Unterstütze uns! Spende jetzt!

Hinweise zu Mediawiki: Unterschied zwischen den Versionen

Aus PiratenWiki
Zur Navigation springen Zur Suche springen
K (+LTS)
Keine Bearbeitungszusammenfassung
Zeile 10: Zeile 10:
== Update Long Term Support (LTS) Version ==
== Update Long Term Support (LTS) Version ==


Bei der Wartung am 19. Oktober 2016 wurde das Wiki von LTS legacy auf die aktuelle LTS-Version aktualisiert. Diese Version wird bis 2019 gepflegt. Ein paar kleine Probleme habe ich bereits entdeckt, aber wahrscheinlich wird sich für alles eine Lösung finden. Die wichtigsten Änderungen unten im Überblick. --[[Benutzer:Uk|uk]] 20:17, 26. Okt. 2016 (CEST)
Bei der Wartung am 22. Oktober 2018 wurde das Wiki von LTS legacy auf die aktuelle LTS-Version aktualisiert. Diese Version wird bis Juni 2021 gepflegt. Ein paar kleine Probleme habe ich bereits entdeckt, aber wahrscheinlich wird sich für alles eine Lösung finden. Die wichtigsten Änderungen unten im Überblick. --[[Benutzer:Admin mw|Admin mw]] ([[Benutzer Diskussion:Admin mw|Diskussion]]) 14:25, 22. Okt. 2018 (CEST)


<pre>
<pre>
= MediaWiki 1.27.1 =
== MediaWiki 1.31.1 ==


These releases fix five security issues in core and one for the extension
This is a security and maintenance release of the MediaWiki 1.31 branch.
PdfHandler. Download links are given at the end of this email.


== Security fixes ==
=== Changes since MediaWiki 1.31.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
* (T197229) Bundle Nuke extension, it was accidentally omitted.
* (T193995) Fix undefined patchPath() method call in parser tests.
* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T198037) GitInfo: Don't try shelling out if it's disabled.
* (T151415) Log email changes.
* (T197206) Fix performance regression when multiple DB used without caching.
* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
* (T182377, T196793) Exif: Guard against uncountable tag values.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T200864) Fix pingback over-reporting on non-MySQL databases
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.


* (T139565) API: Generate head items in the context of the given title
=== Changes since MediaWiki 1.31.0-rc.2 ===
(CVE-2016-6335)
* (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
* (T137264) XSS in unclosed internal links (CVE-2016-6334)
* (T196092) Hide MySQL binary/utf-8 charset option in the installer.
* (T133147) Escape '<' and ']]>' in inline <style> blocks (CVE-2016-6333)
* (T196185) Don't allow setting $wgDBmysql5 in the installer.
* (T133147) Require login to preview user CSS pages (CVE-2016-6333)
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T132926) Do not allow undeleting a revision deleted file if it is the
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
top file (CVE-2016-6336)
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T129738) Make $wgBlockDisablesLogin also restrict logged in permissions
* (T196672) The mtime of extension.json files is now able to be zero
(CVE-2016-6332)
* (T180403) Validate $length in padleft/padright parser functions.
* (T129738) Make blocks log users out if $wgBlockDisablesLogin is true
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
(CVE-2016-6332)
* (T115333) Check read permission when loading page content in ApiParse
(CVE-2016-6331)
* (T57548) Remove support for $wgWellFormedXml = false, all output is now
well formed


The following only affects 1.27 and above and is not included in the 1.26
=== Changes since MediaWiki 1.31.0-rc.0 ===
and 1.23 upgrade:
* (T33223) Drop archive.ar_text and ar_flags.
* (T139670) Move 'UserGetRights' call before application of
* Add default edit rate limit of 90 edits/minute for all users.
Session::getAllowedUserRights() (CVE-2016-6337)
* (T187645) Use codepoint as tiebreaker when getting first-letters in
 
  IcuCollation.
The following fix is for the PdfHandler extension:
* (T191947) Don't shell during the installer if shelling out is disabled.
 
* (T194319) Improve duplicate config setting exception as part of extension
== MediaWiki 1.27.0 ==
  registration.
* (T195211) Don't require trailing slash in PSR-4 autoloader directory.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* Do not incorrectly hide namespace input field in the installer.
* (T186456) Refactor checks looking for PEAR maik libraries to be clearer.


=== PHP version requirement in 1.27 ===
=== Important pre-upgrade notes for 1.31 ===
As of 1.27, MediaWiki now requires PHP 5.5.9 or higher (see Compatibility
* If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
section). Additionally, the following PHP extensions are required:
  schema changes, and cannot have downtime to run migrateArchiveText.php and
* ctype
  apply patch-drop-ar_text.sql manually, you'll have to apply a default value
* iconv
  to the ar_text and ar_flags columns of the archive table or make those
* json
  columns nullable before upgrading to MediaWiki 1.31.
* mbstring (new requirement in 1.27)
  maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL.
* xml
* The CologneBlue and Modern skins are no longer bundled with the tarball. You
The following PHP extensions are strongly recommended:
  will need to remove the wfLoadSkin() calls from your LocalSettings.php or
* openssl
  download them separately
  (<https://www.mediawiki.org/wiki/Special:SkinDistributor>).


=== Configuration changes in 1.27 ===
=== Configuration changes in 1.31 ===
* $wgAllowMicrodataAttributes and $wgAllowRdfaAttributes were removed,
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
   now always enabled. If you use RDFa on your wiki, you now have to explicitly
   a future version. The API is now considered to be stable, secure and
   set $wgHtml5Version to 'HTML+RDFa 1.0' or 'XHTML+RDFa 1.0'.
   essential.
* $wgUseLinkNamespaceDBFields was removed.
* $wgUsejQueryThree was removed, as it is now the default. This was documented
* Deprecated $wgResourceLoaderMinifierStatementsOnOwnLine and
   as a temporary variable during the migration period, deprecated since 1.29.
  $wgResourceLoaderMinifierMaxLineLength, because there was little value in
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
   making the behavior configurable. The default values (`false` for the former,
   possible for fallback images such as png.
  1000 for the latter) are now hard-coded.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
* $wgDebugDumpSqlLength was removed (deprecated in 1.24).
   have the right to mark things patrolled.
* $wgDebugDBTransactions was removed (deprecated in 1.20).
* Wikis that contain imported revisions or CentralAuth global blocks should run
* $wgUseXVO has been removed, as it provides functionality only used by
   maintenance/cleanupUsersWithNoId.php.
  custom Wikimedia patches against Squid 2.x that probably noone uses in
* The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
  production anymore. There is now $wgUseKeyHeader that provides similar
   $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
   functionality but instead of the MediaWiki-specific X-Vary-Options header,
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
  uses the draft Key header standard.
  are not using the latest version of the Referrer Policy specification.
* $wgScriptExtension (and support for '.php5' entry points) was removed. See the
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
   deprecation notice in the release notes for version 1.25 for advice on how to
  first step of migration to human-readable section IDs that will later result
   preserve support for '.php5' entry points via URL rewriting.
  in 'html5' being the default mode.
* Password handling via the User object has been deprecated and partially
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
   removed, pending the future introduction of AuthManager. In particular:
  as upstream is inactive and has no plans to move to PHP 7.
** expirePassword(), getPasswordExpireDate(), resetPasswordExpiration(), and
* The old CategorizedRecentChanges feature, including its related configuration
  getPasswordExpired() have been removed. They were unused outside of core.
  option $wgAllowCategorizedRecentChanges, has been removed.
** The mPassword, mNewpassword, mNewpassTime, and mPasswordExpires fields are
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
  now private and will be removed in the future.
  for performance reasons, and installations with this setting will now work as
** The getPassword() and getTemporaryPassword() methods now throw
  if it was configured with 'any'.
  BadMethodCallException and will be removed in the future.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
** The ability to pass 'password' and 'newpassword' to createNew() has been
  rather than being off by default. If you wish to disable HTML tidying
  removed. The only users of it seem to have been using it to set invalid
  entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
  passwords, and so shouldn't be greatly affected.
   Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
** setPassword(), setInternalPassword(), and setNewpassword() have been
* $wgLogAutopatrol now defaults to false instead of true.
  deprecated, pending the introduction of AuthManager.
* $wgValidateAllHtml was removed and will be ignored.
** User::randomPassword() is deprecated in favor of a new method
* $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
  PasswordFactory::generateRandomPasswordString()
   1.25 release notes for more information.
** User::getPasswordFactory() is deprecated, callers should just create a
* $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
  PasswordFactory themselves.
   framework that it enables. Some extensions mistakenly used this to check
** A new constructor, User::newSystemUser(), has been added to simplify the
   whether any AJAX functionality at all should be enabled, further making this
  creation of passwordless "system" users for logged actions.
  problematic to retain.
* $wgMaxSquidPurgeTitles was removed.
* $wgDBmysql5 is now deprecated, and will be removed in a future version. It
* $wgAjaxWatch was removed. This is now enabled by default.
  has been marked as experimental ever since it was introduced.
* $wgUseInstantCommons now hotlinks Commons images by default instead of
  downloading originals and thumbnailing them locally. This allows wikis to save
  on CPU and bandwidth while reducing time to first byte for pages, even without
  a thumbnail handler. See $wgForeignFileRepos documentation for tweaks.
* (T27397) WebP is enabled by default as an uploadable filetype.
* (T48998) $wgArticlePath must now be either a full url, or start with a "/".
* $wgRateLimitLog was removed; use $wgDebugLogGroups['ratelimit'] instead.
* Deprecated API formats dbg, txt, and yaml have been removed.
* CLDRPluralRule* classes have been replaced with
  wikimedia/cldr-plural-rule-parser.
* Removed $wgProfilePerHost, $wgUDPProfilerHost, $wgUDPProfilerPort,
  $wgUDPProfilerFormatString, $wgStatsMethod, $wgAggregateStatsID,
  $wgStatsFormatString, and $wgProfileCallTree (deprecated since 1.20).
* For proper operation of LocalIdLookup with shared user tables, ensure that
  $wgSharedDB and $wgSharedTables are properly set even on the "central" wiki
  that all others are sharing from and that $wgLocalDatabases is set to the
  full list of sharing wikis on all those wikis.
* Massive overhaul to session handling:
** $wgSessionsInObjectCache is no longer supported and must be true, due to
  MediaWiki\Session\SessionManager. $wgSessionHandler is similarly no longer
  used.
** ObjectCacheSessionHandler is removed, replaced with
  MediaWiki\Session\PhpSessionHandler.
** PHP session handling in general ($_SESSION, session_id(), and so on) is
  deprecated. Use MediaWiki\Session\SessionManager instead. A new config
  variable, $wgPHPSessionHandling, is available to cause use of $_SESSION to
  issue a deprecation warning or to cause most PHP session handling to throw
  exceptions.
** Deprecated UserSetCookies hook. Session-handling extensions should generally
  be creating a custom subclass of CookieSessionProvider. Other extensions
  messing with cookies can no longer count on user data being saved in cookies
  versus other methods.
** Deprecated UserLoadFromSession hook, extensions should create a
  MediaWiki\Session\SessionProvider.
** The User cannot be loaded from session until after Setup.php completes.
  Attempts to do so will be ignored and the User will remain unloaded.
** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
  the MediaWiki\Session\Token class.
* MediaWiki will now auto-create users as necessary, removing the need for
   extensions to do so. An 'autocreateaccount' right is added to allow
  auto-creation when 'createaccount' is not granted to all users.
* Deprecated AuthPluginAutoCreate hook in favor of LocalUserCreated.
* Most cookie-handling methods in User are deprecated.
* $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
  experimental feature that has never worked.
* Login and createaccount tokens now vary by timestamp.
* LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
  return a MediaWiki\Session\Token, and tokens must be checked using that
  class's methods.
* $wgEnotifUseJobQ was removed and the job queue is always used.
* The functionality of the ApiSandbox extension has been merged into core. The
   extension should no longer be used.
* $wgPreloadJavaScriptMwUtil was removed (deprecated in 1.26).
  Extensions, skins, gadgets and scripts that use the mediawiki.util module must
  express a dependency on it.
* $wgIncludeLegacyJavaScript, deprecated in MediaWiki 1.26, now defaults false.
   Extensions, skins, gadgets and scripts that need the mediawiki.legacy.wikibits
  module should express a dependency on it.
* Removed configuration option $wgCopyrightIcon (deprecated since 1.18). Use
  $wgFooterIcons['copyright']['copyright'] instead.
* If the openssl and mcrypt PHP extensions are both unavailable, secure
  session storage (used for login) will raise an exception. This exception may
   be bypassed by setting $wgSessionInsecureSecrets = true.
* Massive overhaul to authentication:
** AuthPlugin and AuthPluginUser are deprecated.
** LoginForm and associated templates are deprecated. Extensions which called
  static LoginForm methods should be converted into authentication providers.
** The following hooks are deprecated:
*** AbortAutoAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** AbortLogin (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** AbortNewAccount (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** AddNewAccount (use LocalUserCreated instead)
*** AuthPluginSetup (create a MediaWiki\Auth\PrimaryAuthenticationProvider instead)
*** ChangePasswordForm (use AuthChangeFormFields instead, or security levels)
*** LoginUserMigrated (create a MediaWiki\Auth\PreAuthenticationProvider instead)
*** UserCreateForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
*** UserLoginForm (create a MediaWiki\Auth\AuthenticationProvider of some type instead)
** The following hooks are removed:
*** AbortChangePassword
*** LoginPasswordResetMessage
*** PrefsPasswordAudit
** The UserLoginComplete hook will no longer be called for all logins, only for
  those via the web UI. Use UserLoggedIn if you need to do something on all
  logins.
** $wgRequirePasswordforEmailChange is removed.


=== New features in 1.27 ===
=== New features in 1.31 ===
* $wgDataCenterUpdateStickTTL was also added. This decides how long a user
* (T76554) User sub-pages named ….json are now protected in the same way that
  sticks to the primary DC (via cookies) after they make changes to the site.
   .js and ….css pages are, so that configuration options can safely be placed
* Added a new hook, 'UserMailerTransformContent', to transform the contents
   there.
   of an email. This is similar to the EmailUser hook but applies to all mail
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
  sent via UserMailer.
   with parentheses for grouping.
* Added a new hook, 'UserMailerTransformMessage', to transform the contents
* As a first pass in standardizing dialog boxes across the MediaWiki product,
  of an emai after MIME encoding.
   Html class now provides helper methods for messageBox, successBox, errorBox
* Added a new hook, 'UserMailerSplitTo', to control which users have to be
   and warningBox generation.
  emailed separately (ie. there is a single address in the To: field) so
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
  user-specific changes to the email can be applied safely.
   a format like "iw>Example".
* $wgCdnMaxageLagged was added, which limits the CDN cache TTL
* (T20209) Linker (used on history pages, log pages, and so on) will display
   when any load balancer uses a DB that is lagged beyond the 'max lag'
   usernames formed like "iw>Example" as interwiki links, as if by wikitext like
  setting in the relevant section of $wgLBFactoryConf.
   [[iw:User:Example|iw>Example]].
* User::newSystemUser() may be used to simplify the creation of passwordless
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
   "system" users for logged actions from scripts and extensions.
   users during an import.
* Extensions can now return detailed error information via the API when
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
   preventing user actions using 'getUserPermissionsErrors' and similar hooks
   the ParserOutput::getText() post-cache transformations.
  by using ApiMessage instances instead of strings for the $result value.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
* $wgAPIMaxLagThreshold was added to limit bot changes when databases lag
   initial page text for file uploads.
   becomes too high.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
* Skins and extensions can now use FlexBox mixins (.flex-display(@display: flex)
   hash value in the table of basic information.
  and .flex(@grow: 1, @shrink: 1, @width: auto, @order: 1)) in Less to create
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
   cross-browser-compatible FlexBox rules. Users will still need to add fallback
   ParserOutput::getText() post-cache transformation. This may be disabled by
  float rules or the like for compatibility with IE9- separately.
   passing 'deduplicateStyles' => false to that method.
* Added MWTimestamp::getTimezoneString() which returns the localized timezone
* The identity of the logged-in or IP "actor" for logged actions is being moved
   string, if available. To localize this string, see the comments of
   into a new actor table, with the rows in tables such as revision and logging
   $wgLocaltimezone in includes/DefaultSettings.php.
   referring to the actor ID instead of storing the user ID and name/IP in
* Added CentralIdLookup, a service that allows extensions needing a concept of
   every row.
   "central" users to get that without having to know about specific central
  * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
  authentication extensions.
    can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
* $wgMaxUserDBWriteDuration added to limit huge user-generated transactions.
    soon as any necessary extensions are updated.
   Regular web request transactions that takes longer than this are aborted.
   * Most code accessing rows for logged actions from the database should use
* Added a new hook, 'TitleMoveCompleting', which runs before a page move is
    the relevant getQueryInfo() methods to get the information needed to build
  committed.
    the SQL query. The ActorMigration class may also be used to get feature
* $wgCdnReboundPurgeDelay was added to provide secondary delayed purges of URLs
    -flagged information needed to access actor-related fields during the
   from CDN to mitigate DB replication lag and WAN cache purge lag.
    migration period.
* (T49162) Installer will default to setting CACHE_ACCEL as the main cache type
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
   if it is available.
   section without having to roll back the whole transaction.
* It is now possible to patrol file uploads (both for new files and new versions
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
   of existing files). Special:NewFiles has gained an option to filter by patrol
   and non-MySQL ::replace() and ::upsert() no longer roll back the whole
   status. This functionality can be disabled using $wgUseFilePatrol.
   transaction on failure.
* MediaWiki\Session infrastructure allows for easier use of session mechanisms
* (T189785) Added a monthly heartbeat ping to the pingback feature.
   other than the usual cookies.
* The CLI installer (maintenance/install.php) learned to detect and include
** SessionMetadata and SessionCheckInfo hooks allow for setting and checking
   extensions. Pass --with-extensions to enable that feature.
  custom session metadata.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
* Added MWGrants and associated configuration settings $wgGrantPermissions and
   "1" for manually patrolled and "2" for autopatrolled actions.
   $wgGrantPermissionGroups to hold configuration for authentication features
* Extensions can now set their type to "editor" if they provide an editor or
  such as OAuth that want to allow restricting the user rights a user may make
   enhance the editing experience.
   use of.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
** If you're already using the OAuth extension, these new variables are
  property in extension.json. See the documentation at
  identical to (and will replace) $wgMWOAuthGrantPermissions and
  <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
  $wgMWOAuthGrantPermissionGroups.
  for more details and an example.
* Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
* (T19099) Tabs which link to pages that don't exist (like those to uncreated
   to assert that the request comes from a particular IP range.
  discussion pages) now have a tooltip to indicate state, not just colour.
* Added bot passwords, a rights-restricted login mechanism for API-using bots.
* Whitelisted the following HTML attributes for all elements in wikitext:
  aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
* Removed "presentation" restriction on the HTML role attribute in wikitext.
  All values are now allowed for the role attribute.
* $wgContentHandlers now also supports callbacks to create an instance of the
  appropriate ContentHandler subclass.
* Added $wgAuthenticationTokenVersion, which if non-null prevents the
  user_token database field from being exposed in cookies. Setting this would
  be a good idea, but will log out all current sessions.
* $wgEventRelayerConfig was added, for managing PubSub event relay configuration,
   specifically for reliable CDN url purges.
* Requests have unique IDs, equal to the UNIQUE_ID environment variable (when
  MediaWiki is behind Apache+mod_unique_id or something similar) or a randomly-
  generated 24-character string. This request ID is used to annotate log records
   and error messages. It is available client-side via mw.config.get( 'wgRequestId' ).
  The request ID supplants exception IDs. Accordingly, MWExceptionHandler::getLogId()
   is deprecated.
* (T33313) Add a preference for watching uploads by default, also applies
  to API-based upload tools.
* $wgJpegPixelFormat was added to override chroma subsampling for JPEG image
   thumbnails created via ImageMagick. Defaults to 'yuv420', providing bandwidth
  savings versus the previous behavior on many files.
* MediaWiki\Auth infrastructure (called "AuthManager") allows for more flexible
   configuration of multiple authentication pieces that was possible with
  AuthPlugin. For example, it's now easy to plug in second-factor
   authentication, or add additional checks to the login process, or to support
  multiple login methods at once, or to support non-password-based login methods.
** Providers are configured via the global setting $wgAuthManagerConfig.
** A global, $wgDisableAuthManager, is temporarily available to disable
  AuthManager until extensions are ready to support it.
** New hook, AuthChangeFormFields, to adjust the form fields on
  AuthManager-related special pages.
** New hook, AuthManagerLoginAuthenticateAudit, for additional logging of
  AuthManager-related authentication requests.
** New hook, ChangeAuthenticationDataAudit, for additional logging of
  AuthManager-related authentication data changes.
** New hook, SecuritySensitiveOperationStatus, to work with the new mechanism
  for requiring a recent login before taking security-sensitive operations
  like changing a password.
** Two new globals, $wgChangeCredentialsBlacklist and $wgRemoveCredentialsBlacklist
  can be used to prevent the web UI and the API changing certain authentication data.
* The file upload dialog (available if you install WikiEditor or VisualEditor)
  can now be configured using $wgUploadDialog.


