lockTables() and IDatabase::unlockTables() have been deprecated with no replacement. Instead, callers should batch updates into atomic transactions, using FOR UPDATE for SELECT queries.
* EditPage::addNewLineAtEnd() was deprecated; use TextboxBuilder::addNewLineAtEnd instead.
* EditPage::getCopywarn() was deprecated; use EditPage::getCopyrightWarning instead.
* EditPage::getCopyrightWarning() without passing a MessageLocalizer parameter has been deprecated.
* Passing the $formCallback parameter to EditPage::showEditForm, deprecated in 1.25 and previously emitting a warn notice, now emits a deprecation notice.
* EditPage::$action has been deprecated.
* The following properties in EditPage now emit deprecation notices when used from another class:
  - mArticle (use ::getArticle() instead)
  - mTitle (use ::getTitle() instead)
  - isNew (no replacement)
  - allowBlankArticle (no replacement)
  - selfRedirect (no replacement)
  - allowSelfRedirect (no replacement)
  - diff (no replacement)
  - textbox2 (no replacement)
  - undoAfter (no replacement)
  - edit (no replacement)
  - contentLength (no replacement)
* The HTMLForm methods getPreText, setPreText, addPreText, getPostText, setPostText, addPostText, getHeaderText, setHeaderText, addHeaderText, getFooterText, setFooterText and addFooterText have been renamed to getPreHtml, setPreHtml, addPreHtml, getPostHtml, setPostHtml, addPostHtml, getHeaderHtml, setHeaderHtml, addHeaderHtml, getFooterHtml, setFooterHtml and addFooterHtml respectively.
* The FormSpecialPage methods preText and postText have been renamed to preHtml and postHtml respectively.
* Article::doDelete, deprecated in 1.37, now emits deprecation notices.
* The following Less mediawiki.mixins have been deprecated:
  - .background-image()
  - .list-style-image()
* Category::getPageCount now takes a parameter. Category::COUNT_ALL_MEMBERS returns the count of all members, while Category::COUNT_CONTENT_PAGES returns that of content pages. For the former behavior, use Category::getMemberCount().
* Using `new HTMLForm( … )` or `HTMLForm::factory( … )` without the $context parameter is now deprecated.
* BagOStuff::incr() and BagOStuff::decr() are now deprecated.
* Action::exists() and ActionFactory::actionExists() are deprecated, use (bool)ActionFactory::getAction().
=== Other changes in 1.38 ===

* The following things were changed in the file deletion form:
  - The name and ID of the submit button are now `wpConfirmB`, not `mw-filedelete-submit`
  - The ID of the form is now `deleteconfirm`, not `mw-img-deleteconfirm`
  - The `mw-filedelete-editreasons` class was replaced with `mw-delete-editreasons`
  The goal of these changes is to make the HTML more similar to that of normal page deletion.
* ParserOptions created with ::newFrom* or ::newCanonical are now identical.
* MediaWiki initialization order has been changed to load vendor autoload earlier. This means that extensions that are installed via composer and execute code upon autoloading cannot depend on any MediaWiki classes, constants or globals in that code.
* The source of truth for configuration defaults is now the MainConfigSchema class. DefaultSettings.php still exists for backwards compatibility. A PHP file generated for optimized loading will be used in Setup.php to initialize configuration variables. Setup.php can be made to load DefaultSettings.php as before by setting MW_USE_LEGACY_DEFAULT_SETTINGS as an environment variable (e.g. via SetEnv in htaccess) or a PHP constant (e.g. via auto_prepend_file in php.ini).

== Compatibility ==

MediaWiki 1.38 requires PHP 7.3.19 or later and the following PHP extensions:

* ctype
* dom
* fileinfo
* iconv
* intl
* json
* mbstring
* xml

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature.
The supported versions are: * MySQL 5.5.8 or later * PostgreSQL 9.4 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.37 = == MediaWiki 1.37.6 == This is a maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.5 === * Fix missing use statement from backport of fix for T307278. == MediaWiki 1.37.5 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.4 === * Localisation updates. * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null. * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid. * (T312302) SpecialRedirect: Don't pass null to explode. * RemoveInvalidEmails: Fix quoting for postgres. * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen(). * (T312300) SpecialDiff: Don't pass null to explode(). * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg. * (T289926) Handle null passed to wfShorthandToInteger() and Html::element(). * (T289926) Ensure that strlen() does not get passed a (valid) null. * (T312301) SpecialDiff: Don't pass null to trim(). 
* Hooks: Use more meaningful name for SkinAfterPortlet hook parameter. * (T289926) Ensure we don't pass null to mb_strlen. * (T312305, T311572, T311571, T311578) HTMLForm: Null coalescence in trim() calls. * (T289926) site: Consistently return null from Site::getDomain(). * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept(). * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1. * Add application/vnd.ms-opentype to MIME list. * Allow composer/installers plugin in composer.json. * Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1. * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests. * (T313663) parser: Mock WikiPage::getContentModel in ParserCacheTest to fix php8.1. * (T313663) [php8.1] Make WikiImporterFactoryTest use better mock for ImportSource. * Fix tests so getName() doesn't return null. * (T313663) [php8] Don't use strlen on potentially null string. * (T313663) [php8.1] Suppress test warning about providing null. * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp. * (T313663) Add explicit null check for $sha in FileBackend [php8.1]. * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1]. * (T313663) Mock UserOptionsManager::getOption for php8.1. * (T289879, T289926) Get rid of warnings on PHP 8.1. * (T313663) Check for null return of preg_replace in MediaWikiTitleCodec. * (T313663) cast db name to string when checking if it is read only [php8.1]. * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat]. * Fix a couple deprecation warnings in the installer under PHP 8.1. * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1]. * (T313663) Mock User::getTitleKey in SpecialPreferencesTest [php 8.1]. * (T314096) Migrate use of ${var}-style string interpolation. * (T314099) preprocessor: Add missing field declarations. 
* (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null.
* (T314225) SpecialCategories: Null coalescence $par.
* (T314099) User: Allow dynamic properties on PHP 8.2.
* (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
* (T314099) phpunit: Fix trivial dynamic property usages in tests.
* (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
* (T313663) Make ChangesListSpecialPageTest cast to string for php 8.1.
* (T313663) Do not test giving a null fragment to Title::makeTitle.
* (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
* (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
* api: Add rel=nofollow to help examples.
* (T307613) Validate length of user email on Special:ChangeEmail/Special:CreateAccount.
* (T314226) LoginSignupSpecialPage: Check if $value is a string before length.
* (T314824) tests: Update parser test after i18n change.
* (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
* (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions.
* (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
* (T315892) composer.json: Pin phpunit to 8.5.28.
* (T313049) Bump wikimedia/parsoid to v0.14.2.
* (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change.
* (T318079) SpecialEditTags: Set default value of wpTagsToRemove to empty array.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T318307) Update docs for HTMLFormField::validate() to permit all data types.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message "alreadyrolled" can leak revision deleted user name.
== MediaWiki 1.37.4 == This is a maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.3 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor. * (T296435, T297669) cache: Add four fields to LinkCache::getSelectFields. == MediaWiki 1.37.3 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.2 === * Localisation updates. * (T289879) Type hints for ArrayAccess and JsonSerializable. * (T304783) TemplateParser: avoid warnings when called by NoLocalSettings. * Rebuilt vendor with composer 2.3.3. * Fix old_name in UserLogoutComplete hook. * (T289879) Address some deprecations for PHP 8.1. * (T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update. * (T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs triggered. * (T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1. * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage(). * (T308473) SECURITY: Escape contributions-title msg for use within page title. * (T311272) Call parent constructor of AddSite maintenance script first. * MediaWiki: Don't eagerly initialize action name. * Updated wikimedia/shellbox from v2.0.0 to v2.1.1. * (T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5. * (T289926) Avoid passing null to trim() in SkinTemplate. * (T311473) rollbackEdits: Pass user identity to RollbackPage. 
* (T307282) Avoid passing null to strcasecmp(), for PHP 8.1. * (T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null. * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode(). * (T311569) FileBackend::isStoragePath() Handle being passed null. * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param. * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower(). * (T281741) ChangeTags: Fix adding CSS classes for hidden tags. * (T296642) changetags: Fix management of a '0' tag. * (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null. * (T303033) Handle null in ChangeTags::modifyDisplayQuery. * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0. == MediaWiki 1.37.2 == This is a security and maintenance release of the MediaWiki 1.37 branch. === Changes since MediaWiki 1.37.1 === * (T298261) Fix support for Composer 2.2. * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins. * Update doctrine/dbal (3.0.0 => 3.1.5). * (T296898) Add entry point name to disabled Session exception if possible. * (T298564) MemcachedClient: Add support for IPv6. * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete. * (T289956) WatchAction: Fix bug that prevents showing proper success message in the noscript fallback mode. * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader(). * (T283275) Fix PHP 8.0 failure of RefreshSecondaryDataUpdateTest. * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest. * (T275673) objectcache: Avoid getCurrentTime() call in MapCacheLRU::has(). * (T275673) objectcache: split up MapCacheLRU::getAge() to avoid conditional overhead. * Fix the json schema and the extension processor for Parsoid extension modules. * (T299696) update.php: Avoid passing null to substr. * (T195807, T256401) Fix signature of DatabasePostgres::buildGroupConcatField. 
* In PHP 8.1 don't throw exceptions from mysqli.
* (T289926) SiteConfiguration: Don't pass null to str_replace().
* (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
* (T260735) Stop using is_resource() where possible.
* (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces.
* (T299312) Implement __serialize/__unserialize for PHP 8.1 support.
* ExtensionRegistry: Add process cache for lazy attributes.
* (T301041) ApiPageSet: Add "missing": true to missing revisions.
* Allow ParsoidModules extension schema to register services.
* (T300462) SpecialUndelete: Do not show empty comments as deleted.
* (T297708) Allow setting max execution time to several special pages.
* (T205349) LinkCache: Try invalidating cache before throwing.
* (T302540) composer.json: Add ext-calendar to require.
* (T302540) composer.json: Add ext-simplexml to require-dev.
* (T302540) composer.json: Add various PHP extensions to suggests.
* Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
* (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning.
* (T293576) listFiles: Display file name instead of version.
* (T303871) Fix @since of Title::getId().
* (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
* wrapOldPasswords: add \n to two output calls.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.
* (T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on an extremely large number of other pages.

== MediaWiki 1.37.1 ==

This is a security and maintenance release of the MediaWiki 1.37 branch.

=== Changes since MediaWiki 1.37.0 ===

* (T296112) Allow inserting new sections named '0'.
* Fix path for ZhConversion.php.
* nukeNS: don't run purgeRedundantText() after every change.
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField method. * (T225888) RollbackAction: fix missing pagetitle. * (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions. * (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback. * (T34716, T297416) SECURITY: Require 'read' right for most actions. * (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model. == MediaWiki 1.37.0 == === Changes since MediaWiki 1.37.0-rc.2 === * Remove justinrainbow/json-schema from vendor. * Updated pear/mail_mime from 1.10.9 to 1.10.11. * Update deprecated Guzzle Psr7 function calls. * (T281972) UserIdentityValue: Correct @since tags. * Updated wikimedia/parsoid from v0.14.0-a19 to v0.14.0. * Localisation updates. * Tweak error message for missing composer dependencies. == MediaWiki 1.37.0-rc.2 == === Changes since MediaWiki 1.37.0-rc.1 === * (T295173) Re-add wikimedia/normalized-exception to vendor. * Remove wikimedia/testing-access-wrapper, psr/simple-cache, psr/http-factory from vendor. * (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set. * (T212428) Allow populateContentTables to continue when there are bad blobs. == MediaWiki 1.37.0-rc.1 == === Changes since MediaWiki 1.37.0-rc.0 === * (T294043) checkStorage: pass no parameters to WikiRevision::getContent(). * (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion results. * (T293783) ApiQueryImageInfo: don't show empty comments as deleted. * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode". * (T294796) JobQueueRedis: Replace deprecated zSize with zCard. * Remove duplicate settings from DefaultSettings. * (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser. == MediaWiki 1.37.0-rc.0 == == Upgrading notes for 1.37 == Don't forget to always back up your database before upgrading! 
See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.27.

Some specific notes for MediaWiki 1.37 upgrades are below:

* (T280806) Deprecated methods of fetching API tokens have been removed. This may cause older bots and scripts to fail. Most queries are trivially updateable to using new methods. See the Action API changes section below for more information.

For notes on 1.36.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.37 ===

* (T242768) The PasswordCannotMatchUsername password policy has been removed, please use PasswordCannotBeSubstringInUsername instead. If you have not customised your password policies, there will be nothing to do here.

==== New configuration ====

* $wgBrowserFormatDetection - This setting allows the enabling or disabling of automatic detection of possible phone numbers in a webpage in iOS Safari.
* $wgParserEnableLegacyMediaDOM - This setting defaults to true, and enables the legacy media HTML structure in the output from the Parser. The alternative modern HTML structure for media is described at
  https://www.mediawiki.org/wiki/Parsing/Media_structure
  In a future release of MediaWiki this option will default to false, so it's a good idea to test this setting on your wiki early and report any issues.

==== Changed configuration ====

* $wgContentHandlerTextFallback - This migration setting, which defines how to react if a plain text version of a non-text Content object is requested using ContentHandler::getContentText(), is deprecated.
* $wgActions – This setting lets sysadmins over-ride which actions can be used. It has been re-worked to support injecting dependencies into Action sub-classes as part of wider work on dependency injection.
  Previously, $wgActions was an array where the keys were the names of actions, and the values had the following impacts (for a given key 'Foo'):
  - `true`: use the class 'FooAction' unless for a specific page WikiPage::getActionOverrides() wants to override that action
  - a string: use the class with that name, and do not allow over-riding on a per-page basis
  - `false`: the action is disabled
  - a callable: use the Action instance returned by invoking that callback, and do not allow overriding on a per-page basis
  - an object: use that specific Action instance, and do not allow overriding on a per-page basis.
  As part of T253078, values can now be arrays that are not callables, which are treated as ObjectFactory specs, allowing for services to be injected. Additionally, the distinction between values that allow per-page overrides and those that do not was removed - all actions can now be overridden on a per-page basis using WikiPage::getActionOverrides().
* $wgShellboxUrl – This setting, new in 1.36 to configure the novel Shellbox encapsulation system, is now deprecated; use $wgShellboxUrls as a mapping of service => URL instead.
* $wgIncludejQueryMigrate – This setting, introduced in 1.29 to control whether to provide a migration layer for jQuery, has now switched its default value from true to false. This may break gadgets that depended on methods that were removed in jQuery 3 in 2017. See T280944 for more information.
* A number of settings have been renamed.
The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which might try to read them: - $wgFileBlacklist is now $wgProhibitedFileExtensions - $wgMimeTypeBlacklist is now $wgMimeTypeExclusions - $wgEnableUserEmailBlacklist is now $wgEnableUserEmailMuteList - $wgShortPagesNamespaceBlacklist is now $wgShortPagesNamespaceExclusions * $wgMimeTypeExclusions - As well as being renamed, this configuration array now also prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types. * $wgFragmentMode - This setting, which determines the encoding of section IDs, has now switched its default value from legacy-first to html5-first: both the HTML5 anchor and the legacy percent-encoding-style anchor will still be generated for section titles, but references to them will use the HTML5 version, resulting in human-readable fragments. ==== Removed configuration ==== * $wgLegacyJavaScriptGlobals, deprecated in 1.36. * (T274695) $wgAjaxEditStash, deprecated in 1.36. * $wgShowDBErrorBacktrace, deprecated and non-functional since 1.32. * $wgShowSQLErrors, deprecated and non-functional since 1.32. * $wgLangObjCacheSize, without deprecation; the LanguageFactory service now always retains at most 10 objects in its LRU-cache. * $wgDjvuToXML, without deprecation; the tool it enables is obsolete and abandoned upstream. Use $wgDjvuDump to use that tool instead. === New user-facing features in 1.37 === * (T161934) MediaWiki now supports JPEG2000 files, to a limited extent. === External library changes in 1.37 === ==== New external libraries ==== * Added symfony/polyfill-php80 1.23.1. * Added whatwg-fetch 3.6.2. * Added wikimedia/normalized-exception 1.0.1. 
==== Changed external libraries ==== * Updated OOjs from v5.0.0 to v6.0.0 * Updated OOjs-Router from v0.2.0 to v0.3.0 * Updated OOUI from v0.41.3 to v0.42.0 * Updated WVUI from v0.1.0 to v0.3.0 * Updated cssjanus/cssjanus from v1.3.0 to v2.1.0. * Updated pear/mail_mime from 1.10.9 to 1.10.11. * Updated psr/container from v1.0.0 to v1.1.1. * Updated wikimedia/minify from v2.2.2 to v2.2.4. * Updated wikimedia/object-factory from v3.0.0 to v3.0.2. * Updated wikimedia/parsoid from v0.13.1 to v0.14.1. * Updated wikimedia/relpath from v2.1.1 to v3.0.0. * Updated wikimedia/remex-html from v2.3.1 to v2.3.2. * Updated wikimedia/shellbox from v1.0.4 to v2.1.1. * Updated wikimedia/wait-condition-loop from v2.0.1 to v2.0.2. * Updated zordius/lightncandy from v1.2.5 to v1.2.6. * Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5. * Updated wikimedia/common-passwords from 0.3.0 to 0.4.0. ===== Changed development-only external libraries ===== * Updated qunit from 2.10.0 to 2.16.0. ==== Removed external libraries ==== * The pimple/pimple development-only library has been removed. === Action API changes in 1.37 === * (T280806) The API methods for fetching tokens which were deprecated in MediaWiki 1.24 have been removed. action=query&meta=tokens&type= should be used instead. Please note some token types no longer exist, and you should just use type=csrf for those instead. - action=query&prop=info&intoken -> action=query&meta=tokens&type=csrf - action=tokens&type= -> action=query&meta=tokens&type= - action=query&list=recentchanges&rctoken -> action=query&meta=tokens&type=csrf - action=query&prop=revisions&rvtoken=rollback -> action=query&meta=tokens&type=rollback - action=query&meta=userinfo&uiprop=preferencestoken -> action=query&meta=tokens&type=csrf - action=query&list=users&ustoken=userrights -> action=query&meta=tokens&type=userrights === Languages updated in 1.37 === MediaWiki supports over 350 languages. Many localisations are updated regularly. 
Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports. * (T280435) LRM and RLM characters were removed from names of languages with parentheses in Names.php * (T283422) Add namespace name translations and change the autonym of the Kinyarwanda language to "Ikinyarwanda". * (T283423) Change the autonym of the Lombard language from "lumbaart" to "lombard". * (T279619) Added language support for Dagbani (dag). * (T282085) Added language support for Malay in Arabic (Jawi) script (ms-arab). * (T283053) Added language support for Ojibwe (ojb). * (T283480) Added language support for Wallisian (wls, Fakaʻuvea). * (T284002) Added language support for Paiwan (pwn). * (T284044) Added language support for Carpathian Romani (rmc). * (T286460) Added language support for Gun (guw, Gungbe). * (T287345) Added language support for Baoulé (bci). * (T290126) Added language support for Kildin Sami (sjd). * (T290408) Added language support for Pite Sami (sje). * (T25216) Started the renaming of the language code for Norman from nrm to nrf. === Breaking changes in 1.37 === * The Revision class, emitting deprecation warnings since 1.35, was removed entirely. 
As part of this, the following hooks that included a Revision object were removed: - ArticleRevisionUndeleted - use RevisionUndeleted - ArticleRollbackComplete - use RollbackComplete - DiffRevisionTools - use DiffTools - DiffViewHeader - use DifferenceEngineViewHeader - HistoryRevisionTools - use HistoryTools - NewRevisionFromEditComplete - use RevisionFromEditComplete - PageContentInsertComplete - use PageSaveComplete - PageContentSaveComplete - use PageSaveComplete - ParserFetchTemplate - use BeforeParserFetchTemplateRevisionRecord - RevisionInsertComplete - use RevisionRecordInserted - TitleMoveComplete - use PageMoveComplete - TitleMoveCompleting - use PageMoveCompleting - UndeleteShowRevision - no replacement - UserRetrieveNewTalks - no replacement … the following methods and variables have been removed: - Article::$mRevision - Article::getRevisionFetched() - ContribsPager::tryToCreateValidRevision() - EditPage::$mBaseRevision - EditPage::getBaseRevision() - LinksUpdate::getRevision() - LinksUpdate::setRevision() - PageArchive::getArchivedRevision() - PageArchive::getPreviousRevision() - PageArchive::getRevision() - Parser::$mRevisionObject - Parser::fetchCurrentRevisionOfTitle() - Parser::getRevisionObject() - Parser::statelessFetchRevision() - ParserOptions::getCurrentRevisionCallback() - ParserOptions::setCurrentRevisionCallback() - Title::countAuthorsBetween() - Title::getFirstRevision() - User::getNewMessageLinks() - User::getNewMessageRevisionId() - User::setNewtalk() - WikiPage::getOldestRevision() - WikiPage::getRevision() - WikiPage::getUndoContent() - WikiPage::updateIfNewerOn() … and the following methods no longer accept Revision objects as parameters: - CategoryMembershipChange::__construct() - ContentHandler::getUndoContent() - DerivedPageDataUpdater::prepareUpdate() - DifferenceEngine::getRevisionHeader() - Linker::buildRollbackLink() - Linker::generateRollback() - Linker::getRevDeleteLink() - Linker::getRollbackEditCount() - 
Linker::revComment() - Linker::revUserLink() - Linker::revUserTools() - WikiPage::doDeleteUpdates() - WikiPage::doEditUpdates() - WikiPage::hasDifferencesOutsideMainSlot() - WikiPage::onArticleEdit() - WikiPage::prepareContentForEdit() - WikiPage::updateRevisionOn() The following methods return arrays that formerly included a 'revision' key that would emit deprecation warnings when accessed and return a Revision object. The Revision object has been removed from the arrays, and the 'revision-record' key should be used to get the relevant RevisionRecord instead: - PageUpdater::doCreate() - PageUpdater::doModify() - Parser::statelessFetchTemplate() - WikiPage::doEditContent() Finally, the ParserOptions `templateCallback` option is a callback that is called in Parser::fetchTemplateAndTitle() and should return an array - the 'revision' key to that array used to be a Revision object and was used if no 'revision-record' was returned - is now ignored. * Previously, the classes RevisionTestModifyableContent and RevisionTestModifyableContentHandler were loaded for use in tests, but were only used within the tests for the since-removed Revision class. This content and content handler class were removed without deprecation. * WANObjectCache::HOLDOFF_NONE, deprecated since 1.35, was removed. Use WANObjectCache::HOLDOFF_TTL_NONE instead. * Calling ResourceLoader::makeVersionQuery() without $modules parameter, deprecated since MediaWiki 1.34, is no longer supported. * LocalFile::recordUpload2(), deprecated since 1.35, was removed. 
* The following methods and fields in the Language class, deprecated since 1.35, have been removed:
  - ::classFromCode()
  - ::clearCaches()
  - ::convertTitle()
  - ::findVariantLink()
  - ::$mConverter
  - ::updateConversionTable()
* The following methods in the Parser class have been removed after having been deprecated in 1.35:
  - fetchTemplate()
  - Title()
* (T273354) When an edit is prevented by an 'EditFilterMergedContent' hook handler without changing the status, the edit form will now be displayed.
* User::clearNotification() which had been deprecated in 1.35 has been removed. Use WatchlistManager::clearTitleUserNotification() instead.
* User::getNewtalk() which had been deprecated in 1.35 has been removed. Use TalkPageNotificationManager::userHasNewMessages() instead.
* The Autopromote class, deprecated since 1.35, was removed. Use UserGroupManager instead.
* The CachedAction, SpecialCachedPage, CacheHelper, and ICacheHelper classes, all emitting deprecation warnings since 1.36, have been removed.
* The hooks BeforeHttpsRedirect, CanIPUseHTTPS and UserRequiresHTTPS, deprecated in 1.35, were removed.
* The TitleArrayFromResult hook, deprecated in 1.36, was removed.
* The deprecated "es6-promise" alias ResourceLoader module has been removed. Use the "es6-polyfills" module directly instead.
* The deprecated "mediawiki.legacy.protect" ResourceLoader module, deprecated since 1.36, has been removed. Use "mediawiki.action.protect" instead.
* The JavaScript alias $j for references to jQuery, deprecated since 1.23, has been removed. Use $ instead.
* The AuthenticationProvider interface and the SessionProvider class no longer extend the PSR LoggerAwareInterface concept, so they can't be typehinted as LoggerAwareInterface.
* User::getGrantName(), emitting deprecation warnings since 1.36, has been removed. Use MWGrants::grantName() instead.
* The following ApiBase methods, deprecated since 1.35, have been removed: - ApiBase::explodeMultiValue - ApiBase::parseMultiValue - ApiBase::validateLimit - ApiBase::validateTimestamp * The User::idCacheByName() public static field was removed without deprecation. Instead of using it, get a UserIdentity by name from the UserIdentityLookup service. * IDatabase::upsert() and IDatabase::replace() now only accept a single unique key. Previously, a warning was issued if there were multiple unique keys provided. * The MediaWiki:Autoblock_whitelist block exemption control was moved in 1.36 to MediaWiki:Block-autoblock-exemptionlist. The backward-compatibility of reading the old MediaWiki:Autoblock_whitelist page has now been dropped. * The following overridable methods in File hierarchy have changed signatures: - File::deleteFile() - now accepts UserIdentity instead of User - File::getDescription() - now accepts Authority instead of User - File::userCan() - now accepts Authority instead of User - LocalFile::deleteOldFile() - now accepts UserIdentity instead of User * The following global methods, each deprecated since 1.36, have been removed: - wfAppendToArrayIfNotDefault() - wfAcceptToPrefs() - wfConfiguredReadOnlyReason() - wfDebugMem() - wfGetPrecompiledData() - wfNegotiateType() * The following deprecated methods of the Title class have been removed: - ::nameOf(), deprecated in 1.36 - ::getPreviousRevisionID(), deprecated in 1.34 - ::getNextRevisionID(), deprecated in 1.34 - ::getEarliestRevTime(), deprecated in 1.35 * UploadBase::stashFile(), deprecated since 1.28, was removed. * wfGetRusage(), deprecated since 1.35, has been removed. 
* The following CLI options were removed from tests/phpunit.php: - use-filebackend - use-jobqueue - use-bagostuff The following options (inherited from Maintenance) were also removed: - conf - dbuser - dbpass - dbdefaultgroup - globals - memory-limit - profiler - server The following options were changed to environment variables: - wiki => PHPUNIT_WIKI - use-normal-tables => PHPUNIT_USE_NORMAL_TABLES - use-filebackend => PHPUNIT_USE_FILEBACKEND - use-bagostuff => PHPUNIT_USE_BAGOSTUFF - use-jobqueue => PHPUNIT_USE_JOBQUEUE This is so that we can use the default PHPUnit entry point (T90875). * The PHPUNIT_REUSE_DB / --reuse-db option was removed from the phpunit.php runner. It had been broken for at least three years already. The original use case was speeding up tests on Oracle, but Oracle support was dropped several releases ago. * The MediaWikiPHPUnitTest__endTestHook and MediaWikiPHPUnitTest__startTestHook PHPUnit hooks were removed. MediaWikiHooksPHPUnitExtension was also removed. * EntryPoint::getTextFormatters() was made private without a deprecation period; it had no known external callers. * DatabaseBlock::chooseBlock(), deprecated since 1.35, was removed. * SpecialPageFactory::getRestrictedPages(), deprecated since 1.36, was removed. * SpecialBlock::validateTarget(), deprecated since 1.36, was removed. * The PatchFileLocation trait was removed without deprecation. * ActorMigrationBase::getExistingActorId() and ::getNewActorId(), emitting deprecation warnings since 1.36, were removed. * Hook handlers implementing the MediaWikiServicesHook hook are now prohibited from having services injected. This is because by definition, this hook runs before the service container is fully initialized. * The protected property LocalFile::$metadata was removed without deprecation. * WatchedItem::getUser(), emitting deprecation warnings since 1.36, has been removed. * AuthManager::singleton(), emitting deprecation warnings since 1.36, has been removed. 
* The AugmentPageProps class was removed without deprecation. It had no known uses. * Html::infobox(), deprecated since 1.36, was removed. * ParserOptions::__construct() now requires that the first parameter is a UserIdentity object - passing `null` used to fallback to the global $wgUser but was deprecated since 1.36. * ParserOptions::newCanonical() no longer supports the first parameter being null (or omitted entirely), which would fallback to the global $wgUser but was deprecated since 1.35. * The SkinTemplatePreventOtherActiveTabs hook, deprecated in 1.35, was removed entirely. * The SkinTemplateTabAction hook, deprecated in 1.35, was removed entirely. * The SkinTemplateBuildNavUrlsNav_urlsAfterPermalink hook, deprecated in 1.35, was removed entirely. * The SkinTemplateToolboxEndHook, deprecated in 1.35, was removed entirely. * The following methods of RevisionStore class, formerly emitting deprecation warnings, were removed: - ::newMutableRevisionFromArray() - ::loadRevisionFromPageId() - ::loadRevisionFromTitle() - ::loadRevisionFromTimestamp() - ::listRevisionSizes() * LogEntry::getPerformer(), deprecated since 1.36, was removed along with methods in sub-classes: DatabaseLogEntry, ManualLogEntry, RCDatabaseLogEntry. * Skin::getRelevantUser() now returns an instance of UserIdentity, and not necessarily a User object. There are no known usages in the MediaWiki ecosystem that were not satisfied with UserIdentity. * Direct construction of MergeHistory class, deprecated since 1.35, is no longer supported. Use MergeHistoryFactory instead. MergeHistory::checkPermissions, deprecated since 1.36, was removed. * Skin::generateDebugHTML(), deprecated since 1.35, was removed. Call MWDebug::getHTMLDebugLog() directly. * The ApiTestCase class no longer interacts with the global $wgUser. 
Previously, the global variable was set at the start of each test, and in ApiTestCase::doApiRequest() if a performer was specified $wgUser was updated to match, and if no performer was specified $wgUser was used instead. Now, $wgUser is not updated, and if no performer is specified the reusable TestUser object for the sysop is relied on. Extensions or skins that rely on the global $wgUser variable (which has been deprecated since 1.35) should instead retrieve the acting user from the relevant context source. * SkinTemplate::makeArticleUrlDetails(), deprecated since 1.35, was removed. * Skin::makeNSUrl(), deprecated since 1.35, was removed. * Skin::getRevisionId(), deprecated since 1.34, was removed. Use OutputPage::getRevisionId() instead. * Skin::isRevisionCurrent(), deprecated since 1.34, was removed. Use OutputPage::isRevisionCurrent() instead. * AbstractBlock::parseTarget(), deprecated since 1.36, was removed. * The ArticleEditUpdates hook, deprecated since 1.35, was removed. * The `@stable to extend` class CentralIdLookup has the following changes: - The protected ::checkAudience() method now returns an Authority instead of a User instance. - A number of its `@stable to override` methods now accept an Authority instead of a User instance as the $audience parameter. - A number of methods now accept a UserIdentity instead of their User parameter. - The ::localUserFromCentralId() method now returns UserIdentity and not necessarily a User object. All extensions that extend this class or use this method were updated to be ready for the new behavior. * WatchedItemStoreInterface::enqueueWatchlistExpiryJob(), deprecated since 1.36, was removed. * ResultWrapper is now abstract. It cannot be directly constructed (T286694). * The SecondaryDataUpdates hook, deprecated in 1.32, was removed entirely. * Content::getDeletionUpdates() was removed. Use ContentHandler::getDeletionUpdates() instead. * Content::getSecondaryDataUpdates() was removed. 
Use ContentHandler::getSecondaryDataUpdates() instead. * wfDiff(), deprecated since 1.25, has been removed. * Language::$mLangObjCache, deprecated since 1.35, was removed. * Language::$transformData, deprecated since 1.35, was removed. * Language::transformUsingPairFile() was marked @internal. Its deprecated parameters are no longer supported. * SpecialMute::getTarget(), unused outside of the SpecialMute class, was made private. * The Skin::setupSkinUserCss() method, deprecated in 1.32, was removed. Please use skin registration instead. * The ResourceLoaderSkinModule `legacy`, `content` and `content-thumbnails` features were deprecated. Skins should instead select from the features listed on [[mw:Manual:ResourceLoaderSkinModule]]. * ParserCache::getKey() and ::getEtag(), deprecated since 1.36, were removed. * The BaseTemplateToolbox hook, deprecated since 1.35, was removed. * Previously a capitalize-all-nouns class was added to the body element of languages where nouns must be capitalized. This class is no longer added to the body tag and must be provided by skins. * The SkinTemplateOutputPageBeforeExec hook, deprecated since 1.35, was removed. * Calling Message::toString() without a parameter, which triggered deprecation warnings since 1.36, is no longer supported. You can instead use the explicit formatting methods directly, such as Message::text() and Message::escaped(). * Article::getContentObject(), deprecated since 1.32, was removed. * Article::delete(), Article::confirmDelete() and ImagePage::delete() were removed. The logic responsible for building the form is being moved to DeleteAction, while the actual deletion logic will be moved to a separate service. * WikiImporter::debugRevisionHandler(), unused and for debug only, was removed. * Content::preloadTransform() now emits deprecation warnings. Instead, please use ContentTransformer::preloadTransform(). Extensions defining a content model should override ContentHandler::preloadTransform(). 
* Content::preSaveTransform() now emits deprecation warnings. Instead, please use ContentTransformer::preSaveTransform(). Extensions defining a content model should override ContentHandler::preSaveTransform(). * Constructing WikiPage objects from Title instances that cannot exist, emitting deprecation warnings since 1.36, now throws an exception. Additionally, WikiPage now implements ProperPageIdentity, rather than just PageIdentity. * The Skin::bottomScripts() method is deprecated. Please instead use OutputPage::getBottomScripts(). * LinksUpdate::getTriggeringUser() now returns ?UserIdentity instead of ?User. * The LESS mixin `.box-shadow()` (from mediawiki.mixins.less), deprecated since 1.36, was removed. Use CSS property `box-shadow` unprefixed for all basic supported browsers instead. * The LESS mixin `.flex()` now no longer tries to support the 2009 version of the Flexbox specification; support for the 2012 and modern standard versions remains unchanged. * The StorageAwareness::ATTR_SYNCWRITES, StorageAwareness::QOS_SYNCWRITES_*, StorageAwareness::ATTR_LOCALITY, and StorageAwareness::QOS_LOCALITY_* constants were removed. === Deprecations in 1.37 === * JobQueue::getWiki(), deprecated in 1.33, now emits deprecation warnings. * AbstractBlock::getTargetAndType() and ::getTarget() now emit deprecation warnings. Use ::getTargetName() and ::getTargetUserIdentity() together with ::getType(). * Passing a UserIdentity to WatchlistManager::clearAllUserNotifications() and WatchlistManager::clearTitleUserNotifications() is now deprecated. Pass an Authority instead. * Passing LinkTarget to WatchlistManager::clearTitleUserNotifications() and WatchlistManager::getTitleNotificationTimestamp() is now deprecated. Pass PageIdentity instead. * The User class methods ::isWatched(), ::isTempWatched(), ::removeWatch(), and ::addWatch() have been deprecated. Use corresponding methods in WatchlistManager instead. 
* Multiple WatchAction methods have been deprecated in lieu of WatchlistManager: - ::doWatchOrUnwatch() use WatchlistManager::setWatch() - ::doWatch() -> WatchlistManager::addWatch() - ::doUnwatch() -> WatchlistManager::removeWatch() * WatchAction::getWatchToken() now emits deprecation warnings. Instead use CsrfTokenSet::getToken(). * Action::getHookContainer() has been marked as internal. Actions that require access to a hook container should have one injected instead. * The ::getTitle() and ::setTitle() methods in Parser have been deprecated. Use ::getPage() and ::setPage() instead. * Title::isWatchable() has been deprecated. Use WatchlistManager::isWatchable() instead. * Methods and classes related to the primary database, previously referred to as 'master', have been deprecated, with the new ones replacing them as follows: - The DBMasterPos and MySQLMasterPos classes have been respectively renamed to DBPrimaryPos and MySQLPrimaryPos. - LocalRepo::getMasterDB() -> ::getPrimaryDB() - ForeignDBRepo::getMasterDB() -> ::getPrimaryDB() - JobQueueDB::getMasterDB() -> ::getPrimaryDB() - ForeignDBViaLBRepo::getMasterDB() -> ::getPrimaryDB() - DBFileJournal::getMasterDB() -> ::getPrimaryDB() - ILoadBalancer::getMasterPos() -> ::getPrimaryPos() - IDatabase::getMasterPos() -> ::getPrimaryPos() - ILoadBalancer::finalizeMasterChanges() -> ::finalizePrimaryChanges() - ILoadBalancer::approveMasterChanges() -> ::approvePrimaryChanges() - ILoadBalancer::beginMasterChanges() -> ::beginPrimaryChanges() - ILBFactory::beginMasterChanges() -> ::beginPrimaryChanges() - ILoadBalancer::commitMasterChanges() -> ::commitPrimaryChanges() - ILBFactory::commitMasterChanges() -> ::commitPrimaryChanges() - IDatabase::getTopologyRootMaster() -> ::getTopologyRootPrimary() - IDatabase::masterPosWait() -> ::primaryPosWait() - ILoadBalancer::runMasterTransactionIdleCallbacks() -> ::runPrimaryTransactionIdleCallbacks() - ILoadBalancer::runMasterTransactionListenerCallbacks() -> 
::runPrimaryTransactionListenerCallbacks() - ILoadBalancer::rollbackMasterChanges() -> ::rollbackPrimaryChanges() - ILBFactory::rollbackMasterChanges() -> ::rollbackPrimaryChanges() - ILoadBalancer::flushMasterSnapshots() -> ::flushPrimarySnapshots() - ILoadBalancer::hasMasterConnection() -> ::hasPrimaryConnection() - ILoadBalancer::hasMasterChanges() -> ::hasPrimaryChanges() - ILBFactory::hasMasterChanges() -> ::hasPrimaryChanges() - ILoadBalancer::lastMasterChangeTimestamp() -> ::lastPrimaryChangeTimestamp() - ILoadBalancer::hasOrMadeRecentMasterChanges() -> ::hasOrMadeRecentPrimaryChanges() - ILBFactory::hasOrMadeRecentMasterChanges() -> ::hasOrMadeRecentPrimaryChanges() - ILoadBalancer::pendingMasterChangeCallers() -> ::pendingPrimaryChangeCallers() - ILoadBalancer::forEachOpenMasterConnection() -> ::forEachOpenPrimaryConnection() - ILoadBalancer::waitForMasterPos() -> ::waitForPrimaryPos() - Database::assertIsWritableMaster() -> ::assertIsWritablePrimary() - RevDelList::reloadFromMaster() -> ::reloadFromPrimary() - ExternalStoreDB::getMaster() -> ::getPrimary() - DatabaseMysqlBase::getMasterServerInfo() -> ::getPrimaryServerInfo() - MWExceptionHandler::rollbackMasterChangesAndLog() -> ::rollbackPrimaryChangesAndLog() * wfGetLB(), deprecated since 1.27, now emits deprecation warnings. * wfLocalFile(), deprecated since 1.34, now emits deprecation warnings. * wfFindFile(), deprecated since 1.34, now emits deprecation warnings. * wfIncrStats(), deprecated in 1.36, now emits deprecation warnings. * wfCanIPUseHTTPS() is now deprecated, and always returns true. * The UserLoadFromDatabase hook has been deprecated. It had no known uses. * The following methods in ApiPageSet have been deprecated: - ::getTitles(), use ::getTargets() instead. - ::getGoodTitles(), use ::getGoodPages() instead. - ::getMissingTitles(), use ::getMissingPages() instead. - ::getGoodAndMissingTitles(), use ::getGoodAndMissingPages() instead. 
- ::getRedirectTitles(), use ::getRedirectTargets() instead. - ::getSpecialTitles(), use ::getSpecialPages() instead. * The following methods from the User class, deprecated in 1.35, now each emit deprecation warnings: - ::getOptions() - ::isIP() - ::isUsableName() - ::isCreatableName() - ::getCanonicalName() - ::addAutopromoteOnceGroups() - ::getEffectiveGroups() - ::getAutomaticGroups() - ::getFormerGroups() - ::getIntOption() - ::getBoolOption() * The following methods in User were deprecated: - ::idFromName() - use UserIdentityLookup::getUserIdentityByName() instead. - ::resetIdByNameCache() - in tests, reset service container. No replacement needed in production code. * Use of ActorMigration for any table except revision, deprecated in 1.34, now emits deprecation warnings. Instead of getInsertValues(), use ActorNormalization::acquireActorId(). Instead of getWhere() and getJoin(), do your own join on the actor table. * DatabasePostgres::remappedTableName() and its dependent constructor parameter 'keywordTableMap' are deprecated. Reserved identifiers that are used as table names should be quoted where necessary. * LinkCache::singleton(), deprecated since 1.28, now emits deprecation warnings. * MessageCache::singleton(), deprecated since 1.34, now emits deprecation warnings. * LockManagerGroup::singleton() and ::destroySingletons(), deprecated since 1.34, now emit deprecation warnings. * HtmlFileCacheUpdate::newFromTitles() is now deprecated and emitting warnings. Use newFromPages() instead. * SessionProvider ::setLogger(), ::setManager(), ::setConfig(), and ::setHookContainer() were deprecated. Use ::init() to inject dependencies, or override ::postInitSetup() to do any custom post-initialization configuration. * AbstractAuthenticationProvider ::setLogger(), ::setManager(), ::setConfig(), and ::setHookContainer() now emit deprecation warnings. Use ::init() to inject dependencies, or override ::postInitSetup() to do any custom post-initialization configuration. 
* User::isLoggedIn(), deprecated since 1.36, now emits deprecation warnings. Use the method it wraps, User::isRegistered(), instead. * FileBackendGroup::singleton() and ::destroySingletons(), deprecated since 1.35, now emit deprecation warnings. * The first parameter of User::getBlock() should now be an integer using the Authority::FOR_XXX constants. Providing a boolean is deprecated. * ApiBase::addBlockInfoToStatus() is deprecated for use by extensions. It is now marked as @internal and may be deleted in the future. It should not be necessary to call this method, Authority should be providing all relevant information via a PermissionStatus object. * JobQueueGroup::singleton() was deprecated - use MediaWikiServices::getJobQueueGroup() instead. * JobQueueGroup::destroySingletons() was deprecated. JobQueueGroups are now automatically destroyed after tests. * LinkCache::addGoodLinkObj() has been deprecated, since it is prone to corrupting the cache with invalid information. Use addGoodLinkObjFromRow() instead. PHPUnit tests must use LinkCacheTestTrait::addGoodLinkObject(). * ContentHandler::getContentText() is now deprecated. Use Content::getText() instead. * LinkCache::addLinkObj() has been deprecated, use PageStore::getPageForLink() instead. * MediaWiki\User\UserNamePrefixSearch::search() previously accepted as its first parameter either the string 'public' or a UserIdentity object, to filter results for. It now expects an Authority object instead of UserIdentity, and providing just a UserIdentity will now trigger a deprecation warning. * User::getRights(), deprecated since 1.34, now emits deprecation warnings. * User::changeableGroups() and ::changeableByGroup() now emit deprecation warnings, use corresponding methods in UserGroupManager instead. * User::incEditCount() was deprecated in favor of the new method UserEditTracker::incrementUserEditCount(). 
* RepoGroup::singleton(), ::destroySingleton() and ::setSingleton(), deprecated since 1.34, now emit deprecation warnings. * RecentChange::getPerformer(), deprecated since 1.36, now emits deprecation warnings. Use ::getPerformerIdentity() instead. * ContentHandler::cleanupHandlersCache(), deprecated since 1.35, now emits deprecation warnings. * Category::getTitle() was deprecated in favor of Category::getPage(). * File::getUser() method now emits deprecation warnings, along with its overrides in LocalFile and ForeignApiFile in favor of ::getUploader(). * SpecialBlock::checkUnblockSelf(), deprecated in 1.36, now emits deprecation warnings. * (T284179) The mediawiki.viewport ResourceLoader module is deprecated. You can now just use MutationObserver or IntersectionObserver directly, which are widely available in all supported JavaScript browsers. * The following constructor options of DatabaseBlock class will now trigger deprecation warnings: - the 'byText' property with blocker's name, - the 'by' property with blocker's ID, For both of these, use the 'by' property with UserIdentity value instead. * The BeforeResetNotificationTimestamp hook was deprecated. * ArchivedFile::getUser(), ::getRawUser() and ::getRawUserText() were deprecated in favor of ::getUploader(). ::getRawDescription() was deprecated in favor of ::getDescription() with RAW audience parameter. * When calling LocalFile::newFromRow() or LocalFile::loadFromRow(), passing extra fields not requested by ::getQueryInfo() will now trigger deprecation warnings. This is to warn callers that deprefixing and automatic assignment of such fields will not be done in a future version. * JobSpecification::getTitle() was deprecated without providing a replacement. It wasn't used and, given the purpose of the JobSpecification class, it is not needed. * The protected method File::getImageSize() is now deprecated. * BacklinkCache::get() was deprecated, use BacklinkCacheFactory::getBacklinkCache() instead. 
* Title::getBacklinkCache() now emits deprecation warnings. Instead, use the ::getBacklinkCache() method in the BacklinkCacheFactory service. * MediaHandler::getImageSize(), ::getMetadata(), and ::isMetadataValid() were deprecated and should no longer be overridden. Instead, sub-classes should override getSizeAndMetadata(). * Deprecated File::getMetadata(). Instead use ::getMetadataArray(), ::getMetadataItem() and ::getMetadataItems(). * Message::title() has been deprecated; use Message::page() instead. * BaseTemplate::getAfterPortlet(), BaseTemplate::renderAfterPortlet(), and the BaseTemplateAfterPortlet hook, which were deprecated in 1.35, now emit deprecation warnings. * The LocalFile::getHistory() hook is deprecated. * Previously the Skin templateDirectory option inside skin.json had to be relative to MediaWiki core. This should now be relative to the skin. * Calling WikiPage::prepareContentForEdit() without a UserIdentity is now deprecated. * User::getEditTokenObject(), ::getEditToken(), and ::matchEditToken() were each deprecated. Use CsrfTokenRepository, which is available via IContextSource, instead. ::matchEditTokenNoSuffix() was deprecated without replacement. It was introduced to be able to provide custom error message if the token was submitted, but ending slashes were stripped by some ASCII mangling proxy. Use ::matchToken() instead, such proxies are much less common now and there's not much benefit in customising the error message. * ContentHandler::getForTitle(), deprecated since 1.35, now emits deprecation warnings. * User::listOptionKinds(), deprecated since 1.35, now emits deprecation warnings. * WikiPage::doEditContent(), deprecated since 1.32, now emits deprecation warnings. * CentralIdLookup::factory() and ::factoryNonLocal() now emit deprecation warnings; obtain an instance from MediaWikiServices instead. * The class RandomPage was renamed to SpecialRandomPage. The class RandomPage is now deprecated. 
* BotPassword::invalidateAllPasswordsForCentralId() was deprecated. * BotPassword::removeAllPasswordsForCentralId() was deprecated. * The Title class members: $mTextform, $mUrlform, $mDbkeyform, $mNamespace, $mInterwiki, and $mFragment have been deprecated to not be used directly. Instead, their corresponding accessor methods should be used. * IDatabase::fetchObject(), ::fetchRow(), ::numRows(), ::numFields(), ::fieldName(), ::freeResult() and ::dataSeek() are deprecated. Use the corresponding methods in IResultWrapper instead. * ResultWrapper::unwrap(), DatabaseMysqlBase::fieldType() and DatabasePostgres::fieldType() each now emit deprecation warnings. * Sub-classes implementing Database::doQuery() should return either boolean or an IResultWrapper. To do otherwise will now trigger a deprecation warning. * User::getOptionKinds() and ::resetOptions(), both deprecated since 1.35, now emit deprecation warnings. * The following methods in MWNamespace, all deprecated since 1.34, now emit deprecation warnings: - ::isMovable() - ::isSubject() - ::getTalk() - ::getSubject() - ::getAssociated() - ::equals() - ::subjectEquals() - ::hasTalkNamespace() - ::wantSignatures() - ::isWatchable() - ::getSubjectNamespaces() - ::getTalkNamespaces() - ::isCapitalized() - ::hasGenderDistinction() - ::isNonincludable() - ::getNamespaceContentModel() - ::getRestrictionLevels() - ::getCategoryLinkType() * LogFormatter::styleRestricedElement() has been deprecated in favor of LogFormatter::styleRestrictedElement() * The following hooks related to user preferences were deprecated: - UserLoadOptions: use LoadUserOptions instead. - UserSaveOptions: use SaveUserOptions instead. - UserResetAllOptions: no replacement was provided, the hook is not used. * Title::isNamespaceProtected(), deprecated in 1.34, now emits deprecation warnings. 
* UserSelectQueryBuilder::userIds(), ::userNames(), and ::userNamePrefix() have been deprecated in favor of ::whereUserIds(), ::whereUserNames(), and ::whereUserNamePrefix(). * Manually constructing a MovePage object, deprecated in 1.34, now emits deprecation warnings. Use MovePageFactory instead. * The following deletion-related methods were deprecated: - WikiPage::doDeleteArticleReal() (soft) - use DeletePage - WikiPage::doDeleteArticleBatched() (soft) - no replacement - WikiPage::isBatchedDelete() (soft) - use DeletePage - WikiPage::doDeleteUpdates() (hard) - no replacement - WikiPage::getDeletionUpdates() (hard) - no replacement - Title::isBigDeletion (soft) - no replacement * Relying on PermissionManager or Authority to check for big deletions was deprecated. This is now automatically checked if you use DeletePage::deleteIfAllowed(). (T288759) * The userCan hook now emits deprecation warnings. Use the getUserPermissionsErrors or getUserPermissionsErrorsExpensive hooks instead. * Parser::$mUser public access, and the methods ParserOptions::getUser() and Parser::getUser() each now emit deprecation warnings. * The following methods in the Title class have been deprecated in favor of the corresponding methods in the new RestrictionStore service (with different names where indicated): - ::areCascadeProtectionSourcesLoaded() - ::areRestrictionsCascading() - ::areRestrictionsLoaded() - ::getAllRestrictions() - ::getCascadeProtectionSources() - ::getFilteredRestrictionTypes() -> ::listAllRestrictionTypes() - ::getRestrictionExpiry() - ::getRestrictionTypes() -> ::listApplicableRestrictionTypes() - ::getRestrictions() - ::isCascadeProtected() - ::isProtected() - ::isSemiProtected() - ::loadRestrictionsFromRows() * The following Title methods have been deprecated with no direct public replacement: - ::deleteTitleProtection() - ::getTitleProtection() - ::flushRestrictions() - ::loadRestrictions() * User::isAllowUsertalk() now emits deprecation warnings. 
Use User::getBlock() and AbstractBlock::isUsertalkEditAllowed() instead. * Classes used by Preprocessor_DOM have been merged with classes used by Preprocessor_Hash, as Preprocessor_DOM was removed in 1.35. - PPDPart has been merged into PPDPart_Hash - PPDStack has been merged into PPDStack_Hash - PPDStackElement has been merged into PPDStackElement_Hash * By default, the global variable $wgUser is now an instance of the new class StubGlobalUser rather than User, and the first time it is used it will emit deprecation warnings (the $wgUser variable was deprecated in 1.35). For extensions that read from this variable, please use a relevant ContextSource instead, falling back to RequestContext::getMain() if none is available. * Collation::singleton() and ::factory() were deprecated; obtain an instance of the CollationFactory from MediaWikiServices instead. * Title::getDefaultNamespace() has been deprecated to be removed because there are no known callers/consumers. * With removal of the stub threshold feature, the following methods now emit deprecation warnings: - LinkRenderer::setStubThreshold() and ::getStubThreshold() - no replacement. - LinkRendererFactory::createForUser() - calling ::create() is now sufficient - ParserOptions::setStubThreshold() and ::getStubThreshold() - no replacement. - User::getStubThreshold() - no replacement. * The ArticleDelete and ArticleDeleteComplete hooks were deprecated. Use PageDelete and PageDeleteComplete instead. * The ArticleUndeleteLogEntry hook was deprecated without replacement. * The following LESS mediawiki.mixins have been deprecated: - .box-sizing() - .transform() - .transform-origin() - .transition() - .transition-transform() * The `UndeleteForm::undelete` hook was deprecated. A new hook was introduced, `PageUndelete`, that provides handlers with more information and is also called for non-UI requests. The capability of replacing the PageArchive object has been removed, as that violates the laws of nature. 
=== Other changes in 1.37 === * WatchlistManager::addWatch() and WatchlistManager::addWatchIgnoringRights(), which replace User::addWatch(), now call the WatchArticle and WatchArticleComplete hooks. * WatchlistManager::removeWatch() and WatchlistManager::removeWatchIgnoringRights(), which replace User::removeWatch(), now call the UnwatchArticle and UnwatchArticleComplete hooks. * The overridable postInitSetup() method was added to the AbstractAuthenticationProvider class. A provider can override postInitSetup() to do any custom post-initialization configuration. * The overridable postInitSetup() method was added to the SessionProvider class. A provider can override postInitSetup() to do any custom post-initialization configuration. * The protected getConfig() method was added to the SessionProvider class. Use SessionProvider::getConfig() to get a config. * The DBAccessBase class is deprecated. Classes that used to extend it should get a load balancer (factory) injected in the constructor instead. * ActorNormalization::acquireActorId() now requires IDatabase parameter. Not providing one emitted deprecation warnings since 1.36. * Anti-lock constants ALF_PRELOAD_LINK, ALF_NO_BLOCK_LOCK, ALF_NO_LINK_LOCK and ALF_PRELOAD_EXISTENCE have been removed. They're unused since 1.25. * (T278036) CSS class 'mw-htmlform-field-autoinfuse' used by some forms has been renamed to 'mw-htmlform-autoinfuse'. * User::newFromRow() does not accept pre-loaded user preferences under $data['user_properties'] anymore. This optimization was not used. * The following files change the letter case of the file names: - SpecialRandompage.php -> SpecialRandomPage.php - SpecialRandomredirect.php -> SpecialRandomRedirect.php - SpecialRandomrootpage.php -> SpecialRandomRootPage.php * Media files which are uploaded server side using the importImages.php maintenance script will now have the "mw-server-side-upload" change tag. * (T284917) The stub threshold feature has been removed. 
* Skin::getPoweredBy() and Skin::getCopyrightIcon() have been deprecated as they are only designed for use by skins extending BaseTemplate. You can move calls to instead use BaseTemplate::getPoweredByHTML() and ::getCopyrightIconHTML() respectively. * The SkinGetPoweredBy hook is deprecated. No replacement is provided. * HTMLTitleTextField didn't support interwiki titles well previously. Starting with 1.37, HTMLTitleTextField has a new parameter, 'interwiki', which can be used to control acceptance of interwiki titles. To provide a transitional period, the default value ('interwiki' => null) ensures MW will have the same behavior as before (logging a deprecation warning). In 1.38, the default behavior will change to "interwiki links aren't allowed". == Compatibility == MediaWiki 1.37 requires PHP 7.3.19 or later, or PHP 7.4.3 or later, and the following PHP extensions: * ctype * dom * fileinfo * iconv * intl * json * mbstring * xml Support for PHP 8.0 is not yet complete. MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. The supported versions are: * MySQL 5.5.8 or later * PostgreSQL 9.4 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. 
== IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.36 = == MediaWiki 1.36.4 == This is a security and maintenance release of the MediaWiki 1.36 branch. === Changes since MediaWiki 1.36.3 === * (T298261) Fix support for Composer 2.2. * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins. * Update doctrine/dbal (3.0.0 => 3.1.5). * (T296898) Add entry point name to disabled Session exception if possible. * (T298564) MemcachedClient: Add support for IPv6. * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete. * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader(). * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest. * Fix the json schema and the extension processor for Parsoid extension modules. * (T299696) update.php: Avoid passing null to substr. * In PHP 8.1 don't throw exceptions from mysqli. * (T289926) SiteConfiguration: Don't pass null to str_replace(). * (T264735) Fix deprecation warning from CURLPIPE_HTTP1. * (T260735) Stop using is_resource() where possible. * (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces. * (T299312) Implement __serialize/__unserialize for PHP 8.1 support. * ExtensionRegistry: Add process cache for lazy attributes. * (T301041) ApiPageSet: Add "missing": true to missing revisions. * Allow ParsoidModules extension schema to register services. * (T297708) Allow setting max execution time to several special pages. * (T302540) composer.json: Add ext-calendar to require. * (T302540) composer.json: Add ext-simplexml to require-dev. * (T302540) composer.json: Add various PHP extensions to suggests. * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0). * (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning. * (T293576) listFiles: Display file name instead of version. * (T303871) Fix @since of Title::getId(). 
* (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
* wrapOldPasswords: add \n to two output calls.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.

== MediaWiki 1.36.3 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.2 ===

* (T280363) mediawiki.page.ready: Introduce wikipage.indicators hook.
* (T290697) Add symfony/polyfill-php80.
* IcuCollation: Add some more icu to unicode version mappings.
* ApiBase: Annotate deprecated constants individually.
* PHPVersionCheck: Mark PHP 7.4.0 - 7.4.2 as buggy.
* (T293044) installer: Fix 5th param to sourceFile() in DatabaseUpdater.
* (T291127) Always encode spaces in cookie values as "%20".
* Use LocalFile::getHookRunner instead of LocalFile::hookRunner.
* (T293564) mediawiki.page.ready: Fire hook 'wikipage.indicators' with children.
* HistoryBlobStub: add getLocation() to get $mOldId.
* Fix checkStorage.php.
* checkStorage: pass no parameters to WikiRevision::getContent().
* (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion results.
* (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
* (T294796) JobQueueRedis: Replace deprecated zSize with zCard.
* (T278037) NoLocalSettings: Pass an EmptyBagOStuff to TemplateParser.
* (T212428, T267468) Allow populateContentTables to continue when there are bad blobs.
* (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set.
* Update pear/mail_mime to 1.10.11.
* Update deprecated Guzzle Psr7 function calls.
* (T281972) Follow-Up: I10fbd4b6a: Update @since tags as those were backported.
* Tweak error message for missing composer dependencies.
* (T296112) Allow inserting new sections named '0'.
* nukeNS: don't run purgeRedundantText() after every change.
* (T286779, T297031) installer: Fix Postgres mistakes in using changeField method.
* (T225888) RollbackAction: fix missing pagetitle.
* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions.
* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
* (T34716, T297416) SECURITY: Require 'read' right for most actions.
* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model.

== MediaWiki 1.36.2 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.1 ===

* Don't access MWServices prematurely in Maintenance.php.
* (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
* Installer: Fix foundation.wikimedia.org link in config-pingback-help.
* (T283273) Make postgres IRC channel point to libera.chat.
* composer.json: Promote and pin monolog/monolog to require from require-dev.
* (T287526) JavaScriptMinifier: Recognize `...` as a single token.
* (T287526) Update wikimedia/minify to 2.2.4.
* (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas.
* (T281549) Installer: Fix mediawiki-announce auto subscription code.
* FormatJson: Optimize encode() for supported PHP versions.
* (T290398) renameRestrictions.php: Update protected_titles as well.
* (T290489) objectcache: Fix PHP warning for ReplicatedBagOStuff::setMulti.
* $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types.
* (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes.
* (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
* (T291244) Unserialize objects in ParserCache->mExtensionData as objects.
* MysqlUpdater: Add updatelog entries for dropDefault.
* (T290776) Fix $phase check in OutputHandler.
* The wikimedia/parsoid library has been upgraded from v0.13.0 to v0.13.1.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

== MediaWiki 1.36.1 ==

This is a security and maintenance release of the MediaWiki 1.36 branch.

=== Changes since MediaWiki 1.36.0 ===

* (T283942) DatabaseInstaller.php: Only run core schema file if specified table doesn't already exist.
* (T247223) Optimise MessageCache::isMainCacheable() for the single-message case.
* (T283244) JavaScriptMinifier: Fix handling of "delete" as object property.
* (T284391) Fix SkinModule to correctly prepend remote path on document root installs.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T278579) Don't send headers on ob_end_clean().
* (T285287) MultiHttpClient: Replace PHP version check with defined().
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.

== MediaWiki 1.36.0 ==

=== Changes since MediaWiki 1.36.0-rc.0 ===

* (T248481) rdbms: Use server time in DatabaseMysqlBase::getLagFromPtHeartbeat().
* (T281549) WebInstaller: Don't show the announce-l subscribe checkbox for now.
* (T264214) Follow-ups for UserGroupManager.
* (T282280) resourceloader: Fix path-only URLs in wiki modules when script path is docroot.
* (T281972) UserIdentityValue: Introduce convenience static factory methods.
* (T230428) Make page_is_redirect and page_is_new unsigned.
* (T280292) Legacy feature should not load thumbnail style rules (only layout).
* (T283247) Freenode -> Libera per wikimedia moving from freenode to libera.
* (T280270) composer: Lock Parsoid version to specific 0.13.0 release.
* (T142663) Add extension.json merge strategy "provide_default".
* (T283540) HookContainer: Fix normalization of callback for static handler.
* (T283464) registration: Fix array order for array_replace_recursive merge strategy.
* (T283539) Interwiki: Fix calling "onInterwikiLoadPrefix" hook.
* (T282594) Timeless: Re-branch to 40eb3dad1 for REL1_36.

== MediaWiki 1.36.0-rc.0 ==

== Upgrading notes for 1.36 ==

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.27.

Some specific notes for MediaWiki 1.36 upgrades are below:

* MediaWiki 1.36 now requires the PHP internationalization extension (commonly referred to as Intl, ext-intl, or php-intl).
* The MediaWiki:Autoblock_whitelist block exemption control has been moved to MediaWiki:Block-autoblock-exemptionlist. If you use this feature, please move the MediaWiki:Autoblock_whitelist page.
* (T275334) $wgExtensionFunctions is sometimes used to change configuration settings. This is not safe; extension functions are run relatively late, some services are already initialized by that point and so they use the old configuration. Changes in 1.36 make this kind of breakage even more common. You can use the MediaWikiServices hook instead. (In the future there might be a dedicated hook for configuration changes.)

For notes on 1.35.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.36 ===

The MediaWiki update script, maintenance/update.php, used to accept `--nopurge` as an option to prevent clearing caches stored in the database during upgrade. This is no longer encouraged, and the option has been removed.

==== New configuration ====

* (T256001) $wgManualRevertSearchRadius – This setting controls a new feature that marks edits as reverts if they restore the page to an exact previous state. This configuration variable sets the maximum number of revisions of a page that will be checked against every new edit. Set this to 0 to disable the feature entirely.
* (T244058) $wgOldRevisionParserCacheExpireTime — This setting was added to control caching of ParserOutput for old (non-current) revisions.
* (T265263) $wgRememberMe - This setting configures the "remember me" checkbox on account log-in systems via RememberMeAuthenticationRequest.
* (T157145) $wgSkinMetaTags – This setting lets sysadmins configure skins that support meta tags. These tags make sharing of MediaWiki pages on a variety of social platforms more contentful and thus useful.
* (T280944) $wgIncludejQueryMigrate - This setting lets sysadmins disable the jQuery Migrate plugin. It has been enabled by default since MediaWiki 1.27. In future releases it will be disabled by default.

==== Changed configuration ====

* $wgLogos – This setting selects the logo shown on the site. The default value for the site logo, which is shown in an install if you have not set one, will now be the new logo of MediaWiki.
* (T274695) $wgAjaxEditStash — This setting, to disable the edit stashing feature when users start writing an edit summary, has been deprecated. In future releases, this feature will always be enabled.
* $wgUploadStashScalerBaseUrl – This setting, to enable remote on-demand media scaling, was deprecated. Use the `thumbProxyUrl` setting in $wgLocalFileRepo instead.
* $wgSlaveLagWarning and $wgSlaveLagCritical – These settings have been renamed, to $wgDatabaseReplicaLagWarning & $wgDatabaseReplicaLagCritical respectively. The former configuration variable names are deprecated, but will be used as the fall back if they are still set, and remain temporarily available for extensions which try to read them.
* $wgWANObjectCaches - The "coalesceKeys" option was removed without deprecation and replaced by a new "coalesceScheme" option, set to "hash_stop" by default. If you use Dynomite, then set the new "coalesceKeys" option to "hash_tag". The "cluster" and "mcrouterAware" options were also removed without deprecation. Use "broadcastRoutingPrefix" instead.

==== Removed configuration ====

* $wgUseTwoButtonsSearchForm — This setting, deprecated in 1.35, has been removed.
* $wgAllowImageMoving — This setting, deprecated in 1.35, has been removed. Use group permission settings instead. For example, to prevent sysops from moving files, set `$wgGroupPermissions['sysop']['movefile'] = false;`
* $wgExtNewTables, $wgExtNewFields, $wgExtNewIndexes, $wgExtPGNewFields, $wgExtPGAlteredFields, $wgExtModifiedFields — These settings were removed. They became obsolete after 1.17 overhauled the database updater, but were kept for backwards compatibility. The LoadExtensionSchemaUpdates hook should be used instead.
* $wgParserConf - This setting, deprecated in 1.35, has been removed. The last use of this setting was for pre-processor configuration, which was deprecated in 1.34 and removed in 1.35.
* $wgEnableRestAPI - This setting, ignored since 1.35, has been removed.
* $wgPagePropsHaveSortkey – This temporary setting has been removed, along with the schema change upgrade path it controlled. If your site is still using it, meaning you have not yet applied the `pp_sortkey` schema change from 1.24, you must now apply it before upgrading.
* The deprecated password policies PasswordCannotMatchBlacklist and PasswordNotInLargeBlacklist were removed. Please use PasswordCannotMatchDefaults and PasswordNotInCommonList respectively instead.

=== New user-facing features in 1.36 ===

* The logo of MediaWiki has changed. This means that the "Powered By MediaWiki" button shown in the skin footer will be different.
* All HTML5 named entities are now accepted in wikitext.
* (T106263) The file description page's alternate sizes now include 2048px.

=== New developer features in 1.36 ===

* Parser test files can now declare a dependency on a specific extension being loaded, not just on the presence of a certain extension tag hook. This is a better fit for extensions like TimedMediaHandler, which affect the output but don't register parser hooks.
  Use `extension:Foo` in the `!! hooks` section of your parser test file to declare a dependency on the `Foo` extension being loaded.
* To expose code previously present in SpecialBlock/SpecialUnblock to other parts of the code, or to extensions, the new BlockUser and UnblockUser command objects were added. Use the BlockUserFactory and UnblockUserFactory services to create them.
* The hook UsersPagerDoBatchLookupsHook now takes a \Wikimedia\Rdbms\IDatabase, instead of \Wikimedia\Rdbms\DBConnRef, as the first parameter.
* MediaHandlers can now customize the formatting of the metadata they emit by over-riding MediaHandler::formatTag( $key, $value ). The default for unknown tags is numeric formatting; non-EXIF tags which are non-numeric should always use this method to specify the desired formatting.
* The new 'title' type can be used to validate action API and REST API inputs.
* The new ArticleParserOptions hook allows customizing the parser options used to parse wikitext for an article, based on user preferences, title, etc.
* The new 'raw' type can be used to validate action API inputs. It bypasses the Unicode NFC normalization done on inputs of type 'string', so it is more suitable when the input is binary or may contain deprecated Unicode sequences or characters (such as U+2001) that should be passed unmodified.
* (T260330) A new abstraction for running shell commands has been introduced, called BoxedCommand. A BoxedCommand object can be obtained with MediaWikiServices::getInstance()->getCommandFactory()->createBoxed().
* ResourceLoader modules can now mark themselves as ES6-only by setting `'es6' => true` in their module definition. ES6-only modules will not be executed in browsers that don't support ES6, such as IE11.

=== External library changes in 1.36 ===

==== New external libraries ====

* Added wikimedia/minify 2.2.2.
* Added wikimedia/request-timeout 1.1.0.
* Added wikimedia/shellbox 1.0.4.
* Added WVUI 0.1.0.
* Added symfony/symfony/polyfill-php80 1.23.1.

==== Changed external libraries ====

* Updated composer/semver from 1.5.1 to 3.2.4.
* Updated guzzlehttp/guzzle from 6.5.4 to 7.2.0.
* Updated jQuery from v3.4.1 to v3.6.0.
* Updated jQuery Migrate from v3.1.0 to v3.3.2.
* Updated jquery.client from 2.0.2 to 3.0.0.
* Updated OOUI from 0.39.3 to 0.41.3.
* Updated pear/mail_mime from 1.10.8 to 1.10.9.
* Updated pear/net_smtp from 1.9.1 to 1.9.2.
* Updated pimple/pimple from 3.3.0 to 3.3.1.
* Updated wikimedia/at-ease from 2.0.0 to 2.1.0.
* Updated wikimedia/cldr-plural-rule-parser from 1.0.0 to 2.0.0.
* Updated wikimedia/common-passwords from 0.2.0 to 0.3.0.
* Updated wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1.
* Updated wikimedia/html-formatter from 1.0.2 to 3.0.1.
* Updated wikimedia/ip-set from 2.1.0 to 3.0.0.
* Updated wikimedia/ip-utils from 1.0.0 to 3.0.2.
* Updated wikimedia/less.php from 3.0.0 to 3.1.0.
* Updated wikimedia/object-factory from 2.1.0 to 3.0.0.
* Updated wikimedia/php-session-serializer from 1.0.7 to 2.0.0.
* Updated wikimedia/remex-html from 2.2.0 to 2.2.2.
* Updated wikimedia/utfnormal from 2.0.0 to 3.0.2.
* Updated wikimedia/wait-condition-loop from 1.0.1 to 2.0.1.
* Updated wikimedia/xmp-reader from 0.7.0 to 0.8.1.

===== Changed development-only external libraries =====

* Updated composer/spdx-licenses from 1.5.3 to 1.5.4.
* Updated doctrine/dbal from 2.10.2 to 3.0.0.
* Updated doctrine/sql-formatter from 1.1.0 to 1.1.1.
* Updated mediawiki/mediawiki-phan-config from 0.10.2 to 0.10.6.
* Updated monolog/monolog from 1.25.3 to 2.2.0.
* Updated nikic/php-parser from 4.4.0 to 4.10.2.
* Updated psy/psysh from 0.10.4 to 0.10.5.
* Updated seld/jsonlint from 1.7.1 to 1.8.3.
* Updated symfony/yaml from ~3.4|~4.3|~5.0.5 to ~3.4|~5.1.
* Updated wikimedia/testing-access-wrapper from 1.0.0 to 2.0.0.

==== Removed external libraries ====

* The html5shiv library has been removed, as support for Internet Explorer 8 has been dropped.
* The wikimedia/avro suggested development-only library has been removed, as the support for logging in Avro format has been dropped.

=== Bug fixes in 1.36 ===

* (T190285) ApiEditPage module used to switch 'undo' and 'undoafter' parameters if it found that you had reversed them (based on the assumption that a higher revision ID indicates a later revision). The assumption is not always true, and is hindering proper edit undoing in some cases, hence the logic has been removed. Reversing the parameters will now lead to edit conflict or undefined behavior.
* (T263340) In history merging, pages with a content model that does not support redirects will now be recorded as deleted if no revision is being left in the source page (that is, if all revisions of the page have been merged to another).

=== Action API changes in 1.36 ===

* (T269636) `Access-Control-Max-Age` was added to the default list of headers allowed for cross-origin API requests ($wgAllowedCorsHeaders).
* (T258108) Accounts with the 'bot' right no longer have pages automatically added to the watchlist when making API edits, regardless of their preferences. This is to reduce the size of the watchlist data in the database. To add API bot edits to the watchlist, explicitly set the 'watch' option.

=== Languages updated in 1.36 ===

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

* (T258975) Added a Latin/Cyrillic script converter for the Talysh language.
* (T245359) Split Bali script locale from "ban" (Balinese) (ban-bali).
* (T264582) Added language support for Madurese (mad).
* (T259330) Added language support for Mara (mrh).
* (T263968) Added language support for Nias (nia).
* (T270365) Added language support for Tyap (kcg).
* (T276745) Added language support for Wayuu (guc).

=== Breaking changes in 1.36 ===

* Grade C (non-JavaScript) support for Internet Explorer 8 has been dropped.
* (T249459) wfIsBadImage(), deprecated in 1.34, has been removed.
* (T176526) EditPage::getContextTitle() will now throw an exception if a context title was not set using setContextTitle(). Previously, this mis-use would only cause a deprecation warning to be emitted.
* The DeferredStringifier class, deprecated since 1.31, was removed.
* Multiple methods that fell back to the $wgUser global variable were individually hard deprecated previously. The following have now been removed:
  - ApiTestCase::doLogin
  - Article::doDeleteArticle
  - Article::doDeleteArticleReal
  - Article::getComment
  - Article::getCreator
  - Article::getUser
  - Article::getUserText
  - Article::insertProtectNullRevision
  - File::delete
  - File::recordUpload
  - ForeignDBFile::delete
  - ForeignDBFile::recordUpload
  - LocalFile::delete
  - LocalFile::deleteOld
  - LocalFile::recordUpload
  - PageArchive::undelete
  - RecentChange::markPatrolled
  - Title::getUserPermissionsErrors
  - Title::quickUserCan
  - Title::userCan
  - WebRequest::getLimitOffset
  - WikiPage::doDeleteArticle
  - WikiPage::insertProtectNullRevision
* The SpecialPageFactory class, deprecated in 1.32, has been removed. Use the SpecialPageFactory service instead.
* Multiple methods previously had optional User parameters, with fallbacks to the $wgUser global variable.
  Not passing a User to those methods was previously hard deprecated, and support for not passing a User has now been removed:
  - ArchivedFile::userCan
  - File::userCan
  - FileDeleteForm::__construct
  - FileDeleteForm::doDelete
  - LocalFileDeleteBatch::__construct
  - LogEventsList::getExcludeClause (only needed for the 'user' audience)
  - LogEventsList::userCan
  - LogEventsList::userCanBitfield
  - LogEventsList::userCanViewLogType
  - LogPage::addEntry (also accepts user id instead)
  - OldLocalFile::userCan
  - PatrolLog::record
  - Title::getNotificationTimestamp (though the entire method is deprecated)
  - WikiPage::getComment (only needed for the FOR_THIS_USER audience)
  - WikiPage::getCreator (only needed for the FOR_THIS_USER audience)
  - WikiPage::getUser (only needed for the FOR_THIS_USER audience)
  - WikiPage::getUserText (only needed for the FOR_THIS_USER audience)
* The following hooks have been removed:
  - APIQueryInfoTokens
  - APIQueryRecentChangesTokens
  - APIQueryRevisionsTokens
  - APIQueryUsersTokens
  - ApiTokensGetTokenTypes
* LogEventsList::typeAction previously accepted an optional right parameter, and checked if the context user ($wgUser) had that right. Passing a right was hard deprecated in 1.35, and support for passing a right has now been removed.
* WikiPage::doDeleteArticleReal previously accepted an optional user as its fifth parameter, and fell back to $wgUser if no user was provided. The signature changed to have the user as the second parameter, and the old signature was hard deprecated in 1.35. Support for the old signature has now been removed.
* User::addNewUserLogEntry, deprecated since 1.27, was removed.
* As part of refactoring the EditPage class, EditPage::setPreloadedContent, which had no known callers, was removed entirely.
  Additionally, the following public methods were made private:
  - ::extractSectionTitle
  - ::getSummaryInputWidget
  - ::noSuchSectionPage
  - ::initialiseForm
* EditPage::matchSpamRegex and ::matchSummarySpamRegex, deprecated in 1.35, were removed. Use the SpamChecker service instead.
* The global function `wfWaitForSlaves`, deprecated in 1.27 and hard-deprecated in 1.35, has been removed. Use LBFactory::waitForReplication() instead.
* Calling Action::factory() with null as the first parameter, rather than a string, was deprecated in 1.35 and support has now been removed.
* Calling Action::factory() with an object that wasn't an Article as the second parameter was deprecated in 1.35 and support has now been removed.
* The global variable $wgMemc, deprecated since 1.35, has been removed. Usage should generally be migrated to WANObjectCache, or if you really need the internal object, use ObjectCache::getLocalClusterInstance instead.
* The preprocessDump.php maintenance script was removed.
* CategoryFinder, which was deprecated in 1.31 and hard-deprecated in 1.35, has been removed.
* GenderCache::singleton(), which was deprecated in 1.28 and hard-deprecated in 1.35, has been removed.
* Sanitizer::escapeId(), deprecated in 1.30, has been removed.
* Direct invocation of Parser::__construct() (instead of via a ParserFactory) now throws an exception; support has also been removed for several deprecated variants on the arguments passed to Parser::__construct. Direct invocation of Parser::__construct was deprecated in 1.34.
* Parser::setFunctionTagHook(), deprecated in 1.35, has been removed.
* The following properties of Parser, deprecated in 1.35, have been made private:
  - $mTagHooks - use Parser::getTags()
  - $mFunctionHooks - use Parser::getFunctionHooks()
  - $mOutput - use Parser::getOutput()
  - $mPreprocessor - use Parser::getPreprocessor()
* The ParserBeforeTidy hook, deprecated in 1.35, has been removed.
* The ParserBeforeTidy, ParserBeforeStrip, and ParserAfterStrip hooks, deprecated in 1.35, have been removed.
* All methods of MWTidy except for MW::tidy() have been removed. These were each either marked as @internal or deprecated in 1.35.
* (T248062) Mixins `.background-image-svg()` and `.background-image-svg-quick()` (provided by mediawiki.mixins.less), which have been deprecated since 1.35, have now been removed. MediaWiki no longer supports any browser which would require this SVG-fallback PNG support, so you can simply use the regular CSS `background-image:` declaration instead.
* The ResourceLoader module `mediawiki.legacy.oldshared` and its file 'oldshared.css', deprecated since 1.35, have been removed (T248357).
* `ResourceLoader::__construct` now requires a Config parameter. The optional nature of this parameter was deprecated in 1.34.
* The LinkBegin and LinkEnd hooks, deprecated in 1.28, have been removed. You can instead use the HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd hooks, respectively.
* The EmailUser hook passes its fifth param, $error, by reference, to allow hook handlers to add error messages, indicate that they have sent the email instead of core, etc. Setting the parameter to something other than a Status object, true, false, an empty string, an array, or a MessageSpecifier object, which had been deprecated in 1.29, is no longer supported, and now results in an MWException being thrown.
* Skin::getDynamicStylesheetQuery(), deprecated in 1.32, has been removed. You should use action=raw&ctype=text/css directly.
* Skin::makeI18nUrl(), deprecated in 1.35, has been removed.
* The following User methods, deprecated and moved to BlockManager in 1.34, were removed:
  - ::isDnsBlacklisted
  - ::inDnsBlacklist
  - ::isLocallyBlockedProxy
  - ::trackBlockWithCookie
* Support for v1 of the parser tests file format has been removed; it was deprecated in 1.35.
  (T174199)
* SpecialUnblockUser::processUIUnblock() now returns a Status object instead of an array of messages or a boolean value. This function was also marked as @internal and is no longer safe to call publicly.
* mw.Title.getDotExtension() from the 'mediawiki.Title' module was removed without deprecation. You should use mw.Title.getExtension() and prepend the dot if need be.
* Profiler::getTemplated and Profiler::setTemplated, deprecated in 1.34, have been removed.
* DatabaseMysqlBase now requires MySQL version 5.6.4+ when "lagDetectionMethod" is set to "pt-heartbeat".
* Removed HookContainer::getOriginalHooksForTest() without deprecation. This method was introduced in 1.35 for internal use, and appears unused outside of MediaWiki core.
* ParserCache::__construct() now requires three parameters.
* Message->getFormat(), deprecated in 1.29, has been removed.
* Support for passing Article to ParserCache::get, deprecated in 1.35, has been removed.
* ParserCache::singleton(), deprecated in 1.30, has been removed.
* DatabaseBlock::deleteIfExpired and ::fromMaster, deprecated in 1.35, have been removed.
* Some deprecated AbstractBlock methods have been removed:
  - ::prevents, deprecated in 1.33
  - ::shouldTrackWithCookie, deprecated in 1.34
  - ::getBlocker, deprecated in 1.35
  - ::setBlocker, deprecated in 1.35
  - ::getBlockErrorParams, deprecated in 1.35
* Multiple DatabaseBlock methods dealing with cookies, deprecated in 1.34, have been removed:
  - ::setCookie
  - ::clearCookie
  - ::getCookieValue
  - ::getIdFromCookieValue
  - ::shouldTrackWithCookie
* The public static callback function SpecialUnblock::processUIUnblock has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
* ChangeTags::truncateTagDescription, deprecated in 1.35, has been removed.
* Deprecated null fallbacks in PasswordReset constructor have been removed.
* User::isEveryoneAllowed and User::getAllRights, deprecated in 1.34, have been removed.
* The following methods of the UserGroupMembership class, deprecated in 1.35, have been removed:
  - ::initFromRow
  - ::newFromRow - use UserGroupManager::newGroupMembershipFromRow
  - ::selectFields - use UserGroupManager::getQueryInfo
  - ::delete - use UserGroupManager::removeUserFromGroup
  - ::insert - use UserGroupManager::addUserToGroup
  - ::purgeExpired - use UserGroupManager::purgeExpired
  - ::getMembershipsForUser - use UserGroupManager::getUserGroupMemberships
  - ::getMembership - use UserGroupManager::getUserGroupMemberships
* The public static callback function SpecialBlock::validateTargetField has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
* The public static callback function SpecialUploadStash::tryClearStashedUploads has been removed. This method was for internal use only, and appears unused outside of MediaWiki core.
* SpecialComparePages::showDiff(), ::revOrTitle(), ::checkExistingTitle(), and ::checkExistingRevision() were marked as @internal to allow for breaking changes. They are no longer safe to call. The methods were unused outside of MediaWiki core.
* Each special page within core now uses service injection via its constructor. When extending these special pages, a call to the grandparent constructor (`SpecialPage::__construct()`) in the sub-class would now break the derived special page, as the fallback code in the parent constructor cannot set the services as needed. Be sure to call the parent constructor when extending core special pages. Extending core's special pages is not part of the stable interface, and should generally be avoided.
* Language::getExtraUserToggles and ::viewPrevNext, deprecated in 1.34, have been removed.
* StreamFile::send404Message and ::parseRange, deprecated in 1.34, have been removed.
* SVGMetadataExtractor class, deprecated in 1.34, has been removed.
* ProcessCacheLRU class, deprecated in 1.32, has been removed.
* wfForeignMemcKey(), deprecated in 1.35, has been removed.
* LoadBalancer::safeWaitForMasterPos(), deprecated in 1.34, has been removed.
* JobQueue::factory() now requires its `idGenerator` option. The optional nature of this option was deprecated in 1.35.
* ApiFeedRecentChanges::getFeedObject has been changed to private, and appears unused outside of MediaWiki core.
* Skin::subPageSubtitle() has been changed to a private method. Callers should use Skin::prepareSubtitle().
* RevisionDeleter::checkRevisionExistence was removed without deprecation. It had no known callers.
* wfForeignMemcKey() and wfMemcKey(), deprecated in 1.35, have been removed.
* MediaWiki now also requires the php-intl extension.
* BotPassword::save() now returns a Status object for the result rather than a bool.
* The methods in CoreTagHooks have been marked @internal and type hints have been added. The methods appeared to be unused outside of MediaWiki core.
* SquidPurgeClient and SquidPurgeClientPool, deprecated since 1.35, have been removed.
* Several methods on WikiPage will now throw an exception when called on a WikiPage instance that was constructed on a title that does not refer to a proper page (but rather a special page or interwiki link). The behavior was previously undefined and could in some cases lead to data corruption. Affected methods are: getId(), insertOn(), newPageUpdater(), doUpdateRestrictions(), doDeleteArticleReal(), doRollback(), and doEditContent().
* The ParserTestRunner no longer invokes the ParserTestTables hook. Instead, it clones all database tables before running tests, like MediaWikiIntegrationTest does. If an extension was mis-using the hook to *exclude* tables from the clone, that will no longer occur, and tests may fail.
* The following classes, which were only loaded for tests and had no uses found in public MediaWiki-related git, were removed:
  - MockWebRequest
  - UserWrapper
* Passing Title as a second parameter to RevisionStore::getPreviousRevision and getNextRevision, hard deprecated since 1.31, was prohibited.
* (T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods.
* The internal class FirejailCommand was removed.
* Command::execute() now returns a Shellbox\Command\UnboxedResult instead of a MediaWiki\Shell\Result. Any type hints should be updated.
* WikiPage::$mIsRedirect was removed.
* ObjectCache::detectLocalServerCache(), deprecated in 1.35, was removed.
* The following functions from the Title class have been removed:
  - countRevisionsBetween
  - getAuthorsBetween
* The PageProps class was converted to a service. PageProps::overrideInstance was removed, and MediaWikiServices::redefineService should be used instead.
* Support for creating a MediaWikiTitleCodec object without the InterwikiLookup and NamespaceInfo services, deprecated in 1.34, was removed. Note that the MediaWikiTitleCodec class is not @newable or @stable to create, and should be retrieved from MediaWikiServices instead.
* The $wgContLang variable, deprecated in 1.32, was removed. You can instead use MediaWikiServices::getInstance()->getContentLanguage().
* User::clearAllNotifications(), hard deprecated in 1.35, was removed. Use WatchlistManager::clearAllUserNotifications() instead.
* DatabaseBlock::getBlocker can return any UserIdentity instance, not just User.
* MediaWiki::triggerJobs(), deprecated in 1.34, was removed.
* The following Article methods, deprecated in 1.35, were removed: - checkFlags - checkTouched - clearPreparedEdit - doDeleteUpdates - doEditUpdates - doPurge - doViewUpdates - exists - followRedirect - getAutoDeleteReason - getCategories - getContentHandler - getContentModel - getContributors - getDeletionUpdates - getHiddenCategories - getId - getLatest - getLinksTimestamp - getMinorEdit - getOldestRevision - getRedirectTarget - getRedirectURL - getRevision - getTouched - getUndoContent - hasViewableContent - insertOn - insertRedirect - insertRedirectEntry - isCountable - isRedirect - loadFromRow - loadPageData - lockAndGetLatest - makeParserOptions - pageDataFromId - pageDataFromTitle - prepareContentForEdit - protectDescription - protectDescriptionLog - replaceSectionAtRev - replaceSectionContent - setTimestamp - shouldCheckParserCache - supportsSections - triggerOpportunisticLinksUpdate - updateCategoryCounts - updateIfNewerOn - updateRedirectOn - updateRevisionOn - doUpdateRestrictions - updateRestrictions - doRollback - commitRollback - generateReason * The monolog-based logging system has dropped the Avro format. Because of this, the AvroFormatter class and the AvroValidator utility class have been removed without deprecation. * AbstractBlock::$mReason, deprecated in 1.34, was removed. Use AbstractBlock::getReasonComment and AbstractBlock::setReason instead. === Deprecations in 1.36 === * (T278026) The DB_MASTER constant has been deprecated in favour of DB_PRIMARY. * (T245963) User::getGrantName() is now hard deprecated and will be removed in a subsequent release. Use MWGrants::grantName() instead. * wfIncrStats() is now deprecated. Use MediaWikiServices::getInstance() ->getStatsdDataFactory()->updateCount() instead. * WikiPage::doEditContent() is now deprecated. Use WikiPage::doUserEditContent() instead. 
Note that doEditContent() was also deprecated in 1.32 for unrelated reasons and doUserEditContent() is deprecated for other reasons, however, using doUserEditContent() is recommended over using doEditContent(). * WikiPage::doUserEditContent() is now deprecated. Use PageUpdater::saveRevision instead. Note that the new method expects callers to take care of checking EDIT_MINOR against the minoredit right, and to apply the autopatrol right as appropriate. * LocalFile::recordUpload2, soft deprecated in 1.35, now emits deprecation warnings. Use ::recordUpload3 instead. * Constructing a new instance of the ParserOptions class without providing a User object, which falls back to the global $wgUser, is now deprecated. * The User class, which was marked as @newable in 1.35, is no longer newable, meaning that it is no longer safe to manually call the constructor via `new User`. Instead, use the UserFactory service. Additionally, the following static constructor methods were deprecated in favor of using the UserFactory service: - User::newFromName - User::newFromId - User::newFromActorId - User::newFromIdentity - User::newFromAnyId - User::newFromConfirmationCode * The following User methods have been hard deprecated in favor of the new UserEditTracker service: - User::getFirstEditTimestamp - User::getLatestEditTimestamp * The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered(). * Use of the `preprocessor=Preprocessor_DOM` option in parser test files has been deprecated. Preprocessor_DOM was removed in 1.35. * ParserOptions::setTidy() has been deprecated. It has had no effect since 1.35. * Sanitizer::escapeIdReferenceList() has been deprecated; it will eventually be made private to the class, as it appears to have no uses outside the Sanitizer class. * Sanitizer::hackDocType() is deprecated; it will eventually be made private. * Skin::getIndicatorsHTML() is deprecated. 
The functionality can be retained by reimplementing the method using the raw indicators data from OutputPage::getIndicators. * Skin::makeVariablesScript() has been deprecated. Use ResourceLoader::makeInlineScript() instead. * SpecialPageFactory::getRestrictedPages() has been deprecated. Use SpecialPageFactory::getUsablePages() instead. * Title::nameOf() is deprecated; use Title::newFromID()->getPrefixedDBkey() instead. * DatabaseBlock::insert, DatabaseBlock::update, DatabaseBlock::purgeExpired and DatabaseBlock::delete are deprecated. Use DatabaseBlockStore::insertBlock, DatabaseBlockStore::updateBlock, DatabaseBlockStore::purgeExpiredBlocks and DatabaseBlockStore::deleteBlock instead. * SpecialBlock::getTargetAndType and AbstractBlock::parseTarget are deprecated. Call BlockUtils::parseBlockTarget instead. * SpecialUnblock::processUnblock was deprecated - use UnblockUserFactory service instead. * Deprecated MediaWikiIntegrationTestCase::removeTemporaryHook() in favor of MediaWikiIntegrationTestCase::clearHook(). * Skin::getSearchLink(), also exposed as 'searchaction' option in SkinTemplate, has been deprecated. Use Title or SpecialPage methods directly. * Skin::getAllowedSkins and ::getSkinNames have been deprecated. Use their respective equivalents in SkinFactory instead. * The RollbackComplete hook has been deprecated, use the PageSaveComplete hook instead. * Skin::makeUrl() has been deprecated. Title methods should be used instead. * Skin::privacyLink(), Skin::disclaimerLink() and Skin::aboutLink() have been deprecated. Please use Skin::footerLink() instead. * Skin::getLogo() has been deprecated. Use ResourceLoaderSkinModule instead. * The module `mediawiki.toc.styles` has been replaced by ResourceLoaderSkinModule. If you are having problems styling table of contents ensure you have an updated skin. * Skin::mainPageLink() has been deprecated. Use LinkRenderer service instead. * BaseTemplate::getToolbox() method has been hard deprecated.
The toolbox data is now available in a sidebar data array which you can get from any class that's extending QuickTemplate class. * Constructing a DefaultPreferencesFactory, LinkHolderArray or PasswordReset without a $hookContainer parameter is deprecated. * Autopromote class, soft deprecated since 1.35, now emits deprecation warnings. Use UserGroupManager instead. * SpecialBlock::canBlockEmail has been deprecated. Please use BlockPermissionChecker::checkEmailPermissions instead. * SpecialBlock::checkUnblockSelf has been deprecated. Please use BlockPermissionChecker::checkBlockPermissions instead. * SpecialBlock::parseExpiryInput was deprecated - use BlockUser::parseExpiryInput instead. * SpecialBlock::validateTarget has been deprecated, use BlockUtils instead. * SpecialBlock::validateTargetField has been deprecated for external use, use BlockUtils instead. * SpecialPage::getLanguageConverter has been deprecated, use LanguageConverterFactory::getLanguageConverter() directly. * ParserCache::getKey has been deprecated. Use ParserCache::getMetadata and ParserCache::makeParserOutputKey instead. * The PHPUnit4And6Compat class, used to provide compatibility with PHPUnit 4, was removed. MediaWiki support for PHPUnit 4 ended with the removal of HHVM support. * The PHPUnit6And8Compat class, used to provide compatibility with PHPUnit 6, was removed without deprecation. This class was introduced during the upgrade to PHPUnit 8, but never used. * MediaWikiIntegrationTestCase::assertType, hard-deprecated in 1.35 due to incompatibility with PHPUnit 8, was removed. * ParserCache::getETag has been deprecated, instead build suitable etag explicitly. 
* The following functions from the Language class have been hard deprecated and will be removed in a subsequent release: - findVariantLink - convertTitle - updateConversionTable - commafy * The following functions from the Title class have been hard deprecated: - getPreviousRevisionID - getNextRevisionID - getEarliestRevTime * The following functions from the User class have been hard deprecated: - getDefaultOptions - getDefaultOption * The mw.language.commafy client-side method has been deprecated, to match the deprecation of Language::commafy. Use mw.language.convertNumber instead. * The "es6-promise" module has been deprecated. Use "es6-polyfills" instead. * Title::isDeleted() and Title::isDeletedQuick() have been deprecated. Please use Title::getDeletedEditsCount() and Title::hasDeletedEdits() instead. * Article::getContentObject, soft-deprecated since 1.32, was hard-deprecated. * WikiRevision::importUpload, soft-deprecated since 1.31, was hard-deprecated. * Html::infoBox() has been deprecated. There's no replacement. * Message::toString() without a $format parameter, soft-deprecated since 1.28, was hard-deprecated. Use explicit formatting methods instead, such as Message::text() and Message::escaped(). * BagOStuff::makeKeyInternal() usage outside of BagOStuff has been deprecated. * BagOStuff::setDebug() is deprecated and calls to it are ignored. Debug logs are now unconditionally enabled. * The following global functions have been hard deprecated: - wfAppendToArrayIfNotDefault - wfAcceptToPrefs - wfClearOutputBuffers - wfConfiguredReadOnlyReason - wfDebugMem - wfGetPrecompiledData - wfNegotiateType * BeforeParserFetchTemplateAndtitleHook has been deprecated; replace with the new BeforeParserFetchTemplateRevisionRecord hook. (The similar ParserFetchTemplateHook was deprecated in 1.35; the new hook replaces both.) 
* The InterwikiLoadPrefix hook has been deprecated; it is not compatible with future wikitext parsers (which need to enumerate all interwiki prefixes). In test cases please use $wgInterwikiCache instead. * WikiPage instances should no longer be constructed for titles that do not represent editable pages (e.g. special pages). WikiPages were always documented to represent "MediaWiki article and history". * Skin::getSkinStylePath() has been deprecated. Please replace usages with the direct path to the resources. * The second argument of EnhancedChangesList::getDiffHistLinks, $query, has been deprecated. * The ParserTestTables hook has been deprecated; it is no longer necessary after a ParserTestRunner refactoring. * The following classes have been hard deprecated: CachedAction, SpecialCachedPage, CacheHelper, ICacheHelper. They were unused in MediaWiki ecosystem, so no replacement was provided. * The ProtectionForm::buildForm hook has been deprecated. Please use the ProtectionFormAddFormFields hook instead. * RevisionStore::newMutableRevisionFromArray has been hard deprecated. Instead, MutableRevisionRecord should be constructed directly via constructor. * UserIdentity::getActorId() is deprecated. The actor ID should not be exposed to application logic. Storage layer code should use the ActorNormalization service for normalizing and denormalizing user names. * Constructing a UserIdentityValue with an actor ID as the third parameter is deprecated. The parameter should be omitted. Storage layer code should use the ActorNormalization service for normalizing and denormalizing user names. * Command::cgroup() is deprecated and no longer functional. $wgShellCgroup is now implemented as an Executor option. * Command::restrict() is deprecated. Instead use the new separate accessors. * MWTidy::tidy() is deprecated. Use MediaWikiServices::getTidy()->tidy() instead. * TidyDriverBase::supportsValidate() is deprecated; it has always returned false since 1.33.
* WatchedItem::getUser hard-deprecated in favor of ::getUserIdentity. * WatchedItemStoreInterface::enqueueWatchlistExpiryJob was hard deprecated in favor of the new method maybeEnqueueWatchlistExpiryJob that takes care of relevant configuration checks. * LogEntry::getPerformer() and its implementations have been hard-deprecated, in favor of ::getPerformerIdentity(). * AuthManager::singleton(), deprecated in 1.35, is hard deprecated. Use MediaWikiServices::getAuthManager() instead. * User::clearNotification(), deprecated in 1.35, is hard deprecated. Use WatchlistManager::clearTitleUserNotification() instead. * Passing string to DatabaseBlock::setBlocker was deprecated. Only UserIdentity is now allowed. * DatabaseBlock constructor 'byText' option was deprecated in favour of 'by' option, which now accepts UserIdentity. Passing user ID is deprecated. * Parser::getUser was deprecated. Use Parser::getUserIdentity instead. * DatabaseBlock::isWhitelistedFromAutoblocks was deprecated. Use DatabaseBlock::isExemptedFromAutoblocks instead. * User::isIPRange(), deprecated in 1.35, is hard deprecated. Use the UserNameUtils service or IPUtils directly. * BaseTemplate::getFooterIcons(), deprecated in 1.35, is hard deprecated. Read footer icons from template data requested via $this->get('footericons'). * `box-shadow()` LESS mixin from mediawiki.mixins is deprecated due to updated basic browser support. Use unprefixed property `box-shadow:` instead. * MergeHistory::checkPermissions was deprecated. Use ::probablyCanMerge or ::authorizeMerge instead. * User::isValidUserName(), deprecated in 1.35, is hard deprecated. Use the UserNameUtils service instead. * The TitleArrayFromResult hook has been deprecated. * The EditPageBeforeEditToolbar hook has been deprecated; it has become defunct after the classic edit toolbar was removed. Use one of the many other EditPage hooks instead. 
* Deprecated the class name MediaWiki\User\WatchlistNotificationManager; use MediaWiki\Watchlist\WatchlistManager instead. Deprecated the method MediaWikiServices->getWatchlistNotificationManager(); use MediaWikiServices->getWatchlistManager() instead. * The "ArticleEditUpdatesDeleteFromRecentchanges" hook, deprecated in 1.35, has been removed. Other hooks like "RecentChange_save" can be used instead. === Other changes in 1.36 === * The 'tidy' key in ParserOptions (used in the parser cache) has been removed. It has had no effect since 1.35. * A future release of MediaWiki will make `{{=}}` a built-in parser function, for use when automatically escaping the `=` character in template arguments. A tracking category and parser warning have been added to this release when `{{=}}` is used and it expands to something other than `=`. * The implementation of TestFileReader::read has been changed to use Parsoid's parser test file parser. This should be compatible with existing code, but it only supports version 2 of the test file specification and may be more strict when parsing invalid input, including duplicate tests. * BeforeParserFetchTemplateRevisionRecord, a new hook, unifies and replaces the old BeforeParserFetchTemplateAndtitleHook and ParserFetchTemplateHook. * The SkinLessImportPaths attribute was added, allowing skins to add a directory to the import path for LESS stylesheets. Skins can use this to provide a custom version of mediawiki.skin.variables.less, setting skin-specific values for certain LESS variables. * The interaction between ContentHandler::getParserOutputForIndexing() and ContentHandler::getDataForSearchIndex() has been clarified (the latter should only be called with the result of the former). Extensions may override getParserOutputForIndexing() to skip generating HTML, which may improve indexing performance. 
(The default implementation still generates HTML, and getDataForSearchIndex() implementations can still rely on it if they do not override getParserOutputForIndexing().) * Article::fetchContentObject, ::mContentObject, ::mContentLoaded, ::mRevIdFetched, all deprecated since 1.32, were removed. * Article::mParserOptions and ::setParserOptions were removed. * Article and ImagePage::getEmptyPageParserOutput, unused, were removed. * ParserCache's default serialization format was changed from PHP serialization to JSON serialization. In case some installed extensions do not support JSON yet, $wgParserCacheUseJson can be used to revert back to PHP serialization. * PermissionManager::groupHasPermission, ::getGroupPermissions and ::getGroupsWithPermission were deprecated, use GroupPermissionsLookup service instead. * WatchedItemStoreInterface now accepts PageIdentity where it accepted LinkTarget, calling with LinkTarget was deprecated. * 'movable' attribute has been added to the 'namespaces' property of extension.json schema. Extensions that define namespaces can set it to `false` to disallow moving pages in the specified namespace. Extensions should either use this or NamespaceIsMovableHook, but not both. The hook overrides the attribute. == Compatibility == MediaWiki 1.36 requires PHP 7.3.19 or later and the following PHP extensions: * ctype * dom * fileinfo * iconv * intl * json * mbstring * xml MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature.
The supported versions are: * MySQL 5.5.8 or later * PostgreSQL 9.4 or later * SQLite 3.8.0 or later == Online documentation == Documentation for both end-users and site administrators is available on MediaWiki.org, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain): https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation == Mailing list == A mailing list is available for MediaWiki user support and discussion: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l A low-traffic announcements-only list is also available: https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes. == IRC help == There's usually someone online in #mediawiki on irc.libera.chat. = MediaWiki 1.35 = MediaWiki 1.35 should mostly work on PHP 8.0/8.1, however it is not currently actively supported. Testing (on a development wiki!) is appreciated, and bugs with PHP 8.0/8.1 on MediaWiki 1.35 will be accepted. It is anticipated that in a later MediaWiki 1.35 point release, we can declare 1.35 as supporting PHP 8.0/8.1. PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/ PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/ PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/ PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/ == MediaWiki 1.35.13 == This is a maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.12 === * Tarball release to fix backport issues with patch for T341529. == MediaWiki 1.35.12 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.11 === * Localisation updates. 
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion. * (T341434) WikiImporter: Improve error message output. * (T341737) ApiBase: Cast $id to string in filterIDs. * (T342632) ApiComparePages: Add help url. * (T347227) ImportReporter: Make callback functions public. * doc: Improve description of type in extension.schema.v1.json. * (T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages. * (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression. * (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non-standard configuration). == MediaWiki 1.35.11 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.10 === * Localisation updates. * (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1. * (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7 (1.9.0 => 1.9.1). * (T269636) Add Access-Control-Max-Age to $wgAllowedCorsHeaders. * (T322944) Add Authorization to default $wgAllowedCorsHeaders. * (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter. * (T297917) objectcache: avoid use of ctype_digit() in WANObjectCache::adaptiveTTL(). * (T330464) Work around argument corruption bug in XMLReader::open. * (T313157) IndexPager: Also protect against $offset being 0. * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker. == MediaWiki 1.35.10 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.9 === * Localisation updates. * (T324895) MWCallbackStream: Add explicit $stream property. * Remove /images .htaccess rules that are no longer relevant. * Disable php in .htaccess of images directory as a hardening measure. * (T322583) Include missing message parameter in message.
* Fix phan error when Excimer is enabled. * (T274966) tests: Make pass on php8.0. * (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0. * (T326021) Add matrix: to $wgUrlProtocols. * api/en.json: api-help-datatype-expiry add missing 'may'. * (T225218) Wait until the recent changes are updated. * (T328222) Pass empty string to strlen() if schema is null for PostgresDatabase. * (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code. * (T289926) SpecialRevisionDelete: Set default of '' for wpReason. * (T155582, T328503) Fix XML dumps for content types with non-string getNativeData(). * (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4. * (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses. * (T329198) ParamValidator: Improve paramvalidator-help-multi-max message. * (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag. * (T329484) API: Fix query+allimages user parameter description. * (T330529) SpecialEditTags: Set default of '' for wpReason. * (T330526) htmlform: Handle null from HTMLFormField::getDefault in multiselects. * (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted XFF headers. == MediaWiki 1.35.9 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.8 === * Localisation updates. * (T319000) WebInstaller: Don't try and run trim() on null. * (T320864) When calling mail(), use an array for headers. * (T311567) In ManualLogEntry, cast the comment to string. * (T323082) Upgrading wikimedia/xmp-reader (0.7.0 => 0.8.5). * Language: Handle ronna and quetta. * (T304515) LCStoreStaticArray: atomically replace the cache file. * (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2. * (T322637) SECURITY: sqlite should not create DB file world-readable. == MediaWiki 1.35.8 == This is a security and maintenance release of the MediaWiki 1.35 branch. 
=== Changes since MediaWiki 1.35.7 === * Localisation updates. * (T311568) UploadBase::setTempFile() handle $tempPath being passed as null. * (T311559) SpecialListFiles: user parameter isn't always present. * (T311561) ImageListPager: Don't call htmlspecialchars() on null. * (T311920) SpecialBlockList: Prevent passing null to trim(). * (T311921) SpecialUserrights: Don't pass null to str_replace. * (T311570) SpecialWithoutInterwiki: Don't pass null through to Title::capitalize(). * (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser. * (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null. * (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid. * (T312302) SpecialRedirect: Don't pass null to explode. * RemoveInvalidEmails: Fix quoting for postgres. * (T312678) import: UploadSourceAdapter::stream_read() don't pass null to strlen(). * (T312300) SpecialDiff: Don't pass null to explode(). * (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg. * (T289926) Handle null passed to wfShorthandToInteger() and Html::element(). * (T289926) Ensure that strlen() does not get passed a (valid) null. * (T312301) SpecialDiff: Don't pass null to trim(). * Hooks: Use more meaningful name for SkinAfterPortlet hook parameter. * (T289926) Ensure we don't pass null to mb_strlen. * (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim() calls. * (T289926) site: Consistently return null from Site::getDomain(). * (T307304, T289879) filebackend,jobqueue: Add signature for FilterIterator::accept(). * (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1. * Add application/vnd.ms-opentype to MIME list. * Allow composer/installers plugin in composer.json. * (T313663) Make HandlerTestTrait compatible with php8.1. * (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests. 
* Change type hints for BatchRowIterator and NotRecursiveIterator for compatibility with PHP 8.1. * (T313663) [php8] Don't use strlen on potentially null string. * (T313663) [php8.1] Suppress test warning about providing null. * (T313663) Parser will use current timestamp instead of null if passed a RevisionRecord that does not have a timestamp. * (T313663) Add explicit null check for $sha in FileBackend [php8.1]. * (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1]. * (T289879, T289926) Get rid of warnings on PHP 8.1. * rdbms: fix some PHP 8 warnings in Database/LoadBalancer/LBFactory. * (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat]. * Fix a couple deprecation warnings in the installer under PHP 8.1. * (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1]. * (T314096) Migrate use of ${var}-style string interpolation. * (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be '' not null. * (T314225) SpecialCategories: Null coalescence $par. * (T314099) User: Allow dynamic properties on PHP 8.2. * (T314404) SpecialGoToInterwiki: Null coalescence $par. * (T314397) SpecialBlock: Better handle null in getTargetUserTitle. * (T314099) phpunit: Fix trivial dynamic property usages in tests. * (T314405) UploadStash: Check if us_prop is set in the fileMetadata. * (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint. * (T314551) SpecialMergeHistory: Set defaults for target and dest parameters. * api: Add rel=nofollow to help examples. * (T314824) tests: Update parser test after i18n change. * (T263927) Add autocomplete HTML attribute to common auth form fields. * (T307613) Validate length of user email on Special:ChangeEmail/ Special:CreateAccount. * (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and wpNamespaceRestrictions. * (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite. * (T315892) composer.json: Pin phpunit to 8.5.28.
* (T229092) MigrateActors.php: ignore duplicate creations of actors. * (T313049) Bump wikimedia/parsoid to v0.12.3. * (T317750) session: Fix broken SessionTest case due to PHPUnit dependency change. * (T318460) SpecialChangeEmail: Set default for returntoquery. * (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results in an IP range check on Special:Contributions. * (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence of hidden users. == MediaWiki 1.35.7 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.6 === * Localisation updates. * (T289879) Type hints for ArrayAccess. * (T304783) TemplateParser: avoid warnings when called by NoLocalSettings. * Rebuilt vendor with composer 2.3.3. * (T289879) Address some deprecations for PHP 8.1. * Fix old_name in UserLogoutComplete hook. * (T286260, T307979) objectcache: normalize $exptime to a TTL in APCUBagOStuff/WinCacheBagOStuff. * MediaSearchWidget should declare an explicit dependency on mediawiki.user module. * (T288423) WikiImporter: Replace deprecated WikiRevision::setText. * (T309377, CVE-2022-29248, T311384, CVE-2022-27776) Updating guzzlehttp/guzzle (6.5.5 => 6.5.8). * (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage(). * (T311272) Call parent constructor of AddSite maintenance script first. * MediaWiki: Don't eagerly initialize action name. * (T289926) Avoid passing null to trim() in SkinTemplate. * (T307282) Avoid passing null to strcasecmp(), for PHP 8.1. * (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode(). * (T311569) FileBackend::isStoragePath() Handle being passed null. * (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param. * (T311678) SpecialEditWatchlist: Prevent passing null to strtolower(). * (T281741) ChangeTags: Fix adding CSS classes for hidden tags. * (T296642) changetags: Fix management of a '0' tag. 
* (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null. * (T303033) Handle null in ChangeTags::modifyDisplayQuery. == MediaWiki 1.35.6 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.5 === * (T298261) Fix support for Composer 2.2. * (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins. * Update doctrine/dbal (3.0.0 => 3.1.5). * (T298564) MemcachedClient: Add support for IPv6. * (T297543, CVE-2022-28202) SECURITY: properly escape output used within galleries and Special:RevisionDelete. * (T268847) Suppress deprecation warnings from libxml_disable_entity_loader(). * (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest. * (T274966) Upgrading wikimedia/html-formatter (1.0.2 => 2.0.1). * Fix the json schema and the extension processor for Parsoid extension modules. * (T299696) update.php: Avoid passing null to substr. * In PHP 8.1 don't throw exceptions from mysqli. * (T289926) SiteConfiguration: Don't pass null to str_replace(). * (T264735) Fix deprecation warning from CURLPIPE_HTTP1. * (T260735) Stop using is_resource() where possible. * (T289879) Apply ReturnTypeWillChange to various implementations of built in interfaces. * (T299312) Implement __serialize/__unserialize for PHP 8.1 support. * ExtensionRegistry: Add process cache for lazy attributes. * (T301041) ApiPageSet: Add "missing": true to missing revisions. * Allow ParsoidModules extension schema to register services. * (T297708) Allow setting max execution time to several special pages. * Upgrading wikimedia/object-factory (v2.1.0 => v2.2.0). * (T302540) composer.json: Add ext-calendar to require. * (T302540) composer.json: Add ext-simplexml to require-dev. * (T302540) composer.json: Add various PHP extensions to suggests. * Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0). * (T303871) Add Title::getId() as an alias for ::getArticleId(). 
* (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning. * (T293576) listFiles: Display file name instead of version. * (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value. * wrapOldPasswords: add \n to two output calls. * (T304993) Make editcontentmodel a part of editpage grant. * (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki. * (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS. == MediaWiki 1.35.5 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.4 === * (T290697) Add symfony/polyfill-php80. * IcuCollation: Add some more icu to unicode version mappings. * ApiBase: Annotate deprecated constants individually. * PHPVersionCheck: Mark PHP 7.4.0 - 7.4.2 as buggy. * (T293044) installer: Fix 5th param to sourceFile() in DatabaseUpdater. * (T291127) Always encode spaces in cookie values as "%20". * Use LocalFile::getHookRunner instead of LocalFile::hookRunner. * HistoryBlobStub: add getLocation() to get $mOldId. * Fix checkStorage.php. * checkStorage: pass no parameters to WikiRevision::getContent(). * (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion results. * (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode". * (T250068) resources: Upgrade jQuery from 3.4.1 to 3.6.0. * (T250068) resources: Upgrade jquery-migrate from 3.1.0 (patched) to 3.3.2 (patched). * (T294796) JobQueueRedis: Replace deprecated zSize with zCard. * (T212428, T267468) Allow populateContentTables to continue when there are bad blobs. * (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is set. * Update pear/mail_mime to 1.10.11. * Update deprecated Guzzle Psr7 function calls. * Tweak error message for missing composer dependencies. * (T296112) Allow inserting new sections named '0'. 
* nukeNS: don't run purgeRedundantText() after every change. * (T225888) RollbackAction: fix missing pagetitle. * (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in undo actions. * (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback. * (T34716, T297416) SECURITY: Require 'read' right for most actions. * (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook when changing content model. == MediaWiki 1.35.4 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.3 === * (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode. * (T283273) Make postgres IRC channel point to libera.chat. * (T289108) ExtensionProcessor: Remove loaderScripts from extension.json schemas. * (T281549) Installer: Fix mediawiki-announce auto subscription code. * FormatJson: Optimize encode() for supported PHP versions. * (T290398) renameRestrictions.php: Update protected_titles as well. * $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329 form of JavaScript, 'application/javascript', as well as previous MIME types. * (T51097, T290273) resourceloader: Call getStyleFiles from FileModule::getFileHashes. * (T277788) parser: Avoid calling ParserOptions::getOption() too many times. * (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search. * (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan. * (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions. == MediaWiki 1.35.3 == This is a security and maintenance release of the MediaWiki 1.35 branch. === Changes since MediaWiki 1.35.2 === * (T259685) SQLite compatibility with ZeroConf VisualEditor was fixed in 1.35.2. * (T196906, T242751) Fix the test MonologSpiTest::testDefaultChannel. * (T279964) Parser: Trim trailing whitespace as the last step in pre-save transform. 
* (T278026) rdbms: Add DB_PRIMARY to replace DB_MASTER. * (T252853) Update updateSearchIndex.php to 2006+ standards. * (T276945) Define a batch size in maintenance/manageJobs.php. * (T276945) Implement JobQueueDB::getAllAbandonedJobs. * (T269676) authevents: strval() variables passed to status when logging. * (T280944) $wgIncludejQueryMigrate - This setting allows the jQuery Migrate plugin to be disabled. It has been enabled by default since MediaWiki 1.27. * (T281584) apihelp-query+iwlinks-param-prop: s/interlanguage/interwiki/. * (T281635) Delete maintenance/cleanupAncientTables.php. * (T282133) RedisConnectionPool: Suppress phan issue. * (T281549) WebInstaller: Don't show the announce-l subscribe checkbox temporarily. * (T278266) Fix annoying E_NOTICE about undefined 'alt' index in Skin#makeFooterIcon. * (T264214) UserRightsProxy::addGroup has to be allowed to update the old group as well, which is used for granting interwiki rights. * (T269776, T278266) getFooterIcons should not return empty arrays. * (T274966) Skip AvroFormatterTest::testSchemaNotAvailable on PHP 8.0. * phpunit: fail on warnings. * (T283247) Freenode -> Libera per wikimedia moving from freenode to libera. * (T243124) Make phpunit:unit accept extension*.json to populate the classes. * (T142663) Add extension.json merge strategy "provide_default". * (T283540) HookContainer: Fix normalization of callback for static handler. * (T283464) Fix array order for array_replace_recursive merge strategy. * (T247223) Optimise MessageCache::isMainCacheable() for the single-message case. * (T278579) Don't send headers on ob_end_clean(). * (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages. == MediaWiki 1.35.2 == This is a security and maintenance release of the MediaWiki 1.35 branch. MediaWiki 1.35.2 supports Composer 2.0. It is recommended to make sure your libraries are up to date on Composer 1.x, before running Composer 2.x. 
While normally running update.php isn't required for point releases, it is recommended to run it for 1.35.2 so that iwlinks.iwl_prefix is updated to take 32 characters. === Changes since MediaWiki 1.35.1 === * (T270450) The confusingly-named User->isLoggedIn() method has been deprecated in favour of the method it wraps, User->isRegistered(). * Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support. * Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support. * Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support. * (T270734) Fix display of Special:Preferences URL in password reset email. * (T252774, T271441) resourceloader: Give SkinModule 'features' option an extensible default. * (T271441) Unknown features shouldn't break style output. * (T264986) Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having curl >= 7.30.0. * DefaultSettings.php: Update $wgPingback documentation. * Fix docs for LanguageConverter::translate. * (T272250) Don't rely on implicit string->int cast in comparison. * (T272327) Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine. * (T272328) UploadBase: Don't call MimeAnalyzer if mTempPath is null. * Remove nonfunctional default sampling for WANObjectCache metrics. * (T258851) Prevent service injection to LoadExtensionSchemaUpdates hook. * (T270852) Hooks: Map dash character to underscore when generating hook names. * (T271551, T270145) Fix fetching ipblock-exempt within BlockManager::getUserBlock. * PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0. * (T248925) Set empty closures in DatabaseTest to fix PHP 8 tests. * (T34217) rdbms: Remove outdated MySQL 4 references and fix doc URLs. * (T248925) Special:Contributions reports negative namespace error on PHP 8. * (T248925) objectcache: Fix non-numeric string check in HashBagOStuff for PHP 8. * (T248925) Fix CacheTime::getCacheExpiry for PHP 8. * (T259685) Allow REST API POST handlers to opt out of mandatory SQLite locking. 
* (T91820, T259685) MWLBFactory: rename magic HTTP header for opting out of SQLite write lock. * (T272326) Fix DeprecationHelperTest on PHP 8. * Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support. * (T236639) OutputPage: Make $wgDebugRedirects work again. * (T274648) registration: Allow reusing cached metadata between wikis. * CdnCacheUpdate: Send full URL instead of path to Curl for purge. * Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support. * FileBackend: Do not use SOCKET_ENOENT on windows. * (T275441) ApiQueryUserInfo: Allow all uiprops to be requested at once. * (T275261) Escape wikitext in the title in invalid title error messages. * (T275242) Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL. * (T246594, T270228) PHPVersionCheck: Complain about known-bad versions above minimum. * (T275824) Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for Composer 2.0 support. * (T269293) Record all used options in metadata. * Allow usage of Composer 2.0 to install MediaWiki's dependencies. * (T259872) skins: Call headElement() after getTemplateData() in SkinMustache. * (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access Special:ResetTokens. * (T272412) Add "Account data" section to user preferences. * (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook. * (T277520) registration: Allow specifying immovable namespaces in extension.json. * (T275619) Maintenance::hasOption and Maintenance::getOption now behave as documented and are not altered by previous calls to these methods. * (T254688) Remove page inner join from subquery in SpecialWhatLinksHere. * (T122124) signup: added help message for security. * (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages on Special:NewFiles. * (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on ChangesList pages. * (T277414) HTMLFormField: Use non namespaced class name rather than static::class. 
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php for page_namespace below 0. * (T246594, T270228) Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8. * (T268230) Switch to new MediaWiki logo by Serhio Magpie. * (T271735) Expand config-pingback-help, link to privacy policy in config-pingback. * Fix documentation of user-global in $wgRateLimits. * BackupDumper: Add -o as shortcode for --output. * (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors. * (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they have right to do so via action=protect. * (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast double move. * (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can create pages. * (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for inserting mostly arbitrary tags. == MediaWiki 1.35.1 == This is a security and maintenance release of the MediaWiki 1.35 branch. While normally running update.php isn't required for point releases, it is recommended to run it for 1.35.1 so that sites.site_language is updated to take 35 characters. Watchlist Expiry is no longer considered experimental, but is off by default. To enable it, set $wgWatchlistExpiry = true; in your LocalSettings.php. === Changes since MediaWiki 1.35.0 === * (T263929) purgeList.php Fix all-namespaces option to match one used in code. * (T248719) ParserCache::get - fix wfDeprecated call. * (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown after hitting Tab. * Preload mediawiki.watchstar.widgets before api request. * (T261030) ApiEditPage: Show existing watchlist expiry if status is not being changed. * (T264502) Fix PHP 8 compat with strcspn() $length parameter exceeding string. * (T248925) Remove final modifier on private function. * (T264683) Remove ipb_anon_only from ipb_address_unique index addition. * (T261415) Add days left messages to changes-lists' clock icons. 
* Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave. * (T261260) Preload class used in HeaderCallback. * (T260868, T260009) Normalize WatchedItem expiry field. * (T264683) Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields. * (T264534) ApiPageSet: Avoid infinite loop when merging redirects. * (T196906) Empty Monolog loggers are now real blackholes. * (T258649) WatchAction: avoid UPDATE when old and new watch period is indefinite. * Parser: Adjust typehint to show that getTitle can return null. * (T263592) media: Fix case of FlashPixVersion in FormatMetadata::makeFormattedData(). * (T265223) BaseTemplate: Guard against passing zero arg to array_merge(). * (T264965) Fix base path handling for MessagePosterModule registration. * (T252183) Fix Database::getTempTableWrites for multi table DDLs. * (T182546) Fix switch/case indentation per mediawiki coding conventions. * Flip Yoda conditionals. * (T263213) Move SkinTemplate::getFooterLinks() to Skin. * build: Updating mediawiki/mediawiki-codesniffer to 33.0.0. * (T267105) Make ImageBuilder::checkMissingImage public. * Updating guzzlehttp/guzzle (6.5.4 => 6.5.5). * (T266681) Support new style hook registration on install and update. * (T266980) Fix unsetting of copyright icon in FooterIcons. * upload.js: Don't assume that warnings array will include 'code' key. * upload.js: Fix typo in upload API. * (T264333, T190988, T266903) Pass along ignorewarnings param to all individual chunks being uploaded. * (T267558) importTextFiles.php: Replace deprecated WikiRevision:setText(). * (T266418) composer.json: add requirement for composer-plugin-api ^1.1. * (T261431) Add ARIA attributes to watchlink and its notification. * (T258877) Change invalid 'Content-Encoding: none' header. * Fix trailing ; in patch-sites-site_language-35.sql. * (T248852) wfAssembleUrl: Handle empty query field in URL bits. * (T268846) Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0). 
* (T268887) migrateComments: Cast array keys back to string before passing to the DB. * (T266619) Introduce new $wgThumbPath config. * (T269178) MemcachedClient: Cast Resource to integer. * (T263925) Use the old HookContainer to set up the post-reset services. * Change "site cache" to just "cache" in the right-purge message. * [UploadedFileStreamTest] Skip test with chmod. * (T269710) Updating composer/semver (1.5.1 => 1.7.2). * (T269710) Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0). * (T260631, T260633), BotPassword::save() now returns a Status object for the result rather than a bool. The length of the bot password grants and restriction fields are now validated, and an error will be thrown if it would be truncated by the database. * (T265778) Fix English/*nix specific error messages in FSFileBackend. * (T267543) Split dropping of image.img_user_timestamp. * [FileTest] Do not assume /tmp exists on windows. * Clean up temp files correctly after unit tests. * Skip undo related phpunit tests when diff3 is missing. * (T269964) rdbms: Remove outer parentheses in insert query for Postgres. * (T263911) In MWExceptionHandler::report(), catch all throwables. * (T268894, CVE-2020-35474) SECURITY: Use Html::element in ChangeListSpecialPage for sanity. * (T268917) Use Xml::element in SpecialUserrights for sanity. * (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass escaped html to LogFormatter::makePageLink for sanity. * (T268938) Fixed mixed escaping in Language::translateBlockExpiry. * (T263911) UserOptionsManager: don't differentiate anons caches. * (T261260) HeaderCallback: pre-cache request ID. * Parsoid updated to v0.12.1. * (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. * (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users. 
* (T270145) Fix condition that can lead to using APCOND_BLOCKED in $wgAutopromote to cause an OOM in PHP. == MediaWiki 1.35.0 == === Changes since MediaWiki 1.35.0-rc.3 === * (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler. * (T260232) Don't include null page ids in query list for category dumps. * (T260009) Check existing watchitem when saving action=watch. * (T259055) Correct success messages for action=watch. * mediawiki.page.ready: Simpler tablesorter/makeCollapsible call. * mediawiki.page.ready: Fix skin override config flags, wrong way round. * (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase. * (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when action=watch. * (T261901, T261476) mediawiki.notification: Don't close notif when clicking in Special:Preferences now has a correct type="text" parameter * (bug 482) Don't include TOC in the printable version if it has been hidden * Adjust the time according to the user configuration on Special:Revisiondelete * (bug 20624) Installation no longer allows "qqq" as the chosen language * (bug 20634) The installer-created database user will now have all rights on the database so that upgrades will go more smoothly. 
* (bug 18180) Special:Export ignores limit, dir, offset parameters * User::getBlockedStatus() works for all kinds of user objects and doesn't assume the user object is equal to the current-user object ($wgUser) * (bug 20517) Cancel link from edit page now returns to the old version when editing an old version * (bug 16902) Installer no longer shows warnings when exec() has been disabled by disable_functions * (bug 20726) Title::getLatestRevID's documentation now says that the function returns false if the page doesn't exist * (bug 20751) ForeignApiRepo now urldecodes filenames when saving to local cache * (bug 20730) Fix to Special:Version ViewVC link for branch checkouts * (bug 20353) wfShellExec() was adding extra quotes on Windows Vista, causing command line scripts to fail * (bug 20702) Parser functions can now be used correctly in MediaWiki:Missing-article * (bug 14117) "redirected from" is now also shown on foreign file redirects * (bug 17747) Only display thumbnail column in file history if the image can be rendered. * (bug 3421) Live preview no longer breaks user CSS/JS previews * (bug 11264) The file logo on a file description page for documents (PDF, ...) now links to the file rather than the file description page * Password fields built with HTMLForm now still have the type="password" attribute if $wgHtml5=false. * (bug 20836) Preload now works for MediaWiki namespace * (bug 20885) Search box no longer suggests unavailable special pages * (bug 20948) "Create this page" on Special:Search is no longer displayed when searching for special pages * (bug 20524) Hideuser: Show nice error when trying to block hidden user without hideuser right * (bug 21026) Fixed file redirects on shared repos on non-English client wikis * (bug 21030) Fixed schema choices from being overwritten by defining unique field names per driver. 
* (bug 21115) wgCanonicalSpecialPageName javascript variable is now always false on non-special pages * (bug 21113) "Other statistics" header on Special:Statistics is no longer displayed when there isn't any entry in it * (bug 21114) Special:Contributions no longer shows diff links for new revisions * (bug 21116) MediaWiki:Templatesused, MediaWiki:Templatesusedpreview and MediaWiki:Templatesusedsection now support plural * (bug 21079) There is no more line wrapping between label and field in Special:Log * (bug 20256) Fixed SQL errors on Special:Recentchanges and Special:Recentchangeslinked on SQLite backend * (bug 20880) Fixed updater failure on SQLite backend * (bug 21182) Fixed invalid HTML in Special:Listgrouprights * (bug 20242) Installer no longer prompts for user credentials for SQLite databases * (bug 20911) Installer failed to create a SQLite database * (bug 20847) Deprecated akeytt() removed in wikibits.js, leaving a dummy * (bug 21161) Changing $wgCacheEpoch now always invalidates file cache * (bug 20268) Fixed row count estimation on SQLite backend * (bug 20275) Fixed LIKE queries on SQLite backend * (bug 21234) Moving subpages of titles containing \\ now works properly * (bug 21006) maintenance/updateArticleCount.php now works again on PostgreSQL * (bug 19319) Add activeusers-intro message at top of SpecialActiveUsers page * (bug 21255) Fixed hostname construction for DNSBL checking * (bug 18019) Users are now warned when moving a file to a name in use on a shared repository and only users with the 'reupload-shared' permission can complete the move.
* (bug 18909) Add missing Postgres INSERT SELECT wrapper * User::isValidPassword now only returns boolean results, User::getPasswordValidity can be used to get an error message string * The error message shown in Special:ChangePassword now parses wiki markup * (bug 19859) Removed experimental HTMLDiff feature * Removed section edit links in edit conflict form * Allow SpecialActiveusers to work on non-MySQL databases * (bug 6579) Fixed protecting images from uploading only * (bug 18609) Search index was empty for some pages * (bug 13453) rebuildrecentchanges maintenance script works on PG again * (bug 16583) Reduce false positives when checking for PHP (on upload, etc.) * (bug 20112) Bitrotted tests in the t/ directory were failing.
* (bug 21470) MediaWiki:Sp-contributions-explain is now wrapped in an element with id "mw-sp-contributions-explain" * (bug 19159) Fixed \overleftrightarrow in texvc * (bug 19391) Fix caching for Recent ChangesFeed. * (bug 21455) Fixed "Watch this page" checkbox appearing on some special pages even to non-logged in users * (bug 21551) Rewrote the Squid purge HTTP client to provide a more robust and general implementation of HTTP, allowing it to purge non-Squid caches such as Varnish. * Fixed corruption of long UDP debug log messages by using socket_sendto() instead of fsockopen() with fwrite(). * (bug 16884) Fixed feed links in sidebar not complying with URL parameters of the displayed page * (bug 21403) memcached class renamed to MWMemcached to avoid conflict with PHP's memcached extension * (bug 21650) Both calls to SkinTemplateTabs hook are now compatible * (bug 21672) Add missing Accept-Language to both Vary and XVO headers * (bug 21679) "Edit block reasons" link at the bottom of Special:Blockip is now only displayed to the users that have "editinterface" right * (bug 21740) Attempting to protect a page that doesn't exist (salting) returns "unknown error" * (bug 18762) both redirects and links get fixed one after another if redirects-only switch is not present * (bug 20159) thumbnails rerendered if older than $wgThumbnailEpoch * Fixed a bug which in some situations causes the job queue to grow forever, due to an infinite loop of job requeues. * (bug 21523) Files that can have multiple pages (djvu, pdf, ...) no longer have the page selector when they have only one page * (bug 21559) "logempty" message is now wrapped in a div with class "mw-warning-logempty" when used in log extract * (bug 20549) Parser tests were broken on SQLite backend * (bug 21776) Interwiki urls like http://en.wikibooks.org/wiki/cs: should give a redirect instead of a baderror. * (bug 21803) Special:MyContributions now keeps the query string parameters * Redirecting special pages now keep query string parameters set to "0" (e.g.
for namespace) * (bug 20765) Special:ListGroupRights no longer misses addables and removables groups if there are duplicate entries * (bug 21814) Message shown when rolling back an edit with a deleted username now shows '(username deleted)' instead of broken user tool links * (bug 21536) Fixed JavaScript error on Special:Search caused by an incorrect ID * (bug 21535) RecentChanges RSS feed now always recognises the namespace filter, previously it sometimes didn't due to caching. * (bug 20388) ProfilerSimpleText no longer outputs comment on action=raw * refreshLinks.php now purges orphaned redirect table rows * (bug 2971) Swap links of hist & diff location on Special:Contributions for consistency with RC/WL * (bug 21986) Special page names are now capitalized by content language * If two log types have the same description, they're now both displayed in the type selector on Special:Log * (bug 20115) Special:Userlogin title says "Log in / create account" even if the user can't create an account * (bug 2658) Don't attempt to set the TZ environment variable. * (bug 9794) User rights log entries for foreign user now links to the foreign user's page if possible * (bug 14717) Don't load nonexistent CSS fix files for non-Monobook skins * (bug 22034) Use wfClientAcceptsGzip() in wfGzipHandler instead of reimplementing it. * (bug 19226) First line renders differently on many UI messages. * (bug 21303) Comments are no longer stripped from MediaWiki:Common.js and skin-specific JS pages * (bug 5061) Use the more precise thumbcaption thumbimage and thumbinner classes for image divs. * (bug 22096) IE50Fixes.css and IE55Fixes.css have been dropped from the Monobook and Chick skins * Fixed bug involving unclosed "-{" markup in the language converter * (bug 21870) No longer include Google logo from an external server on wiki error. 
* (bug 22181) Do not truncate if the ellipsis actually makes the string longer * (bug 16039) Text disappearing after a bad image * (bug 18784) Internal links like [[File:Foo|caption]] should read 'caption', not 'File:Foo' when Foo is not an image * (bug 21518) Special:UserRights no longer displays the user name box for users that can only change their rights * (bug 21593) Special:UserRights now lists automatic groups membership * (bug 22364) Setting $wgUseExternalEditor to false no longer hides the reupload link from file pages * Fix bug introduced in MediaWiki 1.12: The author field in $wgExtensionCredits is no longer sorted with sort() but rather used as it appears in extensions as was the case before r30117 where it was unintentionally sorted along with other fields. * (bug 19334) Textarea no longer jumps when editing longer articles in IE8 * Truncate summary of page moves in revision comment field to avoid broken multibyte characters * (bug 22540) ForeignApiRepos no longer try to store thumbnails that don't exist * (bug 22551) Special:Resetpass now has a "Cancel" button that sends the user to the page set in the &returnto parameter. * (bug 19194) Search box in Modern skin doesn't focus with Safari/Chrome * (bug 17790) Users instantly logged off on HughesNet * (bug 21549) Make foreign key constraints DEFERRABLE INITIALLY DEFERRED when using Postgres as the database backend.
== API changes in 1.16 == * Added uiprop=changeablegroups to meta=userinfo * Added usprop=gender to list=users * (bug 18311) action=purge now works for images too * Add parentid to prop=revisions output * (bug 17832) action=delete returns 'unknownerror' instead of 'permissiondenied' when the user is blocked * (bug 18546) Added timestamp of new revision to action=edit output * (bug 18554) Also list hidden revisions in list=usercontribs for privileged users * (bug 13049) "API must be accessed from the primary script entry point" error * (bug 16422) Don't display help for format=jsonfm unless specifically requested * Added PHP and database version to meta=siteinfo output * (bug 18533) Add readonly message to meta=siteinfo output * (bug 18518) Add clprop=hidden to prop=categories * (bug 18710) Fixed internal error with empty parameter in action=paraminfo * (bug 18709) Missing descriptions for some parameters in action=paraminfo output * (bug 18731) Show correct SVN links for extension modules in api.php?version * (bug 18730) Add version information to action=paraminfo output * (bug 18743) Add ucprop=size to list=usercontribs * (bug 18749) Add generator flag to action=paraminfo output * Make action=block respect $wgEnableUserEmail and $wgSysopEmailBans * Made deleting file description pages without files possible * (bug 18773) Add content flag to siprop=namespaces output * (bug 18785) Add siprop=languages to meta=siteinfo * (bug 14200) Added user and excludeuser parameters to list=watchlist and list=recentchanges * Added index, fromtitle and byteoffset fields to action=parse&prop=sections output * (bug 19313) action=rollback returns wrong revid on master/slave setups * (bug 19323) action=parse doesn't return section tree on pages with Cite warnings * (bug 18720) Add anchor field to action=parse&prop=sections output * (bug 19423) The initial file description page used caption in user lang rather than UI lang * (bug 17809) Add number of users in user groups to 
meta=siteinfo * (bug 18533) Add readonly reason to readonly exception * (bug 19528) Added XSLT parameter to API queries in format=xml * (bug 19040) Fix prependtext and appendtext in combination with section parameter in action=edit * (bug 19090) Added watchlist parameter, deprecated watch and unwatch parameter in action=edit * Added fields to list=search output: size, wordcount, timestamp, snippet * Where supported by backend, list=search adds a 'searchinfo' element with optional info: 'totalhits' count and 'suggestion' alternate query term * (bug 19907) $wgCrossSiteAJAXdomains added to allow specified (or all) external domains to access api.php via AJAX, if the browser supports the Access-Control-Allow-Origin HTTP header * (bug 19999) Made metadata and properties of search results optional. Added srprop and srinfo. * (bug 20700) Add amprop=default to meta=allmessages to list default value for customized messages * Don't parse magic words in meta=allmessages, output messages unparsed * (bug 21105) list=usercontribs can now list contribs for User:0 * (bug 21085) list=deletedrevs no longer returns only one revision when drcontinue param is passed * (bug 21106) Deprecated parameters now tagged in action=paraminfo * (bug 19004) Added support for tags * (bug 21083) list=allusers no longer returns current timestamp for users without registration date * (bug 20967) action=edit allows creation of invalid titles * (bug 19523) Add inprop=watched to prop=info * (bug 21589) API: Separate summary and initial page text for uploads * (bug 21817) list=usercontribs returns empty result for empty ucuser * (bug 21441) meta=userinfo&uiprop=options no longer returns default options for logged-in users under certain circumstances * (bug 21945) Add chomp control in YAML * Expand the thumburl to an absolute url to make it consistent with url and descriptionurl * (bug 20233) ApiLogin::execute() doesn't handle LoginForm :: RESET_PASS * (bug 22061) API: add prop=headitems to action=parse * 
(bug 22240) API: include time in siteinfo * (bug 22241) Quick edit is still using the deprecated watch parameter (API: Setting default for watch/unwatch wrongly set) * (bug 22245) blfilterredirect=nonredirects in blredirect mode wrongly filtering * (bug 22248) Output extension URLs in meta=siteinfo&siprop=extensions * Support key-params arrays in 'descriptionmsg' in meta=siteinfo&siprop=extensions * (bug 21922) YAML output should quote asterisk when used as key * (bug 22297) safesubst: to allow substitution without breaking transclusion * (bug 18758) API read of watchlist's wl_notificationtimestamp * (bug 20809) Expose EditFormPreloadText via the API * (bug 18427) Comment (edit summary) parser option for API * (bug 18608) API should provide list of CSS styles to apply to rendered output * (bug 18771) List possible errors in action=paraminfo === Languages updated in 1.16 === MediaWiki supports over 300 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports. 
* Capiznon (cps) (new) * North Frisian (frr) (new) * Kirmanjki (kiu) (new) * Komi-Permyak (koi) (new) * Karachay-Balkar (krc) (new) * Hill Mari (mrj) (new) * Prussian (prg) (new) * Romagnol (rgn) (new) * Lower Silesian (sli) (new) * Picard (pcd) (new) * Uyghur (Arabic script) (ug-arab) (new) * Upper Franconian (vmf) (new) * Votic (vot) (new) * Eastern Yiddish (ydd) (removed) * Iriga Bicolano (bto) (removed) * Ladin (lld) (removed) * Laz (lzz) (removed) * Palembang (plm) (removed) * Megleno-Romanian (Greek script) (ruq-grek) (removed) * Tamazight (tzm) (removed) * Laz (lzz) (new) * (bug 18474) Sorani (ckb - Central Kurdish) (renamed from ku-arab) * Add PLURAL function for Scots Gaelic (gd) * Add Estonian letters äöõšüž to linktrail (et) * (bug 18776) Native name of Burmese language (my) * (bug 18806) Use correct unicode characters in spelling of native Chuvash (Чӑвашла) * (bug 18864) Updated autonym for Zhuang language * (bug 18308) Updated date formatting in Occitan (oc) * (bug 19080) Added ăâîşţșțĂÂÎŞŢȘȚ to Romanian (ro) linktrail * (bug 19286) Correct commafying function in Polish (pl) * (bug 19441) Updated date formatting for Lithuanian * (bug 19630) Added ÄäÇçĞğŇňÖöŞşÜüÝýŽž to Turkmen (tk) linktrail * (bug 19949) New linktrail for Greek (el) * (bug 19809) Korean (North Korea) (ko-kp) (new) * (bug 19968) Fixed "Project talk" namespace name for Maltese (mt) * (bug 21168) Added áâãàéêçíóôõúü to Portuguese (pt) linktrail * (bug 21596) Change interwiki link for Kurdish (ku) * (bug 23767) PHP warning/error when REQUEST_URI returns blank (IIS issue). == MediaWiki 1.15 == == MediaWiki 1.15.5 == === Changes since 1.15.4 === * (bug 24565) Fixed Cache-Control headers sent from API modules, to protect user privacy in the case where an attacker can access the wiki through the same HTTP proxy as a logged-in user. * Fixed a minor cookie header parsing issue causing incorrect Cache-Control headers to be sent.
* Fixed an XSS vulnerability in profileinfo.php for installations with $wgEnableProfileInfo = true (false by default) * For backwards compatibility with extensions from 1.14.x or before, restored the original function ApiMain::requestWriteMode(). * In API login "need token" responses, added the cookieprefix and sessionid fields, as in MediaWiki 1.16.x. This is an improvement to the CSRF fix introduced in 1.15.3. == MediaWiki 1.15.4 == === Changes since 1.15.3 === * (bug 23534) Fixed SQL query error in API list=allusers. * (bug 23371) Fixed CSRF vulnerability in "e-mail me my password", "create account" and "create by e-mail" features of [[Special:Userlogin]] * (bug 23687) Fixed XSS vulnerability affecting IE clients only, due to a CSS validation issue. == MediaWiki 1.15.3 == === Changes since 1.15.2 === * (bug 22828) Fixed deletion on SQLite. * (bug 23076) Fixed login CSRF vulnerability. Logins now require a token to be submitted along with the user name and password. == MediaWiki 1.15.2 == === Changes since 1.15.1 === * The installer now includes a check for a data corruption issue with certain versions of libxml2 2.7 and PHP earlier than 5.2.9, and also for a PHP bug present in the official release of PHP 5.3.1. * (bug 20239) MediaWiki:Imagemaxsize does not contain anymore a
  tag which was displayed to the user
* (bug 21150) SQLite no longer raises an error when deleting files
* (bug 20880) Fixed updater failure on SQLite backend
* upgrade1_5.php now requires being run with the --update option, to prevent
  confusion
* Fixed a CSS validation issue which allowed external images to be included
  into wikis where that is disallowed by configuration.
* Fixed a data leakage vulnerability for private wikis using img_auth.php or
  similar image access authentication schemes. Check user permissions before
  streaming out scaled images from thumb.php.

== MediaWiki 1.15.1 ==
=== Changes since 1.15.0 ===

* Fixed fatal errors for unusual file repository configurations, such as
  ForeignAPIRepo.
* Fixed the "change password" link on Special:Preferences to have the correct
  returnto parameter.
* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block

== MediaWiki 1.15.0 ==
=== Changes since 1.15.0rc1 ===

* Removed category redirect feature, implementation was incomplete.
* (bug 18846) Remove update_password_format(), unnecessary, destroys all
  passwords if a wiki with $wgPasswordSalt=false is upgraded with the web
  installer.
* (bug 19127) Documentation warning for PostgreSQL users who run update.php:
  use the same user in AdminSettings.php as in LocalSettings.php.
* Fixed possible web invocation of some maintenance scripts, due to the use of
  include() instead of require(). A full exploit would require a very strange
  web server configuration.
* Localisation updates.

=== Configuration changes in 1.15 ===

* Added $wgNewPasswordExpiry, to specify an expiry time (in seconds) to
  temporary passwords
* Added $wgUseTwoButtonsSearchForm to choose the Search form behavior/look
* Added $wgNoFollowDomainExceptions to allow exempting particular domain names
  from rel="nofollow" on external links
* (bug 12970) Brought back $wgUseImageResize.
* Added $wgRedirectOnLogin to allow specifying a specific page to redirect
  users to upon logging in (ex: "Main Page")
* Add $wgExportFromNamespaces for enabling/disabling the "export all from
  namespace" option (disabled by default)

=== New features in 1.15 ===

* (bug 2242) Add an expiry time to temporary passwords
* (bug 9947) Add PROTECTIONLEVEL parser function to return the protection
  level for the current page for a given action
* (bug 17002) Add &minor= and &summary= as parameters in the url when editing,
  to automatically add a summary or a minor edit.
* (bug 16852) padleft and padright now accept multiletter pad characters
* When using 'UserCreateForm' hook to add new checkboxes into
  Special:UserLogin/signup, the messages can now contain HTML to allow
  hyperlinking to the site's Terms of Service page, for example
* Add new hook 'UserLoadFromDatabase' that is called while loading a user from
  the database.
* (bug 17045) Options on the block form are prefilled with the options of the
  existing block when modifying an existing block.
* (bug 17055) "(show/hide)" links to Special:RevisionDelete now use a CSS
  class rather than hardcoded HTML tags
* Added new hook 'WantedPages::getSQL' into SpecialWantedpages.php to allow
  extensions to alter the SQL query which is used to get the list of wanted
  pages
* (bugs 16957/16969) Add show/hide to preferences for RC patrol options on
  specialpages
* (bug 11443) Auto-noindex user/user talk pages for blocked user
* (bug 11644) Add $wgMaxRedirects variable to control how many redirects are
  recursed through until the "destination" page is reached.
* Add $wgInvalidRedirectTargets variable to prevent redirects to certain
  special pages.
* Use HTML5 rel attributes for some links, where appropriate
* Added optional alternative Search form look - Go button & Advanced search
  link instead of Go button & Search button
* (bug 2314) Add links to user custom CSS and JS to Special:Preferences
* More helpful error message on raw page access if PHP_SELF isn't set
* (bug 13040) Gender switch in user preferences
* (bug 13040) {{GENDER:}} magic word for interface messages
* (bug 3301) Optionally sort user list according to account creation time
* Remote description pages for foreign file repos are now fetched in the
  content language.
* (bug 17180) If $wgUseFileCache is enabled, $wgShowIPinHeader is
  automatically set to false.
* (bug 16604) Mark non-patrolled edits in feeds with "!"
* (bug 16604) Show title/rev in IRC for patrol log
* (bug 16854) Whether a page is being parsed as a preview or section preview
  can now be determined and set with ParserOptions.
* Wrap message 'confirmemail_pending' into a div with CSS classes "error" and
  "mw-confirmemail-pending"
* (bug 8249) The magic words for namespaces and pagenames can now be used as
  parser functions to return the desired namespace or normalized title/title
  part for a given title.
* (bug 17110) Styled #mw-data-after-content in cologneblue.css to match the
  rest of the font
* (bug 7556) Time zone names in signatures lack i18n
* (bug 3311) Automatic category redirects
* (bug 17236) Suppress 'watch user page link' for IP range blocks
* Wrap message 'searchresulttext' (Special:Search) into a div with class
  "mw-searchresult"
* (bug 15283) Interwiki imports can now fetch included templates
* Treat svn:// URLs as external links by default
* New function to convert namespace text for display (only applies on wiki
  with LanguageConverter class)
* (bug 17379) Contributions-title is now parsed for magic words.
* Preprocessor output now cached in memcached.
* (bug 14468) Lines in classic RecentChanges and Watchlist have classes
  "mw-line-odd" and "mw-line-even" to make styling using css possible.
* (bug 17311) Add a note beside the gender selection menu to tell users that
  this information will be public
* Localize time zone regions in Special:Preferences
* Add NUMBEROFACTIVEUSERS magic word, which is like NUMBEROFUSERS, but uses
  the active users data from site_stats.
* Add a tag on redirected page views
* Replace hardcoded '...' as indication of a truncation with the 'ellipsis'
  message
* Wrap warning message 'editinginterface' into a div with class
  'mw-editinginterface'
* (bug 17497) Oasis opendocument added to mime.types
* Remove the link to Special:FileDuplicateSearch from the "file history"
  section of image description pages as the list of duplicated files is shown
  in the next section anyway.
* Added $wgRateLimitsExcludedIPs, to allow specific IPs to be whitelisted from
  rate limits.
* (bug 14981) Shared repositories can now have display names, located at
  Mediawiki:Shared-repo-name-REPONAME, where REPONAME is the name in
  $wgForeignFileRepos
* Special:ListUsers: Sort list of usergroups by alphabet
* (bug 16762) Special:Movepage now shows a list of subpages when possible
* (bug 17585) Hide legend on Special:Specialpages from non-privileged users
* Added $wgUseTagFilter to control enabling of filter-by-change-tag
* (bug 17291) MediaWiki:Nocontribs now has an optional $1 parameter for the
  username
* Wrap special page summary message '$specialPageName-summary' into a div
  with class 'mw-specialpage-summary'
* $wgSummarySpamRegex added to handle edit summary spam. This is used
  *instead* of $wgSpamRegex for edit summary checks. Text checks still use
  $wgSpamRegex.
* New function to convert content text to specified language (only applies on
  wiki with LanguageConverter class)
* (bug 17844) Redirect users to a specific page when they log in, see
  $wgRedirectOnLogin
* Added a link to Special:UserRights on Special:Contributions for privileged
  users
* (bug 10336) Added new magic word {{REVISIONUSER}}, which displays the editor
  of the displayed revision
* LinkerMakeExternalLink now has an $attribs parameter for link attributes and
  a $linkType parameter for the type of external link being made
* (bug 17785) Dynamic dates surrounded with a tag, fixing sortable tables with
  dynamic dates.
* (bug 4582) Provide preference-based autoformatting of unlinked dates with
  the dateformat parser function.
* (bug 17886) Special:Export now allows you to export a whole namespace
  (limited to 5000 pages)
* (bug 17714) Limited TIFF upload support now built in if 'tif' extension is
  enabled. Image width and height are now recognized, and when using
  ImageMagick, optional flattening to PNG or JPEG for inline display can be
  enabled by setting $wgTiffThumbnailType
* Renamed two input IDs on Special:Log from 'page' and 'user' to 'mw-log-page'
  and 'mw-log-user', respectively
* Added $wgInvalidUsernameCharacters to disallow certain characters in
  usernames during registration (such as "@")
* Added $wgUserrightsInterwikiDelimiter to allow changing the delimiter used
  in Special:UserRights to denote the user should be searched for on a
  different database
* Add a class if 'missingsummary' is triggered to allow styling of the summary
  line
* Title attributes are now always blank on framed and thumbnailed images, and
  default to blank on inline images instead of defaulting to the image's
  filename. Additionally, the alt attribute now defaults to the filename on
  framed and thumbnailed images if no caption or alt attribute is specified.

=== Bug fixes in 1.15 ===

* (bug 16968) Special:Upload no longer throws useless warnings.
* (bug 17000) Special:RevisionDelete now checks if the database is locked
  before trying to delete the edit.
* (bug 16852) padleft and padright now handle multibyte characters correctly
* (bug 17010) maintenance/namespaceDupes.php now add the suffix recursively if
  the destination page exists
* (bug 17035) Special:Upload now fails gracefully if PHP's file_uploads has
  been disabled
* Fixing the caching issue by using -{T|xxx}- syntax (only applies on wiki
  with LanguageConverter class)
* Improving the efficiency by using -{A|xxx}- syntax (only applies on wiki
  with LanguageConverter class)
* (bug 17054) Added more descriptive errors in Special:RevisionDelete
* (bug 11527) Diff on page with one revision shows "Next" link to same diff
* (bug 8065) Fix summary forcing for new pages
* (bug 10569) redirects to Special:Mypage and Special:Mytalk are no longer
  allowed by default. Change $wgInvalidRedirectTargets to re-enable.
* (bug 3043) Feed links of given page are now preceded by standard feed icon
* (bug 17150) escapeLike now escapes literal \ properly
* Inconsistent use of sysop, admin, administrator in system messages changed
  to 'administrator'
* (bug 14423) Check block flag validity for block logging
* DB transaction and slave-lag avoidance tweaks for Email Notifications
* (bug 17104) Removed [Mark as patrolled] link for already patrolled revisions
* (bug 17106) Added 'redirect=no' and 'mw-redirect' class to redirects at
  "user contributions"
* Rollback links on new pages removed from "user contributions"
* (bug 15811) Re-upload form tweaks: license fields removed, destination
  locked, comment label uses better message
* Whole HTML validation ($wgValidateAllHtml) now works with external tidy
* Parser tests no longer fail when $wgExternalLinkTarget is set in
  LocalSettings
* (bug 15391) catch DBQueryErrors on external storage insertion. This avoids
  error messages on save where the edit in fact is saved.
* (bug 17184) Remove duplicate "z" accesskey in MonoBook
* Parser tests no longer fail when $wgAlwaysUseTidy is set in
  LocalSettings.php
* Removed redundant dupe warnings on reupload for the same title. Dupe
  warnings for identical files at different titles are still given.
* Add 'change tagging' facility, where changes can be tagged internally with
  certain designations, which are displayed on various summaries of changes,
  and the entries can be styled with CSS.
* (bug 17207) Fix regression breaking category page display on PHP 5.1
* Categoryfinder utility class no longer fails on invalid input or gives wrong
  results for category names that include pseudo-namespaces
* (bug 17252) Galician numbering format
* (bug 17146) Fix for UTF-8 and short word search for some possible MySQL
  configs
* (bug 7480) Internationalize database error message
* (bug 16555) Number of links to mediawiki.org scaled back on
  post-installation
* (bug 14938) Removing a section no longer leaves excess whitespace
* (bug 17304) Fixed fatal error when thumbnails couldn't be generated for file
  history
* (bug 17283) Remove double URL escaping in show/hide links for log entries
  and RevisionDeleteForm::__construct
* (bug 17105) Numeric table sorting broken
* (bug 17231) Transcluding special pages on wikis using language conversion no
  longer affects the page title
* (bug 6702) Default system messages updated/improved
* (bug 17190) User ID on preference page no longer has delimiters
* (bug 17341) "Powered by MediaWiki" should be on the left on RTL wikis
* (bug 17404) "userrights-interwiki" right was missing in User::$mCoreRights
* (bug 7509) Separation strings should be configurable
* (bug 17420) Send the correct content type from action=raw when the HTML file
  cache is enabled.
* (bug 12746) Do not allow new password e-mails when wiki is in read-only mode
* (bug 17478) Fixed a PHP Strict standards error in
  maintenance/cleanupWatchlist.php
* (bug 17488) RSS/Atom links in left toolbar are now localized in classic skin
* (bug 17472) use print << parameters in Special:Contributions feeds (RSS and
  Atom) now point to the actual contributors' feed.
* ForeignApiRepos now fetch MIME types, rather than trying to figure it
  locally
* Special:Import: Do not show input field for import depth if
  $wgExportMaxLinkDepth == 0
* (bug 17570) $wgMaxRedirects is now correctly respected when following
  redirects (was previously one more than $wgMaxRedirects)
* (bug 16335) __NONEWSECTIONLINK__ magic word to suppress new section link.
* (bug 17581) Wrong index name in PostgreSQL's updater: was
  rc_timestamp_nobot, changed to rc_timestamp_bot
* (bug 17437) Fixed incorrect link to web-based installer
* (bug 17538) Use shorter URLs in elements
* (bug 13778) Hidden input added to the search form so that using the Enter
  key on IE will do a fulltext search like clicking the button does
* (bug 1061) CSS-added icons next to links display through the text and makes
  it unreadable in RTL
* Special:Wantedtemplates now works on PostgreSQL
* (bug 14414) maintenance/updateSpecialPages.php no longer throws error with
  PostgreSQL
* (bug 17546) Correct Tongan language native name is "lea faka-Tonga"
* (bug 17621) Special:WantedFiles has no link to Special:Whatlinkshere
* (bug 17460) Client encoding is now correctly set for PostgreSQL
* (bug 17648) Prevent floats from intruding into edit area in previews if no
  toolbar present
* (bug 17692) Added (list of members) link to 'user' in
  Special:Listgrouprights
* (bug 17707) Show file destination as plain text if &wpForReUpload=1
* (bug 10172) Moved setting of "changed since last visit" flags out of the job
  queue
* (bug 17761) "show/hide" link in page history in now works for the first
  displayed revision if it's not the current one
* (bug 17722) Fix regression where users are unable to change temporary
  passwords
* (bug 17799) Special:Random no longer throws a database error when a non-
  namespace is given, silently falls back to NS_MAIN
* (bug 17751) The message for bad titles in WantedPages is now localized
* (bug 17860) Moving a page in the "MediaWiki" namespace using
  SuppressRedirect no longer corrupts the message cache
* (bug 17900) Fixed User Groups interface log display after saving groups.
* (bug 17897) Fixed string offset error in

 tags
* (bug 17778) MediaWiki:Catseparator can now have HTML entities
* (bug 17676) Error on Special:ListFiles when using Postgres
* Special:Export doesn't use raw SQL queries anymore
* (bug 14771) Thumbnail links to individual DjVu pages no longer have
  two "page" parameters
* (bug 17972) Special:FileDuplicateSearch form now works correctly on wikis that
  don't use PathInfo or short urls
* (bug 17990) trackback.php now has a trackback.php5 alias and works with
  $wgScriptExtension
* (bug 14990) Parser tests work again with PostgreSQL
* (bug 11487) Special:Protectedpages doesn't list protections with pr_expiry
  IS NULL
* (bug 18018) Deleting a file redirect leaves behind a malfunctioning redirect
* (bug 17537) Disable bad zlib.output_compression output on HTTP 304 responses
* (bug 11213) [edit] section links in printable version no longer appear when
  you cut-and-paste article text
* (bug 17405) "Did you mean" to mirror Go/Search behavior of original request
* (bug 18116) 'edittools' is now output identically on edit and upload pages
* (bug 17241) The diffonly URI parameter should cascade to "Next edit" and
  "Previous edit" diff links
* (bug 16823) Sidebar search form should not use Special:Search view URL as
  target
* (bug 16343) Non-existing, but in use, category pages can be "go" match hits
* Fixed a CSS validation issue which allowed external images to be included
  into wikis where that is disallowed by configuration.
* Fixed a data leakage vulnerability for private wikis using img_auth.php or
  similar image access authentication schemes. Check user permissions before
  streaming out scaled images from thumb.php.

== API changes in 1.15 ==
* (bug 16858) Revamped list=deletedrevs to make listing deleted contributions
  and listing all deleted pages possible
* (bug 16844) Added clcategories parameter to prop=categories
* (bug 17025) Add "fileextension" parameter to meta=siteinfo&siprop=
* (bug 17048) Show the 'new' flag in list=usercontribs for the revision that
  created the page, even if it's not the top revision
* (bug 17069) Added ucshow=patrolled|!patrolled to list=usercontribs
* action=delete respects $wgDeleteRevisionsLimit and the bigdelete user right
* (bug 15949) Add undo functionality to action=edit
* (bug 16483) Kill filesort in ApiQueryBacklinks caused by missing parentheses.
  Building query properly now using makeList()
* (bug 17182) Fix pretty printer so URLs with parentheses in them are
  autolinked correctly
* (bug 17224) Added siprop=rightsinfo to meta=siteinfo
* (bug 17239) Added prop=displaytitle to action=parse
* (bug 17317) Added watch parameter to action=protect
* (bug 17007) Added export and exportnowrap parameters to action=query
* (bug 17326) BREAKING CHANGE: Changed output format for iiprop=metadata
* (bug 17355) Added auwitheditsonly parameter to list=allusers
* (bug 17007) Added action=import
* BREAKING CHANGE: Removed rctitles parameter from list=recentchanges because
  of performance concerns
* Listing (semi-)deleted revisions and log entries as well in prop=revisions
  and list=logevents
* (bug 11430) BREAKING CHANGE: Modules may return fewer results than the
  limit and still set a query-continue in some cases
* (bug 17357) Added movesubpages parameter to action=move
* (bug 17433) Added bot flag to list=watchlist&wlprop=flags output
* (bug 16740) Added list=protectedtitles
* Added mainmodule and pagesetmodule parameters to action=paraminfo
* (bug 17502) meta=siteinfo&siprop=namespacealiases no longer lists namespace
  aliases already listed in siprop=namespaces
* (bug 17529) rvend ignored when rvstartid is specified
* (bug 17626) Added uiprop=email to list=userinfo
* (bug 13209) Added rvdiffto parameter to prop=revisions
* Manual language conversion improvement: Now we can include both ";" and ":"
  in conversion rules
* (bug 17795) Don't report views count on meta=siteinfo if $wgDisableCounters
  is set
* (bug 17774) Don't hide read-restricted modules like action=query from users
  without read rights, but throw an error when they try to use them.
* Don't hide write modules when $wgEnableWriteAPI is false, but throw an error
  when someone tries to use them
* BREAKING CHANGE: action=purge requires write rights and, for anonymous users,
  a POST request
* (bug 18099) Using appendtext to edit a non-existent page causes an interface
  message to be included in the page text
* Fixed the circular template inclusion check, was broken when the loop
  involved redirects. Without this, infinite recursion within the parser is
  possible.
* (bug 18601) generator=backlinks returns invalid continue parameter
* (bug 18597) Internal error with empty generator= parameter
* (bug 18617) Add xml:space="preserve" attribute to relevant tags in XML output
* (bug 17611) Provide a sensible error message on install when the SQLite data
  directory is wrong.

=== Languages updated in 1.15 ===

MediaWiki supports over 300 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.

* Austrian German (de-at) (new)
* Swiss Standard German (de-ch) (new)
* Simplified Gan Chinese (gan-hans) (new)
* Traditional Gan Chinese (gan-hant) (new)
* Literary Chinese (lzh) (new)
* Uyghur (Latin script) (ug-latn) (renamed from 'ug')
* Veps (vep) (new)
* Võro (vro) (renamed from fiu-vro)
* (bug 17151) Add magic word alias for #redirect for Vietnamese
* (bug 17288) Messages improved for default language (English)
* (bug 12937) Update native name for Afar
* (bug 16909) 'histlegend' now reuses messages instead of copying them
* (bug 17832) action=delete returns 'unknownerror' instead of 'permissiondenied'
  when the user is blocked
* Traditional/Simplified Gan Chinese conversion support

== MediaWiki 1.14 ==

== MediaWiki 1.14.1 ==
=== Changes since 1.14.0 ===

* (bug 17737) Fixed Russian URLs for Special:BookSources
* (bug 17713) Using links with only an anchor no longer adds a dummy entry in
  the pagelinks table
* (bug 17897) Fixed string offset error in 
 tags
* (bug 17832) Fixed action=delete returning 'unknownerror' instead of
  'permissiondenied' when the user is blocked
* Fixed performance regression when accessing deleted (archived) files
* (bug 19693) Fixed cross-site scripting vulnerability in Special:Block

== MediaWiki 1.14.0 ==
=== Changes since 1.14.0rc1 ===

* Fixed the performance of the backlinks API module
* (bug 17420) Send the correct content type from action=raw when the HTML file
  cache is enabled.
* (bug 17437) Fixed incorrect link to web-based installer
* (bug 17527) Fixed missing MySQL-specific options in installer

=== Configuration changes in 1.14 ===

* $wgExemptFromUserRobotsControl is an array of namespaces to be exempt from
  the effect of the new __INDEX__/__NOINDEX__ magic words.  (Default: null,
  exempt all content namespaces.)
* $wgForwardSearchUrl has been removed entirely. Documented setting since 1.4
  has been $wgSearchForwardUrl.
* (bug 15080) $wgOverrideSiteFeed has been added. Setting either
  $wgSiteFeed['rss'] or 'atom' to a URL will override the default Recent
  Changes feed that appears on all pages.
* $wgSQLiteDataDirMode has been introduced as the default directory mode for
  SQLite data directories on creation. Note that this setting is separate from
  $wgDirectoryMode, which applies to all normal dirs created by MediaWiki.
* $wgGroupsAddToSelf and $wgGroupsRemoveFromSelf now work more like
  $wgAddGroups and $wgRemoveGroups, where the user must belong to a specified
  group in order to add or remove those groups from themselves.
  Backwards compatibility is maintained.
* $wgRestrictDisplayTitle controls if the use of the {{DISPLAYTITLE}} magic
  word is restricted to titles equivalent to the actual page title. This
  is true per default, but can be set to false to allow any title.
* $wgSpamRegex may now be an array of multiple regular expressions.
* $wgAjaxSearch has been removed; use $wgEnableMWSuggest instead.
* Editing the MediaWiki namespace is now unconditionally restricted to people
  with the editinterface right, configuring this in $wgNamespaceProtection
  is not required.
* $wgAllowExternalImagesFrom may now be an array of multiple strings.
* Introduced $wgEnableImageWhitelist to toggle the on-wiki external image
  whitelist on or off.
* Added $wgRenderHashAppend to append some string to the parser cache and the
  sitenotice cache keys.
* $wgRCChangedSizeThreshold is now a positive integer by default,
* (bug 16006) $wgEnableWriteAPI is now true by default. Authorized users can
  perform write actions using the API.
* Added $wgRC2UDPInterwikiPrefix which adds an interwiki prefix
  ($wgLocalInterwiki) onto the page names in the UDP feed.
* Added $wgAllowUserSkin to let the wiki's owner disable user selectable skins
  on the wiki. If it's set to false, then the skin used will *always* be
  $wgDefaultSkin.
* Added $wgEnotifUseRealName, which allows UserMailer to send out e-mails based
  on the user's real name if one is set. Defaults to false (use the username)
* Removed the 'apiThumbCacheDir' option from $wgForeignFileRepos (only used in
  ForeignAPIRepo)
* (bug 44) Image namespace and accompanying talk namespace renamed to File.
  For backward compatibility purposes, Image still works. External tools may
  need to be updated.
* The constants NS_FILE and NS_FILE_TALK can now be used instead of NS_IMAGE and
  NS_IMAGE_TALK.  The old constants are retained as aliases for compatibility,
  and should still be used in code meant to be compatible with v1.13 or older.
* MediaWiki can be forced to use private IPs forwarded by a proxy server by
  using $wgUsePrivateIPs.
* The 'BeforeWatchlist' hook has been removed due to internal changes in
  Special:Watchlist. 'SpecialWatchlistQuery' should now be used by extensions
  to customize the watchlist database query.

=== Migrated extensions ===
The following extensions are migrated into MediaWiki 1.14:

* Special:DeletedContributions to show deleted user contributions (was
  extension DeletedContributions)
* Special:Log/newusers recording new users (was extension Newuserlog)
* Special:LinkSearch to search for external links (was extension LinkSearch)
* RenderHash
* NoMoveUserPages
* UniversalEditButton

=== New features in 1.14 ===

* New URL syntaxes for Special:ListUsers - 'Special:ListUsers/USER' and
  'Special:ListUsers/GROUP/USER', in addition to the older syntax
  'Special:ListUsers/GROUP' where GROUP is a valid group name.
* Configurable per-namespace and per-page notices for the edit form,
  respectively MediaWiki:Editnotice-# where # is the namespace number, and
  MediaWiki:Editnotice-#-PAGENAME where # is the page's namespace number and
  PAGENAME is the page name minus the namespace prefix.
* (bug 8068) New __INDEX__ and __NOINDEX__ magic words allow user control of
  search engine indexing on a per-article basis.
* Handheld stylesheet options
* Added 'DoEditSectionLink' hook as a cleaner unified version of the old
  'EditSectionLink' and 'EditSectionLinkForOther' hooks.  Note that the
  'EditSectionLinkForOther' hook has been removed, but 'EditSectionLink' is
  run in all cases instead, so extensions using the old hooks should still work
  if they ran roughly the same code for both hooks (as is almost certain).
* Signature (~~~~) "cleaning", i.e. template removal, can be disabled with
  $wgCleanSignatures=false
* Extensions can use the SkinBuildSidebar hook to modify the content of the
  sidebar and add custom portlets to it
* Added 'MakeGlobalVariablesScript' hook for extensions to be able to add
  variables into the output of Skin::makeVariablesScript
* (bug 13846) Added $wgAddGroups and $wgRemoveGroups display on
  Special:ListGroupRights
* (bug 14377) Add a date selector to history pages
* (bug 15007) New 'pagetitle-view-mainpage' message allows the HTML  of
  the main page to be customized
* Added $wgDisableTitleConversion to disable the conversion for all pages on
  the wiki
* Added 'noconvertlink' toggle that can be set per user preferences, also
  added 'convertlink=no|yes' on GET requests to control whether the link
  titles are converted or not
* (bug 14921) Special:Contributions/: add user name to <title>
  Patch by Emufarmers
* Unescape more "safe" characters when producing URLs, for added prettiness
* Introduced a new hook 'SkinAfterContent' that allows extensions to add text
  after the page content and article metadata. Updated all skins and skin
  templates to work with that hook.
* (bug 14929) removeUnusedAccounts.php now supports 'ignore-touched' and
  'ignore-groups'. Patch by Louperivois
* (bug 15127) Work around minor display glitch in Opera.
* By default, reject file uploads that look like ZIP files, to avoid the
  so-called GIFAR vulnerability.
* (bug 15141) Give ability to only list protected pages with the cascading
  option enabled on Special:ProtectedPages
* (bug 15157) Special:Watchlist has the same options as Special:Watchlist:
  Show/Hide logged in users, Show/Hide anonymous, Invert namespace selection
* Added hook 'UserrightsChangeableGroups' to allow modification of what
  groups may be added or removed via the Special:UserRights interface.
* HTML entities like   now work (are not escaped) in edit summaries.
* (bug 13815) In the comment for page moves, use the colon-separator message
  instead of a hardcoded colon.
* Allow <gallery> to accept image names without an Image: prefix
* Add tooltips to rollback and undo links
* BMP images are now displayed as PNG
* (bug 13471) Added NUMBERINGROUP magic word
* (bug 11884) Now support Flash EXIF attribute
* Show thumbnails in the file history list, patch by User:Agbad
* Added support of piped wikilinks using double-width brackets
* Added an on-wiki external image whitelist. Items in this whitelist are
  treated as regular expression fragments to match for when possibly
  displaying an external image inline.
* (bugs 15405, 15436) Sort more currency types correctly in sortable tables
* (bug 15422) Sort more different types of numbers in sortable tables
* (bug 2889) MediaWiki:Print.css applies to the printable version
* Category counts (e.g. from {{PAGESINCATEGORY:}}) should be more accurate for
  small categories
* After logging in, automatically redirect to wherever you logged in from
* (bug 5619) Break messages used in Special:Statistics down further
* (bug 11029) Add link to Special:Listusers?group=sysop etc at
  Special:Statistics
* (bug 15514) Setting $wgRightsText without $wgRightsUrl now produces a
  plaintext copyright notice. Patch by Juliano F. Ravasi.
* (bug 15551) Deletion log excerpt is now shown whenever a user visits a
  deleted page, even if they are unable to edit it.
* Added Wantedfiles special pages, allowing users to find image links with no
  image.
* (bug 12650) It is now possible to set different expiration times for
  different restriction types on the protection form.
* (bug 8440) Allow preventing blocked users from editing their talk pages
* Improved upload file type detection for OpenDocument formats
* Added the ability to set the target attribute on external links with
  $wgExternalLinkTarget
* api.php now sends "Retry-After" and "X-Database-Lag" HTTP headers if the
  maxlag check fails, just like index.php does
* Added "link" parameter to image links, to allow images to link to an
  arbitrary title or URL. This should replace inaccessible and incomplete
  solutions such as CSS-based overlays and ImageMap.
* (bug 368) Don't use caption for alt attribute; allow manual specification
  using new "alt=" parameter for images
* (bug 44) The {{ns:}} core parser function now also accepts localized
  namespace names and aliases; also, its output now uses spaces instead of
  underscores to match the behavior of the {{NAMESPACE}} magic word
* Added the ability to display user edit counts in Special:ListUsers. Off by
  default, enabled with $wgEdititis = true (named after the medical condition
  marked by unhealthy obsession with edit counts).
* Added a file cache to the parser to improve page rendering time on pages with
  several uses of the same image.
* (bug 1250) Users can still use "show preview" and "show changes" even if the
  wiki is set to read-only mode.
* Added a call to the 'UnwatchArticleComplete' hook to the watchlist editor.
  This should make it so that ALL user-accessible methods of removing a page
  from a watchlist lead to this hook being called (it was previously only
  called from within Article.php)
* Maximum execution time for shell processes on linux is now configured with
  $wgMaxShellTime (180 seconds by default)
* (bug 1306) 'Email user' link no longer shown on user page when emailing
  is not available due to lack of confirmed address or disabled preference
* Special:Wanted templates special page added to display missing templates
  linked from articles
* Make search matches bold only, not red as well
* (bug 10080) Blocks can be modified without unblocking first
* (bug 15820) Special:BlockIP shows a notice if the user being blocked is
  already directly blocked
* (bug 13710) Allow to force "watch this" checkbox via URL using parameter
  "watchthis"
* (bug 15125) Add Public Domain to default options when installing. Patch by
  Nathan Larson.
* Set a special temporary directory for ImageMagick with $wgImageMagickTempDir
* (bug 16113) Show/hide for redirects in Special:NewPages
* (bug 15903) Upload link was added to Nostalgia skin
* (bug 15761) Add user toggle to omit diff after rollback
* Added the BitmapHandler_ClientOnly media handler, which allows server-side
  image scaling to be completely disabled for specific media types, via the
  $wgMediaHandlers configuration variable.
* New 'AbortDiffCache' hook can be used to cancel the caching of a diff
* (bug 15835) Added Content-Style-Type meta tag
* (bug 11027) Add parameter to MW:Randompage-nopages so that user can see the
  namespace.
* Add id="mw-user-domain-section" to <tr> tag in Userlogin.php template so that
  admins with a single domain can hide the domain section using CSS
* Dropped old Parser_OldPP class. Only new parser with preprocessor is used.
* Moved password reset form from Special:Preferences to Special:ResetPass
* Added Special:ChangePassword as a special page alias for Special:ResetPass
* Added complementary function for addHandler() called removeHandler() for
  removing events
* Improved security of file uploads for IE clients, using a reverse-engineered
  algorithm very similar to IE's content detection algorithm.
* Cascading protection no longer requires that both edit and move are restricted
  to sysop, just edit=sysop is enough
* (bug 2391) A warning is now shown for invalid ISBN numbers on
  Special:Booksources.
* Installer has been updated to reflect the release of the GFDL 1.3. The URL for
  1.2 has been updated, and the 1.3 URL has been given. 1.2 is still
  Wikipedia-compatible. RightsCode was changed from 'gfdl' to 'gfdl1_2', so we
  can now support 1.2 as well as 1.3 (gfdl1_3).
* (bug 16293) PD URL was changed to the CreativeCommons site on PD (which
  auto-detects your language) instead of Wikipedia.
* (bug 16635) The "view and edit watchlist" page (Special:Watchlist/edit) now
  includes a table of contents
* File objects returned by wfFindFile() are now cached by default
* (bug 7492) Rights can now be assigned to specific IP addresses and ranges by
  using $wgAutopromote (new defines: APCOND_ISIP and APCOND_IPINRANGE)
* Add a 'change block' link to Special:IPBlockList and Special:Log
* (bug 16459) Use native getElementsByClassName where possible, for better
  performance in modern browsers
* Enable \cancel and \cancelto in texvc (recompile required)
* Added 'UserCryptPassword' and 'UserComparePasswords' hooks to allow extensions
  to implement their own password hashing methods.
* (bug 16760) Add CSS-class to action links of Special:Log
* (bug 505) Time zones can now be specified by location in user preferences,
  avoiding the need to manually update for DST. Patch by Brad Jorsch.
* (bug 2585) HTTP 404 return code is now given for a page view if the page
  does not exist, allowing spiders and link checkers to detect broken links.
* Special:Log: Add 'change protection' link for unprotected pages too
* Special:Log: Add log type specific CSS classes 'mw-logline-$logtype' to
  'li' elements
* (bug 16754) Making arbitrary rows of sortable tables sticky:
  |- class="unsortable"
* Show subversion too even if a "normal" version number is available
* (bug 16121) Add a note that a page move was without creating a redirect in the
  move log
* Image moving is now enabled for sysops by default
* Make "Did you mean" search feature more noticeable
* (bug 16720) Transcluded Special:NewPages processes "/username="

=== Bug fixes in 1.14 ===

* (bug 14907) DatabasePostgres::fieldType now defined.
* (bug 14659) Passing the default limit param to Special:Recentchanges no
  longer falls back to the user option
* (bug 14954) Fix regression in Modern and Simple skins
* Recursion loop check added to Categoryfinder class
* Fixed a few performance problems in large job queue processing
* Not setting various parameters in Foreign Repos now fails more gracefully
* (bug 2333) Redirects are properly rendered when previewing an edit.
* (bug 14972) Use localized alias of Special:Search on all search forms
* (bug 11035) Special:Search should have descriptive <title>
* Special pages are now not subject to special handling for "self-links"
* (bug 15053) Syntactically incorrect redirects with another link in them
  no longer redirect to the second link
* (bug 15049) Fix for CheckUser extension's log search: usernames containing
  a "-" were incorrectly turned into bogus IP range searches.
  Patch by Max Semenik.
* (bug 15055) Talk page notifications no longer attempt to send mail when
  user's e-mail address is invalid or unconfirmed
* (bug 12370) Add throttle on password attempts. Defaults to max 5 attempts in
  5 minutes.
* (bug 15016) 'Templates used on this page' list in view source should be
  wrapped in a div with class "templatesUsed"
* (bug 14868) Setting $wgFeedDiffCutoff to 0 now disables generation of the
  diff entirely, not just the display of it.
* (bug 6387) Introduced new setting $wgCategoryPrefixedDefaultSortkey which
  allows having the unprefixed page title as the default category sortkey
* (bug 15079) Add class="ns-talk" / "ns-subject" to <body>. Also added
  ns-special to special pages.
* (bug 15052) Skins should add their name as a class in <body>
* (bug 14165, bug 14294) Wikimedia specific configuration in convertGrammar()
  for several languages was removed. The settings have been put in extension
  WikimediaMessages. Patch for Czech by Danny B.
* (bug 15101) Displaying only bots edits in Special:Recentchanges now works
  again
* (bug 13770) Fixed incorrect detection of PHP's DOM module
* (bug 14790) Export of category pages when using Category: prefix now actually
  gives results
* Avoid recursive crazy expansions in section edit comments for pages which
  contain '/*' in the title
* Fix excessive memory usage when parsing pages with lots of links
* $wgSpamRegex now matches the edit summary and page move descriptions in
  addition to body text.
* Navigation links to images available from a shared repository (like Commons)
  from their local talk pages no longer appear as redlinks
* Action=purge on ForeignApiFiles now works (purges their thumbnails and
  description pages).
* (bug 15303) Title conversion for templates wasn't working in some cases.
* (bug 15264) Underscores in Special:Search/Foo_bar parameters were taken
  literally; now converting them to spaces per expectation.
* (bug 15342) "Invert" checkbox now works correctly when selecting main
  namespace in Special:Watchlist
* (bug 15172) 'Go' button of Special:Recentchanges now on the same line as the
  last input element (like Special:Watchlist too)
* (bug 15351) Fix fatal error for invalid section fragments in autocomments
* Fixed intermittent deadlock errors involving objectcache table queries.
  Use a separate database connection for the objectcache table to avoid
  long-lasting locks on that table.
* Respect file restrictions in the file history list
* (bug 15399) Odd/even classes on sortable tables' rows could be slow for large
  tables, and have been disabled by default.
* (bug 15482) Special:Recentchangeslinked has no longer two submit buttons
* (bug 15292) New message notification for unregistered users now works again
* (bug 14398) mwsuggest.js: Let width of container be configurable
* (bug 15543) Only include user touched timestamp to generated CSS
* (bug 15497) Removed encoding attribute from <?xml ?> tag
* (bug 12284) Special:Preferences now sets a returnto parameter on the link to
  Special:UserLogin. Patch by Marooned.
* Fixed the HTTP accept language string detection length in
  LanguageConverter.php, instead of the fixed length language codes.
* Special:RecentChangesLinked no longer shows outgoing links for nonexistent
  pages even if there are broken link records with source article id 0 in the
  database
* (bug 15598) Special:Newpages default limit uses user preference for
  recentchanges limit instead of hardcoded 50.
* (bug 15617) OutputPage::getHeadLinks() respects $wgFeedClasses,
  instead of hardcoding rss and atom. Patch by Juliano F. Ravasi.
* (bug 14638) Special:Blockip now provides a link to the block log if the user
  has been blocked more than 10 times. Patch by Matt Johnston.
* (bug 12678) Skins don't show Upload link if the user isn't allowed to upload.
* Fixed incorrect usage of DB_LAST in Special:Export. Deprecated DB_LAST.
* (bug 15642) Blocked sysops can no longer block other users
* Http::request() now respects $wgHTTPtimeout when not using cURL
* (bug 15158) Userinvalidcssjstitle not shown on preview
* (bug 15196) Free external links should be numbered in a localised manner
* (bug 15388) Title of Special:PrefixIndex
* Links with no title but a curid parameter now use the curid to pick a page
* (bug 10323) Special:Undelete should have "inverse selection" button
* (bug 15831) Modern skin RTL support is buggy
* (bug 15869) Nostalgia skin does not show page title in printable mode
* (bug 15795) Special:Userrights is now listed on Special:SpecialPages when the
  user can only change his rights
* (bug 15846) Categories "leak" from older revisions in certain circumstances
* (bug 15928) Special pages dropdown should be inline in non-MonoBook skins
* (bug 14178) Some uses of UserLoadFromSession hook cause segfault
* (bug 15925) Positive bytes added on recentchanges and watchlists are now
  bolded if above the threshold, previously it only worked for negatives
* Specify apple-touch-icon before favicon in HTML head section to make the
  Konqueror browser correctly use the latter
* (bug 15717) Set $separatorTransformTable for language 'eu'
* (bug 15605) Enabled $datePreferences for language 'hr'. Added standard date
  preferences.
* (bug 13701) {{NUMBEROFVIEWS}} magic word to show number of total views.
* (bug 5101) Image from Commons doesn't show up when searched in Wikipedia
  search box
* (bug 14609) User's namespaces to be searched default not updated after adding
  new namespace
* Purge form uses valid XHTML
* (bug 12764) Special:LonelyPages shows transcluded pages
* (bug 16073) Enhanced RecentChanges uses onclick handler with better fallback
  if JavaScript is disabled
* (bug 4253) Recentchanges IRC messages no longer include title in diff URLs
* Allow '0' to be an accesskey.
* (bug 8063) Use language-dependent sorting in client-side sortable tables
* (bug 16160) Suggestions box should be resized from left for RTL wikis
* (bug 11533) Fixed insane slowdown when in read-only mode for long periods
  of time with CACHE_NONE (default objectcache table configuration).
* Trying to set two different default category sort keys for one page now
  produces a warning
* (bug 16143) Fix redirect loop on special pages starting with lower case
  letters
* (bug 15737) Fix notices while expanding using PPCustomFrame
* (bug 15544) Non-index entry points cause the "Wiki not set up" message to
  have corrupt URLs
* (bug 4362) [[MediaWiki:History copyright]] is no longer used with the most
  recent revision when passing the oldid parameter in the URL
* (bug 16265) When caching thumbs with the ForeignApiRepo, we now use the same
  filename as the remote site.
* (bug 8345) Don't autosummarize where a redirect was left unchanged
* Made thumb caching in ForeignApiFile objects integrated with normal thumb
  path naming (/thumbs/hash/file), retired 'apiThumbCacheDir' as a result.
* (bug 5530) Consistency between character encoding in {{PAGENAMEE}},
  {{SUBPAGENAMEE}} and {{FULLPAGENAMEE}}
* Safer handling of non-MediaWiki exceptions -- now obeys our settings for
  formatting and path exposure.
* Less verbose errors from profileinfo.php when not configured
* Blacklist redirects via Special:Filepath, hard to use.
* Improved input validation on Special:Import form
* Add a .htaccess to deleted images directory for additional protection
  against exposure of deleted files with known SHA-1 hashes on default
  installations.
* Improved scripting safety heuristics for IE 5/6 content-type detection.
* Improved scripting safety heuristics on SVG uploads.
* (bug 11728) Unify layout of enhanced watchlist/recent changes
* (bug 8702) Properly update stats when running nukePage maintenance script
* (bug 7726) Searches for words less than 4 characters now work without
  requiring customization of MySQL server settings
* Honour unchecked "Leave a redirect behind" for moved subpages
* (bug 16440) Broken 0-byte math renderings are now deleted and re-rendered
  when page is re-parsed.
* (bug 6100) Unicode BiDi embedding/override characters (U+202A - U+202E) are
  now automatically removed from titles; these characters can accidentally end
  up in copy-and-pasted titles, and, by overriding normal bidirectional text
  handling, can lead to annoying behavior such as text rendering backwards
* Fixed minor bug where the memcached value for how many accounts an IP had
  created that day would be increased even if $wgAccountCreationThrottle was
  hit. This meant if an IP hit the throttle and then the throttle was raised
  later that day, the IP still couldn't create another account, because it
  had marked them as having created another account, when their last account
  creation had actually failed.
* (bug 12647) Allow autogenerated edit summary messages to be blanked with '-'
* (bug 16026) 'Revision-info' and 'revision-info-current' both accept wiki
  markup now.
* (bug 16529) Fix for search suggestions with some third-party JS libraries
* (bug 13342) importScript() generates more consistent URI encoding
* (bug 16577) When a blocked user tries to rollback a page, the block message
  is now only displayed once
* (bug 14268) SVG image sizes now extracted with proper XML parser
* (bug 14365) RepoGroup::findFiles() no longer crashes if passed an invalid
  title via the API
* (bug 4253, bug 16586) Revision ID is now given instead of title in URLs for
  new pages in the recent changes IRC feed
* Ugly tooltips in Special:Statistics were phased out in favor of more direct
  information. Went ahead and rewrote SpecialStatistics to subclass SpecialPage
* (bug 5506) Links to files on foreign repositories are now shown consistently
  as bluelinks e.g. in logs and edit summaries
* (bug 16623) Add missing </p> tag in Special:LockDB
* (bug 15849) Special:Movepage now throws a more specific error when trying to
  move a title to an interwiki target
* (bug 16638) 8-bit URL fallback encoding now set on additional languages using
  Arabic script (Persian, Urdu, Sindhi, Punjabi)
* (bug 16656) cleanupTitles and friends should now work in load-balanced
  DB environments when $wgDBserver isn't set.
* (bug 3691) Aspect ratio from viewBox attribute is now preserved for SVG
  images which do not specify width and height attributes.
* (bug 15027) Internet domain names and IP addresses can now be indexed and
  searched sensibly with the default MySQL search backend.
* (bug 11733) Fixed parameter validation in importTextFile.php
* (bug 16712) Special:NewFiles updated to use "newer"/"older" paging messages
  for clarity over "previous/next"
* (bug 16612) Fixed "noprint" class for Modern skin print style
* Section anchors now have an "id" attribute as well as a "name" attribute,
  even when Tidy is not used
* (bug 16026) revision-info, revision-info-current, cannotdelete,
  redirectedfrom, historywarning and difference messages now use Wiki text
  rather than raw HTML markup
* (bug 13835) Fix rendering of {{filepath:Wiki.png|nowiki}}
* (bug 16772) Special:Upload now correctly rejects files with spaces in the
  file extension (e.g. Foo. jpg).
* Image moving over an existing file no longer throws a database error
* (bug 16786) Restored "redundant" links recently removed from Classic sidebar
* (bug 16850) $wgActionPaths can have query strings now, previously, this broke
  local URLs
* (bug 16376) Mention in deleteBatch.php and moveBatch.php maintenance scripts
  that STDIN can be used for page list
* (bug 16560) Special:Random returns a page from ContentNamespaces, and no
  longer from NS_MAIN

=== API changes in 1.14 ===

* Registration time of users registered before the DB field was created is now
  shown as empty instead of the current time.
* API search now falls back to fulltext search by default when using Lucene
  or other engine which doesn't support a separate title search function.
  This means you can use API search on Wikipedia without explicitly adding
  &srwhat=text to the query.
* Added iiprop=bitdepth to imageinfo and aiprop=bitdepth to allimages
* (bug 14713) API-specific permissions (such as 'writeapi' and 'apihighlimits')
  are now listed on action=help
* (bug 15044) Added requestid parameter to api.php to facilitate distinguishing
  between requests
* (bug 15048) Added limit field for multivalue parameters to action=paraminfo
  output.
* When the limit on multivalue parameters is exceeded, a warning is issued
* list=search doesn't list missing pages any more
* (bug 15178) Added clshow to prop=categories to allow filtering for hidden/
  non-hidden categories
* (bug 15228) Combining revids= and redirects now throws a warning instead of
  an error, and still resolves redirects generated by the generator.
* list={backlinks,embeddedin,imageusage} now return arrays with keys 0, 1, 2,
  etc. (AKA lists) instead of arrays with pageIDs as keys (AKA hash tables)
  for consistency with other list modules.
* Added action=watch
* (bug 15275) apprefix and related parameters ignore spaces at the end
* action=edit no longer throws unknown error 228 when trying to create an
  empty section with section=new
* Database replication lag doesn't cause all action=edit requests to return the
  nochange flag any more
* (bug 15392) ApiFormatBase::formatHTML now uses $wgUrlProtocols.
* (bug 15444) action=edit returns "Unknown error: ``AS_END''" where it should
  return just "Unknown error"
* (bug 15448) YAML output returns empty values instead of 0
* (bug 15445) Added action=patrol
* (bug 15466) Added action=purge
* (bug 15486) action=block ignores autoblock parameter
* (bug 15492) added rcprop=loginfo to list=recentchanges
* (bug 15527) action=rollback can now revert anonymous editors
* (bug 15535) prop=info&inprop=protection doesn't list pre-1.10 protections
  if the page is also protected otherwise (1.10+ style or cascading)
* list=random now has rnredirect parameter, to get random redirects.
* Added APIAfterExecute, APIQueryAfterExecute and APIQueryGeneratorAfterExecute
  hooks which allow for extending core modules in a cleaner way
* action=protect checks for invalid protection types and levels
* (bug 15673) Added indentation to format=wddxfm output and improved built-in
  WDDX formatter to more closely resemble PHP's
* (bug 15706) Empty values for apprtype and apprlevel are now silently ignored
  rather than causing an exception
* Added uiprop=preferencestoken to meta=userinfo
* (bug 15609) Add inprop=url and inprop=readable to prop=info
* Add ApiDisabled and ApiQueryDisabled classes so individual modules can
  be disabled in LocalSettings.php
* (bug 15653) Add prop=duplicatefiles
* (bug 15768) Add list=watchlistraw
* (bug 15647) action=edit with basetimestamp fails if the page has been deleted
  and undeleted since the last edit
* (bug 15785) Allow for different expiry times for different protections in
  action=protect
* Added allowsduplicates attribute to action=paraminfo output
* (bug 15767) apfilterlanglinks returns duplicate results
* (bug 15845) Added pageid/fromid parameter to action=delete/move, making
  manipulation of legacy pages with invalid titles possible
* (bug 15881) Empty or invalid parameters cause database errors
* The maxage and smaxage parameters are now properly validated
* (bug 15945) list=recentchanges doesn't check $wgUseRCPatrol, $wgUseNPPatrol
  and patrolmarks right
* (bug 15985) acfrom and aifrom parameters didn't work when sorting in
  descending order.
* (bug 15995) Add cmstartsortkey and cmendsortkey parameters to
  list=categorymembers
* (bug 16017) list=categorymembers sets invalid continue parameters for
  sortkeys containing pipes
* (bug 16018) Added uccontinue parameter to list=usercontribs so paging
  works properly when multiple users are queried or a userprefix is used
* (bug 16047) Added activeusers attribute to meta=siteinfo&siprop=statistics
  output
* Added redirect resolution to action=parse
* (bug 16074) rvprop=content combined with a generator with a high limit causes
  an error
* (bug 16105) Image metadata attributes containing spaces result in invalid XML
* (bug 16126) Added siprop=magicwords to meta=siteinfo
* (bug 16159) Added wlshow=patrolled|!patrolled to list=watchlist
* (bug 16225) Titles like Talk:Talk:Foo broke apfrom and friends
* meta=siteinfo&siprop=interwikimap no longer throws an exception for empty
  sifilter parameter.
* (bug 12760) meta=userinfo&uiprop=ratelimits doesn't list group-specific rate
  limits
* (bug 16398) meta=userinfo&uiprop=rights lists some rights twice in some cases
* (bug 16408) Added rvgeneratexml to prop=revisions
* (bug 16421) Made list=logevents's leuser accept user names with underscores
  instead of spaces
* (bug 16516) Made rvsection=T-2 work
* (bug 16526) Added usprop=emailable to list=users
* (bug 16548) list=search threw errors with an invalid error code
* (bug 16515) Added pst and onlypst parameters to action=parse
* (bug 16541) Added block expiry timestamp to list=logevents output
* (bug 16613) action=protect doesn't tell when &cascade was set but cascading
  protection wasn't allowed
* (bug 16626) action=delete now correctly handles empty "reason" param
* (bug 15579) clshow considers all categories !hidden
* (bug 16647) list=allcategories, prop=categories don't return "hidden"
  property for hidden categories
* New siprop parameter of 'extensions' to list all installed extensions
* (bug 16672) Include canonical namespace name in
  meta=siteinfo&siprop=namespaces.
* (bug 16726) siprop=namespacealiases should also list localized aliases
* (bug 16730) Added apprfiltercascade parameter to list=allpages to filter
  cascade-protected pages

=== Languages updated in 1.14 ===

MediaWiki supports over 300 languages. Many localisations are updated
regularly. Below only new and removed languages are listed.

* Bakhtiari (bqi) (new)
* Fiji Hindi (Devanagari script) (hif-deva) (new)
* Krio (kri) (new)
* Lezghian (lez) (new)
* Laz (lzz) (new)
* Eastern Mari (mhr) (new)
* Niuean (niu) (new)
* Oromo (om) (new)
* Plautdietsch (pdt) (new)
* Western Punjabi (pnb) (new)
* Tarantino (roa-tara) (new)
* Serbo-Croatian (sh) (new)
* Tulu (tcy) (new)


== MediaWiki 1.13 ==

== MediaWiki 1.13.5 ==

February 22, 2009

This is a maintenance update to the Summer 2008 snapshot release of MediaWiki.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN

== Changes since 1.13.4 ==

* (bug 17449) Fixed PostgreSQL installation
* (bug 17527) Fixed missing MySQL-specific options in installer

== Changes since 1.13.3 ==

A number of cross-site scripting (XSS) security vulnerabilities were discovered
in the web-based installer (config/index.php). These vulnerabilities all
require a live installer -- once the installer has been used to install a wiki,
it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack any website
in the same cookie domain. So if you have an uninstalled copy of MediaWiki on
the same site as an active web service, MediaWiki could be used to attack the
active service.

If you are hosting an old copy of MediaWiki that you have never installed, you
are advised to remove it from the web.

== Changes since 1.13.2 ==

David Remahl of Apple's Product Security team has identified a number of
security issues in previous releases of MediaWiki. Subsequent analysis by the
MediaWiki development team expanded the scope of these vulnerabilities. The
issues with a significant impact are as follows:

* An XSS vulnerability affecting all MediaWiki installations between 1.13.0 and
  1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer clients for
  all MediaWiki installations with uploads enabled. [CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG scripting
  capability (such as Firefox 1.5+), for all MediaWiki installations with SVG
  uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
  installations since the feature was introduced in 1.3.0. [CVE-2008-5252]

XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
authorised user's login session, and to act as that user on the wiki. The
authorised user must visit a web page controlled by the attacker in order to
activate the attack. Intranet wikis are vulnerable if the attacker can
determine the intranet URL.

Local script injection vulnerabilities are like XSS vulnerabilities, except
that the attacker must have an account on the local wiki, and there is no
external site involved. The attacker uploads a script to the wiki, which another
user is tricked into executing, with the effect that the attacker is able to act
as the privileged user.

CSRF vulnerabilities allow an attacker to act as an authorised user on the wiki,
but unlike an XSS vulnerability, the attacker can only act as the user in a
specific and restricted way. The present CSRF vulnerability allows pages to be
edited, with forged revision histories. Like an XSS vulnerability, the
authorised user must visit the malicious web page to activate the attack.

These four vulnerabilities are all fixed in this release.

David Remahl also reminded us of some security-related configuration issues:

* By default, MediaWiki stores a backup of deleted images in the images/deleted
  directory. If you do not want these images to be publicly accessible, make
  sure this directory is not accessible from the web. MediaWiki takes some steps
  to avoid leaking these images, but these measures are not perfect.
* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal
  errors. This is the default on most shared web hosts.
* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may
  lead to path disclosure.

Other changes in this release:

* Avoid fatal error in profileinfo.php when not configured.
* Add a .htaccess to deleted images directory for additional protection against
  exposure of deleted files with known SHA-1 hashes on default installations.
* Avoid streaming uploaded files to the user via index.php. This allows
  security-conscious users to serve uploaded files via a different domain, and
  thus client-side scripts executed from that domain cannot access the login
  cookies. Affects Special:Undelete, img_auth.php and thumb.php.
* When streaming files via index.php, use the MIME type detected from the
  file extension, not from the data. This reduces the XSS attack surface.
* Blacklist redirects via Special:Filepath. Such redirects exacerbate any
  XSS vulnerabilities involving uploads of files containing scripts.
* Internationalisation updates.

== Changes since 1.13.1 ==

* Security: Work around misconfiguration by requiring strict comparisons for
  in_array in User::isAllowed().
* (bug 14944) Added $wgShellLocale for configuration of an appropriate locale
  to use for LC_CTYPE during shell invocation. For servers that don't have
  en_US.utf8. Also added locale detection during install.
* Localisation updates
* Security: Fixed XSS vulnerability in useskin parameter.
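
The strict-comparison item above concerns PHP's loose in_array() matching. The
following is an added illustration, not MediaWiki's own code: the function
names and the permission data are hypothetical and constructed. It shows how a
non-string entry in a rights list makes a loose in_array() check grant rights
that were never configured, and how the third argument (strict) prevents it.

```php
<?php
// Added illustration, not MediaWiki code. Function and variable names are
// hypothetical; the permission data below is constructed sample data.

/** Flatten a "right name => granted?" map into a list of granted right names. */
function effectiveRights( array $permissions ): array {
	// array_filter() drops falsy values and preserves keys, so the result is
	// every key whose value is truthy, including any accidental integer key.
	return array_keys( array_filter( $permissions ) );
}

/** Loose membership test: compares with ==, so PHP type juggling applies. */
function isAllowedLoose( array $rights, string $action ): bool {
	return in_array( $action, $rights );
}

/** Strict membership test: compares with ===, so only an identical string matches. */
function isAllowedStrict( array $rights, string $action ): bool {
	return in_array( $action, $rights, true );
}

// Constructed misconfiguration 1: 'upload' is appended as a value instead of
// being set as a key, so it is stored under integer key 0 with a truthy value.
// Before PHP 8.0 a non-numeric string compared with == to integer 0 is equal;
// PHP 8.0 changed that comparison, so this case depends on the PHP version.
$permissions = [ 'read' => true, 'edit' => true, 'delete' => false ];
$permissions[] = 'upload';
$rightsWithIntKey = effectiveRights( $permissions );

// Constructed misconfiguration 2: a boolean ends up in the list of names.
// Any non-empty string other than "0" is == true on every PHP version.
$rightsWithBool = [ 'read', 'edit', true ];

$cases = [
	'integer 0 in rights list' => $rightsWithIntKey,
	'boolean true in rights list' => $rightsWithBool,
];

// 'edit' is granted on purpose; 'delete' and 'protect' were never granted.
foreach ( $cases as $label => $rights ) {
	echo "$label (PHP " . PHP_VERSION . ")\n";
	foreach ( [ 'edit', 'delete', 'protect' ] as $action ) {
		printf(
			"  %-8s loose=%-5s strict=%s\n",
			$action,
			var_export( isAllowedLoose( $rights, $action ), true ),
			var_export( isAllowedStrict( $rights, $action ), true )
		);
	}
}
```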

== Changes since 1.13.0 ==

* (bug 15460) Fixed intermittent deadlock errors and poor concurrent
  performance for installations without memcached.
* (bug 13770) Fixed DOM module detection for installations with both dom
  and domxml.
* (bug 15148) Fixed Special:BlockIP for PostgreSQL
* Fixed SQLite support for non-memcached installations
* Localisation updates, Achinese (ace) added.

== Changes since 1.13.0rc2 ==

* (bug 13770) Fixed incorrect detection of PHP's DOM module
* Fix regression from r37834: accesskey tooltip hint should be given for the
  minor edit and watch labels on the edit page.
* Updated Chinese simplified/traditional conversion tables

== Changes since 1.13.0rc1 ==

* $wgForwardSearchUrl has been removed entirely. Documented setting since 1.4
  has been $wgSearchForwardUrl.
* (bug 14907) DatabasePostgres::fieldType now defined.
* (bug 14966) Fix SearchEngineDummy class for silently non-functional search
  on Sqlite instead of horribly fatal error breaky one.
* (bug 14987) Only fix double redirects on page move when the checkbox is
  checked
* (bug 13376) Use $wgPasswordSender, not $wgEmergencyContact, as return
  address for page update notification mails.
* API: Registration time of users registered before the DB field was created is
  now shown as empty instead of the current time.
* (bug 14904): fragments were lost when redirects were fixed.
* Added magic word __STATICREDIRECT__ to suppress the redirect fixer
* (bug 15035) Revert English linkTrail to /^([a-z]+)(.*)$/sD, as it was before
  r36253. Multiple reports of breakage due to old (pre-5.0) PCRE libraries,
  both bundled with PHP and packaged with distros such as RHEL.
* (bug 14944) Shell invocation of external programs such as ImageMagick convert
  was broken in PHP 5.2.6, if the server had a non-UTF-8 locale.


=== Configuration changes in 1.13 ===

* New option $wgFeed can be set false to turn off syndication feeds
* (bug 5745) Special:Whatlinkshere now shows up to $wgMaxRedirectLinksRetrieved
  links through each redirect instead of hardcoded 500
* Set $wgUploadSizeWarning to false by default
* Added $wgLBFactoryConf, for generic configuration of multi-master wiki farms
* Removed $wgAlternateMaster, use $wgLBFactoryConf
* (bug 13562) Misspelled option $wgUserNotifedOnAllChanges changed to
  $wgUserNotifiedOnAllChanges
* (bug 12860) New option $wgSitemapNamespaces allows sitemaps to be generated
  for only some namespaces
* Removed the emailconfirmed implicit group by default. To re-add it, use:
    $wgAutopromote['emailconfirmed'] = APCOND_EMAILCONFIRMED;
  in your LocalSettings.php.
* (bug 2396) New shared database configuration variables. $wgSharedPrefix allows
  you to use a shared database with a different prefix. Or you can now use a
  local database and use prefixes to separate wiki and the shared tables. And
  the new $wgSharedTables variable allows you to specify a list of tables to
  share.
* Automatic edit summaries can be disabled with $wgUseAutomaticEditSummaries
* Duplicates of images are now shown on the image page
* $wgRCFilterByAge allows for the list of dates in recent changes special pages
  to be filtered to only those within the range of $wgRCMaxAge
* $wgRCLinkLimits and $wgRCLinkDays allow for customization of the list and
  limits displayed on the recent changes special pages
* The "createpage" permission is no longer required when uploading if the target
  image page already exists
* $wgMaximumMovedPages restricts the number of pages that can be moved at once
  (default 100) with the new subpage-move functionality of Special:Movepage
* Hooks display in Special:Version is now disabled by default, use
  $wgSpecialVersionShowHooks = true; to enable it.
* $wgActiveUserEditCount sets the number of edits that must be performed over
  a certain number of days to be considered active
* $wgActiveUserDays is that number of days
* $wgRateLimitsExcludedGroups has been deprecated in favor of
  $wgGroupPermissions[]['noratelimit']. The former still works, however.
* New $wgGroupPermissions option 'move-subpages' added to control bulk-moving
  subpages along with pages.  Assigned to 'user' and 'sysop' by default.
* New $wgRC2UDPOmitBots allows user to omit bot edits from UDP output.
  Default: false
* Removed $wgEnableCascadingProtection option. Disabling cascading protection
  is no longer possible.
* $wgMessageCacheType now defines the type of cache used by the MessageCache
  class; previously it was chosen based on $wgParserCacheType
* $wgExtensionAliasesFiles option to simplify adding aliases to special pages
  provided by extensions, in a similar way to $wgExtensionMessagesFiles
* Added $wgXMLMimeTypes, an array of XML mimetypes we can check for
  with MimeMagic.
* Added $wgDirectoryMode, which allows for setting the default CHMOD value when
  creating new directories.
* (bug 14843) $wgCookiePrefix can be set by LocalSettings now, false defaults
  to current behavior.

=== New features in 1.13 ===

* __HIDDENCAT__ on a category page causes the category to be hidden on the
  article page
* Do not show edit permissions errors on a red link click, just redirect to the
  article. This is so that readers who don't know what a red link is are not
  confused when they are told they are range-blocked.
* Add a new hook ImageBeforeProduceHTML to allow extensions to modify wikitext
  image syntax output
* (bug 13100) Added 'preloadtitle' parameter to action=edit&section=new that
  pre-fills the section title field
* (bug 13112) Added Special:RelatedChanges alias to Special:RecentChangesLinked
* (bug 13130) Moved edit token and autosummary fields above edit tools to
  reduce broken form submissions
* Add --old-redirects-only option to maintenance/refreshLinks.php, to add old
  redirects to the redirect table
* Add links to page and file deletion forms to edit predefined delete reasons
* (bug 13269) Added MediaWiki:Uploadfooter to the bottom of Special:Upload
* (bug 2815) Search results for media now use thumbnail instead of text extract
* When a page doesn't exist, the tab should say "create", not "edit"
* (bug 12882) Added a span with class "patrollink" around "Mark as patrolled"
  link on diffs
* Magic word formatnum can now take raw suffix to undo formatting
* Add updatelog table to reliably permit updates that don't change the schema
* Add category table to allow better tracking of category membership counts
** (bug 1212) Give correct membership counts on the pages of large categories
** Use category table for more efficient display of Special:Categories
* (bug 1459) Search for duplicate files by hash: Special:FileDuplicateSearch
* (bug 9447) Added hooks for search result headings
* Image redirects are now enabled by default
* (bug 13450) Email confirmation can now be canceled before the expiration
* (bug 13490) Show upload/file size limit on upload form
* Redesign of Special:UserRights
* Make rev_deleted log entries more intelligible
* (bug 6943) Added PAGESINCATEGORY: magic word
* (bug 13604) Added Special:ListGroupRights
* (bug 6332, 8617) Added message 'mainpage-description' as duplicate of
  'mainpage' and added it to message 'sidebar'
* Automatically add old redirects to the redirect table when needed
* (bug 6934) Allow inclusions, links, redirects to be separately toggled on or
  off on Special:WhatLinksHere
* Cache image redirects
* (bug 10457) Organize Special:SpecialPages into sections
* Add a new hook EditPageBeforeConflictDiff to allow extensions like FCKeditor
  to modify the output for edit conflicts
* Add class="nested" for <fieldset>s so fieldsets inside fieldsets get
  a slightly less huge margin and padding
* (bug 13527) Use sitemaps.org format 0.9 instead of a Google-specific format
* Allow \C and \Q as TeX commands to match \R, \N, \Z
* On Special:UserRights, when you can add a group you can't remove or remove
  one you can't add, a notice is printed to warn you
* (bug 12698) Create PAGESIZE parser function, to return the size of a page
* Allow the "log in / create account" link in the toolbar to have different
  text from Special:UserLogin title (new message 'nav-login-createaccount')
* Say "log in / create account" if an anonymous user can create an account,
  otherwise just "log in", consistently across skins
* Special:Shortpages and Special:Longpages now return pages in all content
  namespaces, not just NS_MAIN.
* (bug 889) Improve conflict-handling between shared upload repository
  and local one
* Update documentation links in auto-generated LocalSettings.php
* (bug 13584) The new hook SkinTemplateToolboxEnd was added.
* (bug 709) Cannot rename/move images and other media files [EXPERIMENTAL]
* Custom rollback summaries now accept the same arguments as the default message
* (bug 12542) Added hooks for expansion of Special:Listusers
* Drop-down AJAX search suggestions (turn on $wgEnableMWSuggest)
* More relevant search snippets (turn on $wgAdvancedSearchHighlighting)
* (bug 13950) Allow users to watch the user/talk pages of users they block.
* (bug 13970) Allow MonoBook-based skins to specify their own print stylesheet
* Show image links on Special:Whatlinkshere
* Use rel="start", "prev", "next" appropriately on Pager-based pages
* Add support for SQLite
* AutoAuthenticate hook renamed to UserLoadFromSession
* (bug 13232) importScript(), importStylesheet() funcs available to custom JS
* (bug 13095) Search by first letters or digits in [[Special:Categories]]
* Users moving a page can now move all subpages automatically as well
* (bug 14259) Localisation message for upload button on Special:Import is now
  'import-upload' instead of 'upload'
* Add information about user group membership to Special:Preferences
* (bug 14146) Wrap usage section on imagepages into <div>s.
* New layout for Special:Specialpages. Restricted pages are marked but not
  separated from other pages in their group.
* (bug 14263) Show a diff of the revert on rollback notification page.
* (bug 13434) Show a warning when hash identical files exist
* Sidebar is now cached for all languages
* The User class now contains a public function called isActiveEditor. Figures
  out if a user is active based on at least $wgActiveUserEditCount number of
  edits in the last $wgActiveUserDays days.
* SpecialSearchResults hook now passes results by reference, so they can be
  changed by extensions.
* Add a new hook LinkerMakeExternalLink to allow extensions to modify the output
  of external links.
* (bug 14132) Allow user to disable bot edits from being output to UDP.
* (bug 14328) jsMsg() within Wikibits now accepts a DOM object, not just a
  string
* (bug 14558) New system message (emailuserfooter) is now added to the footer of
  e-mails sent with Special:Emailuser
* Add support for Hijri (Islamic) calendar
* Add a new hook LinkerMakeExternalImage to allow extensions to modify the
  output of external (hotlinked) images.
* (bug 14604) Introduced the following features for the LanguageConverter:
  Multi-tag support, single conversion flag, remove conversion flag on a single
  page, description flag, variant name, multi-variant fallbacks.
* Add zh-mo and zh-my variants for the zh language
* (bugs 4832, 9481, 12890) Special:Recentchangeslinked now has all options that
  are in Special:Recentchanges
* Allow an $error message to be passed to ArticleDelete hook
* Allow extensions to modify the user creation form by calling addInputItem();
* Add meta generator tag to HTML output
* MediawikiPerformAction hook is now passed the Mediawiki object
* Added blank special page Special:BlankPage for benchmarking, etc.
* Foreign repo file descriptions and thumbnails are now cached.
* (bug 11732) Allow localisation of edit button images
* Allow the search box, toolbox and languages box in the Monobook sidebar to be
  moved around arbitrarily using special sections in [[MediaWiki:Sidebar]]:
  SEARCH, TOOLBOX and LANGUAGES
* Add a new hook NormalizeMessageKey to allow extensions to replace messages
  before the database is potentially queried
* (bug 9736) Redirects on Special:Fewestrevisions are now marked as such.
* New date/time formats in Cs localization according to ČSN and PČP.
* Special:Recentchangeslinked now includes changes to transcluded pages and
  displayed images; also, the "Show changes to pages linked" checkbox now works
  on category pages too, showing all links that are not categorizations
* (bug 4578) Automatically fix redirects broken by a page move

=== Bug fixes in 1.13 ===

* (bug 10677) Add link to the file description page on the shared repository
* (bug 13084) Increase size of source/destination filename fields in upload form
* (bug 13115) rebuildrecentchanges should print the current value of $wgRCMaxAge
* (bug 13140) Show parent categories in category namespace
* (bug 13149) Correctly format 'fileexists' message on Upload page
* Make the default filepageexists message accurate
* (bug 12988) $wgMinimalPasswordLength no longer breaks create user by email
* (bug 13022) Fix upload from URL on PHP 5.0.x
* (bug 13132) Unable to unprotect pages protected with earlier versions of
  MediaWiki
* (bug 12723) OpenSearch description name now uses more compact language code
  to avoid passing the length limit as often, is customizable per site via
  'opensearch-desc' message.
* (bug 13135) Special:Userrights now passes IDs through form submission
  to allow functionality on not-quite-right usernames
* (bug 12575) Prevent duplicate patrol log entries from being created
* (bug 13174) __HIDDENCAT__ now applies only to category pages
* (bug 13031) Add links to user pages in e-mail form
* (bug 13147) Description for categoriespagetext (used in Special:Categories)
  reworded
* (bug 11561) Fix fatal error when calling action=revert to non-image page
* (bug 12430) Fix call to private method LinkFilter::makeRegex fatal error in
  maintenance/cleanupSpam.php
* All skins should have the "mediawiki" class on the body element
* (bug 13019) Message cache for some extensions not loaded at time of editing
* (bug 13247) Prettified ISBN links
* maintenance/refreshLinks.php did not fix page_id 1 with the --new-only option
* (bug 13110) Don't show "Permission error" page if the edit is already rolled
  back when using rollback
* (bug 13012) Use content messages for block options when generating the
  recentchanges entry
* (bug 13274) Change links for messages to ucfirst
* (bug 13273) Un-hardcode some punctuation (add new messages colon-separator,
  autocomment-prefix)
* Parse MediaWiki message translations with a correct language setting on
  preview
* (bug 13281) Treat X-Forwarded-For, Client-ip and User-Agent headers as
  case-insensitive names.
* Adding the fix for lists in RTL wikis to more skins, and fixing the image toc
* (bug 8157) Remove redirects from Special:Unusedtemplates. Patch by WebBoy.
* (bug 10721) Duplicate section anchors with differing case now disambiguated
  for Internet Explorer's sake and standards compliance
* (bug 13298) Tighter limits on Special:Newpages limits when embedding
* Email subject in content language instead of sending user's UI language
* (bug 13251) Allow maintenance rebuild scripts to work with Postgres
* (bug 2084) Fixed incorrect regex to match redirects
* (bug 3131) Manually-specified upload destination filename is no longer
  overwritten by browsing for a file after you wrote it.
* (bug 7251) Sidebars generated by MediaWiki:Sidebar now have the class
  'generated-sidebar'.
* (bug 13265) Media handler is missing 'image/x-bmp'
* (bug 13407) MediaWiki:Powersearch is used in two places
* (bug 13403) Fix cache invalidation of history pages when old revisions change
* (bug 11563) Deprecated SearchMySQL4 class; merged code to SearchMySQL
* (bug 12801) Fix link in subtitle message in AJAX search
* (bug 13428) Fix regression in protection form layout HTML validity
* (bug 9403) Sanitize newlines from search term input
* (bug 13429) Separate date and time in message sp-newimages-showfrom
* (bug 13137) Allow setting 'editprotected' right separately from 'protect',
  so groups may optionally edit protected pages without having 'protect' perms
* Disallow deletion of big pages by means of moving a page to its title and
  using the "delete and move" option.
* (bug 13466, 13632) White space differences not shown in diffs
* (bug 1953) Search form now honors namespace selections more reliably
* (bug 12294) Namespace class renamed to MWNamespace for PHP 5.3 compatibility
* PHP 5.3 compatibility fix for wfRunHooks() called with no parameters
* (bug 6447) Trackbacks now work with transactional tables, if enabled
* (bug 6892, 7147) Trackback error handling, optional fields more robust
* (bug 6813) Don't break HTML validator when using trackbacks
* Fix for size checks on SVG images with global 'stroke-width' attribute
* (bug 11874) Inline CSS with !important no longer broken
* (bug 1600) Strip extra == section markup == in new-comment field
* (bug 11325) Wrapped page titles in MonoBook skin spaced more nicely
* (bug 12077) Fix HTML nesting for TOC
* (bug 344) Purge cache for talk/article pages when deleting the other tab
* (bug 13436) Treat image captions correctly when they include option keywords
  (like ending with "px" or starting with "upright")
* Trackback display formatting fixed
* Don't die when single-element arrays are passed to SQL query constructors
  that have an array index other than 0
* (bug 13522) Fix fatal error in Parser::extractTagsAndParams
* (bug 13532) Use proper timestamp call when reverting images
* (bug 13543) Updated FAQ link in the installer sidebar
* (bug 13540) Date format in confirmation e-mail now matches message language
* (bug 13554) PHP Notice in old pre-processor when list item is empty.
* (bug 13556) Don't show a blank form if no image is attached in Special:Upload
* (bug 13576) maintenance/rebuildrecentchanges.php fails
* (bug 13441) Allow Special:Recentchanges to show bots only
* (bug 13431) Show true message source in Special:Allmessages&ot=php / xml
* (bug 13463) Login successful page doesn't use user's preferred interface
  language
* (bug 13630) Fixed warnings for pass by reference at call time in
  Special:Revisiondelete when generating the log entry.
* (bug 12064) BeforePageDisplay hook is now called for all skins
* (bug 13624) Fix regression with manual thumb= parameter on images
* (bug 11039) Add missing labels on protection form
* (bug 13458) Preview/edit toolbar spacing now works consistently
* (bug 13433) Fix action=render on Image: pages
* (bug 13678) Fix CSS validation for Monobook
* (bug 13684) Links in Special:ListGroupRights should be in content language
* (bug 13690) Fix PHP notice on accessing some URLs
* Hide (undo) link if user isn't able to edit page
* Invalidate cache of pages that includes images via redirects on upload
* (bug 13705) Don't show rollback link in page history on incorrect revisions
* (bug 13708) Don't set "Search results" title when loading Special:Search
  without query
* (bug 13736) Don't show MediaWiki:Anontalkpagetext on non-existent IP addresses
* (bug 13728) Don't trim initial whitespace during section edits
* (bug 13727) Don't delete log entries from recentchanges on page deletion
* (bug 13752) Redirects to sections now work again
* (bug 13725) Upload form watch checkbox state set correctly with wpDestFile
* (bug 13756) Don't show the form and navigation links of Special:Newpages if
  the page is included
* When hiding things on WhatLinksHere, generated URLs should hide them too
* Properly escape search terms with regex chars so they appear highlighted in
  search results
* (bug 13768) pt_title field encoding fixed
* Do not display empty columns on Special:UserRights if all groups are
  changeable or all unchangeable
* Fix fatal error on calling PAGESINCATEGORY with invalid category name
* (bug 13793) Special:Whatlinkshere filters wrong - after paginating instead of
  before
* (bug 13796) Show links to parent pages even if some of them are missing
* (bug 13816) Filter by main namespace doesn't work on WhatLinksHere
* (bug 13822) Fatal error on some pages when calculating subpage subtitle
* (bug 13824) AJAX search suggestion now works with non-SkinTemplate skins
* Added 'application/x-dia-diagram' to MediaWiki's known MIME types
* (bug 13866) skins/common/shared.css - invalid attribute fixing
* Hide edit section links on Special:Undelete
* (bug 13860) Fix "Justify paragraphs" option for Modern skin
* (bug 13168) accessibility links in Modern skin link to wrong anchor id
* (bug 13185) No line break after 'subpages' class in Modern skin
* (bug 13583) No "poweredby" in Modern skin
* (bug 13880) "Printable" link in Modern skin now formats as print mode
* (bug 13885) Bump default $wgSVGMaxSize from 1024 to 2048 pixels
* (bug 13891) Show categories box even if all categories are hidden and user has
  "show hidden categories" option on
* (bug 13915) Undefined variable $wltsfield in includes/SpecialWatchlist.php
* (bug 13913) Special:Whatlinkshere now has correct HTML markup
* (bug 13905) Blacklist Mac IE from HttpOnly cookies; it eats them sometimes
* (bug 13922) Fix bad HTML on empty Special:Prefixindex and Special:Allpages
* (bug 13924) Fix bad HTML on power search form
* (bug 13820) Fix updater for rev_parent_id population
* (bug 13925) Fix bad HTML on search results list
* (bug 13934) Fixing the link to GNU General Public License Version 2
* Show correct accesskey prefix for Firefox 3 beta (Alt-Shift-, not Alt-)
* (bug 13949) Special:PrefixIndex/AllPages paging links contain invalid XML
* (bug 13770) Use Preprocessor_Hash by default to avoid missing DOM module
  errors
* (bug 13982) Disable ccmeonemails preference when user-to-user mails disabled
* (bug 13615) Update case mappings and normalization to Unicode 5.1.0
  Note that case mappings will only be used if mbstring extension is not
  present.
* (bug 14044) Don't increment page view counters on views from bot users
* (bug 14042) Calling Database::limitResult() misplaced the comment in the log
  file
* (bug 14047) Fix regression in installer which hid DB-specific options
  Also makes SQLite path configurable in the installer.
* (bug 13546) Follow image redirects on image page
* (bug 12644) Template list on edit page now sorted on preview
* (bug 14058) Support pipe trick for namespaces and interwikis with "-"
* Message name filter on Special:Allmessages now case-insensitive
* (bug 13943) Fix image redirect behavior on image pages
* (bug 14093) Do 'sysop' => 'protect' magic in Title::isValidMoveOperation
* (bug 14063) Power search form missing <label> for redirects check
* (bug 14111) Similar filename warning links now lead to correct page
* (bug 14082) Fix for complex text input vs AJAX suggestions on some browsers
* (bug 13693) Categories sometimes claim to have a negative number of members
* (bug 1701) Korean Hangul syllables now broken down properly in Category lists
  even if the wiki's overall content language is not Korean
* (bug 12773) addOnloadHook() now calls functions immediately when scripts are
  loaded after the primary page completion, instead of dropping them
* (bug 14199) Fix deletion form for image redirect pages
* (bug 14220) Disabling $wgCheckFileExtensions now works without also
  disabling $wgStrictFileExtensions
* (bug 14241) Pages can no longer be protected to levels you are not in
* (bug 14296) Fix local name of ang: (Anglo-Saxon)
* (bug 4871) Hardcoded superscript in time zone preferences moved to message
* (bug 6957) E-mail confirmation links now using English special page name
  for better compatibility and keeping the links shorter. Avoids problem
  with corrupt links in Gmail on IE 6.
* (bug 14273) Fix for HTTP Accept header parsing with spaces as from Konqueror
* (bug 14312) Update LanguageKaa.php for handling transform issues with i to İ
  and I to ı
* (bug 13826) MediaWiki:Defaultns accepts Wikicode
* (bug 14324) Creating an account is again possible with $wgEmailConfirmToEdit
  set to true
* (bug 13034) Interwiki pages can now be reached using Go search button
* (bug 14362) Change interwiki names of Erzya and Moksha Wikipedias
* (bug 14370) When a grouppage-x message does not exist the entry on the
  ListGroupRights special page now links to the project namespace page for it,
  not the main namespace page.
* (bug 11659) Urldecode image names in galleries
* (bug 14258, 14368) Fix for subpage renames in replication environments
* (bug 14367) Failed block no longer adds phantom watchlist entry
* (bug 14385) "Move subpages" option no longer tries to move to invalid titles
* (bug 14386) Fix subpage namespace oddity when moving a talk page
* (bug 11771) Signup form now not shown if in read-only mode.
* (bug 12859) $wgRateLimitsExcludedGroups has been deprecated in favor of
  $wgGroupPermissions[]['noratelimit'].
* (bug 13828) Split parameter $1 of MediaWiki:Missingarticle into $1 (=title)
  and $2 (=revision numbers)
* (bug 14401) Fix Safari access key tooltips for Windows and >3.1 Mac versions
* (bug 14432) Fix notice regression in Special:Newpages feed mode
* (bug 11951) EditPage::getEditToolbar() is now static.
* (bug 14392) Fix regression breaking table prefix in installer
* (bug 11084) $wgDBprefix replacement for updater SQL will now work for
  extension tables using uppercase letters or digits in their names.
* (bug 12311) Fix regression with lists at start of undeletion preview
* (bug 14496) Fix regression with parseinline on Special:Upload.
* We no longer just give up on a missing upload base directory; it's now
  created automatically if we have sufficient permissions!
* (bug 14479) MediaWiki:upload-maxfilesize should have a div id wrapper
* (bug 14497) Throw visible errors in installer scripts when SQL files
  fail due to database permission or other error
* (bug 14500) Site feed (Recentchanges) no longer shows up on the actual
  recent changes page.
* (bug 14511) MediaWiki:Delete-legend is no longer double escaped
* Generate correct section anchors for numeric headers
* (bug 14520) Don't load nonexistent CSS files for Chick/Myskin/Simple skins
* (bug 14551) Cancel upload no longer automatically suppresses warnings
* (bug 13878) Deprecate Article::getDB() in favor of direct wfGetDB() calls
* (bug 4977) Fix for possible squid purging errors when using HTTP purges
  and multiple servers
* (bug 14572) Redirects listed on file links on image pages no longer redirect.
* (bug 14537) Change interwiki name for Old Church Slavonic (cu)
* (bug 14583) Fix regression in recent changes "limit to certain categories."
* (bug 14515) HTML nesting cleanup on edit form
* (bug 14647) Removed unused 'townBox' CSS classes
* (bug 14687) OutputPage::addStyle() now adds type="text/css" like it should.
* OpenSearch cleanup; Firefox now sends you to the search page for empty
  searches instead of the domain root (which may not even be a wiki).
* (bug 3481) Pages moved shortly after creation are shown at their new title
  on Special:Newpages.
* (bug 12716) Trying to unprotect a title that isn't protected no longer
  generates a log entry.
* (bug 14088) Excessively long block expiry times are rejected as invalid,
  keeps the log page from being distorted.
* (bug 14708) Emulate INSERT...IGNORE with standard SQL for Postgres backend.
* (bug 14646) Fix some double-escaping of HTML in feed output
* (bug 14709) Fix login success message formatting when using cookie check
* (bug 14710) Remove "donate" link from default sidebar
* (bug 14745) Image moving works on sites that transform thumbnails via 404
* (bug 2186) Document.write() in wikibits caused failures when using
  application/xhtml+xml. The calls to this have been removed.
* (bug 14764) Fix regression in Article::lastModified(), failed to work
  on non-MySQL schemas.
* (bug 14763) Child classes of Database (DatabasePostgres and DatabaseOracle)
  had strict standards issues with setFakeSlaveLag() and setFakeMaster().
* (bug 451) Improve the phrase mappings of the Chinese converter arrays.
* (bug 12487) Rights log is not fully internationalized
* (bug 10837) Language variants no longer override other languages than base
* (bug 14778) 'limit' parameter now applies to history feeds as well as
  history pages
* (bug 14845) Bug in prefs javascript: Calling an array item without checking
  its existence.
* Accesskeys for minor edit/watch checkboxes on edit now work in Firefox 3
* (bug 12384) Comments in maintenance/*php
* (bug 12441) ./maintenance/generateSitemap.php fix -fspath requiring
  a trailing slash.
* (bug 12568) configuration script now produces valid XHTML.
* The accesskey to edit a page is now disabled when editing the page, to
  prevent conflicts with Safari shortcuts.

=== API changes in 1.13 ===

* Fixing main page display in meta=siteinfo
* (bug 13128) Added patrolled flag to list=recentchanges
* Implemented {bl,ei,iu}redirect (lists links through redirects as well)
* (bug 13154) Introduced subpages flag to meta=siteinfo&siprop=namespaces
* (bug 13157) Added ucuserprefix parameter to list=usercontribs
* (bug 12394) Added rctitles parameter to list=recentchanges, making rcid
  retrieval easier
* (bug 13218) Fix inclusion of " character in hyperlinks
* Added watch and unwatch parameters to action=delete and action=move
* Added action=edit
* (bug 11401) Added xmldoublequote to xml formatter
* Added rvsection parameter to prop=revisions to allow fetching the content of
  a certain section only
* Introduced list=allimages
* (bug 13371) Build page set from image hashes
* Mark non-existent messages in meta=allmessages as missing
* (bug 13390) One invalid title no longer kills an entire API query
* (bug 13419) Fix gblredirect so it actually works
* (bug 13418) Disable eiredirect because it's useless
* (bug 13395) list=allcategories should use category table
* (bug 13442) Missing pages in prop=langlinks and prop=extlinks are now
  handled properly.
* (bug 13444) Add description to list=watchlist
* (bug 13482) Disabled search types handled properly
* Added inprop=talkid,subjectid to prop=info
* Added help text message that specifies whether a module is POST-only
* Added createonly parameter to action=edit
* Replaced $wgAPIUCUserPrefixMinLength by the more generic $wgAPIMaxDBRows
* (bug 11719) Remove trailing blanks in YAML output.
* (bug 13541) Added siprop=specialpagealiases to meta=siteinfo
* Added fallback8bitEncoding and readonly fields to
  meta=siteinfo&siprop=general output
* (bug 13544) Added prop=revid to action=parse
* (bug 13603) Added siprop=usergroups to meta=siteinfo
* Cleaned up redirect resolution
* Added possibility to obtain all external links through list=exturlusage
* (bug 13606) Added archivename to iiprop
* (bug 11633) Explicitly convert redirect titles to strings due to PHP's
  very weak typing on array keys.
* (bug 12136) Extend allowed characters in JSON callback to ][.'"_A-Za-z0-9
* (bug 11673) Return error 'unknown_action' in specified format
* (bug 13618) Added rcprop=redirect and rcshow=redirect to list=recentchanges
* (bug 13544) Added oldid parameter to action=parse to allow for parsing of old
  revisions
* (bug 13718) Return the proper continue parameter for cmsort=timestamp
* action=login now returns the correct waiting time in the details property
* (bug 13792) Broken titles are now silently skipped in search results.
* (bug 13819) exturlusage paging skipped an item
* Fixed handling of usernames containing spaces in list=block
* (bug 13836) Fixed fatal errors resulting from combining iiprop=metadata with
  format=xml
* (bug 13735) Added prop=categoryinfo module
* (bug 13945) Retrieve cascading protection sources via inprop=protection
* (bug 13965) Hardcoded 51 limit on titles is too limiting
* (bug 13993) apfrom doesn't work with apdir=descending
* (bug 14018) Introduced alcontinue to list=alllinks to improve paging
* (bug 14013) Added rcshow=patrolled to list=recentchanges
* (bug 14028) Added language attribute to interwiki map in meta=siteinfo
* (bug 14022) Added usprop=registration and auprop=blockinfo
* (bug 14021) Removed titles= support from list=backlinks (has been obsolete
  for ages)
* (bug 13829) Expose parse tree via action=expandtemplates
* (bug 13606) Allow deletion of images
* Added iiprop=mime and aiprop=metadata
* Handled unrecognized values for parameters more gracefully
* Handled requesting disallowed tokens more gracefully
* (bug 14140) URL-encoded page titles are now decoded in edit summaries
* (bug 14243) Only accept post requests in action=edit; patch by HardDisk
* action=block now returns an ISO8601 timestamp, like all other modules do
* Added md5 parameter to action=edit
* (bug 14335) Logging in to unified account using API not possible
* Added action=emailuser to send an email to a user
* (bug 14471) Use HTMLTidy and generate limit report in action=parse
* (bug 14459) Added prependtext and appendtext parameters to action=edit
* (bug 14526) Unescaped SQL in list=backlinks
* Added 'hidden' flag to list=allcategories and prop=categoryinfo output
* Added nocreate parameter to action=edit
* (bug 14402) Added maxage and smaxage parameters to api.php
* Added bkip parameter to list=blocks
* (bug 14651) apprefix and similar parameters are now canonicalized
* Added clprop=timestamp to prop=categories
* (bug 14678) API errors now respect $wgShowExceptionDetails and
  $wgShowSQLErrors
* (bug 14723) Added time zone and writing direction to meta=siteinfo
* Added APIQueryInfoTokens and APIQueryRevisionsTokens hooks so extensions
  can add their own tokens
* Added block and unblock tokens to prop=info as well
* Added paging (limit and continue parameters) to
  prop={links,templatelinks,langlinks,extlinks,categories,images}
* Added flag "top" to list=usercontribs if the user is the last contributor to
  the page
* list=exturlusage in "list all links" mode can now filter by protocol

== MediaWiki 1.12 ==

== MediaWiki 1.12.4 ==

February 7, 2009

A number of cross-site scripting (XSS) security vulnerabilities were discovered
in the web-based installer (config/index.php). These vulnerabilities all
require a live installer -- once the installer has been used to install a wiki,
it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack any
website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used to
attack the active service.

If you are hosting an old copy of MediaWiki that you have never installed, you
are advised to remove it from the web.

== MediaWiki 1.12.3 ==

* Fixed packaging/distribution error. Many files were missing from the
distributed tarball.

== MediaWiki 1.12.2 ==

David Remahl of Apple's Product Security team has identified a number of
security issues in previous releases of MediaWiki. Subsequent analysis by the
MediaWiki development team expanded the scope of these vulnerabilities. The
issues with a significant impact are as follows:

* A local script injection vulnerability affecting Internet Explorer clients
for all MediaWiki installations with uploads enabled. [CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG scripting
capability (such as Firefox 1.5+), for all MediaWiki installations with SVG
uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
installations since the feature was introduced in 1.3.0. [CVE-2008-5252]

A local script injection vulnerability allows an attacker with a wiki account
to steal another user's login session, and to act as that user on the wiki. The
attacker uploads a malicious script file, and tricks the victim into executing
it.

CSRF vulnerabilities allow an attacker to act as an authorised user on the
wiki, but unlike an XSS vulnerability, the attacker can only act as the user in
a specific and restricted way. The present CSRF vulnerability allows pages to
be edited, with forged revision histories. Like an XSS vulnerability, the
authorised user must visit the malicious web page to activate the attack.

These three vulnerabilities are all fixed in this release.

David Remahl also reminded us of some security-related configuration issues:

* By default, MediaWiki stores a backup of deleted images in the images/deleted
directory. If you do not want these images to be publicly accessible, make
sure this directory is not accessible from the web. MediaWiki takes some steps
to avoid leaking these images, but these measures are not perfect.
* Set display_errors=off in your php.ini to avoid path disclosure via PHP fatal
errors. This is the default on most shared web hosts.
* Enabling MediaWiki's debugging features, such as $wgShowExceptionDetails, may
lead to path disclosure.

Other changes in this release:

* Avoid fatal error in profileinfo.php when not configured.
* Add a .htaccess to deleted images directory for additional protection against
exposure of deleted files with known SHA-1 hashes on default installations.
* Avoid streaming uploaded files to the user via index.php. This allows
security-conscious users to serve uploaded files via a different domain, and
thus client-side scripts executed from that domain cannot access the login
cookies. Affects Special:Undelete, img_auth.php and thumb.php.
* When streaming files via index.php, use the MIME type detected from the file
extension, not from the data. This reduces the XSS attack surface.
* Blacklist redirects via Special:Filepath. Such redirects exacerbate any XSS
vulnerabilities involving uploads of files containing scripts.
* Internationalisation updates.

== MediaWiki 1.12.1 ==

Changes since 1.12.0:
* (bug [[bugzilla:13522|13522]]) Fix fatal error in Parser::extractTagsAndParams
* (bug [[bugzilla:12077|12077]]) Fix HTML nesting for TOC
* (bug [[bugzilla:13532|13532]]) Use proper timestamp call when reverting images
* (bug [[bugzilla:13649|13649]], [[bugzilla:14084|14084]]) Bad call to
wfTimestamp()
* (bug [[bugzilla:13770|13770]]) Use Preprocessor_Hash by default to avoid
missing DOM module errors
* (bug [[bugzilla:13442|13442]]) API: Missing pages in prop=langlinks and
prop=extlinks are now handled properly.
* (bug [[bugzilla:13482|13482]]) API: Disabled search types handled properly
* (bug [[bugzilla:13836|13836]]) API: Fixed fatal errors resulting from
combining iiprop=metadata with format=xml
* (bug [[bugzilla:11633|11633]]) API: Explicitly convert redirect titles to
strings due to PHP's very weak typing on array keys.
* API: Fixing main page display in meta=siteinfo
* (bug [[bugzilla:11719|11719]]) API: Remove trailing blanks in YAML output.
* (bug [[bugzilla:13718|13718]]) API: Return the proper continue parameter for
cmsort=timestamp
* Security: Work around misconfiguration by requiring strict comparisons for
in_array in User::isAllowed().
* Security: Fixed XSS vulnerability in useskin parameter.

== MediaWiki 1.12.0 ==

This is the quarterly branch release of [[MediaWiki]] for Winter 2008.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept "ready
to run", and in fact runs our own sites on [[wikipedia:|Wikipedia]].

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments will be
made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it
from source control: [[Download from SVN]].

Changes since 1.12.0rc1:
* (bug [[bugzilla:13359|13359]]) Double-escaping in [[Special:Allpages]].
* Localization updates.

== MediaWiki 1.12.0rc1 ==

This is a release candidate of the Winter 2008 quarterly snapshot release of
[[MediaWiki]].

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept "ready
to run", and in fact runs our own sites on [[wikipedia:|Wikipedia]].

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments will be
made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it
from source control: [[Download from SVN]].

This is the Winter 2007 quarterly release.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: https://www.mediawiki.org/wiki/Download_from_SVN

=== Configuration changes in 1.12 ===
* Marking edits as bot edits with Special:Contributions?bot=1 now requires the
  markbotedit permission, rather than the rollback permission previously used.
  This permission is assigned by default to the sysop group.
* MediaWiki now checks if serialized files are out of date. New configuration
  variable $wgCheckSerialized can be set to false to enable old behavior (i.e.
  to not check and assume they are always up to date)
* The rollback permission can now be rate-limited using the normal mechanism.
* New configuration variable $wgExtraLanguageNames
* Behavior of $wgAddGroups and $wgRemoveGroups changed. New behavior:
* * Granting the userrights privilege allows arbitrary changing of rights.
* * Without the userrights privilege, a user will be able to add and/or
     remove the groups specified in $wgAddGroups and $wgRemoveGroups for
     any groups they are in.
* New permission userrights-interwiki for changing user rights on foreign wikis.
* $wgImplicitGroups for groups that are hidden from Special:Listusers, etc.
* $wgAutopromote: automatically promote users who match specified criteria
* $wgGroupsAddToSelf, $wgGroupsRemoveFromSelf: allow users to add or remove
  themselves from specified groups via Special:Userrights.
* When $wgUseTidy has been enabled, PHP's Tidy module is now used if it is
  present, in preference to an external Tidy executable which may or may not
  be present. To force use of external Tidy even when the PHP module is
  available, set $wgTidyInternal to false.


=== New features in 1.12 ===
* (bug 10735) Add a warning for non-descriptive filenames at Special:Upload
* Add {{filepath:}} parser function to get full path to an uploaded file,
  complementing {{fullurl:}} for pages.
* (bug 11136) If using Postgres, search path is explicitly set if wgDBmwschema
  is not set to 'mediawiki', allowing multiple mediawiki instances per user.
* (bug 11151) Add descriptive <title> to revision history page
* (bug 5412) Add feed links for the site to all pages
* (bug 11353) Add ability to retrieve raw section content via action=raw
* (bug 6909) Show relevant deletion log lines when uploading a previously
  deleted file
* On SkinTemplate based skins (like MonoBook), omit confusing "edit"/"view
  source" tab entirely if the page doesn't exist and the user isn't allowed to
  create it
* Clarify instructions given when an exception is thrown
* AuthPlugin added strictUserAuth() method to allow per-user override
  of the strict() authentication behavior.
* (bug 7872) Deleted revisions can now be viewed as diffs showing changes
  against the previous revision, whether currently deleted or live.
* Added tooltips for the "Go" and "Search" buttons
* (bug 11649) Show input form when Special:Whatlinkshere has no parameters
* isValidEmailAddr hook added to User method of that name, to allow, e.g.,
  restricting e-mail addresses to a specific domain
* Removed "Clear" link in watchlist editor tools, as people were afraid to
  click it. Existing clear links will fall back to the raw editor, which is
  very easy to clear your watchlist with.
* (bug 1405) Add wgUseNPPatrol option to control patrolling for new articles
  on Special:Newpages
* LogLine hook added to allow formatting custom entries in Special:Log.
* Support for Iranian calendar
* (bug 1401) Allow hiding logged-in users, bots and patrolled pages on
  Special:Newpages
* ChangesListInsertArticleLink hook added for adding extra article info to RC.
* MediaWikiPerformAction hook added for diverting control after the main
  globals have been set up but before any actions have been taken.
* BeforeWatchlist hook added for filtering or replacing watchlist.
* SkinTemplateTabAction hook added for altering the properties of tab links.
* OutputPage::getRedirect public method added.
* (bug 11848, 12506) Allow URL parameters 'section', 'editintro' and 'preload'
  in Special:Mypage and Special:Mytalk
* Add ot=raw to Special:Allmessages
* Support for Hebrew calendar
* Support for Hebrew numerals in dates and times
* (bug 11315) Signatures can be configured in [[MediaWiki:Signature]] and
  [[MediaWiki:Signature-anon]]
* Signatures for anonymous users link to Special:Contributions page rather than
  user page
* Added --override switch for disabled pages in updateSpecialPages.php
* Provide a unique message (ipb_blocked_as_range) if unblock of a single IP
  fails because it is part of a blocked range.
* (bug 3973) Use a separate message for the email content when an account is
  created by another user
* dumpTextPass.php can spawn fetchText.php as a subprocess, which should restart
  cleanly if database connections fail unpleasantly.
* (bug 12028) Add Special:Listbots as shortcut for Special:Listusers/bot
* (bug 9633) Add a predefined list of delete reasons to the deletion form
* Show a warning message when creating/editing a user (talk) page but the user
  does not exist
* (bug 8396) Ignore out-of-date serialised message caches
* (bug 12195) Undeleting pages now requires 'undelete' permission
* (bug 11810) Localize displayed semicolons
* (bug 11657) Support for Thai solar calendar
* (bug 943) RSS feed for Recentchangeslinked
* Introduced AbortMove hook
* (bug 2919) Protection of nonexistent pages with regular protection interface.
* Special:Upload now lists permitted/prohibited file extensions.
* Split ambiguous filetype-badtype message into two new messages,
  filetype-unwanted-type and filetype-banned-type.
* Added link to the old title in Special:Movepage
* On Special:Movepage, errors are now more noticeable.
* It is now possible to change rights on other local wikis without the MakeSysop
  extension
* Add HTML IDs mw-read-only-warning and mw-anon-edit-warning to warnings when
  editing to allow CSS styling.
* Parser now returns list of sections
* When a user is prohibited from creating a page, a title of "View source"
  makes no sense, and there should be no "Return to [[Page]]" link.
* (bug 12486) Protected titles now give a warning for privileged editors.
* (bug 9939) Special:Search now sets focus to search input box when no existing
  search is active
* For Special:Userrights, use GET instead of POST to search for users.
* Allow subpage syntax for Special:Userrights, i.e., Special:Userrights/Name.
* When submitting changes on Special:Userrights, show the full form again, not
  just the search box.
* Added exception hooks
* (bug 12574) Allow bots to specify whether an edit should be marked as a bot
  edit, via the parameter 'bot'. (Default: '1')
* (bug 12536) User should be able to get MediaWiki version from any page
* (bug 12622) A JavaScript constant to declare whether api.php is available
* Add caching to the AJAX search
* Add APCOND_INGROUPS
* Add DBA caching to installer
* (bug 12585) Added a bunch of parameters to the revertpage message
* Support redirects in image namespace
* (bug 10049) Prefix index search and namespaces in Special:Withoutinterwiki
* (bug 12668) Support for custom iPhone bookmark icon via $wgAppleTouchIcon
* Add option to include templates in Special:Export.
* (bug 12655) Added $wgUserEmailUseReplyTo config option to put sender
  address in Reply-To instead of From for user-to-user emails.
  This protects against SPF problems and privacy-leaking bounce messages
  when using mailers that set the envelope sender to the From header value.
* (bug 11897) Add alias [[Special:CreateAccount]] & [[Special:Userlogin/signup]]
  for Special:Userlogin?type=signup
* (bug 12214) Add a predefined list of delete reasons to the file deletion form
* Merged backends for OpenSearch suggestions and AJAX search.
  Both now accept namespace prefixes, handle 'Media:' and 'Special:' pages,
  and reject interwiki prefixes. PrefixSearch class centralizes this code,
  and the backend part can be overridden by the PrefixSearchBackend hook.
* (bug 10365) Localization of Special:Version
* When installing using Postgres, the Pl/Pgsql language is now checked for
  and installed when at the superuser level.
* The default robot policy for the entire wiki is now configurable via the
  $wgDefaultRobotPolicy setting.
* (bug 12239) Use different separators for autocomments
* (bug 12857) Patrol link on new pages should clear floats
* (bug 12968) Render redirect wikilinks in a redirect class for customization
  via user/site CSS.
* EditPageBeforeEditButtons hook added for altering the edit buttons below the
  edit box

=== Bug fixes in 1.12 ===

* Subpages are now indexed for searching properly when using PostgreSQL
* (bug 3846) Suppress warnings from, e.g. open_basedir when scanning for
  ImageMagick, diff3 et al. during installation [patch by Jan Reininghaus]
* (bug 7027) Shift handling of deletion permissions-checking to
  getUserPermissionsErrors.
* Login and signup forms are now more correct for right-to-left languages.
* (bug 5387) Block log items on RecentChanges don't make use of possible
  translations
* (bug 11211) Pass, as a parameter to the protectedpagetext interface
  message, the level of protection.
* (bug 9611) Supply the blocker and reason for the cantcreateaccounttext
  message.
* (bug 8759) Fixed bug where rollback was allowed on protected pages for wikis
  where rollback is given to non-sysops.
* (bug 8834) Split off permission for editing user JavaScript and CSS from
  editinterface to a new permission key editusercssjs.
* (bug 11266) Set fallback language for Fulfulde (ff) to French
* (bug 11179) Include image version deletion comment in public log
* Fixed notice when accessing special page without read permission and whitelist
  is not defined
* (bug 9252) Fix for tidy funkiness when using editintro mode
* (bug 4021) Fix for MySQL wildcard search
* (bug 10699) Fix for MySQL phrase search
* (bug 11321) Fix width of gallerybox when option "width=xxx" is used
* (bug 7890) Special:BrokenRedirects links deleted redirects to a non-existent
  page
* Fix initial statistics when installing: add correct values
* (bug 11342) Fix several 'returnto' links in permissions/error pages which
  linked to the main page instead of targeted page
* Strike the link to the redirect rather than using an asterisk in
  Special:Listredirects
* (bug 11355) Fix false positives in Safe Mode and other config detection
  when boolean settings are disabled with 'Off' via php_admin_value/php_value
* (bug 11292) Fixed unserialize errors with Postgres by creating special Blob
  object.
* (bug 11363) Make all metadata fields bytea when using Postgres.
* (bug 11331) Add buildConcat() and use CASE not IF for DB compatibility. Make
  oldimage cascade delete via image table for Postgres, change fa_storage_key
  TEXT.
* (bug 11438) Live Preview chops returned text
* Show the right message on account creation when the user is blocked
* (bug 11450) Fix creation of objectcache table on upgrade
* Fix namespace selection after submit of Special:Newpages
* Make input form of Special:Newpages nicer for RTL wikis
* (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name
* (bug 11474) Fix unintentional fall-through in math error handling
* (bug 11478) Fix undefined method call in file deletion interface
* (bug 278) Search results no longer highlight incorrect partial word matches
* Compatibility with incorrectly detected old-style DJVU mime types
* (bug 11560) Fix broken HTML output from weird link nesting in edit comments.
  Nested links (as in image caption text) still don't work _right_ but they're
  less wrong
* (bug 9718) Remove unnecessary css from main.css causing spacing issues on
  some browsers.
* (bug 11574) Add an interface message loginstart, which, similarly to loginend,
  appears just before the login form. Patch by MinuteElectron.
* Do not cache category pages if using 'from' or 'until'
* Created new hook getUserPermissionsErrors, to go with userCan changes.
* Diff pages did not properly display css/js pages.
* (bug 11620) Add call to User::isValidEmailAddr during account creation.
* (bug 11629) If $wgEmailConfirmToEdit is true, require people to supply an
  email address when registering.
* (bug 11612) Days to show in recent changes cannot be larger than 7
* (bug 11131) Change filearchive width/height columns to int for Postgres
* Support plural in undeleted{revisions,revisions-files,files}
* (bug 11343) If the database is read-only, ensure that undelete fails.
* (bug 11690) Show revert link for page moves in Special:Log to allowed users
  only
* Initial-lowercase prefix checks in namespaceDupes.php now actually work.
* Fix regression in LinkBatch.php breaking PHP 5.0
* (bug 11452) wfMsgExt sometimes uses the wrong language object for parsing
  magic words when called with options ''parsemag'' or ''content''.
* (bug 11727) Support plural in 'historysize' message
* (bug 11744) Incorrect return value from Title::getParentCategories()
* (bug 11762) Fix native language name of Akan (ak)
* (bug 11722) Fix inconsistent case in unprotect tabs
* (bug 11795) Be more paranoid about confirming accept-encoding header is
  present
* (bug 11809) Use formatNum() for more numbers
* (bug 11818) Fix native language name of Inuktitut (iu)
* Remove all commas when parsing float numbers in sorted tables
* Limit text field of deletion, protection and user rights changes reasons to
  255 characters (already restricted in the database)
* In the deletion default reasons, calculate how much text to get from the
  article text, rather than getting 150 characters (which may be too much)
* Add two messages for Special:Blockme which were used but undefined
* (bug 11921) Support plural in message number_of_watching_users_pageview
* If an IP address is blocked as part of a rangeblock, attempting to unblock
  the single IP should not unblock the entire range.
* (bug 6695) Fix native language name of Southern Sotho (Sesotho) (st)
* Make action=render follow redirects by default
* If restricted read access was enabled, whitelist didn't work with special
  pages which had spaces in their names
* If restricted read access was enabled, requests for non-existing special pages
  threw an exception
* Feeds for recent changes now provide correct URLs for the change, not just
  the page
* The check for whether an IP is blocked as part of a range when unblocking
  (see above bugfix) was faulty. Now fixed.
* Fixed wpReason URL parameter to action=delete.
* Do not force a password for account creation by email
* Ensure that rate-limiting is applied to rollbacks.
* Make a better rate-limiting error message (i.e. a normal MW error,
  rather than an "Internal Server Error").
* Do not present an image bigger than the source when 'frameless' option is used
  (to be consistent with the 'thumb' option now)
* Support {{PLURAL}} for import log
* Make sure that the correct log entries are shown on Special:Userrights even
  for users with special characters in their names
* The number of watching users in watchlists was always reported as 1
* namespaceDupes.php no longer dies when coming across an illegal title
* (bug 12143) Do not show a link to patrol new pages for non existent pages
* (bug 12166) Fix XHTML validity for Special:Emailuser
* (bug 11346) Users who cannot edit a page can now no longer unprotect it.
* (bug 451) Add a generic Traditional / Simplified Chinese conversion table,
  instead of a Traditional conversion with Taiwan variant, and a Simplified
  conversion with China variant.
* (bug 12178) Fix wpReason parameter to action=delete, again.
* Graceful behavior for updateRestrictions.php if a page already has records
  in the page_restrictions matching its old page_restrictions field.
  May help with odd upgrade issues or race condition.
* (bug 11993) Remove contentsub "revision history"
* (bug 11952) Ensure we quote_ident() all schema names as needed
  inside of the DatabasePostgres.php file.
* (bug 12184) Exceptions now sent to stderr instead of stdout for command-line
  scripts, making for cleaner reporting during batch jobs. PHP errors will also
  be redirected in most cases on PHP 5.2.4 and later, switching 'display_errors'
  to 'stderr' at runtime.
* (bug 12148) Text highlight wasn't applied to cleanly deleted and added
  lines in diff output
* (bug 10166) Fix a PHP warning in Language::getMagic
* Only mark rollback edits as minor if the user can normally mark edits minor
* Escape page names in the move successful page (e.g. for pages with two
  apostrophes).
* (bug 12145) Add localized names of kk-variants
* (bug 12259) Localize the numbers in deleted pages on the sysop view
* Set proper page title for successful file deletion
* (bug 11221) Do not show 'Compare selected versions' button for a history page
  with one revision only
* (bug 12267) Set the default date format to Thai solar calendar for the Thai
  language
* (bug 10184) Extensions' stylesheets and scripts should be loaded before
  user-customized ones (like Common.css, Common.js)
* (bug 12283) Special:Newpages forgets parameters
* (bug 12031) All namespaces doesn't work in Special:Newpages
* (bug 585) Only create searchindex replica table for parser tests if db is
  MySQL
* Allow --record option of parserTests.php to work when using Postgres
* (bug 12296) Simplify cache epoch in default LocalSettings.php
* (bug 12346) XML fix when body double-click and click handlers are present
* Fix regression -- missing feed links in sidebar on Special:Recentchanges
* (bug 12371) Handle more namespace case variants in namespaceDupes.php
* (bug 12380) Bot-friendly EditPage::spamPage
* (bug 8066) Spaces can't be entered in special page aliases
* Hide undo link if user can't edit article
* (bug 12416) Fix password setting for createAndPromote.php
* (bug 3097) Inconsistently usable titles containing HTML character entities
  are now forbidden. A run of cleanupTitles.php will fix up existing pages.
* (bug 12446) Permissions check fix for undelete link
* (bug 12451) AJAX title normalization tweaks
* When a user creating a page is not allowed to either create the page or edit
  it, all applicable reasons are now shown.
* (bug 11428) Allow $wgScript inside $wgArticlePath when emulating PATH_INFO
  Fixes 'root'-style rewrite configurations
* (bug 12493) Removed hardcoded MAX_FILE_SIZE from Special:Import upload form
* (bug 12489) Special:Userrights listed in restricted section again
* (bug 12553) Fixed invalid XHTML in edit conflict screen
* (bug 12505) Fixed section=0 with action=raw
* (bug 12614) Do not log user rights change that didn't change anything
* (bug 12584) Don't reset cl_timestamp when auto-updating sort key on move
* (bug 12588) Fix selection in namespace selector on Special:Newpages
* Use only default options when generating RSS and Atom syndication links.
  This should help prevent infinite link loops that some software may follow,
  and will generally keep feed behavior cleaner.
* (bug 12608) Unifying the spelling of getDBkey() in the code.
* (bug 12611) Bot flag ignored in recent changes
* (bug 12617) Decimal and thousands separators for Romanian
* (bug 12567) Fix for misformatted read-only messages on edit, protect.
  Also added proper read-only checks to several special pages.
  Have removed read-only checks from the general user permission framework.
* Creating a site with a name containing '#' is no longer permitted, since the
  name will not work (but $wgSiteName is not checked if manually set).
* (bug 12695) Suppress dvips verbiage from web server error log
* (bug 12716) Unprotecting a non-protected page leaves a log entry
* Log username blocks with canonical form of name instead of input form
* (bug 11593, 12719) Fixes for overzealous invocation of thumb.php.
  Non-image handlers and full-size images may now decline it, fixing
  mystery failures when using $wgThumbnailScriptPath.
* (bug 12327) Comma in username no longer disrupts mail headers
* (bug 6436) Localization of Special:Import XML parser Error message(s).
* Security fix for API on MSIE
* (bug 12768) Database query syntax error in maintenance/storage/compressOld.inc
* (bug 12753) Empty captions in MediaWiki:Sidebar result in PHP errors
* (bug 12790) Page protection is not logged when edit-protection is used
  and move-protection is not
* (bug 12793) Fix for restricted namespaces/pages in Special:Export
* Fix for Special:Export so it doesn't ignore the page named '0'
* Don't display rollback link if the user doesn't have all required permissions
* The comment of a time-limited protection now contains the date in the default
  format
* (bug 12880) wfLoadExtensionMessages does not use $fallback from MessagesXx.php
* (bug 12885) Correction for Russian convertPlural function
* (bug 12768) Make DatabasePostgres->hasContraint() schema aware.
* (bug 12735) Truncate usernames in comments using mb_ functions.
* (bug 12892) Poor tab indexing on "delete file" form
* (bug 12660) When creating an account by e-mail, do not send the creator's IP
  address
* (bug 12931) Fix wrong global variable in SpecialVersion
* (bug 12919) Use 'deletedrevision' message as content when deleting an old file
  version
* (bug 12952) Using Nosuchusershort instead of Nosuchuser when account creation
  is disabled
* (bug 12869) Magnify icon alignment should be adjusted using linked CSS
* Fixing message cache updates for MediaWiki messages moves
* (bug 12815) Signature timestamps were always in UTC, even if the timezone code
  in parentheses after them claimed otherwise
* (bug 12732) Fix installer and searching to handle built-in tsearch2 for
  Postgres.
* (bug 12784) Change "bool" types to smallint to handle Postgres 8.3 strictness.
* (bug 12301) Allow maintenance/findhooks.php to search hooks in multiple
  directories.
* (bug 7681, 11559) Cookie values no longer override GET and POST variables.
* (bug 5262) Fully-qualified $wgStylePath no longer corrupted on XML feeds
* (bug 3269) Inaccessible titles ending in '/.' or '/..' now forbidden.
* (bug 12935, 12981) Fully-qualify archive URLs in delete, revert messages
* (bug 12938) Fix template expansion and 404 returns for action=raw with section
* (bug 11567) Fix error checking for PEAR::Mail. UserMailer::send() now returns
  true-or-WikiError, which seems to be the calling convention expected by half
  its callers already
* (bug 12846) IE rtl.css issue in RTL wikis special:Preferences when selecting
  an LTR user language
* (bug 13005) DISPLAYTITLE does not work on preview
* (bug 13004) Fix error on Postgres searches that return too many results.

=== Parser changes in 1.12 ===

For help with migration to the MediaWiki 1.12 parser, please visit:

http://meta.wikimedia.org/wiki/Migration_to_the_new_preprocessor

The parser pass order has changed from

   * Extension tag strip and render
   * HTML normalisation and security
   * Template expansion
   * Main section...

to

   * Template and extension tag parse to intermediate representation
   * Template expansion and extension rendering
   * HTML normalisation and security
   * Main section...

The main effect of this for the user is that the rules for uncovered syntax
have changed.

Uncovered main-pass syntax, such as HTML tags, are now generally valid, whereas
previously in some cases they were escaped. For example, you could have "<ta" in
one template, and "ble>" in another template, and put them together to make a
valid <table> tag. Previously the result would have been "&lt;table&gt;".

Uncovered preprocessor syntax is generally not recognised. For example, if you
have "{{a" in Template:A and "b}}" in Template:B, then "{{a}}{{b}}" will be
converted to a literal "{{ab}}" rather than the contents of Template:Ab. This
was the case previously in HTML output mode, and is now uniformly the case in
the other modes as well. HTML-style comments uncovered by template expansion
will not be recognised by the preprocessor and hence will not prevent template
expansion within them, but they will be stripped by the following HTML security
pass.
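
The two pass orders described above, as a toy model added here for illustration
(it is not MediaWiki's parser code). The template store, the tag whitelist and
all function names are assumptions, and template calls are matched with a
simple regular expression rather than the real preprocessor grammar.

```python
import html
import re

# Constructed template store; names and bodies are illustrative only.
TEMPLATES = {
    "Open": "<ta",     # first half of a tag
    "Close": "ble>",   # second half of a tag
    "A": "{{a",        # first half of a template call
    "B": "b}}",        # second half of a template call
    "Ab": "contents of Template:Ab",
    "S1": "<scr",      # halves of a tag that is not on the whitelist
    "S2": "ipt>",
}

# Toy whitelist standing in for the "HTML normalisation and security" pass.
ALLOWED_TAGS = {"table", "tr", "td", "b", "i"}

TEMPLATE_CALL = re.compile(r"\{\{([^{}|]+)\}\}")
TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)>")


def sanitize(text):
    """Keep complete whitelisted tags; escape every other '<', '>' and '&'."""
    out, pos = [], 0
    for match in TAG.finditer(text):
        out.append(html.escape(text[pos:match.start()], quote=False))
        if match.group(2).lower() in ALLOWED_TAGS:
            out.append(match.group(0))
        else:
            out.append(html.escape(match.group(0), quote=False))
        pos = match.end()
    out.append(html.escape(text[pos:], quote=False))
    return "".join(out)


def expand(text, transform=lambda body: body):
    """Expand the template calls present in `text` itself.

    The calls are located before any template body is substituted, so the
    expanded output is never rescanned for new calls ("uncovered" syntax).
    Unknown templates are left as written.
    """
    def substitute(match):
        name = match.group(1).strip()
        body = TEMPLATES.get(name[:1].upper() + name[1:])
        return match.group(0) if body is None else transform(body)

    return TEMPLATE_CALL.sub(substitute, text)


def render_security_before_expansion(text):
    """Model of the old order: each fragment is sanitized before assembly."""
    return expand(sanitize(text), transform=sanitize)


def render_security_after_expansion(text):
    """Model of the 1.12 order: expand first, sanitize the assembled text."""
    return sanitize(expand(text))


if __name__ == "__main__":
    for source in ("{{Open}}{{Close}}", "{{a}}{{b}}", "{{S1}}{{S2}}"):
        print(source)
        print("  security first:", render_security_before_expansion(source))
        print("  security last: ", render_security_after_expansion(source))
```

Because the security pass sees the assembled text in the second order, a tag
split across two templates is judged as a whole: a whitelisted tag passes, and
a tag that is not whitelisted is still escaped.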

Bug 5678 has been fixed. This has a number of user-visible effects related to
the removal of this double-parse. Please see the wiki page for examples.

Message transformation mode has been removed, and replaced with "preprocess"
mode. This means that some MediaWiki namespace messages may need to be updated,
especially ones which took advantage of the terribly counterintuitive behavior
of the former message mode.

The header identification routines for section edit and for numbering section
edit links have been merged. This removes a significant failure mode and fixes a
whole category of bugs (tracked by bug #4899). Wikitext headings uncovered by
template expansion will still be rendered into a heading tag, and will get an
entry in the TOC, but will not have a section edit link. HTML-style headings
will also not have a section edit link. Valid wikitext headings present in the
template source text will get a template section edit link. This is a major
break from previous behavior, but I believe the effects are almost entirely
beneficial.

The main motivation for making these changes was performance. The new two-pass
preprocessor can skip "dead branches" in template expansion, such as unfollowed
#switch cases and unused defaults for template arguments. This provides a
significant performance improvement in template-heavy test cases taken from
Wikipedia. Parser function hooks can participate in this performance improvement
by using the new SFH_OBJECT_ARGS flag during registration.

The pre-expand include size limit has been removed, since there's no efficient
way to calculate such a figure, and it would now be meaningless for performance
anyway. The "preprocessor node count" takes its place, with a generous default
limit.

The context in which XML-style extension tags are called has changed, so
extensions which make use of the parser state may need compatibility changes.

The new preprocessor syntax has been documented in Backus-Naur Form at:

https://www.mediawiki.org/wiki/Preprocessor_ABNF

The ExpandTemplates extension now has the ability to generate an XML parse
tree from wikitext source. This parse tree corresponds closely to the grammar
documented on that page.

=== API changes in 1.12 ===

Full API documentation is available at https://www.mediawiki.org/wiki/API

* (bug 11275) Enable descending sort in categorymembers
* (bug 11308) Allow the API to output the image metadata
* (bug 11296) Temporary fix for escaping of ampersands inside links in
  pretty-printed help document.
* (bug 11405) Expand templates implementation in the API
* (bug 11218) Add option to feedwatchlist to display multiple revisions for each
  page.
* (bug 11404) Provide name of exception caught in error code field of internal
  api error messages.
* (bug 11534) rvendid doesn't work
* Fixed rvlimit of the revisions query to only enforce the lower query limit if
  revision content is requested.
* Include svn revision number (if install is checked-out from svn) in siteinfo
  query.
* (bug 11173) Allow limited wikicode rendering via api.php
* (bug 11572) API should provide interface for expanding templates
* (bug 11569) Login should return the cookie prefix
* (bug 11632) Breaking change: Specify the type of a change in the recentchanges
  list as 'edit', 'new', 'log' instead of 0, 1, 2, respectively.
* Compatibility fix for PHP 5.0.x.
* Add rctype parameter to list=recentchanges that filters by type
* Add apprtype and apprlevel parameters to filter list=allpages by protection
  types and levels
* Add apdir parameter to enable listing all pages from Z to A
* (bug 11721) Use a different title for results than for the help page.
* (bug 11562) Added a user_registration parameter/field to the list=allusers
  query.
* (bug 11588) Preserve document structure for empty dataset in backlinks query.
* Outputting list of all user preferences rather than having to request them by
  name
* (bug 11206) api.php should honor maxlag
* Make prop=info check for restrictions in the old format too.
* Add apihighlimits permission, default for sysops and bots
* Add limit=max to use maximal limit
* Add action=parse to render parser output. Use it instead of action=render
  which has been removed
* Add rvtoken=rollback to prop=revisions
* Add meta=allmessages to get messages from site's messages cache.
* Use bold and italics highlighting only in API help
* Added action={block,delete,move,protect,rollback,unblock,undelete} and
  list={blocks,deletedrevs}
* Fixed sessionid attribute in action=login
* Standardized limits. Revisions and Deletedrevisions formerly using
  200 / 10000, now 500 / 5000, in line with other modules.
* Added list=allcategories module
* (bug 12321) API list=blocks reveals private data
* Fix output of wfSajaxSearch
* (bug 12413) meta=userinfo missing <query> tag
* Add list of sections to action=parse output
* Added action=logout
* Added cascade flag to prop=info&inprop=protections
* Added wlshow parameter to list=watchlist, similar to rcshow
  (list=recentchanges)
* Added support for image thumbnailing to prop=imageinfo
* action={login,block,delete,move,protect,rollback,unblock,undelete} now must be
  POSTed
* prop=imageinfo interface changed: iihistory replaced by iilimit, iistart and
  iiend parameters
* Added amlang parameter to meta=allmessages
* Added apfilterlanglinks parameter to list=allpages, replacing
  query.php?what=nolanglinks
* (bug 12718) Added action=paraminfo module that provides information about API
  modules and their parameters
* Added iiurlwidth and iiurlheight parameters to prop=imageinfo
* Added format=txt and format=dbg, imported from query.php
* Added uiprop=editcount to meta=userinfo
* Added list=users which fetches user information
* Added list=random which fetches a list of random pages
* Added page parameter to action=parse to facilitate parsing of existing pages
* Added uiprop=ratelimits to meta=userinfo
* Added siprop=namespacealiases to meta=siteinfo
* Made multiple values for ucuser possible in list=usercontribs
* (bug 12944) Added cmstart and cmend parameters to list=categorymembers
* Allow queries to have a where range that does not match the range field

== MediaWiki 1.11 ==

== MediaWiki 1.11.2 ==

March 2, 2008

This is a security release of the Fall 2007 snapshot release of MediaWiki.
Possible cross-site information leaks using the callback parameter for
JSON-formatted results in the API are prevented by dropping user credentials.

MediaWiki release versions prior to 1.11 are not vulnerable, as they do not
include the callback feature which allows client-side JavaScript on other sites
to reach API data.

Changes in this release:

* User credentials are dropped for API JSON requests using a callback
* Edit tokens are not reported for API JSON requests using a callback
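
The two changes listed above, sketched as a generic PHP handler. This is an added example, not MediaWiki's code: the function names, the 'session' cookie and the sample data are hypothetical, and the callback-name filter is this example's own safeguard rather than something these notes describe.

```php
<?php
// Added illustration only; not MediaWiki source. All names and sample data
// below are hypothetical/constructed.

/**
 * Resolve the requesting user. A JSONP response can be loaded with
 * <script src=...> from any site, and the browser attaches the victim's
 * cookies, so a request carrying 'callback' is always treated as anonymous.
 */
function resolveUser(array $sessions, array $cookies, array $query): ?array
{
    if (array_key_exists('callback', $query)) {
        return null; // credentials are dropped for callback requests
    }
    $sid = $cookies['session'] ?? '';
    return array_key_exists($sid, $sessions) ? $sessions[$sid] : null;
}

/** Build the response data; edit tokens are never reported with a callback. */
function buildUserInfo(?array $user, array $query): array
{
    $info = [
        'name' => $user === null ? 'anonymous' : $user['name'],
        'anon' => $user === null,
    ];
    if ($user !== null && !array_key_exists('callback', $query)) {
        $info['editToken'] = $user['editToken'];
    }
    return $info;
}

/** Serialise as JSON, or as callback(JSON) when a callback was requested. */
function render(array $sessions, array $cookies, array $query): string
{
    $user = resolveUser($sessions, $cookies, $query);
    $json = json_encode(buildUserInfo($user, $query), JSON_HEX_TAG | JSON_HEX_AMP);
    if (!array_key_exists('callback', $query)) {
        return $json;
    }
    // Example's own safeguard: keep only identifier characters and dots.
    $callback = preg_replace('/[^A-Za-z0-9_.]/', '', (string)$query['callback']);
    return $callback === '' ? $json : $callback . '(' . $json . ')';
}

// Constructed sample data: one logged-in session.
$sessions = [
    'sess-alice' => ['name' => 'Alice', 'editToken' => 'constructed-token-123'],
];
$cookies = ['session' => 'sess-alice'];

// Same cookies, with and without a callback parameter.
echo render($sessions, $cookies, []), "\n";
echo render($sessions, $cookies, ['callback' => 'handleData']), "\n";
```

The first call returns Alice's data including the token; the second, with the same cookie, returns only the anonymous view wrapped in the callback.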

== MediaWiki 1.11.1 ==

January 23, 2008

This is a security and bugfix release of the Fall 2007 snapshot release of
MediaWiki. A potential XSS injection vector affecting api.php only for
Microsoft Internet Explorer users has been closed.

Changes in this release:
* (bug 11450) Fix creation of objectcache table on upgrade
* (bug 11462) Fix typo in LanguageGetSpecialPageAliases hook name
* Fix regression in LinkBatch.php breaking PHP 5.0
* Security fix for API on MSIE

To work around the vulnerability without upgrading, you may disable the API if
you don't need it:
  $wgEnableAPI = false;

Not vulnerable versions:
* 1.12 or later
* 1.11 >= 1.11.1
* 1.10 >= 1.10.3
* 1.9 >= 1.9.5
* 1.8 any version (if $wgEnableAPI has been left off)

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.2
* 1.9 <= 1.9.4
* 1.8 any version (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the API
functionality; however, the BotQuery extension is similarly vulnerable unless
updated to the latest SVN version.

== MediaWiki 1.11.0 ==

September 10, 2007

This is the Fall 2007 snapshot release of MediaWiki.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept "ready
to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments will be
made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it
from source control: https://www.mediawiki.org/wiki/Download_from_SVN

This is the Summer 2007 branch release of MediaWiki.

== Changes since 1.11.0rc1 ==

A possible HTML/XSS injection vector in the API pretty-printing mode has been
found and fixed.

The vulnerability may be worked around in an unfixed version by simply
disabling the API interface if it is not in use, by adding this to
LocalSettings.php:

  $wgEnableAPI = false;

(This is the default setting in 1.8.x.)

Not vulnerable versions:
* 1.11 >= 1.11.0
* 1.10 >= 1.10.2
* 1.9 >= 1.9.4
* 1.8 >= 1.8.5

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the faulty
function; however, the BotQuery extension is similarly vulnerable unless
updated to the latest SVN version.

== Configuration changes since 1.10 ==

* $wgThumbUpright - Adjust width of upright images when parameter 'upright' is
  used
* $wgAddGroups, $wgRemoveGroups - Finer control over who can assign which
  usergroups
* $wgEnotifImpersonal, $wgEnotifUseJobQ - Bulk mail options for large sites
* $wgShowHostnames - Expose server host names through the API and HTML comments
* $wgSaveDeletedFiles has been removed; the feature is now enabled
  unconditionally

== New features since 1.10 ==

* (bug 8868) Separate "blocked" message for autoblocks
* Adding expiry of block to block messages
* Links to redirect pages in categories are wrapped in
  <span class="redirect-in-category"></span>
* Introduced 'ImageOpenShowImageInlineBefore' hook; see docs/hooks.txt for
  more information
* (bug 9628) Show warnings about slave lag on Special:Contributions,
  Special:Watchlist
* (bug 8818) Expose "wpDestFile" as parameter $1 to "uploaddisabledtext"
* Introducing new image keyword 'upright' and corresponding variable
  $wgThumbUpright. This allows a better proportional view of upright images
  relative to landscape images on a page without nailing the width of upright
  images to a fixed value, which makes views for anonymous users
  disproportionate and user preferences useless
* (bug 6072) Introducing 'border' keyword to the [[Image:]] syntax
* Introducing 'frameless' keyword to [[Image:]] syntax which respects the
  user preferences for image width like 'thumb' but without a frame.
* (bug 7960) Link to "what links here" for each "what links here" entry
* Added support for configuration of an arbitrary number of commons-style
  file repositories.
* Added a Content-Disposition header to thumb.php output
* Improved thumb.php error handling
* Display file history on local image description pages of shared images
* Added $wgArticleRobotPolicies
* (bug 10076) Additional parameter $7 added to MediaWiki:Blockedtext
  containing, the ip, ip range, or username whose block is affecting the
* (bug 7691) Show relevant lines from the deletion log when re-creating a
  previously deleted article
* Added variables 'wgRestrictionEdit' and 'wgRestrictionMove' for JS to header
* (bug 9898) Allow viewing all namespaces in Special:Newpages
* (bug 10139) Introduce 'EditSectionLink' and 'EditSectionLinkForOther' hooks;
  see docs/hooks.txt for details
* (bug 9769) Provide "watch this page" toggle on protection form
* (bug 9886) Provide clear example "stub link" in Special:Preferences
* (bug 10055) Populate email address and real name properties of User objects
  passed to the 'AbortNewAccount' hook
* Show result of Special:Booksources in wiki content language always, it's
  normally better maintained than the generic list from the standard message
  files
* (bug 7997) Allow users to be blocked from using Special:Emailuser
* (bug 8989) Blacklist 'mhtml' and 'mht' files from upload
* (bug 8760) Allow wiki links in "protectexpiry" message
* (bug 5908) Add "DEFAULTSORTKEY" and "DEFAULTCATEGORYSORT" aliases for
  "DEFAULTSORT" magic word
* (bug 10181) Support the XCache object caching mechanism
* (bug 9058) Introduce '--aconf' option for all maintenance scripts, to provide
  a path to the AdminSettings.php file
* (bug 8781) Remind users to check file permissions for LocalSettings.php
  post-installation
* Use shared.css for all skins and oldshared.css in place of common.css for
  pre-Monobook skins.  As always, modifications should go in-wiki to
  MediaWiki:Common.css and MediaWiki:Monobook.css.
* (bug 8869) Introduce Special:Uncategorizedtemplates
* (bug 8734) Different log message when article protection level is changed
* (bug 8458, 10338) Limit custom signature length to $wgMaxSigChars Unicode
  characters
* (bug 10096) Added an ability to query interwiki map table
* On reupload, add a null revision to the image description page
* Group log output by date
* Kurdish interface latin/arabic writing system with transliteration
* Support wiki text in all query page headers
* Add 'Orphanedpages' as an alias to Special:Lonelypages
* (bug 9328) Use "revision-info-current" message in place of "revision-info"
  when viewing the current revision of a page, if available
* (bug 8890) Enable wiki text for "license" message
* Throw a showstopper exception when a hook function fails to return a value.
  Forgetting to give a 'true' return value is a very common error which tends
  to cause hard-to-track-down interactions between extensions.
* Use $wgJobClasses to determine the correct Job to instantiate for a particular
  queued task; allows extensions to introduce custom jobs
* (bug 10326) AJAX-based page watching and unwatching has been cleaned up and
  enabled by default.
* Added option to install to MyISAM
* (bug 9250) Remove hardcoded minimum image name length of three characters
* Fixed DISPLAYTITLE behavior to reject titles which don't normalise to the
  same title as the current page, and enabled it by default
* Wrap site CSS and JavaScript in a <pre> tag, like user JS/CSS
* (bug 10196) Add classes and dir="ltr" to the <pre>s on CSS and JS pages (new
  classes: mw-code, mw-css, mw-js)
* (bug 6711) Add $wgAddGroups and $wgRemoveGroups to allow finer control over
  usergroup assignment.
* Introduce 'UserEffectiveGroups' hook; see docs/hooks.txt for more information
* (bug 10387) Detect and handle '.php5' extension environments at install time
* Introduce 'ShowRawCssJs' hook; see docs/hooks.txt for more information
* (bug 10404) Show rights log for the selected user in Special:Userrights
* New javascript for upload page that will show a warning if a file with the
  "destination filename" already exists.
* Add 'editsection-brackets' message to allow localization (or removal) of the
  brackets in the "[edit]" link for sections
* (bug 10437) Move texvc styling to shared.css
* Introduce "raw editing" mode for the watchlist, to allow bulk additions,
  removals, and convenient exporting of watchlist contents
* Show "undo" links in page histories
* Option to jump to specified time period in user contributions
* Improved feedback on "rollback success" page
* Show distinct 'namespaceprotected' message to users when namespace protection
  prevents page editing
* (bug 9936) Per-edit suppression of preview-on-first edit with "preview=no"
* Allow showing a one-off preview on first edit with "preview=yes"
* (bug 9151) Remove timed redirects on "Return to X" pages for accessibility.
* Link to user logs in toolbox when viewing a user page
* (bug 10508) Allow HTML attributes on <gallery>
* (bug 1962) Allow HTML attributes on <math>
* (bug 10530) Introduce optional "sp-contributions-explain" message for
  additional explanation in Special:Contributions
* (bug 10520) Preview licences during upload via AJAX (toggle with
  $wgAjaxLicensePreview)
* New Parser::setTransparentTagHook for parser extension and template
  compatibility
* Introduced 'ContributionsToolLinks' hook; see docs/hooks.txt for more
  information
* Add a message if category is empty
* Add CSS compatibility for Opera 9.5
* Remove largely untested handheld stylesheet, which was causing more trouble
  than good.  Proper handheld support will be added at a future date.  For now,
  display should be acceptable either with CSS turned off or when using a
  sophisticated handheld browser.
* (bug 3173) Option to offer exported pages as a download, rather than
  displaying inline, as in most browsers
* Pass the user as an argument to 'isValidPassword' hook callbacks; see
  docs/hooks.txt for more information
* Introduce 'UserGetRights' hook; see docs/hooks.txt for more information
* (bug 9595) Pass new Revision to the 'ArticleInsertComplete' and
  'ArticleSaveComplete' hooks; see docs/hooks.txt for more information
* (bug 9575) Accept upload description from GET parameters
* Skip the difference engine cache when 'action=purge' is used while requesting
  a difference page, to allow refreshing the cache in case of errors
* (bug 10701) Link to Special:Listusers in default Special:Statistics messages
* Improved file history presentation
* (bug 10739) Users can now enter comments when reverting files
* Improved handling of permissions errors
* (bug 10793) "Mark patrolled" links will now be shown for users with
  patrol permissions on all eligible diff pages
* (bug 10655) Show standard tool links for blocked users in block log messages
* Show standard tool links for blocked users in Special:Ipblocklist
* Miscellaneous aesthetic improvements to Special:Ipblocklist
* (bug 10826) Added link trail with Cyrillic characters for Mongolian language
* (bug 10859) Introduce 'UserGetImplicitGroups' hook; see docs/hooks.txt for
  more information
* (bug 10832) Include user information when viewing a deleted revision
* (bug 10872) Fall back to sane defaults when generating protection selector
  labels for custom restriction levels
* Show edit count in user preferences
* Improved support for audio/video extensions
* (bug 10937) Distinguish overwritten files in upload log
* Introduce 'ArticleUpdateBeforeRedirect' hook; see docs/hooks.txt for more
  information
* Confirmation is now required when deleting old versions of files
* (bug 7535) Users can now enter comments when deleting old versions of files
* (bug 11001) Submit Special:Newpages as a GET, rather than a POST request
* The <strong></strong> around links to watched pages in change lists now
  has a class - "mw-watched"
* (bug 9002) Provide a "view/restore deleted edits" link on Special:Upload
  when a destination filename is provided that corresponds with previous
  deleted files
* Make the "invalid special page" message clearer
* Add accesskey 's' and tooltip to 'upload file' button at Special:Upload
* Introduced 'SkinAfterBottomScripts' hook; see docs/hooks.txt for
  more information
* (bug 11095) Honour "preview on first edit" preference when preloading
  text for a non-existent page
* (bug 11022) Use a more accurate page title for Special:Whatlinkshere and
  Special:Recentchangeslinked
* Add link to user contributions in normal watchlist edit mode
* (bug 9426) Add 'newsectionheaderdefaultlevel' message to allow
  modification of the heading formatting for new sections when section=new
  argument is supplied
* (bug 10836) Add 'newsectionsummary' message to allow modification of the
  text that prefixes a new section link in Recent Changes

== Bugfixes since 1.10 ==

* (bug 9712) Use Arabic comma in date/time formats for Arabic and Farsi
* (bug 9670) Follow redirects when rendering edit section links to transcluded
  templates.
* (bug 6204) Fix incorrect unindentation with $wgMaxTocLevel
* (bug 3431) Suppress "next page" link in Special:Search at end of results
* Don't show unblock form if the user doesn't have permission to use it
  (cosmetic change, no vulnerabilities existed)
* Subtitle success message when unblocking a block ID instead of a pseudo link
  like [[User:#123|#123]]
* Use the standard HTTP fetch functions when retrieving remote wiki pages
  through transwiki, so we can take advantage of cURL goodies if available
* Disable user JavaScript on Special:Userlogin, Special:Resetpass and
  Special:Preferences, to avoid a compromised script sniffing passwords, etc.
* (bug 9854, 3770) Clip overflow text in gallery boxes for visual cleanliness
  instead of letting it flow outside the box or trigger ugly scroll bars.
* Tooltips for print version and permalink
* Links to the MediaWiki namespace for system messages having their default
  values are no longer shown as nonexistent (e.g., in red)
* Special:Ipblocklist differentiates between empty list and no search results.
* (bug 5375) profiling does not respect read-only mode.
* (bug 7070) monobook/user.gif has antialias artifacts
* (bug 9123) Safer way when applying $wgLocalTZoffset
* (bug 9896) Documentation for $wgSquidServers and X-FORWARDED-FOR
* (bug 9417) Uploading new versions of images when using Postgres no longer
  throws warnings.
* (bug 9908) Using tsearch2 with Postgres 8.1 no longer gives an error.
* (bug 1438) Fix for diff table layout on very wide lines.
  Diff style rules have been broken out to common/diff.css,
  and the dupes removed from the default skin files.
  Skins can still override the default rules.
* (bug 1229) Balance columns in diff display evenly
* Right-align diff line numbers in RTL language display
* (bug 9332) Fix instructions in tests/README
* (bug 9813) Reject usernames containing '#' to avoid silent truncation
  of fragments during the normalisation process
* (bug 7989) RSS feeds content now use black text when using white background.
* (bug 9971) Typo in a French language message.
* (bug 9973) Changed size was shown in advanced recentchanges collapsible items
  with $wgRCShowChangedSize = false.
* Fix PHP strict standards warning in enhanced recent changes.
* (bug 5850) Added hexadecimal html entities comments for $digitTransformTable
  entries.
* (bug 7432) Change language name for Aromanian (roa-rup)
* (bug 908) Nonexistent special pages now generate a red link.
* (bug 7899) Added \hline and \vline to the list of allowed TeX commands
* (bug 7993) support mathematical symbol classes
* (bug 10007) Allow Block IP to work with Postgres again.
* Add Google Wireless Transcoder to the Unicode editing blacklist
* (bug 10083) Fix for Special:Version breakage on PHP 5.2 with some hooks
* (bug 3624) TeX: \ker, \hom, \arg, \dim treated like \sin & \cos
* (bug 10132, 10134) Restore back-compatibility Image::imageUrl() function
* (bug 10113) Fix double-click for view source on protected pages
* (bug 10117) Special:Wantedpages doesn't handle invalid titles in result
  set [now prints out a warning]
* (bug 10118) Introduced Special:Mostlinkedtemplates, report which lists
  templates with a high number of inclusion links
* (bug 10104) Fixed Database::getLag() for PostgreSQL and Oracle
* (bug 9820) session.save_path check no longer halts installation, but
  warns of possible bad values
* (bug 9978) Fixed session.save_path validation when using extended
  configuration format, e.g. "5;/tmp"
* Don't generate a diff link in the patrol log if the page doesn't exist
* (bug 10067) Translations for former skins removed from message files
* (bug 9993) Force $wgShowExceptionDetails on during installation
* (bug 9980) Validate administrator username and password during
  installation
* (bug 9383) Don't set a default value for BLOB column in rc-deleted
  database patch
* (bug 10149) Don't show full template list on section-0 edit
* (bug 9909) Ensure access to binary fields in the math table use encodeBlob()
  and decodeBlob()
* (bug 6743) Don't link broken image links to the upload form when uploads
  are disabled
* (bug 9679) Improve documentation for $wgSiteNotice
* (bug 10215) Show custom editing introduction when editing existing pages
* (bug 10223) Fix edit link in noarticletext localizations for fr, oc
* (bug 10247) Fix IP address regex to avoid false positive IPv6 matches
* (bug 9948) Workaround for diff regression with old Mozilla versions
* (bug 10265) Fix regression in category image gallery paging
* (bug 8577) Fix some weird misapplications of time zones.
  {{CURRENT*}} functions now consistently use UTC as intended, while
  {{LOCAL*}} functions return local time per server config or $wgLocaltimezone.
  Signature dates for Japanese and other languages including weekday now show
  the correct day to match the rest of the time in local time.
* Escape the output of magic variables that return page name or part of it
* (bug 10309) Initialise parser state properly in extractSections(), fixes
  some cases where section edits broke because tags were improperly stripped
* Avoid PHP notice errors when doing HTTP proxy purges for an empty list
* As intended, *skip* the HTTP proxy purges when doing HTCP purges
* (bug 9696) Fix handling of brace transformations in "pagemovedtext"
* (bug 10325) Fix regression in form action on Special:Listusers
* Fixed installation on MyISAM or old InnoDB with charset=utf8, was giving
  overlong key errors.
* Fixed zero-padding issues with MySQL 5 binary schema
* (bug 10344) Don't follow a redirect after changing its protection level
* (bug 10333) Correct date format in Slovenian
* (bug 10160) Show error message for unknown namespace on Special:Allpages and
  Special:Prefixindex; making forms prettier for RTL wikis.
* (bug 10334) Replace normal spaces before percent (%) signs with non-breaking
  spaces
* (bug 10372) namespaceDupes.php no longer ignores namespace aliases
* (bug 10198) namespaceDupes.php no longer ignores interwiki prefixes
* namespaceDupes.php should work better for initial-lowercase wikis
* (bug 10377) "Permanent links" to revisions still work if the page is moved
  and the redirect deleted
* (bug 7071) Properly handle an 'oldid' passed to view or edit that doesn't
  match the given title. Fixes inconsistencies with talk, history, edit links.
* (bug 10397) Fix AJAX watch error fallback when we receive a bogus result
* (bug 10396) Fix AJAX error when $wgScriptPath/index.php is not valid;
  using $wgScript now included in JS info
* Use native XMLHttpRequest class in preference to ActiveX on IE 7; this
  avoids the "Do you want to allow ActiveX?" prompt when security settings
  are cranked this way and something AJAX-y gets used.
* Delay AJAX watch initialization until click so IE 6 with ugly security
  settings doesn't prompt you until you use the link.
* (bug 10401) Provide non-redirecting link to original title in Special:Movepage
* Fix broken handling of log views for page titles consisting of one
  or more zeros, e.g. "0", "00" etc.
* Fix read permission check for special pages with subpage parameters, e.g.
  Special:Confirmemail
* Fix read permission check for unreadable page titles which are numerically
  equivalent to a whitelisted title
* '?>' closing tag removed from all files to help avoid problems with extraneous
  whitespace (broken XML feeds, etc.)
* Don't use garbled parser cache output when viewing custom CSS or JavaScript
  pages
* (bug 10406) Fix Special:Listusers filter form for non-ASCII localizations
* Fix empty message checks for message names containing &
  This corrects some odd behavior with sidebar items and custom namespaces
  containing ampersands.
* (bug 10375) Change thousands separator character to   for Latin (la)
* (bug 10477) Fix AJAX watch for Farsi on Firefox: JavaScript encoding tweak
* (bug 10496) Fix broken DISTINCT option logic in database backend
* Fix CSS media declaration for "screen, projection"; was causing some
  validation issues
* (bug 10495) $wgMemcachedDebug set twice in includes/DefaultSettings.php
* (bug 10316) Prevent inconsistent cached skin settings in gen=js by setting
  the intended skin directly in the URL.
* (bug 9903) Don't mark redirects in categories as stubs
* (bug 6965) Cannot include "Template:R" with {{R}} (magic word conflict)
* Padding parser functions now work with strings like '0' that evaluate to false
* (bug 10332) Title->userCan( 'edit' ) may return false positive
* Fix bug with <nowiki> in front of links for wikis where linkPrefixExtension is
  true
* (bug 10552) Suppress rollback link in history for single-revision pages
* (bug 10538) Gracefully handle invalid input on move success page
* Fix for Esperanto double-x-encoding in move success page
* (bug 10526) Fix toolbar/insertTags behavior for IE 6/7 and Opera (8+)
  Now matches the selection behavior on Mozilla / Safari.
  Patch by Alex Smotrov.
* Don't show non-functional toolbar buttons on Opera 7 anymore
* (bug 9151) Fix relative subpage links with section fragments
* (bug 10560) Adding a space between category letter heading and "continues"
* (bug 4650) Keep impossibly large/small counts off Special:Statistics
* (bug 10608) PHP notice when installing with PostgreSQL
* (bug 10615) Fix for transwiki import when CURL not available
* (bug 8054) Return search page for empty search requests with ugly URLs
* (bug 10572) Force refresh after clearing visitation timestamps on watchlist
* (bug 10631) Warn when illegal characters are removed from filename at upload
* Fix several JavaScript bugs under MSIE 5/Macintosh
* (bug 10591) Use Arabic numerals (0,1,2...) for the Malayalam language
* (bug 10642) Fix shift-click checkbox behavior for Opera 9.0+ and 6.0
* Work around Safari bug with pages ending in ".gz" or ".tgz"
* Removed obsolete maintenance/changeuser.sql script; use RenameUser extension
* (bug 2735) "Preview" shown in title bar for action=submit on special pages
* Removed "restore" links from the deletion log embedded in Special:Undelete
* Improved error reporting and robustness for file delete/undelete.
* Improved speed of file delete by storing the SHA-1 hash in image/oldimage
* Fixed leading zero in base 36 SHA-1 hash
* Protection form no longer produces JavaScript errors
* (bug 10741) File histories show "delete" links for non-sysops
* (bug 10744) Treat "noarticletext" and "noarticletextanon" as wiki text when
  used on a non-existent page with "action=info"
* Fix escaping of raw message text when used on a non-existent page with
  "action=info"
* (bug 10683) Fix inconsistent handling of URL-encoded titles in links
  used in redirects (i.e. they now work)
* (bug 8878) Changes to $dateFormats in German localization (removing unused,
  nonexistent formats, putting time after date)
* (bug 10769) Database::update() should return boolean result
* Fix preference checkbox display for right-to-left languages which caused
  them to be hidden in IE in some cases
* Fix upload form display in right-to-left languages
* Fixed regression in blocking of username '0'
* (bug 9437) Don't overwrite edit form submission handler when setting up
  edit box scroll position preserve/restore behavior
* (bug 10805) Fix "undo" link when viewing the diff of the most recent
  change to a page using "diff=0"
* (bug 10765) img_auth.php will now refuse logged-out requests where
  $wgWhitelistRead is undefined, instead of (incorrectly) honouring them
* Fixed img_auth.php file name extraction for whitelist checking
* Tweak spacing of email preference display
* Table sorting JavaScript prefers textContent over innerText to allow hidden
  sort keys to work on Safari
* (bug 4530) Fix local name of Kurdish language
* (bug 10830) Fix local name of Haitian Creole language
* Fix invalid XHTML in Special:Protectedpages
* Fix comments in contributions and log pages for right-to-left languages
* Make installer include_path-independent, so it should work on hosts which
  disable user setting of PHP include_path setting
* glob() is horribly unreliable and doesn't work on some systems, including
  free.fr shared hosting. No longer using it in Language::getLanguageNames()
* (bug 10763) Fix multi-insert logic for PostgreSQL
* Fix invalid XHTML when viewing a deleted revision
* Fix syntax error in translations of magic words in Romanian language
* (bug 8737) Fix warnings caused by incorrect use of `/dev/null` when piping
  process error output under Windows
* (bug 7890) Don't list redirects to special pages in Special:BrokenRedirects
* (bug 10783) Resizing PNG-24 images with GD no longer causes all alpha
  channel transparency to be lost and transparent pixels to be turned black
* (bug 9339) General error pages were transforming messages and their parameters
  in the wrong order
* (bug 9026) Incorrect heading numbering when viewing Special:Statistics with
  "auto-numbered headings" enabled
* Fixed invalid XHTML in Special:Upload
* (bug 11013) Make sure dl() is available before attempting to use it to check
  available databases in installer
* Resizing transparent GIF images with GD now retains transparency by skipping
  resampling
* (bug 11065) Fix regression in handling of wiki-formatted EXIF metadata
* Double encoding broke Special:Newpages for some languages
* Adding a newline before the statistics footer, to prevent parsing problems
* Preventing the TOC from appearing in Special:Statistics
* (bug 11082) Fix check for fully-specced table names in Database::tableName
* (bug 11067) Fix regression in upload conflict thumbnail display
* (bug 10985) Resolved cached entries on Special:DoubleRedirects were being
  suppressed, breaking paging - now strikes out "fixed" results
* (bug 8393) <sup> and <sub> need to be preserved (without attributes) for
  entries in the table of contents
* (bug 11114) Fix regression in read-only mode error display during editing
* Force non-MySQL databases to use an ORDER BY in SpecialAllpages to ensure
  that the first page_title is truly the first page title.
* (bug 10836) Change the summary on creating of new section
* Inclusion of Special:Wantedpages now works again

== API changes since 1.10 ==

Full API documentation is available at https://www.mediawiki.org/wiki/API

* New properties: links, templates, images, langlinks, categories, external
  links
* Breaking Change: imagelinks renamed into imageusage (il->iu)
* Bug fix: incorrect generator behavior in some cases
* JSON format allows an optional callback function to wrap the result.
* Login module disabled until a more secure solution can be implemented
* (bug 9938) Querying by revision identifier returns the most recent revision
  for the corresponding page, rather than the requested revision
* (bug 8772) Filter page revision queries by user
* (bug 9927) User contributions queries do not accept IP addresses
* Watchlist feed now reports a proper feed item when the user is not logged in
* Watchlist feed date bug fixed - automatically shows one last day
* Watchlist feed now allows specifying the number of hours to monitor
* list=allpages now returns a list instead of a map in JSON format
* Breaking Change: in json, revisions are now returned as a list, not as a map.
* Add: prop=info can show page is new flag, current page length, and visit
  counter.
* Change: Query watchlist now shows flags only when explicitly requested with
  wlparam=flags
* rc_this_oldid (textid) is no longer accessible from query watchlist
* action=usercontribs: additional filtering by ucshow=; selection of needed
  fields with ucprop=; the textid (rev_text_id) is no longer being exposed
* (bug 9970) Breaking Change: backlinks, embeddedin and imageusage now return
  lists in JSON instead of a map, and do not return anything when titles do
  not exist
* (bug 9121) Introduced indexpageids query parameter to list the page_id
  values of all returned page items
* (bug 10147) Now interwiki titles are not processed but added to a separate
  "interwiki" section of the output.
* Added categorymembers list to query for pages in a category.
* (bug 10260) Show page protection status
* (bug 10392) Include MediaWiki version details in version output
* (bug 10411) Site language in meta=siteinfo
* (bug 10391) action=help doesn't return help if format is fancy markup
* backlinks, embeddedin and imageusage lists should use (bl|ei|iu)title
  parameter instead of titles. Using titles for these lists is obsolete and
  might stop working soon.
* Added prop=imageinfo - gets image properties and upload history
* (bug 10211) Added db server replication lag information in meta=siteinfo
* Added external url search within wiki pages (list=exturlusage)
* Added link enumeration (list=alllinks)
* Added registered users enumeration (list=allusers)
* Added full text search in titles and content (list=search)
* (bug 10684) Expanded list=allusers functionality
* Possible breaking change: prop=revisions no longer includes pageid for
  rvprop=ids
* Added rvprop=size to prop=revisions (The size will not be shown if it is NULL
  in the database)
* list=allpages now allows filtering by article min/max size and protection
  status
* Added site statistics (siprop=statistics for meta=siteinfo)
* (bug 10902) Unable to fetch user contributions from IP addresses
* `list=usercontribs` no longer requires that the user exist
* (bug 10971) `aufrom` parameter doesn't work with spaces
* Fix username handling issue with `auprefix` parameter
* Treat underscores as spaces for `aufrom` and `auprefix` parameters
* Added edit/delete/... token retrieval to prop=info
* Added meta=userinfo - logged-in user information, group membership, rights
* (bug 11072) Fix regression in API image history query
* (bug 11115) Adding SHA1 hash to imageinfo query
* (bug 10898) API does not return an edit token for non-existent pages
* (bug 10890) Timestamp support for categorymembers query
* (bug 10980) Add exclude redirects on backlinks
* IPv6 titles in User namespace are normalized (run cleanupTitles.php to fix any
  old stray pages)

== Maintenance script changes since 1.10 ==

* Add support for wgMaxTocLevel option in parserTests
* (bug 6823) Disable article view counter in maintenance/dumpHTML.php
* Fix maintenance/importImages.php so it doesn't barf PHP errors when no
  suitable files are found, and make the list of extensions an option (defaults
  to $wgFileExtensions)
* Add option to maintenance/createAndPromote.php to give the user bureaucrat
  permissions (--bureaucrat)
* Allow overwriting existing files with a conflicting name using
  maintenance/importImages.php
* (bug 10266) Use native newlines when rebuilding a messages file.

== Languages updated since 1.10 ==

* Afrikaans (af)
* Arabic (ar)
* Bikol (bcl)
* Bulgarian (bg)
* Catalan (ca)
* Danish (da)
* German (de)
* Greek (el)
* Esperanto (eo)
* Spanish (es)
* Estonian (et)
* Extremaduran (ext)
* Farsi (fa)
* Finnish (fi)
* Võro (fiu-vro)
* French (fr)
* Français Cadien (frc) (new)
* Franco-Provençal/Arpetan (frp)
* Galician (gl)
* Hakka (hak)
* Hebrew (he)
* Upper Sorbian (hsb)
* Haitian (ht)
* Indonesian (id)
* Icelandic (is)
* Italian (it)
* Japanese (ja)
* Georgian (ka)
* Kabyle (kab)
* Kazakh (kk)
* Korean (ko)
* Kinaray-a (krj) (new)
* Kurdish (ku)
* Latin (la)
* Lao (lo)
* Lithuanian (lt)
* Latviešu (lv)
* Malayalam (ml)
* Bahasa Melayu (ms)
* Burmese (my)
* Low German (nds)
* Dutch (nl)
* Norwegian (no)
* Occitan (oc)
* Punjabi (Gurmukhi) (pa)
* Polish (pl)
* Piedmontese (pms)
* Portuguese (pt)
* Romani (rmy)
* Romanian (ro)
* Aromanian (roa-rup)
* Russian (ru)
* Sakha (sah)
* Sango (se) (new)
* Slovak (sk)
* Slovenian (sl)
* Shona (sn)
* Somali (so)
* Albanian (sq)
* Sundanese (su)
* Swedish (sv)
* Tamil (ta)
* Thai (th)
* Tigrinya (ti)
* Setswana (tn)
* Tok Pisin (tpi)
* Uyghur (ug)
* Volapük (vo)
* Winaray (war) (new)
* Yiddish (yi)
* Old Chinese / Late Middle Chinese (zh-classical)
* Chinese (PRC) (zh-cn)
* Chinese (Taiwan) (zh-tw)
* Cantonese (zh-yue)

== MediaWiki 1.10 ==

== MediaWiki 1.10.4 ==

March 2, 2008

* Correction for API path fix, broken in 1.10.3

== MediaWiki 1.10.3 ==

January 23, 2008

This is a security update to the Winter 2007 quarterly release. A potential
XSS injection vector affecting api.php only for Microsoft Internet Explorer
users has been closed.


To work around the vulnerability without upgrading, you may disable the API if
you don't need it:

:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false;

Not vulnerable versions:
* 1.12 or later
* 1.11 >= 1.11.1
* 1.10 >= 1.10.3
* 1.9 >= 1.9.5
* 1.8 any version (if $wgEnableAPI has been left off)

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.2
* 1.9 <= 1.9.4
* 1.8 any version (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the API
functionality, however the BotQuery extension is similarly vulnerable unless
updated to the latest SVN version.

== MediaWiki 1.10.2 ==
September 10, 2007

This is a security fix update to the Spring 2007 quarterly release snapshot. A
possible HTML/XSS injection vector in the API pretty-printing mode has been
found and fixed.

The vulnerability may be worked around in an unfixed version by simply
disabling the API interface if it is not in use, by adding this to
LocalSettings.php:
:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false;

Not vulnerable versions:
* 1.11 >= 1.11.0
* 1.10 >= 1.10.2
* 1.9 >= 1.9.4
* 1.8 >= 1.8.5

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the faulty
function, however the BotQuery extension is similarly vulnerable unless updated
to the latest SVN version.

== MediaWiki 1.10.1 ==
July 13, 2007

This is a bugfix update to the Spring 2007 quarterly release snapshot. A number
of fixes to improve compatibility with PostgreSQL, some versions of MySQL, and
some PHP configurations are included.

Changes since 1.10.0:

* (bug [[bugzilla:9417|9417]]) Uploading new versions of images when using
Postgres no longer throws warnings.
* (bug [[bugzilla:9908|9908]]) Using tsearch2 with Postgres 8.1 no longer gives
an error.
* (bug [[bugzilla:9973|9973]]) Changed size was shown in advanced recentchanges
collapsible items with $wgRCShowChangedSized = false.
* Fixed installation on MyISAM or old InnoDB with charset=utf8, was giving
overlong key errors.
* Fixed zero-padding issues with MySQL 5 binary schema
* (bug [[bugzilla:9820|9820]]) session.save_path check no longer halts
installation, but warns of possible bad values
* (bug [[bugzilla:9978|9978]]) Fixed session.save_path validation when using
extended configuration format, e.g. "5;/tmp"

== MediaWiki 1.10.0 ==
May 9, 2007

This is the quarterly release snapshot for Spring 2007. See below for a full
list of changes since the 1.9.x series.

Changes since 1.10.0rc2:

* (bug [[bugzilla:9808|9808]]) Fix regression that ignored user 'rclimit'
option for Special:Contributions

== MediaWiki 1.10.0rc2 ==
May 4, 2007

THIS IS A RELEASE CANDIDATE MADE AVAILABLE FOR TESTING!
A FINAL 1.10.0 RELEASE WILL APPEAR WITHIN A FEW DAYS.

Changes since 1.10.0rc1:
* Various l10n fixes and updates
* Fix for upgrade of page_restrictions table
* (bug [[bugzilla:9780|9780]]) Fix normalization of titles with initial colon
followed by whitespace
* Fix for regression in upload: wrong size info saved into image table
* Avoid cyclic stub problems when authorization hooks do funny things with the
user and the database at load time

== MediaWiki 1.10.0rc1 ==
This is the Spring 2007 branch release of MediaWiki.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature developments
will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: https://www.mediawiki.org/wiki/Download_from_SVN

== Configuration changes ==

* A new switch $wgCommandLineDarkBg used by maintenance scripts
  (parserTests.php). It lets you specify whether your terminal uses a dark
  background; if so, the colorized output is made lighter and easier to read.
* The minimum permissions needed to edit a page in each namespace can now be
  customized via the $wgNamespaceProtection array. By default, editing pages in
  the MediaWiki namespace requires "editinterface" permission, as before.
* Allow restriction of autoconfirmed permission by edit count. New global
  setting $wgAutoConfirmCount (defaulting to zero, naturally).
* Added rate limiter for Special:Emailuser
* Private logs can now be created using $wgLogRestrictions
* (Bug 8590) limited HTML is now always enabled ($wgUserHtml = true).
* Deprecated $wgUseImageResize, thumbnailing will be enabled unconditionally.

== New features since 1.9 ==

* (bug 6937) Introduce "statistics-footer" message, appended to
  Special:Statistics
* (bug 6638) List block flags in block log entries
* (bugs 5051, 5376) Tooltips and accesskeys no longer require JavaScript
* Added SkinTemplateOutputPageBeforeExec hook before SkinTemplate::outputPage()
  starts page output
  (http://lists.wikimedia.org/pipermail/wikitech-l/2007-January/028554.html)
* Introduce "cascading protection" -- implicit protection on pages transcluded
  into a page protected with this option enabled
* (bug 8567) Added hook RawPageViewBeforeOutput just before the text is blown
  out in action=raw, so extensions might influence the output.
* (bug 3446) Add user preference to hide page content below diffs, can be
  overridden by adding diffonly=1 or diffonly=0 to the URL of the diff page
* Add 'purge' privilege to replace the hardcoded check for login state in
  determining whether action=purge can be done via GET. Switching the
  permission on for anons can be helpful for benchmarking.
* (bug 7842) Link back to deleted revision list from deleted revision preview
* (bug 8619) Add user-aware "unblock" link to Special:Blockip
* (bug 8522) Provide a "delete" link on Special:Brokenredirects for users with
  the appropriate permission
* (bug 8628) Add user-aware block list link to Special:Blockip
* (bug 8621) Log revisions marked as patrolled
* Introduce "BookInformation" hook; see docs/hooks.txt for more details
* Add title prefix search for Special:Undelete
* Remove full-archive list from Special:Undelete
* (bug 8136) Introduce 'ArticleUndelete' hook; see docs/hooks.txt for more info
* (bug 8712) Expose user groups as a JavaScript global
* Introduce 'CustomEditor' hook; see docs/hooks.txt for more information
* New special page, Special:Protectedpages, which shows all protected pages
  and their protection status (full protection status is not pulled out due
  to performance considerations, so it just shows "full protected" or
  "semi protected").
* (bug 4133) Allow page protections to be made with an expiry date, in the same
  format as block expiry dates. Existing protections are assumed to be infinite,
  as are protections made with the new field left blank.
* (bug 8535) Allow certain vertical alignment attributes to be used as image
  keywords
* (bug 6987) Allow perrow, widths, and heights attributes for <gallery>
* (bug 3678) Allow disabling MediaWiki:Aboutsite in the same way as
  MediaWiki:Disclaimers; Also means that if any of the footer links are
  disabled in the wiki's default language (by setting to "-"), they'll also
  be disabled in other languages too (e.g. if the user specifies uselang=fr).
* Sort log types in Special:Log
* Added a classname ("mw-toolbar-editbutton") and unique IDs to the edit
  toolbar buttons
* Hide irrelevant block options in Special:Blockip based on whether an
  IP address/range or username is listed. (Dynamic using JS.)
* (bug 9032) Make quickbarSettings localizable through Special:Allmessages
* (bug 7782) Standardisation of file info at image description pages.
* (bug 1035) View contributions / recentchanges for an IP range.
* (bug 8747) When unwatching pages from Special:Watchlist/edit, put the
  confirmation messages in a proper list with a CSS class and id.
* (bug 9118) Show relevant log fragments on deletion confirmation page
* (bug 9009) Add username entry field to Special:Contributions
* (bug 1723) Article size in history
* (bug 9223) Disallow magic tilde sequences in page titles and usernames
* (bug 6997) Link from Special:log/block to unblock form
* (bug 9117) Link from Special:log/delete to undelete form
* Link from Special:log/protect to change protection form
* (bug 1196) Add IPv6 support to blocks, more consistency for IPv6
  contribs
* (bug 3984) Searching in logs by title%
* Show thumbnail of existing image if image exists already under this filename
* (bug 5546) Watchlist reflects logged actions like move, protection, undelete
* Support protocols other than HTTP in LinkFilter, use $wgUrlProtocols
* (bug 3069) Warning on upload of scaled down images
* Warning on upload of images with uppercase extension if image with lowercase
  extension exists
* (bug 4624) Namespace selection for Special:Whatlinkshere
* Introduce PageHistoryBeforeList and PageHistoryLineEnding hooks; see
  docs/hooks.txt for more information
* (bug 9397) Introduce "sp-contributions-footer" and
  "sp-contributions-footer-anon" messages, shown at the end of
  Special:Contributions as appropriate for the target
* (bug 8421) Expose current action in JavaScript globals (as 'wgAction')
* (bug 9069) Use galleries in query pages dedicated to images
* (bug 9177) Installer now warns of various conditions affecting
  session.save_path which can lead to broken session storage
* (bug 9046) Special page to list pages without language links
* (bug 9508) Special page to list articles with the fewest revisions
* Introduce 'FileUpload' hook; see docs/hooks.txt for more information
* Introduce 'SearchUpdate' hook; see docs/hooks.txt for more information
* Introduce 'mywatchlist' message; used on personal menu to link to watchlist
  page
* Introduce magic word {{NUMBEROFEDITS}}
* Introduced media handlers for file-type specific operations.
* Improved error reporting for image thumbnailing
* Added sharpening option for ImageMagick thumbnailing
* (bug 9656) Autosummaries will be generated for deletion of pages longer than
  500 characters
* Predefined block reasons added to Special:Blockip
* (bug 9196) Installer now checks that zend.ze1_compatibility_mode is off
* (bug 9697) Introduce 'InternalParseBeforeLinks' hook; see docs/hooks.txt for
  more information
* 'contribsub' message changed to 'contribsub2' with two parameters to permit
  better localization.  Change is reverse-compatible and can be ignored for
  most wikis.
* Adding a 'reason' field to Special:Userrights

== Bugfixes since 1.9 ==

* (bug 7292) Fix site statistics when moving pages in/out of content namespaces
* (bug 8531) Correct local name of Lingála
* Made the PLURAL: parser function return singular on -1 per default
* Fixed up the AjaxSearch
* Fix SpecialVersion->formatCredits input. Version and Url parameters should be
  null to be treated properly with isset.
* Page restrictions moved into a new, dedicated table
* Correct tooltip accesskey hint for Opera on the Macintosh
  (uses Shift-Esc-, not Ctrl-).
* (bug 8002) Math should render left-to-right even in right-to-left wikis
* Pass e-mail and real name fields to AuthPlugin::addUser, as additional
  optional fields, which may be considered useful at registration time.
* PostgreSQL upgrade scripts fixed and updated
* (bug 8613) Fix error when viewing "Recent Changes" and using Postgres.
* Initialise site_stats table at upgrade time if data was missing
* (bug 7250) Updated Unicode normalization tables to Unicode 5.0
* Unmaintained Oracle support files have been removed.
* Use browser default for printing size, don't force to 11pt
* (bug 8632) Fix regression in page protection null edit update
* (bug 8407) Disallow indexing of "printable" versions
* (bug 8643) Correctly escape the page-specific CSS class for non-Monobook skins
* (bug 8629) Document $wgFilterCallback
* (bug 1000) Clarify warning about memory_limit in installer
* Suppress PHP warning about set_time_limit in installer when safe mode is on
* (bug 3000) Fall back to SCRIPT_NAME plus QUERY_STRING when REQUEST_URI is
  not available, as on IIS with PHP-CGI
* Missing interwiki row for English Wikipedia restored (as "wikipedia:")
* use configured cache servers for mctest.php
* bucket details in mcc.php
* fix input validation and remove debugging code in compressOld
* full ID range for moveToExternal
* fix resolveStubs.php for compatibility with older serialized data
* maximum line length for bar graphs in getLagTimes.php
* recognize specieswiki in rebuildInterwiki.inc
* profile unicode cleanup in Xml
* log slow parses in Article.php
* profile wfMsgReal
* log mkdir failures
* profile AutoLoader
* rebuild empty DjVu metadata containing ''
* security fix for DjVu metadata retrieval
* Undelete page list can use plural marker
* (bug 8638) Fix update from 1.4 and earlier
* (bug 8641) Fix order of updates to ipblocks table
* (bug 8678) Fix detection of self-links for numeric titles in Parser
* (bug 6171) Magically close tags in tables when not using Tidy.
* Sanitizer now correctly escapes lonely '>' occurring before the first wikitag.
* Ignore self closing on closing tags ( '</div />' now gives '</div>')
* (bug 8673) Minor fix for web service API content-type header
* Fix API revision list on PHP 5.2.1; bad reference assignment
* (bug 8688) Handle underscores/spaces in Special:Blockip and
  Special:Ipblocklist in a consistent manner
* (bug 8701) Check database lock status when blocking/unblocking users
* ParserOptions and ParserOutput classes are now in their own files
* (bug 8708) Namespace translations for Zealandic language
* Renamed constructor methods to PHP 5 __construct reserved name
* (bug 8715) Warn users when editing an interface message whether or not the
  message page exists
* ar: fix the 'create a new page' on search page when no exact match found
* (bug 8703) Corrected talk and image namespace name for Limburgish (li)
* (bug 8671) Expose "wpDestFile" as a parameter to "uploadtext"
* (bug 8403) Respect bad image list exceptions in galleries on wiki pages
* Allow sending per-user contribution requests to "contributions" query group
* (bug 3717) Update user count for AuthPlugin account autocreation
* (bug 8719) Firefox release notes lie! Fix tooltips for Firefox 2 on x11;
  accesskeys default settings appear to be same as Windows.
* Added an option to make Linker::userToolLinks() show the contribs link
  red when the user has no edits. Linker::userToolLinksRedContribs() is an
  alias to that which should be used to make it more self-documenting.
* (bug 8749) Bring MySQL 5 table defs back into sync
* (bug 8751) Set session cookies to HTTPS-only to match other cookies
* (bug 8652) Catch exceptions generated by malformed XML in multipage media
* (bug 8782) Help text in Makefile
* (bug 8777) Suppress 'previous' link on Special:Allpages when at first page
* (bug 8774) Fix path for GNU FDL rights icon on new installs
* Fix multipage selector drop-down for DjVu images to work when title
  is passed as a query string parameter; we have to pass the title as
  a form parameter or it gets dropped from the form submission URL
* (bug 8819) Fix full path disclosure with skins dependencies
* Fixed bug affecting HTML formatting in sortable table column titles
* Merged table sorting code into wikibits.js
* (bug 8711) Stop floats in previews from spilling into edit area
* (bug 8858) Safer handling when $wgImageLimits is changed. Added a note
  in DefaultSettings to make it clear.
* (bug 4268) Fixed data-loss bug in compressOld batch text compression
  affecting pages which had null edits (move, protect, etc) as second
  edit in a batch group. Isolated and patched by Travis Derouin.
* Fix for paths in 1.4->1.5 special-case updater script
* (bug 8789) AJAX search: IE users can now use the return key
* (bug 6844) Use <ins> and <del> tags to emphasize the differences
* (bug 6684) Fix improper javascript array iteration
* (bug 4347) use MailAddress object for reply-to
* Add AlphabeticPager abstract class
* Use faster AlphabeticPager for Special:Categories
* (bug 8875) Show printable link in MonoBook sidebar for locally nonexistent
  pages; perhaps useful for categories and shared images
* Clean up session checks to better handle the case where the session was
  opened during the current request. May help with some caching corner
  cases.
* (bug 8897) Fix whitespace removal for interlanguage links with link prefix
* Add 'ParserTestTables' hook to expand the list of temporary tables copied
  by the parser test harness; use for extensions which require the presence
  of other tables while they work.
* Message names changed for AlphabeticPager introduced with r19758
  for better localisations.
* (bug 8944) The deprecated is_a() function is used in StubObjects.php
* (bug 8992) Fix a remaining raw use of REQUEST_URI in history
* (bug 8999) User.php gives "undefined user editcount" PHP notice.
* (bug 8984) Fix a database error in Special:Recentchangeslinked
  when using the Postgres database.
* Moved the main ob_start() from the default LocalSettings.php to WebStart.php.
  The ob_start() section should preferably be removed from older
  LocalSettings.php files.
* Give Content-Length header for HTTP/1.0 clients.
* Partial support for Flash cross-domain-policy filtering.
* Lazy-initialize site_stats row on load when empty. Somewhat kinder to
  dump-based installations, avoiding PHP warnings when NUMBEROFARTICLES
  and such are used.
* Add 'charset' to Content-Type headers on various HTTP error responses
  to forestall additional UTF-7-autodetect XSS issues. PHP sends only
  'text/html' by default when the script didn't specify more details,
  which some inconsiderate browsers consider a license to autodetect
  the deadly, hard-to-escape UTF-7.
    This fixes an issue with the Ajax interface error message on MSIE when
  $wgUseAjax is enabled (not default configuration); this UTF-7 variant
  on a previously fixed attack vector was discovered by Moshe BA from BugSec:
  http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
* (bug 9044) Send a comment with action=raw pages in CSS/JS output mode
  to work around IE/Mac bug where empty pages time out verrrrryyyyy slowly,
  particularly with new keepalive-friendly HTTP on Wikipedia
* (bug 8919) Suppress paging links and related messages where there are no
  rows to list for query pages
* (bug 9057) Standardize MediaWiki: namespace for oc
* (bug 8132) Suppress "Pages in this category" heading in categories when
  there are none
* (bug 8958) Handle search operators better when using tsearch2 (Postgres)
* (bug 8799) Use redirect table for Special:BrokenRedirects and
  Special:DoubleRedirects
* (bug 8918) Enable PLURAL option for MediaWiki:showingresults and
  MediaWiki:showingresultsnum
* (bug 9122) Fix minor display issue in RTL with section edit link margin
* (bug 5805) Enable PLURAL option for some messages of watchlist and statistic
* (bug 3953) Work around poor display of parentheses in the "in other
  languages" section of MonoBook skin
* (bug 8539) Enable PLURAL option for another message of recentchanges.
* (bug 8728) MediaWiki:Badfiletype split into 3 messages
* (bug 9131) Allow SpecialContributions to work with Postgres
* (bug 9155) Allow footer info to wrap in Monobook
* (bug 8847) Strip spurious #fragments from request URI to fix redirect
  loops on some server configurations
* (bug 9097) column "pr_pagetype" does not exist
* (bug 9217) Balance wfProfile calls in Skin::outputPage
* (bug 9222) PostgreSQL updater should not be version-specific
* Fix fallback implementation of mb_strlen so it works and isn't insanely
  slow for large strings, since it's used for page edit lengths
* (bug 8815) Setting password in initUser() breaks LdapAuthentication plugin
* (bug 9256) Add a quick note to index.php header comments
* Make Special:Listusers case-insensitive for first letter
* Default tidy.conf has been moved from extensions module into includes.
* Ignore lonely '''''
* (bug 9244) When calling edit page for nonexistent section, generate error
  instead of just discarding edits, since edit links sometimes go to the wrong
  place.
* (bug 9019) No warning during upload if image description page exists, but no
  image
* (bug 8582) Allow thumbnailing when imagesize has a space.
* (bug 8716) Change math_inputhash and math_outputhash to bytea for Postgres
* (bug 9343) Correct internal name for Wolof language
* (bug 9363) Fix Postgres error on Recentchangeslinked
* (bug 5142) Fixed call of hook ArticleViewHeader
* (bug 4777) Separate prev/next messages for Special:Whatlinkshere
* Merge approx 15 missing Wikipedia language codes into wikipedia-interwiki.sql
  based on Jeff Merkey's mediawiki-1.9.3.WG-20070316.tar.gz.bz2 archive.
* (bug 9411) Fix for shared image descriptions using query-string titles
* (bug 4756) Add user tool links for self created accounts at special:log
  instead of sometimes broken block links from newuserlog extension
* (bug 5817) Special:Recentchangeslinked now shows red link for nonexistent
  target page instead of silently redirecting
* (bug 8914) Don't transform colons in {{anchorencode:}}
* (bug 9241) Handle edit section links and include size links for cached
  templates the same as the first transclusion.
* (bug 9466) "Rollback failed" page doesn't format edit comment
* (bug 9472) Invalid XHTML on cached special pages
* (bug 9472) Invalid XHTML on Special:Newpages
* (bug 4764) "My contributions" not bold when viewing own contributions
* (bug 9194) Add {{PLURAL:...}} to navigation bar of Special:Whatlinkshere
* (bug 9033) Use a more specific error message when users are not able/allowed
  to edit page protection levels due to a block, database lock or permissions
* Fixed $wgFeedLimit
* (bug 9270) Corrected help namespace name for Dutch Lower Saxon (nds-nl)
* (bug 929, 4215) Expose "rcdays" user preference in Special:Preferences
* (bug 9554) Extension-provided group name messages not used
* (bug 9565) Translate template namespace name for Hindi (hi)
* (bug 8599) Correct localized names of zh-variants
* (bug 3366) Require skins based on SkinTemplate to override the skinname
  property.
* (bug 9220) Removed obsolete functions in install-utils.inc.
* Removed obsolete Title::getRelatedCache and Title::touchArray
* (bug 7285) Check MySQL username length during install
* (bug 6910) Correct date/time formats in Vietnamese (vi)
* (bug 9608) Correctly use ORDER BY in dumpLinks.php
* (bug 9609) Correctly use ORDER BY in SpecialWhatlinkshere.php
* Special:Random and Special:Randomredirect now try harder to send the user to
  a random page, and will give an error message if none really can be found
  instead of sending the user to the main page like they used to
* Fix object variable used for displaying "not-patrolled" CSS class on list
* Fixed interaction of page parameter to ImagePage with the HTML file cache
* Fixed MIME type for SVG files, will be silently changed from image/svg
  to image/svg+xml after loading from the database.
* Workaround for djvutoxml bug #1704049 (poor performance). Use djvudump
  instead.
* Fixed odd behavior in ImagePage on DjVu thumbnailing errors
* (bug 5439) "Go" title search will now jump to shared/foreign Image: and
  MediaWiki: pages that have not been locally edited.
* (bug 9630) Limits links in Whatlinkshere forgot about namespace filter
* Fixed upgrade for the non-standard MySQL schemas
* Disable MySQL's strict mode at session start for MySQL 4.1+, to avoid the
  various problems that occur when it is on.
* (bug 9585) Fix regression in tidy usage in Special:Undelete previews
* (bug 3826) Normalize some invalid cookie name characters when setting
  up $wgCookiePrefix. Completes application of patch by Anders Kaseorg.
* (bug 9649) Fix RTL form alignment for Special:Movepage
* (bug 9582) Members of bot group now mark edits patrolled by default
* (bug 9669) Fix limit ordering for rebuildrecentchanges; broken since
  converted from 1.4 to 1.5 schema
* (bug 9682) Revert PHP 5.1 dependency on warning suppression for SVN info
* (bug 5959) Anchors dropped from stub links
* (bug 3348) Some additional weak password checks: password which is same
  as username will now be rejected.
* (bug 8602) Converted Special:Contributions to use an IndexPager. The
  interpretation of the offset parameter has changed, and the go parameter
  has been removed.
* (bug 6204) Fixes for indentation with $wgMaxTocLevel:
  - don't emit too many list close tags after an invisible header
  - don't emit too many final list close tags if last header is invisible
  - don't emit TOC when there are no visible headers
* (bug 7629) Fix $wgBrowserBlackList to avoid false positive on MSIE
  when certain plugins are present which alter the user agent


== Maintenance ==

* New script maintenance/language/checkExtensioni18n.php used to check i18n
  progress in the extension repository.
* Running maintenance/parserTests.php with '--record' option, will now
  automatically attempt to create the required tables
* --purge option to do additional parser-cache purging for purgeList.php
* Fix hardcoded background color in parserTests.php
* parserTests.php : removed the 'light' option for --color argument, replacing
  it with a new global switch : $wgCommandLineDarkBg
* (bug 8780) Clarify message for command-line scripts if LocalSettings.php
  exists but is not readable
* dumpBackup / importDump now work with PostgreSQL
* (bug 8975) Use "Maintenance script" as the default username for
  importImages.php and importTextFile.php scripts
* (bug 8933) Fix maintenance/reassignEdits.php script
* (bug 9440) Added "mediawikiwiki" interwiki prefix to MediaWiki.org
* (bug 2979) Import now gracefully skips invalid titles with a warning
* Restore '--norc' option for maintenance/importTextFile.php
* Help information for maintenance/importTextFile.php now easier to read on
  consoles
* Doxygen documentation now shows the revision number of each file, generates
  graphs using dot and includes a search engine.


== Languages updated ==

* Arabic (ar)
* Aramaic (arc)
* Aymara (ay)
* Belarusian normative (be)
* Belarusian alternative (be-x-old)
* Bulgarian (bg)
* Bihara (bh)
* Breton (br)
* Catalan (ca)
* Czech (cs)
* Danish (da)
* German (de)
* Greek (el)
* Esperanto (eo)
* Spanish (es)
* Estonian (et)
* Basque (eu)
* Finnish (fi)
* Võro (fiu-vro)
* French (fr)
* Hebrew (he)
* Hindi (hi)
* Upper Sorbian (hsb)
* Hungarian (hu)
* Armenian (hy)
* Indonesian (id)
* Italian (it)
* Japanese (ja)
* Javanese (jv)
* Georgian (ka)
* Kabyle (kab)
* Kazakh (kk)
* Korean (ko)
* Kashmiri (ks)
* Ripuarian (ksh)
* Latin (la)
* Luganda (lg)
* Limburgish (li)
* Lithuanian (lt)
* Latvian (lv)
* Marathi (mr)
* Low Saxon (nds)
* Dutch Lower Saxon (nds-nl)
* Nepali (ne)
* Nepal Bhasa (new)
* Dutch (nl)
* Occitan (oc)
* Pali (pi)
* Polish (pl)
* Romanian (ro)
* Russian (ru)
* Sanskrit (sa)
* Sicilian (scn)
* Slovak (sk)
* Sundanese (su)
* Swedish (sv)
* Tahitian (ty)
* Ukrainian (uk)
* Urdu (ur)
* Uzbek (uz)
* Vietnamese (vi)
* Zealandic (zea)
* Old Chinese / Late Middle Chinese (zh-classical)
* Chinese (PRC) (zh-cn)
* Chinese (Taiwan) (zh-tw)
* Cantonese (zh-yue)

== Compatibility ==

MediaWiki 1.10 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.

PHP 5.0.x fails on 64-bit systems due to serious bugs with array processing:
http://bugs.php.net/bug.php?id=34879
Upgrade affected systems to PHP 5.1 or higher.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.


== Upgrading ==

1.10 has several database changes since 1.9, and will not work without schema
updates.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

= MediaWiki release notes =
Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.

= MediaWiki 1.9 =

== MediaWiki 1.9.6 ==

March 2, 2008

* Correction for API path fix, broken in 1.9.5

== MediaWiki 1.9.5 ==

January 23, 2008

This is a security update to the Winter 2007 quarterly release. A potential XSS
injection vector affecting api.php only for Microsoft Internet Explorer users
has been closed.


To work around the vulnerability without upgrading, you may disable the API if
you don't need it:

:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false;

Not vulnerable versions:
* 1.12 or later
* 1.11 >= 1.11.1
* 1.10 >= 1.10.3
* 1.9 >= 1.9.5
* 1.8 any version (if $wgEnableAPI has been left off)

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.2
* 1.9 <= 1.9.4
* 1.8 any version (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the API
functionality; however, the BotQuery extension is similarly vulnerable unless
updated to the latest SVN version.

== MediaWiki 1.9.4 ==

September 10, 2007

This is a security and bug fix update to the Winter 2007 quarterly release.
Minor compatibility fixes for IIS 5 are included.

* (bug [[bugzilla:8847|8847]]) Strip spurious #fragments from request URI to
fix redirect loops on some server configurations
* A possible HTML/XSS injection vector in the API pretty-printing mode has been
found and fixed.

The vulnerability may be worked around in an unfixed version by simply
disabling the API interface if it is not in use, by adding this to
LocalSettings.php:

:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false;

Not vulnerable versions:
* 1.11 >= 1.11.0
* 1.10 >= 1.10.2
* 1.9 >= 1.9.4
* 1.8 >= 1.8.5

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the faulty
function; however, the BotQuery extension is similarly vulnerable unless updated
to the latest SVN version.

== MediaWiki 1.9.3 ==

February 20, 2007

This is a security and bug-fix update to the Winter 2007 quarterly release.
Minor compatibility fixes for IIS and PostgreSQL are included.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module, either disable
it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with ''$wgUseAjax'' off.

* ([[mediazilla:8992|8992]]) Fix a remaining raw use of REQUEST_URI in history
* ([[mediazilla:8984|8984]]) Fix a database error in
Special:Recentchangeslinked when using the PostgreSQL database.
* Add ''charset'' to Content-Type headers on various HTTP error responses to
forestall additional UTF-7-autodetect XSS issues. PHP sends only ''text/html''
by default when the script didn't specify more details, which some
inconsiderate browsers consider a license to autodetect the deadly,
hard-to-escape UTF-7. This fixes an issue with the Ajax interface error message
on MSIE when ''$wgUseAjax'' is enabled (not default configuration); this UTF-7
variant on a previously fixed attack vector was discovered by Moshe BA from
BugSec: [http://www.bugsec.com/articles.php?Security=24
http://www.bugsec.com/articles.php?Security=24]
* Trackback responses now specify XML content type
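
The charset fix described in the 1.9.3 notes above, as an added example (not MediaWiki code): HTML escaping leaves UTF-7-encoded markup untouched, so the defence is to pin a charset on every text response. The function names, the set of audited media types and the sample headers are assumptions constructed for illustration.

```python
"""Added illustration, not MediaWiki code: why a missing charset matters."""
import html
from email.message import Message
from typing import Optional, Tuple

# Assumption: media types worth auditing, i.e. ones a browser renders as
# markup or that old MSIE versions were known to content-sniff.
AUDITED_TYPES = {"text/html", "text/plain", "text/xml", "application/xhtml+xml"}

# Constructed sample: the harmless tag <b> written in UTF-7.
UTF7_SAMPLE = "+ADw-b+AD4-"


def survives_html_escaping(text: str) -> bool:
    """True if html.escape() changes nothing, i.e. the escaper saw no markup."""
    return html.escape(text, quote=True) == text


def as_utf7(text: str) -> str:
    """What a client that guesses UTF-7 reconstructs from the same bytes."""
    return text.encode("ascii").decode("utf-7")


def parse_content_type(value: str) -> Tuple[str, Optional[str]]:
    """Return (media_type, charset or None) from a Content-Type header value."""
    msg = Message()
    msg["Content-Type"] = value
    charset = msg.get_param("charset")
    if isinstance(charset, tuple):  # RFC 2231 encoded parameter
        charset = charset[2]
    return msg.get_content_type(), charset or None


def audit_response(headers: dict) -> Optional[str]:
    """Return a finding string, or None if the response pins a safe charset."""
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("content-type")
    if raw is None:
        return "no Content-Type header: client will guess type and charset"
    media_type, charset = parse_content_type(raw)
    if media_type not in AUDITED_TYPES:
        return None
    if charset is None:
        return media_type + " without charset: client may autodetect the encoding"
    if charset.lower() == "utf-7":
        return media_type + " declares utf-7: escaped output can still become markup"
    return None


# Constructed sample responses (label, headers).
SAMPLE_RESPONSES = [
    ("error page, PHP default", {"Content-Type": "text/html"}),
    ("error page, with fix", {"Content-Type": "text/html; charset=utf-8"}),
    ("trackback response", {"Content-Type": "text/xml; charset=UTF-8"}),
    ("image", {"Content-Type": "image/png"}),
]

if __name__ == "__main__":
    print("escaper leaves sample untouched:", survives_html_escaping(UTF7_SAMPLE))
    print("same bytes read as UTF-7:", as_utf7(UTF7_SAMPLE))
    for label, headers in SAMPLE_RESPONSES:
        print(label, "->", audit_response(headers) or "ok")
```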

== MediaWiki 1.9.2 ==

February 4, 2007

This is a bug-fix update that fixes some installation and other minor issues
with the 1.9.1 release as well as a security issue which was introduced in the
1.9 branch.

JavaScript code which regenerated the "sortable tables" feature did not
properly sanitize input, leading to an HTML injection vulnerability.

* ([[mediazilla:8774|8774]]) Fix path for GNU FDL rights icon on new installs
* ([[mediazilla:8819|8819]]) Fix full path disclosure with skins dependencies
* ([[mediazilla:8819|8819]]) Fixed data-loss bug in compressOld batch text
compression affecting pages which had null edits (move, protect, etc) as second
edit in a batch group. Isolated and patched by Travis Derouin.
* Security fix for sortable tables JavaScript

== MediaWiki 1.9.1 ==

January 24, 2007

This is a bug-fix update that fixes some installation and upgrade issues with
the original 1.9.0 release.

* ([[mediazilla:3000|3000]]) Fall back to SCRIPT_NAME plus QUERY_STRING when
REQUEST_URI is not available, as on IIS with PHP-CGI
* Security fix for DjVu images. (Only affects servers where .djvu file uploads
are enabled and ''$wgDjvuToXML'' is set.)
* ([[mediazilla:8638|8638]]) Fix update from 1.4 and earlier
* ([[mediazilla:8641|8641]]) Fix order of updates to ipblocks table for updates
from <=1.7
* ([[mediazilla:8673|8673]]) Minor fix for web service API content-type header
* Fix API revision list on PHP 5.2.1; bad reference assignment
* Fixed up the AjaxSearch
* Exclude settings files when generating documentation. That could expose the
database user and password to remote users.
* ar: fix the 'create a new page' on search page when no exact match found
* Correct tooltip accesskey hint for Opera on the Macintosh (uses Shift-Esc-,
not Ctrl-).
* ([[mediazilla:8719|8719]]) Firefox release notes lie! Fix tooltips for
Firefox 2 on x11; accesskeys default settings appear to be same as Windows.

== Changes since 1.8 ==

* (bug 8200) Make category lists sorted by name when using Postgres.
* (bug 7841) Support 'IGNORE' inserts for Postgres, fixes watchlist
  adding problem.
* (bug 6835) Removing the includes/Parser.php::getTemplateArgs() function,
  because it seems to be unused.
* (bug 7139) Increasing the visual width of the edit summary field on larger
  screen sizes, for the default monobook skin.
* Fix PHP notice and estimates for dumpBackup.php and friends
* Improved register_globals paranoia checks
* (bug 7545) Fix PHP version check on install
* Disable PHP exception backtrace printing unless $wgShowExceptionDetails
  is set. Backtraces may contain sensitive information in function call
  parameters.
* (bug 6164) Avoid smashing Cite state if message transformation triggers
  during bad image list check, by skipping message transformation.
  This isn't a good permanent fix.
* (bug 6918) Stopped borders and backgrounds from showing through floated
  tables in Monobook
* (bug 6868) Un-hardcode section edit link style
* (bug 3205) Stop right floats from stacking horizontally in non-Monobook skins
* Added global $wgStyleVersion to centralize bumping CSS and JS file versions
  for cache-friendly style and script updating
* (bug 7562) Fix non-ASCII namespaces on Windows/XAMPP servers
* Friendlier check for PHP 5 in command-line scripts; it's common for parallel
  PHP 4 and 5 installations to interfere on the command-line.
* Fix regression in autoconfirm permission check
* (bug 3015) Add CSS ids to subcategory and page sections on category pages
* (bug 7587) Fix erroneous id for specialpage tab, enabling informative popup
* (bug 7599) Fix thumbnail purging, PHP notices on HTCP image page purge
* (bug 7581) Update language name for cbk-zam
* (bug 7444) Update namespace translations for Telugu (te), kept old values as
  alias for compatibility
* (bug 4525) Move section links down visually to same level as headings
  (editsection links are now inside the heading elements)
* Workaround for http://bugs.php.net/bug.php?id=31892 , PATH_INFO and hence
  URLs of the style /index.php/Main_Page were broken on some CGI installations.
* (bug 7623) Validate custom HTML id's correctly in Monobook interface
* (bug 2241) Fix collision of 'w' and 'd' accesskeys
* (bug 5795) CSS class added to body based on page name for page-specific
  styling
* (bug 6276) Stopped search field from getting too large in Cologne Blue
* (bug 7644) User creations that are aborted by hooks shouldn't be counted
  against account creations per day limit
* (bug 7636) Show Firefox 2 users correct accesskey prefix
* (bug 6427) Block blocked IPs from using the mail password function
  to allow blocking of flooders
* Include common.css from classic-style skins in main HTML with the bump URL
* (bug 7607) Add Karakalpak (kaa) to Names.php and stub message file for
  linktrail
* (bug 7582) Add 'tog-nolangconversion' to MessagesEn.php.
  This key is needed for languages with variants (zh, sr, kk)
* (bug 7606) MediaWiki messages for "rss" and "atom" missing
* (bug 7609) Add some more '*-summary' messages to MessagesEn.php with empty
  strings to allow better localisation via Special:Allmessages. Mark these new
  messages as optional for localisation.
* Fix user_newpass upgrade for prefixed tables (reported by Fyren)
* (bug 7663) Include language variant switcher links on Nostalgia skin
* (bug 6531) Fix PHP fatal error on installation page with bad username input.
* (bug 6977) Remove 404 link for autogenerated database documentation.
* (bug 7369) Allow "Show Changes" without requiring edit token.
* (bug 7687) Fix movetalk box checks itself when confirming a delete and move.
* (bug 7684) Obey watchcreated preference for Special:Upload watch checkbox
* (bug 7686) Include id attribute on delete form confirmation button
* Allow compound interwiki prefixes in $wgImportSources
* (bug 7304) Added redirect table to store redirect targets.
* Added querycachetwo table (similar to querycache but has two titles)
* PageArchive can now return a Revision object for more convenient processing
  of deleted revision data
* Added 'UndeleteShowRevision' hook in Special:Undelete
* Error message on attempt to view invalid or missing deleted revisions
* Remove unsightly "_" from namespace in Special:Allpages, Special:Prefixindex
* (bug 3224) Allow minor edits by bots to skip new message notification on
  user talk pages. This can be disabled by adjusting the 'nominornewtalk'
  permission. Patch by Werdna.
* (bug 7741) MATH: fixed broken syntax of underbrace etc. Fixed arrays
* Fix purging for updated SVG files
* (bug 7745) Add id attribute to search button in Monobook
* (bug 7749) MATH: added some more LaTeX symbols, e.g. parallel, diamond, ast...
* (bug 7304) Added code in Article.php to keep redirect table up to date.
* Made special page names case-insensitive and localisable. Care has been taken
  to maintain backwards compatibility.
* Used special page subpages in a few more places, instead of query parameters.
* (bug 7758) Added wrapper span to "templates used" explanation to allow CSS
  styling (class="mw-templatesUsedExplanation").
* Added {{#special:}} parser function, to give the local default title for
  special pages
* (bug 7766) Remove redundant / from AJAX requests, can break some servers
* Add tab links from extensions to classic-based skins (SkinTemplateTab hook)
  Provides better cross-skin compatibility for extensions using the modern
  skin hooks, such as Oversight
* Moved variant language links on Cologne Blue and Nostalgia to before the
  login/logout link
* Fix for parser tests with MySQL 5 in strict mode
* Added block option "enable autoblocks"
* Amend Special:Ipblocklist to note when a block has autoblock DISABLED.
* (bug 7780) Fix regression in editing redirects
* Add whitespace above "templates included on this page" using CSS, not
  hardcoded line break.
* Remove entries from redirect table on article deletion
* (bug 7788) Force section headers in new section links for users who have
  'prompt for blank edit summaries' on.
* (bug 1133) Special:Emailuser: add an option to send yourself a copy of your
  mail.
* (bug 461) Allow "Categories:" link at bottom of pages to be customized via
  pagecategorieslink message.
* Sort the list of skins in "My Preferences" -> Skins by alphabetical order.
* (bug 7785) Postgres compatibility for timestamps in RC feeds
* (bug 7550) Normalize user parameter normally on Special:Log
* (bug 7294) Fix PATH search for diff3 on install
* Various fixes related to the blocking change re: autoblocks. On inserting
  an IP block, the ipb_enable_autoblock field is now automagically blanked,
  because it doesn't make any sense for an IP. Additionally, IP blocks
  without the ipb_enable_autoblock option no longer show up as "autoblock
  disabled" on Special:Ipblocklist.
* (bug 7774) MATH: added more amstex functions
* (bug 1182) MATH: fixed inconsistent rendering of upper case Greek letters in
  TeX
* Fix regression in streaming page dump generation
* (bug 7801) Add support for parser function hooks in parser tests
* checkUsernames.php now uses wfDebugLog instead of hardcoded path to log
* (bug 7810) Update talk namespaces for Occitan
* Allow case-sensitive URLs to be used for uploading from URLs.
* (bug 1109) Correct fix for compressed 304 responses when additional output
  buffers have been installed within the compression handler
* (bug 7819) Move automatic redirect edit summary after pre-save transform
  to work properly with subst: fun
* (bug 7826) Fix typos in two English messages.
* (bug 5365) Stop users being prompted to enter an edit summary for null edits,
  if they have selected that option in preferences.
* (bug 5936) Show an 'm' to the left of the edit summary on diff pages for minor
  edits.
* (bug 7820) Improve error reporting for uploads via URL.
* (bug 5149) When autoblocks are enabled, retroactively apply an autoblock to
  the most recently used IP of a user when they are blocked.
* Add an index on (rc_user_text,rc_timestamp) on the recentchanges table. This
  will make CheckUser.php and the new retroactive autoblock functionality
  faster.
* Fix regression in Special:Undelete for revisions deleted under MediaWiki 1.4
  with compression or legacy encoding
* (bug 6737) Fixes for MySQL 5 schema in strict mode
* Approximate height for client-side scaling fallback instead of passing -1
  into the HTML output.
* Make the DNSBL to check for proxy blocking configurable via $wgSorbsUrl
* Add experimental recording/reporting mode to parser tests runner, to
  compare changes against the previous run.
  Additional tables 'testrun' and 'testitem' are in maintenance/testRunner.sql,
  source this and pass --record option to parserTests.php
* Make the set of default parser test input files extensible via
  $wgParserTestFiles. This can now be appended to by extensions or local
  configuration files so that extension or custom tests can be automatically
  run along with the main batch.
* Run PHP install version checks on update.php so command-line updaters see
  new version requirements
* Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive
  as of MW 1.8 than it used to be. Install or upgrade now aborts with a
  warning and a request to upgrade.
* (bug 6440) Updated indexes to improve backlinking queries (links, templates,
  images)
* Switched 'anon-only' block mode to default for IP blocks
* (bug 3687, 7892) Add distinct heading for media files in category display,
  with count.
* (bug 1578) Add different icons for external links to audio, video, or PDF in
  Monobook.
* Made autoblocks block account creation if the user block has that option
  enabled.
* Add auto-summaries to blankings and large removals without summaries.
* (bug 7811) Allow preview of edit summaries.
* (bug 6839) Wikibits.js minor changes to make JS-lint happier.
* (bug 7932) Make sure that edit toolbar clears floats so it appears correctly.
* (bug 6873) When viewing old revisions, add link to diff to current version.
* (bug 3315) Provide rollback link directly on history page.
* Replace 'old-revision-navigation' message with 'revision-info' and
  'revision-nav' messages, wrapped in divs with appropriate id's.
* (bug 4178) MediaWiki:Common.js will now be included for all users if
  $wgUseSiteJs is enabled, in addition to (if applicable) MediaWiki:Monobook.js
  and user JS subpages.
* (bug 7918) "Templates used on this page" changes during preview to reflect
  any added or removed templates, and works as expected for section edits.
* (bug 7919) "Templates used on this page" is now shown for read-only pages.
* (bug 7688) When viewing diff, section anchors in autosummary jump to section
  on current page instead of loading the latest version.
* (bug 7970) Use current connection explicitly on Database::getServerVersion
* (bug 2001) Tables with class="sortable" can now be dynamically sorted via
  JavaScript.
* Added autosummary for new pages with 500 or fewer characters, and refactored
  the autosummary code so it's all done in one function. doEdit is getting too
  big!
* (bug 7554) The correct MIME type for SVG images is now displayed on the
  image page (image/svg+xml, not image/svg).
* (bug 7883) Added autoblock whitelisting feature, with which specific ranges
  can be protected from autoblocking. These ranges are specified, in list
  format, in the autoblock_whitelist system message.
* Added placeholders for text injection by hooks to EditPage.php
* (bug 8009) Automatic edit summary for redirects is not filled for edits in
  existing pages
* Installer support for experimental MySQL 4.1/5.0 binary-safe schema
* Use INSERT IGNORE for db-based BagOStuff add/insert, for more memcache-like
  behavior when keys already exist on add (instead of dying with an error...)
* Add a hook 'UploadForm:initial' before the upload form is generated, and two
  member variables for text injection into the form, which can be filled by the
  hooks.
* (bug 6295) Add a "revision patching" functionality, where an edit can be
  undone (with a functionality similar to
  diff rev1 rev2 | patch -R rev3 -o rev3).
  This is triggered by including &undo=revid in an edit URL. A link to a URL
  that will undo a given edit is shown on NEW revision headers on diff pages.
  The link leads to a "Show Changes" page showing what will be done to undo the
  edit.
* Fix display of link in "already rolled back" message for image/category pages
* (bug 6016) Left-aligned images should stack vertically, like right-aligned
  images, not horizontally.
* Patch from LeonWP: added UploadForm:BeforeProcessing hook in SpecialUpload.php
* Add AuthPluginSetup hook to override $wgAuth after configuration
* Fix regression in authentication hook auto-creation on login
* (bug 8110) Allow spaces in ISBNs
* (bug 8024) Introduce "send me copies of emails I send to others" preference
* Added 'EditPage::attemptSave' hook before an article is saved.
* (bug 8083) Applied patch for sk localisation
* Add a backslash character to the edit token, to prevent edits via certain
  broken proxies that mangle such characters in form submissions
* (bug 7461) Allow overwriting pages using importTextFile.php
* (bug 7946) importTextFile.php doesn't perform pre-save transform
* (bug 8117) {{REVISIONTIMESTAMP}} showed weird default if $wgLocalTZoffset set;
  now uses current time for previews and if timestamp can't be loaded from DB
* {{REVISIONTIMESTAMP}} now uses site local timezone instead of user timezone
  to ensure consistent behavior
* {{REVISIONTIMESTAMP}} and friends should now work on non-MySQL backends
* (bug 7671) Observe canonical media namespace prefix in Linker::formatComment
* Added js variable wgCurRevisionId to the output
* (bug 8141) Cleanup of Parser::doTableStuff, patch by AzaTht
* (bug 8042) Make miser mode caching limits settable via $wgQueryCacheLimit
  instead of hardcoding to 1000
* Enable QueryPage classes to override list formatting
* (bug 5485) Show number of intervening revisions in diff view
* (bug 8100) Fix XHTML validity in Taiwanese localization
* Added redirect to section feature. Use it wisely.
* Added a configuration variable allowing the "break out of framesets" feature
  to be switched on and off ($wgBreakFrames). Off by default.
* Allow Xml::check() $attribs parameter to override 'value' attribute
* DB schema change: added two columns (rc_old_len and rc_new_len) to the
  recentchanges table to store the text lengths before and after the edit
* (bug 1085) Made Special:Recentchanges show the character difference between
  the changed revisions
* Removed a redundant <strong> tag from diff pages that was causing display
  issues for some users
* (bug 8203) The keyboard shortcut for "log out" was removed, because users
  were pressing it when they intended to press the shortcut for "preview".
* (bug 8148) Handle non-removable output buffers gracefully when cleaning
  buffers for HTTP 304 responses, StreamFile, and Special:Export.
  Duplicated code merged into wfResetOutputBuffers() and wfClearOutputBuffers()
* Special:AllPages : 'next page' link now points to the first title of the next
  chunk instead of pointing to the last title of current chunk.
* (bug 4673) Special:AllPages : add a 'previous' link (new message 'prevpage')
* (bug 8121) wfRandom() was not between 0 and 1
* Add static method Parser::createAssocArgs($args), so parser functions can
  use the same code to parse arguments as the templates do.
* Change behavior of logins using the temporary e-mailed password (as stored
  in user_newpassword hash field). Instead of just logging in silently and
  leaving the previous user_password field in place indefinitely, the user
  is now prompted to set a new password.

  The password-changing form is at Special:Resetpass; currently it's only
  usable for changing from the temporary password during login, but it
  could perhaps be generalized, replacing the subform in preferences.

  Once the new password is set successfully, the temporary password is wiped
  so it cannot be used to login a second time, and the login process
  is completed.
* Suppress 'mail new password' button on login form if $wgAuth forbids
  changing user passwords; it wouldn't work very well...
* Consolidate password length checks and $wgAuth manipulation into
  User::setPassword() to avoid duplicate code in different places
  that set passwords.
* User::setPassword() now throws PasswordError exceptions if the password
  is illegal or cannot be set via $wgAuth. These can be caught and a human-
  readable error message displayed by UI code.
* Added Title::isSubpage()
* (bug 8241) Don't consider user pages of User:Foo.css to be CSS subpages
* Set an explicit class on framed thumbnail inner divs and images, changed some
  CSS to use these instead of using descendant selectors.
* Accept null parameter to User::setPassword() as indicating the password
  field should be cleared to an unusable state. Login will only be possible
  after the password is reset, for instance by e-mail.
* (bug 6394) Invalidate the password set for "by e-mail" account creations
  to avoid accidental empty password creations.
* Made the show change size function work on page moves, page creations, and
  log entries. Also fixed it in the javascript recentchanges.
* (bug 8239) correctly get 50 new contributions when clicking '(50 next)'
* (bug 2259) Fix old regression where e-mail addresses were no longer
  confirmed on login with mailed password.
* Add a notification about the confirmation mail sent during account
  creation, so people don't immediately go off to request a second one.
* Add a warning on Special:Confirmemail if a code was already sent and has
  not yet expired.
* Add user_editcount field to provide data for heuristics on account use.
  Incremented on edit, with lazy initialization from past revision data.
  Can batch-initialize with maintenance/initEditCount.php (not yet friendly
  to replication environments, this will do all accounts in one query).
* Allow raw SQL subsections in Database::update() SET portion as well as
  for WHERE portion. Handy for increments and such.
* User::getOption now accepts a default value to override default user values;
  this makes it consistent with WebRequest::get* methods. Corrected code in
  various places accordingly.
* (bug 8264) Fix JavaScript global vars for XHTML mode
* Make $wgSiteNotice value wikitext again, for consistency with editable
  MediaWiki:Sitenotice and MediaWiki:Anonnotice.
* (bug 8044) When redirecting from the canonical name of the special page
  to the localised one, parameters/subpages are omitted
* (bug 8164) Special:Booksources should use GET for form submission
* Rewrite Special:Booksources to clean up interface and remove redundant code
* (bug 7925) Change Special:Allmessages message name filter javascript to be
  a bit more responsive and easier on the CPU
* (bug 4488) Support watching pages on deletion; introduces new user preference
* Minor restructuring of Special:Preferences; "watch pages I edit" and "watch
  pages I create" options now accessible under "Watchlist" options
* (bug 8153) <nowiki> doesn't work in site notice
* (bug 6690) wfMsgNoTrans() transforms messages
* (bug 8274) Wrap edit tools in a <div> with a specified class
* Detect PHP 5.0.x 64-bit bug and abort in WebStart.php; too many things break
  mysteriously otherwise (detection code copied from install-utils.inc)
* (bug 8295) Change handling of <center> tags in doBlockLevels() to match that
  of <div>
* (bug 8110) Make magic ISBN linking stricter: only match ten-digit sequences
  (plus optional ISBN-13 prefix) with no immediately following alphanumeric
  character, disallow multiple consecutive internal redirects
* (bug 2785) Accept optional colon prefix in links when formatting comments
* Don't show "you can view and copy the source of this page" message for
  pages which don't exist
* (bug 8310) Blank line added to top of 'post' when page is blank
* (bug 8109) Template parameters ignored in "recentchangestext"
* Gracefully skip redirect-to-fragment on WebKit versions less than 420;
  it messes up on current versions of Safari but is ok in the latest
  nightlies. Checking the version number will allow it to automatically
  work when new releases of Safari appear.
* Fix regression in thumb styles; size and padding didn't match with
  new arrangement.
* (bug 8333) Fix quick user data update on login password change on
  replication database setups. User data is now pulled from master
  instead of slave in User::loadFromDatabase, ensuring that it is
  fresh and accurate when read and then saved back into cache.
  This was breaking with the Special:Rename operation which
  automatically logs the user in with the new password after changing
  it; pulling from slave meant the record was often not the updated
  one.
* (bug 8335) Set image width to the first valid parameter found.
* (bug 8350) Fix watchlist viewing bug when using Postgres.
* (bug 6603) When warning about invalid file extensions, output the bit
  of the extension we actually checked
* (bug 7669) Drop defaults on BLOB/TEXT columns for better compatibility
  with MySQL's strict mode, often enabled by the Windows installer.
  The defaults are ignored anyway when strict mode is off...
* (bug 7685) Use explicit values for ar_text and ar_flags when deleting,
  for better compatibility with MySQL's strict mode
* Update default interwiki values to reflect changed location of ursine:
* (bug 5411) Remove autopatrol preference
* Users who have the "autopatrol" permission will have their edits marked as
  patrolled automatically
* Users who do not have the "autopatrol" permission will no longer be able
  to mark their own edits as patrolled
* Introduce 'PingLimiter' hook; see docs/hooks.txt for more information
* (bug 532) Tweaked alt text for some interface messages
* (bug 8231) Gave useful alt text to the main <img> on image pages
* (bug 371) Remove alt text for "Enlarge" icon on thumbnails
* Initialize user_editcount to 0 instead of NULL for newly created accounts
* (bug 3696) Strip LRM and RLM characters from titles to work around the
  problem some people have where titles cut-and-pasted from lists include
  the bidi override characters appended to the lists.
  A more thorough blacklist for forbidden and translatable characters would
  be wise, though, as might a cleaner method for the lists in the first place.
* Fix regression in email password resets on read-restricted sites
* Set tabindex on fields in deletion form so you don't have to tab through
  the links in the sitenotice
* (bug 8271) Show full time and date on viewer for individual deleted
  revisions
* (bug 8214) Output file size limit and actual file size in appropriate units
  on Special:Upload
* (bug 8016) Purge objectcache table during upgrade processes - use the
  --nopurge option to prevent this when running maintenance/update.php
* (bug 7612) Remove superfluous link to Special:Categories from result items
  on Special:Mostcategories
* {{PLURAL:}} now handles formatted numbers correctly
* (bug 8331) Added the change size value to watchlists; therefore made
  watchlists use RecentChange::newFromRow() instead of newFromCurRow()
* (bug 8351) Fix undo for simple reverts
* (bug 6856) User::clearNotification() does not respect read-only mode
* (bug 6853) Use a checkbox on the installer form to indicate that a superuser
  account should be used; this is clearer than the old check which relied on
  the password never being an obscure value
* Remove old unused watchlist cache, which was a leftover from the old schema
  where watchlists were more expensive to generate
* Minor cosmetic changes to Special:Userrights
* Added wgCanonicalSpecialPageName to JavaScript variables
* Fix image deleting when using Postgres.
* Output both source and destination titles in maintenance/moveBatch.php
* Added basic parser tests for language variants
* Enable selflinks and categories to be written in some of the language variants
* Prevent conversion of JavaScript code in language variants
* Output software version number in maintenance/parserTests.php
* (bug 7169) Use Ajax to watch/unwatch articles if enabled
* Make variant table caching a little more robust, using main language code
  in cache key. Probably this is still a bit wonky, though. Was breaking
  parser tests when Chinese tables were getting loaded into Serbian code.
* (bug 8380) Be nicer about blank lines in deleteBatch.php
* (bug 8401) Fix regression in SORBS lookup for some DNS setups
* Use raw file descriptor in posix_isatty() check to avoid warning on
  Linux systems with at least some versions of PHP
* (bug 5908) Allow overriding the default category sort key for all items on
  a page using {{DEFAULTSORT}}
* (bug 6449) Throw a more definitive error message when installation fails
  due to an invalid database name
* (bug 5827) Use full text for option link labels on Special:Watchlist
* (bug 8018) Allow hiding minor edits from the watchlist
* (bug 8427) MonoBook RTL IE 7.0 tweaks failed when sidebar's navigation
  section is renamed; no longer relies on first section name
* Stabilize client-side table sorting even if the underlying Javascript sort()
  implementation is unstable
* Add hook for extensions to add user information to the panel in preferences,
  next to the user name and ID.
* (bug 8392) Display protection status of transcluded pages in the edit page
  template list. Patch by Fyren, with i18n naming tweak.
* Fix for interwiki transclusion where target wiki uses query string for title
* Resolve namespaces on interwiki Title objects using canonical namespace names
  if possible (should not happen, though, outside interwiki transclusion... and
  maybe not even then, but it does)
* (bug 8447) Fix SQL typo breaking non-default $wgHitcounterUpdateFreq
* Do not allow previews of deleted images to be cached
* Add global variable $wgDefaultLanguageVariant used to set the default language
  variant of a wiki to something different than the main language code
* Add 'variant' option to parserTests - runs test with the given variant as
  preferred, utilize it for more parser tests of language variants code
* (bug 6503) Fix bug that stopped certain irrelevant links from being hidden
  for printing
* Avoid PHP warning in Creative Commons metadata when a creative commons
  license is not actually set up
* (bug 8463) Don't print external link icons for Monobook
* (bug 8461) Support watching pages on move
* (bug 8041) Work around bug with debug_backtrace when Zend Optimizer is
  loaded by skipping the function. Use wfDebugBacktrace() wrapper function.
* Reduce config file clutter by setting various script and upload paths
  based on $IP or $wgScriptPath in Setup.php. They can still be explicitly
  overridden in LocalSettings.php if desired...
* Attempt to detect redirect loops for the canonical title redirect, and
  give some hints to the poor confused administrator.
* Introduce new flag 'R' - raw output for language variant escape tags
* Advise users when updates for a query page have been disabled using
  $wgDisableQueryPageUpdate
* (bug 8413) Improve comments for $wgNamespaceRobotPolicies
* (bug 8330) Show "bytes" suffix on recent changes diff counter
  optionally... if set in rc-changes-size message (default empty for now)
* (bug 8489) Support basic links in <gallery> caption attribute
* (bug 8485) Correct Lingala number formatting
* The MediaWiki namespace is no longer pre-filled with default messages on
  install. All default messages will be removed from the MediaWiki namespace
  on upgrade.
* Recentchanges RSS/Atom feeds now use a separate message for the description
  to avoid cluttering it with useless wiki formatting
* (bug 8417) Handle EXIF unknown dates
* (bug 8372) Return nothing on empty <math> tags.
* New maintenance script to show the cached statistics: showStats.php.
* Count deleted edits when regenerating total edits in maintenance/initStats.php
* (bug 3706) Allow users to be exempted from IP blocks. The ipblock-exempt
  permission key has been added to enable this behavior, by default assigned to
  sysops.
* (bug 7948) importDump.php now warns that Recentchanges needs to be rebuilt.
* (bug 7667) allow XHTML namespaces customization
* (bug 8531) Correct local name of Lingála (patch by Raymond)
* Fix regression with default lock file and cache directories; threw visible
  warning with open_basedir


== 1.8 Compatibility changes ==

=== Zend Optimizer ===

A bug in some versions of PHP 5 and Zend Optimizer which was triggered under
MediaWiki 1.8.x has been worked around by disabling some internal debugging
features when Zend Optimizer is loaded. This should solve some common
"blank page" problems.

=== PHP 5.0 64-bit ===

MediaWiki now checks for a condition where PHP 5.0.x corrupts array data
on 64-bit systems and warns you to upgrade PHP to solve the problem. This
bug causes Special: pages to fail on affected systems under MediaWiki 1.8
and higher, and subtler data corruption on earlier versions.

The only known workaround is to upgrade PHP to 5.1 or later, which you
probably should do anyway for security reasons!

=== MySQL 5 ===

MediaWiki should now install and run correctly on MySQL 5.0 and higher when
MySQL's "strict mode" is enabled. (This is now the default for many Windows
installations, though it seems to remain off by default on Unix.)

This fixes errors about "cannot default default value for BLOB/TEXT fields".

=== ImageMagick ===

Note that ImageMagick older than 6.x may no longer work for image resizing
due to use of the -thumbnail option.


== 1.8 Behavior changes ==

=== Localized special pages ===

The names of Special: pages can now be localized, so links and URLs to them
are more legible in languages that aren't English.

Not all languages have included localized names yet.

=== E-mail password ===

Users are now required to set a new password for themselves when they first
log in with a newly generated e-mailed password.

Requesting passwords frequently is prevented to reduce abusive mailbombing.

=== Undo revision ===

An "undo" link now appears in diff view for easier reverting of older edits.
When GNU diff3 is available for edit conflict merging, this can make it much
easier to "undo" the changes of an older edit when there are surrounding
changes elsewhere in the page.

The changes must be manually reviewed and approved, as with conventional
full-revision reverts.

=== Blocking ===

User blocks can be set to disable the automatic blocking of IP addresses the
account logs in with.


== 1.8 Database changes ==

* new 'redirect' table stores data on page redirects
* new 'querycachetwo' table used for some cached special pages
* 'ipblocks' table adds 'ipb_enable_autoblock'
* 'recentchanges' table adds 'rc_old_len', 'rc_new_len' for size tracking
* 'user' table has added 'user_newpass_time' and 'user_editcount' fields
* some indexes have been updated on 'recentchanges'

== 1.8 Configuration changes ==

Several configuration options have changed since 1.8:

=== $wgEnableAPI ===

The experimental machine API interface is now enabled by default, read-only.
You can disable it by setting $wgEnableAPI = false; in LocalSettings.php.

=== $wgUsePathInfo ===

The use of PATH_INFO (the text after the script name in 'index.php/Blah')
is controlled by the $wgUsePathInfo setting. This is now explicitly disabled
for CGI, apache2filter, and ISAPI configurations of PHP, for more consistency
with the autodetection from the installer.

In some rarer configurations you may have to switch $wgUsePathInfo from false
to true or, perhaps, from true to false to make things work properly if bad
PATH_INFO data comes through the server.

The wiki now tries to detect this condition and should show you an error
message describing what to change instead of sending the browser into an
infinite redirect loop.

=== $wgScript and other path settings ===

The following configuration variables are now automatically set in Setup.php
if they are not overridden in LocalSettings.php:

from $wgScriptPath:
 + $wgScript
 |  \- $wgArticlePath
 + $wgRedirectScript
 + $wgStylePath
 + $wgUploadPath
    \- $wgLogo
     + $wgMathPath

from $IP:
 - $wgStyleDirectory
 + $wgUploadDirectory
   \- $wgMathDirectory
    + $wgTmpDirectory

Newly generated configuration files will by default include only $wgScriptPath
(hardcoded from the installer) and $IP (detected at runtime).

Old configuration files which specify all these values explicitly should
continue to work just fine, but if you use the defaults you can remove them
to reduce clutter.

=== $wgGroupPermissions ===

The sysop group now holds the "autopatrol" and "ipblock-exempt" rights by
default.

"autopatrol" replaces the preference for marking one's own edits patrolled
by default; users holding this permission will automatically have their
edits patrolled, while others cannot mark their own edits as patrolled
even if they have patrolling rights.

"ipblock-exempt" excludes the user from IP blocks; accounts which are blocked
explicitly by name will still be blocked, however. This is given to sysops
to minimize annoyance from accidental "collateral damage"; remember that a
sysop will be able to lift the block if they desire.

The bot group now holds the "nominornewtalk" right. A user with this right
will not trigger new message notifications when making minor edits to user
talk pages. This is meant to minimize annoyance from maintenance bot
processes.

=== $wgUseWatchlistCache ===

Watchlist caching has been removed. The feature was not maintained, and has
been unnecessary since switching to the 'recentchanges' database table
reduced server pressure for Wikipedia's watchlists.

=== $wgBreakFrames ===

MediaWiki in the past attempted to detect when it was embedded in a frameset
and "break out" of it, assuming it to be hostile.

This behavior is now disabled by default, but can be reenabled by setting
$wgBreakFrames to true in LocalSettings.php.


== 1.8 New settings ==

=== $wgVariantArticlePath ===

For languages with script variant support (Chinese, Serbian, and others),
it's possible to use alternate URL paths to select the variant for article
display, setting $wgVariantArticlePath.

Documentation for this setting would be useful.

=== $wgMaxMsgCacheEntrySize ===

The message cache can now skip items larger than a given size; this allows
it to better handle the primary caching case when large CSS and JS blobs are
present.

=== $wgStyleVersion ===

When making significant changes to skin stylesheets and JavaScript files,
you can append a string to this variable to tweak the generated URLs,
forcing newly rendered pages to bring in a fresh version despite server-
or browser-side caching.

Normally this will be set in the course of MediaWiki development, but
if doing development on a custom skin you may wish to poke it as well.

=== $wgRCShowChangedSize ===

Special:Recentchanges and Special:Watchlist now show the number of bytes
added or removed to an article to give an idea of the size of the edit.
This information was previously available only in the IRC update feeds.

To disable this site-wide, set $wgRCShowChangedSize to false.
(Individual users can suppress the data in custom CSS.)

Adjust $wgRCChangedSizeThreshold to trigger highlighting of particularly
large changes.

The formatting of the size figure can be adjusted through the
[[MediaWiki:Rc-change-size]] message.

=== $wgQueryCacheLimit ===

The number of rows stored for "expensive" special pages in miser mode
can now be adjusted up or down from the default 1000.

=== $wgDisableQueryPageUpdate ===

Individual "expensive" special pages can be skipped in processing by
updateSpecialPages if added to this list.

=== $wgSorbsUrl ===

The base hostname for the DNS-based proxy blacklist can now be overridden
when $wgEnableSorbs is set, to use a different blacklist instead of SORBS.
The blacklist would need to respond the same way as SORBS; any positive
response will be taken as a proxy.

=== $wgAjaxWatch ===

Experimental AJAX mode for the watch/unwatch tabs to execute inline.
Does not include the UI messages describing how to reach the watchlist,
so you may not want it on a general-audience site just yet.

=== $wgParserTestFiles ===

MediaWiki's parser test suite can now be expanded with additional test
files. Custom extensions can add their test files to this array, and
they will be run along with the main tests by maintenance/parserTests.php.

= MediaWiki 1.8 =

== MediaWiki 1.8.5 ==

September 10, 2007

This is a security fix update to the Fall 2006 quarterly release snapshot. A
possible HTML/XSS injection vector in the API pretty-printing mode has been
found and fixed.

The vulnerability may be worked around in an unfixed version by simply
disabling the API interface if it is not in use, by adding this to
LocalSettings.php:

:[[Manual:$wgEnableAPI|$wgEnableAPI]] = false;

(This is the default setting in 1.8.x.)

Not vulnerable versions:
* 1.11 >= 1.11.0
* 1.10 >= 1.10.2
* 1.9 >= 1.9.4
* 1.8 >= 1.8.5

Vulnerable versions:
* 1.11 <= 1.11.0rc1
* 1.10 <= 1.10.1
* 1.9 <= 1.9.3
* 1.8 <= 1.8.4 (if $wgEnableAPI has been switched on)

MediaWiki 1.7 and below are not affected as they do not include the faulty
function, however the BotQuery extension is similarly vulnerable unless updated
to the latest SVN version.

== MediaWiki 1.8.4 ==

February 20, 2007

This is a security and bug-fix update to the Fall 2006 quarterly release.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting
[[Manual:$wgUseAjax|$wgUseAjax]] is enabled.

If you are using an extension based on the optional Ajax module, either disable
it or upgrade to a version containing the fix:
* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with $wgUseAjax off.

* (bug [[bugzilla:8819|8819]]) Fix full path disclosure with skins dependencies
* Add 'charset' to Content-Type headers on various HTTP error responses to
forestall additional UTF-7-autodetect XSS issues. PHP sends only 'text/html' by
default when the script didn't specify more details, which some inconsiderate
browsers consider a license to autodetect the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
[[Manual:$wgUseAjax|$wgUseAjax]] is enabled (not default configuration); this
UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA
from BugSec: http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
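
The charset fix described above can be checked from the outside by auditing response headers. The following is an added example, not MediaWiki code: it flags text/html responses whose Content-Type carries no charset (or declares UTF-7). The function names and the sample header sets are constructed for illustration.

```python
"""Audit captured HTTP response headers for HTML served without a charset."""

# Encodings that should never be declared for HTML output.
UNSAFE_CHARSETS = {"utf-7"}


def parse_content_type(value):
    """Split a Content-Type value into (media_type, {param: value})."""
    media, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Parameter names and charset values are case-insensitive.
            params[name.strip().lower()] = val.strip().strip('"').lower()
    return media.strip().lower(), params


def audit_response(headers):
    """Return a finding string for one response, or None if it is fine.

    `headers` is a list of (name, value) pairs; names are case-insensitive.
    """
    values = [v for n, v in headers if n.strip().lower() == "content-type"]
    if not values:
        return "no Content-Type header: type and encoding left to the browser"
    media, params = parse_content_type(values[-1])
    if media != "text/html":
        return None  # only HTML responses are in scope for this check
    charset = params.get("charset", "")
    if not charset:
        return "text/html without charset: encoding left to autodetection"
    if charset in UNSAFE_CHARSETS:
        return "text/html declares unsafe charset " + charset
    return None


def audit_all(responses):
    """Map each label to its finding, keeping only responses with a finding."""
    findings = {}
    for label, headers in responses:
        finding = audit_response(headers)
        if finding:
            findings[label] = finding
    return findings


# Constructed sample data: labels and header sets are illustrative only.
SAMPLE_RESPONSES = [
    ("error page, PHP default", [("Content-Type", "text/html")]),
    ("normal page", [("Content-Type", "text/html; charset=UTF-8")]),
    ("quoted, odd case", [("content-type", 'TEXT/HTML ; Charset="utf-8"')]),
    ("empty charset", [("Content-Type", "text/html; charset=")]),
    ("xml response", [("Content-Type", "text/xml")]),
    ("no header at all", [("X-Example", "1")]),
]

if __name__ == "__main__":
    for label, finding in audit_all(SAMPLE_RESPONSES).items():
        print(f"{label}: {finding}")
```

Error responses (4xx/5xx) are the ones to feed this first, since those are the paths where a script is most likely to exit before setting its own header.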

== MediaWiki 1.8.3 ==

January 9, 2007

MediaWiki 1.8.3 fixes several issues in the Fall 2006 snapshot release:

* ([[mediazilla:7831|7831]]) Regression in AutoAuthenticate hook
* Run PHP install version checks on update.php so command-line updaters see new
version requirements
* Do a check for the PHP 5.0.x 64-bit bug, since this is much more disruptive
as of MW 1.8 than it used to be. Install or upgrade now aborts with a warning
and a request to upgrade.
* XSS fix in AJAX module

An XSS injection vulnerability was located in the AJAX support module,
affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional AJAX module, either disable
it or upgrade to a version containing the fix:

== MediaWiki 1.8.2 ==

October 13, 2006

MediaWiki 1.8.2 fixes several issues in the Fall 2006 snapshot release:

* ([[mediazilla:7565|7565]]) Fixed typos in German localisation
* ([[mediazilla:7562|7562]]) Fix non-ASCII namespaces on Windows/XAMPP servers

== MediaWiki 1.8.1 ==

October 11, 2006

MediaWiki 1.8.1 fixes several issues in the Fall 2006 snapshot release:

* Fix PHP notice and estimates for dumpBackup.php and friends
* Improved register_globals paranoia checks
* ([[mediazilla:7545|7545]]) Fix PHP version check on install
* Experimental web API disabled by default
* Disable PHP exception backtrace printing unless $wgShowExceptionDetails is
set. Backtraces may contain sensitive information in function call parameters.

== MediaWiki 1.8.0 ==

October 10, 2006

This is the quarterly release snapshot for Fall 2006. While the code has been
running on Wikipedia for some time, installation and upgrade bits may be less
well tested. Bug fix releases may follow in the coming days or weeks.

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept "ready
to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature development
will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain it
from source control: [[Download from SVN]]

== Configuration changes ==
* $wgUseETag, to enable/disable sending of HTTP ETag headers (default: disabled)
* $wgLegalTitleChars now includes '+' by default for better compatibility with
importing data dumps from Wikipedia
* $wgDefaultUserOptions now includes all default option settings instead of
only overrides.

== Major new features ==
* ([[mediazilla:7098|7098]]) Add an option to disable/enable sending of HTTP
ETag headers, as it seems to result in broken behaviour in combination with
Squid 2.6 (disabled by default).
* ([[mediazilla:550|550]]) Allow blocks on anonymous users only.
* ([[mediazilla:6420|6420]]) Render thumbnails for DJVU images, support
multipage DJVU display on image pages. Added new 'page=' thumbnail option to
select a page from a multipage djvu for thumbnail generation.
* Full Postgres support is now enabled. It requires version 8.1 or better, and
needs to have both plpgsql and tsearch2 already installed.
* ([[mediazilla:6386|6386]]) Fix grammatical errors in Danish naming of talk
namespaces.

== Changes since 1.7 ==

* Introduced AjaxResponse object, superseding AjaxCachePolicy
* Changes to sajax_do_call: optionally accept an element to fill instead of a
  callback function; take the target function or element as a third parameter;
  pass the full XMLHttpRequest object to the handler function, instead of just
  the resultText value; use HTTP response codes to report errors.
* (bug 6562) Removed unmaintained ParserXml.php for now
* History paging overlap bug fixed
* (bug 6586) Regression in "unblocked" subtitle
* Don't put empty-page message into view-source when page text is blank
* (bug 6587) Remove redundant "allnonarticles" message
* Block improvements: Allow blocks on anonymous users only. Optionally allow
  or disallow account creation from blocked IP addresses. Prevent duplicate
  blocks. Fixed the problem of expiry and unblocking erroneously affecting
  multiple blocks. Fixed confusing lack of error message when a blocked user
  attempts to create an account. Fixed inefficiency of Special:Ipblocklist in
  the presence of large numbers of blocks; added indexes and implemented an
  indexed pager.
* (bug 6448) Allow filtering of Special:Newpages according to username
* (bug 6618) Improve permissions/error detection in Special:Lockdb
* Quick hack for extension testing: parser test doesn't create new message
  cache object.
* (bug 6299) Maintain parser's revision ID across recursive calls to fix
  {{REVISIONID}} when Cite extension is used
* (bug 6622) Removed deprecated function Image::newFromTitle
* (bug 6627) Fix regression in Special:Ipblocklist with table prefix
* Removed forced dereferencements (new() returns a reference in PHP5)
* Note about $wgUploadSizeWarning using byte
* (bug 6592) Add most viewed pages summary to Special:Statistics
* Pre-strip characters ignored in IDNs from URLs so they can't be used
  to break the blacklists for regular URLs
* Fix regression in blocking of user accounts
* (bug 6635) Fix regression searching for range blocks on Ipblocklist
* Fix regression searching Ipblocklist with ugly URLs
* (bug 6639) Use a consistent default for upload directories
* Preserve entered reason when reporting unconfirmed lock on Special:Lockdb
* (bug 6642) Don't offer to unlock the database when it isn't locked
* cleanupTitles.php changed from --dry-run option to --fix, so default
  behavior is now a non-invasive check as with namespaceDupes.php
* (bug 6660) Fix behavior of EditPage::blockedPage() when the article does
  not exist; now doesn't show the source box if the user hasn't provided it
  (blocked mid-edit) and the page doesn't exist
* Improve default value of "blockedtext"
* (bug 6680) Added localisation for Dutch bookstore list (nl)
* Renamed maintenance script redundanttrans.php to unusedMessages.php - clearer
  usage
* Fix regression which allowed some blocked users to create additional accounts
* (bug 6657) Fix Hungarian linktrail
* (bug 6751) Fix preview of blanked section with edit on first preview option
* (bug 5456) Separate MediaWiki:Search into messages for both noun and verb,
  introduced 'MediaWiki:Searchbutton'
* Made lines from initialiseMessages() appear as list items during installation
* Moved the bulk of the localisation data from the Language*.php files to the
  Messages*.php files. Deleted most of the Languages*.php files.
* Introduced "stub global" framework to provide deferred initialisation of core
  modules.
* Removed placeholder values for $wgTitle and $wgArticle, these variables will
  now be null during the initialisation process, until they are set by index.php
  or another entry point.
* Added DBA cache type, for BDB-style caches.
* Removed custom date format functions, replacing them with a format string in
  the style of PHP's date(). Used string identifiers instead of integer
  identifiers, in both the language files and user preferences. Migration should
  be transparent in most cases.
* Simplified the initialisation API for LoadBalancer objects.
* Removed the broken altencoding feature.
* Moved default user options and toggles from Language to User. Language objects
  are still able to define default preference overrides and extra user toggles,
  via a slightly different interface.
* Don't include the date option in the parser cache rendering hash unless
  $wgUseDynamicDates is enabled.
* Merged LanguageUtf8 with Language. Removed LanguageUtf8.php.
* Removed inclusion of language files from the bottom of Language.php. This is
  now consistently done from Language::factory().
* Add the name of the executing maintenance script to the debug log. Start the
  profiler during maintenance scripts.
* Added "serialized" directory, for storing precompiled data in serialized form.
* Fix regression in auto-set NS_PROJECT_TALK namespace
* Fix regression in ordering of namespaces
* (bug 6806, 6030) Added several global JS variables for article path, user
  name, page title, etc.
* Hooks registered with addOnloadHook are now called at the end of the HTML body
  by all skins.
* Split ajax aided search from core ajax framework. Use wgUseAjax to enable the
  framework and wgAjaxSearch to enable the suggest feature for the search box.
* Added experimental installer for extensions.
  See maintenance/installExtension.php
* Added Tajik (tg) language file.
* (bug 6903) Added Cantonese localisation (zh-yue)
* Fix regression in Korean and Japanese date formatting (day of week)
* (bug 6919) Add English alias magic words for Tatar (tt) language file.
* (bug 6753) Fixed broken Kazakh linktrail (kk)
* (bug 6700) Added Kazakh language variants to Names.php
* (bug 6827) Some i18n-specific maintenance scripts fail after merge of
  localisation-work branch
* Throw an exception for the deprecated functions OutputPage::sysopRequired
  and OutputPage::developerRequired - use OutputPage::permissionRequired
  instead.
* Removed the deprecated functions User::isSysop, User::isBureaucrat and
  User::isDeveloper - use User::isAllowed instead.
* (bug 769) OutputPage::permissionRequired() should suggest groups with the
  needed permission
* (bug 6971) Fix regression in Special:Export history view
* Revamped Special:Imagelist
* (bug 7000) updated MessagesPl.php
* (bug 6946) Fix unexpected behavior change with GET hits to Special:Export
* (bug 1866) Improve navigation on Special:Listusers; user now a starting
  point as with Special:Allpages, rather than a pure limit.
* Clean up tab order on Special:Blockip
* (bug 5969) Clean up tab order on Special:Userlogin forms
* (bug 3512) namespaceDupes now handles spaces and initial caps properly
* (bug 7037) Fix regression in login tab order
* (bug 7031) Report missing email on 'email password' instead of false success
* (bug 7010) Don't send email notifications for watched talk pages when user
  has selected to receive only updates for their own talk page
* Added {{CURRENTHOUR}}
* Added [[:Image:Foo.png]] style links to the pagelinks table
* Avoid duplicate revision imports with Special:Import
* (bug 7054) Validate email address before sending email confirmation message
* (bug 7061) Format title on "from (page)" links on Special:Allpages
* (bug 7044) Introduce "padleft" and "padright" colon functions
* Pass page title as parameters to "linkshere" and "nolinkshere" and update
  default message text
* Allow uploads from publicly accessible URLs. Set $wgAllowCopyUploads = true;
  in LocalSettings.php
  Limited to $wgMaxUploadSize (default:100MB); URL upload is limited to sysops
  by default, and displayed as a second line if appropriate
* (bug 832) Return to user page after emailing a user
* (bug 366) Add local-system-timezone equivalents for date/time variables
* (bug 7109) Fix Atom feed version number in header links
* (bug 7075) List registered parser function hooks on Special:Version
* (bug 7059) Introduce "anchorencode" colon function
* Include SVN revision number in {{CURRENTVERSION}} output, where applicable
* Fix bug in wfRunHooks which caused corruption of objects in the hook list
* (bug 4979) Use simplified email addresses when running on Windows
* (bug 4434) Show block log fragment on Special:Blockip
* [[MediaWiki:Disambiguationspage]] may optionally contain wiki links to any
  number of disambiguation templates.
* [[Special:Disambiguations]] now shows pages in NS:0 that link to any pages
  that embed any of the templates listed at [[MediaWiki:Disambiguationspage]].
* Fix formatting of titles on Special:Undelete
* (bug 7026) Fix action=raw&templates=expand
* (bug 6976) Add namespace and direction classes to classic skins
* (bug 7144) Don't "return to main" from OutputPage::loginToUse() if the user
  can't read the main page in the first place
* (bug 7188) Fix minor borkage in HTMLForm
* (bug 6675) Replaced message 'watchthis' with new message 'watchthisupload' in
  Special:Upload
* Add a quickie script dumpSisterSites.php for generating a page list in the
  format for WSR-1 SisterSites support
* (bug 7223) Monobook.js is used for site content, should not be localized
* Set default disabled values for DjVu render options
* Added Xml::option() for generating <option>s easily
* Localized page numbers in drop-down for DjVu page selection
* Fixed linktrail for vi
* (bug 6893) "Call to a member function exists() on a non-object" on
  trackback.php with bad input
* (bug 6886) PHP undefined offset on bad input to Special:Revisiondelete
* (bug 6887) PHP error for call to getId() on bad input to
  Special:Revisiondelete
* (bug 6888) PHP error for call to getTimestamp() on bad input to
  Special:Revisiondelete
* (bug 7252) Use dvipng support in texvc math rasterization. dvipng is required
  if texvc is rebuilt.
* (bug 7279) Use wfBaseName in place of basename() in more places
* Clear newtalk marker on diff links with explicit current revision number
* (bug 7064) Replace hard-coded empty message checks with wfEmptyMsg calls
* (bug 6777) Remove some PHP 4 compat cruft
* Add --user, --comment, and --license options to importImages.php
* (bug 6216) The immobile namespace message does not mention the source page
* (bug 7299) Normalize username filter on Special:Newpages
* (bug 7306) RTL text in an LTR wiki breaks appearance of Special:Recentchanges
* (bug 7312) Don't emit SET NAMES utf8 if connection failed
* (bug 7305) Proper compare for bot check on RC notify, should fix overrides
  that force edits by non-bot users to bot mode
* Set Vary: Cookie on action=raw generated CSS and JS, to ensure that user
  preferences don't get stuck in proxy caches for other people
* (bug 7324) Fix error message for failure of Database::sourceFile()
* (bug 7309) Plurals: use singular form for zero in French and Brazilian
  Portuguese
* Add page_no_title_convert field to support language variant conversion
  for page titles which shouldn't be converted on display/linking
* Lazy extraction of text chunks in Revision objects, may reduce hits to
  external storage when actual text content is not used
* Added experimental $wgRevisionCacheExpiry to cache extracted revision text
  in $wgMemc, to further reduce hits to external storage.
  Set to 0 (disabled) by default.
* Minor changes to the installer.
* Remove ":" for 'youremail' and 'yourrealname' in
  includes/templates/Userlogin.php so that ":" could be used in i18n for
  Special:Preferences (like 'username' and 'uid').
* Fix layout for Special:Preferences->Date and Time (position for
  'timezonetext').
* Updates to language variant code for Serbian et al
* (bug 6756) Enabling RTL direction for kk-cn
* (bug 6701) Kazakh language variants in MessagesEn.php
* (bug 7335) SVN revision check in Special:Version fails on SVN 1.4 working copy
* (bug 6518) Replaced 'lastmodified' with 'lastmodifiedat' and 'lastmodifiedby'
  with 'lastmodifiedatby' with separated parameters for date and time to allow
  better localisation. Updated all message files to display the old format for
  compatibility.
* (bug 7357) Make supposedly static methods of Skin actually static
* Added info text to Special:Deadendpages and Special:Lonelypages
* Fix regression in cachability of generated CSS and JS for MonoBook skin,
  while avoiding clobbering of different users' cached data
* (bug 6849) Block @ from usernames; interferes with multi-database tools and
  was meant to be banned years ago... For now existing accounts will not be
  prevented from logging in.
* (bug 6092) Introduce magic words {{REVISIONDAY}}, {{REVISIONDAY2}},
  {{REVISIONMONTH}}, {{REVISIONYEAR}} and {{REVISIONTIMESTAMP}}
* (bug 7425) Preceding whitespace in [[...]] breaks subpages
* Try to reconnect after transitory database errors in dumpTextPass.php
* (bug 6023) Fixed mismatch of 0/NULL for wl_notificationtimestamp; now
  notification mails are working after 'Mark all pages visited' button on
  Special:Watchlist is clicked
* Made {{INT:}} a core parser function instead of a special case. The syntax
  and behavior is largely unchanged.
* (bug 7448) Fixing the native name for Ewe (ee)
* (bug 6864) Replace message 'editing' with new message 'editinguser' in
  Special:Userrights to allow better localisation
* Add '*-summary' for special pages to MessagesEn.php to allow
  customizing/translation directly through Special:Allmessages
* (bug 6130, bug 5818) Replaced message 'go'  with the new message
  'searcharticle' in skins to allow better localisation
* Add + to $wgLegalTitleChars by default. Some sites may have occasional
  problems with hard-to-reach pages, but it should be less trouble than
  "I can't import dumps from Wikipedia" complaints
* (bug 7460) Revert broken patch for bug 7226 which slows down
  Special:Allmessages by a factor of 16
* Committed a bunch of live hacks from Wikimedia servers
* (bug 6889) PHP notices in thumb.php with missing params
* Cleaner error behavior on thumb.php with invalid page selection
* (bug 6617) Validate timestamps on Special:Undelete
* Do fewer unnecessary full writes of user rows; only update user_touched
  for watch/unwatch, group membership change, and login operations
* Restructured the languages directory, to avoid problems when people
  untar MW 1.8 over the top of a 1.7 installation.
* (bug 6890) SQL query error on bad input to Pager lists
  due to negative LIMIT clause, caused by integer wraparound.
* Fixed various bugs related to table prefixes, especially the interaction
  between table prefixes and memcached, which was formerly completely broken.
* (bug 7004) PHP iconv() notice on bad password input to Special:Userlogin.
* (bug 6826) Extend pre-save transform context link ("pipe trick")
  syntax to pages with commas in title
* Use ImageMagick -thumbnail option instead of -resize to avoid including
  excessive metadata in thumbs (requires ImageMagick 6.0.0 or newer).
* (bug 7499) Corrections to Swedish talk namespace names
* (bug 7508) Added option to compress HTML pages by dumpHTML.php
* (bug 7519) Add plural in SpecialWatchlist
* (bug 7459) Magic word variables are always case sensitive
* Replaced {{SERVER}}{{localurl:xxx}} with {{fullurl:xxx}} in localisation files
* Fix regression in Special:Watchlist text header
* (bug 7510) Update article counts etc on undelete
* (bug 7520) Update article counts on XML import
* (bug 7526) Make $wgDefaultUserOptions work again
* (bug 7472) Localize Help namespace for Basque
* (bug 7529) Including a non-existent category in an article places that article
  in the category
* (bug 4528) Lack of important LaTeX functions stackrel, rightleftharpoon
* (bug 6721) missing symbols ulcorner, urcorner, llcorner, lrcorner,
  twoheadrightarrow, twoheadleftarrow
* (bug 7367) Hyphens sometimes erroneously appended to equations when not
  converted to PNG
* Add "title" to the opensearch link to allow automatic adding of the search
  engine in Firefox 2
* (bug 7537) Add php5 to $wgFileBlacklist
* (bug 6929) Restore AutoAuthenticate hook

== Languages updated ==
* Albanian (sq)
* Bashkir (ba)
* Bavarian (bar) stub file
* Belarusian (be)
* Bishnupriya (bpy) stub file
* Brazilian Portuguese (pt-br)
* Cantonese (zh-yue)
* Catalan (ca)
* Czech (cs)
* Dutch (nl)
* English (en)
* Finnish (fi)
* French (fr)
* Georgian (ka)
* German (de)
* Hebrew (he)
* Hungarian (hu)
* Indonesian (id)
* Japanese (ja)
* Korean (ko)
* Latin (la)
* Lojban (jbo)
* Macedonian (mk)
* Mazandarani (mzn)
* Polish (pl)
* Portuguese (pt)
* Ripuarian (ksh)
* Romani (rmy)
* Russian (ru)
* Slovak (sk)
* Spanish (es)
* Tajik (tg)
* Tatar (tt)
* Telugu (te)
* Uzbek (uz)
* Yiddish (yi)

== Compatibility ==
MediaWiki 1.8 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At
this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

== Upgrading ==
Some minor database changes have been made since 1.7:
* new fields and indexes on ipblocks
* index change on recentchanges

Several changes from 1.5 and 1.6 do require updates to be run on upgrade. To
ensure that these tables are filled with data, run refreshLinks.php after the
upgrade.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

=== Caveats ===
Some output, particularly involving user-supplied inline HTML, may not produce
100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType
= "application/xhtml+xml"; to test for remaining problem cases, but this is not
recommended on live sites. (This must be set for MathML to display properly in
Mozilla.)

= MediaWiki 1.7 =

== MediaWiki 1.7.3 ==

February 20, 2007

This is a security and bug-fix update to the Summer 2006 quarterly release.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting
[[Manual:$wgUseAjax|$wgUseAjax]] is enabled.

If you are using an extension based on the optional Ajax module, either disable
it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with
[[Manual:$wgUseAjax|$wgUseAjax]] off.

* Add 'charset' to Content-Type headers on various HTTP error responses to
  forestall additional UTF-7-autodetect XSS issues. PHP sends only 'text/html' by
  default when the script didn't specify more details, which some inconsiderate
  browsers consider a license to autodetect the deadly, hard-to-escape UTF-7.
  This fixes an issue with the Ajax interface error message on MSIE when
  [[Manual:$wgUseAjax|$wgUseAjax]] is enabled (not default configuration); this
  UTF-7 variant on a previously fixed attack vector was discovered by Moshe BA
  from BugSec: http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
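
A defender-side check for the condition this fix addresses, as an added example (not MediaWiki code): it scans raw HTTP responses and reports markup responses whose Content-Type carries no charset, or that have no Content-Type at all. The function name, the sample responses and the set of markup types are assumptions made for the illustration.

```python
from email.parser import HeaderParser

# Media types a browser renders as markup; charset guessing matters for these.
# (Assumed set for this illustration.)
MARKUP_TYPES = {"text/html", "application/xhtml+xml"}

# Constructed sample responses, not captured from any real server.
SAMPLE_RESPONSES = [
    # PHP-style default: type only, no charset -> browser may autodetect.
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n<p>error</p>",
    # Fixed form: charset stated explicitly.
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<p>gone</p>",
    # Same, with different case and a quoted parameter value.
    'HTTP/1.1 403 Forbidden\r\nContent-Type: Text/HTML; Charset="UTF-8"\r\n\r\n<p>no</p>',
    # Not markup, so charset sniffing is not the concern here.
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",
    # No Content-Type at all: the browser has to guess everything.
    "HTTP/1.1 400 Bad Request\r\nServer: example\r\n\r\n<p>bad</p>",
]


def charset_findings(raw_responses):
    """Return (status_code, problem) tuples for responses open to charset guessing."""
    findings = []
    for raw in raw_responses:
        # Keep only the status line and headers; the body is irrelevant here.
        head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
        status_line, _, header_block = head.partition("\n")
        status = int(status_line.split()[1])

        msg = HeaderParser().parsestr(header_block)
        if msg.get("Content-Type") is None:
            findings.append((status, "missing Content-Type"))
            continue

        # get_content_type() lowercases the type; get_content_charset()
        # returns None when no charset parameter is present.
        ctype = msg.get_content_type()
        if ctype in MARKUP_TYPES and msg.get_content_charset() is None:
            findings.append((status, ctype + " without charset"))
    return findings


if __name__ == "__main__":
    for status, problem in charset_findings(SAMPLE_RESPONSES):
        print(status, problem)
```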

== MediaWiki 1.7.2 ==

January 9, 2007

* Note about $wgUploadSizeWarning using byte
* Update to German bookstore list (de)
* (bug [[bugzilla:6680|6680]]) Added localisation for Dutch bookstore list (nl)
* (bug [[bugzilla:6708|6708]]) Minor updates to Russian translation (ru)
* (bug [[bugzilla:6730|6730]]) Clearer usage of message 'titlematch' in German
  translation (de)
* Added direction mark to Special:Listredirects
* XSS fix in AJAX module

An XSS injection vulnerability was located in the AJAX support module,
affecting MediaWiki 1.6.x and up when the optional setting
[[Manual:$wgUseAjax|$wgUseAjax]] is enabled.

There is no danger in the default configuration, with
[[Manual:$wgUseAjax|$wgUseAjax]] off.

If you are using an extension based on the optional AJAX module, either disable
it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9


== MediaWiki 1.7.1 ==

July 8, 2006

MediaWiki 1.7.1 is a security and bugfix maintenance release of the Summer 2006
snapshot:

A potential HTML/JavaScript-injection vulnerability in a debugging script has
been fixed. Only versions and configurations of PHP vulnerable to the $GLOBALS
overwrite vulnerability are affected.

As a workaround for existing installs, profileinfo.php may simply be deleted if
it's not being used.

* Fix for 'emailconfirmed' implicit user group
* Fix for upgrades on some versions of MySQL 4.0.x
* Fixed potential XSS in profileinfo.php
* Installer now shows clear error message about old PHP versions rather than a
  confusing parse error

== MediaWiki 1.7.0 ==
July 6, 2006

This is the quarterly release snapshot for Summer 2006. While the code
has been running on Wikipedia for some time, installation and upgrade
bits may be less well tested. Bug fix releases may follow in the coming
days or weeks.

MediaWiki is now using a "[[w:en:Continuous_integration|continuous
integration]]" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature development will
happen on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: [[Download from SVN]]

== Changes since 1.6 ==

* (bug 5458) Fix double-URL encoding in block log link in contribs and contribs
  link in block log
* (bug 5462) Bogus missing patch warning in updater
* (bug 5461) Use of deprecated "showhideminor" in Special:Recentchangeslinked
* PHP warning when allow_call_time_pass_reference is off
* Update to Finnish localization
* (bug 5467) Link to page histories in watchlist edit mode
* Further additions to Hebrew localisation
* (bug 5476) Invalid xhtml in German localization
* (bug 5479) Id translation for preferences tabs caption
* (bug 5493) Id translation for special pages
* Added skinname and style path parameters to CBT version of MonoBook
* Include subversion revision number in Special:Version if available
* (bug 5344) Fix regression that broke slashes in extension tag parameters
* Improve Special:Log performance on big log sets
* (bug 5507) Changed mediawiki:logouttext from plain to wikitext
* (bug 4760) Prevent creation of entries in protection log when protection
  levels haven't changed
* (bug 861) Show page protection/unprotection events in histories
* (bug 5499) Don't clear the tag strip state when asked not to clear state.
  Fixes regression with use of <ref> in a template breaking <nowiki> etc.
* Minor improvements to English language files
* Display the anon talk page info message on anon talk pages again
  (moved outside the parser cache)
* Optional {{DISPLAYTITLE|title with markup}} magic word
  Deactivated by default, set "$wgAllowDisplayTitle = true" in LocalSettings.php
  to activate
* Cleaned SpecialContributions a bit
* Added a table to track interlanguage links
* (bug 5544) Fix redirect arrow in Special:Listredirects for right-to-left
  languages
* Replace "doubleredirectsarrow" with a content language check that picks the
  appropriate arrow
* (bug 5537) Add stub language file for Samogitian (bat-smg); inherits
  Lithuanian (lt)
* Don't force edit summaries when a user is editing their own user/talk page
* (bug 5510) Warning produced when using {{SUBPAGENAME}} in some namespaces
* (bug 385) Installer support for PostgreSQL, fixes for PG compatibility
* PersistentObject removed; it doesn't do anything and was broken besides.
  All extensions using it have been corrected.
* Propagate ISBN number for Booksources in LanguageNo.php
* (bug 5548) Improvements to Indonesian localisation [patch: Ivan Lanin]
* Add TALKSPACE, SUBJECTSPACE, TALKPAGENAME, SUBJECTPAGENAME (and encoded forms
  for all) magic words
* (bug 5403) Fix Special:Newpages RSS/Atom feeds
* Reject malformed addresses in X-Forwarded-For entries
* (bug 3359) Add hooks on completion of file upload
* (bug 5559) Improve detection of ImageMagick [patch: Greg Turnquist]
* (bug 5475) New pages feeds ignore "limit" argument
* (bug 5184) CSS misapplied to elements in Special:Allmessages due to
  conflicting anchor identifiers
* (bug 5519) Allow sidebar cache to be disabled; disable it by default.
* Maintenance script to import the contents of a text file into a wiki page
* Add $wgReservedUsernames configuration directive to block account creation/use
* (bug 5576) Remove debugging hack in session check
* (bug 5426) Lowercase treatment of titles in rights log leads to broken links
  on Special:Log
* Minor improvements to French localisation files
* (bug 5181) Update "nogomatch" for Slovak
* (bug 5594) Id translation up to # Login and logout pages section
* (bug 5536) Use content language for editing help link
* Improvements to German localisation files
* (bug 5570) Problems using <special page>/parameter link form for long titles
* (bug 3884) Add $user parameter to AddNewUser hook, call it for by-email
  registrations as well as self-registrations.
* (bug 4327) Report age of cached data sets in query pages
* (bug 4662) Fix Safari check in wikibits.js
* (bug 4663) Edit toolbar enabled in compatible versions of Safari
* (bug 5572) Edit toolbar enabled in compatible versions of Konqueror (3.5+)
* (bug 5235) Edit toolbar tooltips no longer show JavaScript junk in Opera
* Edit toolbar now works in pure XHTML mode (application/xhtml+xml)
* Add watchlist clear function to allow quick purging of all items
* (bug 5625) Additional namespace translations for Welsh
* Add meta tag and JavaScript variables to cached special pages which provides
  the timestamp of the last update, in YYYYMMDDHHMMSS format.
* (bug 5628) More translations for MessagesHr.php
* (bug 5595) Localisation for Bosnian language (bs)
* (bug 2910) Default view preferences for watchlists
* Add "hide bot edits from the watchlist" user preference
* (bug 5250) Introduce Special:Unusedtemplates
* Add user preference setting for an extended watchlist, showing all recent
  edits up to a certain edit, and not just the latest edit.
* Made MessageRo.php more general
* (bug 5640) Indonesian localisation improvements
* (bug 5592) Actions are logged with the default language for the
  wiki, not the language of the user performing the operation.
* (bug 5644) Error in LanguageBs.php file
* (bug 5646) Compare for identical types in wfElement()
* (bug 5472) Language::userAdjust()->minDiff not initialized on else condition
* (bug 5386) LanguageMk.php: updated namespaces translations
* (bug 5422) Stub for Romani (rmy) language which extends ro
* Fix linktrail for LanguageSr
* (bug 5664) Fix Bosnian linktrail
* (bug 3825) Namespace filtering on Special:Newpages
* (bug 1922) When Special:Wantedpages is cached, mark links to pages
  which have since been created
* (bug 5659) Change grammar hacks for Bosnian Wikimedia namespaces.
  This sort of special casing should be removed and fixed properly.
* Remove useless whitespace from Special:Brokenredirects header
* Treat "allmessagesnotsupporteddb" as wikitext when echoing; change default
  text
* (bug 5497) Regression in HTML normalization in 1.6 (unclosed <li>,<dd>,<dt>)
* (bug 5709) Allow customisation of separator for categories
* (bug 5684) Introduce Special:Randomredirect
* (bug 5611) Add a name attribute to the text box containing source text in
  read-only pages
* Indicate when a protected page is an interface message ("protectedinterface")
* (bug 4259) Indicate when a protected page being edited is an interface message
  ("editinginterface")
* (bug 4834) Fix XHTML output when using $wgMaxTocLevel
* Pass login link to "whitelistedittext" containing 'returnto' parameter
* (bug 5728): mVersion missing from User::__sleep() leading to constant cache
  miss
* Updated maintenance/transstat.php so it can show duplicate messages
* Improvements to update scripts; print out the version, check for superuser
  credentials before attempting a connection, and produce a friendlier error if
  the connection fails
* (bug 5005) Fix XHTML <gallery> output.
* (bug 5315) "Expires: -1" HTTP header made strictly valid (using 1970 date).
* (bug 4825) note in DefaultSettings.php about 'profiling' table creation
* Remove unneeded extra whitespace at top of Special:Categories
* (bug 5679) time units are now using local numerals
* (bug 5751) Updates to Portuguese localisation files
* (bug 5741) Introduce {{NUMBEROFUSERS}} magic word
* (bug 93) <nowiki> tags and tildes in templates
* The returnto parameter is now actually used by SpecialUserlogin.php
* Parser can now know that it is parsing an interface message
* (bug 4737) MediaWiki:Viewcount supports {{PLURAL}} now
* Fix bug in wfMsgExt under PHP 5.1.2
* (bug 5761) Project talk namespace broken in Xal, Os, Udm and Cv
* Rewrite reassignEdits script to be more efficient; support optional updates to
  recent changes table; add reporting and silent modes
* Cleaned up formatNum usage in langfiles
* (bug 5716) Warn when a user tries to upload a file which was previously
  deleted
* (bug 5565) Add a class attribute to the table on Special:Allpages
* "lang=xx" option for parser test cases to set content language
* (bug 5764) Friulian translation updated
* (bug 5757) Fix premature cutoff in LanguageConverter with extra end markers
* (bug 5516) Show appropriate "return to" link on blocked page
* (bug 5377) Do not auto-login when creating an account as another user
* (bug 5284) Special redirect pages should remember parameters
* Suppress 7za output on dumpBackup
* (bug 5338) Reject extra initial colons in title
* (bug 5487) Escape self-closed HTML pair tags
* Add "raw suffix" magic word for some magic words, e.g. {{NUMBEROFUSERS|R}}
  will produce a count minus formatting
* Fix Parser::cleanSig() to use Parser::startExternalParse() and choose an
  appropriate output format given the scope of the clean
* (bug 5593) Change "bureaucrat log" to "rights log"
* Show a boilerplate "(none)" in place of a blank within the log action text for
  user rights
* (bug 137) Commented out translations for copyrightwarning which mention GNU
  FDL
* (bug 5723) Don't count pages linked to from the MediaWiki namespace as
  "wanted"
* (bug 5696) Add a third parameter, $3, to "rcnote", passing the current time
  formatted according to the current user's settings
* (bug 5780) Thousands and decimal separators for Norwegian
* Updated initStats maintenance script
* (bug 5767) Fix date formats in Vietnamese locale
* (bug 361) URL in URL, they were almost fixed. Now they are.
* (bug 4876) Add __NEWSECTIONLINK__ magic word to force the "new section"
  link/tab to show up on specific pages on demand
* Bidi-aid on list pages
* (bug 5782) Allow entries in the bad image list to use canonical namespace
  names
* (bug 5789) Treat "loginreqpagetext" as wikitext
* Sanitizer: now handles nested <li> in <ul> or <ol>
* (bug 5796) We require MySQL >=4.0.14
* Add 'EmailConfirmed' hook
* New findhooks.php script to find undocumented hooks.
* Silently ignore errors on profiling table update.
* (bug 5801) Correct handling of underscores in Special:Listusers
* Clean up Special:Listusers; add an "(all)" label to the group selection box
* (bug 5812) Use appropriate link colour in Special:Mostlinked
* (bug 5802) {{CURRENTMONTHNAME}} variable broken in Vietnamese locale
* (bug 5817) Appropriate handling for Special:Recentchangeslinked where the
  target page doesn't exist
* Special:Randompage now additionally accepts English namespace name as
  parameter
* (bug 2981) Really fixed linktrail for Tamil (ta)
* Disallow substituting Special pages when included into a page
* (bug 5587) Clean up the languages from references to the Groups special page
* Added new group-X and group-X-member messages
* Rewritten removeUnusedAccounts to be more efficient, print names of inactive
  accounts
* Redirect Special:Userlist to Special:Listusers
* Introduce $wgAllowTitlesInSVG, which allows the <title> attribute in uploaded
  files bearing the image/svg MIME type. Disabled by default due to the vast
  majority of web servers being hideously misconfigured. See DefaultSettings.php
  for more details.
* Changed default LocalSettings.php to append the previous include path when
  setting it
* (bug 5837) Use "members" for the value descriptor in Special:Categories,
  Special:Wantedcategories and Special:Mostlinkedcategories.
* (bug 3309) Allow comments when undeleting pages
* Clean up Special:Undelete a bit
* (bug 5805) messages nbytes, ncategories can now use {{plural:}}
* Clean up Special:Imagelist a bit
* (bug 5838) Namespace names for Nds-NL
* (bug 5749) Added Tyvan language files
* (bug 5791) Fix SQL syntax in Special:BrokenRedirects, was causing incorrect
  data to show
* (bug 5839) Prevent access to Special:Confirmemail for logged-out users
* (bug 5853) Update for Portuguese messages (pt)
* (bug 5851) Use Cyrillic for Kirghiz language name
* (bug 5841) Allow the 'EditFilter' hook to return a non-fatal error message
* (bug 5846) Link to individual group description pages in Special:Listusers
* (bug 5857) Update for German localisation (de)
* (bug 5858) Update for Russian language (ru)
* (bug 5860) Update for Indonesian language (id)
* (bug 1120) Update for Czech language (Cs)
* Added many missing formatNum calls
* Added grammar function to Belarusian (be)
* (bug 5819) Add 'PersonalUrls' hook
* (bug 5862) Update of Belarusian language (be)
* (bug 5886) Update for Portuguese messages (pt)
* (bug 5586) <gallery> treated text as links
* (bug 5878) Update for Indonesian language (id)
* (bug 5697) Update for Malay language (ms)
* (bug 5890) Update for German language (de)
* (bug 5889) Name for Sindhi language should appear as سنڌي
* --force-normal parameter on dump scripts to force check for ICU extension
* (bug 5895) Update for Dutch language (nl)
* (bug 5891) Linktrail for Polish language (pl)
* User::isBureaucrat , User::isDeveloper , User::isSysop deprecated in
  v1.6 now die with a backtrace. They will be removed in v1.8
* dumpTextPass now goes to the database for entries that were blank in the
  previous dump, as this may indicate a broken dump.
* dumpTextPass progress includes percentage of items prefetched
* dumpTextPass can now use 7zip files for prefetch
* (bug 5915) Update to Indonesian localisation (id)
* (bug 5913) Update for German localisation (de)
* (bug 5905) Plural support for Bosnian localisation (bs)
* Groups which won't hit the rate limiter now configurable with
  $wgRateLimitsExcludedGroups
* (bug 5806) {{plural:}} support instead of "twin" MediaWiki messages
* (bug 5931) Update for Polish language (pl)
* Ignore the user and user talk namespaces on Special:Wantedpages
* Introduce NUMBEROFPAGES magic word
* (bug 5833) Introduce CURRENTVERSION magic word
* (bug 5370) Allow throttling of password reminder requests with the rate
  limiter
* (bug 5683) Respect parser output marked as uncacheable when saving
* (bug 5918) Links autonumbering now works for all defined protocols
* (bug 5935) Improvement to German localisation (de)
* (bug 5937) Register links from gallery captions with the parent parser output
  object so that link tables receive those updates too
* (bug 5845) Introduce BASEPAGENAME and BASEPAGENAMEE magic words
* (bug 5941) Use content language when getting the administrator page title for
  Special:Statistics
* (bug 5949) Update to Indonesian localisation (id)
* (bug 5862) Update of Belarusian translation (be)
* (bug 5950) Improvements to French localisation
* (bug 5805) {{plural:}} support for counters in some special pages
* (bug 5952) Improvement to German localisation (de)
* Rename conflicting metadata help message to "metadata_help" (was "metadata")
  and treat it as wiki text
* Improve preferences input filtering
* Maintenance script to import multiple files into the wiki
* (bug 5957) Update for Hebrew language (he)
* (bug 5962) Update for Italian language (it)
* (bug 5961) Update for Portuguese localisation (pt)
* (bug 5849) Remove some hard-coded references to "Wikipedia" in messages
* (bug 5967) Improvement to German localisation (de)
* (bug 5962) Update for Italian language (it)
* Suppress images in galleries which appear on the bad image list (when
  rendering for a wiki page; galleries in special pages and categories are
  unaffected)
* Maintenance script to remove orphaned revisions from the database
* (bug 5991) Update for Russian language (ru)
* (bug 6001) PAGENAMEE and FULLPAGENAMEE don't work in FULLURL and LOCALURL
  magic words
* (bug 5958) Switch Uzbek language name to use latin script
* (bug 839) Add URLENCODE magic word
* (bug 6004) Update for Polish language (pl)
* (bug 5971) Improvement to German localisation (de)
* (bug 4873) Don't overwrite the subtitle navigation when viewing a redirect
  page that isn't current
* (bug 2203) Namespace updates for Thai
* Fix breakage in parser test suite which caused incorrect reporting of the
  failure of {{NUMBEROFFILES}}. Now initialises the site_stats table with some
  dumb data. Updated the expected output for {{NUMBEROFARTICLES}} to reflect
  this.
* (bug 6009) Use {{ns:project}} in messages where appropriate
* (bug 6012) Update to Indonesian localisation (id)
* (bug 6017) Update list of bookstores in German localisation files
* (bug 5187) Allow programmatically bypassing username validation, for scripts
* (bug 6025) SpecialImport: wrong message when no file selected
* (bug 6015) EditPage: add spacing in the boxes "edit is minor" and "watch this"
* (bug 6018) Userrights: new message when no user specified ('nouserspecified')
* (bug 2015) Add "\sim" to ~ conversion for HTML rendering
* (bug 6029) Improvement to German localisation (de)
* (bug 5015) Update be: magic words
* (bug 3974) Add parameter for site URL to "passwordremindertext"
* (bug 6039) Update for Portuguese localisation (pt)
* (bug 764) Add CREATE TEMPORARY TABLES to default database permissions
* Big update to Swedish localisation (sv)
* Use appropriate HTML functions to create the tool links on image pages, so
  they don't look garbled when tidy isn't on
* (bug 5511) Fix URL-encoding of usernames in links on Special:Ipblocklist
* (bug 6046) Update to Indonesian localisation (id) #15
* (bug 5523) $wgNoFollowNsExceptions to allow disabling rel="nofollow" in
  specially-selected namespaces.
* (bug 6055) Fix for HTML/JS injection bug in variable handler (found by Nick
  Jenkins)
* Reordered wiki table handling and __TOC__ extraction in the parser to better
  handle some overlapping tag cases.
* Only the first __TOC__ is now turned into a TOC
* (bug 4610) Indicate patrolled status on watchlists and allow users to mark
  changes as patrolled using the diff links there
* Add 'DiffViewHeader' hook called before diff page output
* (bug 6051) Improvement to German localisation (de)
* (bug 6054) Update to Indonesian localisation (id) #16
* Add {{CURRENTTIMESTAMP}} magic word
* (bug 6061) Improper escaping in some html forms
* (bug 6065) Remove underscore when using NAMESPACE and TALKSPACE magics.
* (bug 6074) Correct squid purging of offsite upload URLs
* To simplify the lives of extension developers, the logging type arrays
  can now be appended to directly by an extension setup function. It is
  no longer necessary to write four separate functions just to add a
  custom log type.
* (bug 6057) Count "licenses" as a message (and show it in Special:Allmessages)
* Added $wgGrammarForms global
* Fixed hardcoded 'done.' when removing watchlist entries.
* (bug 5962) Update for Italian language (it)
* (bug 6086) Remove vestigial attempt to call Article::validate()
* wfHostname() function for consistent server hostname use in debug messages
* Send thumbnailing error messages to 'thumbnail' log group
* wfShellexec() now accepts an optional parameter to receive the exit code
* Failed, but not zero-length, thumbnail renderings are now removed.
  Should help clean up when rsvg fails in weird ways.
* (bug 6081) Change description for Turkmen language
* Increase robustness of parser placeholders; fixes some glitches when
  adjacent to identifier-ish constructs such as URLs.
* Shut up the parser test whining about files in a temp directory.
* (bug 6098) Add Aragonese language support (an)
* (bug 6101) Update for Russian language (ru)
* Add $wgIgnoreImageErrors to suppress error messages for thumbnail rendering
  problems. If errors are transitory, this should reduce annoying messages
  making it into cached display.
* (bug 6103) Wrap self-links in a CSS class ("selflink")
* (bug 6102) For consistency with other markup, normalize all HTML-encoded
  character entities in URLs, not just ampersands. This allows use of eg
  &#61; when making URLs for template parameters.
* Markup anality: escape </ as <\/ in toolbar javascript for pure correctness
  under HTML-compatible browsers.
* (bug 5077) Added hook 'BeforePageDisplay' to SkinTemplate::outputPage
* Replace fatally changed 'uploadnewversion' with 'uploadnewversion-linktext'
* (bug 472) Syndication feeds for the last few edits of page history
* Format edit comments in Recent Changes feed
* Switch incorrectly ordered column headers on Recent Changes feed diffs
* (bug 6117) Use message for history feed description, add German localization
* (bug 1017) fixed thumbnails of animated gifs.
* Add APC as object caching option
* Update to Albanian localization (sq)
* (bug 6099) Introduce {{DIRECTIONMARK}} magic word (with {{DIRMARK}} as an
  alias)
* Use optimized php5-only microtime()
* Add possibility to store local message cache as PHP executable script
* Fix profiling table definition
* (bug 6040) Run pre-save transform before calculating the diff. when doing a
  "show changes" operation in the editor
* (bug 4033) Respect $wgStyleDirectory when checking available skins
* Remove hideous backslashes from MessagesBr.php
* Fix APC object cache issues, add functionality to installer
* (bug 6133) Update strip state as we work. This mostly fixes extensions
  used in Cite.php <ref> tags when Tidy is on.
* (bug 6139) Workaround for transclusion oddities in Vietnamese upload text
* (bug 6136) Update to Catalan language (ca)
* Update to Japanese localization (ja)
* Add /usr/local/bin to the diff3 search paths in the installer
* (bug 6106) Update to Indonesian localisation (id) #17
* (bug 6125) Add links to edit old versions to diff views
* (bug 5127) Auto edit summary when creating/editing redirect page
* (bug 3926) Introduce {{#language:}} magic word
* Fix section links from edit comments for [[:Image:Bla.jpg]] in section titles
* (bug 6126) Allow fallback to customized primary language when user language
  message contains '-'; fixes licenses selector on Commons configuration after
  recent addition of the message to Messages.php
* (bug 5527) Batch up job queue insertions for, hopefully, better survivability
  of lock contention etc. Duplicates are now removed at pop time instead of
  at insert time.
* When showing the "blah has been undeleted" page, make sure it's a blue link
* parserTests.php accepts a --file parameter to run an alternate test suite
* parser tests can now test extensions using !!hooks sections
* Fix oddity with open tag parameters getting stuck on </li>
* (bug 5384) Fix <!-- comments --> in <ref> extension
* Nesting of different tag extensions and comments should now work more
  consistently and more safely. A cleaner, one-pass tag strip lets the
  'outer' tag either take source (<nowiki>-style) or pass it down to
  further parsing (<ref>-style). There should no longer be surprise
  expansion of foreign extensions inside HTML output, or differences
  in behavior based on the order tags are loaded.
* (bug 885) Pre-save transform no longer silently appends close tags
* Pre-save transform no longer changes the case of close tags
* (bug 6164) Fix regression with <gallery> resetting <ref> state
* Hackaround for IE 7 wrapping bug in MonoBook footer
* New message sp-newimages-showfrom replaces rclistfrom on special:newimages
* Improve handling of ;: definition list construct with overlapping or
  nested HTML tags
* (bug 6171) Fix sanitizing of HTML-elements with an optional closing
  tag. The sanitizer still needs to learn how to make well-formed XML
  in this case.
* Fix fatal error when specifying illegal name for manual thumbnail
* (bug 6184) Use shinier Linker::userLink() to make user links in
  Special:Undelete
* (bug 6170) Update for Kashubian translation (csb)
* (bug 6191) Update to Indonesian translation (id) #18
* (bug 6114) Update to Walloon localization (wa)
* Added $wgNamespaceRobotPolicies to allow customisation of robot policies on a
  per-namespace basis.
* Add <ol> to the list of block elements for doBlockLevels; avoids <p>s being
  interspersed into your ordered lists.
* (bug 5021) Transcluding the same special page twice now works
* Add 'SiteNoticeBefore' and 'SiteNoticeAfter' hooks
* (bug 6182) Date passed in "sp-newimages-showfrom" not adjusted to user time
  preferences
* (bug 2587) Fix for section editing with comment prefix
* (bug 2607) Fix for section editing with mix of wiki and HTML headings
* (bug 3342) Fix for section editing with headings wrapped in <noinclude>
* (bug 3476) Fix for section editing with faux headings in extensions
* (bug 5272) Fix for section editing with HTML-heading subsections
* Fix for bogus wiki headings improperly detected with following text
* Fix for HTML headings improperly not detected with preceding/following text
* Section extraction and replacement functions merged into one implementation
  on the Parser object, so they can't get out of sync with each other.
* Edit security precautions in raw HTML mode, etc
* (bug 6197) Update to Indonesian translation (id) #19
* (bug 6175) Improvement to German translation (de)
* Redirect Special:Logs to Special:Log
* (bug 6206) Linktrail for Swedish localization (se)
* (bug 3202) Attributes now allowed on <pre> tags
* Sanitizer::validateTagAttributes now available to discard illegal/unsafe
  attribute values from an array.
* (bug 3837) Leave <center> as is instead of doing an unsafe text replacement
  to <div class="center">. <center> is perfectly valid in the target doctype
  (XHTML 1.0 Transitional), while the replacement didn't catch all cases and
  could even result in invalid output from valid input.
* (bug 4280) Use 'noindex,nofollow' instead of 'noindex,follow' for default
  meta robots tag on diff view and special pages. Should reduce impact of
  robots on scrolling special pages, diffs etc on sites where robots.txt
  doesn't forbid access.
* Regression fix: suppress warning about session failure when clicking to
  edit with 'preview on first edit' enabled.
* (bug 6230) Regression fix: <nowiki> in [URL link text]
* Added AutoLoader.php, which loads classes without need of require_once()
* (bug 5981) Add plural function Slovenian (sl)
* (bug 5945) Introduce {{CONTENTLANGUAGE}} magic word
* {{PLURAL}} can now take up to five forms
* (bug 6243) Fix email for usernames containing dots when using PEAR::Mail
* Remove a number of needless {{ns:project}}-type transforms from messages
  files. These usages already have separate label text. Such transforms are
  wasteful on each page view.
* Update to Yiddish localization (yi)
* (bug 6254) Update to Indonesian translation (id) #20
* (bug 6255) Fix transclusions starting with "#" or "*" in HTML attributes
* Whitespace now normalized more or less properly in HTML attributes
* Fix regression(?) in behavior of initial-whitespace-pre in <center>
* (bug 6260) Update to Interlingua localization (ia)
* Update to Vlax Romany localization (rmy)
* Update to Latin translation (la)
* Update to Dutch translation (nl)
* Avoid some notices in page history with bad input
* Use double quotes consistently on attributes in linker output; preparing
  for new normalization code when tidy not in use
* Replace "nogomatch" with "noexactmatch" and place the magic colon in the
  messages themselves. Some minor tweaks to the actual message content.
* Introduce $wgContentNamespaces which allows for articles to exist in
  namespaces other than the main namespace, and still be counted as valid
  content in the site statistics.
* (bug 5932) Introduce {{PAGESINNAMESPACE}} magic word
* Disable $wgAllowExternalImages by default.
* (bug 2700) Nice things like link completion and signatures now work in
  <gallery> tags.
* Cancel output buffering in StreamFile; when used inside gzip buffering this
  could cause funny timeout behavior as the Content-Length was wrong.
* Return correct content-type header with 304 responses for StreamFile;
  it confuses Safari if you let it return "text/html".
* (bug 6280) Correct GRAMMAR for Slovenian localisation (sl)
* (bug 6162) Change date format for Dutch Low Saxon (nds-nl)
* (bug 6296) Update to Indonesian localisation (id) #21
* Introduce EditFormPreloadText hook, see docs/hooks.txt for more information
* (bug 4054) Add "boteditletter" to recent changes flags
* Update to Catalan localization (ca)
* (bug 2099) Deleted image files can now be archived and undeleted.
  Set $wgSaveDeletedFiles on and an appropriate directory path in
  $wgFileStore['deleted']['directory']
* (bug 6324) Fix regression in enhanced RC alignment
* Introduce {{NUMBEROFADMINS}} magic word
* Update to Slovak translation (sk)
* Update to Alemannic localization (gsw)
* (bug 6300) Bug fixes for sr: variants
* namespaceDupes.php can now accept an arbitrary prefix, for checking rogue
  interwikis and such. Not yet fully automated.
* (bug 6344) Add Special:Uncategorizedimages page
* (bug 6357) Update to Russian translation (ru)
* Workaround possible bug in Firefox nightlies by properly removing the
  Content-Encoding header instead of sending explicit 'identity' value
  in StreamFile
* (bug 6304) Show timestamp for current revision in diff pages
* Vertically align current version with old version header in diff display
* (bug 6174) Remove redundant "emailforlost" message
* (bug 6189) Show an error to an unprivileged user trying to create account
* (bug 6365) Show user information in the "old revision" navigation links
* Introduce 'FetchChangesList' hook; see docs/hooks.txt for more information
* (bug 6345) Update to Indonesian localisation (id) #22
* (bug 6279) Add genitive month names to Slovenian localisation
* (bug 6351) Update to German translation (de)
* Respect language directionality when displaying arrow in
  Special:Brokenredirects
* Remove unused "validation" table definitions from the schema files
* (bug 6398) Work around apparent PCRE bug breaking section editing when
  massively-indented preformatted text immediately followed a header
* (bug 6392) Fix misbehaving <br /> in preferences form
* Add translated magic words to Hebrew localization
* (bug 6396) Change name for Chuvash language
* Introduce optional (off by default) language selector bar for user login
  and registration. Customisable via the "loginlanguagelinks" message, the
  links will preserve "returnto" values. If the user creates an account while
  using such a link, then the language in use will be saved as their language
  preference.
* Make sure '~~~' '~~~~' '~~~~~' are removed in Nickname preference.
* Rename "ipusuccess" to "unblocked", change the format (now wiki text)
* (bug 2316) Add "caption" attribute to <gallery> tag
* Allow setting the skin object that ImageGallery will use; needed during parse
  operations (the skin must come from the ParserOptions, not $wgUser)
* Fix notice in MacBinary detection debug data for files of certain lengths
* (bug 6131) Add type detection for DjVu files, allowing them to be uploaded
  with validity checking and size detection. No inline thumbnailing yet,
  but could be added in the future.
* (bug 6423) Don't update newtalk flag if page content didn't change (null edits
  were causing the newtalk flag to trigger inappropriately)
* Parser functions are now set using magic words.
* (bug 6428) Incorrect form action URL on Special:Newimages with hidebots = 0
  set
* (bug 4990) Show page source to blocked users on edits, or their modified
  version if blocked during an edit
* (bug 5903) When requesting the raw source of a non-existent message page,
  return blank content (as opposed to the message key)
* Improve default blank content of MediaWiki:Common.css and
  MediaWiki:Monobook.css
* (bug 6434) Allow customisation of submit button text on Special:Export
* (bug 6314) Add user tool links on page histories
* Fix display of file-type icons in galleries when $wgIgnoreImageErrors is off
* (bug 6438) Update to Indonesian translation (id) #23
* Adding the language code parameter to the hook "LanguageGetMagic", to allow
  localizable extension magic words.
* Update to Romanian translation (ro)
* Update to Esperanto translation (eo)
* Check for preg_match() existence when installing and die out whining about
  PCRE if it's not there, instead of throwing a fatal error
* (bug 672) Add MathAfterTexvc hook
* Update to Piedmontese localization (pms)
* dumpBackup can optionally compress via dbzip2
* (bug 2483) Run link updates on change via XML import
* (bug 2481) List imported pages during Special:Import
* (bug 2482) Log and RC entries for Special:Import events
* Allow fetching all revisions from transwiki Special:Import
* Allow fetching all revisions from Special:Export GET request
* Disable output buffering on Special:Export; should help with streaming
  large numbers of history items.
* Allow setting a maximum number of revisions for history Special:Export;
  pages with more than $wgExportMaxHistory revisions are excluded from
  export when history is requested.
* Fix transwiki import of pages with space in name
* Save null edit when importing pages through Special:Import
* Update to Korean translation (ko)
* Show a more specific message when an anonymous user tries to access
  Special:Watchlist
* (bug 3278) Paging links in Special:Prefixindex
* Added Latvian localization (lv)
* (bug 6472) Fix regression in Special:Export with multiple pages
* Update to Macedonian translation (mk)
* Allow page moves over historyless self-redirects. Such are usually created
  as part of namespace rearrangements, and it's easier to clean them up if
  we can move over them.
* Show some error results in moveBatch.php
* (bug 6479) Allow specification of the skin to use during HTML dumps
* (bug 6461) Link to page histories in Special:Newpages
* (bug 6484) Don't do message transformations when preloading messages for
  editing
* (bug 6201) Treat spaces as underscores in parameters to {{ns:}}
* (bug 6006) Allow hiding the password change fields using an authentication
  plugin
* (bug 6489) Use appropriate link colour on Special:Shortpages
* Added formatnum magic word
* Added Javanese localization (jv)
* (bug 6491) Apply bad image list in category galleries
* (bug 6488) Show relevant log fragment in Special:Movepage
* Fix potential PHP notice in Special:Blockme when $wgBlockOpenProxies is true
* Use mysql_real_escape_string instead of addslashes for string escaping in
  the MySQL Database class. This may fix some rare breakage with binary fields.
  Note that MediaWiki does not support the multibyte character sets where a
  "dumb" byte replacement can be actively dangerous; UTF-8 is always safe
  in this regard due to the bit patterns which make head and tail bytes
  distinct.
* (bug 6497) Use $wgMetaNamespaceTalk for Esperanto if set
* (bug 6498) Use localized forms for image size in Special:Undelete
* (bug 6485) Update to Indonesian translation (id) #24
* Extension messages translation is now possible.
* Add target namespace override selector for transwiki imports.
  $wgImportTargetNamespace specifies the default, to be used for
  Wiktionary's 'Transwiki:' namespace etc.
* (bug 6506) Update to German localisation (de)
* (bug 502) Avoid silly tabs on bad title by using virtual special page
* (bug 6511) Add diff links to old revision navigation bar
* (bug 6511) Replace 'oldrevisionnavigation' message with
  'old-revision-navigation'
* Fix regression in Polish genitive month forms
* (bug 4037) Make input handling in Special:Allpages and Special:Prefixindex
  more consistent: Accept just a namespace prefix and a colon, reject input
  with interwiki prefixes, otherwise do what Title::makeTitleSafe() does.
* (bug 6516) Update to Russian translation
* New 'allpagesbadtitle' message for Special:Allpages, based on 'badtitletext'.
* Rename "searchquery" to "searchsubtitle" and support wiki text in it
* Introduce updateArticleCount maintenance script which uses a better check that
  reflects what Article::isCountable() tests for
* Introduce 'BadImage' hook; see docs/hooks.txt for more information
* Add "searchsubtitleinvalid" message for searches that are not valid titles.
* (bug 5962) Update to Italian localisation
* (bug 6530) Update to Indonesian localisation (id) #25
* (bug 6523) Fix SVG issue in rebuildImages.php
* (bug 6512) Link to page-specific logs on page histories
* (bug 6504) Allow configuring session name with $wgSessionName
* (bug 6185) Add standard user tool links to log page views
* Update to Venetian translation (vec)
* Update to Slovenian translation (sl)
* Add standard user tool links to deleted revision list
* Separate out EditPage's getContent bits from regular Article getContent.
  Cleans up read-only-mode warning on empty pages and neatens up some code.
* (bug 6565) Strict JavaScript writing
* (bug 6570) Update to Indonesian localisation (id) #26
* Added Telugu translation (te)
* Update to Catalan translation (ca)
* (bug 6560) Avoid PHP notice when trimming ISBN whitespace
* Added namespace translation to Kannada (ka)
* (bug 6566) Improve input validation on timestamp conversion
* Implicit group "emailconfirmed" for all users whose email addresses are
  confirmed
* (bug 6577) Avoid multiline parser breakage on <pre> with newline in attribute
* (bug 6771) Make old revisions of MediaWiki pages available with action=raw


== Compatibility ==
MediaWiki 1.7 requires PHP 5 (5.1 recommended). PHP 4 is no longer supported.

If you are unable to run PHP 5, you may have to stick with 1.6 for now.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

Experimental Oracle support has been dropped as it is unmaintained.

== Upgrading ==
Several changes to the database have been made from 1.6:

* A new "langlinks" table tracks interlanguage links
* A new "filearchive" table stores information on deleted files
* A new "querycache_info" table stores information on query page updates

To ensure that these tables are filled with data, run refreshLinks.php after
the upgrade.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

== Configuration changes ==

Some configuration options have changed:
* $wgAllowExternalImages now defaults to off for increased security.
* $wgLocalTZoffset was in hours; it now uses minutes.
* Extensions may register special pages via the $wgSpecialPages array without
forcing an early load of the SpecialPage.php class file.

== Major new features ==

* Deleted files can now be archived and undeleted, if you set up an appropriate
non-web-accessible directory. Set $wgSaveDeletedFiles on and an appropriate
directory path in $wgFileStore['deleted']['directory']
* Experimental PostgreSQL support has been updated. It may or may not be in
usable shape; those interested in PostgreSQL are encouraged to follow 1.8
development.

=== Caveats ===
Some output, particularly involving user-supplied inline HTML, may not
produce 100% valid or well-formed XHTML output. Testers are welcome to
set $wgMimeType = "application/xhtml+xml"; to test for remaining problem
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)

= MediaWiki 1.6 =

== MediaWiki 1.6.12 ==

February 7, 2009

This is a security update to the Spring 2006 quarterly release.

A number of cross-site scripting (XSS) security vulnerabilities were discovered
in the web-based installer (config/index.php). These vulnerabilities all
require a live installer -- once the installer has been used to install a
wiki, it is deactivated.

Note that cross-site scripting vulnerabilities can be used to attack any
website in the same cookie domain. So if you have an uninstalled copy of
MediaWiki on the same site as an active web service, MediaWiki could be used to
attack the active service.

If you are hosting an old copy of MediaWiki that you have never installed, you
are advised to remove it from the web.

== MediaWiki 1.6.11 ==

December 15, 2008

This is a security update to the Spring 2006 quarterly release.

David Remahl of Apple's Product Security team has identified a number of
security issues in previous releases of MediaWiki. Subsequent analysis by the
MediaWiki development team expanded the scope of these vulnerabilities. The
issues with a significant impact are as follows:

* An XSS vulnerability affecting Internet Explorer clients for all MediaWiki
installations with uploads enabled. [CVE-2008-5250]
* An XSS vulnerability affecting clients with SVG scripting capability (such as
Firefox 1.5+), for all MediaWiki installations with SVG uploads enabled.
[CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all MediaWiki
installations since the feature was introduced in 1.3.0. [CVE-2008-5252]

XSS (cross-site scripting) vulnerabilities allow an attacker to steal an
authorised user's login session, and to act as that user on the wiki. The
authorised user must visit a web page controlled by the attacker in order to
activate the attack. Intranet wikis are vulnerable if the attacker can
determine the intranet URL, even if the attacker cannot access it.

CSRF vulnerabilities allow an attacker to act as an authorised user on the
wiki, but unlike an XSS vulnerability, the attacker can only act as the user in
a specific and restricted way. The present CSRF vulnerability allows pages to
be edited, with forged revision histories. Like an XSS vulnerability, the
authorised user must visit the malicious web page to activate the attack.

Rather than backport our SVG validation code to this ancient branch, we have
instead disabled SVG uploads. To enable SVG uploads, please upgrade to
MediaWiki 1.13.3 or later.

The other two issues have been fixed.

== MediaWiki 1.6.10 ==

February 20, 2007

This is a security and bug-fix update to the Spring 2006 quarterly release.

An XSS injection vulnerability based on Microsoft Internet Explorer's UTF-7
charset autodetection was located in the AJAX support module, affecting MSIE
users on MediaWiki 1.6.x and up when the optional setting $wgUseAjax is enabled.

If you are using an extension based on the optional Ajax module, either disable
it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.3
* 1.8: fixed in 1.8.4
* 1.7: fixed in 1.7.3
* 1.6: fixed in 1.6.10

There is no known danger in the default configuration, with $wgUseAjax off.

* ([[mediazilla:8819|bug 8819]]) Fix full path disclosure with skins
dependencies
* Add 'charset' to Content-Type headers on various HTTP error responses to
forestall additional UTF-7-autodetect XSS issues. PHP sends only 'text/html' by
default when the script didn't specify more details, which some inconsiderate
browsers consider a license to autodetect the deadly, hard-to-escape UTF-7.
This fixes an issue with the Ajax interface error message on MSIE when
$wgUseAjax is enabled (not default configuration); this UTF-7 variant on a
previously fixed attack vector was discovered by Moshe BA from BugSec:
http://www.bugsec.com/articles.php?Security=24
* Trackback responses now specify XML content type
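
An added illustration (not MediaWiki code) of why the fix above puts an explicit charset on error responses: text that an HTML escaper passes through untouched becomes markup once a browser guesses UTF-7, and a header audit finds the responses that leave that guess open. The sample bytes, the response list and all function names are constructed for this example.

```python
import html
from email.message import Message

# Constructed sample: harmless <b> markup written in UTF-7. As raw bytes it
# contains none of the characters an HTML escaper looks for.
UTF7_SAMPLE = b"+ADw-b+AD4-bold+ADw-/b+AD4-"

# Constructed (label, Content-Type) pairs standing in for server responses.
RESPONSES = [
    ("ajax-error", "text/html"),
    ("http-404", "text/html; charset=utf-8"),
    ("trackback", "text/xml; charset=utf-8"),
    ("legacy-error", "Text/HTML"),
]


def parse_content_type(value):
    """Return (media_type, charset or None) for a Content-Type header value."""
    msg = Message()
    msg["Content-Type"] = value
    return msg.get_content_type(), msg.get_content_charset()


def charset_left_to_browser(value):
    """True when an HTML response declares no charset, so a sniffing browser
    may choose one itself (the UTF-7 autodetection case)."""
    media_type, charset = parse_content_type(value)
    return media_type == "text/html" and charset is None


def audit(responses):
    """Labels of the responses whose encoding is left to the browser."""
    return [label for label, ctype in responses if charset_left_to_browser(ctype)]


def escaped_output(untrusted_bytes):
    """Escape as a server does when it treats the text as ASCII/UTF-8."""
    return html.escape(untrusted_bytes.decode("ascii")).encode("ascii")


def markup_seen_by_browser(body, charset):
    """Does the body contain '<' once decoded with the browser's charset?"""
    return "<" in body.decode(charset)


if __name__ == "__main__":
    body = escaped_output(UTF7_SAMPLE)
    print("escaper changed the bytes:", body != UTF7_SAMPLE)
    print("markup when read as utf-8:", markup_seen_by_browser(body, "utf-8"))
    print("markup when read as utf-7:", markup_seen_by_browser(body, "utf-7"))
    print("responses missing a charset:", audit(RESPONSES))
```

Declaring the charset in the header removes the guess, which is why the escaped output stays inert in the UTF-8 case.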

== MediaWiki 1.6.9 ==

January 9, 2007

* ([[mediazilla:6621|bug 6621]]) Backported German translation for
'eauthentsent'

* ([[mediazilla:6680|bug 6680]]) Added localisation for Dutch bookstore list
(nl)
* ([[mediazilla:6730|bug 6730]]) Clearer usage of message 'titlematch' in
German translation (de)
* XSS fix in AJAX module

An XSS injection vulnerability was located in the AJAX support module,
affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax is
enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional AJAX module, either disable
it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9

== MediaWiki 1.6.8 ==

July 8, 2006

MediaWiki 1.6.8 is a security and bugfix maintenance release of the Spring 2006
snapshot:

A potential HTML/JavaScript-injection vulnerability in a debugging script has
been fixed. Only versions and configurations of PHP vulnerable to the $GLOBALS
overwrite vulnerability are affected.

As a workaround for existing installs, profileinfo.php may simply be deleted if
it's not being used.

* ([[mediazilla:5957|bug 5957]]) Updates to Hebrew translation (he)
* Respect language directionality when displaying arrow in
Special:Brokenredirects
* ([[mediazilla:6415|bug 6415]]) Typo in Parser.php
* Fixed potential XSS in profileinfo.php

== MediaWiki 1.6.7 ==

June 6, 2006

MediaWiki 1.6.7 is a security and bugfix maintenance release of the Spring 2006
snapshot:

An HTML/JavaScript-injection vulnerability in the edit form has been closed.
This vulnerability was new in 1.6.0; MediaWiki versions 1.5.x or earlier are
not affected.

Extensions, comments, and <nowiki><nowiki></nowiki> sections are now handled in
a one-pass way which is more reliable and safer. Under earlier versions of
MediaWiki, certain extensions could be abused to inject HTML/JavaScript into
the page.

Additional precautions are made against offsite form submissions when the
restricted raw HTML mode is enabled.

Some small localization and user interface updates are also included.

* ([[MediaZilla:6051|bug 6051]]) Improvement to German localisation (de)
* ([[MediaZilla:6017|bug 6017]]) Update bookstore list for German language (de)
* ([[MediaZilla:6138|bug 6138]]) Minor grammar tweak in "loginreqlink"
* ([[MediaZilla:5957|bug 5957]]) Update for Hebrew language (he)
* Increase robustness of parser placeholders; fixes some glitches when adjacent
to identifier-ish constructs such as URLs.
* ([[MediaZilla:5384|bug 5384]]) Fix <nowiki><!-- comments --> in <ref></nowiki>
extension
* Nesting of different tag extensions and comments should now work more
consistently and more safely. A cleaner, one-pass tag strip lets the 'outer'
tag either take source (<nowiki><nowiki></nowiki>-style) or pass it down to
further parsing (<nowiki><ref></nowiki>-style). There should no longer be
surprise expansion of foreign extensions inside HTML output, or differences in
behavior based on the order tags are loaded.
* ([[MediaZilla:885|bug 885]]) Pre-save transform no longer silently appends
close tags
* Pre-save transform no longer changes the case of close tags
* Edit security precautions in raw HTML mode, etc

== MediaWiki 1.6.6 ==

May 23, 2006

MediaWiki 1.6.6 is a security and bugfix maintenance release.

An XSS injection vector in brace replacement has been fixed, as have some
potential problems with table parsing. Upgrading is strongly recommended for
all users of 1.6. MediaWiki versions 1.5 and earlier are not affected.

Additionally some localization and user interface updates are included.

* Correct "revertpage" message in English
* ([[MediaZilla:5507|bug 5507]]) Logouttext now uses wiki markup
* (bugs [[MediaZilla:5857|5857]], [[MediaZilla:5957|5957]]) Update for German
localisation (de)
* ([[MediaZilla:5586|bug 5586]]) <nowiki><gallery></nowiki> treated text as
links
* ([[MediaZilla:5957|bug 5957]]) Update for Hebrew language (he)
* ([[MediaZilla:6025|bug 6025]]) SpecialImport: wrong message when no file
selected
* ([[MediaZilla:6015|bug 6015]]) EditPage: add spacing in the boxes "edit is
minor" and "watch this"
* ([[MediaZilla:6018|bug 6018]]) Userrights: new message when no user specified
('nouserspecified')
* ([[MediaZilla:6055|bug 6055]]) Fix for HTML/JS injection bug in variable
handler (found by Nick Jenkins)
* Reordered wiki table handling and <nowiki>__TOC__</nowiki> extraction in the
parser to better handle some overlapping tag cases.
* Only the first <nowiki>__TOC__</nowiki> is now turned into a TOC.
* ([[MediaZilla:361|bug 361]]) URL in URL, they were almost fixed. Now they are.

== MediaWiki 1.6.5 ==

May 2, 2006

* Rolled back the buggy patch for [[MediaZilla:5497|bug 5497]].

== MediaWiki 1.6.4 ==

May 2, 2006

* Further improvements to Hebrew localisation
* ([[MediaZilla:5544|bug 5544]]) Fix redirect arrow in Special:Listredirects
for right-to-left languages
* Replace "doubleredirectsarrow" with a content language check that picks the
appropriate arrow
* Remove live debugging hack which caused errors with certain database names
* ([[MediaZilla:5510|bug 5510]]) Warning produced when using
<nowiki>{{SUBPAGENAME}}</nowiki> in some namespaces
* ([[MediaZilla:5548|bug 5548]]) Improvements to Indonesian localisation
[patch: Ivan Lanin]
* ([[MediaZilla:5403|bug 5403]]) Fix Special:Newpages RSS/Atom feeds
* ([[MediaZilla:3359|bug 3359]]) Add hooks on completion of file upload
* ([[MediaZilla:5184|bug 5184]]) CSS misapplied to elements in
Special:Allmessages due to conflicting anchor identifiers
* ([[MediaZilla:5519|bug 5519]]) Allow sidebar cache to be disabled; disable it
by default.
* Add $wgReservedUsernames configuration directive to block account creation/use
* ([[MediaZilla:5576|bug 5576]]) Remove debugging hack in session check
* ([[MediaZilla:5181|bug 5181]]) Update "nogomatch" for Slovak
* ([[MediaZilla:5594|bug 5594]]) Id translation up to '# Login and logout
pages' section
* ([[MediaZilla:5536|bug 5536]]) Use content language for editing help link
* Minor improvements to English language files
* Improvements to German localisation files
* ([[MediaZilla:5628|bug 5628]]) Translations for MessagesHr.php
* (bugs [[MediaZilla:5595|5595]], [[MediaZilla:5644|5644]]) Localisation for
Bosnian language (bs)
* ([[MediaZilla:5592|bug 5592]]) Actions are logged with the default language
for the wiki, not the language of the user performing the operation.
* ([[MediaZilla:5646|bug 5646]]) Compare for identical types in wfElement()
* Fix for concurrency problem in job queue (image description page invalidation)
* ([[MediaZilla:5497|bug 5497]]) regression in HTML normalization in 1.6
(unclosed <nowiki><li>,<dd>,<dt></nowiki>)
* ([[MediaZilla:5709|bug 5709]]) Allow customisation of separator for categories
* ([[MediaZilla:4834|bug 4834]]) Fix XHTML output when using $wgMaxTocLevel
* Improvements to update scripts; print out the version, check for superuser
credentials before attempting a connection, and produce a friendlier error if
the connection fails
* ([[MediaZilla:5005|bug 5005]]): Fix XHTML <nowiki><gallery></nowiki> output.
* ([[MediaZilla:5315|bug 5315]]) "Expires: -1" HTTP header made strictly valid
(using 1970 date).
* ([[MediaZilla:4825|bug 4825]]): note in DefaultSettings.php about 'profiling'
table creation
* Remove unneeded extra whitespace at top of Special:Categories
* Rewrite reassignEdits script to be more efficient; support optional updates
to recent changes table; add reporting and silent modes
* Updated initStats maintenance script
* ([[MediaZilla:5723|bug 5723]]) Don't count pages linked to from the MediaWiki
namespace as "wanted"
* ([[MediaZilla:5789|bug 5789]]) Treat "loginreqpagetext" as wikitext
* ([[MediaZilla:5796|bug 5796]]) We require MySQL >=4.0.14

== MediaWiki 1.6.3 ==

April 10, 2006

* Fix disappearing red-linked items in the watchlist editing view
* ([[MediaZilla:5512|bug 5512]]) Spacing in "page has a history" deletion
warning
* ([[MediaZilla:5508|bug 5508]]) Switch ENGINE in table statements back to
TYPE; fixes regression where some versions of MySQL 4.0.x wouldn't work
* Added note about [[Manual:$wgUrlProtocols|$wgUrlProtocols]] format change

== MediaWiki 1.6.2 ==

April 8, 2006

* Further improvements to Hebrew localisation
* Fix 'copyright' message for Romanian
* ([[MediaZilla:5476|bug 5476]]) Invalid xhtml in German localization
* ([[MediaZilla:5479|bug 5479]]) Id translation for preferences tabs caption
* ([[MediaZilla:5493|bug 5493]]) Id translation for special pages
* Additional path fixes in the updater
* ([[MediaZilla:5344|bug 5344]]) Fix regression that broke slashes in extension
tag parameters

== MediaWiki 1.6.1 ==

April 5, 2006

Some minor issues in the 1.6.0 release have been corrected:
* ([[MediaZilla:5458|bug 5458]]) Fix double-URL encoding in block log link in
contribs and contribs link in block log
* ([[MediaZilla:5462|bug 5462]]) Bogus missing patch warning in updater
* ([[MediaZilla:5461|bug 5461]]) Use of deprecated "showhideminor" in
Special:Recentchangeslinked
* PHP warning when allow_call_time_pass_reference is off
* Update to Finnish localization

== MediaWiki 1.6.0 ==

April 5, 2006

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept "ready
to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature development will take
place on the development trunk and will appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can [[Download
from SVN|obtain it from source control]].

=== What's new in 1.6 ===

'''User interface:'''
* The account creation form has been separated from the user login form.
* Page protection/unprotection uses a new, expanded form

'''Templates:'''
* Categories and "what links here" now update as expected when adding or
removing links in a template.
* Template parameters can now have default values, as <nowiki>{{{name|default
value}}}</nowiki>

'''Uploads:'''
* Optional support for rasterizing SVG images to PNG for inline display

'''Feeds:'''
* Feed generation upgraded to Atom 1.0
* Diffs in RSS and Atom feeds are now colored for improved readability.

'''Database:'''
* MySQL 3.23.x support dropped; 4.0 or later required
* Experimental support for Unicode mode of MySQL 4.1/5.0 (moderately tested)
* Experimental Oracle support (not well tested!)

'''Anti-spam extension support:'''
* [[meta:SpamBlacklist extension|SpamBlacklist extension]] now has support for
automated cleanup.
* Support for a [[meta:ConfirmEdit extension|captcha extension]] to restrict
automated spam edits.

Numerous bug fixes and other behind-the-scenes changes have been made; see the
file HISTORY for a complete change list.

== Changes since 1.5 ==

* (bug 2885) More PHP 5.1 fixes: skin, search, log, undelete

Code quality:
* Use strval() to make sure we don't accidentally get null on bad revision
  text loads or other fields mucking up XML export output
* Clean up duplicate code for selection of changeslist style
* Correct blob caching to reduce redundant blob loads on backups
* (bug 3182) Clear link cache during import to prevent memory leak
* Fixed possible infinite loop in formatComment
* Wrap message page insertions in a transaction to speed up installation
* Avoid notice warning on edit with no User-Agent header
* (bug 3649) Remove obsolete, broken moveCustomMessages script
* Avoid numerous redundant latest-revision lookups in history
* Require PHP 4.3.2 or higher strictly now.
* Tweak infinite-template-handling loop for PHP 5.1.1 string handling change
* Remove unused OutputPage::addCookie()
* Fix for short_open_tag off again; please don't break this, guys
* (bug 4507) Adjust FULLPAGENAMEE escaping to standard form
* (bug 5302) Merge the two #p-search .pBody statements in monobook css.

Database:
* Finally dropped MySQL 3.23.x support
* Oracle support
* (bug 3056) MySQL 3 compatibility fix: USE INDEX instead of FORCE INDEX
* Update all stats fields on recount.sql
* (bug 3227) Fix SQL injection introduced in experimental code
* Fix table prefix usage in Block::enumBlocks
* (bug 3448) Set page_len on undelete
* (bug 3506) Avoid MySQL error when Listusers returns no results
* Skip update of disused 'rc_cur_time' field (todo: discard the field)
* (bug 3735) Fix to run under MySQL 5's strict mode
* (bug 3786) Experimental support for MySQL 4.1/5.0 utf8 charset mode
  NOTE: Enabling this may break existing wikis, and still doesn't
  work for all Unicode characters due to MySQL limitations.
* MySQL 5.0 strict mode fix for moving unwatched pages
* Ability to set the table name for external storage servers
* Update ipblocks table in MySQL 5 table defs
* Removed FulltextStoplist.php, no longer used (was for MySQL 3.x workaround)
* Added templatelinks table, to track template inclusions. User-visible effects
  will be:
  * (inclusion) tag for inclusions in Special:Whatlinkshere
  * More accurate list of used templates on the edit page
  * More reliable cache invalidation when templates outside the template
    namespace are changed
* Respect database prefix in dumpHTML.inc
* Removed read-only check from Database::query()
* Added externallinks table, to track links to arbitrary URLs
* Added job table, for deferred processing of jobs. The immediate application is
  to complete the link table refresh operation when templates are changed.
* Don't change the password of the MySQL root user.

Documentation:
* (bug 3306) Document $wgLocalTZoffset

Hooks:
(list not complete)
* Move ArticleSave hook execution into Article insert/update functions,
  so they get called on non-EditPage actions that use these functions
  to create or update pages.
* Added EditFilter hook, and output callback on EditPage::showEditForm()
  for a place to add in captcha-type extensions in the edit flow
* (bug 3684) Fix typo in fatal error backtraces in Hooks.php
* Fix for hook callbacks on objects containing no fields
* Add a hook for additional user creation throttle / limiter extensions
* Use $wgOut->parse() in wfGetSiteNotice() instead of creating a new parser
  instance. This allows use of extension hooks if required.
* Added AutoAuthenticate hook for external User object suppliers
* Added 'PageRenderingHash' hook for changing the parser cache hash key
  from an extension that changes rendering based on nonstandard options.
* Add 'GetInternalURL' hook to match the GetFullURL and GetLocalURL ones
* (bug 4456) Add hook for marking article patrolled
* Add UserRights hook, fires after a user's group memberships are changed

Images:
* Support SVG rendering with rsvg
* Cap arbitrary SVG renders to given image size or $wgSVGMaxSize pixels wide
* (bug 3127) Render large SVGs at image page size correctly
* Fix scaling of non-integer SVG unit sizes
* (bug 2800) Don't scale up small images on |thumb| without explicit size
* Use the real file link instead of the default-size rasterized version for
  large SVG images on image description page
* Include the file name/type/size line for non-resized images
* (bug 3489) PHP 5.1 compat problem with captioned images
* (bug 3643) Fix image page display of large images with resizing disabled
* Added a limit to the size of image files which can be thumbnailed
* (bug 3806) Gracefully fall back to client-side scaling on |thumb| image
  that passes $wgMaxImageArea
* (bug 153) Adjust thumbnail size calculations to match consistently;
  patch by David Benbennick
* (bug 4162) Add $wgThumbnailEpoch timestamp to force old thumbs to
  be rerendered on demand, sitewide
* (bug 1850) Additional fixes so existing local and remote images
  get a blue link even if there's no local description page
* Avoid FATAL ERROR when creating thumbnail of non-existing image
* (bug 4207) Wrong image size when using 100x200px syntax to scale image up
  patch by David Benbennick
* Don't delete thumbnails when refreshing exif metadata. This caused thumbs
  to vanish mysteriously from time to time for files that didn't have metadata.
* (bug 4426) Add link to user_talk page on image pages
* Support a custom convert command for thumbnailing. See DefaultSettings.php
  and the comments for $wgCustomConvertCommand, for more information.
* UserCan hook now allows advisory return values, rather than mandatory ones.

Installer:
* (bug 3782) Throw fatal installation warning if mbstring.func_overload on.
  Why do people invent these crazy options that change language semantics?
* Fixed installer bugs 921 and 3914 (issues with using root and so forth)
* (bug 4258) Use ugly urls for ISAPI by default
  patch by Rob Church
* Improve installer
    * Use a superuser account (such as root), if specified, to create tables
    * Don't overwrite conservative permissions on the MySQL user with ALL
      permissions, if said user exists
    * Changes to some of the wording of explanations for fields
* (bug 1734) granting db permissions failed with db usernames containing '-'
* Add basic check for session support in PHP and die if not present

Maintenance:
* Fix problem reported on mailing list where re-initialising stats didn't work
  (can't insert duplicate rows with the same id field)
* Added --conf option to command line scripts, allowing the user to specify a
  different LocalSettings.php.
* Maintenance script to delete unused text records
* Maintenance script to delete non-current revisions
* Maintenance script to wipe a page and all revisions from the database
* Maintenance script to reassign edits from one user to another
* Maintenance script to find and remove links to a given domain
  (cleanupSpam.php)
* Fix --report interval option for dumpTextPass

i18n / Languages:
* Partial support for Basque language (from wikipedia and meta)
* (bug 3141) Partial support for Breton language (thanks Fulup).
* Support for Venetian language
* (bug 1334) LanguageGa.php update
* Finnish date format was hardcoded, now implemented properly
* (bug 3190) Added some date format choices for language sr
* (bug 2753) Some namespaces were not translated in LanguageTa.php (Tamil)
* (bug 3204) Fix typo breaking special pages in fy localization
* (bug 3177) Estonian date formats not implemented in LanguageEt.php
* (bug 1020) Changing user interface language does not work immediately
* (bug 3271) Updated LanguageNn.php for HEAD
* Experimental feature to allow translation of block expiry times
  Implementation only for Finnish currently
* (bug 3304) Language file for Croatian (LanguageHr.php)
* (bug 2143) Update Vietnamese interface
* (bug 3063) Remove some hardcodings from Hebrew localisation
* (bug 3408) Bulgarian formatNum corrected
* (bug 1512) Disable x-code interp on Esperanto URLs for now, it does more
  harm than good under current system by breaking incoming URLs with "ux".
  (Editing is not affected, just URLs.)
* (bug 1423) LanguageJa.php update
* Fix language name for dv
* (bug 3503) Update LanguageSq.php from sq.wikipedia.org messages
* (bug 3629) Fix date & time format for Frisian
* (bug 3334) Namespace changes for Polish
* (bug 3580) Change default Dutch language file to more neutral
* (bug 3656) LanguageHr.php - added convertPlural
* (bug 3414) LanguageBe.php - added convertPlural
* (bug 3163) Full translation of LanguageBr
* (bug 3617) Update for Portuguese language (pt)
* Namespaces hacks on LanguagePl
* (bug 3682) LanguageSr.php - added convertPlural
* (bug 3694) LanguageTr.php update
* (bug 3711) Removed invisible unicode characters from LanguageHu
* (bug 2981) Linktrail for Tamil (ta)
* (bug 3722) Update of Arabic language (ar) Namespace changes
* Removed hardcoded Norwegian (no) project namespaces
* (bug 2324) image for redirects should be without text and oriented according
  to content language
* (bug 3666) Don't spew PHP warnings in prefs on unrecognized site language
* (bug 3817) Use localized date formats in preferences; 'no preference' option
  localizable as 'datedefault' message. Tweaked lots of languages files...
* (bug 2721) Regression: Use European number separators for vi: wikis
* (bug 3961) Minor LanguageDe changes
* (bug 1984) LanguageKo.php (Korean) update
* (bug 3804) update of LanguageWa.php file
* (bug 3886) Update for Portuguese language (pt)
* (bug 4020) Update namespaces for ms
* (bug 3922) bidi embedding overrides on category links
* (bug 4061) Update of Slovene namespace names (LanguageSl.php)
* (bug 4064) LanguageDe comma changes
* (bug 3922) Further tweaks to bidi overrides in category list for old
  versions of Safari and Konqueror
* Fix custom namespaces on wikis set for Portuguese
* (bug 4153) Fix block length localizations in Greek
* (bug 3844) ab: av: ba: ce: & kv: now inherit from LanguageRu.php
             ii: & za: now inherit from LanguageZn_cn.php
* (bug 4165) Correct validation for user language selection (data taint)
* (bug 4192) Remove silly 'The Free Encyclopedia' default sitesubtitle
* Use content-lang for sitenotice
* (bug 4233) Update LanguageJa.php
* (bug 4279) Small correction to LanguageDa.php
* (bug 4108, 4336) Remove trailing whitespace from various messages, which
  mucks up message updating to create dupe entries
* (bug 4389) Fix math options on zh-hk and zh-tw (but not localized)
* (bug 4392) Update of LanguageSr.php
* (bug 4382) Frisian numeric format
* (bug 4424) Update for Spanish language (es) 100% messages translated
* (bug 4425) Typos in Polish translation
* (bug 4436) Update for Turkish language (tr)
* (bug 4413) Update of Farsi language file (LanguageFa.php)
* Update for LanguageSr (Serbian): magic words
* (bug 137) MediaWiki:Copyrightwarning hardcoding
* (bug 4457) Update for Portuguese language (pt)
* convertPlural breakage fixed a little
* (bug 4144) Support for Sundanese language (Basa Sunda)
* Big cleanup:
 - Removed obsolete, badly or untranslated messages
 - Removed references to wikipedia/wikimedia etc in messages
 - Other cleanup, like removing html and javascript and extension calls
 - Removed hardcoded namespaces: Tt, Ms, Ia, Ga, Fo, Bn, Csb, He, Nv, Oc, Tlh
 - Removed some useless backwards compatibility hacks
 - Fixed formatnum on many languages
* wgAmericanDates check produced incorrect results in languages that don't have
  such a distinction
* (bug 4548) Update for Portuguese language (pt): time format
* (bug 4530) Use consistent name for Kurdish
* Tweak default "upload disabled" text
* (bug 4504) Use site language for namespace name resolution
* (bug 4510) Correct Barnes & Noble bookstore URLs
* (bug 3991) Allow the operation of wikicode on Protect move only text
* (bug 4267) Switch dv sd ug ks arc languages to RTL
* Default main page content improved per bug 4690
* (bug 4615) Update for Portuguese language (pt)
* Separated MessagesSl.php, as for the other languages.
* (bug 4960) Add additional namespaces variants to Yiddish for compatibility
* (bug 4805) Removed more wikipedia-references from MessagesUk.php
* (bug 5015) Update magic words translation in LanguageBe.php
* (bug 4859) Update for Portuguese messages (pt)
* (bug 4788) One string for MessagesPl
* Restriction types now use restriction-* messages instead of ui messages
* (bug 4685) Slovenian LanguageSl.php hardcodes project namespace
* (bug 5097) Fix Hungarian language (hu): thousands separator
* (bug 5098) Update for Portuguese messages (pt)
* (bug 5113) Spelling error in French language file
* (bug 5105) Magic words for LanguageAr.php
* (bug 3993) Variants for Serbian language
* Typo in English messages file
* (bug 4114) Spacing in watchlist rows (in editing mode)
* Update default "exporttext" to reflect that Special:Import exists
* (bug 4960) Add additional namespaces variants to Yi projects: Yiddish Wikinews
  fix
* (bug 5357) Add the icon near the user name also in RTL interfaces
* (bug 5156) Update for Hebrew language (he)
* (bug 4497,4704,5010) Added some new language codes.
* (bug 5362) Piedmontese added
* (bug 5349) Update for Portuguese messages (pt)
* (bug 3573) Finished full Greek translation: namespaces
* (bug 5288) Initial localisation for Az
* (bug 4361) Fix "allmessagesnotsupportedui" so it doesn't refer to nonexisting
  page
* Tweak wording of "allmessagesnotsupporteddb"

Parser:
* (bug 2522) {{CURRENTDAY2}} now shows the current day number with two digits
* (bug 3210) Fix Media: links with remote image URL path
* (bug 3405) Don't use raw letters as aliases of MSGNW: and SUBST:
* (bug 3412) Clean up date format handling so ~~~~-sigs work with default
  format as designed. Documentation comments updated.
* Fix Parser::unstrip on PHP 5.1.0RC4
* (bug 3797) Don't expand variables and sigs in comments
* Allow parser cache on redirect targets
* Run wikitext-escaping on plaintext sigs (no wiki markup, just name)
* Check for unbalanced HTML tags on raw sigs (markup allowed, but show
  a warning in prefs and use default sig if not balanced)
* Respect <noinclude> and <includeonly> during {{subst:}} expansion as well as
  ordinary templates.
* Support <includeonly> in templates loaded through preload= parameter
* (bug 3979) Save correct {{REVISIONID}} into parser cache on edit
* Substitute {{REVISIONID}} correctly in diff display
* (bug 1850) Allow red-links on image pages linked with [[:image:foo]]
* Fix XML validity checks in parser tests on PHP 5.1
* (bug 4377) "[" is not valid in URLs
* (bug 4453) fix for __TOC__ dollar-number breakage
* Convert unnecessary URL escape codes in external links to their equivalent
  character before doing anything with them. This prevents certain kinds of
  spam filter evasion.
* (bug 4783) Fix for "{{ns:0}} does not render"
* Improved support for interwiki transclusion
* (bug 1850) Image link to nonexistent file fixed.
* (bug 5167) Add {{SUBPAGENAME}} and {{SUBPAGENAMEE}} variables
* (bug 4949) Missing : in "addedwatchtext" for English and Spanish
* Allow user-defined functions, which work in a similar way to {{GRAMMAR:}}
  etc. Registered via an interface similar to tag hooks.

Upload:
* (bug 2527) Always set destination filename when new file is selected
* (bug 3076) Support MacBinary-encoded uploads from IE/Mac
* (bug 2554) Tell users they are uploading too large file
* Support for a license selection box on Special:Upload, configurable from
  MediaWiki:Licenses
* Add 'reupload' and 'reupload-shared' permission keys to restrict new uploads
  overwriting existing files; default is the old behavior (allowed).

Security:
* (bug 3244) Fix remote image loading hack, JavaScript injection on MSIE
* (bug 3280) Respect 'move' group permission on page moves
* (bug 2613) Clear saved passwords from the form
* IP privacy fix for blocklist search on autoblocks
* Security fix for <math>
* Security fix for tables
* Security fix for Special:Upload license selection list
* Add UploadVerification hook for custom file upload validation/security checks
* Blacklist additional MSIE CSS safety tricks
* Fix meta robots tag on Special:Version again to avoid listing vulnerable
  versions for convenient harvesting by automated worms
* Sanitizer CSS comment processing order fix
* Forbid usernames that can be interpreted as titles with namespaces, as that
  leads to hard-to-manage names.
* (bug 4071) Generate passwords long enough for $wgMinimalPasswordLength
* Add createpage and createtalk permission keys, allowing a quick
  switch to disable page creation for anonymous users.
* (bug 675) Add page protection level for unregistered/new accounts
* User::isNewbie now uses the registration date and $wgAutoconfirmAge
* Add 'deletedhistory' permission key for ability to view deleted history
  list via Special:Undelete. Default is off, replicating the 1.5 behavior,
  but it can be turned back on for random users to replicate the previous
  1.6 dev behavior.
* Set cookies to secure mode based on use of HTTPS or $wgCookieSecure
* (bug 4371) Disallow tilde character in signatures
* Removed broken wgAllowAnonymousMinor and added new group right minoredit
* Added detection for WMF files (application/x-msmetafile), added this
  MIME type to the default blacklist. Prevented inline display of images
  which are not of known image types. This is in response to
  https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability
* Blocked users can no longer roll back, change the protection of, or
  delete/undelete pages
* Protect against spoofing of X-Forwarded-For header
* XSS issue: now sanitize search query input (fixed in 1.5rc3)
* Remove deprecated $wgOnlySysopsCanPatrol references; use
  User::isAllowed( 'patrol' )
  per bug 5282. Patch by Alan Harder.
* Prevent registration/login with the username "MediaWiki default"

Special Pages:
* Rearranged Special:Movepage form to reduce confusion between destination
  title and reason input boxes
* (bug 1956) Hide bot uploads from Special:Newimages
* (bug 3220) Fix escaping of block URLs in Recentchanges
* (bug 3284) Ipblocklist paging, substring search
* Allow filtering of robot edits in Special:Watchlist by setting
  $wgFilterRobotsWL = true.
* Fix interlanguage links on special pages when extra namespaces configured
* (bug 3475) anon contrib links on Special:Newpages
* Special:Import/importDump fixes: report XML parse errors, accept <minor/>
* (bug 2369) Add separate message for input box on Special:Prefixindex
* (bug 3798) DoubleRedirects no longer has hard coded arrows
* (bug 3803) Fix links on Special:Wantedcategories with miser mode off
* Fix Special:BrokenRedirects on MySQL 5.0
* (bug 3807) Fix 'all' in namespaces drop-down on contribs, rc
* Fail gracefully on invalid namespace in Special:Newpages
* (bug 3762) Define missing Special:Import UI messages
* (bug 3761) Avoid deprecation warnings in Special:Import
* (bug 2894) Enhanced Recent Changes link fixes
* (bug 4059) fix 'hide minor edits' on Recentchangeslinked
* (bug 146) List number of category members in Special:Categories
  (patch by Joel Nothman)
* (bug 4090) Fix diff links in Special:Recentchangeslinked
* (bug 4093) '&bot=1' in Special:Contributions now propagate to other links
* Fix display of old recentchanges records for page moves
* (bug 360) Let Whatlinkshere track [[:image:foo]] links
* (bug 3073) Keep search parameter on paging in Special:Newimages
* Removed Special:Validate, it's been superseded by the Review extension
* (bug 4359) red [[user:#id]] links generated in [[special:Log]]
* (bug 1996) Special page to list redirects
* (bug 4334) Add "watch" links to Special:Unwatchedpages
* Generate target user page links in Special:Ipblocklist where appropriate
  (i.e. not an autoblock)
* Generate link to talk page of the blocker in Special:Ipblocklist, move
  contribs. link of the target next to their name
* (bug 2714) Backlink from special:whatlinkshere was hard set as 'existing'
* Move parentheses out of <a> link in Special:Contributions
* (bug 3192): properly check 'limit' parameter on Special:Contributions
* (bug 3187) watchlist text refers to nonexistent "Stop watching" action
* Add block, block log and general log links to Special:Contributions
* Add contributions link to block log items
* Added optional "hide own edits" feature to Special:Recentchanges
* (bug 5018) Anchors for each message in Special:Allmessages
* Introduce $wgWantedPagesThreshold per bug 5011; Special:Wantedpages will not
  list pages with less than this number of links. Defaults to 1.
* (bug 4319) Don't show a "create account" link on the login form when
  account creation is disabled.
* JavaScript filter for Special:Allmessages
* (bug 3047) Don't mention talk pages on Special:Movepage when there isn't one
* Show links to user page, talk page and contributions page on Special:Newpages
* Special:Export can now export a list of all contributors to an article (off by
  default)
* (bug 5372) Add number of files to Special:Statistics
* (bug 2871) Links to talk pages in watchlist editing view
* (bug 5385) Allow hiding anonymous edits on Special:Recentchanges
* (bug 2544) Illogical error reporting order in Special:Userlogin
* (bug 5409) Hide "show/hide patrolled edits" in Special:Recentchanges if
  patrolling is disabled
* (bug 5447) Convert first letter of username to uppercase before searching in
  Special:Listusers
* (bug 759) Wrap redirects on the watchlist editing page in a span, class
  "watchlistredir"
* (bug 1862) Namespace filtering in watchlists

Misc.:
* PHP 4.1 compatibility fix: don't use new_link parameter to mysql_connect
  if running prior to 4.2.0 as it causes the call to fail
* (bug 3117) Fix display of upload size and type with tidy on
* (bug 2323) Remove "last" tabindex from history page
* (bug 3116) Division by zero on [[Image:Foo.png|123x123px|]]
* Fix display of read-only lockfile message
* Include software-visible client IP address in Special:Version comment
  as a proxy debugging aid
* (bug 3170) Page Title failed to obey MediaWiki:Pagetitle.
  wikititlesuffix was removed
* Add ability to break off certain debug topics into additional log files;
  use $wgDebugLogGroups to configure and wfDebugLog() to log.
* Edit conflict on recreation of deleted page
* (bug 3216) Don't show empty warning page when no warnings.
* (bug 3218) Use proper quoting on history Compare Revisions button
* Fix upgrade from 1.4 due to version number check breakage [for rc future]
* Fix upgrade from 1.4 with no old revisions
* Remove "info" editing toolbar that was shown in browsers which do not
  fully support the editing toolbar, but was found to be too confusing.
* Don't override edit conflict suppression on section edits; section merging
  should provide the expected transparency here and fits usage patterns better.
* (bug 3292) Fix move-over-redirect test when current entries are not plaintext
* (bug 2078) Don't hide watch tab on preview
* Fix regressions in ChangesList traditional layout
* Fix edit on double-click for move-protected pages in Classic skin
* (bug 3485) Fix bogus warning about filename capitalization when off
* (bug 2570) Add 'watch this page' checkbox on uploads, watch uploads
  by default when 'watchdefault' option is on
* Add options to dumpBackup.php for making split/partial dumps by page id
* Added filter options, compression piping, and multiple output streams for
  dumpBackup.php
* (bug 3595) Warn and abort if importDump.php called in read-only mode.
* (bug 3598) Update message cache on message page deletion, patch by Tietew
* Added separate noarticletext and newarticletext messages for logged in and
  anon users.
* (bug 3332) Installation now uses Monobook, validates, plus usability
  improvements.
* (bug 3660) Update diff3 detection to work with Windows/Cygwin
* (bug 2330) Don't do funny things with "links" in MediaWiki:Undeletedtext
* Two-pass data dump for friendliness to the DB (--stub, then dumpTextPass.php)
* Data dump 'prefetch' mode to read normalized text from a prior dump
  (requires PHP 5, XMLReader extension)
* (bug 2773) Print style sheet no longer overrides RTL text direction
* (bug 2938) Update MediaWiki:Exporttext to be more general
* Various fixes
* Fix wfMsg*() replacements; args containing literal $[2-9] were wiped
* Added @import for [[MediaWiki:Common.css]] to all skins
* Edit box now remembers scrollbar position on preview
* (bug 3816) Throw edit conflict instead of fatal error when a page is
  moved or deleted during section edit
* (bug 3771) Handle internal functions in backtrace in wfAbruptExit()
* (bug 3291) 'last' diff link for last history line when not at end
* (bug 3667) Add missing global in page move code
* (bug 2885) Remove unnecessary reference parameter which broke classic skin
  talk notification on PHP 5.0.5
* (bug 3852) "Redirected from" link no longer obscured on double-redirects
* changed directory hierarchy in images/math/. System upgrades from old to
  new hierarchy on the fly.
* (bug 3487) Fix category edit preview with preview-on-bottom
* (bug 918) Search index incorrectly joined words at == headings ==
* (bug 3877) Render math images into temp directory, then move to hashed
  subdir so you can render new math images and have them work
* (bug 2392) Fix Atom items content type, upgrade to Atom 1.0
* Allow $wgFeedCacheTimeout of 0 to disable feed caching
* Fix WebRequest::getRequestURL() to strip off the host bits squid prepends
* Require POST for action=purge, to stop bots from purging the cache
* Added local message cache feature ($wgLocalMessageCache), to reduce bandwidth
  requirements to the memcached server.
* (bug 3562) for go search, try Caps-Variants-Broken-At-Non-Whitespace
* (bug 2569) Use PATH_SEPARATOR instead of trying to guess based on
  DIRECTORY_SEPARATOR (was wrong on NetWare)
* (bug 2740) Accept image deletions on 'enter' submit from MSIE
* (bug 3939) Don't try to load text for interwiki redirect target
* (bug 3948) Avoid notice warning in debug statement in bad search
* Recognize Special:Search consistently so read whitelist works
* (bug 3999) Change atom 1.0 feed id; had been unnecessarily complex due to
  unclear language in the spec. Now using the URL, same as the permalink,
  which someone else will probably whine about because it's not 'perma'
  enough or something.
* (bug 4014) Fix include mode for Allpages on small page sets
* (bug 3996) Fix text for new entries in RC RSS/Atom feed
* (bug 3065) Update both watched namespaces when renaming pages
* Changed mail form to have a bigger message entry box (like for editing
  a page)
* Fix ulimit parameters for wfShellExec when memory_limit is specified in 'm'
* (bug 2111) Collapsible exif metadata table, clean up display
* Reduce fractions in display of exif exposure time
* (bug 4048) Optional footer link to site privacy policy
* Don't die() when update.php reaches the end of the warning count
* (bug 1915) Fix edit links when 'direction' used with 'oldid';
  using revision ID reported via OutputPage; Skin::editUrlOptions()
* Remove obsolete 'redirect=no' on some edit links
* Include oldid for the second revision on edit link on diff view
* (bug 4035) Fix prev/next revision links on edit page
* (bug 4100, 3049) Add 'edittools' message to hold edit tools, put it
  on Special:Upload as well as edit, rearrange edit page pieces a bit.
  Copyright warning now above the buttons to ensure it's visible,
  template list at the bottom so it can grow.
* Optional summary parameter to action=rollback, for user javascript
* (bug 4167) Fix regression caused by patch for bug 153
* (bug 4169) Use $wgLegalTitleChars in pipe trick conversions
* (bug 4170) Decode HTML character escapes in sort key
* (bug 4201) Fix user-talk mode for Enotif, and general code cleanup
* (bug 4214) Skip redundant action text inserts into the HTML <title>
* (bug 4212) Skip redundant meta-robots tag for default settings
* Fix regression: old version missing from edit links in Nostalgia skin
* (bug 1600) Trigger edit conflict on duplicate section=new submissions
* (bug 4001) Use local variables properly in wikibits.js akeytt()
* Fix regression: old version missing from edit links on CSS/JS pages
* (bug 3211) Include Date, To mail headers when using PEAR::Mail
* (bug 3407) Fix encoding of subject and from/to headers on notification
  mails; userMailer() now takes a MailAddress wrapper object instead of
  a raw string to abstract things a level.
* Fixed --server override on dumpTextPass.php
* Added plugin interface for dumpBackup, so additional filters and output
  sink types can be registered at runtime from an extension
* (bug 349) Fix for some numeric differences not being highlighted
  patch by Andrius Ramanauskas
* (bug 4298) Include rc_id on enhanced RC singleton diff links for patrolling
* Did some refactoring on ChangesList.php merging dupe code
* (bug 1586) Fix interwiki generator for wikimedia obscure domains
* (bug 3493) Mark edits patrolled when they are reverted
  patch by Leon Planken
* Removed experimental Amethyst skin from default set
* Upgrade old skin preferences properly at Special:Preferences
  (used to spontaneously switch to Classic skin for old numeric pref records)
* (bug 3424) Update page_touched for category members on category page creation
* Log views show message when no matches
* Fix raw sitenotice display on database error
* Fix autoconfirm check for old accounts
* (bug 4368) Don't show useless empty preview on new section creation
* Don't show useless empty preview on new page creation
* (bug 4411) Fix messages diff link for classic skin
* (bug 4385) Separate parser cache entries for non-editing users, so section
  edit links don't vanish / appear unwanted on protected pages
* (bug 2726, 3397) Fix [[Special:]] and [[:Image]] links in action=render
* (bug 4419) Remove obsolete magnify.png.old
* Removed $wgUseCategoryMagic option, categories are now enabled unconditionally
* (bug 3318) UI workarounds for disabled items in license selector
  MSIE/Win: items now grayed out, JS will revert to 'non selected' if clicked
  Safari: JS will revert to 'non selected' if clicked (but not gray)
  MSIE/Mac: indented items now visible (JS hack)
* (bug 714) "plainlinks" class issues in IE, Opera
* (bug 4317) Inconsistent "broken redirects" messages
* Default interface text for "selflinks" tweaked
* (bug 3194) default implementation of translateBlockExpiry
  which uses ipboptions
* (bug 4446) $wgExportAllowHistory option to explicitly disable history in
  Special:Export form, 'exportnohistory' message to translate live hack.
* Maintenance script to delete unused user accounts
* (bug 912) Search box easier to reach in text browsers (lynx, links)
* $wgParserCacheExpireTime added
* Skip loading of RecentChange.php except where needed
* Enforce $wgSVGMaxSize when rendering, even for SVGs with a very large source
  size. This is necessary to limit server memory usage.
* Cleanup and error checking on Special:Listredirects
* Clear up some instances of old OutputPage::sysopRequired() function usage
* Improve "upload disabled" notice
* Move parts of index.php to include/Wiki.php in an attempt to both cleanup
  index.php and create a MediaWiki-class mediaWiki base object
* (bug 4104) Added OutputPageBeforeHTML hook for tweaking primary wiki output
  HTML on final output (cached or not)
* Avoid PHP notice on command-line scripts if empty argument is passed ('')
* (bug 4571) Partial fix hack for {{fullurl:}} in action=render
* (bug 3502) Bowtie symbol for TeX
* (bug 4000) Support for \textstyle et al. in <math>
* (bug 1663) support color in TeX formulas
* (bug 2026) missing glue around \not= (TeX)
* (bug 4576) Missing '>' broke license selector's first option in IE, Opera
* Override $wgLocaltimezone in parser tests for us outside Iceland and UK
* Fix extra whitespace at end of Wiki.php, DESTROYS XML OUTPUT
* Remove redundant 'echo' statements from MonoBook.php
* (bug 1103) Fix up redirect handling for images, categories
  Redirects are now followed from the top-level, outside of the Article
  content loading and viewing, for clarity and consistency.
* (bug 4104) 'OutputPageBeforeHTML' hook to postprocess article HTML on
  page view (comes after parser cache, if used). Patch by ThomasV.
* Linker::formatComment corrupted the passed title object on PHP 5
  if the comment included a section link. Use clone() to make a safe copy.
* Add wfClone() wrapper since we're still using PHP 4 on some servers.
* Remove obsolete killthread.php
* Added wfDie() wrapper, and some manual die(-1), to force the return code
  to the shell to return nonzero when we crap out with an error.
* Allow input of the stub from a compressed file instead of stdin
  for dumpTextPass.php; easier to get errors back on the shell
* Added an attractive space on the namespace selector on contribs
* Move PHP 5-friendly XHTML doctype hack to Sanitizer, use for sig checks.
  Fixes use of named entities in sigs on PHP 5
* (bug 4482) Include move comment on the null edit as well as the redirect
* (bug 3990) Use existing session name if session.auto_start is on
  Fixes checks for open sessions, such as the cookie warning on login.
  Patch by Zbigniew Braniecki.
* Add cache-safe alternate sitenotice for anonymous users.
  (MediaWiki:Anonnotice) This is displayed instead of the regular sitenotice,
  if it exists. If not, the regular sitenotice shows. If that doesn't exist,
  the value of $wgSiteNotice is used, and if that's null, then nothing is shown.
* Spit the generated LocalSettings code out during the installer as an aid
  to debugging issues. (Keep this?)
* Use __FILE__ to form path in new LocalSettings.php, so it stays accurate
  when the directory is relocated for typical usage.
* Auto-update $wgCacheEpoch when LocalSettings.php changes on new installs.
  For typical usage this will be a light burden and should reduce confusion
  when the configuration is edited.
* Fix $wgCacheEpoch's effect on client-side caching.
* (bug 1122) gray out 'older revision' when viewing first article revision.
* Clearer message in DefaultSettings.php: edit LocalSettings.php instead
* MonoBook skin top link id changed from "contentTop" to "top" (shared with
  name attribute)
* (bug 3350) Missing label for move talk page checkbox.
* (bug 2108) Sort entries when using category browser
* (bug 2393) Fix MIME type for Atom feeds ( application/rss+atom )
* Add ".deps.php" include-file preloaders for some dynamically-loaded
  language and skin classes. Should help with the broken base-class
  problem under PHP 5 with APC as opcode cache. See details:
  https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/4NVSC4LAZX6ACO77QVLRQYAWULAJCKJ2/
* Small changes to tabs in Monobook skin c/o Chris Ware
* (bug 4679) Work around buggy basename() function in PHP5, which breaks
  uploads of files starting with multibyte characters on Linux.
  wfBaseName() doesn't suffer this bug, and understands backslash on
  both Unix and Windows.
* (bug 3603) headscripts variable not hooked up to MonoBook skin
* Allow local cdb-based interwiki cache
* Use the "block", not the "protect" permission, when determining whether to
  show a "block user" link in the toolbox
* Fix backup dump text prefetch for XMLReader constant changes in PHP 5.1
* Suppress useless percentage indicator on output from 7za during dumps
* (bug 4633) Add (previous 200) (next 200) also above catlinks
* (bug 4686) Fix regression where ?diff=0&oldid=0 caused fatal error on
  pages with only one revision. Fixes message diff link on first edit.
* Fix dependence on hardcoded UNIQ_PREFIX in LanguageConverter.php
* Do not check lag on external storage servers
* Do not tidy interface messages (unless full tidy is set)
* Do not trust equality propagation and give more hints to MySQL
  optimizer for revision fetches (avoids index scans)
* Use revision rate for ETA in dump generation; it tends to be more stable
  than the per-page count for full-history dumps.
* Include timestamp in wfDebugLog breakouts
* (bug 4469) Namespace-specific notice to be displayed below site-notice
  Edit messages like "MediaWiki:Namespacenotice-" plus namespace name
  which is blank for main namespace, or like e.g. "User_talk"
* Adjust user login/creation form hooks to work with a captcha plugin
* (bug 1284) Inline styles for diffs in Recent Changes RSS/Atom feeds
* (bug 4824) IE7 beta 2 broke compatibility with PNG logo workarounds,
  and seems to work ok with other bits. No longer including the IE
  workarounds JavaScript for IE 7 and above.
* Fix extra namespace for Bulgarian
* (bug 4303) Add $wgFavicon to change the shorticon icon link from
  the default /favicon.ico or disable it (if set to false)
* (bug 3347) strip linebreaks in math error source
* (bug 4841) Warning for non-logged-in edits
* (bug 4867) Leave invalid EXIF date fields unformatted instead of
  showing a bogus current timestamp
* Reset $wgActionPaths during parser test; corrects some false failures
  in the automated test report.
* (bug 4875) Define a div containing the shared image description
* (bug 4860) Expose Title->userCan() as Hooks
* (bug 4828) Fix genitive month-name variable for cs, pl, uk
* (bug 4842) Fix 'show number of watching users' with enhanced RC
* (bug 4889) Fix image talk namespace for Tamil
* (bug 4147) Added cleanupWatchlist.php to clear out bogus watchlist entries
* (partial bug 3456) Disable auto redirect to Main Page after account creation
* (bug 4824) Separate out IE7 CSS compat hacks, fix for RTL pages
* Added support for wikidiff2 and similar external diff engines.
* Allow cookies to be shared between multiple wikis with a shared user database
* Blocking some Unicode whitespace characters in usernames. Should check
  if some or all should be blocked from all page titles.
* Unknown log types no longer throw notices everywhere in RecentChanges
* (bug 4502, 5017) Don't render potentially hostile deleted page contents
  on Special:Undelete by default; show source, with an optional preview.
  The revisions list no longer shows the latest text by default, so it can
  still be operated if the text is hostile.
* (bug 5013) Check for existence on "return to" links
* Removed trailing whitespace on a bunch more messages.
* Fix missing bad title check in Special:Booksources
* Remove empty booksources string in fy
* Avoid corrupting <gallery> inside <!-- comment -->
* Remove legacy PHPTal code, hasn't been maintained in ages.
* Tweak Userlogin include order for APC issue
* Don't try to link to current page on protection tab
* More exact checking in Title::equals() to fix moves of numerically similar
  page titles. (Odd hex title bug on 64-bit.)
* Fix explicit s-maxage=0 on raw pages; should help with proxy issues in
  generated stylesheets... hopefully...
* (bug 4685) More fixes for Slovenian project namespace
* Fixed and slightly enhanced the Live Preview, which had been broken for some
  time
* Added article size limit, $wgMaxArticleSize
* (bug 4974) Don't follow redirected talk page on "new messages" link
* (bug 4970) Make category paging limits configurable
* (bug 4535) Warn user when editing CSS or JS subpage of a skin that doesn't
  exist
* Make Live Preview a user preference, still controllable by the global
  variable
* Rename the stub LanguageAls / LanguageGem_alsation to LanguageGsw to follow
  updated language code assignments
* (bug 5081) Remove bogus fix for invalid characters in links which simply
  broke use of legitimate multiple whitespace characters in bracketed link.
* (bug 4838) Add relative oldids (prev, next, cur) for raw pages
  Patch by Lupin
* (bug 5086) Force image resize dimensions on ImageMagick, as for instance
  "-resize 100x35!"; some thumbs were off due to differences in rounding and
  would be generated smaller than expected.
* (bug 5062) Width sometimes one pixel short when using maximum heights
* Purge thumbnails and metadata cache for action=purge on an image page
* (bug 4273) Bounce back with a message when attempting to submit a new comment
  with an empty main textbox (user probably hit Enter in subject field)
* (bug 5141) Gracefully handle the new account link when createaccount off
* (bug 5150 and related) Fix missing ID attribute in HTML namespace selector
* (bug 5152) Proper HTML escaping on subpage breadcrumbs
* (bug 4855) Section edit links now have the section name in the title
  attribute.
* (bug 2115) Support shift-selecting multiple checkboxes with JavaScript.
* (bug 5161) Don't try to load template list for nonexistent pages
* (bug 5228) Workaround for broken LanguageConverter title overrides; avoid
  unnecessary hidden UI work when watch/unwatch is performed on edit
* Fixed bogus master fallback in external storage
* (bug 5246) Add speak:none to "hiddenStructure" class in main.css
* Further work on rev_deleted; changed to a bitfield with several data-hiding
  options. Not yet ready for production use; Special:Revisiondelete is
  incomplete, and the flags are not preserved across page deletion/undeletion.
  To try it, add the 'deleterevision' permission to a privileged group.
* (bug 5270) Fix broken linktrail for br, cv, fr, hr, nn, oc, ta, wa
* Add a clickable contribs link in user tool links (rc, watchlist, diff view)
  to see how people like it. (There was one in the old hacked-up diff view.)
* (bug 5236) Load wikibits.js before site-customized javascript
* (bug 4119) Workaround for <nowiki> following link in Walloon; remove capitals
  from linktrail, as they're not used anywhere else.
* (bug 4781) Output links with the percent-encoding they're supplied with;
  save the normalization for internal link storage. The normalization is a bit
  buggy and can make incorrect foldings in the query string and such, so isn't
  reliable beyond the hostname where it's used for the spam bulk checker.
* Don't URL-decode in the title attribute for URL links; it can produce false
  results that don't code back to their original values.
* (bug 4611) Add user preference (default on) to add new pages to creator's
  watchlist
* (bug 5286) Fix regression in display of missing/bad revision IDs
* (bug 4729) Add user preference that marks a user's edits as patrolled if user
  is able to
* (bug 4630) Add user preference to prompt users when entering blank edit
  summaries
* Added optional suggest feature for the search box. Set wgUseAjax to true to
  enable it.
* (bug 5277) Use audio/midi rather than audio/mid
* (bug 5410) Use namespace name when a custom namespace's nstab-NS message is
  nonexistent
* (bug 5432) Fix inconsistencies in cookie names when using table prefixes
* Additional protections against HTML breakage in table parsing
* (bug 5355) Include skin name and style JS settings in page source;
  fixes regression where Opera 6/7 and KHTML CSS fixes weren't applied
  when wikibits.js was moved up before user JS inclusion.
* Added $wgColorErrors: if set, database error messages will be highlighted
  when running command-line scripts in a Unix terminal.
* (bug 5195) rebuildrecentchanges.php works again; Database::insertSelect now
  has a parameter for select options.
* Fix updateSearchIndex.php for new schema
* Fix bogus "filename too short" error when uploading files with a period in the
  base name, e.g. "Mr. Zee.png"
* (bug 2139) Show page title in subtitle when viewing "read only" page
* (bug 5452) Update language name for Cree

== Compatibility ==

Older PHP 4.2 and 4.1 releases are no longer supported; PHP 4 users must
upgrade to 4.3 or later.

MediaWiki 1.6 is the last major version to support PHP 4; future versions will
require PHP 5.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

== Upgrading ==

Several changes to the database have been made from 1.5; these are relatively
minor but do require that the update process be run before the new code will
work properly:

* A new "templatelinks" table tracks template inclusions.
* A new "externallinks" table tracks URL links; this can be used by a mass
spam-cleanup tool in the SpamBlacklist extension.
* A new "jobs" table stores a queue of pages to update in the background; this
is used to update links in including pages when templates are edited.

To ensure that these tables are filled with data, run refreshLinks.php after
the upgrade.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

=== Caveats ===

Some output, particularly involving user-supplied inline HTML, may not produce
100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType
= "application/xhtml+xml"; to test for remaining problem cases, but this is not
recommended on live sites. (This must be set for MathML to display properly in
Mozilla.)


= MediaWiki 1.5 =

== MediaWiki 1.5.9 ==
* (bug 3359) Add hooks on completion of file upload

== MediaWiki 1.5.8 ==

March 26, 2006

MediaWiki 1.5.8 is a security and bugfix maintenance release.

A bug in decoding of certain encoded links could allow injection of raw
HTML into page output; this could potentially lead to XSS attacks.

Some minor UI fixes were also made, see the change log at the bottom of
this file.


== MediaWiki 1.5.7 ==

March 2, 2006

MediaWiki 1.5.7 is a bugfix maintenance release.

Most importantly, a security issue in the installer has been fixed. The bug
affects new installations of 1.5.6 only. If the user specified the MySQL root
password, to allow the installer to create an unprivileged account, the
installer would not only create the new account but also change the root
password to be equal to the password of the new account.

Anyone affected by this bug will need to change the root password back
manually. For information about how to change passwords in MySQL please see:
http://dev.mysql.com/doc/refman/5.1/en/passwords.html

This version includes fixes for compatibility with Internet Explorer 7
beta 2, and various other bugs; see the full changelog at the end of
the release notes.


== MediaWiki 1.5.6 ==

January 19, 2006

MediaWiki 1.5.6 is a security and bugfix maintenance release.

A bug in edit comment formatting could send PHP into an infinite loop
if certain malformed links were included. In most installations, this
would cause the script to fail after PHP's 30-second failsafe timeout.

Some improvements have been made to the installer which should make
installation possible on a system with a broken MySQL "root" account.

For several other minor fixes, see the complete changelog at the end
of this file.


== MediaWiki 1.5.5 ==

January 5, 2006

MediaWiki 1.5.5 is a security and bugfix maintenance release.

Detection for uploads of Windows Metafile (.wmf) images has been added
to help protect against a client-side vulnerability in unpatched Microsoft
Windows operating systems.

Sites which have enabled uploads and added non-standard file types
(such as .ogg, .doc, or .pdf) should upgrade to this release to ensure
that malicious .wmf files can't be uploaded with a fake extension;
such files could put visitors to the site at risk.

For more details on this, see:
https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

Additionally, a maintenance script removeUnusedAccounts.php has been added;
this replaces an older Perl script which had not been updated for the new
schema in 1.5.


== MediaWiki 1.5.4 ==

December 21, 2005

MediaWiki 1.5.4 is a security and bugfix maintenance release.

A hardcoded internal placeholder string has been replaced with a random
one. This closes a hole where security checks in inline style attributes
could be bypassed, injecting JavaScript code that could execute in
Microsoft Internet Explorer.

Other browsers would not be vulnerable.

Several minor fixes are included in this release, most notably a fix
to clear the "you have new messages" flag properly for usernames
containing spaces when e-mail notification is enabled.

See the changelog at the end of the release notes for a full list of
fixes.


== MediaWiki 1.5.3 ==

December 4, 2005

MediaWiki 1.5.3 is a security and bugfix maintenance release.

Validation of the user language option was broken by a code change in
May 2005, opening the possibility of remote code execution as this
parameter is used in forming a class name dynamically created with
eval().

The validation has been corrected in this version. All prior 1.5 release
and prerelease versions are affected; 1.4 and earlier are not affected.

Additionally several bugs have been fixed; see the changelog later in
this file for a complete list.
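
The 1.5.3 issue above is a user-supplied language option reaching a dynamically formed class name. The following is an added example, not MediaWiki's own code: it validates the option against a strict pattern and an allowlist before any class name is built, and instantiates without eval(). The function names, the `Language` class-name prefix, the allowlist and the stand-in classes are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of installed language codes (constructed for this example).
const INSTALLED_LANGUAGES = ['en', 'de', 'fr', 'zh-tw'];

// Stand-in language classes so the example runs on its own (not MediaWiki classes).
// There is deliberately no LanguageFr, to show the class_exists() fallback.
class LanguageEn {}
class LanguageDe {}
class LanguageZh_tw {}

/**
 * Return a safe language code, or $fallback when the input is not a
 * syntactically valid, installed code.
 */
function validateLanguageCode(mixed $input, string $fallback = 'en'): string
{
    // Request parameters can arrive as arrays; only strings are acceptable.
    if (!is_string($input)) {
        return $fallback;
    }
    $code = strtolower($input);

    // Syntax check: letters, then optional hyphen-separated alphanumeric parts.
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    if (preg_match('/\A[a-z]{2,8}(?:-[a-z0-9]{1,8})*\z/', $code) !== 1) {
        return $fallback;
    }

    // Membership check: a well-formed code must also be one that is installed.
    if (!in_array($code, INSTALLED_LANGUAGES, true)) {
        return $fallback;
    }
    return $code;
}

/** Map an already validated code to a class name, e.g. "zh-tw" -> "LanguageZh_tw". */
function languageClassName(string $validatedCode): string
{
    return 'Language' . ucfirst(str_replace('-', '_', $validatedCode));
}

/**
 * Build the language object for a user option. The unsafe pattern the release
 * note describes is passing the raw option into a string handed to eval();
 * here the class name comes only from validated input and no eval() is used.
 */
function loadLanguage(mixed $userOption): object
{
    $class = languageClassName(validateLanguageCode($userOption));

    // Instantiate only a class that is already defined; never autoload or
    // generate code based on a name derived from request data.
    if (!class_exists($class, false)) {
        $class = 'LanguageEn';
    }
    return new $class();
}

// Constructed sample inputs: valid codes, mixed case, and malformed values.
$samples = ['de', 'ZH-TW', 'fr', "en\n", 'en;x', '../fr', ['en']];
foreach ($samples as $input) {
    printf(
        "%-12s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        get_class(loadLanguage($input))
    );
}
```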


== MediaWiki 1.5.2 ==

November 2, 2005

MediaWiki 1.5.2 is a bugfix maintenance release.

A change in PHP 4.4.1 and PHP 5.1.0RC broke handling of extension and
<pre> sections, causing garbage data to be inserted in output and saved
edits. This version works around the change.

Several other glitches with MySQL 5.0 and PHP 5.0.5 were also fixed;
see the change log below for a complete list.


== MediaWiki 1.5.1 ==

October 26, 2005

MediaWiki 1.5.1 is a bugfix and security maintenance release, and is a
recommended upgrade for all installations.

This release includes further corrections to the inline CSS style sanitation
which works around a JavaScript "feature" on Microsoft Internet Explorer.
Users of Microsoft Internet Explorer for Windows may be vulnerable to
XSS injections on prior versions; users of standards-compliant browsers
are not vulnerable.

Major fixes include:
* Image pages work again with resizing disabled
* Works in MySQL 5.0 strict mode

There is experimental support in this release for explicitly declaring
the UTF-8 charset in the database; this has been tested with MySQL 5.0.15
but should work on 4.1 as well.

IMPORTANT: Changing this setting on an existing wiki may produce interesting
data corruption, depending on server configuration. Page contents should,
usually, be unaffected, but page titles and other items may be. Limitations
in MySQL's Unicode support mean that characters outside the BMP cannot be used
in page titles or various other fields when using this mode.

Table definitions are in maintenance/mysql5/tables.sql, and the runtime
option to send 'SET NAMES utf8' is set by $wgDBmysql5 = true.

(MySQL 3.23.x and 4.0.x do not support character set declarations; on these
versions MediaWiki simply works with UTF-8 data and MySQL is blissfully
unaware of it.)



== MediaWiki 1.5.0 final ==

October 5, 2005

MediaWiki 1.5.0 is the new stable release branch of MediaWiki, and is
recommended for all new installations.

Any wikis running a 1.5 beta or release candidate are strongly recommended
to upgrade to the final release, which includes a number of bug fixes and
a security fix for CSS bugs in Microsoft Internet Explorer.

IMPORTANT: Running a 1.3 or 1.4 wiki and don't want to jump to 1.5 yet?
Be sure to upgrade to 1.3.17 or 1.4.11, also released today. Versions
prior to 1.3.16 and 1.4.10 have a serious data corruption bug which is
triggered by a spambot known to operate in the wild.


=== What's new in 1.5? ===

Schema:
  The core table schema has changed significantly. This should make better
  use of the database's cache and disk I/O, and significantly speed up
  rename and delete operations on pages with very long edit histories.

  Unfortunately this does mean upgrading a wiki of size from 1.4 will require
  some downtime for the schema restructuring, but future storage backend
  changes should be able to integrate into the new system more easily.

Permalinks:
  The current revision of a page now has a permanent 'oldid' number assigned
  immediately, and the id numbers are now preserved across deletion/undeletion.
  A permanent reference to the current revision of a page is now just a matter
  of going to the 'history' tab and copying the first link in the list.

Page move log:
  Renames of pages are now recorded in Special:Log and the page history.
  A handy revert link is available from the log for sysops.

Editing diff:
  Ever lost track of what you'd done so far during an edit? A 'Show diff'
  button on the edit page now makes it easy to remember.

Uploads:
  It's now possible to specify the final filename of an upload distinct
  from the original filename on your disk.

  An image link for a missing file will now take you straight to the upload
  page.

  More metadata is pre-extracted from uploaded images, which will ease pressure
  on disk or NFS volumes used to store images. EXIF metadata is displayed on
  the image description page if PHP is configured with the necessary module.

  If .svg files are added to the upload whitelist, you can choose to render
  them to rasterized .png images for inline display using one of several
  external helper programs. See DefaultSettings.php for SVG options.

User accounts:
  There are some changes to the user permissions system, with assignable
  groups. Note that this does *not* allow you to make pages which are only
  accessible to certain groups.

  For details see: https://www.mediawiki.org/wiki/Manual:User_rights

E-mail:
  User-to-user e-mail can now be restricted to require a mail-back confirmation
  first to reduce potential for abuse with false addresses.

  Updates to user talk pages and watchlist entries can optionally send e-mail
  notifications.

External hooks:
  A somewhat experimental interface for hooking in an external editor
  application is included.

And...
  A bunch of stuff we forgot to mention.


=== What's gone? ===

Latin-1:
  Wikis must now be encoded in Unicode UTF-8; this has been the default for
  some time, but some languages could optionally be installed in Latin-1 mode.
  This is no longer supported.

  You can check if your current wiki is in Latin-1 mode by using your browser's
  "view source"; look for a line like this:

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

  If it says charset=utf-8, you're ready. If it says charset=iso8859-1,
  you may need to convert your data. (English-language wikis avoiding
  any accented characters may be able to get away without conversion.)

MySQL 3.x:
  Some optimization hacks for MySQL 3.x have been removed as part of the schema
  clean-up (specifically, the inverse_timestamp fields).

  MediaWiki 1.5 may still run on 3.x, but wikis of non-trivial size should
  very seriously consider upgrading to a more modern release. MySQL 3.x support
  will probably be entirely dropped in the next major release.

Special:Maintenance
  These tools were, ironically enough, not really maintained. This special
  page has been removed; insofar as some of its pieces were useful and haven't
  already been supplanted by other special pages they should be rewritten in
  an efficient and safe manner in the future.


=== Caveats ===

Upgrade:
  Wikis in Latin-1 encoding are no longer supported; only Unicode UTF-8.
  A new option $wgLegacyEncoding is provided to allow on-the-fly recoding of
  old page text entries, but other metadata fields (titles, comments etc) need
  to be pre-converted. The standard upgrade process does not yet fully automate
  this, but you can try the alternate partial-upgrader in upgrade1_5.php.

  The upgrade from 1.4 to 1.5 schema has not been tested for all cases, so
  it's possible you may experience problems in some combinations.

Backups:
  The text entries of deleted pages are no longer removed from the main
  text table on deletion. If you provide public backup dumps of your databases,
  you will probably want to use the new XML-format dump generator, available
  as maintenance/dumpBackup.php.

  For more information on how we run our own public data dumps at Wikimedia,
  see http://meta.wikimedia.org/wiki/Data_dumps

PostgreSQL:
  The table definitions for PostgreSQL install are out of date. PostgreSQL
  support may return in later releases, pending appropriate patches.

MySQL 4.1+:
  Some users may encounter installation problems with MySQL 4.1 or higher
  due to strange charset encoding / collation configurations. Try setting
  to 'latin1' or 'utf8' if you encounter problems.



== MediaWiki 1.5 release candidate 4 ==

August 29, 2005

MediaWiki 1.5rc4 is a preview release of the new 1.5 release series.
It fixes compatibility with PHP 5.1, and corrects two cross-site scripting
security bugs:

* <math> tags were handled incorrectly when TeX rendering support is off,
  as in the default configuration.
* Extension or <nowiki> sections in Wiki table syntax could bypass HTML
  style attribute restrictions for cross-site scripting attacks against
  Microsoft Internet Explorer

Wikis where the optional math support has been *enabled* are not vulnerable
to the first, but are vulnerable to the second.



== MediaWiki 1.5 release candidate 3 ==

August 24, 2005

MediaWiki 1.5rc3 is a preview release of the new 1.5 release series.
It fixes several major problems in 1.5rc2:

* Fixed a cross-site scripting injection in the search form
  (broken since 1.5beta1)

* Fixed upgrades from 1.4 database schema
  (broken since 1.5rc2)

1.3 and 1.4 releases are not vulnerable to the XSS bug, but anyone
running an earlier 1.5 beta or release candidate should upgrade
immediately.


== MediaWiki 1.5 release candidate 2 ==

August 23, 2005

MediaWiki 1.5rc2 is a preview release of the new 1.5 release series.
Numerous bug fixes since last beta, plus a security fix; see change
log below for full details.

A flaw in the interaction between extensions and HTML attribute
sanitization was discovered which could allow unauthorized use
of offsite resources in style sheets, and possible exploitation
of a JavaScript injection feature on Microsoft Internet Explorer.

This version expands the returned text and properly checks it
before output.

A 1.5rc1 release was mistakenly made from the incorrect source code
branch; 1.5rc2 is identical to the actual 1.5rc1 in revision control
except for version number.


== MediaWiki 1.5 beta 4 ==

July 30, 2005

MediaWiki 1.5 beta 4 is a preview release of the new 1.5 release series.
A number of bugs have been fixed since beta 3; see the full changelist below.


== MediaWiki 1.5 beta 3 ==

July 7, 2005

MediaWiki 1.5 beta 3 is a preview release of the new 1.5 release
series, with a security update over beta 2.

Incorrect escaping of a parameter in the page move template could
be used to inject JavaScript code by getting a victim to visit a
maliciously constructed URL. Users of vulnerable releases are
recommended to upgrade to this release.

Vulnerable versions:
* 1.5 preview series: n <= 1.5beta2 vulnerable, fixed in 1.5beta3
* 1.4 stable series: 1.4beta6 <= n <= 1.4.5 vulnerable, fixed in 1.4.6
* 1.3 legacy series: not vulnerable

This release also includes several bug fixes and localization updates.
See the changelog at the end of this file for a detailed list.



== MediaWiki 1.5 beta 2 ==

July 5, 2005

MediaWiki 1.5 beta 2 is a preview release of the new 1.5 release series.
While most exciting new bugs should have been ironed out at this point,
third-party wiki operators should probably not run this beta release
on a public site without closely following additional development.

Anyone who _has_ been running beta 1 is very very strongly advised to
upgrade to beta 2, as it fixes many bugs from the previous beta including
a couple of HTML and SQL injections.

This release should be followed by one or two release candidates and
a 1.5.0 final within the next few weeks.

Beta upgraders, note there are some minor database changes. For upgrades
from 1.4, see the file UPGRADE for details on significant database and
configuration file changes.

Beta 2 includes a preliminary command-line XML wiki dump importer tool,
maintenance/importDump.php, paired with maintenance/dumpBackup.php.
These use the same format as Special:Export and Special:Import, able
to package a wiki's entire page set independent of the backend database
and compression format.


== MediaWiki 1.5 beta 1 ==

June 26, 2005

MediaWiki 1.5 beta 1 is a preview release, pretty much feature complete,
of the new 1.5 release series. There are several known and likely a number
of unknown bugs; it is not recommended to use this release in a production
environment but would be recommended for testing in mind of an upcoming
deployment.

A number of significant changes have been made since the alpha releases,
including database changes and a reworking of the user permissions settings.
See the file UPGRADE for details of upgrading and changing your prior
configuration settings for the new system.



== MediaWiki 1.5 alpha 2 ==

June 3, 2005

MediaWiki 1.5 alpha 2 includes a lot of bug fixes, feature merges,
and a security update.

Incorrect handling of page template inclusions made it possible to
inject JavaScript code into HTML attributes, which could lead to
cross-site scripting attacks on a publicly editable wiki.

Vulnerable releases and fix:
* 1.5 prerelease: fixed in 1.5alpha2
* 1.4 stable series: fixed in 1.4.5
* 1.3 legacy series: fixed in 1.3.13
* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended


== MediaWiki 1.5 alpha 1 ==

May 3, 2005

This is a testing preview release, being put out mainly to aid testers in
finding installation bugs and other major problems. It is strongly recommended
NOT to run a live production web site on this alpha release.

**  WARNING: USE OF THIS ALPHA RELEASE MAY INFEST YOUR HOUSE WITH  **
**  TERMITES, ROT YOUR TEETH,  GROW HAIR ON YOUR PALMS, AND PASTE  **
**  INNUENDO  INTO  YOUR  C.V.  RIGHT  BEFORE  A  JOB  INTERVIEW!  **
**  DON'T SAY WE DIDN'T WARN YOU, MAN. WE TOTALLY DID RIGHT HERE.  **


=== Smaller changes since 1.4 ===

Various bugfixes, small features, and a few experimental things:

* 'live preview' reduces preview reload burden on supported browsers
* support for external editors for files and wiki pages:
  https://www.mediawiki.org/wiki/Manual:External_editors
* Schema reworking:
  https://www.mediawiki.org/wiki/Proposed_Database_Schema_Changes/October_2004
* (bug 15) Allow editors to view diff of their change before actually submitting
  an edit
* (bug 190) Hide your own edits on the watchlist
* (bug 510): Special:Randompage now works for other namespaces than NS_MAIN.
* (bug 1015) support for the full wikisyntax in <gallery> captions.
* (bug 1105) A "Destination filename" (save as) added to Special:Upload.
* (bug 1352) Images on description pages now get thumbnailed regardless of
  whether the thumbnail is larger than the original.
* (bug 1662) A new magicword, {{CURRENTMONTHABBREV}} returns the abbreviation of
  the current month
* (bug 1668) 'Date format' supported for other languages than English, see:
  https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/5SH5IDCNYZTRBQQZ33GS7WYDEJ3PSEZE/
* (bug 1739) A new magicword, {{REVISIONID}} gives you the article or diff
  database revision id, useful for proper citation.
* (bug 1998) Updated the Russian translation.
* (bug 2064) Configurable JavaScript mimetype with $wgJsMimeType
* (bug 2084) Fixed a regular expression in includes/Title.php that was accepting
  invalid syntax like #REDIRECT [[foo] in redirects
* It's now possible to invert the namespace selection at Special:Allpages and
  Special:Contributions
* No longer using sorbs.net to check for open proxies by default.
* What was $wgDisableUploads is now $wgEnableUploads, and should be set to true
  if one wishes to enable uploads.
* Supplying a reason for a block is no longer mandatory
* Language conversion support for category pages
* $wgStyleSheetDirectory is no longer an alias for $wgStyleDirectory;
* Special:Movepage can now take parameters like Special:Movepage/Page_to_move
  (used to just be able to take parameters via a GET request like
  index.php?title=Special:Movepage&target=Page_to_move)
* (bug 2151) The delete summary now includes editor name, if only one has edited
  the article.
* (bug 2105) Fixed from argument to the PHP mail() function. A missing space
  could prevent sending mail with some versions of sendmail.
* (bug 2228) Updated the Slovak translation
* ...and more!


=== Changes since 1.5alpha1 ===

* (bug 73) Category sort key is set to file name when adding category to
  file description from upload page (previously it would be set to
  "Special:Upload", causing problems with category paging)
* (bug 419) The contents of the navigation toolbar are now editable through
  the MediaWiki namespace on the  MediaWiki:navbar page.
* (bug 498) The Views heading in MonoBook.php is now localizable
* (bug 898) The wiki can now do advanced sanity check on uploaded files
  including virus checks using external programs.
* (bug 1692) Fix margin on unwatch tab
* (bug 1906) Generalize project namespace for Latin localization, update
  namespaces
* (bug 1975) The name for Limburgish (li) changed from "Lèmburgs" to "Limburgs"
* (bug 2019) Wrapped the output of Special:Version in <div dir='ltr'> in order
  to preserve the correct flow of text on RTL wikis.
* (bug 2067) Fixed crash on empty quoted HTML attribute
* (bug 2075) Corrected namespace definitions in Tamil localization
* (bug 2079) Removed links to Special:Maintenance from movepagetext message
* (bug 2094) Multiple use of a template produced wrong results in some cases
* (bug 2095) Triple-closing-bracket thing partly fixed
* (bug 2110) "noarticletext" should not display on Image page for "sharedupload"
  media
* (bug 2150) Fix tab indexes on edit form
* (bug 2152) Add missing bgcolor to attribute whitelist for <td> and <th>
* (bug 2176) Section edit 'show changes' button works correctly now
* (bug 2178) Use temp dir from environment in parser tests
* (bug 2217) Negative ISO years were incorrectly converted to BC notation
* (bug 2234) allow special chars in database passwords during install
* Deprecated the {{msg:template}} syntax for referring to templates, {{msg: is
  now the wikisyntax representation of wfMsgForContent()
* Fix for reading incorrectly re-gzipped HistoryBlob entries
* HistoryBlobStub: the last-used HistoryBlob is kept open to speed up
  multiple-revision pulls
* Add $wgLegacySchemaConversion update-time option to reduce amount of
  copying during the schema upgrade: creates HistoryBlobCurStub reference
  records in text instead of copying all the cur_text fields. Requires
  that the cur table be left in place until/unless such fields are migrated
  into the main text store.
* Special:Export now includes page, revision, and user id numbers by
  default (previously this was disabled for no particular reason)
* dumpBackup.php can dump the full database to Export XML, with current
  revisions only or complete histories.
* The group table was renamed to groups because "group" is a reserved word in
  SQL which caused some inconveniences.
* New fileicons for c, cpp, deb, dvi, exe, h, html, iso, java, mid, mov, o,
  ogg, pdf, ps, rm, rpm, tar, tex, ttf and txt files based on the KDE
  crystalsvg theme.
* Fixed a bug in Special:Newimages that made it impossible to search for '0'
* Added language variant support for Icelandic, now supports "Íslenzka"
* The #p-nav id in MonoBook is now #p-navigation
* Putting $4 in msg:userstatstext will now give the percentage of
  administrators out of normal users.
* links and brokenlinks tables merged to pagelinks; this will reduce pain
  dealing with moves and deletes of widely-linked pages.
* Add validate table and val_ip column through the updater.
* Simple rate limiter for edits and page moves; set $wgRateLimits
  (somewhat experimental; currently needs memcached)
* (bug 2262) Hide math preferences when TeX is not enabled
* (bug 2267) Don't generate thumbnail at the same size as the source image.
* Fix rebuildtextindex.inc for new schema
* Remove linkscc table code, no longer used.
* (bug 2271) Use faster text-only link replacement in image alt text
  instead of rerunning expensive link lookup and HTML generation.
* Only build the HTML attribute whitelist tree once.
* Replace wfMungeToUtf8 and do_html_entity_decode with a single function
  that does both numeric and named chars: Sanitizer::decodeCharReferences
* Removed some obsolete UTF-8 converter functions
* Fix function comment in debug dump of SQL statements
* (bug 2275) Update search index more or less right on page move
* (bug 2053) Move comment whitespace trimming from edit page to save;
  leaves the whitespace from the section comment there on preview.
* (bug 2274) Respect stub threshold in category page list
* (bug 2173) Fatal error when removing an article with an empty title from the
  watchlist
* Removed -f parameter from mail() usage, likely to cause failures and bounces.
* (bug 2130) Fixed interwiki links with fragments
* (bug 684) Accept an attribute parameter array on parser hook tags
* (bug 814) Integrate AuthPlugin changes to support Ryan Lane's external
  LDAP authentication plugin
* (bug 2034) Armor HTML attributes against template inclusion and links munging

=== Changes since 1.5alpha2 ===

* (bug 2319) Fix parse hook tag matching
* (bug 2329) Fix title formatting in several special pages
* (bug 2223) Add unique index on user_name field to prevent duplicate accounts
* (bug 1976) fix shared user database with a table prefix set
* (bug 2334) Accept null for attribs in wfElement without PHP warning
* (bug 2309) Allow templates and template parameters in HTML attribute zone,
  with proper validation checks. (regression from fix for 2304)
* Disallow close tags and enforce empty tags for <hr> and <br>
* Changed user_groups format quite a bit.
* (bug 2368) Avoid fatally breaking PHP 4.1.2 in a debug line
* (bug 2367) Insert correct redirect link record on page move
* (bug 2372) Fix rendering of empty-title inline interwiki links
* (bug 2384) Fix typo in regex for IP address checking
* (bug 650) Prominently link MySQL 4.1 help page in installer if a possible
  version conflict is detected
* (bug 2394) Undo incompatible breakage to {{msg:}} compatibility includes
* (bug 1322) Use a shorter cl_sortkey field to avoid breaking on MySQL 4.1
  when the default charset is set to utf8
* (bug 2400) don't send confirmation mail on account creation if
  $wgEmailAuthentication is false.
* (bug 2172) Fix problem with nowiki being replaced by marker strings
  when a template with a gallery was used.
* Guard Special:Userrights against form submission forgery
* (bug 2408) page_is_new was inverted (whoops!)
* Added wfMsgHtml() function for escaping messages and leaving params intact
* Fix ordering of Special:Listusers; fix groups list so it shows all groups
  when searching for a specific group and can't be split across pages
* (bug 1702) Display a handy upload link instead of a useless blank link
  for [[media:]] links to nonexistent files.
* (bug 873) Fix usage of createaccount permission; replaces $wgWhitelistAccount
* (bug 1805) Initialise $wgContLang before $wgUser
* (bug 2277) Added Friulian language file
* (bug 2457) The "Special page" href now links to the current special page
  rather than to "".
* (bug 1120) Updated the Czech translation
* A new magic word, {{SCRIPTPATH}}, returns $wgScriptPath
* A new magic word, {{SERVERNAME}}, returns $wgServerName
* A new magic word, {{NUMBEROFFILES}}, returns the number of rows in the image
  table
* Special:Imagelist displays titles with " " instead of "_"
* Less gratuitous munging of content sample in delete summary
* badaccess/badaccesstext to supersede sysop*, developer* messages
* Changed $wgGroupPermissions to more cut-n-paste-friendly format
* 'developer' group deprecated by default
* Special:Upload now uses 'upload' permission instead of hardcoding login check
* Add 'importupload' permission to disable direct uploads to Special:Import
* (bug 2459) Correct escaping in Special:Log prev/next links
* (bug 2462 etc) Taking out the experimental dash conversion; it broke too many
  things for the current parser to handle cleanly
* (bug 2467) Added a Turkish language file
* Fixed a bug in Special:Contributions that caused the namespace selection to
  be forgotten between submits
* Special:Watchlist/edit now has namespace subheadings
* (bug 1714) the "Save page" button now has right margin to separate it from
  "Show preview" and "Show changes"
* Special:Statistics now supports action=raw, useful for bots designed to
  harvest e.g. article counts from multiple wikis.
* The copyright confirmation box at Special:Upload is now turned off by default
  and can be turned back on by setting $wgCopyrightAffirmation to a true value.
* Restored prior text for password reminder button and e-mail, replacing
  the factually inaccurate text that was there.
* (bug 2178) Fix temp dir check again
* (bug 2488) Format 'deletedtext' message as wikitext
* (bug 750) Keep line endings consistent in LocalSettings.php
* (bug 1577) Add 'printable version' tab in MonoBook for people who don't
  realize you can just hit print to get a nicely formatted printable page.
* Trim whitespace from option values to weather line-ending corruption problems
* Fixed a typo in the Romanian language file (NS_MESIA => NS_MEDIA)
* (bug 2504) Updated the Finnish translation
* (bug 2506, 2512) Updated the Nynorsk translation
* (bug 996) Replace $wgWhitelistEdit with 'edit' permission; fixup UPGRADE
  documentation about edit and read whitelists.
* (bug 2515) Fix incremental link table update
* Removed some wikipedia-specifica from LanguageXx.php's
* (bug 2496) Allow MediaWiki:edithelppage to point to external page
* Added a versionRequired() function to OutputPage, useful for extension
  writers that want to control what version of MediaWiki their extension
  can be used with.
* Serialized user objects now checked for versioning
* Fix for interwiki link regression
* Printable link shorter in monobook
* Experimental Latin-1-and-replication-friendly upgrader script
* (bug 2520) Don't show enotif options when disabled

=== Changes since 1.5beta1 ===

* (bug 2531) Changed the interwiki name for sh (Serbocroatian) to
  Srpskohrvatski/Српскохрватски (was Српскохрватски (Srbskohrvatski))
* Nonzero return code for command-line scripts on wfDebugDieBacktrace()
* Conversion fix for empty old table in upgrade1_5.php
* Try reading revisions from master if no result on slave
* (bug 2538) Suppress notice on user serialized checks
* Fix paging on Special:Contributions
* (bug 2541) Fix unprotect tab
* (bug 1242) category list now shows on edit page
* Skip sidebar entries where link text is '-'
* Convert non-UTF-8 URL parameters even if referer is local
* (bug 2460) <img> width & height properly filled when resizing image
* (bug 2273) deletion log comment used user interface language
* Try reading revision _text_ from master if no result on slave
* Use content-language message cache for raw view of message pages
* (bug 2530) Not displaying talk pages on Special:Watchlist/edit
* Fixed a bug that would occur if $wgCapitalLinks was set to false: a user
  agent could create a username that began with a lower case letter that was
  not in the ASCII character set (now uses $wgContLang->ucfirst() instead of
  PHP ucfirst())
* Moved the user name / password validity checking from
  LoginForm::addNewAccountInternal() to two new functions,
  User::isValidUserName() and User::isValidPassword(), extensions can now do
  these checks without rewriting code.
* Fix $wgSiteNotice when MediaWiki:Sitenotice is set to default '-'
* Fixed a bug where the watchlist count without talk pages would be off by a
  factor of two.
* upgrade1_5.php uses insert ignore, allows to skip image info initialization
* Fix namespaces in category list.
* Add rebuildImages.php to update image metadata fields
* Special:Ancientpages is expensive in new schema for now
* (bug 2568) Fixed a logic error in the Special:Statistics code which caused
  the displayed percentage of admins to be totally off.
* (bug 2560) Don't show blank width/height attributes for missing size
* Don't show bogus messages about watchlist notifications when disabled
* Don't show old debug messages in watchlist
* (bug 2576) Fix recording of transclusion links
* (bug 2577) Allow sysops to enter non-standard block times
* Fixed a bug where Special:Contributions wouldn't remember the 'invert'
  status between next/previous buttons.
* Move MonoBook printable link from tab to sidebar
* (bug 2567) Fix HTML escaping on category titles in list
* (bug 2562) Show rollback link for current revisions on diff pages
* (bug 2583) Add --missing option on rebuildImages.php to add db entries
  for uploaded files that don't have them
* (bug 2572) Fix edit conflict handling
* (bug 2595) Show "Earlier" and "Latest" links on history go to the first/last
  page in the article history pager.
* Don't show empty-page text in 'Show changes' on new page
* (bug 2591) Check for end, fix limits on Whatlinkshere
* (bug 2584) Fix output of subcategory list
* (bug 2597) Don't crash when undeleting an image description page
* (bug 2564) Don't show "editingold" warning for recent revision
* Various code cleanup and HTML escaping fixlets
* Copy IRC-over-UDP update option from REL1_4
* (bug 2548) Keep summary on 'show changes' of section edit
* Move center on toc to title part to avoid breaking .toc style usage
* HTML sanitizer: correct multiple attributes by keeping last, not first
* (bug 2614) Fix section edit links on diff-to-current with oldid set
  Also fix navigation links on current-with-oldid view.
* (bug 2620) Return to prior behavior for some more things (such as
  subpage parent links) on current-diff view.
* (bug 2618) Fix regression from another fix; show initial preview for
  categories only if the page does not exist.
* (bug 2625) Keep group & user settings when paging in Listusers
* (bug 2627) Fix regression: diff radio button initial selection
* Copy fix for old search URLs with Lucene search plugin from REL1_4
* (bug 619) Don't use incompatible diff3 executable on non-Linux systems.
* (bug 2631) Fix Hebrew namespaces.
* (bug 2630) Indicate no-longer-valid cached entries in BrokenRedirects list
* (bug 2644, 2645) "cur" diff links in page history, watchlist and
  recentchanges should specify current ID explicitly.
* (bug 2609) Fix text justification preference with MonoBook skin.
* (bug 2594) Display article tab as red for non-existent articles.
* (bug 2656) Fix regression: prevent blocked users from reverting images
* (bug 2629) Automatically capitalize usernames again instead of
  rejecting lowercase with a useless error message
* (bug 2661) Fix link generation in contribs
* Add support for &preload=Page_name (load text of an existing page into
  edit area) and &editintro=Page_name (load text of an existing page instead
  of MediaWiki:Newpagetext) to &action=edit, if page is new.
* (bugs 2633, 2672, 2685, 2695) Fix Estonian, Portuguese, Italian, Finnish and
  Spanish numeric formatting
* Fixed Swedish numeric formatting
* (bug 2658) Fix signature time, localtime to match timezone offset again
* Files from shared repositories (e.g. commons) now display with their
  image description pages when viewed on local wikis.
* Restore compatibility namespace aliases for French Wikipedia
* Fix diff order on Enhanced RC 'changes' link
* (bug 2650) Fix national date type display on wikis that don't support
  dynamic date conversion.
* FiveUpgrade: large table hacks, install iw_trans update before links
* (bug 2648) Rename namespaces in Afrikaanse
* Special:Booksources checks if custom list page exists before using it
* (bug 1170) Fixed linktrail for da: and ru:
* (bug 2683) Really fix apostrophe escaping for toolbox tips
* (bug 923) Fix title and subtitle for rclinked special page
* (bug 2642) watchdetails message in several languages used <a></a> instead of
  [ ]
* (bug 2181) basic CSB language localisation by Tomasz G. Sienicki (thanks for
  the patch)
* Fix correct use of escaping in edit toolbar bits
* Removed language conversion support from Icelandic
* (bug 2616) Fix proportional image scaling, giving correct height
* (bug 2640) Include width and height attributes on unscaled images
* Workaround for mysterious problem with bogus epoch If-Last-Modified reqs
* (bug 1109) Suppress compressed output on 304 responses
* (bug 2674) Include some site configuration info in export data:
  namespaces definitions, case-sensitivity, site name, version.
* Use xml:space="preserve" hint on export <text> elements
* Make language variant selection work again for zh

=== Changes since 1.5beta2 ===

* Escaped & correctly in Special:Contributions
* (bug 2534) Hide edit sections with CSS to make right click to edit section
  work
* (bug 2708) Avoid undefined notice on cookieless login attempt
* (bug 2188) Correct template namespace for Greek localization
* Fixed number formatting for Dutch
* (bug 1355) add class noprint to commonPrint.css
* (bug 2350) Massive update for Limburgish (li) language using Wikipédia
* Massive update for Arab (ar) language using Wikipédia
* (bug 1560) Massive update for Kurdish (ku) language using Wikipédia
* (bug 2709) Some messages were not read from database
* (bug 2416) Don't allow search engine robots to index or follow nonexisting
  articles
* Fix escaping in page move template.
* (bug 153) Discrepancy between thumbnail size and <img> height attribute

=== Changes since 1.5beta3 ===

* Fix talk page move handling
* (bug 2721) New language file for Vietnamese with the Vietnamese number
  notation
* (bug 2749) &nbsp; would appear as a literal in image galleries for Cs, Fr,
  Fur, Pl and Sv
* (bug 787) external links being rendered when they only have one slash
* Fixed a missing typecast in Language::dateFormat() that would cause some
  interesting errors with signatures.
* (bug 2764) Number format for Nds
* (bug 1553) Stop forcing lowercase in Monobook skin for German language.
* (bug 1064) Implements Special:Unusedcategories
* (bug 2311) New language file for Macedonian
* Fix nohistory message on empty page history
* Fix fatal error in history when validation on
* Cleaned up email notification message formatting
* Finally fixed Special:Disambiguations that was broken since SCHEMA_WORK
* (bug 2761) fix capitalization of "i" in Turkish
* (bug 2789) memcached image metadata now cleared after deletion
* Add serialized version number to image metadata cache records
* (bug 2780) Fix thumbnail generation with GD for new image schema
* (bug 2791) Slovene numeric format
* (bug 655) Provide empty search form when searching for nothing
* Nynorsk numeric format fix
* (bug 2825) Fix regression in newtalk notifications for anons w/ enotif off
* (bug 2833) Fix bug in previous fix
* With $wgCapitalLinks off, accept off-by-first-letter-case in 'go' match
* Optional parameters for [[Special:Listusers]]
* (bug 2832) [[Special:Listadmins]] redirects to [[Special:Listusers/sysop]]
* (bug 785) Parser did not get out of <pre> with list elements
* Some shared upload fixes
* (bug 2768) section=new on nonexistent talk page does not add heading
* support preload= parameter for section=new
* show comment subject in preview when using section=new
* use comment form when creating a new talk page
* (bug 460) Properly handle <center> tags as a block.
* Undo inconsistent editing behavior change
* (bug 2835) Back out fix for bug 2802, caused regressions in category sort
* PHP 4.1.2 compatibility fix: define floatval() equivalent if missing
* (bug 2901) Number format for Catalan
* Special:Allpages performance hacks: index memcached caching, removed
  inverse checkbox, use friendlier relative offsets in index build
* Bring back "Chick" skin for mobile devices. It needs testing.
* Fix spelling of $wgForwardSearchUrl in DefaultSettings.php
* Specify USE INDEX on Allpages chunk queries, sometimes gets lost
  due to bogus optimization
* (bug 275) Section duplication fix
* Remove unused use of undefined variable in UserMailer
* Fix notice on search index update due to non-array
* (bug 2885) Fix fatal errors and notices in PHP 5.1.0beta3
* (bug 2931) Fix additional notices on reference use in PHP 4.4.0
* (bug 2774) Add three new $wgHooks to LogPage which enable extensions to add
  their own logtypes, see extensions/Renameuser/SpecialRenameuser.php for an
  example of this.
* (bug 740) Messages from extensions now appear in Special:Allmessages
* (bug 2857) fixed parsing of lists in <pre> sections
* (bug 796) Trackback support
* Fix 1.5 regression: weird, backwards diff links on new pages in enhanced RC
  are now suppressed as before.
* New skin: Simple
* "uselang" and "useskin" URL parameters can now be used in the URL when
  viewing a page, to change the language and skin of a page respectively.
* Skins can now be previewed in preferences
* (bug 2943) AuthPlugin::getCanonicalName() name canonicalization hook,
  patch from robla
* Wrap revision insert & page update in a transaction, rollback on late
  edit conflict.
* (bug 2953) 'other' didn't work in Special:Blockip when localized
* (bug 2958) Rollback and delete auto-summary should be in the project's
  content language
* Removed useless protectreason message
* Spelling fix: $wgUrlProtcols -> $wgUrlProtocols
* Switch Moldovan local name to cyrillic
* Fix typo in undefined array index access prevention
* (bug 2947) Update namespaces for sr localization
* (bug 2952) Added Asturian language file with translated namespaces
* (bug 2676) Apply a protective transformation on editing input/output
  for browsers that hit the Unicode blacklist. Patch by plugwash.
* (bug 2999) Fix encoding conversion of pl_title in upgrade1_5.php
* compressOld.php disabled, as it's known to be broken.


=== Changes since 1.5beta4 ===

* Fix Special:Allmessages under PHP 5
* (bug 2911) Special:Watchlist allowed only one type of limit at a time
* (bug 693) Special:Allmessages is excessively wide and redundant
* (bug 3001) Updated and applied live hack for recentchanges-based watchlist
* (bug 145) Finish 'exclude redirect' implementation in search form
* Rearranged Special:Movepage form to reduce confusion between destination
  title and reason input boxes
* (bug 2527) Always set destination filename when new file is selected
* (bug 3056) MySQL 3 compatibility fix: USE INDEX instead of FORCE INDEX
* PHP 4.1 compatibility fix: don't use new_link parameter to mysql_connect
  if running prior to 4.2.0 as it causes the call to fail
* (bug 3117) Fix display of upload size and type with tidy on
* (bug 1487) invalid html on empty list in banlist
* (bug 3017) Hotkey conflict for delete and show changes
* made pixel unit translatable and blocklistline now eats infiniteblock
  and expiringblock
* (bug 3092) Wrong numerical separator for big numbers in Serbian.
* (bug 2855) Credit for a unique author showed its realname even with
  $wgAllowRealName=false.
* New special page: SpecialMostlinked
* (bug 2393) Fix MIME type for Atom feeds ( application/rss+atom )
* Fix display of read-only lockfile message
* Added a new hook, 'AddNewAccount', which is run after account creation
* Update all stats fields on recount.sql
* Include software-visible client IP address in Special:Version comment
  as a proxy debugging aid
* (bug 3162) Fix 'undefined property page_is_new' error on watchlist
* (bug 1734) granting db permissions failed with db usernames containing '-'
* (bug 3170) wikititlesuffix was removed, use pagetitle instead
* (bug 3187) watchlist text refers to nonexistent "Stop watching" action
* (bug 3190) Added some date format choices for language sr
* (bug 1334) LanguageGa.php update
* (bug 1020) Changing user interface language does not work immediately
* (bug 2753) Some namespaces were not translated in LanguageTa.php (Tamil)
* (bug 3204) Fix typo breaking special pages in fy localization
* (bug 3210) Fix Media: links with remote image URL path
* (bug 3220) Fix escaping of block URLs in Recentchanges
* (bug 3238): Updated LanguageNn.php for 1_5 branch
* (bug 3192): properly check 'limit' parameter on Special:Contributions
* (bug 3244) Fix remote image loading hack, JavaScript injection on MSIE
* Fix URL sanitization in HTML attributes, which broke in this branch
* (bug 3475) anon contrib links on Special:Newpages


=== Changes since 1.5rc2 ===

* Fix upgrade from 1.4 due to version number check breakage
* Fix upgrade from 1.4 with no old revisions
* (bug 2108) Sort entries when using category browser
* XSS issue : now sanitize search query input


=== Changes since 1.5rc3 ===

* (bug 3280) Respect 'move' group permission on page moves
* (bug 2885) More PHP 5.1 fixes: skin, search, log, undelete
* Security fix for <math>
* Security fix for tables


=== Changes since 1.5rc4 ===

* (bug 3292) Fix move-over-redirect test when current entries are not plaintext
* (bug 2078) Don't hide watch tab on preview
* (bug 3306) Document $wgLocalTZoffset
* Support SVG rendering with rsvg
* Cap arbitrary SVG renders to given image size or $wgSVGMaxSize pixels wide
* (bug 3127) Render large SVGs at image page size correctly
* (bug 3448) Set page_len on undelete
* (bug 2800) Don't scale up small images on |thumb| without explicit size
* Use the real file link instead of the default-size rasterized version for
  large SVG images on image description page
* Include the file name/type/size line for non-resized images
* (bug 3412) Clean up date format handling so ~~~~-sigs work with default
  format as designed. Documentation comments updated.
* (bug 1423) LanguageJa.php update
* (bug 3405) Don't use raw letters as aliases of MSGNW: and SUBST:
* (bug 3485) Fix bogus warning about filename capitalization when off
* (bug 2792) Update rebuildrecentchanges.inc for new schema
* Special:Import/importDump fixes: report XML parse errors, accept <minor/>
* (bug 3489) PHP 5.1 compat problem with captioned images
* (bug 3350) Missing label for move talk page checkbox.
* (bug 2570) Add 'watch this page' checkbox on uploads, watch uploads
  by default when 'watchdefault' option is on
* (bug 3182) Clear link cache during import to prevent memory leak
* (bug 3573) Full Greek Translation
* (bug 3595) Warn and abort if importDump.php called in read-only mode.
* (bug 3598) Update message cache on message page deletion, patch by Tietew
* Blacklist additional MSIE CSS safety tricks


=== Changes since 1.5.0 ===

* (bug 3629) Fix date & time format for Frisian
* (bug 3641) Fix handling of unrecognized file uploads with known extensions
* (bug 3643) Fix image page display of large images with resizing disabled
* Fix meta robots tag on Special:Version again to avoid listing vulnerable
  versions for convenient harvesting by automated worms
* (bug 3684) Fix typo in fatal error backtraces in Hooks.php
* Backport fix for reference usage notice in Special:Search on PHP 4.4.0
* Backport database connect error display fix from HEAD
* (bug 2773) Print style sheet no longer overrides RTL text direction
* MonoBook skin top link id changed from "contentTop" to "top" (shared with
  name attribute)
* Wrap message page insertions in a transaction to speed up installation
* Fix Special:MovePage invalid HTML attribute for reason textarea
* Avoid notice warning on edit with no User-Agent header
* (bug 3734) Swapped out obsolete recount.sql with initStats.php
* (bug 3735) Fix to run under MySQL 5's strict mode
* (bug 3786) Experimental support for MySQL 4.1/5.0 utf8 charset mode
  NOTE: Enabling this may break existing wikis, and still doesn't
  work for all Unicode characters due to MySQL limitations.
* Sanitizer CSS comment processing order fix


=== Changes since 1.5.1 ===

* Fix Special:BrokenRedirects on MySQL 5.0
* (bug 3809) Backport fix for detecting diff3 failure
* MySQL 5.0 strict mode fix for moving unwatched pages
* (bug 3782) Throw fatal installation warning if mbstring.func_overload on.
  Why do people invent these crazy options that change language semantics?
* (bug 3762) Define missing Special:Import UI messages
* (bug 3771) Handle internal functions in backtrace in wfAbruptExit()
* (bug 3649) Remove obsolete, broken moveCustomMessages script
* (bug 3667) Add missing global in page move code
* (bug 3761) Avoid deprecation warnings in Special:Import
* (bug 2885) Remove unnecessary reference parameter which broke classic skin
  talk notification on PHP 5.0.5
* (bug 3845) Update attribute.php for 1.5 schema
* Fix Parser::unstrip on PHP 4.4.1 and PHP 5.1.0RC4


=== Changes since 1.5.2 ===

* (bug 3612) Remove old broken version of maintenance/compressOld.php
  The working version is in maintenance/storage/compressOld.php
* (bug 2740) Accept image deletions on 'enter' submit from MSIE
* (bug 3933) specify XML namespace for Atom 0.3 feeds
* (bug 3939) Don't try to load text for interwiki redirect target
* (bug 3948) Avoid notice warning in debug statement in bad search
* Recognize Special:Search consistently so read whitelist works
* (bug 4013) typo in fr
* (bug 3996) Fix text for new entries in RC RSS/Atom feed
* (bug 2894) Enhanced Recent Changes link fixes
* (bug 3065) Update both watched namespaces when renaming pages
* Move parentheses out of <a> link in Special:Contributions
* (bug 4071) Generate passwords long enough for $wgMinimalPasswordLength
* (bug 4035) Fix prev/next revision links on edit page
* (bug 4165) Correct validation for user language selection (data taint)
* Clearer message in DefaultSettings.php: edit LocalSettings.php instead


=== Changes since 1.5.3 ===

* (bug 3805) Clear 'new messages' flag properly in enotif mode
  for usernames containing spaces
* (bug 2714) Backlink from special:whatlinkshere was hard set as 'existing'
* (bug 4249) Typo in entities2literals.pl
* (bug 4233) Update for Japanese language
* (bug 4279) Small correction to LanguageDa.php
* (bug 4267) Switch dv sd ug ks arc languages to RTL
* (bug 3991) Allow the operation of wikicode on Protect move only text
* Added AutoAuthenticate hook for external User object suppliers
* Parser internal placeholder string now fully randomized for safety

=== Changes since 1.5.4 ===

* Maintenance script to delete unused user accounts
* Added detection for WMF files (application/x-msmetafile), added this
  MIME type to the default blacklist. Prevented inline display of images
  which are not of known image types. This is in response to
  https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

=== Changes since 1.5.5 ===

* (bug 4258) When installing under IIS, $wgArticlePath = "$wgScript?title=$1"
  should be set
* (bug 4510) Correct Barnes & Noble bookstore URLs
* (bug 4504) Use site language for namespace name resolution
* Installer fixes from HEAD backported; now uses a more sensible method of
  establishing which MySQL user to use, which clears up bug 921 et al. Minor
  changes to installer.
* Fix problem reported on mailing list where re-initialising stats didn't work
  (can't insert duplicate rows with the same id field)
* (bug 1122) gray out 'older revision' when viewing first article revision.
* Respect database prefix in dumpHTML.inc
* Minor improvements to removeUnusedAccounts.php maintenance script
* Fix for single-digit week numbers from {{CURRENTWEEK}}, broken by PHP 4.4.1
* Removed read-only check from Database::query()
* Added --conf option to command line scripts, allowing the user to specify a
  different LocalSettings.php.

=== Changes since 1.5.6 ===

* Default main page content improved per bug 4690
* Fix dependence on hardcoded UNIQ_PREFIX in LanguageConverter.php
* Fixed Special:Unlockdb
* Maintenance script to delete unused text records
* Maintenance script to delete non-current revisions
* Maintenance script to wipe a page and all revisions from the database
* (bug 4768) Wrong Russian translation (typo)
* Performance bugfix: propagate equality manually for Revision fetches
* (bug 4773) PHP fatal error when invalid title passed to Special:Export
* Added missing table defs. for transcache to installer schemas
* (bug 4824) IE7 beta 2 broke compatibility with PNG logo workarounds,
  and seems to work ok with other bits. No longer including the IE
  workarounds JavaScript for IE 7 and above.
* (bug 2532) Image directory structure migration bug
* (bug 4881) Correction to the fix for 1487; Ipblocklist showed 'no blocks'
  message at the end of the list even if there were blocks.
* (bug 4805) Removed more wikipedia-references from LanguageUk.php
* Introduce $wgWantedPagesThreshold per bug 5011; Special:Wantedpages will not
  list pages with less than this number of links. Defaults to 1.
* Allow customisation of paging limits for items in categories using the
  $wgCategoryPagingLimit global, per bug 4970.
* Improve "nogomatch" text to make it more obvious that a page can be created.
* (bug 5113) Spelling error in French language file
* Don't change the password of the MySQL root user.

=== Changes since 1.5.7 ===

* (bug 5180) User login page shows inappropriate email blurb
* Add the "AbortNewAccount" hook on account creation; see hooks.txt for more
  info.
* Update default "exporttext" to reflect that Special:Import exists
* Add links to useful material to the default main page content
* Fix fragment HTML injection

=== Changes since 1.5.8 ===

* Fixed obvious mistakes in Finnish (fi) translation
* Fixed obvious mistakes in Kurdish (ku) translation
* Merge two #p-search .pBody statements in monobook/main.css
* (bug 5156) Update for Hebrew language (he) translation
* Add the "UserRights" hook on user group changes; see hooks.txt for more info.
* Translated "listingcontinuesabbrev" for German

=== Caveats ===

Some output, particularly involving user-supplied inline HTML, may not
produce 100% valid or well-formed XHTML output. Testers are welcome to
set $wgMimeType = "application/xhtml+xml"; to test for remaining problem
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)

= MediaWiki 1.4 =

== MediaWiki 1.4.15 ==

(released March 26, 2006) MediaWiki 1.4.15 is a security maintenance release. A
bug in decoding of certain encoded links could allow injection of raw HTML into
page output; this could potentially lead to XSS attacks. Additionally, this
release may display more correctly in IE7 betas.

== MediaWiki 1.4.14 ==
(released January 19, 2006) MediaWiki 1.4.14 is a security and bugfix
maintenance release. A bug in edit comment formatting could send PHP into an
infinite loop if certain malformed links were included. In most installations,
this would cause the script to fail after PHP's 30-second failsafe timeout. For
several other minor fixes, see the complete changelog at the end of this file.

== MediaWiki 1.4.13 ==
(released January 5, 2006) MediaWiki 1.4.13 is a security maintenance
release. Detection for uploads of Windows Metafile (.wmf) images has been added
to help protect against a client-side vulnerability in unpatched Microsoft
Windows operating systems. Sites which have enabled uploads and added
non-standard file types (such as .ogg, .doc, or .pdf) should upgrade to this
release to ensure that malicious .wmf files can't be uploaded with a fake
extension; such files could put visitors to the site at risk. For more details
on this, see: https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability
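
An added example (not MediaWiki's own upload code) of the content-based check this release describes: the leading bytes of an upload are tested for the two WMF header forms, so a metafile is rejected even when it arrives under an allowed extension. The function names, the allow list and the sample byte strings are constructed for illustration.

```php
<?php
// Added example: content-based Windows Metafile detection, independent of the
// uploaded file's name. Function names and sample bytes are constructed.

/**
 * Classify the leading bytes of an upload as a Windows Metafile variant.
 * Returns 'wmf-placeable', 'wmf', or null when neither header form matches.
 */
function detectMetafile( string $head ): ?string {
	// Placeable WMF: 32-bit key 0x9AC6CDD7, stored little-endian.
	if ( strncmp( $head, "\xD7\xCD\xC6\x9A", 4 ) === 0 ) {
		return 'wmf-placeable';
	}
	// Standard WMF header: type (1 = memory, 2 = disk), header size in
	// 16-bit words (always 9), version (0x0100 or 0x0300), little-endian.
	if ( strlen( $head ) >= 6 ) {
		$h = unpack( 'vtype/vsize/vversion', $head );
		if ( ( $h['type'] === 1 || $h['type'] === 2 )
			&& $h['size'] === 9
			&& ( $h['version'] === 0x0100 || $h['version'] === 0x0300 )
		) {
			return 'wmf';
		}
	}
	return null;
}

/**
 * Decide whether an upload may be stored. The claimed extension is checked
 * against the allow list, but a metafile header rejects the file no matter
 * what name it arrived under.
 */
function checkUpload( string $name, string $bytes, array $allowedExt ): array {
	$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( !in_array( $ext, $allowedExt, true ) ) {
		return [ false, "extension '$ext' not allowed" ];
	}
	$kind = detectMetafile( substr( $bytes, 0, 64 ) );
	if ( $kind !== null ) {
		return [ false, "content is $kind but name claims .$ext" ];
	}
	return [ true, 'ok' ];
}

// Constructed sample uploads (not real files): only the header bytes matter.
$samples = [
	'song.ogg'   => "OggS\x00\x02" . str_repeat( "\x00", 20 ),
	'report.doc' => "\xD7\xCD\xC6\x9A\x00\x00" . str_repeat( "\x00", 16 ),
	'sheet.pdf'  => "\x01\x00\x09\x00\x00\x03" . str_repeat( "\x00", 12 ),
	'notes.pdf'  => "%PDF-1.4\n",
	'pic.wmf'    => "\x01\x00\x09\x00\x00\x03",
];
foreach ( $samples as $name => $bytes ) {
	[ $ok, $why ] = checkUpload( $name, $bytes, [ 'png', 'jpg', 'ogg', 'doc', 'pdf' ] );
	printf( "%-11s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why );
}
```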

== MediaWiki 1.4.12 ==
(released 2005-11-02) MediaWiki 1.4.12 is a bugfix and security maintenance
release. A change in PHP 4.4.1 broke handling of extension and
<nowiki><pre></nowiki> sections, causing garbage data to be inserted in output
and saved edits. This version works around the change. This release includes
further corrections to the inline CSS style sanitation which works around a
JavaScript "feature" on Microsoft Internet Explorer. Users of Microsoft
Internet Explorer for Windows may be vulnerable to XSS injections on prior 1.4
releases; users of standards-compliant browsers are not vulnerable.

== MediaWiki 1.4.11 ==
(released 2005-10-05) MediaWiki 1.4.11 is a security maintenance release.
Unsafe handling of CSS by Microsoft Internet Explorer could be exploited to
produce cross-site scripting attacks by JavaScript injection to clients running
that browser. This release blacklists several additional variants from use in
HTML inline style attributes. All publicly accessible wikis are recommended to
upgrade to reduce the risk to visitors using Microsoft web browsers. Note: the
MediaWiki 1.4.x series is not compatible with PHP 5.0.5 or higher. Upgrade to
the 1.5.0 release if you require this version of PHP 5.

== MediaWiki 1.4.10 ==
(released 2005-09-21) MediaWiki 1.4.10 is a security maintenance release. A bug
in edit submission handling could cause corruption of the previous revision in
the database if an abnormal URL was used, such as those used by some spambots.
Affected releases:
* 1.4.x <= 1.4.9; fixed in 1.4.10
* 1.3.x <= 1.3.15; fixed in 1.3.16
1.5 release candidates are not affected by this problem. All publicly editable
wikis are strongly recommended to upgrade immediately.
1.4 releases can be manually patched by changing this bit in EditPage.php:

<syntaxhighlight lang="php">
    function importFormData( &$request ) {
        if( $request->wasPosted() ) {
</syntaxhighlight>
to:
<syntaxhighlight lang="php">
    function importFormData( &$request ) {
        // Only import form data when the request is an explicit action=submit POST
        if( $request->getVal( 'action' ) == 'submit' && $request->wasPosted() ) {
</syntaxhighlight>

== MediaWiki 1.4.9 ==
(released 2005-08-29) MediaWiki 1.4.9 is a security maintenance release. It
corrects two cross-site scripting security bugs:
* <nowiki><math></nowiki> tags were handled incorrectly when TeX rendering
support is off, as in the default configuration.
* Extension or <nowiki><nowiki></nowiki> sections in Wiki table syntax could
bypass HTML style attribute restrictions for cross-site scripting attacks
against Microsoft Internet Explorer.

Wikis where the optional math support has been *enabled* are not vulnerable to
the first, but are vulnerable to the second.

== MediaWiki 1.4.8 ==
(released 2005-08-23) MediaWiki 1.4.8 is a bug fix and security maintenance
release. A flaw in the interaction between extensions and HTML attribute
sanitization was discovered which could allow unauthorized use of offsite
resources in style sheets, and possible exploitation of a JavaScript injection
feature on Microsoft Internet Explorer. This version expands the returned text
and properly checks it before output. Additionally, an update to
skins/MonoBook.php ensures that sites using the default MonoBook skin will
display correctly in the Internet Explorer 7 beta. (1.3 and 1.5 are not
affected by this bug.)

== MediaWiki 1.4.7 ==
(released 2005-07-16)
MediaWiki 1.4.7 is a bug fix release. Those affected by the following problems
in 1.4.6 should upgrade:
* Watchlist breakage on MySQL 3.23.x and with table prefix enabled
* Possible breakage in watchlist, some image resizing modes on PHP 4.1.2

1.4.6 included a fix for a cross-site scripting vulnerability, so anyone running
older 1.4 releases is very strongly encouraged to upgrade as well.

Note to upgraders: this version of MediaWiki is known to produce a large number
of notice-level warnings under the newly released PHP 4.4.0. These appear,
however, to be harmless; if you encounter them, add this to your
LocalSettings.php to suppress the notices:

  error_reporting( E_ALL & ~E_NOTICE );

PHP 5.1.0beta3 is known to be incompatible at this time.

== MediaWiki 1.4.6 ==
(released 2005-07-07) MediaWiki 1.4.6 is a bug fix and security update release.
Incorrect escaping of a parameter in the page move template could
be used to inject JavaScript code by getting a victim to visit a maliciously
constructed URL. Users of vulnerable releases are recommended to upgrade to
this release. Vulnerable versions:
* 1.5 preview series: n <= 1.5beta2 vulnerable, fixed in 1.5beta3
* 1.4 stable series: 1.4beta6 <= n <= 1.4.5 vulnerable, fixed in 1.4.6
* 1.3 legacy series: not vulnerable

This release also includes fixes for some rare but annoying HTTP errors, a PHP
4.1.2 breakage bug, and works around some template limitations introduced in
1.4.5. See the changelog at the end of this file for a detailed list of bugs
fixed.

== MediaWiki 1.4.5 ==
(released 2005-06-03) MediaWiki 1.4.5 is a security update and bugfix release.
Incorrect handling of page template inclusions made it possible to inject
JavaScript code into HTML attributes, which could lead to cross-site scripting
attacks on a publicly editable wiki. Vulnerable releases and fix:
* 1.5 prerelease: fixed in 1.5alpha2
* 1.4 stable series: fixed in 1.4.5
* 1.3 legacy series: fixed in 1.3.13
* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended

This release also includes a number of bug fixes (see changelog below) and
merges some large-server load balancing patches from Wikipedia.

An experimental rate limiter for page edits and moves can be enabled on a
global, per-IP, per-subnet, or per-user basis. See configuration options in
includes/DefaultSettings.php

== MediaWiki 1.4.4 ==
(released 2005-05-04) MediaWiki 1.4.4 is a bugfix release for the 1.4 stable
release series. Some bugs in the installer/updater and refreshLinks maintenance
script were introduced in the last release and have been corrected.

== MediaWiki 1.4.3 ==

(released 2005-04-28)

MediaWiki 1.4.3 is a bugfix release for the 1.4 stable release series.

Chiefly, this fixes a compatibility problem with PHP 5 and a minor link
table corruption bug on initial page save.


== MediaWiki 1.4.2 ==

(released 2005-04-20)

MediaWiki 1.4.2 is a security and bug fix release for the 1.4 stable release
series.

A cross-site scripting injection vulnerability was discovered, which
affects only MSIE clients and is only open if MediaWiki has been
manually configured to run output through HTML Tidy ($wgUseTidy).

Several other bugs are fixed in this release; see the changelog below.

All new installations are highly recommended to use 1.4.2 instead of
1.3.x; 1.3.x users should consider upgrading for bug fixes and new
features. Earlier 1.4.x release and beta users should upgrade to this
release for relevant bug fixes; see the changelog later in this file.


If you have trouble, remember to read this whole file and the online FAQ page
before asking for help:

https://www.mediawiki.org/wiki/Manual:FAQ


=== READ THIS FIRST: Upgrading ===

If upgrading from an older release, see the notes in the file UPGRADE.
There are a couple of minor database changes from the beta releases,
and somewhat larger changes from 1.3.x.

Upgrading from a previous 1.4.x stable release installation should
generally only require copying the new files over the old ones.


==== READ THIS FIRST, TOO: MySQL 4.1 AND 5.0 ====

MySQL 5.0 is a beta release, not yet ready for production use. If you
are using it, the notes below about 4.1 apply to you too.

If you have the choice of MySQL 4.0 or MySQL 4.1 and don't need 4.1 for
some other application, you should consider sticking with 4.0 for the
moment. 4.1 may require you to do extra fiddling to get things to work
due to changes that aren't fully backwards-compatible.

MySQL 4.1 has changed the authentication protocol in an incompatible
way; many PHP installations still use the older client libraries and
CANNOT CONNECT TO THE SERVER WITH A PASSWORD without some changes.

See: http://dev.mysql.com/doc/mysql/en/Old_client.html

If MySQL is set with utf-8 as the default character set, installation
may fail with "key too long" errors. Set the default charset to 'latin1'
for installation and it should work.

The mysqldump backup generator now applies an automatic conversion to
UTF-8, which may irretrievably corrupt your data. Pass the -charset option
with the original default charset (eg 'latin1') to skip the conversion.


==== READ THIS FIRST IF RUNNING ON A WINDOWS SERVER ====

MediaWiki is tested and deployed primarily under the Apache web server
on Linux/Unix systems. There are known to be problems running on
Microsoft's IIS which are not fully resolved. If you have a choice,
try running under Apache on Windows, or on a Unix/Linux box instead.

If you're having trouble with blank pages on IIS and can't switch,
try the workaround suggested in this bug report:
http://bugzilla.wikimedia.org/show_bug.cgi?id=1763


=== New features ===

* 'Recentchanges Patrol' to mark new edits that haven't yet been viewed.
* New, searchable deletion/upload/protection logs
* Image gallery generation (Special:Newimages and <gallery> tag)
* SVG rasterization support (requires external support tools)
* Users can select from the available localizations to override the
  default user interface language.
* Traditional/Simplified Chinese conversion support
* rel="nofollow" support to combat linkspam

The current implementation adds this attribute to _all_ external URL
links in wiki text (but not internal [[wiki links]] or interwiki links).
To disable the attribute for _all_ external links, add this line to your
LocalSettings.php:

  $wgNoFollowLinks = false;

For background information on nofollow see:

  http://www.google.com/googleblog/2005/01/preventing-comment-spam.html


=== Installation and compatibility ===

* The default MonoBook theme now works with PHP 5.0
* Installation on systems with PHP's safe mode or other oddities
  should work more reliably, as MonoBook no longer needs to
  create a compiled template file for the wiki to run.
* A table prefix may be specified, to avoid conflicts with other
  web applications forced to share a database.
* More thorough UTF-8 input validation; fixes non-ASCII uploaded
  filenames from Safari.
* Command-line database upgrade script.


=== Customizability ===

* Default user options can now be overridden in LocalSettings.
* Skins system more modular: templates and CSS are now in /skins/
  New skins can be dropped into this directory and used immediately.
* More extension hooks have been added.
* Authentication plugin hook.
* More internal code documentation, generated with phpdoc:
  https://doc.wikimedia.org/mediawiki-core/master/php/html/


=== Optimization ===

* For many operations, MediaWiki 1.4 should run faster and use
  less memory than MediaWiki 1.3. Page rendering is up to twice
  as fast. (Use a PHP accelerator such as Turck MMCache for best
  results with any PHP application, though!)
* The parser cache no longer requires memcached, and is enabled
  by default. This avoids a lot of re-rendering of pages that
  have been shown recently, greatly speeding longer page views.
* Support for compiled PHP modules to speed up page diff and
  Unicode validation/normalization. (Requires ability to compile
  and load PHP extensions).


=== What isn't ready yet ===

* A new user/groups permissions scheme has been held back to 1.5.
* An experimental SOAP interface will be made available as an extension
* PostgreSQL support is largely working, minus search and the installer.
  You can perform a manual installation.
* E-mail notification of watched page changes and verification of
  user-submitted e-mail addresses is not yet included.
* Log pages are not automatically imported into the new log table
  at upgrade time. A script to import old text log entries is
  incomplete, but may be available in later point releases.
* Some localizations are still incomplete.



== Changelog ==

=== Important security updates ===

A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases
prior to 1.4rc1 should upgrade immediately.

==== Cross-site scripting vulnerability ====

XSS injection points can be used to hijack session and authentication
cookies, as well as for more serious attacks.

* Media: links output raw text into an attribute value, potentially
  abusable for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and
  Safari MIME-type autodetection bugs.

As of 1.3.10/1.4beta6, per-user customized CSS and JavaScript is disabled
by default as a general precaution. Sites which want this ability may set
$wgAllowUserCss and $wgAllowUserJs in LocalSettings.php.


==== Cross-site request forgery ====

An attacker could use JavaScript-submitted forms to perform various
restricted actions by tricking an authenticated user into visiting
a malicious web page. A fix for page editing in 1.3.10/1.4beta6 has
been expanded in this release to other forms and functions.

Authors of bot tools may need to update their code to include the
additional fields.


==== Directory traversal ====

An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the
web server, and confirm existence of files not deletable.


==== Older issues ====

Note that 1.4 beta releases prior to beta 5 include an input validation
error which could lead to execution of arbitrary PHP code on the server.
Users of older betas should upgrade immediately to the current version.


Beta 6 also introduces the use of rel="nofollow" attributes on external
links in wiki pages to reduce the effectiveness of wiki spam. This will
cause participating search engines to ignore external URL links from wiki
pages for purposes of page relevancy ranking.


=== Misc bugs fixed in beta 1 ===

* (bug 95) Templates no longer limited to 5 inclusions per page
* New user preference for limiting the image size for images on image
  description pages
* (bug 530) Allow user to preview article on first edit
* (bug 479) [[RFC 1234]] will now make an internal link
* (bug 511) PhpTal skins showed bogus 'What links here' etc on special pages
* (bug 770) Adding filter and username exact search match for Special:Listusers
* (bug 733) Installer dies if it cannot write LocalSettings.php
* (bug 705) Various special pages no longer show the rss/atom feed links
* (bug 114) use category backlinks in Special:Recentchangeslinked

=== Beta 2 fixes ===

* (bug 987) Reverted bogus fix for bug 502
* (bug 992) Fix enhanced recent changes in PHP5
* (bug 1009) Fix Special:Makesysop when using table prefixes
* (bug 1010) fix broken Commons image link on Classic & Cologne Blue
* (bug 985) Fix auto-summary for section edits
* (bug 995) Close <a> tag
* (bug 1004) renamed norsk language links (twice)
* Login works again when using an old-style default skin
* Fix for load balancing mode, notify if using old settings format
* (bug 1014) Missing image size option on old accounts handled gracefully
* (bug 1027) Fix page moves with table prefix
* (bug 1018) Some pages fail with stub threshold enabled
* (bug 1024) Fix link to high-res image version on Image: pages
* (bug 1016) Fix handling of lines omitting Image: in a <gallery> tag
* security fix for image galleries
* (bug 1039) Avoid error message in certain message cache failure modes
* Fix string escaping with PostgreSQL
* (bug 1015) [partial] -- use comment formatter on image gallery text
* Allow customization of all UI languages
* use $wgForceUIMsgAsContentMsg to make regular UI messages act as content
* new user option for zh users to disable language conversion
* Defer message cache initialization, shaving a few ms off file cache hits
* Fixed Special:Allmessages when using table prefixes
* (bug 996) Fix $wgWhitelistRead to work again
* (bug 1028) fix page move over redirect to not fail on the unique index

=== Beta 3 fixes ===

* Hide RC patrol markers when patrol is disabled or not allowed to patrol.
* Fix language selection for upgraded accounts
* (bug 1076) navigation links in QueryPage should be translated by wgContLang.
* (bug 922) bogus DOS line endings in LanguageEl.php
* Fix index usage in contribs
* Caching and load limiting options for Recentchanges RSS/Atom feed
* (bug 1074) Add stock icons for non-image files in gallery/Newimages
* Add width and height attributes on thumbs in gallery/Newimages
* Enhance upload extension blacklist to protect against vulnerable
  Apache configurations

=== Beta 4 fixes ===

* (bug 1090) Fix sitesupport links in CB/classic skins
* Gracefully ignore non-legal titles in a <gallery>
* Fix message page caching behavior when $wgCapitalLinks is turned off
  after installation and the wiki is subsequently upgraded
* Database error messages include the database server name/address
* Paging support for large categories
* Fix image page scaling when thumbnail generation is disabled
* Select the content language in prefs when bogus interface language is set
* Fix interwiki links in edit comments
* Fix crash on banned user visit
* Avoid PHP warning messages when thumbnail not generated
* (bug 1157) List unblocks correctly in Special:Log
* Fix fatal errors in LanguageLi.php
* Undo overly bright, difficult to read colors in Cologne Blue
* (bug 1162) fix five-tilde date inserter
* Add raw signatures option for those who simply must have cute sigs
* (bug 1164) Let wikitext be used in Loginprompt and Loginend messages
* Add the dreaded <span> to the HTML whitelist
* (bug 1170) Fix Russian linktrail
* (bug 1168) Missing text on the bureaucrat log
* (bug 1180) Fix Makesysop on shared-user-table sites
* (bug 1178) Fix previous diff link when using 'oldid=0'
* (bug 1173) Stop blocked accounts from reverting/deleting images
* Keep generated stylesheets cache-separated for each user
* (bug 1175) Fix "preview on first edit" mode
* Fix revert bug caused by bug 1175 fix
* Fix CSS classes on minor, new, unpatrolled markers in enhanced RC
* Set MySQL 4 boolean search back to 'and' mode by default
* (bug 1193) Fix move-only page protection mode
* Fix zhtable Makefile to include the traditional manual table
* Add memcache timeout for the zh conversion tables
* Allow user customization of the zh conversion tables through
  Mediawiki:zhconversiontable
* Add zh-min-man (back) to language names list
* Ported $wgCopyrightIcon setting from REL1_3A
* (bug 1218) Show the original image on image pages if the thumbnail would be
  bigger than the original image
* (bug 1213) i18n of Special:Log labels
* (bug 1013) Fix jbo, minnan in language names list
* Added magic word MAG_NOTITLECONVERT to indicate that the title of the page
  does not need to be converted. Useful in zh:
* (bug 1224) Use proper date messages for date reformatter
* (bug 1241) Don't show 'cont.' for first entry of the category list
* (bug 1240) Special:Preferences was broken in Slovenian locale when
  $wgUseDynamicDates is enabled
* Added magic word MAG_NOCONTENTCONVERT to suppress the conversion of the
  content of an article. Useful in zh:
* write-lock for updating the zh conversion tables in memcache
* recursively parse subpages of MediaWiki:Zhconversiontable
* (bug 1144) Fix export for fy language
* make removal of an entry from zhconversiontable work
* (bug 752) Don't insert newline in link title for url with %0a
* Fix missing search box contents in MonoBook skin
* Add option to forward search directly to an external URL (eg google)
* Correctly highlight the fallback language variant when the selected
  variant is disabled. Used in zh: only for now.

=== Beta 5 fixes ===

* (bug 1124) Fix ImageGallery XHTML compliance
* (bug 1186) news: in the middle of a word
* (bug 1283) Use underlining and borders to highlight additions/deletions
  in diff-view
* Use user's local timezone in Special:Log display
* Show filename for images in gallery by default (restore beta 3 behavior)
* (bug 1201) Double-escaping in brokenlinks, imagelinks, categorylinks,
  searchindex
* When using squid reverse proxy, cache the redirect to the Main_Page
* (bug 1302) Fix Norwegian language file
* (bug 1205) Fix broken article saving in PHP 5.1
* (bug 1206) Implement CURRENTWEEK and CURRENTDOW magic keyword (will give
  number of the week and number of the day).
* (bug 1204) Blocks do not expire automatically
* (bug 1184) expiry time of indefinite blocks shown as the current time
* (bug 1317) Fix external links in image captions
* (bug 1084) Fix logo not rendering centrally in IE
* (bug 288) Fix tabs wrapping in IE6
* (bug 119) Fix full-width tabs with RTL text in IE
* (bug 1323) Fix logo rendering off-screen in IE with RTL language
* Show "block" link in Special:Recentchanges for logged in users, too, if
  wgUserSysopBans is true.
* (bug 1326) Use content language for '1movedto2' in edit history
* zh: Fix warning when HTTP_ACCEPT_LANGUAGE is not set
* zh: Fix double conversion for zh-sg and zh-hk
* (bug 1132) Fix concatenation of link lists in refreshLinks
* (bug 1101) Fix memory leak in refreshLinks
* (bug 1339) Fix order of @imports in Cologne Blue CSS
* Don't try to create links without namespaces ([[Category:]] link bug)
* Memcached data compression fixes
* Several valid XHTML fixes
* (bug 624) Fix IE freezing rendering whilst waiting for CSS with MonoBook
* (bug 211) Fix tabbed preferences with XHTML MIME type
* Fix for script execution vulnerability.

=== Beta 6 fixes ===

* (bug 1335) implement 'tooltip-watch' in Language.php
* Fix linktrail for nn: language
* (bug 1214) Fix prev/next links in Special:Log
* (bug 1354) Fix linktrail for fo: language
* (bug 512) Reload generated CSS on preference change
* (bug 63) Fix displaying as if logged in after logout
* Set default MediaWiki:Sitenotice to '-', avoiding extra database hits
* Skip message cache initialization on raw page view (quick hack)
* Fix notice errors in wfDebugDieBacktrace() in XML callbacks
* Suppress notice error on bogus timestamp input (returns epoch as before)
* Remove unnecessary initialization and double-caching of parser variables
* Call-tree output mode for profiling
* (bug 730) configurable $wgRCMaxAge; don't try to update purged RC entries
* Add $wgNoFollowLinks option to add rel="nofollow" on external links
  (on by default)
* (bug 1130) Show actual title when moving page instead of encoded one.
* (bug 925) Fix headings containing <math>
* (bug 1131) Fix headings containing interwiki links
* (bug 1380) Update Nynorsk language file
* (bug 1232) Fix sorting of cached Special:Wantedpages in miser mode
* (bug 1217) Image within an image caption broke rendering
* (bug 1384) Make patrol signs have the same width for page moves as for edits
* (bug 1364) fix "clean up whitespace" in Title:SecureAndSplit
* (bug 1389) i18n for proxyblocker message
* Add fur/Furlan/Friulian to language names list
* Add TitleMoveComplete hook on page renames
* Allow simple comments for each translation rules in MW:Zhconversiontable
* (bug 1402) Make link color of tab subject page link on talk page indicate
  whether article exists
* (bug 1368) Fix SQL error on stopword/short word search w/ MySQL 3.x
* Translated Hebrew namespace names
* (bug 1429) Stop double-escaping of block comments; fix formatting
* (bug 829) Fix URL-escaping on block success
* (bug 1228) Fix double-escaping on & sequences in [enclosed] URLs
* (bug 1435) Fixed many CSS errors
* (bug 1457) Fix XHTML validation on category column list
* (bug 1458) Don't save if edit form submission is incomplete
* Logged-in edits and preview of user CSS/JS are now locked to a session token.
* Per-user CSS and JavaScript subpage customizations now disabled by default.
  They can be re-enabled via $wgAllowUserJs and $wgAllowUserCss.
* Removed .ogg from the default uploads whitelist as an extra precaution.
  If your web server is configured to serve Ogg files with the correct
  Content-Type header, you can re-add it in LocalSettings.php:
    $wgFileExtensions[] = 'ogg';

=== RC1 fixes ===

* Fix notice error on nonexistent template in wikitext system message
* (bug 1469) add missing <ul> tags on Special:Log
* (bug 1470) remove extra <ul> tags from Danish log messages
* Fix notice on purge w/ squid mode off
* (bug 1477) hide details of SQL error messages by default
  Set $wgShowSQLErrors = true for debugging.
* (bug 1430) Don't check for template data when editing page that doesn't exist
* Recentchanges table purging fixed when using table prefix
* (bug 1431) Avoid redundant objectcache garbage collection
* (bug 1474) Switch to better-cached index for statistics page count
* Run Unicode normalization on all input fields
* Fix translation for allpagesformtext2 in LanguageZh_cn and LanguageZh_tw
* Block image revert without valid login
* (bug 1446) stub Bambara (bm) language file using French messages
* (bug 1432) Update Estonian localization
* (bug 1471) unclosed <p> tag in Danish messages
* convertLinks script fixes
* Corrections to template loop detection
* XHTML encoding fix for usernames containing & in Special:Emailuser
* (for zh) Search for variant links even when conversion is turned off,
  to help prevent duplicate articles.
* Disallow ISO 8859-1 C1 characters and "no-break space" in user names
  on Latin-1 wikis.
* Correct the name of the main page in LanguageIt
* Allow Special:Makesysop to work for usernames containing SQL special
  characters.
* Fix annoying blue line in Safari on scaled-down images on description page
* Increase upload sanity checks
* Fix XSS bug in Media: links
* Add cross-site form submission protection to various actions
* Fix fatal error on some dubious page titles
* Stub threshold displays correctly again


=== 1.4.0 final fixes ===

* (bug 65) Fix broken interwiki link encoding on Latin-1 wikis; force to UTF-8
* (bug 563) Fix UTF-8 interwiki URL redirects via Latin-1 wikis
* (bug 1536) Fix page info
* Support os (Ossetic) as language code, using Russian localization base
* (bug 1610) Support non (Old Norse) as language code, using Icelandic
  localization base
* (bug 1618) Properly list custom namespaces in Special:Allpages
* (bug 1622) Remove trailing ' >' when using category browser
* (bug 1570) Fix php 4.2.x error on conflict merging
* (bug 1585) Fix page title on post-login redirection page
* Run UTF-8 validation on old text in Recentchanges RSS diffs
* (bug 1642) fix a mime type typo in img_auth.php
* Automated interwiki redirects only for local interwikis
* Respect read-only mode on block removals
* Trim old illegal characters from syndication feeds
* Reduce message cache outage recovery delay from 1 day to 5 minutes
* (bug 1403) Update Finnish localization
* (bug 1478) Punjabi localization
* (bug 1667) Update script 5 second countdown.
* (bug 1057) Fix logging table encoding (error on MySQL 4.1)
* (bug 1680) Fix linktrail for fo
* (bug 1653) Removing hardcoded messages in Special:Allmessages
* (bug 1594) Render a hyphen in a formula as − in HTML
* (bug 1495) Fall back to default language MediaWiki: for custom messages
* (bug 1617) Show different error messages for "user does not
    exist" and "wrong password" when using AuthPlugin
* (bug 1532), (bug 1544) Changed language names for
    'bn', 'bo', 'dv', 'dz', 'ht', 'ii', 'li', 'lo', 'ng', 'or', 'pa', 'si',
    'ti', 've'
* Fix editing on non-Esperanto wiki with user language pref set to Esperanto
* Make conversion table for zh-sg default to zh-cn, and zh-hk default to zh-tw
* Fix PHP notice in MonoBook when counters disabled
* (bug 1696) Update namespaces, dates in uk localization
* (bug 551) Installer warns about magic_quotes_runtime and magic_quotes_sybase
  instead of trying to install with corrupt table files
* Installer no longer tries to move non-default MediaWiki: pages into Template:
* User-to-user email disabled by default ($wgEnableUserEmail)


=== 1.4.1 fixes ===

* (bug 1720) fix genitive month names for uk
* (bug 1704) fixed untranslatable string in Special:Log
* (bug 1638) Added Belarusian language file
* (bug 1736) typo in SpecialValidate.php
* (bug 73) Upload doesn't run edit updates on description page (links,
  search index and categories)
* (bug 646) <math> fails to recognize \ll and \gg
* (bug 926) \div element from TeX not supported in <math> element
* (bug 1147) add \checkmark to whitelist in texutil.ml
* (bug 937) \limits function from LaTeX not supported in <math> element
* Support for manually converting article title to different Chinese
  variants (for zh)
* (bug 1488, bug 1744) Fix encoding for preferences, dates in Latin-1 mode
* (bug 1042) Fix UTF-8 case conversion for PHP <4.3 with mbstring extension
* Fix code typo that broke article credits display
* Installation fixes for running under IIS
* (bug 1556) login page tab order. "remember" checkbox now comes after password.
* SQL debug log fixlets
* (bug 1815) Fix namespace in old revision display with mismatched title
* (bug 1788) Fix link duplication when edit/upload comment includes newlines
* Change default on $wgSysopUserBans and $wgSysopRangeBans to true
* Fix link conversion for URL request
* (bug 1851) Updated download URL for the SCIM packages used by zhtable
* (bug 1853) Try stripping quotes from term for 'go' title match
* Fix missing function in Latin1 mode
* (bug 1860) Anchors of interwiki links did not get normalized
* (bug 1847) accept lowercase x in ISBN, do not accept invalid A-W,Y,Z
* Fix link conversion for URL request, hopefully without breaking the wiki
* (bug 1849) New option allows categorized images to be considered as used on
  Special:Unusedimages
* Localized category namespace for ka (Georgian)
* (bug 1107) Work around includes problem in installer when parent dir is not
  readable by the web server
* (bug 1927) Incorrect escaping on wikitext message in Blockip


=== 1.4.2 fixes ===

* Fix math options in Finnish localization
* Use in-process Tidy extension if available when $wgUseTidy is on
* (bug 1933) Fix PATH_INFO usage under IIS with PHP ISAPI module
* (bug 1188) <nowiki> in {{subst:}} includes fixed
* (bug 1936) <!-- comments --> in {{subst:}} includes fixed
* Fix a potential MSIE JavaScript injection vector in Tidy mode


=== 1.4.3 fixes ===

* (bug 1636) Refs like <nowiki>&#0355;</nowiki> were misinterpreted as octal in some places
* (bug 1163) Special:Undelete showed oldest revision instead of newest
* (bug 1938) Fix escaping of illegal character references in link text
* (bug 1997) Fix for error on display of renamed items in Recentchanges on PHP5
* (bug 1949) Profiling typo in rare error case
* (bug 1963) Fix deletion log link when $wgCapitalLinks is off
* (bug 1970) Don't show move tab for immobile pages
* (bug 1770) Page creation recorded links from the 'newarticletext' message
* Optional change to the site_stats table. When applied, this removes the need
  for expensive queries in Special:Statistics.


=== 1.4.4 fixes ===

* (bug 725) Let dir="ltr" attribute work again in MonoBook on RTL languages
* (bug 2024) Skip JavaScript error for custom skins where .js message not set
* (bug 2025) Updated Indonesian localization
* (bug 2039) Updated Lithuanian localization


=== Caveats ===

Some output, particularly involving user-supplied inline HTML, may not
produce 100% valid or well-formed XHTML output. Testers are welcome to
set $wgMimeType = "application/xhtml+xml"; to test for remaining problem
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)


For notes on 1.3.x and older releases, see HISTORY.


=== Online documentation ===

Documentation for both end-users and site administrators is currently being
built up on MediaWiki.org, and is covered under the GNU Free Documentation
License:

  https://www.mediawiki.org/


=== Mailing list ===

A MediaWiki-l mailing list has been set up distinct from the Wikipedia
wikitech-l list:

  http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:
  http://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.


=== IRC help ===

There's usually someone online in #mediawiki on irc.freenode.net

=MediaWiki 1.3=

== MediaWiki 1.3.18 ==
(released 2005-11-02)
MediaWiki 1.3.18 is a bugfix and security maintenance release. A change in PHP
4.4.1 broke handling of extension and <nowiki><pre></nowiki> sections, causing
garbage data to be inserted in output and saved edits. This version works
around the change. This release includes further corrections to the inline CSS
style sanitation which works around a JavaScript "feature" on Microsoft
Internet Explorer. Users of Microsoft Internet Explorer for Windows may be
vulnerable to XSS injections on prior 1.3 releases; users of
standards-compliant browsers are not vulnerable.

== MediaWiki 1.3.17 ==
(released 2005-10-05)
MediaWiki 1.3.17 is a security maintenance release. Unsafe handling of CSS by
Microsoft Internet Explorer could be exploited to produce cross-site scripting
attacks by JavaScript injection to clients running that browser. This release
blacklists several additional variants from use in HTML inline style
attributes. All publicly accessible wikis are recommended to upgrade to reduce
the risk to visitors using Microsoft web browsers. Note: the MediaWiki 1.3.x
series is not compatible with PHP 5.0.5 or higher. Upgrade to the 1.5.0 release
if you require this version of PHP 5.

== MediaWiki 1.3.16 ==
(released 2005-09-21)
MediaWiki 1.3.16 is a security maintenance release. A bug in edit submission
handling could cause corruption of the previous revision in the database if an
abnormal URL was used, such as those used by some spambots. Affected releases:
* 1.4.x <= 1.4.9; fixed in 1.4.10
* 1.3.x <= 1.3.15; fixed in 1.3.16
1.5 release candidates are not affected by this problem. All publicly editable
wikis are strongly recommended to upgrade immediately.
1.3 releases can be manually patched by changing this bit in
{{manual|EditPage.php}}:
<syntaxhighlight lang="php">
    if( $this->tokenOk( $request ) ) {
        $this->save    = $request->wasPosted() && !$this->preview;
    } else {
</syntaxhighlight>
to:
<syntaxhighlight lang="php">
    if( $this->tokenOk( $request ) ) {
        $this->save    = $request->getVal( 'action' ) == 'submit' &&
                         $request->wasPosted() && !$this->preview;
    } else {
</syntaxhighlight>

== MediaWiki 1.3.15, 2005-08-29 ==
MediaWiki 1.3.15 is a security maintenance release. It corrects a cross-site
scripting security bug:
* <nowiki><math></nowiki> tags were handled incorrectly when TeX rendering support is off, as in the default configuration. Wikis where the optional math support has been *enabled* are not vulnerable.
The 1.3.x series is no longer maintained except for security fixes; new users
and those seeking bug fixes should upgrade to 1.4.9 or 1.5.0.

== MediaWiki 1.3.14, 2005-08-23 ==
MediaWiki 1.3.14 is a security maintenance release. A flaw in the interaction
between extensions and HTML attribute sanitization was discovered which could
allow unauthorized use of offsite resources in style sheets, and possible
exploitation of a JavaScript injection feature on Microsoft Internet Explorer.
The 1.3.x series is no longer maintained except for security fixes; new users
and those seeking bug fixes should upgrade to 1.4.8 or 1.5.0. Existing 1.3.x
installations not willing to upgrade to the current stable release should apply
the change manually:
In includes/Parser.php, function {{code|inline=y|lang=php|fixTagAttributes()}}
add:
<syntaxhighlight lang="php">
       # Any placeholder items should have been unstripped already before
       # we got to this point. Raw text inserted later could be dangerous.
       if( strpos( $t, UNIQ_PREFIX ) !== false ) {
           wfDebug( "Parser::fixTagAttributes found stripped data placeholder; dropping attributes\n" );
           $t = '';
       }
</syntaxhighlight>
If you are actively using extensions to generate HTML attribute values, upgrade
to 1.4 or 1.5 for a more thorough fix.

== MediaWiki 1.3.13, 2005-06-03 ==
MediaWiki 1.3.13 is a security maintenance release. Incorrect handling of page
template inclusions made it possible to inject JavaScript code into HTML
attributes, which could lead to cross-site scripting attacks on a publicly
editable wiki. Vulnerable releases and fix:
* 1.5 prerelease: fixed in 1.5alpha2
* 1.4 stable series: fixed in 1.4.5
* 1.3 legacy series: fixed in 1.3.13
* 1.2 series no longer supported; upgrade to 1.4.5 strongly recommended
The 1.3.x series is no longer maintained except for security fixes; new users
and those seeking general bug fixes should install 1.4.5. Existing 1.3.x
installations not willing or able to upgrade to the current stable release
should update the installation to 1.3.13; only includes/Parser.php has changed
from 1.3.12.

== MediaWiki 1.3.12, 2005-02-20 ==
MediaWiki 1.3.12 is a security maintenance release. A cross-site scripting
injection vulnerability was discovered, which affects only MSIE clients and is
only open if MediaWiki has been manually configured to run output through HTML
Tidy ($wgUseTidy). The 1.3.x series is no longer maintained except for security
fixes; new users and those seeking bug fixes should upgrade to 1.4.2. Existing
1.3.x installations using Tidy not willing to upgrade to the current stable
release should either turn off Tidy or update the installation to 1.3.12.

== MediaWiki 1.3.11, 2005-02-20 ==
MediaWiki 1.3.11 is a security release.
A security audit found and fixed a number of problems. Users of MediaWiki
1.3.10 and earlier should upgrade to 1.3.11; users of 1.4 beta releases should
upgrade to 1.4rc1.

=== Cross-site scripting vulnerability ===
XSS injection points can be used to hijack session and authentication cookies,
as well as for more serious attacks.
* Media: links output raw text into an attribute value, potentially abusable
for JavaScript injection. This has been corrected.
* Additional checks added to file upload to protect against MSIE and Safari
MIME-type autodetection bugs.
As of <code>1.3.10/1.4beta6</code>, per-user customized CSS and JavaScript is
disabled by default as a general precaution. Sites which want this ability may
set {{wg|AllowUserCss}} and {{wg|AllowUserJs}} in LocalSettings.php.

=== Cross-site request forgery ===
An attacker could use JavaScript-submitted forms to perform various restricted
actions by tricking an authenticated user into visiting a malicious web page. A
fix for page editing in 1.3.10/1.4beta6 has been expanded in this release to
other forms and functions. Authors of bot tools may need to update their code
to include the additional fields.

=== Directory traversal ===
An unchecked parameter in image deletion could allow an authenticated
administrator to delete arbitrary files in directories writable by the web
server, and confirm existence of files not deletable.
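
The kind of check that closes this class of bug, as an added example (not MediaWiki's own code): the request parameter is restricted to a plain file name and the resolved path must stay inside the upload directory. The function name <code>resolveInsideDir()</code>, the directory layout and the sample file names are hypothetical.

```php
<?php
// Added example, not MediaWiki code. Function, directory and file names are
// hypothetical; the sample files are constructed in a temporary directory.

/**
 * Map a request parameter to a regular file directly inside $baseDir.
 * Returns the resolved path, or null. "Bad name" and "no such file" give the
 * same null, so the caller cannot be used to confirm files elsewhere on disk.
 */
function resolveInsideDir(string $baseDir, string $name): ?string {
    // Allow-list: a plain file name, no separators, no leading dot, no NUL.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/D', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and "..", so check containment on its result.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed layout: one image inside the upload directory, one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'delete_demo_' . getmypid();
$images = $root . DIRECTORY_SEPARATOR . 'images';
mkdir($images, 0700, true);
file_put_contents($images . DIRECTORY_SEPARATOR . 'Example.png', 'constructed');
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', 'constructed');

$requests = ['Example.png', '../outside.txt', 'missing.png', 'sub/../Example.png', ''];
foreach ($requests as $param) {
    $path = resolveInsideDir($images, $param);
    if ($path === null) {
        printf("%-20s refused\n", var_export($param, true));
        continue;
    }
    unlink($path); // only reached for a file that really lives in $images
    printf("%-20s deleted\n", var_export($param, true));
}

// Clean up the constructed files.
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
rmdir($images);
rmdir($root);
```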

== MediaWiki 1.3.10, 2005-02-03 ==
MediaWiki 1.3.10 is a security release.
An attacker could craft a URL which, when visited by a particular logged-in
user, would execute arbitrary JavaScript code on the user's browser in the
wiki's site context. This attack has been blocked, and as an extra precaution
the user CSS and JavaScript subpage support is now disabled by default. Sites
which want this ability may set {{wg|AllowUserCss}} and {{wg|AllowUserJs}} in
{{manual|LocalSettings.php}}. Additional protections have been added against
off-site form submissions hijacking user credentials. Authors of bot tools may
need to update their code to include additional fields. All wikis running 1.3.x
are strongly urged to upgrade to 1.3.10.
Changes from 1.3.9:
* Logged-in edits and preview of user CSS/JS are now locked to a session token.
* Per-user CSS and JavaScript subpage customizations now disabled by default.
They can be re-enabled via {{wg|AllowUserJs}} and {{wg|AllowUserCss}}.
* Removed .ogg from the default uploads whitelist as an extra precaution. If
your web server is configured to serve Ogg files with the correct Content-Type
header, you can re-add it in LocalSettings.php: {{wg|FileExtensions}}<code>[] =
'ogg'</code>

== MediaWiki 1.3.9, 2004-12-12 ==
MediaWiki 1.3.9 is a security and bug fix release.
A flaw in upload handling has been found which may allow upload and execution
of arbitrary scripts with the permissions of the web server. Only wikis that
have enabled uploads and have a vulnerable Apache configuration will be
affected, but to be safe all wikis should upgrade. Wikis with uploads available
should either disable uploads or upgrade to 1.3.9 immediately; if other files
are customized and require merging changes,
includes/{{manual|SpecialUpload.php}} may be replaced individually to add the
fix. (It is also recommended to configure your web server to disable script
execution in the 'images' subdirectory where uploads are placed, which prevents
most attacks even if the wiki fails.)
Changes from 1.3.8:
* Backported "Templates used in this page"-feature of EditPage
* Allow "MySkin" as a default skin.
* ({{bugzilla|938}}) Parse namespaces correctly on self-interwiki links
* ({{bugzilla|1010}}) fix broken Commons image link on [[Skin:Classic|Classic]]
& [[Skin:Cologne Blue|Cologne Blue]]
* ({{bugzilla|1004}}) Norsk language names for interwiki links changed, Nauruan
language name changed
* Enhance upload extension blacklist to protect against vulnerable Apache
configurations

== MediaWiki 1.3.8, 2004-11-15 ==
MediaWiki 1.3.8 is a bugfix release. Those running wikis with uploads enabled
are strongly recommended to upgrade as this fixes several problems with
overwriting previously-uploaded files.
Changes from 1.3.7:
* ({{bugzilla|506}}) fix {{code|inline=y|lang=html|array_key_exists()}} warning
for IIS servers using ISAPI mode
* ({{bugzilla|718}}) fix bad charset in (file) cached pages
* use local numerals in category page (for Hindi et al)
* alias month abbreviations to month names in Hindi
* add localized numerals for Gujarati and Kannada
* fix Category and project namespaces for Hindi
* Don't output bogus timestamp on [[Special:RecentChanges]] if no entries
* Correct template include path which broke some but not all Windows installs
* Fix edit form submission problem with some PHP versions
* Disallow unreachable titles with %XX hex codes
* Allow page [[0]] to be renamed
* ({{bugzilla|774}}) when saving with <code>section=new</code>, return to the
anchor as with existing numbered section edits
* Experimental shared upload overlay area (disabled by default)
* ({{bugzilla|806}}) Removed some "Wikipedia" hardcoding in German localization
* User option localization fix for some extensions
* ({{bugzilla|809}}) now try to load the mysql php extension if it isn't loaded
* ({{bugzilla|848}}) fix error message in [[Special:Newpages]] RSS and Atom
feeds
* ({{bugzilla|26}}) fix cache headers on anon talk page notification
* ({{bugzilla|874}}) added 'cgi' to {{wg|FileBlacklist}}
* ({{bugzilla|862}}) localize date and time format for Finnish
* ({{bugzilla|548}}) Don't overwrite images until the user confirms it

== MediaWiki 1.3.7, 2004-10-18 ==
Changes from 1.3.6:
* Fix protected-page related security issue.

== MediaWiki 1.3.6, 2004-10-14 ==
Changes from 1.3.5:
* ({{bugzilla|296}}) Variables in user interface messages are no longer
substituted at install time, so changes to the site name etc should be easier
to make
* ({{bugzilla|149}}) [[Special:RecentChanges]] "changes from" link preserves
limit
* ({{bugzilla|433}}) tooltip for "Undelete" tab now labeled correctly
* ({{bugzilla|439}}) unclickable "Move" tab no longer displays on protected
pages
* ({{bugzilla|484}}) graceful deletion of images where the actual file is
missing
* ({{bugzilla|686}}) fixed [[plural]]s in Catalan localization
* Fixed potential HTML/JavaScript injection attack in the
[[Extension:UnicodeConverter|UnicodeConverter]] extension. (This extension is
not enabled by default.)
* Fixed potential HTML/JavaScript injection attack via raw page views to a
maliciously crafted wiki page.
* ({{bugzilla|187}}, {{bugzilla|669}}) Fixed centered thumbnails, using
{{code|inline=y|lang=html|<div>}} instead of {{code|inline=y|lang=html|<span>}}.
* catch MySQL error 2000 during installation.
* ({{bugzilla|704}}) Removed misleading LocalSettings.sample
* Fix cross site scripting bugs in [[Special:Ipblocklist]],
[[Special:EmailUser]]
* Fix SQL injection and cross site scripting bugs in Special:Maintenance
* Fix cross site scripting bugs and possible filename validation vulnerability
in ImagePage.
* and more of that sort

== MediaWiki 1.3.5, 2004-09-30 ==
Changes from 1.3.4:
* Clean up input validation in 'raw' page output mode which was a potential
cross-site scripting opportunity.

== MediaWiki 1.3.4, 2004-09-28 ==
=== SECURITY NOTE ===
As of 1.3.4, MediaWiki performs some screening of newly uploaded files for
validity. (Some) corrupt image files, and HTML files mistakenly or maliciously
masquerading as images, should now be rejected. These checks protect against
Internet Explorer security holes relating to type autodetection which are a
potential cross-site scripting attack vector, and also reject at least one
known version of the "JPEG virus" which might attack unpatched clients. If you
already have invalid files uploaded this will not protect against them. If you
have expanded the <code>filetype</code> whitelist or disabled the strict type
checking, other dangerous file types may still get through. You should always
be careful when allowing uploads!
Changes from 1.3.3:
* Fixed lots of template-related bugs, esp. for cases where template variables
are used for links, images, etc.
* Fixed transformation of page messages when viewing [[Special:Allmessages]]
* Handle "ISBN ISBN 1234" correctly
* Fixed warning on Category pages
* Fixed some bad error messages on login page
* Fixed history entry for initial main page on install
* Removed problematic <code>{</code> and <code>}</code> from legal title
characters
* Strip leading blank from output in preformatted text.
* Fixed problem when moving pages to titles with '#' in
* Optional {{wg|RawHtml}} for raw {{code|inline=y|lang=html|<html>}} sections.
Use only on limited-participation 'trusted' wikis, as it does not protect
against cross-site scripting attacks. For security, this option can only be
enabled if in {{wg|WhitelistEdit}} mode.
* Fixed problem where pages which were created as a redirect following a move
never showed on [[Special:Randompage]].
* Fixed line spacing on printed table of contents
* Allow links to pages with names of the form [[RFC 1234]]
* Fixed broken edit links being shown for sections from included templates
* Verify that uploaded image files are of the claimed type.
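
The upload screening described in the security note above, as an added example (not MediaWiki's own code): the leading bytes must match the claimed image type, and the first part of the file must not contain markup that a type-sniffing browser could treat as HTML. The function name <code>screenUpload()</code>, the signature and marker lists, and the 1024-byte window are assumptions of this sketch.

```php
<?php
// Added example, not MediaWiki code. screenUpload(), the two lists below and
// the 1024-byte scan window are assumptions made for this sketch.

// Magic-number signatures for the image types this sketch accepts.
const IMAGE_SIGNATURES = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ['GIF87a', 'GIF89a'],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
];

// Markup that a content-sniffing browser could take as a sign of HTML.
const HTML_MARKERS = ['<!doctype', '<html', '<head', '<body', '<title', '<script', '<a href', '<img', '<table'];

/**
 * Return null when the bytes are consistent with the claimed extension,
 * otherwise a short reason for rejecting the upload.
 */
function screenUpload(string $fileName, string $bytes): ?string {
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (!isset(IMAGE_SIGNATURES[$ext])) {
        return "extension '$ext' is not on the whitelist";
    }
    $matches = false;
    foreach (IMAGE_SIGNATURES[$ext] as $signature) {
        if (strncmp($bytes, $signature, strlen($signature)) === 0) {
            $matches = true;
            break;
        }
    }
    if (!$matches) {
        return "content does not match claimed type '$ext'";
    }
    // A valid header is not enough: a sniffer may still see HTML after it.
    $head = strtolower(substr($bytes, 0, 1024));
    foreach (HTML_MARKERS as $marker) {
        if (strpos($head, $marker) !== false) {
            return "HTML marker '$marker' found near the start of the file";
        }
    }
    return null;
}

// Constructed samples: claimed file name => leading bytes of the upload.
$samples = [
    'logo.png'   => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    'photo.jpg'  => '<html><body>not an image</body></html>',
    'banner.gif' => 'GIF89a' . '<html><body>valid header, HTML body</body></html>',
    'notes.txt'  => 'plain text',
];
foreach ($samples as $name => $bytes) {
    $reason = screenUpload($name, $bytes);
    printf("%-11s %s\n", $name, $reason === null ? 'accepted' : "rejected: $reason");
}
```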

== MediaWiki 1.3.3, 2004-09-09 ==
Changes from 1.3.2:
* Fix for long numeric page titles
* Fix Go search for "0", numeric almost-self-links
* Avoid caching of pages with "You have new messages" headers
* Fix for upgrades as non-root users from 1.2 command-line installs.
* Fix for {{wg|DebugDumpSql}} debug mode.
* {{wg|ExtraNamespaces}} setting for configuring additional namespaces (see
note in {{manual|DefaultSettings.php}})
* 'recache' on query pages now disabled when miser mode is on; special case the
global settings in your {{manual|LocalSettings.php}} to do automatic updates.
* Don't block UTF-8 titles containing byte 0xA0 (bug added in 1.3.2)
* Watch/unwatch tabs now shown on edit pages in MonoBook.
* Fix default skin in Irish localization (ga)
* Add Traditional Chinese localization (zh-tw)
* Changed default sortkey of subcategories. Don't include "Category:"-prefix
any longer
* More helpful info on spam catcher.
* Allow larger offsets for queries such as [[Special:Listusers]]
* Semicolon (;) added to French non-break space rules
* Possible fix for some install errors with path names permission problems.
* Removed [[Project:All system messages]], which has been superseded by the
much faster [[Special:Allmessages]]. This speeds up installation considerably.

== MediaWiki 1.3.2, 2004-08-30 ==
Changes from 1.3.1:
* Fix namespaced page creation links when no go match
* When cookies are disabled, don't show login screen twice
* Install should no longer die when PHP is pre-configured to compress output
* Fixed bug that caused long Japanese pages to time out with Tidy active
* When session.handler is set incorrectly, try automatic override to 'files'
* Watch/Unwatch links back to the affected page instead of Main Page
* Upload link no longer displayed on Monobook if uploading is disabled
* Special:Allmessages faster, shows correct original text, works in safe mode

== MediaWiki 1.3.1, 2004-08-14 ==
Changes from 1.3.0:
* Watchlist parameters now work with register_globals off
* Fixed parsing of ''italics'' and '''bold''' mark-up (again)
* Special:Allpages display is more sensible on smaller wikis
* Fixed XHTML parsing error in classic skins
* Moved pages update watchlist correctly
* Fixed rebuildall.php on case-sensitive Unix filesystems
* Disabled file cache compression by default due to incompatibility with output
buffer compression (ob_gzhandler)
* New magic word {{code|inline=y|PAGENAMEE}} (URL-escaped version of
{{code|inline=y|PAGENAME}})
* Installation avoids blank username; better message on missing XML module
* {{wg|WhitelistAccount}} no longer breaks all logins.

== MediaWiki 1.3.0, 2004-08-11 ==
Look & layout:
* New default layout '[[Skin:MonoBook|MonoBook]]' (available on PHP4 only
currently)
* Print stylesheet now built-in to every page
* More or less correct XHTML 1.0 (served as text/html by default)
Wiki features:
* Image captions can now include links and other basic formatting
* Image bounding box can be specified instead of width, e.g. as 100x100px,
making the image not wider than 100px and not higher than 100px, keeping aspect
ratio.
* Templates have been expanded with parameters, and separated from the
MediaWiki: localization scheme.
* Categories more or less work
* added a special page for listing users with sysop rights.
Editing:
* Automatic merging of edit conflicts that don't directly interfere
* Edit summaries can now include basic formatting and links
Metadata and output:
* Linked Creative Commons copyright metadata (optional)
* RSS 2.0 & Atom 0.3 feeds for Recent Changes, New Pages
Optional modules:
* WikiHiero hieroglyphic module can be added (separate download)
* Timeline module can be added (separate download). Requires ploticus.
* TeX now has an experimental MathML output mode (incomplete!)
Installation and upgrading:
* The old install.php and update.php have been removed. In-place installation
introduced in 1.2 is now the standard installation and upgrade method, see
INSTALL and UPGRADE for directions.
Database:
* The links table has been changed to use a cur_id for l_from. The link tables
must be converted on upgrade, which may entail some downtime.
Code and compatibility:
* Should now run clean with error reporting set to E_ALL.
* register_globals hack from 1.2 has been replaced with safer code
* Bundled PHPTAL 0.7.0 from http://phptal.sourceforge.net/ (with some patches)
* Most image-related code moved to Image.php
* More fixes for PHP 4.1.2 (thanks to Asheesh Laroia)
* URL encoding fix for anchors
* All languages now available in UTF-8 mode
* Various other fixes

=== Caveats ===
Some output, particularly involving user-supplied inline HTML, may not produce
100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType
= "application/xhtml+xml"; to test for remaining problem cases, but this is not
recommended on live sites. (This must be set for MathML to display properly in
Mozilla.) The new 'MonoBook' skin is not compatible with PHP 5 due to bugs in
the underlying PHPTAL library. It will be automatically disabled when running
on PHP5; the older look and feel will be used instead.