=== External library changes in 1.27 ===
=== External library changes in 1.31 ===
* pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
  suggested to required. These packages now must be installed via composer
  and not via PEAR itself.


==== Upgraded external libraries ====
==== Upgraded external libraries ====
* Updated oojs/oojs-ui from v0.12.12 to v0.13.3.
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/semver from v1.0.0 to v1.2.0.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* Updated liuggio/statsd-php-client to 1.0.18.
* Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
* Updated QUnit from v1.18.0 to v1.22.0.
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.


==== New external libraries ====
==== New external libraries ====
* Added wikimedia/base-convert v1.0.1.
* Added wikimedia/object-factory 1.0.0
* Added wikimedia/cldr-plural-rule-parser v1.0.0.
* Added wikimedia/relpath v1.0.3.
* Added wikimedia/running-stat v1.1.0.
* Added wikimedia/php-session-serializer v1.0.3.


==== Removed and replaced external libraries ====
==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
  text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
  'mediawiki.viewport' module instead.
* mediawiki/at-ease was replaced with wikimedia/at-ease.


=== Bug fixes in 1.27 ===
=== Bug fixes in 1.31 ===
* Special:Upload will now display correct maximum allowed file size when running
* (T90902) Non-breaking space in header ID breaks anchor.
   under HHVM (T116347).
* (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
* (T54077) The APIEditBeforeSave hook will once again give only the content of
   space.
   the section being edited, rather than the whole revision. This reverts the
* (T2087, T10897, T87753, T174639) Whitespace created by category and language
  change made in MediaWiki 1.22.
   links is now stripped rather than leaving blank lines in odd places.
* (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+


=== Action API changes in 1.27 ===
=== Action API changes in 1.31 ===
* Added list=allrevisions.
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
* generator=recentchanges now has the option to generate revids.
   removed. It has never made a difference in the output, the name was always
* ApiPageSet::setRedirectMergePolicy() was added. This allows generator
  returned regardless.
  modules to define how generator data for a redirect source gets merged
* The 'watch' and 'unwatch' parameters for action=move have been removed. They
  into the redirect destination.
   were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
* prop=imageinfo&iiprop=uploadwarning will no longer include the possibility of
  'watchlist' instead.
   "was-deleted" warning.
* Added difftotextpst to query=revisions which preforms a pre-save transform on
  the text before diffing it.
* Deprecated formats dbg, txt, and yaml have been removed.
* (T47988) The protect log event details now use new-style formatting.
* The following response properties from action=login are deprecated, and may
  be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
   handle cookies to properly manage session state.
* action=login transparently allows login using bot passwords. Clients should
  merely need to change the username and password used after setting up a bot
  password.
* action=upload no longer understands statuskey, asyncdownload or leavemessage.
* Several changes when $wgDisableAuthManager is false:
** action=login is deprecated for uses other than bot passwords.
** list=users can now indicate if a missing username is creatable.
** action=createaccount is changed in a non-backwards-compatible manner.
** Added action=query&meta=authmanagerinfo.
** Added action=clientlogin to be used to log into the main account instead of
  action=login.
** Added action=linkaccount.
** Added action=unlinkaccount.
** Added action=changeauthenticationdata.
** Added action=removeauthenticationdata.
** Added action=resetpassword.


=== Action API internal changes in 1.27 ===
=== Action API internal changes in 1.31 ===
* ApiQueryORM removed.
* ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
* The following classes have been removed:
* ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
** ApiFormatDbg
* ApiBase::getProfileTime, deprecated since 1.25, was removed.
** ApiFormatTxt
** ApiFormatYaml
* ApiBase::addTokenProperties() was removed (deprecated since 1.24).
* ApiBase::getFinalPossibleErrors() was removed (deprecated since 1.24).
* ApiBase::getFinalResultProperties() was removed (deprecated since 1.24).
* ApiBase::getRequireAtLeastOneParameterErrorMessages() was removed (deprecated since 1.24).
* ApiBase::getPossibleErrors() was removed (deprecated since 1.24).
* ApiBase::getRequireMaxOneParameterErrorMessages() was removed (deprecated since 1.24).
* ApiBase::getRequireOnlyOneParameterErrorMessages() was removed (deprecated since 1.24).
* ApiBase::getResultProperties() was removed (deprecated since 1.24).
* ApiBase::getTitleOrPageIdErrorMessage() was removed (deprecated since 1.24).
* ApiBase::parseErrors() was removed (deprecated since 1.24).
* ApiQueryBase::titleToKey(), ApiQueryBase::keyToTitle() and
  ApiQueryBase::keyPartToTitle() all removed (deprecated since 1.24).
* ApiQueryBase::checkRowCount() was removed (deprecated since 1.24).
* ApiQueryBase::getDirectionDescription() was removed (deprecated since 1.25).
* ApiQuery::getGenerators() was removed (deprecated since 1.21).
* ApiQuery::getModules() was removed (deprecated since 1.21).
* ApiQuery::getModuleType() was removed (deprecated since 1.21).
* ApiQuery::setGeneratorContinue() was removed (deprecated since 1.24).
* ApiMain::getModules() was removed (deprecated since 1.21).
* ApiBase::getVersion() was removed (deprecated since 1.21).
* ApiMain::getShowVersions() was removed (deprecated in 1.21).
* ApiMain::addModule() was removed (deprecated in 1.21).
* ApiMain::addFormat() was removed (deprecated in 1.21).
* ApiMain::getFormats() was removed (deprecated in 1.21).
* ApiPageSet::finishPageSetGeneration() was removed (deprecated in 1.21).
* ApiCreateAccount is deprecated, and will be removed soon.
 
=== Languages updated in 1.27 ===


=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
changes to languages because of Phabricator reports.


* (T113688) Change default numerals from Gurmukhi to Arabic for Punjabi locale.
* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
* (T116020) Aliases of magic words in MessagesXx.php are sorted by usage.
* (T182305) New language support: Nyungar (nys).
 
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
=== Other changes in 1.27 ===
* (T186635) New language support: Guianan Creole (gcr).
* Added dependency injection (DI) infrastructure, see docs/injection.txt for details.
* (T186647) New language support: Kumyk [къумукъ] (kum).
  It is planned to incrementally move MediaWiki code towards using DI, using the
* (T187750) New language support: Spanish formal address (es-formal).
  service locator (SL) pattern as a stepping stone.
* (T187824) New language support: Hungarian formal address (hu-formal).
* ProfilerOutputUdp was removed. Note that there is a ProfilerOutputStats class.
* (T189127) New language support: Gorontalo (gor).
* WikiPage::doDeleteArticleReal() and WikiPage::doDeleteArticle() now
  ignore the 2nd and 3rd arguments (formerly $id and $commit).
* Removed "loaderScripts" option from ResourceLoaderFileModule class.
* Removed ORM-like wrapper added in 1.20.
* LinkCache::getGoodLinks and LinkCache::getBadLinks were removed
  (deprecated in 1.26).
* WikiPage::doQuickEdit() was removed (deprecated since 1.21).
* Removed SiteObject and SiteArray classes (deprecated in 1.21).
* MessageBlobStore::getInstance() was removed (deprecated since 1.25).
* (T84937) Free external links ("autolinked" urls) will now be terminated
  by &nbsp; and HTML entity encodings of &nbsp, <, and >.
* (T36948) The default file revert message's timestamp is now in
  $wgLocaltimezone, instead of UTC.
* The default name of the 'suppress' group page has been changed from
  'Project:Oversight' to 'Project:Suppress'.
* DatabaseBase::resultObject() is now protected (use outside Database classes
  not necessary since 1.11).
* Calling ResourceLoaderFileModule::readStyleFiles() without a
  ResourceLoaderContext instance is deprecated.
* ResourceLoader::getLessCompiler() now takes an optional parameter of
  additional LESS variables to set for the compiler.
* wfBaseConvert() marked as deprecated, use Wikimedia\base_convert() directly
  instead.
* Obsolete maintenance scripts clearCacheStats.php and showCacheStats.php
  were removed. The underlying data is sent to StatsD (see $wgStatsdServer).
* Removed msg_resource_links database table and associated code.
* Removed msg_resource database table and associated code.
* Skin::getNamespaceNotice() was removed.
* wfIsConfiguredProxy() was removed (deprecated since 1.24).
* wfDebugTimer() was removed (deprecated since 1.25).
* wfIsTrustedProxy() was removed (deprecated since 1.24).
* wfGetIP() was removed (deprecated since 1.19).
* MWHookException was removed.
* OutputPage::appendSubtitle() was removed (deprecated since 1.19).
* OutputPage::loginToUse() was removed (deprecated since 1.19).
* Article::loadContent() was removed (deprecated since 1.19).
* User::editToken() was removed (deprecated since 1.19).
* Removed --force-normal option of dumpBackup.php, as it no longer served
  any useful purpose since 1.22.
* The functions processOption() and processArgs() on the BackupDumper and
  TextPassDumper classes have been removed.
* The maintenance/backupTextPass.inc file was deleted. You should include
  maintenance/dumpTextPass.php instead.
* WikiPage::getUsedTemplates() was removed (deprecated since 1.19).
* wfEmptyMsg() was removed (deprecated since 1.18).
* OutputPage::permissionRequired() was removed (deprecated since 1.18).
* OutputPage::blockedPage() was removed (deprecated since 1.18).
* User::getSkin() was removed (deprecated since 1.18).
* OutputPage::includeJQuery() was removed (deprecated since 1.17).
* WikiPage::updateRestrictions() was removed (deprecated since 1.19).
* WikiPage::testPreSaveTransform() was removed (deprecated since 1.19).
* LogPage::logName() was removed (deprecated since 1.19).
* LogPage::logHeader() was removed (deprecated since 1.19).
* wfCheckLimits() was removed (deprecated since 1.24).
* Linker::makeKnownLinkObj() was removed (deprecated since 1.16).
* Linker::makeLinkObj() was removed (deprecated since 1.16).
* wfMsgForContentNoTrans() was removed (deprecated since 1.18).
* ChangesList::usePatrol was removed (deprecated since 1.22).
* wfMsgNoTrans() was removed (deprecated since 1.18).
* Linker::makeImageLink2 was removed (deprecated since 1.20).
* Title::userIsWatching() was removed (deprecated since 1.20).
* Removed WaitForSlave maintenance script; use SELECT MASTER_POS_WAIT()
  database function directly instead.
* wfMsg() was removed (deprecated since 1.18).
* wfMsgForContent() was removed (deprecated since 1.18).
* wfMsgReal() was removed (deprecated since 1.18).
* wfMsgGetKey() was removed (deprecated since 1.18).
* wfMsgHtml() was removed (deprecated since 1.18).
* wfMsgWikiHtml() was removed (deprecated since 1.18).
* wfMsgExt() was removed (deprecated since 1.18).
* Language::armourMath() was removed (deprecated since 1.22).
* LanguageConverter::armourMath() was removed (deprecated since 1.22).
* FakeConverter::armourMath() was removed (deprecated since 1.22).
* The unused jquery.validate ResourceLoader module was removed.
* FileRepo::getRootUrl() was removed (deprecated since 1.20).
* User::generateToken() was removed (deprecated since 1.20).
* WikiPage::getRawText() was removed (deprecated since 1.21).
* ParserOutput::hasCustomDataUpdates() was removed (deprecated since 1.25).
* ParserOutput::addSecondaryDataUpdate() was removed (deprecated since 1.25).
* ParserOutput::getSecondaryDataUpdates() was removed (deprecated since 1.25).
* Gallery images with multiple caption pipes no longer concatenate them all
  together but instead pick the final one, similar to image syntax.
* XML-like parser tags (such as <gallery>), when unclosed, will be left unparsed
  rather than consume everything until the end of the page.
* New maintenance script resetUserEmail.php allows sysadmins to reset user emails in case
  a user forgot password/account was stolen.
* wfCheckEntropy() was removed (deprecated in 1.27).
* Browser support for Internet Explorer 8 lowered from Grade A to Grade C.
* ContentHandler::supportsCategories method added. Default is true.
  CategoryMembershipChangeJob updates are skipped for content that
  does not support categories.
* wikidiff difference engine is no longer supported, anyone still using it are encouraged
  to upgrade to wikidiff2 which is actively maintained and has better package availability.
* Database logic was removed from WatchedItem and a WatchedItemStore was created:
** WatchedItem::IGNORE_USER_RIGHTS and WatchedItem::CHECK_USER_RIGHTS were deprecated.
  User::IGNORE_USER_RIGHTS and User::CHECK_USER_RIGHTS were introduced.
** WatchedItem::fromUserTitle was deprecated in favour of the constructor.
** WatchedItem::resetNotificationTimestamp was deprecated.
** WatchedItem::batchAddWatch was deprecated.
** WatchedItem::addWatch was deprecated.
** WatchedItem::removeWatch was deprecated.
** WatchedItem::isWatched was deprecated.
** WatchedItem::duplicateEntries was deprecated.
** EmailNotification::updateWatchlistTimestamp was deprecated.
** User::getWatchedItem was removed.
* Unit tests don't work with external PHPUnit anymore, Composer is now the only supported
  way. Run `composer install` to install it and other dev dependencies to run unit tests.
* wl_id field added to the watchlist table.
* Revision::getRawText() was removed (deprecated since 1.21).
* WikiPage::replaceSection() was removed (deprecated since 1.21).
* Article::replaceSection() was removed (deprecated since 1.21).
* Language::getLangObj() was removed (deprecated since 1.24).
* Language::getLanguageName() was removed (deprecated since 1.20).
* Language::getLanguageNames() was removed (deprecated since 1.20).
* Language::getTranslatedLanguageNames() was removed (deprecated since 1.20).
* Language::specialPage() was removed (deprecated since 1.24).
* MediaWikiTestCase::assertException() was removed (deprecated since 1.22).
* OutputPage::getHeadItems() was removed (deprecated since 1.24).
* OutputPage::getScript() was removed (deprecated since 1.24).
* OutputPage::out() was removed (deprecated since 1.22).
* OutputPage::setAllowedModules() was removed (deprecated since 1.24).
* UserrightsPage::makeGroupNameListForLog() was removed (deprecated since 1.21).
* MediaWikiSite::newFromGlobalId() was removed (deprecated since 1.21).
* Title::newFromRedirect() was removed (deprecated since 1.21).
* Skin::commonPrintStylesheet() was removed (deprecated since 1.22).
* Skin::getCommonStylePath() was removed (deprecated since 1.24).
* Skin::newFromKey() was removed (deprecated since 1.24).
* Skin::getUsableSkins() was removed (deprecated since 1.23).
* LoadBalancer::pickRandom() was removed (deprecated in 1.21).
* Article::getUndoText() and WikiPage::getUndoText were removed (deprecated since
  1.21).
* DifferenceEngine::setText() was removed (deprecated in 1.21).
* Title::newFromRedirectArray() was removed (deprecated in 1.21).
* UserMailer::send() no longer accepts $replyto as the 5th argument and $contentType
  as the 6th. These must be passed in the options array now.
* Title::newFromRedirectRecurse() was removed (deprecated in 1.21).
* Skin::accesskey was removed (deprecated since 1.21).
* Skin::blockLink was removed (deprecated since 1.21).
* Skin::buildRollbackLink was removed (deprecated since 1.21).
* Skin::emailLink was removed (deprecated since 1.21).
* Skin::formatComment was removed (deprecated since 1.21).
* Skin::formatHiddenCategories was removed (deprecated since 1.21).
* Skin::formatLinksInComment was removed (deprecated since 1.21).
* Skin::formatRevisionSize was removed (deprecated since 1.21).
* Skin::formatSize was removed (deprecated since 1.21).
* Skin::formatTemplates was removed (deprecated since 1.21).
* Skin::generateTOC was removed (deprecated since 1.21).
* Skin::getInternalLinkAttributes was removed (deprecated since 1.21).
* Skin::getInternalLinkAttributesObj was removed (deprecated since 1.21).
* Skin::getInterwikiLinkAttributes was removed (deprecated since 1.21).
* Skin::getInvalidTitleDescription was removed (deprecated since 1.21).
* Skin::getLinkColour was removed (deprecated since 1.21).
* Skin::getRevDeleteLink was removed (deprecated since 1.21).
* Skin::getRollbackEditCount was removed (deprecated since 1.21).
* Skin::makeBrokenImageLinkObj was removed (deprecated since 1.21).
* Skin::makeCommentLink was removed (deprecated since 1.21).
* Skin::makeExternalImage was removed (deprecated since 1.21).
* Skin::makeExternalLink was removed (deprecated since 1.21).
* Skin::makeHeadline was removed (deprecated since 1.21).
* Skin::makeImageLink was removed (deprecated since 1.21).
* Skin::makeMediaLinkFile was removed (deprecated since 1.21).
* Skin::makeMediaLinkObj was removed (deprecated since 1.21).
* Skin::makeSelfLinkObj was removed (deprecated since 1.21).
* Skin::makeThumbLink2 was removed (deprecated since 1.21).
* Skin::makeThumbLinkObj was removed (deprecated since 1.21).
* Skin::normaliseSpecialPage was removed (deprecated since 1.21).
* Skin::normalizeSubpageLink was removed (deprecated since 1.21).
* Skin::processResponsiveImages was removed (deprecated since 1.21).
* Skin::revComment was removed (deprecated since 1.21).
* Skin::revDeleteLink was removed (deprecated since 1.21).
* Skin::revDeleteLinkDisabled was removed (deprecated since 1.21).
* Skin::revUserLink was removed (deprecated since 1.21).
* Skin::revUserTools was removed (deprecated since 1.21).
* Skin::specialLink was removed (deprecated since 1.21).
* Skin::splitTrail was removed (deprecated since 1.21).
* Skin::titleAttrib was removed (deprecated since 1.21).
* Skin::tocIndent was removed (deprecated since 1.21).
* Skin::tocLine was removed (deprecated since 1.21).
* Skin::tocLineEnd was removed (deprecated since 1.21).
* Skin::tocList was removed (deprecated since 1.21).
* Skin::tocUnindent was removed (deprecated since 1.21).
* Skin::tooltip was removed (deprecated since 1.21).
* Skin::tooltipAndAccesskeyAttribs was removed (deprecated since 1.21).
* Skin::userTalkLink was removed (deprecated since 1.21).
* Skin::userToolLinksRedContribs was removed (deprecated since 1.21).
* wikidiff3 is now the default and only PHP diff engine. It provides improved diff
  performance on complex changes. $wgExternalDiffEngine = 'wikidiff3' therefore
  makes no difference now. Users are still recommended to use wikidiff2 if possible,
  though.
* User::addNewUserLogEntry() was deprecated.
* User::addNewUserLogEntryAutoCreate() was deprecated.
* User::isPasswordReminderThrottled() was deprecated.
* Bot-oriented parameters to Special:UserLogin (wpCookieCheck, wpSkipCookieCheck)
  were removed.
* Installer can now be customized without patching MediaWiki code, see
  mw-config/overrides/README for details.
 
=== Compatibility ===
 
MediaWiki 1.27 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
 
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.


The supported versions are:
=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
* The OutputPage class constructor now requires a context parameter.
  Instantiating without context was deprecated in 1.18.
* The mw.page JavaScript singleton, deprecated in 1.30, was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
  ::onArticleEdit() methods, deprecated in 1.24, were removed.
* Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
  removed. Use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
  DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
  no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
  'byText' or ->setBlocker(). Callers should either ensure the blocker exists
  locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were
  deprecated in 1.27, have been removed:
  * WatchedItem::getTitle()
  * WatchedItem::fromUserTitle()
  * WatchedItem::addWatch()
  * WatchedItem::removeWatch()
  * WatchedItem::isWatched()
  * WatchedItem::duplicateEntries()
  * WatchedItem::IGNORE_USER_RIGHTS
  * WatchedItem::CHECK_USER_RIGHTS
  * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
  HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
  The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
  default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have
  been removed:
  * PreparedEdit->newText
  * PreparedEdit->oldText
  * PreparedEdit->pst
* ParserOutput objects which are generated using a non-default value for
  ParserOptions::setWrapOutputClass() can no longer be added to the parser
  cache.
* The following deprecated methods from the OutputPage class have been removed:
  * OutputPage::addExtensionStyle(); deprecated in 1.27
  * OutputPage::getExtStyle(); deprecated in 1.27
  * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
  * OutputPage::setSquidMaxage(); deprecated in 1.27
  * OutputPage::readOnlyPage(); deprecated in 1.25
  * OutputPage::rateLimited(); deprecated in 1.25
  * Additionally, the protected OutputPage::$mExtStyles array, only accessed
    through the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
  were removed:
  * $isCssJsSubpage — use ::isUserConfigPage()
  * $isCssSubpage — use ::isUserCssConfigPage()
  * $isJsSubpage — use ::isUserJsConfigPage()
  * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
  * ::getSummaryInput() – use ::getSummaryInputWidget()
  * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
  * ::getCheckboxes() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
  * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
* ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on
  the response object, and were deprecated in 1.27, have been removed:
  * ::setCookie()
  * ::clearCookie()
  * ::setExtendedLoginCookie()
  Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27 have
  been removed:
  * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
  * ::getPasswordFactory() – create a PasswordFactory directly
  * ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
  been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
  use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
  can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
  Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when
  DBO_TRX is set results in an exception. Calling Database::commit() explicitly
  for an implicit transaction also results in an exception. Previously these
  were logged as errors. The startAtomic() and endAtomic() methods, or
  AtomicSectionUpdate should be used instead.
* The global function wfOutputHandler() was removed, use the its replacement
  MediaWiki\OutputHandler::handle() instead. The global function was only
  sometimes defined. Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
  deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
  ::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
  use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
  ResourceLoaderModule::getLessVars() to expose local variables instead of
  global ones.
* As part of work to modernise user-generated content clean-up, a config option
  and some methods related to HTML validity were removed without deprecation.
  The public methods MWTidy::checkErrors() and the path through which it was
  called, TidyDriverBase::validate(), are removed, as are the testing methods
  MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
  The $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies
  the RESTRICT_DEFAULT Firejail restriction by default.
* The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
  deprecated in 1.26, were removed.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
  Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.


* MySQL 5.0.3 or later
=== Deprecations in 1.31 ===
* PostgreSQL 8.3 or later
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
* SQLite 3.3.7 or later
  RevisionRecord and its subclasses.
* Oracle 9.0.1 or later
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* Microsoft SQL Server 2005 (9.00.1399)
* The global function wfCountDown is now deprecated in favor of
  Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
  have been deprecated in favor of similar methods that also return the tables
  to select from and the join conditions for those tables.
  * Block::selectFields() → Block::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
  * LocalFile::selectFields() → LocalFile::getQueryInfo()
  * LocalFile::getCacheFields() with a prefix no longer works
  * LocalFile::getLazyCacheFields() with a prefix no longer works
  * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
  * Revision::selectFields() → Revision::getQueryInfo()
  * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
  * User::selectFields() → User::getQueryInfo()
  * WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
  should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
  override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
  Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated; use instead the hook
  RevisionRecordInserted. RevisionInsertComplete is still called, but the second
  and third parameter will always be null. Hard deprecation is scheduled for 1.32.
* The following methods that get and set ParserOutput state are deprecated.
  Callers should use the new stateless $options parameter to
  ParserOutput::getText() instead.
  * ParserOptions::getEditSection()
  * ParserOptions::setEditSection()
  * ParserOutput::getEditSectionTokens()
  * ParserOutput::setEditSectionTokens()
  * ParserOutput::getTOCEnabled()
  * ParserOutput::setTOCEnabled()
  * OutputPage::enableSectionEditLinks()
  * OutputPage::sectionEditLinksEnabled()
  * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
    are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
  Setting template variables by reference allowed violating the principle of
  data being immutable once added to the skin template. In practice, this method
  was not being used for that. Rather, setRef() existed as memory optimisation
  for PHP 4.
* QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
  favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
  wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
  'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced class
  \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
  used instead.
* CommentStore::newKey is deprecated. Instead, get an instance from
  MediaWikiServices.
* The following CommentStore methods have had their signatures changed to
  introduce a $key parameter, usage of the methods on instances retrieved from
  CommentStore::newKey will remain unchanged but deprecated:
  * CommentStore::getFields
  * CommentStore::getJoin
  * CommentStore::getComment
  * CommentStore::getCommentLegacy
  * CommentStore::insert
  * CommentStore::insertWithTemplate
* The following methods in Title have been renamed, and the old ones are
  deprecated:
  * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
  * Title::isCssOrJsPage – use ::isSiteConfigPage
  * Title::isCssJsSubpage – use ::isUserConfigPage
  * Title::isCssSubpage – use ::isUserCssConfigPage
  * Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
  * Parser::serializeHalfParsedText()
  * Parser::unserializeHalfParsedText()
  * Parser::isValidHalfParsedText()
  * StripState::getSubState()
  * StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
  deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
  used instead.
* The function wfShellWikiCmd() has been deprecated, use
  MediaWiki\Shell::makeScriptCommand().
* In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
  will be allowed to provide any HTMLForm object rather than PreferencesForm.


=== Upgrading ===
=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was dropped entirely. Opera 15+
  continues at Grade A.
* Multi-content-revision capability was introduced into the storage layer. See
  <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext.
  Links written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
  wikitext table captions, wikitext table headings, wikitext table cells. HTML
  headings, HTML list items, HTML table captions, HTML table headings, HTML
  table cells will not have this trimming behavior.


1.27 has several database changes since 1.26, and will not work without schema
== MediaWiki 1.30.1 ==
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).


If upgrading from before 1.11, and you are using a wiki as a commons
This is a security and maintenance release of the MediaWiki 1.30 branch.
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.


If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
=== Changes since MediaWiki 1.30.0 ===
new database fields are filled with data.
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker.
* (T179190) selenium: Move logic for running tests from package.json to selenium.sh
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* Add default edit rate limit of 90 edits/minute for all users.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* oojs/oojs-ui updated to remove an unnecessary dependancy.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T193995) Fix undefined patchPath() method call in parser tests.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.
* (T190539) Explicitly require Postgres 9.1.
* (T118420) Unbreak Oracle installer.


If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
== MediaWiki 1.30 ==
1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed
with MediaWiki 1.21.


Don't forget to always back up your database before upgrading!
=== Changes since MediaWiki 1.30.0-rc.0 ===
* Upgraded Moment.js from v2.15.0 to v2.19.3.
* Add ip_changes to postgres/tables.sql.
* Skip null shell parameters.
* Add wfWaitForSlaves() to maintenance/migrateComments.php.
* (T182245) Fix join conditions in ImageListPager.
* (T178626) Revert #contentSub and #jump-to-nav margin changes.


See the file UPGRADE for more detailed upgrade instructions.
=== MySQL version requirement in 1.30 ===
As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
section).


For notes on 1.26.x and older releases, see HISTORY.
=== Configuration changes in 1.30 ===
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
  unexpected behavior when code uses locale-sensitive string comparisons. For
  example, the Scribunto extension considers "bar" < "Foo" in most locales
  since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
  documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
  deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
  class names. This is intended for extensions that want control over the
  instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative
  to plain class names, using the 'factory' key in the module description
  array. This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
  of IP ranges that can be queried at Special:Contributions.
* (T45547) $wgUsePigLatinVariant added (off by default).
* (T152540) MediaWiki now supports a section ID escaping style that allows to display
  non-Latin characters verbatim on many modern browsers. This is controlled by the
  new configuration setting, $wgFragmentMode.
* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version,
  use $wgFragmentMode to migrate off it to a modern alternative.
* $wgExternalInterwikiFragmentMode was introduced to control how fragments in
  sinterwikis going outside of current wiki farm are encoded.
* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'.
  This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki
  auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly
  requested through the configuration parameter $wgDBservers.
* $wgOOUIEditPage was removed, as it is now the default. This was documented as a
  temporary variable during the migration period.


=== New features in 1.30 ===
* (T37247) Output from Parser::parse() will now be wrapped in a div with
  class="mw-parser-output" by default. This may be changed or disabled using
  ParserOptions::setWrapOutputClass().
* (T163562) Added ability to search for contributions within an IP ranges
  at Special:Contributions.
* Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
  specific tags to be added by users.
* Added a 'ParserOptionsRegister' hook to allow extensions to register
  additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
  LanguageConverter variant.  This allows English-speaking developers
  to develop and test LanguageConverter more easily.  Pig Latin can be
  enabled by setting $wgUsePigLatinVariant to true.
* Added RecentChangesPurgeRows hook to allow extensions to purge data that
  depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
* (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
  'watchlistunwatchlinks' preference option is enabled). With JavaScript
  enabled, these links toggle so the user can also re-watch pages that have
  just been unwatched.
* Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
  MediaHandlerFactory for parser tests.
* Edit summaries, block reasons, and other "comments" are now stored in a
  separate database table. Use the CommentFormatter class to access them.
** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
  can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
  soon as any necessary extensions are updated.
* (T138166) Added ability for users to prohibit other users from sending them
  emails with Special:Emailuser. Can be enabled by setting
  $wgEnableUserEmailBlacklist to true.
* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect.
  Instead, users using browsers that do not support Unicode will be unable to edit
  and should upgrade to a modern browser instead.


= MediaWiki 1.26 =
=== External library changes in 1.30 ===


== MediaWiki 1.26.2 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.1 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.26.1.
== MediaWiki 1.26.1 ==
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.0 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
  that do not begin with a slash. This enabled trivial XSS attacks.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
  error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
  with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
  longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
  result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
  and related pages no longer use HTTP redirects and are now redirected by
  MediaWiki
* Fixed ConfigException in ExpandTemplates due to AlwaysUseTidy.
* Fixed stray literal \n in Special:Search.
* Fix issue that breaks HHVM Repo Authorative mode.
* (T120267) Work around APCu memory corruption bug
== MediaWiki 1.26.0 ==
=== Configuration changes in 1.26 ===
* $wgPasswordResetRoutes['email'] = true by default.
* $wgEnableParserCache was deprecated, set $wgParserCacheType to CACHE_NONE
  instead if you want to disable the parser cache.
* New-style continuation is now the default for API action=continue. Clients may
  use the 'rawcontinue' parameter to receive raw query-continue data, but the
  new style is encouraged as it's harder to implement incorrectly.
* Deprecated API formats dump and wddx have been completely removed.
* (T7645) The "Signature" button on the edit toolbar is now hidden by default
  in non-talk namespaces. A new configuration variable,
  $wgExtraSignatureNamespaces, controls in which subject (non-talk) namespaces
  the "Signature" button on the edit toolbar will be displayed.
* $wgResourceLoaderUseESI was deprecated and removed. This was an experimental
  feature that was never enabled by default.
* $wgResourceLoaderExperimentalAsyncLoading was deprecated and removed.
  This experimental feature was never enabled by default and is obsolete as of
  MediaWiki 1.26, in where ResourceLoader became fully asynchronous.
* $wgMasterWaitTimeout was removed (deprecated in 1.24).
* Fields in ParserOptions are now private. Use the accessors instead.
* Custom LESS functions (defined via $wgResourceLoaderLESSFunctions or
  in extension.json) have been removed, after being deprecated in 1.24.
* $wgAlwaysUseTidy has been removed.
* ResetSessionID hook has been removed. Nothing seems to use it.
* Certain AuthPlugin methods are deprecated in favor of new hooks:
** AuthPlugin::initUser() is replaced by LocalUserCreated.
** AuthPlugin::updateUser() is replaced by UserLoggedIn.
** AuthPlugin::updateExternalDB() is replaced by the existing UserSaveSettings.
** AuthPlugin::updateExternalDBGroups() is replaced by UserGroupsChanged.
** AuthPluginUser::isHidden() is replaced by UserIsHidden.
** AuthPluginUser::isLocked() is replaced by UserIsLocked.
* The UserRights hook is deprecated in favor of the new UserGroupsChanged hook.
* AuthPlugin::initUser() and AuthPlugin::updateUser() should no longer replace
  the passed User object.
* $wgBlockAllowsUTEdit is now set to true by default. This allows
  blocked users to edit their talk pages unless explicitly disabled
  when they are being blocked.
=== New features in 1.26 ===
* (T51506) Now action=info gives estimates of actual watchers for a page.
  See $wgRCMaxAge, $wgWatchersMaxAge and $wgUnwatchedPageSecret
  to learn how to configure if needed.
* Change tags can now be hidden in the interface by disabling the associated
  "tag-<id>" interface message.
* ':' (colon) is now invalid in usernames for new accounts. Existing accounts
  are not affected.
* Added a new hook, 'LogException', to log exceptions in nonstandard ways.
* Revive the 'SpecialSearchResultsAppend' hook which occurs after the list of
  search results are rendered. The initial use case is to append a "give us
  feedback" link beneath the search results.
* Added a new hook, 'RejectParserCacheValue', which allows extensions to
  reject an otherwise-successful parser cache lookup. The intent is to allow
  extensions to manage the eviction of archaic HTML output from the cache.
* (T68699) The expiration of the UserID and Token login cookies
  ($wgExtendedLoginCookieExpiration) can be configured independently of the
  expiration of all other cookies ($wgCookieExpiration).
* (T50519) Support for generating JPEG/PNG thumbnails from WebP images added
  if ImageMagick is used as image scaler ($wgUseImageMagick = true). Uploading
  of WebP images still disabled by default. Add $wgFileExtensions[] =
  'webp'; to LocalSettings.php to enable uploading of WebP images.
* Added new hooks 'EnhancedChangesListModifyLineData' &
  'EnhancedChangesListModifyBlockLineData', to modify the data used to build
  lines in enhanced recentchanges and watchlist.
* Caches that need purging ability now use the WANObjectCache interface.
  This corresponds to a new $wgMainWANCache setting, which defaults to using
  the $wgMainCacheType settings.
* Callers needing fast light-weight data stores use $wgMainStash to select
  the store type from $wgObjectCaches. The default is the local database.
* Interface message overrides in the MediaWiki namespace will now be cached in
  memcached and APC (if available), rather than memcached and local files.
* Added a new hook, 'RandomPageQuery', to allow modification of the query used
  by Special:Random to select random pages.
* $wgTransactionalTimeLimit was added, which controls the request time limit
  for potentially slow POST requests that need to be as atomic as possible.
* ResourceLoader now loads all scripts asynchronously. The top-queue and
  startup modules are no longer synchronously loaded.
* 'mediawiki.ui.button' styles are no longer unconditionally loaded on every
  page. During the deprecation period, the styles will only be loaded on pages
  which contain 'mw-ui-button' in their HTML. Starting in 1.28, the styles will
  only be loaded if explicitly required.
* If search returns zero results and current search engine has a "did you mean"
  suggestion, results for suggestion will be shown. Can be disabled by setting
  $wgSearchRunSuggestedQuery to false.
* Added several JavaScript libraries for uploading files to MediaWiki
  from the client-side. See documentation for mw.Upload and its
  subclasses for more information.
* Added OOUI dialogs and layout for file upload interfaces. See
  documentation for mw.Upload.Dialog, mw.Upload.BookletLayout and its
  subclasses for more information.
=== extension.json changes in 1.26 ===
* (T99344) The extension.json schema is now versioned. All extensions
  and skins should set a "manifest_version" property corresponding to
  the schema version they were written for. The only supported version
  currently is "1".
* (T102523) The error message if a non-array attribute is set was improved.
* (T107646) Configuration settings can now specify how they should be merged,
  which is necessary for arrays using integer keys.
* (T110389) Adding namespaces through extension.json now actually works
* $wgNamespaceProtection can now be set in extension.json.
* $wgCapitalLinkOverrides can now be set in extension.json.
* (T97186) Extensions using a custom prefix for their configuration settings
  can now set a "_prefix" key to override the default of "wg".
* (T99084) Extensions can now specify what MediaWiki core versions they
  depend upon.
* (T105236) The extension.json schema now validates custom classes in
  the "ResourceModules" property properly.
=== External library changes in 1.26 ===
==== Upgraded external libraries ====
==== Upgraded external libraries ====
* Updated es5-shim from v4.0.0 to v4.1.5.
* Updated justinrainbow/json-schema from v3.0 to v5.2.
* Updated json2 from revision 2014-02-04 to 2015-05-03.
* Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
* Updated Sinon.JS from 1.10.3 to 1.15.4.
* Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
* Updated jQuery Client from v1.0.0 to v2.0.0.
* Updated wikimedia/relpath from v1.0.3 to v2.0.0.
* Updated QUnit from v1.17.1 to v1.18.0.
* Updated OOjs from v2.0.0 to v2.1.0.
* Updated liuggio/statsd-php-client from v1.0.12 to v1.0.16.
* Updated OOUI from v0.21.1 to v0.23.0.
* Updated oojs/oojs-ui from v0.11.3 to v0.12.12.
* Updated QUnit from v1.23.1 to v2.4.0.
* Updated wikimedia/cdb from v1.0.1 to v1.3.0.
* Updated phpunit/phpunit from v4.8.35 to v4.8.36.
* Updated wikimedia/utfnormal from v1.0.2 to v1.0.3.
* Upgraded Moment.js from v2.15.0 to v2.19.3.
* Updated wikimedia/composer-merge-plugin from v1.0.0 to v1.3.0.
* Updated zordius/lightncandy from v0.18 to v0.21.


==== New external libraries ====
==== New external libraries ====
* Added composer/semver v1.0.0.
* The class \TestingAccessWrapper has been moved to the external library
* Added mediawiki/at-ease v1.1.0.
  wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
* Added wikimedia/assert v0.2.2.
* Purtle, a fast, lightweight RDF generator.
* Added wikimedia/ip-set v1.0.1.
* Added wikimedia/wrappedstring v2.0.0.


==== Removed and replaced external libraries ====
==== Removed and replaced external libraries ====
* Replaced leafo/lessphp v0.5.0 with oyejorge/less.php v1.7.0.9.
*


=== Bug fixes in 1.26 ===
=== Bug fixes in 1.30 ===
* (T53283) load.php sometimes sends 304 response without full headers
* (T151633) Ordered list items use now Devanagari digits in Nepalese
* (T65198) Talk page tabs now have a "rel=discussion" attribute
  (thanks to Sfic)
* (T98841) {{msgnw:}} now preserves comments even when subst: is not used.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
  value if set to an empty string.


=== Action API changes in 1.26 ===
=== Action API changes in 1.30 ===
* New-style continuation is now the default for action=continue. Clients may
* (T37247) action=parse output will be wrapped in a div with
   use the 'rawcontinue' parameter to receive raw query-continue data, but the
  class="mw-parser-output" by default. This may be changed or disabled using
  new style is encouraged as it's harder to implement incorrectly.
   the new 'wrapoutputclass' parameter.
* Deprecated API formats dump and wddx have been completely removed.
* When errorformat is not 'bc', abort reasons from action=login will be
* API action=query&list=tags: The displayname can now be boolean false if the
   formatted as specified by the error formatter parameters.
   tag is meant to be hidden from user interfaces.
* action=compare can now handle arbitrary text, deleted revisions, and
* action=import no longer allows both the namespace= and rootpage= parameters
   returning users and edit comments.
  to be set. If they are both set, the value of rootpage= will be ignored.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
* prop=revision output in enum mode is now sorted by timestamp rather than
   'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
   revision ID. This usually won't make any difference.
   parameters to prop=revisions are deprecated, as are the similarly named
* (T102645) Namespace list from meta=siteinfo&siprop=namespaces is now an array
   parameters to prop=deletedrevisions, list=allrevisions, and
   with formatversion=2.
   list=alldeletedrevisions. Use action=compare, action=parse, or
* Various other output from meta=siteinfo will now always be arrays instead of
   action=expandtemplates instead.
   sometimes being numerically-indexed objects with formatversion=2.
* When errors about users being blocked are returned, they now include
   information about the relevant block.
* (T99926) list=random has higher limits, in line with other API modules.
* list=random's rnredirect parameter is deprecated in favor of a new
  rnfilterredir parameter that also allows for listing both redirects and
   non-redirects.
* list=random now supports continuation.
* API responses to GET requests may now include ETag and Last-Modified headers,
   and will honor corresponding If-None-Match and If-Modified-Since on such
  requests.


=== Action API internal changes in 1.26 ===
=== Action API internal changes in 1.30 ===
* New metadata item ApiResult::META_KVP_MERGE to allow for merging the KVP key
* ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
  into the value when the value is an assoc.
   deprecated. The existing message should be split between "apihelp-*-summary"
* API action modules may now provide values for the RFC 7232 ETag and
   and "apihelp-*-extended-description".
   Last-Modified headers. The API will check these against If-None-Match and
* (T123931) Individual values of multi-valued parameters can now be marked as
   If-Modified-Since request headers on GET requests and avoid executing the
  deprecated.
  module when appropriate.
 
=== Languages updated in 1.26 ===


=== Languages updated in 1.30 ===
MediaWiki supports over 350 languages. Many localisations are updated
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
changes to languages because of Phabricator reports.


* Languages added:
* Added: kbp (Kabɩyɛ / Kabiyè)
** ase (American sign language), thanks to translator Icemandeaf
* Added: skr (Saraiki, سرائیکی)
** dty (डोटेली/Doteli), thanks to translators जनक राज भट्ट, बिप्लब आनन्द,
* Added: tay (Tayal / Atayal)
  मेश सिंह बोहरा, and राम प्रसाद जोशी
* Removed: tokipona (Toki Pona)
** luz (لئری دوٙمینی / Southern Luri)
** olo (Livvinкarjala / Livvi-Karelian), thanks to translators Denö, Hiloin Natoi,
  Ilja.mos, and Mashoi7


=== Other changes in 1.26 ===
==== Pig Latin added ====
* ChangeTags::tagDescription() will return false if the interface message
* (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
  for the tag is disabled.
   for easier variant development and testing. Disabled by default. It can be
* Added PageHistoryPager::doBatchLookups hook.
   enabled by setting $wgUsePigLatinVariant to true.
* Added $wikiId parameter to FormatAutocomments hook.
* Added ParserCacheSaveComplete to ParserCache
* supportsDirectEditing and supportsDirectApiEditing methods added to
  ContentHandler, to provide a way for ApiEditPage and EditPage to check
  if direct editing of content is allowed. These methods return false,
  by default for the ContentHandler base class and true for TextContentHandler
  and it's derivative classes (everything in core). For Content types that
  do not support direct editing, an alternative mechanism should be provided
  for editing, such as action overrides or specific api modules.
* mediaWiki.confirmCloseWindow now returns an object of functions, instead of
  one function. The callback can't be called directly any more. The callback
  function is replaced with confirmCloseWindow.release().
* BREAKING CHANGE: Added an optional ResouceLoaderContext parameter to
  ResourceLoaderModule::getDependencies(). Extension classes that override that
  method should be updated. If they aren't updated, PHP Strict standards
  warnings will appear when E_STRICT error reporting is enabled. Note: in the
  near future, this parameter will probably become non-optional.
* Removed maintenance script deleteImageMemcached.php.
* MWFunction::newObj() was removed (deprecated in 1.25).
  ObjectFactory::getObjectFromSpec() should be used instead.
* The parser will no longer randomize the string it uses to mark the place of
  items that were stripped during parsing. It will use a fixed string instead.
  This causes the parser to re-use the regular expressions it uses to search
  and replace markers rather than generate novel expressions on each parse.
  Re-using regular expressions will improve performance on HHVM and the
  forthcoming PHP 7. The interfaces changes accompanying this change are:
  - Parser::getRandomString() and Parser::uniqPrefix() have been deprecated.
   - The $uniq_prefix argument for Parser::extractTagsAndParams() and the
    $prefix argument for StripState::_construct() are deprecated and their
    value is ignored.
* wfSuppressWarnings() and wfRestoreWarnings() were split into a separate library,
  mediawiki/at-ease, and are now deprecated. Callers should use
  MediaWiki\suppressWarnings() and MediaWiki\restoreWarnings() directly.
* The Block class constructor now takes an associative array of parameters
  instead of many optional positional arguments. Calling the constructor the old
  way will issue a deprecation warning.
* The jquery.mwExtension module was deprecated.
* $wgSpecialPageGroups was removed (deprecated in 1.21).
* SpecialPageFactory::setGroup was removed (deprecated in 1.21).
* SpecialPageFactory::getGroup was removed (deprecated in 1.21).
* DatabaseBase::ignoreErrors() is now protected.
* BREAKING CHANGE: mediawiki.legacy.ajax has been removed, following
  a lengthy deprecation period.
* The ScopedPHPTimeout class was removed.
* Removed maintenance script fixSlaveDesync.php.
* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
  are deprecated. Applications using those can work via the OAuth
   extension instead. New tokens types should not be added.
* DatabaseBase::errorCount() was removed (unused).
* $wgDeferredUpdateList was removed.
* DeferredUpdates::addHTMLCacheUpdate() was removed.


= MediaWiki 1.25 =
=== Other changes in 1.30 ===
* The use of an associative array for $wgProxyList, where the IP address is in
  the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
  Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
* mw.user.bucket (deprecated in 1.23) was removed.
* LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
  deprecated. There are no known callers.
* File::getStreamHeaders() was deprecated.
* MediaHandler::getStreamHeaders() was deprecated.
* Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
  used instead.
* MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
  should be used instead.
* The ExtractThumbParameters hook (deprecated in 1.21) was removed.
* The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
  deprecated in 1.24) were removed.
* wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
  BagOStuff::makeGlobalKey() should be used instead.
* (T146304) Preprocessor handling of LanguageConverter markup has been improved.
  As a result of the new uniform handling, '-{' may need to be escaped
  (for example, as '-<nowiki/>{') where it occurs inside template arguments
  or wikilinks.
* (T163966) Page moves are now counted as edits for the purposes of
  autopromotion, i.e., they increment the user_editcount field in the database.
* Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
  manipulating Special:Log and Special:NewPages lines.
* The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
  PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding
  hooks have an additional parameter, for manipulating HTML data attributes of
  RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the
  $data['attribs'] subarray.
* (T130632) The OutputPage::enableTOC() method was removed.
* WikiPage::getParserOutput() will now throw an exception if passed
  ParserOptions that would pollute the parser cache. Callers should use
  WikiPage::makeParserOptions() to create the ParserOptions object and only
  change options that affect the parser cache key.
* Article::viewRedirect() is deprecated.
* IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
* DeprecatedGlobal no longer supports passing in a direct value, it requires a
  callable factory function or a class name.
* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton()
  are all deprecated. The main ParserCache instance should be obtained from
  MediaWikiServices instead. Access to the underlying BagOStuff is possible
  through the new ParserCache::getCacheStorage() method.
* .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
* Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
  escapeIdForLink() or escapeIdForExternalInterwiki() instead.
* Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
  Sanitizer functions or, if possible, Title::getFragmentForURL().
* Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
  nothing and is deprecated.
* mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
  escapeIdForLink().
* MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
* WikiImporter now requires the second parameter to be an instance of the Config,
  class. Prior to that, the Config parameter was optional (a behavior deprecated in
  1.25).
* Removed 'jquery.mwExtension' module. (deprecated since 1.26)
* mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
  any more.
* CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
  The namespaced classes in the Cdb namespace should be used instead.
* IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
  should be used instead.
* RunningStat class (deprecated in 1.27) was removed. The namespaced
  RunningStat\RunningStat should be used instead.
* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed.
  The MemcachedClient class should be used instead.
* EditPage underwent some refactoring and deprecations:
  * EditPage::isOouiEnabled() is deprecated and will always return true.
  * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please
    use ::getSummaryInputWidget() instead.
  * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
    use ::getCheckboxesWidget() instead.
  * Creating an EditPage instance without calling EditPage::setContextTitle() should
    be avoided and will be deprecated in a future release.
  * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops.
  * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The
    corresponding methods from Title should be used instead.
  * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
  * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters
    ::getArticle() and ::getTitle() should be used instead.
  * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut,
    and $wgLang is no longer supported and won't work. The IContextSource returned from
    EditPage::getContext() must be modified instead.
* Parser::getRandomString() (deprecated in 1.26) was removed.
* Parser::uniqPrefix() (deprecated in 1.26) was removed.
* Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
  $uniq_prefix was deprecated in 1.26 and has now been removed.
* (T172514) The following tables have had their UNIQUE indexes turned into proper
  PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks,
  langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats,
  templatelinks, text, transcache, user_former_groups, user_properties.
* IDatabase::nextSequenceValue() is no longer needed by any database backends
  (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a
  PRIMARY KEY.
* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
  page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
  user_properties.up_user have all been made unsigned on MySQL.
* DB_SLAVE is deprecated. DB_REPLICA should be used instead.
* wfUsePHP() is deprecated.
* wfFixSessionID() was removed.
* wfShellExec() and related functions are deprecated, use Shell::command(). This also
  slightly changes the behavior of how execution time limits are calculated when only
  some of defaults are overridden per-call. When in doubt, always override both wall
  clock and CPU time.
* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending
  user object. Using the method without the second argument is deprecated.
* (T67297) Browsers that don't support Unicode will have their edits rejected.
* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future
  release. For notifying the user of an event, the Notifications ("Echo") system
  should be used instead.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.


== MediaWiki 1.25.5 ==
== MediaWiki 1.29.3 ==


This is a maintenance release of the MediaWiki 1.25 branch.
This is a security and maintenance release of the MediaWiki 1.29 branch.


=== Changes since 1.25.4 ===
=== Changes since 1.29.2 ===
* (T121892) Fix fatal error on some Special pages, introduced in 1.25.4.
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T180551) Fix LanguageSrTest for language converter
* (T180552) Fix langauge converter parser test with self-close tags
* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
* (T180485) InputBox: Have inputbox langconvert certain attributes
* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
* (T172927) Drop vendor from MW release branch
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
* (T182381) Mask deprecated call in WatchedItemUnitTest
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* The karma qunit tests would fail on some configuration due to headers already
  sent. Check headers_sent() before sending cpPosTime headers
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker
* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
  fails under SQLite.
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* (T179190) selenium: Move test running logic from package.json to selenium.sh.
* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
* Add default edit rate limit of 90 edits/minute for all users.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T194237) Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T118420) Unbreak Oracle installer.


== MediaWiki 1.25.4 ==
== MediaWiki 1.29.2 ==


This is a security and maintenance release of the MediaWiki 1.25 branch.
This is a security and maintenance release of the MediaWiki 1.29 branch.


=== Changes since 1.25.3 ===
=== Changes since 1.29.1 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
  that do not begin with a slash. This enabled trivial XSS attacks.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
* Fixed login button label to accept RawMessage.
   error.
* Fixed case of SpecialRecentChanges class usage.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T174255) Declare uploadCount property in importDump.php.
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
* (T163646) Pass a string not an int to mysql_real_escape_string().
  with '@' as file uploads
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
  longer be shorter than $wgMinimalPasswordLength
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
   sends non-standard url escaping.
  result in improper blocks being issued
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
* (T128209) SECURITY: Reflected File Download from api.php.
  and related pages no longer use HTTP redirects and are now redirected by
* (T134100) SECURITY: Do not reveal if user exists during login failure.
  MediaWiki
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T103237) $wgUseGzip had no effect when using file cache.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T114606) mw.notify was not correctly fixed to the page if
* (T180237) SECURITY: Protect vendor folder with .htaccess.
   initialized while not at the top of the page.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* Fix issue that breaks HHVM Repo Authorative mode.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
   branches in the previous security release.
* (T200861) Fix total breakage of SQLite web upgrade.


== MediaWiki 1.25.3 ==
== MediaWiki 1.29.1 ==


This is a security and maintenance release of the MediaWiki 1.25 branch.
This is a maintenance release of the MediaWiki 1.29 branch.


=== Changes since 1.25.2 ===
The SpamBlacklist and PdfHandler extensions were missing from the generated
packages.


* (T98975) Fix having multiple callbacks for a single hook.
=== Changes since 1.29.1 ===
* (T107632) maintenance/refreshLinks.php did not always remove all links
* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
  pointing to nonexistent pages.
* (T172061) Fix fatal when passing a category to refreshLinks.php.
* (T104142) $wgEmergencyContact and $wgPasswordSender now use their default
  value if set to an empty string.
* (T62174) Provide fallbacks for use of mb_convert_encoding() in
  HtmlFormatter. It was causing an error when accessing the api help page
  if the mbstring PHP extension was not installed.
* (T105896) Confirmation emails would sometimes contain invalid codes.
* (T105597) Fixed edit stash inclusion queries.
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
  first
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails


== MediaWiki 1.25.2 ==
== MediaWiki 1.29 ==


This is a security and maintenance release of the MediaWiki 1.25 branch.
=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
  expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
  determines whether to set a cookie when a user is autoblocked. Doing so means
  that a blocked user, even after logging out and moving to a new IP address,
  will still be blocked.
* The resetpassword right and associated password reset capture feature has
  been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
  or boolean false. This should be compatible with at least MediaWiki 1.23 if
  not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
  policies.
* Subpages are now enabled by default in the Template namespace. Set
  $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
  added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in it's
  fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
  'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.


=== Changes since 1.25.1 ===
=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
  if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
  exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
  dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
  downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
  via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
  from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
  of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
  browsers had poor support for them, but modern browsers handle them fine.
  This might affect some forms that used them and only worked because the
  attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
  structures filters into user-friendly groups.  This has corresponding
  changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
  Because this change can cause problems for extensions and on-wiki
  scripts depending on the exact HTML, the old version is still available
  and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
  This will be removed later and OOjs UI will become the only option.
  To make testing easier, users can also force either mode by adding
  &ooui=true or &ooui=false to the action=edit URL.


* (T94116) SECURITY: Compare API watchlist token in constant time
=== External library changes in 1.29 ===
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
  Special:DeletedContributions
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
  policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to
  false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when
  $wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has
  a "manifest_version" property for 1.26 compatability will no longer
  trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as
  page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly
  named variable. Add an additional check that an index is defined.


== MediaWiki 1.25.1 ==
==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.


This is a bug fix release of the MediaWiki 1.25 branch.
==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.


=== Changes since 1.25 ===
==== Removed and replaced external libraries ====
* (T100351) Fix syntax errors in extension.json of ConfirmEdit extension
 
== MediaWiki 1.25.0 ==


=== Configuration changes in 1.25 ===
=== Bug fixes in 1.29 ===
* $wgPageShowWatchingUsers was removed.
* (T62604) Core parser functions returning a number now format the number according
* $wgLocalVirtualHosts has been added to replace $wgConf->localVHosts.
  to the page content language, not wiki content language.
* $wgAntiLockFlags was removed.
* (T27187) Search suggestions based on jquery.suggestions will now correctly only
* $wgJavaScriptTestConfig was removed.
   highlight prefix matches in the results.
* Edit tokens returned from User::getEditToken may change on every call. Token
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
   validity must be checked by passing the user-supplied token to
* Special:Allpages can no longer be filtered by redirect in miser mode.
  User::matchEditToken rather than by testing for equality with a
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
  newly-generated token.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
* (T74951) The UserGetLanguageObject hook may be passed any IContextSource
   to interwiki links.
  for its $context parameter. Formerly it was documented as receiving a
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  RequestContext specifically.
   $wgAdvancedSearchHighlighting is true.
* Profiling was restructured and $wgProfiler now requires an 'output' parameter.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  See StartProfiler.sample for details.
   their values out of the logs.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  might be a flash policy directive configurable.
   token.
* ApiOpenSearch now supports XML output. The OpenSearchXml extension should no
* (T156184) SECURITY: Escape content model/format url parameter in message.
  longer be used. If extracts and page images are desired, the TextExtracts and
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
   PageImages extensions are required.
   declaration.
* $wgOpenSearchTemplate is deprecated in favor of $wgOpenSearchTemplates.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
* Edits are now prepared via AJAX as users type edit summaries. This behavior
   in it's fallback chain when trying to work out where to write the cache.
   can be disabled via $wgAjaxEditStash.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
* (T46740) The temporary option $wgIncludejQueryMigrate was removed, along
   syntax's link parameter.
  with the jQuery Migrate library, as indicated when this option was provided in
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  MediaWiki 1.24.
   it.
* ProfilerStandard and ProfilerSimpleTrace were removed. Make sure that any
  StartProfiler.php config is updated to reflect this. Xhprof is available
   for zend/hhvm. Also, for hhvm, one can consider using its xenon profiler.
* Default value of $wgSVGConverters['rsvg'] now uses the 'rsvg-convert' binary
  rather than 'rsvg'.
* Default value of $wgSVGConverters['ImageMagick'] now uses transparent
   background with white fallback color, rather than just white background.
* MediaWikiBagOStuff class removed, make sure any object cache config
  uses SqlBagOStuff instead.
* The 'daemonized' flag must be set to true in $wgJobTypeConf for any redis
   job queues. This means that mediawiki/services/jobrunner service has to
   be installed and running for any such queues to work.
* $wgAutopromoteOnce no longer supports the 'view' event. For keeping some
   compatibility, any 'view' event triggers will still trigger on 'edit'.
* $wgExtensionDirectory was added for when your extensions directory is somewhere
   other than $IP/extensions (as $wgStyleDirectory does with the skins directory).


=== New features in 1.25 ===
=== Action API changes in 1.29 ===
* (T64861) Updated plural rules to CLDR 26. Includes incompatible changes
* Submitting sensitive authentication request parameters to action=login,
   for plural forms in Russian, Prussian, Tagalog, Manx and several languages
   action=clientlogin, action=createaccount, action=linkaccount, and
   that fall back to Russian.
   action=changeauthenticationdata in the query string is now an error. They
* (T60139) ResourceLoaderFileModule now supports language fallback
   should be submitted in the POST body instead.
   for 'languageScripts'.
* The capture option for action=resetpassword has been removed
* Added a new hook, "ContentAlterParserOutput", to allow extensions to modify the
* action=clearhasmsg now requires a POST.
  parser output for a content object before links update.
* (T47843) API errors and warnings may be requested in non-English languages
* (T37785) Enhanced recent changes and extended watchlist are now default.
   using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
  Documentation: https://meta.wikimedia.org/wiki/Special:MyLanguage/Help:Enhanced_recent_changes
* API error codes may have changed. Most notably, errors from modules using
  and https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:$wgDefaultUserOptions.
   parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* (T69341) SVG images will no longer be base64-encoded when being embedded
* ApiPageSet-using modules will report the 'invalidreason' using the specified
   in CSS. This results in slight size increase before gzip compression (due to
   'errorformat'.
  percent-encoding), but up to 20% decrease after it.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
* Update jStorage to v0.4.12.
   'errors' subelements (as applicable) instead of 'message'.
* MediaWiki now natively supports page status indicators: icons (or short text
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
  snippets) usually displayed in the top-right corner of the page. They have
* action=move now reports errors when moving the talk page as an array under
  been in use on Wikipedia for a long time, implemented using templates and CSS
   key 'talkmove-errors', rather than using 'talkmove-error-code' and
   absolute positioning.
   'talkmove-error-info'. The format for subpage move errors has also changed.
  - Basic wikitext syntax: <indicator name="foo">[[File:Foo.svg|20px]]</indicator>
* action=revisiondelete no longer includes a "rendered" property on warnings
  - Usage instructions: https://www.mediawiki.org/wiki/Help:Page_status_indicators
  and errors for each item. Use errorformat=wikitext if you're wanting parsed
  - Adjusting custom skins to support indicators:
   output.
    https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Skinning#Page_status_indicators
* action=rollback no longer returns a "messageHtml" property. Use
* Edit tokens may now be time-limited: passing a maximum age to
   errorformat=html if you're wanting HTML formatting of error messages.
  User::matchEditToken will reject any older tokens.
* action=upload now reports optional stash failures as an array under key
* The debug logging internals have been overhauled, and are now using the
   'stasherrors' rather than a 'stashfailed' text string.
   PSR-3 interfaces.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
* Update CSSJanus to v1.1.1.
   no longer returns a 'message' on success.
* Update lessphp to v0.5.0.
* Added action=validatepassword to validate passwords for the account creation
* Added a hook, "ApiOpenSearchSuggest", to allow extensions to provide extracts
   and password change forms.
  and images for ApiOpenSearch output. The semantics are identical to the
* action=purge now requires a POST.
  "OpenSearchXml" hook provided by the OpenSearchXml extension.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
* PrefixSearchBackend hook now has an $offset parameter. Combined with $limit,
   which returns a list of languages with active LanguageConverter instances.
   this allows for pagination of prefix results. Extensions using this hook
* action=query&query=allpages will no longer filter redirects using a database
  should implement supporting behavior. Not doing so can result in undefined
   query in miser mode. This may result in less results being returned than were
  behavior from API clients trying to continue through prefix results.
   requested.
* Update jQuery from v1.11.1 to v1.11.3.
* External libraries installed via composer will now be displayed
  on Special:Version in their own section. Extensions or skins that are
  installed via composer will not be shown in this section as it is assumed
  they will add the proper credits to the skins or extensions section. They
  can also be accessed through the API via the new siprop=libraries to
  ApiQuerySiteInfo.
* Update QUnit from v1.14.0 to v1.16.0.
* Update Moment.js from v2.8.3 to v2.8.4.
* Special:Tags now allows for manipulating the list of user-modifiable change
   tags.
* Added 'managetags' user right and 'ChangeTagCanCreate', 'ChangeTagCanDelete',
   and 'ChangeTagCanCreate' hooks to allow for managing user-modifiable change
  tags.
* Added 'ChangeTagsListActive' hook, to separate the concepts of "defined" and
   "active" formerly conflated by the 'ListDefinedTags' hook.
* Added TemplateParser class that provides a server-side interface to cachable
   dynamically-compiled Mustache templates (currently uses lightncandy library).
* Clickable anchors for each section heading in the content are now generated
   and appear in the gutter on hovering over the heading.
* Added 'CategoryViewer::doCategoryQuery' and 'CategoryViewer::generateLink' hooks
  to allow extensions to override how links to pages are rendered within NS_CATEGORY
* (T19665) Special:WantedPages only lists page which having at least one red link
  pointing to it.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
  used for conditional registration of API modules.
* New hook 'EnhancedChangesList::getLogText' to alter, remove or add to the
   links of a group of changes in EnhancedChangesList.
* A full interface for StatsD metric reporting has been added to the context
   interface, reachable via IContextSource::getStats().
* Move the jQuery Client library from being mastered in MediaWiki as v0.1.0 to a
  proper, published library, which is now tagged as v1.0.0.
* A new message (defaulting to blank), 'editnotice-notext', can be shown to users
   when they are editing if no edit notices apply to the page being edited.
* (T94536) You can now make the sitenotice appear to logged-in users only by
  editing MediaWiki:Anonnotice and replacing its content with "". Setting it to
  "-" (default) will continue disable it and fallback to MediaWiki:Sitenotice.
* Modifying the tagging of a revision or log entry is now available via
   Special:EditTags, generally accessed via the revision-deletion-like interface
  on history pages and Special:Log is likely to be more useful.
* Added 'applychangetags' and 'changetags' user rights.
* (T35235) LogFormatter subclasses are now responsible for formatting the
   parameters for API log event output. Extensions should implement the new
  getParametersForApi() method in their log formatters.


==== External libraries ====
=== Action API internal changes in 1.29 ===
* MediaWiki now requires certain external libraries to be installed. In the past
* New methods were added to ApiBase to handle errors and warnings using i18n
  these were bundled inside the Git repository of MediaWiki core, but now they
   keys. Methods for using hard-coded English messages were deprecated:
  need to be installed separately. For users using the tarball, this will be taken
   * ApiBase::dieUsage() was deprecated
   care of and no action will be required. Users using Git will either need to use
   * ApiBase::dieUsageMsg() was deprecated
   composer to fetch dependencies or use the mediawiki/vendor repository which includes
   * ApiBase::dieUsageMsgOrDebug() was deprecated
   all dependencies for MediaWiki core and ones used in Wikimedia deployment. Detailed
   * ApiBase::getErrorFromStatus() was deprecated
   instructions can be found at:
  * ApiBase::parseMsg() was deprecated
   https://www.mediawiki.org/wiki/Download_from_Git#Fetch_external_libraries
  * ApiBase::setWarning() was deprecated
* The following libraries are now required:
* ApiBase::$messageMap is no longer public. Code attempting to access it will
** psr/log
  result in a PHP fatal error.
  This library provides the interfaces set by the PSR-3 standard (http://www.php-fig.org/psr/psr-3/)
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  which are used by MediaWiki internally via the
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  MediaWiki\Logger\LoggerFactory class.
  code for ApiBase::parseMsg() will no longer work.
  See the structured logging RfC (https://www.mediawiki.org/wiki/Special:MyLanguage/Requests_for_comment/Structured_logging)
* UsageException is deprecated in favor of ApiUsageException. For the time
  for more background information.
  being ApiUsageException is a subclass of UsageException to allow things that
** cssjanus/cssjanus
  catch only UsageException to still function properly.
  This library was formerly bundled with MediaWiki core and has been removed.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
  It automatically flips CSS for RTL support.
  ApiErrorFormatter_BackCompat, note that the result format has changed and
** leafo/lessphp
  various methods now take a module path rather than a module name.
  This library was formerly bundled with MediaWiki core and has been removed.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
  It compiles LESS files into CSS.
  from the message key, and maps some message keys for backwards compatibility.
** wikimedia/cdb
* API parameters may now be marked as "sensitive" to keep their values out of
  This library was formerly a part of MediaWiki core, and has been moved into a separate library.
  the logs.
  It provides CDB functions which are used in the Interwiki and Localization caches.
  More information about the library can be found at https://www.mediawiki.org/wiki/Special:MyLanguage/CDB.
** liuggio/statsd-php-client
  This library provides a StatsD client API for logging application metrics to a remote server.


=== Bug fixes in 1.25 ===
=== extension.json changes in 1.29 ===
* (T73003) No additional code will be generated to try to load CSS-embedded
* Extensions must set a value for "manifest_version" in their extension.json
  SVG images in Internet Explorer 6 and 7, as they don't support them anyway.
   or skin.json files. See
* (T69021) On Special:BookSources, corrected validation of ISBNs (both
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#manifest_version>
   10- and 13-digit forms) containing "X".
  for details.
* Page moving was refactored into a MovePage class. As part of that:
* Extensions can now specify dependencies upon other extensions by using the
** The AbortMove hook was removed.
  "requires" key. See
** MovePageIsValidMove is for extensions to specify whether a page
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#requires> for
  cannot be moved for technical reasons, and should not be overridden.
  more details.
** MovePageCheckPermissions is for checking whether the given user is
* (T151136) Functions set as the "callback" now recieve that extension's credits
  allowed to make the move.
   information as the first argument.
** Title::moveNoAuth() was deprecated. Use the MovePage class instead.
* (T149597) "PasswordPolicy" can be set in extension.json.
** Title::moveTo() was deprecated. Use the MovePage class instead.
** Title::isValidMoveOperation() broken down into MovePage::isValidMove()
  and MovePage::checkPermissions().
* (T18530) Multiple autocomments are now formatted in an edit summary.
* (T70361) Autocomments containing "/*" are parsed correctly.
* The Special:WhatLinksHere page linked from 'Number of redirects to this page'
  on action=info about a file page does not list file links anymore.
* (T78637) Search bar is not autofocused unless it is empty so that proper scrolling using arrow keys is possible.
* (T50853) Database::makeList() modified to handle 'NULL' separately when building IN clause
* (T85192) Captcha position modified in Usercreate template. As a result:
** extrafields parameter added to Usercreate.php to insert additional data
** 'extend' method added to QuickTemplate to append additional values to any field of data array
* (T86974) Several Title methods now load from the database when necessary
   (instead of returning incorrect results) even when the page ID is known.
* (T74070) Duplicate search for archived files on file upload now omits the extension.
  This requires the fa_sha1 field being populated.
* Removed rel="archives" from the "View history" link, as it did not pass
  HTML validation.
* $wgUseTidy is now set when parserTests are run with the tidy option to match
  output on wiki.
* (T37472) update.php will purge ResourceLoader cache unless --nopurge is passed to it.
* (T72109) mediawiki.language should respect $wgTranslateNumerals in convertNumber().


=== Action API changes in 1.25 ===
=== Languages updated in 1.29 ===
* (T67403) XML tag highlighting is now only performed for formats
  "xmlfm" and "wddxfm".
* action=paraminfo supports generalized submodules (modules=query+value),
  querymodules and formatmodules are deprecated
* action=paraminfo no longer outputs descriptions and other help text by
  default. If needed, it may be requested using the new 'helpformat' parameter.
* action=help has been completely rewritten, and outputs help in HTML
  rather than plain text.
* Hitting api.php without specifying an action now displays only the help for
  the main module, with links to submodule help.
* API help is no longer displayed on errors.
* 'uselang' is now a recognized API parameter; "uselang=user" may be used to
  explicitly select the language from the current user's preferences, and
  "uselang=content" may be used to select the wiki's content language.
* Default output format for the API is now jsonfm.
* Simplified continuation will return a "batchcomplete" property in the result
  when a batch of pages is complete.
* Pretty-printed HTML output now has nicer formatting and (if available)
  better syntax highlighting.
* Deprecated list=deletedrevs in favor of newly-added prop=deletedrevisions and
  list=alldeletedrevisions.
* prop=revisions will gracefully continue when given too many revids or titles,
  rather than just ignoring the extras.
* prop=revisions will no longer die if rvcontentformat doesn't match a
  revision's content model; it will instead warn and omit the content.
* If the user has the 'deletedhistory' right, action=query's revids parameter
  will now recognize deleted revids.
* prop=revisions may be used as a generator, generating revids.
* (T68776) format=json results will no longer be corrupted when
  $wgMangleFlashPolicy is in effect. format=php results will cleanly return an
  error instead of returning invalid serialized data.
* Generators may now return data for the generated pages when used with
  action=query.
* Query page data for generator=search and generator=prefixsearch will now
  include an "index" field, which may be used by the client for sorting the
  search results.
* ApiOpenSearch now supports XML output.
* ApiOpenSearch will now output descriptions and URLs as array indexes 2 and 3
  in JSON format.
* (T76051) list=tags will now continue correctly.
* (T76052) list=tags can now indicate whether a tag is defined.
* (T75522) list=prefixsearch now supports continuation
* (T78737) action=expandtemplates can now return page properties.
* (T78690) list=allimages now accepts multiple pipe-separated values
  for the 'aimime' parameter.
* prop=info with inprop=protections will now return applicable protection types
  with the 'restrictiontypes' key.
* (T85417) When resolving redirects, ApiPageSet will now add the targets of
  interwiki redirects to the list of interwiki titles.
* (T85417) When outputting the list of redirect titles, a 'tointerwiki'
  property (like the existing 'tofragment' property) will be set.
* Added action=managetags to allow for managing the list of
  user-modifiable change tags. Actually modifying the tagging of a revision or
  log entry is not implemented yet.
* list=tags has additional properties to indicate 'active' status and tag
  sources.
* siprop=libraries was added to ApiQuerySiteInfo to list installed external libraries.
* (T88010) Added action=checktoken, to test a CSRF token's validity.
* (T88010) Added intestactions to prop=info, to allow querying of
  Title::userCan() via the API.
* Default type param for query list=watchlist and list=recentchanges has
  been changed from all types (e.g. including 'external') to 'edit|new|log'.
* Added formatversion to format=json. Still "experimental" as further changes
  to the output formatting might still be made.
* (T73020) Log event details are now always under a 'params' subkey for
  list=logevents, and a 'logparams' subkey for list=watchlist and
  list=recentchanges.
* Log event details are changing formatting:
  * block events now report flags as an array rather than as a comma-separated
    list.
  * patrol events now report the 'auto' flag as a boolean (absent/empty string
    for BC formats) rather than as an integer.
  * rights events now report the old and new group lists as arrays rather than
    as comma-separated lists.
  * merge events use new-style formatting.
  * delete/event and delete/revision events use new-style formatting.
* The root node and various other nodes will now always be an object in formats
  such as json that distinguish between arrays and objects.
  * Except for action=opensearch where the spec requires an array.
 
=== Action API internal changes in 1.25 ===
* ApiHelp has been rewritten to support i18n and paginated HTML output.
  Most existing modules should continue working without changes, but should do
  the following:
  * Add an i18n message "apihelp-{$moduleName}-description" to replace getDescription().
  * Add i18n messages "apihelp-{$moduleName}-param-{$param}" for each parameter
    to replace getParamDescription(). If necessary, the settings array returned
    by getParams() can use the new ApiBase::PARAM_HELP_MSG key to override the
    message.
  * Implement getExamplesMessages() to replace getExamples().
* Modules with submodules (like action=query) must have their submodules
  override ApiBase::getParent() to return the correct parent object.
* The 'APIGetDescription' and 'APIGetParamDescription' hooks are deprecated,
  and will have no effect for modules using i18n messages. Use
  'APIGetDescriptionMessages' and 'APIGetParamDescriptionMessages' instead.
* Api formatters will no longer be asked to display the help screen on errors.
* ApiMain::getCredits() was removed. The credits are available in the
  'api-credits' i18n message.
* ApiFormatBase has been changed to support i18n and syntax highlighting via
  extensions with the new 'ApiFormatHighlight' hook. Core syntax highlighting
  has been removed.
* ApiFormatBase now always buffers. Output is done when
  ApiFormatBase::closePrinter is called.
* Much of the logic in ApiQueryRevisions has been split into ApiQueryRevisionsBase.
* The 'revids' parameter supplied by ApiPageSet will now count deleted
  revisions as "good" if the user has the 'deletedhistory' right. New methods
  ApiPageSet::getLiveRevisionIDs() and ApiPageSet::getDeletedRevisionIDs() are
  provided to access just the live or just the deleted revids.
* Added ApiPageSet::setGeneratorData() and ApiPageSet::populateGeneratorData()
  to allow generators to include data in the action=query result.
* New hooks 'ApiMain::moduleManager' and 'ApiQuery::moduleManager', can be
  used for conditional registration of API modules.
* Added ApiBase::lacksSameOriginSecurity() to allow modules to easily check if
  the current request was sent with the 'callback' parameter (or any future
  method that breaks the same-origin policy).
* Profiling methods in ApiBase are deprecated and no longer need to be called.
* ApiResult was greatly overhauled. See inline documentation for details.
* ApiResult will automatically convert objects to strings or arrays (depending
  on whether a __toString() method exists on the object), and will refuse to
  add unsupported value types.
  * An informal interface, ApiSerializable, exists to override the default
    object conversion.
* ApiResult/ApiFormatBase "raw mode" is deprecated.
* ApiFormatXml now assumes defaults and so on instead of throwing errors when
  metadata isn't set.
* (T35235) LogFormatter subclasses are now responsible for formatting log event
  parameters for the API.
* Many modules have changed result data formats. While this shouldn't affect
  clients not using the experimental formatversion=2, code using
  ApiResult::getResultData() without the transformations for backwards
  compatibility may need updating, as will code that wasn't following the old
  conventions for API boolean output.
* The following methods have been deprecated and may be removed in a future
  release:
  * ApiBase::getDescription
  * ApiBase::getParamDescription
  * ApiBase::getExamples
  * ApiBase::makeHelpMsg
  * ApiBase::makeHelpArrayToString
  * ApiBase::makeHelpMsgParameters
  * ApiBase::getModuleProfileName
  * ApiBase::profileIn
  * ApiBase::profileOut
  * ApiBase::safeProfileOut
  * ApiBase::getProfileTime
  * ApiBase::profileDBIn
  * ApiBase::profileDBOut
  * ApiBase::getProfileDBTime
  * ApiBase::getResultData
  * ApiFormatBase::setUnescapeAmps
  * ApiFormatBase::getWantsHelp
  * ApiFormatBase::setHelp
  * ApiFormatBase::formatHTML
  * ApiFormatBase::setBufferResult
  * ApiFormatBase::getDescription
  * ApiFormatBase::getNeedsRawData
  * ApiMain::setHelp
  * ApiMain::reallyMakeHelpMsg
  * ApiMain::makeHelpMsgHeader
  * ApiResult::setRawMode
  * ApiResult::getIsRawMode
  * ApiResult::getData
  * ApiResult::setElement
  * ApiResult::setContent
  * ApiResult::setIndexedTagName_recursive
  * ApiResult::setIndexedTagName_internal
  * ApiResult::setParsedLimit
  * ApiResult::beginContinuation
  * ApiResult::setContinueParam
  * ApiResult::setGeneratorContinueParam
  * ApiResult::endContinuation
  * ApiResult::size
  * ApiResult::convertStatusToArray
  * ApiQueryImageInfo::getPropertyDescriptions
  * ApiQueryLogEvents::addLogParams
* The following classes have been deprecated and may be removed in a future
  release:
  * ApiQueryDeletedrevs
 
=== Languages updated in 1.25 ===


MediaWiki supports over 350 languages. Many localisations are updated
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
changes to languages because of Phabricator reports.


* Languages added:
* Based as always on linguistic studies on intelligibility and language
** awa (अवधी / Awadhi), thanks to translator 1AnuraagPandey;
  knowledge by geography, language fallbacks have been expanded. When a
** bgn (بلوچی رخشانی / Western Balochi), thanks to translators
  translation is missing in the user's preferred interface language, the
  Baloch Afghanistan, Ibrahim khashrowdi and Rachitrali;
  corresponding translation for the fallback language will be used instead.
** ses (Koyraboro Senni), thanks to translator Songhay.
  English will only be used as last resort when there are no translations.
* (T66440) Kazakh (kk) wikis should no longer forcefully reset the user's
  Some configurations (such as date formats and gender namespaces) have also
  interface language to kk where unexpected.
  been updated when using the fallback language's configuration was inadequate.
* The Chinese conversion table was substantially updated to fix a lot of
  The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
  bugs and ensure better reading experience for different variants.
  ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
  sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.


=== Other changes in 1.25 ===
==== No fallback for Ukrainian ====
* (T45591) Links to MediaWiki.org translatable help were added to indicators,
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
  mostly in special pages. Local custom target titles can be placed in the
  language will now use the default fallback language: English. When a translation
  relevant '(namespace-X|action name|special page name)-helppage' system
  to Ukrainian is not available, an English string will be shown.
   message. Extensions can use the addHelpLink() function to do the same.
 
* The skin autodiscovery mechanism, deprecated in MediaWiki 1.23, has been
=== Other changes in 1.29 ===
  removed. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery for
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
   migration guide for creators and users of custom skins that relied on it.
   SearchEngineFactory::getSearchEngineClass() instead.
* Javascript variables 'wgFileCanRotate' and 'wgFileExtensions' now only
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
  available on Special:Upload.
   required as all sessions are stored in Object Cache now.
* (T58257) Set site logo from mediawiki.skinning.interface module instead of
* MWHttpRequest::execute() should be considered to return a StatusValue; the
   inline styles in the HTML.
   Status return type is deprecated.
* Removed ApiQueryUsers::getAutoGroups(). (deprecated since 1.20)
* User::edits() (deprecated in 1.21) was removed.
* Removed XmlDumpWriter::schemaVersion(). (deprecated since 1.20)
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Removed LogEventsList::getDisplayTitle(). (deprecated since 1.20)
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
* Removed Preferences::trySetUserEmail(). (deprecated since 1.20)
  were removed.
* Removed mw.user.name() and mw.user.anonymous() methods. (deprecated since 1.20)
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
* Removed 'ok' and 'err' parameters in the mediawiki.api modules. (deprecated
  were removed.
   since 1.20)
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
* Removed 'async' parameter from the  mw.Api#getCategories() method. (deprecated
   instead.
  since 1.20)
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Removed 'jquery.json' module. (deprecated since 1.24)
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
  Use the 'json' module and global JSON object instead.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* Deprecated OutputPage::readOnlyPage() and OutputPage::rateLimited().
* WikiPage::getText() (deprecated in 1.21) was removed.
  Also, the former will now throw an MWException if called with one or more
* Article::fetchContent() (deprecated in 1.21) was removed.
  arguments.
* User::getPassword() (deprecated in 1.27) was removed.
* Removed hitcounters and associated code.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* The "temp" zone of the upload respository is now considered private. If it
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
  already exists (such as under the images/ directory), please make sure that
* Class FSRepo (deprecated in 1.19) was removed.
  the directory is not web readable (e.g. via a .htaccess file).
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
* BREAKING CHANGE: In the XML dump format used by Special:Export and
  \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
  dumpBackup.php, the <model> and <format> tags now apprear before the <text>
* Class ImageGallery (deprecated in 1.22) was removed.
  tag, instead of after the <text> and <sha1> tags.
   Use ImageGalleryBase::factory instead.
  The new schema version is 0.10, the new schema URI is:
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
  https://www.mediawiki.org/xml/export-0.10.xsd
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
* MWFunction::call() and MWFunction::callArray() were removed, having being
   emit warnings). Create a subclass of Action and add it to $wgActions instead.
  deprecated in 1.22.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
* Deprecated the getInternalLinkAttributes, getInternalLinkAttributesObj,
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
  and getInternalLinkAttributes methods in Linker, and removed
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
  getExternalLinkAttributes method, which was deprecated in MediaWiki 1.18.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Removed Sites class, which was deprecated in 1.21 and replaced by SiteSQLStore.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* Added wgRelevantArticleId to the client-side config, for use on special pages.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* Deprecated the TitleIsCssOrJsPage hook. Superseded by the
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
  ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
   and outdated lists of errors/warnings returned by the API, are now deprecated.
* Deprecated the TitleIsWikitextPage hook. Superseded by the
* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
   ContentHandlerDefaultModelFor hook since MediaWiki 1.21.
  URLs to continue to work, set up redirects. In Apache, this can be done by enabling
* Changed parsing of variables in schema (.sql) files:
  mod_rewrite and adding the following rules to your configuration:
** The substituted values are no longer parsed. (Formerly, several passes
  were made for each variable, so depending on the order in which variables
  were defined, variables might have been found inside encoded values. This
  is no longer the case.)
** Variables are no longer string encoded when the /*$var*/ syntax is used.
  If string encoding is necessary, use the '{$var}' syntax instead.
** Variable names must only consist of one or more of the characters
  "A-Za-z0-9_".
** In source text of the form '{$A}'{$B}' or `{$A}`{$B}`, where variable A
  does not exist yet variable B does, the latter may not be replaced.
  However, this difference is unlikely to arise in practice.
* (T67278) RFC, PMID, and ISBN "magic links" must be surrounded by non-word
  characters on both sides.
* The FormatAutocomments hook will now receive $pre and $post as booleans,
   rather than as strings that must be prepended or appended to $comment.
* (T30950, T31025) RFC, PMID, and ISBN "magic links" can no longer contain
  newlines; but they can contain &nbsp; and other non-newline whitespace.
* The 'mediawiki.action.edit' ResourceLoader module no longer generates the edit
  toolbar, which has been moved to a separate 'mediawiki.toolbar' module. If you
  relied on this behavior, update your scripts' dependencies.
* HTMLForm's 'vform' display style has been separated to a subclass. Therefore:
  * HTMLForm::isVForm() is now deprecated.
  * You can no longer do this:
      $form = new HTMLForm( );
      $form->setDisplayFormat( 'vform' ); // throws exception
    Instead, do this:
      $form = HTMLForm::factory( 'vform', … );
* Deprecated Revision methods getRawUser(), getRawUserText() and getRawComment().
* BREAKING CHANGE: mediawiki.user.generateRandomSessionId:
  The alphabet of the prior string returned was A-Za-z0-9 and now it is 0-9A-F
* (T87504) Avoid serving SVG background-images in CSS for Opera 12, which
  renders them incorrectly when combined with border-radius or background-size.
* Removed maintenance script dumpSisterSites.php.
* DatabaseBase class constructors must be called using the array argument style.
  Ideally, DatabaseBase:factory() should be used instead in most cases.
* Deprecated ParserOutput::addSecondaryDataUpdate and ParserOutput::getSecondaryDataUpdates.
  This is a hard deprecation, with getSecondaryDataUpdates returning an empty array and
  addSecondaryDataUpdate throwing an exception. These functions will be removed in 1.26,
  since they interfere with caching of ParserOutput objects.
* Introduced new hook 'SecondaryDataUpdates' that allows extensions to inject custom updates.
* Introduced new hook 'OpportunisticLinksUpdate' that allows extensions to perform
  updates when a page is re-rendered.
* EditPage::attemptSave has been modified not to call handleStatus itself and
  instead just returns the Status object. Extension calling it should be aware of
  this.
* Removed class DBObject. (unused since 1.10)
* wfDiff() is deprecated.
* The -m (maximum replication lag) option of refreshLinks.php was removed.
  It had no effect since MediaWiki 1.18 and should be removed from any cron
  jobs or similar scripts you may have set up.
* (T85864) The following messages no longer support raw html: redirectto,
  thisisdeleted, viewdeleted, editlink, retrievedfrom, version-poweredby-others,
  retrievedfrom, thisisdeleted, viewsourcelink, lastmodifiedat, laggedslavemode,
  protect-summary-cascade
* All BloomCache related code has been removed. This was largely experimental.
* $wgResourceModuleSkinStyles no longer supports per-module local or remote paths. They
   can only be set for the entire skin.
* Removed global function swap(). (deprecated since 1.24)
* Deprecated the ".php5" file extension entry points and the $wgScriptExtension
  configuration variable. Refer to the ".php" files instead. If you want
  ".php5" URLs to continue to work, set up redirects. In Apache, this can be
  done by enabling mod_rewrite and adding the following rules to your
  configuration:


     RewriteEngine On
     RewriteEngine On
     RewriteBase /
     RewriteBase /
     RewriteRule ^(.*)\.php5 $1.php [R=301,L]
     RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
  Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
  Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
  Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
  Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
  Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
  Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
  Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
  Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
  or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with --category=...
  or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
  now required to have a getGroupMemberships() method. See UserRightsProxy for
  an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
  instead.
* User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
  User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
  Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
  User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
  UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
  see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
  and subclasses.  It should only break if you call buildMainQueryConds
  (changed to buildQuery with new signature) or doMainQuery (new
  signature).  Subclasses are likely to call at least doMainQuery
  (possibly both), but other classes might too, because they were
  public.
  Also, some related hooks were deprecated, but this is not yet a
  breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  WikiPage::PURGE_* constants are deprecated, and the functions will always
  return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
  'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
  if you don't actually care about checkboxes and just want to add some HTML
  to the page.
* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
  rather than <strong> tags. The old class name, "selflink", was deprecated
  and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
  Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
  is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
  webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
  opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
  ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
  addClickHandler, removeHandler, getElementsByClassName, getInnerText,
  setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
  mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
  escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
  tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the <li> element containing the login link has changed from
  'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
  deprecated (T30856). This old code dates from 2006, and was replaced in the
  MediaWiki release tarball and in Wikimedia production by the WikiEditor
  extension in 2010. It is only shown to users if no other editor was
  installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
  addModuleStyles() is deprecated and will log a warning server-side.


* The global importScriptURI and importStylesheetURI functions, as well as the
== MediaWiki 1.28.3 ==
  loadedScripts object, from wikibits.js (deprecated since 1.17) now emit
  warnings through mw.log.warn when accessed.


= MediaWiki 1.24 =
This is a security and maintenance release of the MediaWiki 1.28 branch.


== MediaWiki 1.24.6 ==
=== Changes since 1.28.2 ==
* (T168856) Allow SVGs created by Dia to be uploaded.
* (T157545) Add missing doUpdates() call to refreshLinks.php.
* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
* (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
* (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
* (T167798) Fix phrase search and highlighting for phrase queries.
* (T151136) Provide credits information to callbacks in extension registration.
* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
* (T168337) Fix ErrorPageError to work from non-UI contexts.
* (T143788) Backports for PHP 7.0 and 7.1 support.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T174255) Declare uploadCount property in importDump.php.
* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.


This is a maintenance release of the MediaWiki 1.24 branch.
== MediaWiki 1.28.2 ==


=== Changes since 1.24.5 ===
Due to a packaging error, the wrong version of the SyntaxHighlight extension was
* (T121892) Fix fatal error on some Special pages, introduced in 1.24.5.
included in the tarball version of MediaWiki 1.28.1. The version included had a
serious security issue in it (T158689). There was also some minor code fixes in
MediaWiki itself since 1.28.1, but none of them were security relevant.


== MediaWiki 1.24.5 ==
== MediaWiki 1.28.1 ==


This is a security and maintenance release of the MediaWiki 1.23 branch.
This is a security and maintenance release of the MediaWiki 1.28 branch.


=== Changes since 1.24.4 ===
=== Changes since 1.28.0 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
  that do not begin with a slash. This enabled trivial XSS attacks.
  Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
  "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
  error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
  with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
  longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
  result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
  and related pages no longer use HTTP redirects and are now redirected by
  MediaWiki
* (T103237) $wgUseGzip had no effect when using file cache.


== MediaWiki 1.24.4 ==
* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
  more than one database server setup.
* (T152717) Better escaping for PHP mail() command,
* (T154670) A missing method causing the MySQL installer to fatal in rare
  circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
  to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
  declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
  in it's fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  it.


This is a security and maintenance release of the MediaWiki 1.24 branch.
== MediaWiki 1.28 ==


=== Changes since 1.24.3 ===
=== Changes since 1.28.0-rc1 ===
* (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
  errors.
* (T148956) Only apply wgDBschema to postgres/mssql.
* (T145991) Introduce separate log action for deleting pages on move.
* (T141474) (T110464) Bypass login page if no user input is required.


* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
=== Changes since 1.28.0-rc0 ===
* (T68650) Fix indexing of moved pages with PostgreSQL. Requires running
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
   update.php to fix.
  comment to a machine-readable JavaScript config option 'wgPageParseReport'
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
   have been undone. They caused the human-readable limit report to be shown
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
  incompletely or not at all. ParserOutput::setLimitReportData() and
* (T95589) SECURITY: RevDel: Check all revisions for suppression, not just the
  getLimitReportData() behave as they did in MediaWiki 1.27 again.
   first
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
  the text of subheadings on a category page when creating it. This wasn't
  working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
   canonical pretty URL when a non-pretty URL is used. It resulted in redirect
  loops in some clients and in some server configurations. This undoes a change
  made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.


== MediaWiki 1.24.3 ==
=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  made by MediaWiki via a proxy. Relying on the http_proxy environment
  variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
  access to session data, which includes the session user and the session
  user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
  is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
  local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
  signifies local uploads. A value of `[]` (empty array) now means that
  no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
  for Esperanto language character conversion. You are now recommended to use
  input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
  https://www.mediawiki.org/beacon with basic information about the local
  MediaWiki installation. This data includes, for example, the type of system,
  PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
  to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
  if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user').
  instead of just administrators ('sysop'). Documentation for this feature is
  available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
  of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
  a tracking category will be added to help identify usage and make it easier to migrate
  away from. If you depend upon magic link functionality, it is requested that you comment
  on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
  explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
  in upcoming Content-Security-Policy feature's reporting.


This is a security and maintenance release of the MediaWiki 1.24 branch.
=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
  upload. Unlike 'UploadVerifyFile' it provides information about upload comment
  and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
  maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
  to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
  a 'numeric' collation is also available. If migrating from another
  collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
  month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
  appropriate for sending multi-valued parameters. This defaults to true when
  the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
  MediaWiki will wait for the replica databases to synchronize with the master database
  while it renders the HTML output. However, if the output is a redirect to another wiki
  on the wiki farm with a different domain, MediaWiki will instead alter the redirect
  URL to include a ?cpPosTime parameter that triggers the database synchronization when
  the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules.


=== Changes since 1.24.2 ===
=== External library changes in 1.28 ===


* (T94116) SECURITY: Compare API watchlist token in constant time
==== Upgraded external libraries ====
* (T97391) SECURITY: Escape error message strings in thumb.php
* Updated es5-shim from v4.1.5 to v4.5.8
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
* Updated composer/semver from v1.4.1 to v1.4.2
  Special:DeletedContributions
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4
* Update jQuery from v1.11.2 to v1.11.3.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
  policy of Wikimedia Commons.


== MediaWiki 1.24.2 ==
==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1


This is a security and maintenance release of the MediaWiki 1.24 branch.
=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
  Session::getAllowedUserRights()


=== Changes since 1.24.1 ===
=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
  the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
  (deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
  now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
  to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
  action=login is now deprecated and outputs a warning. They should be submitted
  in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
  action=createaccount, action=linkaccount, and action=changeauthenticationdata
  in the query string is now deprecated and outputs a warning. They should be
  submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
  instead of the pipe character. This will be useful if some of the multiple
  values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
  contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
  ApiPageSet may contain entries where the 'from' value is percent-encoded as
  the raw value cannot be represented in a valid API response. These are
  indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
  module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
  named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
  the 'TitleIsAlwaysKnown' hook) are output in various modules.


* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
=== Action API internal changes in 1.28 ===
   to prevent various DoS attacks.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
   interact with ApiParse and ApiExpandTemplates.
  likelihood of DoS.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T88310) SECURITY: Always expand xml entities when checking SVG's.
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* ApiBase::getResultData() was removed (deprecated since 1.25)
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* (T64685) SECURITY: Allow setting maximal password length to prevent DoS when
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
  using PBKDF2.
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
  prevent XSS and protect viewer's privacy.
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
  loading these special pages when $wgAutoloadAttemptLowercase is false.
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* (bug T70087) Fix Special:ActiveUsers page for installations using
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
   PostgreSQL.
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
   and running update.php to fix.
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
   'show' parameters to existing API query modules. A query module can enable
  these hooks by passing an array for $hookData to ApiQueryBase::select() and
  by calling ApiQueryBase->processRow() before adding a row's data to the
   result.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.


== MediaWiki 1.24.1 ==
=== Languages updated in 1.28 ===


This is a security and maintenance release of the MediaWiki 1.24 branch.
MediaWiki supports over 375 languages. Many localisations are updated
 
regularly. Below only new and removed languages are listed, as well as
=== Changes since 1.24.0 ===
changes to languages because of Phabricator reports.
 
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
  could lead to xss. Permission to edit MediaWiki namespace is required to
  exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.


== MediaWiki 1.24.0 ==
* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
  BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
  Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.


=== Configuration changes in 1.24 ===
=== Other changes in 1.28 ===
* MediaWiki will no longer run if register_globals is enabled. It has been
* (T128697) Improved handling of large diffs.
   deprecated for 5 years now, and was removed in PHP 5.4. For more information
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
  about why, see <https://www.mediawiki.org/wiki/register_globals>.
   use or update a custom session provider if needed.
* MediaWiki now requires PHP's iconv extension. openSUSE users may need to
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
   install the php5-iconv package. Users of other systems may need to add
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
  extension=iconv.so to php.ini or recompile PHP without --without-iconv.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* MediaWiki will no longer function if magic quotes are enabled. It has
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
  been deprecated for 5 years now, and was removed in PHP 5.4.
   login and visiting the login page while already logged in.
* The server's canonical hostname is available as $wgServerName, which is
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
  exposed in both mw.config and ApiQuerySiteInfo.
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* Introduced $wgPagePropsHaveSortkey as a backwards-compatibility switch,
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
   for using the old schema of the page_props table, in case the respective
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
   schema update was not applied.
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
* $wgSearchEverythingOnlyLoggedIn was removed as the 'searcheverything'
   MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
  user option was removed. Use $wgNamespacesToBeSearchedDefault instead or
  were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
  if you used to have $wgDefaultUserOptions['searcheverything'] = 1.
   respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* $wgMasterWaitTimeout has been deprecated.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* $wgDBClusterTimeout has been removed.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
* $wgProxyKey has been removed. It is no longer used by MediaWiki core.
  * Skin::commentBlock() (use Linker::commentBlock() instead)
   Ensure $wgSecretKey is set in LocalSettings.php.
   * Skin::generateRollback() (use Linker::generateRollback() instead)
* $wgExtraInterlanguageLinkPrefixes is a new configuration variable that
   * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
   contains an array of interwiki prefixes that should be treated as language
   * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
   prefixes (i.e. turned into interlanguage links when $wgInterwikiMagic is set
   * Skin::userLink() (use Linker::userLink() instead)
   to true).
  * Skin::userToolLinks() (use Linker::userToolLinks() instead)
* $wgParserTestRemote has been removed.
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
* $wgCountTotalSearchHits has been removed. If you're concerned about efficiency
   disabled.
  of search, you should use something like CirrusSearch instead of built in
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
   search.
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
* Users in the 'sysop' group have access to Special:MergeHistory by default.
  Use ...->stashFile()->getFileKey() instead.
* $wgFileStore was removed after having been deprecated in 1.17. Alternative
* "Public domain" was removed as a wiki license option from the installer, in
  configurations are $wgDeletedDirectory and $wgHashedUploadDirectory.
   favour of CC-0.
* The deprecated $wgUseCommaCount variable has been removed.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
* $wgEnableSorbs and $wgSorbsUrl have been removed.
  on requests needed by primary providers even if all primaries need them.
* The UserCryptPassword and UserComparePassword hooks are no longer called.
   Primary providers are discouraged from returning multiple REQUIRED requests.
  Any extensions using them must be updated to use the Password Hashing API.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
* $wgCompiledFiles has been removed.
  will no longer be automatically infused. You should call `OO.ui.infuse()`
* $wgSortSpecialPages was removed, the listing on Special:SpecialPages is
  on them yourself from your JavaScript code.
   now always sorted.
* parserTests.php has moved to tests/parser/parserTests.php
* $wgSpecialPages may now use callback functions as an alternative to plain class names.
* The command line options specific to parser tests have been removed from
   This allows more control over constructor parameters.
   phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
* $wgHTCPMulticastAddress, $wgHTCPMulticastRouting and $wgHTCPPort were removed.
   Instead of --keep-uploads, use the same option to parserTests.php, but you
* $wgRC2UDPAddress, $wgRC2UDPInterwikiPrefix, $wgRC2UDPOmitBots, $wgRC2UDPPort
   must specify a directory with --upload-dir.
  and $wgRC2UDPPrefix have been removed.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* The default password type for MediaWiki has been changed from MD5 to PBKDF2.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
   Password hashes will automatically be updated as users log in. If necessary, the
  migrate to using the same functions on a ProxyLookup instance, obtainable from
   old MD5 hashing can be restored by changing $wgPasswordDefault to 'B'. In addition,
   MediaWikiServices.
   there is a maintenance script wrapOldPassword.php that can wrap all passwords in
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
  PBKDF2 (or the hashing algorithm of your choice) if you don't want to wait for your
   ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
   users to log in.
   ShowRawCssJs hooks will now emit deprecation warnings if used.
* $wgImportSources can now either be a regular array, or an associative map
* (T68404) CSS3 attr() function with url type is no longer allowed
   specifying subprojects on the interwiki map of the target wiki, or a mix of
   in inline styles.
   the two. Existing configurations will still work.
* Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
* Users must be able to edit through a page's protection to be able to delete it.
* The default thumb size ($wgDefaultUserOptions['thumbsize']) is now 300px, up from
   180px. If you have altered the number of entries in $wgThumbLimits for your wiki, you
  may need to adjust your default user settings to compensate for the index change.
* $wgDeferredUpdateList is now deprecated, you should use DeferredUpdates::addUpdate()
   instead.
   instead.
* $wgCanonicalLanguageLinks has been removed. Per Google recommendations, we
  will not send a rel=canonical pointing to a variant-neutral page, however
  we will send rel=alternate.
* $wgResourceLoaderLESSFunctions has been deprecated and will be removed in the future.
* $wgGoToEdit has been removed. Use the SpecialSearchNogomatch hook for similar
  functionality.
=== New features in 1.24 ===
* Added new hook WatchlistEditorBeforeFormRender, allowing subscribers to
  manipulate the list of pages and/or preload lots of data at once.
* Added new argument &$link in hook WatchlistEditorBuildRemoveLine, allowing the
  link to the title to be changed.
* Added a new hook, "WhatLinksHereProps", to allow extensions to annotate
  WhatLinksHere entries.
* Added a new hook, "ContentGetParserOutput", to customize parser output for
  a given content object.
* Deprecated the hook "ShowRawCssJs", use "ContentGetParserOutput" instead.
* HTMLForm's HTMLTextField now supports the 'url' type.
* HTMLForm fields may now be dynamically hidden based on the values of other
  fields in the form.
* HTMLForm now supports multiple copies of an input field or set of input
  fields, e.g. the form may request "one or more usernames" without having to
  have the user enter delimited list of names into a text field.
* Added a new hook, "SidebarBeforeOutput", to allow to edit the structure of
  the sidebar just before its display.
* (bug 49156) Added the mediawiki.cookie ResourceLoader module, which wraps
  jquery.cookie so that getting/setting a cookie is syntactically and
  functionally similar to using the WebRequest::getCookie() and
  WebResponse::setcookie() methods.
* (bug 44740) jQuery upgraded from 1.8.3 to 1.11.1. A new configuration option,
  $wgIncludejQueryMigrate, also loads the jQuery Migrate hack to let extensions
  and gadgets use the long-deprecated functions that were removed in jQuery 1.9.
  This option is turned off by default, and will be removed in MediaWiki 1.25.
* (bug 47076) jQuery UI upgraded from 1.8.24 to 1.9.2.
* Changes to content typography (fonts, etc.). See
  https://www.mediawiki.org/wiki/Typography_refresh for further information.
* WikitextContent will now render redirects with the expected "redirect"
  header, rather than as an ordered list. Code calling Article::viewRedirect
  can probably be changed to no longer special-case redirects.
* Header font set to a serif font stack. See
  https://www.mediawiki.org/wiki/Typography_refresh for further information.
* (bug 65567) Added a new hook, "BeforeHttpsRedirect", to allow cancellation of
  the HTTP to HTTPS redirect due to forceHTTPS cookie, userRequires, etc. This
  is only for page views, since this hook doesn't affect UserLogin, OAuth,
  CentralAuth, etc. ATTENTION: This hook is likely to be removed soon due to
  overall design of the system.
* (bug 17367) It is now possible to add pages to your watchlist from
  Special:UnwatchedPages without reloading the special page.
* New methods setVolatile and isVolatile are added to PPFrame, so that
  extensions such as Cite.php can mark that their output is volatile and
  shouldn't be cached.
* (bug 52817) Advanced search options are now saved on the search page itself,
  rather than in a dedicated pane in the preferences panel.
* (bug 44591) The dropdown actions menu (little triangle next to page tabs) in
  the Vector skin has gained a label that should make it more discoverable.
* MWCryptHKDF added for fast, cryptographically secure random number generation
  that won't deplete openssl's entropy pool.
* ResourceLoader: File modules can now provide a skip function that uses an
  inline feature test to bypass loading of the module.
* (bug 20210) Special pages may now provide autocompletion of their subpage
  names in search suggestions. Right now the only useful implementation is in
  Special:Log, but more are to come.
* Special:MostLinkedTemplates is no longer limited to transclusions from the
  Template namespace.
* Skins can now use 'remoteSkinPath' when defining ResourceLoader modules.
  This works the same as 'remoteExtPath' but is relative to the skins/ folder
  instead of the extensions/ folder.
* Added the json2.js polyfill for the ES5 JSON.stringify and JSON.parse methods.
  Exposed as module "json" with a skip function to optimise loading.
* Extensions and skins may now use 'namemsg' in $wgExtensionCredits in addition
  to 'name', to allow for the name to be localizable. 'name' should still be
  specified for backwards-compatibility and to define the path Special:Version
  uses to find extension license information.
* Browser tests are now included to verify basic wiki functionality in developer
  environments. For details on running tests, see tests/browser/README.mediawiki.
* Upgrade jStorage to v0.4.10.
* {{!}} is now a magic word that produces the | character. This removes the need
  for Template:! for purposes such as passing pipes inside of parameters.
* (bug 20790) The block log snippet on Special:Contributions and while
  editing user and user talk pages now works for IP range blocks.
* (bug 9360) Added ability to change the page language for MediaWiki pages using
  Special:PageLanguage. All pages are set to wiki language by default.
  The feature needs to be enabled with $wgPageLanguageUseDB=true and
  permission needs to be set for 'pagelang'.
* Upgrade Moment.js to v2.8.3.
* (bug 67042) Added support for the HTML5 <rtc> tag for East Asian typography.
* Upgrade Sinon.JS to 1.10.3.
* Added the es5-shim polyfill for older or non-compliant javascript engines.
* Upgrade jQuery Cookie to v1.3.1.
* (bug 20476) Add a "viewsuppressed" user right to be able to view
  suppressed content but not suppress it ("suppressrevision" right).
* (bug 66440) The MediaWiki web installer will now allow you to choose the skins
  to enable (from the ones included in download tarball) and decide which one
  should be the default.
* (bug 68085, 68802) Links like [[localInterwikiPrefix:languageCode:pageTitle]],
  where localInterwikiPrefix is a member of the $wgLocalInterwikis array, will
  no longer be displayed in the sidebar when $wgInterwikiMagic is true. In a
  similar way, links like [[localInterwikiPrefix:File:Image.png]] and
  [[localInterwikiPrefix:Category:Hello]] will now render as regular links, and
  will not include the file or add the page to the category.
* New special page, MyLanguage, to redirect users to subpages with localised
  versions of a page. (Integrated from Extension:Translate)
* MediaWiki now supports multiple password types, including bcrypt and PBKDF2.
  The default type can be changed with $wgPasswordDefault and the type
  configurations can be changed with $wgPasswordConfig.
* Skins can now define custom styles for default ResourceLoader modules using
  the $wgResourceModuleSkinStyles global. See the Vector skin for examples.
* (bug 4488) There is now a preference to watch pages where the user has
  rollbacked an edit by default.
* (bug 15484) Users will now be redirected to the login page when they need to
  log in, rather than being shown a page asking them to log in and having to click
  another link to actually get to the login page.
* A JsonContent and JsonContentHandler were added for extensions to extend.
* (bug 35045) Redirects to sections will now update the URL in browser's address
  bar using the HTML5 History API. When [[Dog]] redirects to [[Animals#Dog]],
  the user will now see "Animals#Dog" in their browser instead of "Dog#Dog".
* API token handling has been rewritten. Any API module using tokens will need
  to be updated. See the entry below under "Action API internal changes".
* Added HTMLAutoCompleteSelectField.
* Added a new hook, "SkinPreloadExistence", to allow extensions to add titles to
  link existence cache before the page is rendered.
* Config::set() was moved to its own interface, MutableConfig. GlobalVarConfig::set()
  is now deprecated, does not implement MutableConfig.
* A MutableConfig named HashConfig was added, that stores an array of configuration
  settings.
* (bug 69418) A MultiConfig implementation was added that supports fallback
  to multiple Config instances.
* Update CSSJanus to v1.1.0.
* Added FormatJson::parse() returning status with result or localized error message
* Added DeletedContribsPager::reallyDoQuery hook allowing extensions to data to
  Special:DeletedContributions
* Added DeletedContributionsLineEnding hook allowing extensions to format
  Special:DeletedContributions lines
* (T69525) You can now make MediaWiki speed up its thumbnail rendering by using
  intermediary thumbnails. $wgThumbnailBuckets must be set to a list of target
  thumbnail widths; when a new thumbnail needs to be rendered, MediaWiki will
  find the smallest bucket smaller than the original but larger than the target
  width + $wgThumbnailMinimumBucketDistance, and it will scale that thumbnail,
  rather than the original, down to the target size at greater speed in return
  for minor loss of fidelity.
=== Bug fixes in 1.24 ===
* (bug 50572) MediaWiki:Blockip should support gender
* (bug 49116) Footer copyright notice is now always displayed in user language
  rather than content language (same as copyright notice for editing interface).
* (bug 62258) A bug was fixed in File::getUnscaledThumb when a height
  restriction was present in the parameters. Images with both the "frame"
  option and a size specification set will now always ignore the provided
  size and display an unscaled image, as the documentation has always
  claimed it would.
* (bug 39035) Improved Vector skin performance by removing collapsibleNav,
  which used to collapse some sidebar elements by default.
  This removes -list id suffixes like p-lang-list: instead of using things like
  #p-lang-list, you can do #p-lang .body ul.
* (bug 890) Links in Special:RecentChanges and Special:Watchlist no longer
  follow redirects to their target pages.
* Parser now dies early if called recursively, instead of producing subtle bugs.
* (bug 14323) Redirect pages, when viewed with redirect=no, no longer hide the
  remaining page content.
* (bug 52587) Maintenance script deleteBatch.php no longer follows redirects
  in the file namespace and delete the file on the target page. It will still
  however delete the redirect page.
* (bug 22683) {{msgnw:}} and other uses of PPFrame::RECOVER_ORIG will correctly
  recover the original code of extension tags.
* (bug 65757) MSSQL: Update script drops unnamed constraints to be prepared
  for future updates. Because it's doing so heuristically, it may fail or drop
  wrong constraints.
* (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
* $wgRunJobsAsync now works with private wikis (e.g. read requires login).
* (bugs 57238, 65206) Blank pages can now be directly created.
* (bug 69789) Title::getContentModel() now loads from the database when
  necessary instead of incorrectly returning the default content model.
* (bug 69249) wfBaseConvert() now works around PHP Bug #50175 when using GMP.
* (bug 57909) URLs in the externallinks table will no longer have certain
  characters decoded in the query string.
* (bug 67368) LESS mixins like .background-image() correctly flip image
  references for RTL stylesheets now.
=== Action API changes in 1.24 ===
* action=parse API now supports prop=modules, which provides the list of
  ResourceLoader modules that should be used to enhance the parsed content.
* action=query&meta=siteinfo&siprop=interwikimap returns a new "protorel"
  field which is true if protocol-relative urls can be used to access
  a particular interwiki map entry.
* list=logevents now provides logpage, which is the page ID from the
  logging table, if ids are requested and the user has the permissions.
* action=edit now requires that appendtext, prependtext, or section=new be used
  when using the 'redirect' parameter, to prevent clients accidentally
  overwriting the target page with the content of the redirect.
* list=logevents will now return an error if both letitle and leprefix are
  specified.
* list=logevents has a new parameter, lenamespace, to allow filtering by
  namespace.
* action=expandtemplates has a new parameter, prop, and a new output format.
  The old format is still used if prop isn't provided, but this is deprecated.
* meta=userinfo can now return the count of unread pages on the watchlist.
* list=watchlist can now filter by unread status.
* The deprecated action=parse&prop=languageshtml has been removed.
* (bug 48071) action=setnotificationtimestamp no longer throws PHP or database
  errors when no pages are given.
* (bug 60734) Actions that use ApiPageSet (e.g. purge, watch,
  setnotificationtimestamp) will now include continuation information when
  using a generator.
* Removed 'props' and 'errors' from action=paraminfo, as they have extremely
  limited use and are generally inaccurate, unmaintained, and impossible to
  properly maintain.
* Formats dbg, dump, txt, wddx, and yaml are now deprecated.
* action=paraminfo now indicates when a parameter is specifying a submodule.
* The iwurl parameter to prop=iwlinks is deprecated in favor of iwprop=url, for
  parallelism with prop=langlinks.
* All tokens should be fetched from action=query&meta=tokens; all other methods
  of fetching tokens are deprecated. The value needed for meta=tokens's 'type'
  parameter for each module is documented in the action=help output and is
  returned from action=paraminfo.
* New action ClearHasMsg that can be used to clear HasMsg flag.
* The cmstartsortkey and cmendsortkey parameters to list=categorymembers are
  deprecated in favor of cmstarthexsortkey and cmendhexsortkey.
* (bug 63326) Add blockedtimestamp field to output of blockinfo property for
  the list=allusers and list=users modules.
* prop=imageinfo no longer requires iiurlwidth to be set when using iiurlparam.
* Added prop=linkshere, prop=fileusage, and prop=transcludedin, which are
  roughly equivalent to list=backlinks, list=imageusage, and list=embeddedin
  but can work on a list of titles (including titles from a generator).
* prop=redirects can now filter returned redirects by namespace.
=== Action API internal changes in 1.24 ===
* Methods for handling continuation are added to ApiResult, so actions other
  than query that use generators can easily support continuation.
* $wgAPIModules (and the related $wgAPIFormatModules, $wgAPIMetaModules,
  $wgAPIPropModules, and $wgAPIListModules settings) now allow API modules
  to be specified using a "module spec" array instead of a plain class name.
  A "module spec" is an associative array containing at least the 'class' key
  for the module's class, and optionally a 'factory' key for the factory function
  to use for the module. This is intended for extensions that want control over
  the instantiation of their API modules, to allow for proper dependency
  injection.
* A new param type 'submodule' is available. Parameters of this type will take
  the list of valid values from the module's ApiModuleManager for the group
  corresponding to the parameter name.
* The 'APIGetPossibleErrors' and 'APIGetResultProperties' hooks are no longer used.
* API token handling has been rewritten. Any API module using tokens will need
  to be updated:
  * ApiBase::needsToken now returns a token type instead of boolean true when a
    token is needed. Returning true will throw an exception. See documentation
    of that method for details.
  * Information for the 'token' parameter is automatically set by ApiBase
    getFinalParams and getFinalParamDescription.
  * ApiBase::getTokenSalt has been removed.
  * The hooks APIQueryInfoTokens, APIQueryRevisionsTokens,
    APIQueryRecentChangesTokens, APIQueryUsersTokens, and
    ApiTokensGetTokenTypes are deprecated, but are still called to support
    backwards-compatible token access.
* ApiBase::validateLimit and ApiBase::validateTimestamp are now protected.
* ApiQueryRedirects was removed; prop=redirects is now implemented by
  ApiQueryBacklinksProp along with the newly-added prop modules.
* The following methods have been deprecated and may be removed in a future
  release:
  * ApiBase::getResultProperties
  * ApiBase::getFinalResultProperties
  * ApiBase::addTokenProperties
  * ApiBase::getRequireOnlyOneParameterErrorMessages
  * ApiBase::getRequireMaxOneParameterErrorMessages
  * ApiBase::getRequireAtLeastOneParameterErrorMessages
  * ApiBase::getTitleOrPageIdErrorMessage
  * ApiBase::getPossibleErrors
  * ApiBase::getFinalPossibleErrors
  * ApiBase::parseErrors
  * ApiQuery::setGeneratorContinue
  * ApiQueryBase::checkRowCount
  * ApiQueryBase::titleToKey
  * ApiQueryBase::keyToTitle
  * ApiQueryBase::keyPartToTitle
  * ApiQueryInfo::getTokenFunctions
  * ApiQueryInfo::resetTokenCache
  * ApiQueryInfo::getEditToken
  * ApiQueryInfo::getDeleteToken
  * ApiQueryInfo::getProtectToken
  * ApiQueryInfo::getMoveToken
  * ApiQueryInfo::getBlockToken
  * ApiQueryInfo::getUnblockToken
  * ApiQueryInfo::getEmailToken
  * ApiQueryInfo::getImportToken
  * ApiQueryInfo::getWatchToken
  * ApiQueryInfo::getOptionsToken
  * ApiQueryRecentChanges::getTokenFunctions
  * ApiQueryRecentChanges::getPatrolToken
  * ApiQueryRevisions::getTokenFunctions
  * ApiQueryRevisions::getRollbackToken
  * ApiQueryUsers::getTokenFunctions
  * ApiQueryUsers::getUserrightsToken
* The following classes have been deprecated and may be removed in a future
  release:
  * ApiFormatDbg
  * ApiFormatDump
  * ApiFormatTxt
  * ApiFormatWddx
  * ApiFormatYaml
  * ApiTokens
* The following class constants have been deprecated and may be removed in a
  future release:
  * ApiBase::PROP_ROOT
  * ApiBase::PROP_LIST
  * ApiBase::PROP_TYPE
  * ApiBase::PROP_NULLABLE
=== Languages updated in 1.24 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
=== Other changes in 1.24 ===
* The deprecated jquery.delayedBind ResourceLoader module was removed.
* The deprecated function mw.util.toggleToc was removed.
* The Special:Search hooks SpecialSearchGo and SpecialSearchResultsAppend
  were removed as they were unused.
* (bug 65477) User::pingLimiter() now has an additional profile point varying
  by action being used.
* mediawiki.util.$content no longer supports old versions of the Vector,
  Monobook, Modern and CologneBlue skins that don't yet implement the "mw-body"
  and/or "mw-body-primary" class name in their html.
* Added pp_sortkey column to page_props table, so pages can be efficiently
  queried and sorted by property value (bug 58032).
  See $wgPagePropsHaveSortkey if you want to postpone the schema change.
* BREAKING CHANGE: All four built-in MediaWiki skins (Vector, MonoBook, Modern
  and Cologne Blue) were moved out of MediaWiki core to their own respective
  repositories. They will be installed with the release tarball, but you must
  install them separately if installing MediaWiki from source code. A warning
  message displayed until you do it should guide you through the process. See
  also <https://www.mediawiki.org/wiki/Manual:Skin_configuration>.
* BREAKING CHANGE: Skins built for MediaWiki 1.15 and earlier that do not use
  the "headelement" template key are no longer supported. Setting
  $useHeadElement = false; is no longer supported and will not cause old keys
  like "headlinks", "skinnameclass", etc. to be defined.
* BREAKING CHANGE: The files commonElements.css, commonContent.css and
  commonInterface.css (in skins/common/) have been removed. Skins may no longer
  rely on their presence and include them in their style modules. ResourceLoader
  modules introduced in MediaWiki 1.23 should be loaded instead:
  - skins/common/commonElements.css  → 'mediawiki.skinning.elements' module
  - skins/common/commonContent.css  → 'mediawiki.skinning.content' module
  - skins/common/commonInterface.css → 'mediawiki.skinning.interface' module
* The deprecated 'SpecialVersionExtensionTypes' hook was removed.
* (bug 63891) Add 'X-Robots-Tag: noindex' header in action=render pages.
* SpecialPage no longer supports the syntax for invoking wfSpecial*() functions.
  Special pages should subclass SpecialPage and implement the execute() method.
* (bug 63755) The deprecated constants RC_MOVE and RC_MOVE_OVER_REDIRECT were
  removed.
* Special:MostLinkedTemplates has been renamed to Special:MostTranscludedPages.
* The skin autodiscovery mechanism has been deprecated and will be removed in
  MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
  for migration guide for creators and users of custom skins that relied on it.
* ResourceLoaderFileModule#getAllStyleFiles now returns all style files and all
  skin style files used by the module.
* Removed getLang() from IContextSource and subclasses. (deprecated since 1.19)
* Removed setLang() from subclasses of IContextSource. (deprecated since 1.19)
* Removed WebRequest::escapeAppendQuery(). (deprecated since 1.20)
* Removed info(), purge(), revert() and rollback() from the Article class; they
  have since become subclasses of the Action class. (deprecated since 1.19)
* SearchEngineReplacePrefixesComplete hook was removed.
* The "jquery.json" module has been deprecated. Use the "json" module instead.
* Removed HTMLForm::addJS(). (deprecated since 1.18)
* Removed LogEventsList::showHeader(). (deprecated since 1.19)
* Removed ImageGalleryBase::useSkin(). (deprecated since 1.18)
* Removed DatabaseMysqlBase::getLagFromProcesslist(). (deprecated since 1.19)
* Removed LoadBalancer::closeConnecton(). (deprecated since 1.18)
* Removed ApiBase::createContext(). (deprecated since 1.19)
* BREAKING CHANGE: The undocumented Special{$this->getName()}BeforeFormDisplay
  set of hooks has been removed and replaced by a single new hook
  SpecialPageBeforeFormDisplay.
* (bug 65781) Removed block warning on included {{Special:Contributions}}
* Removed Skin::makeGlobalVariablesScript(). (deprecated since 1.19)
* Removed MWNamespace::isMain(). (deprecated since 1.19)
* Removed Preferences::loadOldSearchNs(). (deprecated since 1.19)
* Removed OutputPage::getStatusMessage(). (deprecated since 1.18)
* Removed OutputPage::isUserJsAllowed(). (deprecated since 1.18)
* Removed Title::updateTitleProtection(). (deprecated since 1.19)
* Removed ParserOptions::setSkin(). (deprecated since 1.19)
* Removed Title::escapeCanonicalURL(). (deprecated since 1.19)
* Removed Title::escapeLocalURL(). (deprecated since 1.19)
* Removed Title::escapeFullURL(). (deprecated since 1.19)
* Removed User::isValidEmailAddr(). (deprecated since 1.18)
* Removed Title::getEscapedText(). (deprecated since 1.19)
* Removed Language::getFallbackLanguageCode(). (deprecated since 1.19)
* Removed WikiPage::isBigDeletion(). (deprecated since 1.19)
* Removed MWInit class which contained functions related to a now discontinued
  PHP compiler called hphpc. (deprecated since 1.22)
* ApiResult::enableSizeCheck() and disableSizeCheck() are now obsolete.
* Removed ResourceLoaderGetStartupModules hook. (deprecated since 1.23)
* Removed getFormFields(), onSubmit() and onSuccess() from FormlessAction, as
  these were meant specifically for FormAction instead.
* Removed Action::execute().
* Removed AjaxAddScript which has been obsolete since ResourceLoader and
  is unused by any modern extension.
* Removed maintenance/nextJobDB.php; no longer in use.
* Removed global function wfViewPrevNext(). (deprecated since 1.19)
* Removed global function xmlsafe() from Export.php. (moved to OAIRepo extension)
* Removed Title::userCanRead(). (deprecated since 1.19)
* Removed maintenance script importTextFile.php. Use edit.php script instead.
* A _from_namespace field has been added to the templatelinks, pagelinks,
  and filelinks tables. Run update.php to apply this change to the schema.
* Removed File::sha1Base36(). (deprecated since 1.19)
* Removed File::getPropsFromPath(). (deprecated since 1.19)
* Removed functions blockedPage(), noCreatePermission(), readOnlyPage() and
  userNotLoggedInPage() from EditPage.php. (deprecated since 1.19)
* Removed functions getContent(), getPreloadedText(), mergeChangesInto() and
  setPreloadedText() from EditPage.php. (deprecated since 1.21)
* Removed global functions wfArrayLookup(), wfArrayMerge(), wfDebugDieBacktrace()
  and wfTime(). (deprecated since 1.22)
* Browser support for Internet Explorer 6 and 7 lowered from Grade A to Grade C,
  meaning that JavaScript is no longer executed in these browser versions.
* Browser support for Opera 11 lowered from Grade A to Grade C.
* Removed IEFixes module which existed purely to provide support for MSIE versions
  below 7 (conditionally loaded only for those browsers).
* Deprecated SpecialPageFactory::getList() in favor of
  SpecialPageFactory::getNames()
* Action::checkCanExecute() no longer has a return value.
* Removed cleanupForIRC(), loadFromCurRow(), newFromCurRow(), notifyRC2UDP()
  and sendToUDP() from RecentChange.php. (deprecated since 1.22)
* Removed EnhancedChangesList::arrow(), sideArrow(), downArrow(), spacerArrow().
* Removed Xml::namespaceSelector(). (deprecated since 1.19)
* Removed WikiPage::estimateRevisionCount(). (deprecated since 1.19)
* MYSQL: Enum item added to "major MIME type" columns.
  Running update.php on MySQL < v5.1 may result in heavy processing.
* RSS and Atom feeds generated by MediaWiki no longer include a fallback
  stylesheet. It was ignored by most browsers these days anyway.
* SpecialSearchNoResults hook has been removed. SpecialSearchResults is now
  called unconditionally.
* TablePager::getBody() is now 'final' and can't be overridden in subclasses.
* TablePager::getBody() is deprecated, use getBodyOutput() or getFullOutput().
* Added $outputPage parameter to the SkinTemplateGetLanguageLink hook.
* log_page for move log entries store the original page ID, rather than that
  of the new redirect page. This is not retroactive.
* LCStoreAccel was removed. $wgLocalisationCacheConf can no longer be set to
  use this store class.
* Html::infoBox() no longer accepts paths relative to skins/common/images/.
* Deprecated defunct Skin::getCommonStylePath().
* Some extensions had their ResourceLoader modules depend on the "mediawiki"
  and "jquery" modules. In the past, this behavior was undefined, now it will
  throw an error.
* Removed BagOStuff::replace(). (deprecated since 1.23)
* In Linker.php, link(), linkText() and makeBrokenImageLinkObj() now display
  warnings if their first parameter is not a Title object. Also makeImageLink()
  now requires a Parser as its first parameter.
* (bug 67368) LESS functions embed() and embeddable(), added in MediaWiki 1.23
  and broken by design, have been removed. Use appropriate LESS mixins instead.
* Removed cssjanus.py from maintenance directory as it was unused.
* Removed maintenance/purgeOldText.inc and the PurgeRedundantText() function
  it contained (superseded by Maintenance::purgeRedundantText() in 1.16).
  The purgeOldText.php maintenance script has been retained.
* PHPUnit tests can be found by directory discovery, by adding the directory
  path from your UnitTestsList callback. Older versions of MediaWiki core will
  barf at this usage.
==== Renamed classes ====
* CLDRPluralRuleConverter_Expression to CLDRPluralRuleConverterExpression
* CLDRPluralRuleConverter_Fragment to CLDRPluralRuleConverterFragment
* CLDRPluralRuleConverter_Operator to CLDRPluralRuleConverterOperator
* CLDRPluralRuleEvaluator_Range to CLDRPluralRuleEvaluatorRange
* CSSJanus_Tokenizer to CSSJanusTokenizer
* MediaWiki_I18N to MediaWikiI18N
* Parser_DiffTest to ParserDiffTest
* RevDel_ArchiveItem to RevDelArchiveItem
* RevDel_ArchiveList to RevDelArchiveList
* RevDel_ArchivedFileItem to RevDelArchivedFileItem
* RevDel_ArchivedFileList to RevDelArchivedFileList
* RevDel_ArchivedRevisionItem to RevDelArchivedRevisionItem
* RevDel_FileItem to RevDelFileItem
* RevDel_FileList to RevDelFileList
* RevDel_Item to RevDelItem
* RevDel_List to RevDelList
* RevDel_LogItem to RevDelLogItem
* RevDel_LogList to RevDelLogList
* RevDel_RevisionItem to RevDelRevisionItem
* RevDel_RevisionList to RevDelRevisionList
* WebInstaller_Complete to WebInstallerComplete
* WebInstaller_Copying to WebInstallerCopying
* WebInstaller_DBConnect to WebInstallerDBConnect
* WebInstaller_DBSettings to WebInstallerDBSettings
* WebInstaller_Document to WebInstallerDocument
* WebInstaller_ExistingWiki to WebInstallerExistingWiki
* WebInstaller_Install to WebInstallerInstall
* WebInstaller_Language to WebInstallerLanguage
* WebInstaller_Name to WebInstallerName
* WebInstaller_Options to WebInstallerOptions
* WebInstaller_Readme to WebInstallerReadme
* WebInstaller_ReleaseNotes to WebInstallerReleaseNotes
* WebInstaller_Restart to WebInstallerRestart
* WebInstaller_Upgrade to WebInstallerUpgrade
* WebInstaller_UpgradeDoc to WebInstallerUpgradeDoc
* WebInstaller_Welcome to WebInstallerWelcome
==== Removed classes ====
* IPBlockForm - Use SpecialBlock directly
* WatchlistEditor - Use SpecialEditWatchlist directly
* FormatExif - Use FormatMetadata directly
* RevertFileAction - Use RevertAction directly
* HistoryPage - Use HistoryAction directly
* RawPage - Use RawAction directly
* StubContLang - Use Language::factory() instead
* XMLReader2 - Use XMLReader directly
* ResourceLoaderLESSFunctions - No longer in use, not intended for public usage
==== Removed files ====
The skins/common/ directory, previously containing some assets intended to be
used by skins and a number of legacy styles and scripts, has been removed. Its
contents have been deleted or relocated into the resources/ directory. Full list
of files that are no longer available follows.
* skins/common/ajax.js
* skins/common/commonContent.css
* skins/common/commonElements.css
* skins/common/commonInterface.css
* skins/common/commonPrint.css
* skins/common/config-cc.css
* skins/common/config.css
* skins/common/config.js
* skins/common/feed.css
* skins/common/IEFixes.js
* skins/common/oldshared.css
* skins/common/protect.js
* skins/common/shared.css
* skins/common/upload.js
* skins/common/wikibits.js
* skins/common/images/add.png
* skins/common/images/ajax-loader.gif
* skins/common/images/arrow_disabled_first_25.png
* skins/common/images/arrow_disabled_last_25.png
* skins/common/images/arrow_disabled_left_25.png
* skins/common/images/arrow_disabled_right_25.png
* skins/common/images/arrow_first_25.png
* skins/common/images/arrow_last_25.png
* skins/common/images/arrow_left_25.png
* skins/common/images/arrow_right_25.png
* skins/common/images/Arr_.png
* skins/common/images/Arr_d.png
* skins/common/images/Arr_l.png
* skins/common/images/Arr_r.png
* skins/common/images/Arr_u.png
* skins/common/images/bullet.gif
* skins/common/images/button_bold.png
* skins/common/images/button_extlink.png
* skins/common/images/button_headline.png
* skins/common/images/button_hr.png
* skins/common/images/button_image.png
* skins/common/images/button_italic.png
* skins/common/images/button_link.png
* skins/common/images/button_media.png
* skins/common/images/button_nowiki.png
* skins/common/images/button_sig.png
* skins/common/images/button_template.png
* skins/common/images/cc-0.png
* skins/common/images/cc-by-nc-sa.png
* skins/common/images/cc-by-sa.png
* skins/common/images/cc-by.png
* skins/common/images/Checker-16x16.png
* skins/common/images/closewindow.png
* skins/common/images/closewindow19x19.png
* skins/common/images/critical-32.png
* skins/common/images/diffunderline.gif
* skins/common/images/download-32.png
* skins/common/images/feed-icon.png
* skins/common/images/feed-icon.svg
* skins/common/images/gnu-fdl.png
* skins/common/images/help-question-hover.gif
* skins/common/images/help-question.gif
* skins/common/images/info-32.png
* skins/common/images/link_icon.gif
* skins/common/images/magnify-clip-rtl.png
* skins/common/images/magnify-clip.png
* skins/common/images/mediawiki.png
* skins/common/images/nextredirectltr.png
* skins/common/images/nextredirectrtl.png
* skins/common/images/poweredby_mediawiki_88x31.png
* skins/common/images/public-domain.png
* skins/common/images/question-small.png
* skins/common/images/question.svg
* skins/common/images/redirectltr.png
* skins/common/images/redirectrtl.png
* skins/common/images/remove.png
* skins/common/images/spinner.gif
* skins/common/images/tick-32.png
* skins/common/images/tipsy-arrow.gif
* skins/common/images/tooltip_icon.png
* skins/common/images/warning-32.png
* skins/common/images/wiki.png
* skins/common/images/Zoom_sans.gif
* skins/common/images/ar/button_bold.png
* skins/common/images/ar/button_headline.png
* skins/common/images/ar/button_italic.png
* skins/common/images/ar/button_link.png
* skins/common/images/ar/button_nowiki.png
* skins/common/images/be-tarask/button_bold.png
* skins/common/images/be-tarask/button_italic.png
* skins/common/images/be-tarask/button_link.png
* skins/common/images/cyrl/button_bold.png
* skins/common/images/cyrl/button_italic.png
* skins/common/images/cyrl/button_link.png
* skins/common/images/de/button_bold.png
* skins/common/images/de/button_italic.png
* skins/common/images/fa/button_bold.png
* skins/common/images/fa/button_headline.png
* skins/common/images/fa/button_italic.png
* skins/common/images/fa/button_link.png
* skins/common/images/fa/button_nowiki.png
* skins/common/images/icons/fileicon-c.png
* skins/common/images/icons/fileicon-cpp.png
* skins/common/images/icons/fileicon-deb.png
* skins/common/images/icons/fileicon-djvu.png
* skins/common/images/icons/fileicon-djvu.xcf
* skins/common/images/icons/fileicon-dvi.png
* skins/common/images/icons/fileicon-exe.png
* skins/common/images/icons/fileicon-h.png
* skins/common/images/icons/fileicon-html.png
* skins/common/images/icons/fileicon-iso.png
* skins/common/images/icons/fileicon-java.png
* skins/common/images/icons/fileicon-mid.png
* skins/common/images/icons/fileicon-mov.png
* skins/common/images/icons/fileicon-o.png
* skins/common/images/icons/fileicon-ogg.png
* skins/common/images/icons/fileicon-ogg.xcf
* skins/common/images/icons/fileicon-pdf.png
* skins/common/images/icons/fileicon-ps.png
* skins/common/images/icons/fileicon-psd.png
* skins/common/images/icons/fileicon-rm.png
* skins/common/images/icons/fileicon-rpm.png
* skins/common/images/icons/fileicon-svg.png
* skins/common/images/icons/fileicon-tar.png
* skins/common/images/icons/fileicon-tex.png
* skins/common/images/icons/fileicon-ttf.png
* skins/common/images/icons/fileicon-txt.png
* skins/common/images/icons/fileicon.png
* skins/common/images/ksh/button_S_italic.png


= MediaWiki 1.23.15 =
== MediaWiki 1.27.5 ==
This is a security and maintenance release of the MediaWiki 1.27 branch.
</pre>
</pre>

Version vom 22. Oktober 2018, 12:27 Uhr

Neue Versionen von Mediawiki bringen manchmal Voreinstellungen mit, die nicht unbedingt optimal sind. Diese Seite wird versuchen auf Veränderungen einzugehen.

Seiten und Dateien automatisch beobachten abstellen

Wer nicht möchte, dass man jedesmal automatisch per E-Mail benachrichtigt wird, falls man Seiten oder Dateien erstellt, verschiebt oder bearbeitet, sollte die Einstellungen seiner Beobachtungsliste anpassen. Ein Abschalten der entsprechenden Optionen bewirkt auch, dass bei der Seitenvorschau keine Vorauswahl bei "Diese Seite beobachten" aktiviert wird.

Bekannte Probleme

  • folgt

Update Long Term Support (LTS) Version

Bei der Wartung am 22. Oktober 2018 wurde das Wiki von LTS legacy auf die aktuelle LTS-Version aktualisiert. Diese Version wird bis Juni 2021 gepflegt. Ein paar kleine Probleme habe ich bereits entdeckt, aber wahrscheinlich wird sich für alles eine Lösung finden. Die wichtigsten Änderungen unten im Überblick. --Admin mw (Diskussion) 14:25, 22. Okt. 2018 (CEST)

== MediaWiki 1.31.1 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
* (T197229) Bundle Nuke extension, it was accidentally omitted.
* (T193995) Fix undefined patchPath() method call in parser tests.
* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T198037) GitInfo: Don't try shelling out if it's disabled.
* (T151415) Log email changes.
* (T197206) Fix performance regression when multiple DB used without caching.
* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
* (T182377, T196793) Exif: Guard against uncountable tag values.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T200864) Fix pingback over-reporting on non-MySQL databases
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.

=== Changes since MediaWiki 1.31.0-rc.2 ===
* (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
* (T196092) Hide MySQL binary/utf-8 charset option in the installer.
* (T196185) Don't allow setting $wgDBmysql5 in the installer.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.

=== Changes since MediaWiki 1.31.0-rc.0 ===
* (T33223) Drop archive.ar_text and ar_flags.
* Add default edit rate limit of 90 edits/minute for all users.
* (T187645) Use codepoint as tiebreaker when getting first-letters in
  IcuCollation.
* (T191947) Don't shell during the installer if shelling out is disabled.
* (T194319) Improve duplicate config setting exception as part of extension
  registration.
* (T195211) Don't require trailing slash in PSR-4 autoloader directory.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* Do not incorrectly hide namespace input field in the installer.
* (T186456) Refactor checks looking for PEAR maik libraries to be clearer.

=== Important pre-upgrade notes for 1.31 ===
* If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
  schema changes, and cannot have downtime to run migrateArchiveText.php and
  apply patch-drop-ar_text.sql manually, you'll have to apply a default value
  to the ar_text and ar_flags columns of the archive table or make those
  columns nullable before upgrading to MediaWiki 1.31.
  maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL.
* The CologneBlue and Modern skins are no longer bundled with the tarball. You
  will need to remove the wfLoadSkin() calls from your LocalSettings.php or
  download them separately
  (<https://www.mediawiki.org/wiki/Special:SkinDistributor>).

=== Configuration changes in 1.31 ===
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
  a future version. The API is now considered to be stable, secure and
  essential.
* $wgUsejQueryThree was removed, as it is now the default. This was documented
  as a temporary variable during the migration period, deprecated since 1.29.
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
  possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
  have the right to mark things patrolled.
* Wikis that contain imported revisions or CentralAuth global blocks should run
  maintenance/cleanupUsersWithNoId.php.
* The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
  $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
  are not using the latest version of the Referrer Policy specification.
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
  first step of migration to human-readable section IDs that will later result
  in 'html5' being the default mode.
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
  as upstream is inactive and has no plans to move to PHP 7.
* The old CategorizedRecentChanges feature, including its related configuration
  option $wgAllowCategorizedRecentChanges, has been removed.
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
  for performance reasons, and installations with this setting will now work as
  if it was configured with 'any'.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
  rather than being off by default. If you wish to disable HTML tidying
  entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
  Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
* $wgLogAutopatrol now defaults to false instead of true.
* $wgValidateAllHtml was removed and will be ignored.
* $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
  1.25 release notes for more information.
* $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
  framework that it enables. Some extensions mistakenly used this to check
  whether any AJAX functionality at all should be enabled, further making this
  problematic to retain.
* $wgDBmysql5 is now deprecated, and will be removed in a future version. It
  has been marked as experimental ever since it was introduced.

=== New features in 1.31 ===
* (T76554) User sub-pages named ….json are now protected in the same way that
  ….js and ….css pages are, so that configuration options can safely be placed
  there.
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
  with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
  Html class now provides helper methods for messageBox, successBox, errorBox
  and warningBox generation.
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
  a format like "iw>Example".
* (T20209) Linker (used on history pages, log pages, and so on) will display
  usernames formed like "iw>Example" as interwiki links, as if by wikitext like
  [[iw:User:Example|iw>Example]].
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
  users during an import.
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
  the ParserOutput::getText() post-cache transformations.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
  initial page text for file uploads.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
  hash value in the table of basic information.
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
  ParserOutput::getText() post-cache transformation. This may be disabled by
  passing 'deduplicateStyles' => false to that method.
* The identity of the logged-in or IP "actor" for logged actions is being moved
  into a new actor table, with the rows in tables such as revision and logging
  referring to the actor ID instead of storing the user ID and name/IP in
  every row.
  * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
    can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
    soon as any necessary extensions are updated.
  * Most code accessing rows for logged actions from the database should use
    the relevant getQueryInfo() methods to get the information needed to build
    the SQL query. The ActorMigration class may also be used to get feature
    -flagged information needed to access actor-related fields during the
    migration period.
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
  section without having to roll back the whole transaction.
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
  and non-MySQL ::replace() and ::upsert() no longer roll back the whole
  transaction on failure.
* (T189785) Added a monthly heartbeat ping to the pingback feature.
* The CLI installer (maintenance/install.php) learned to detect and include
  extensions. Pass --with-extensions to enable that feature.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
  "1" for manually patrolled and "2" for autopatrolled actions.
* Extensions can now set their type to "editor" if they provide an editor or
  enhance the editing experience.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
  property in extension.json. See the documentation at
  <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
  for more details and an example.
* (T19099) Tabs which link to pages that don't exist (like those to uncreated
  discussion pages) now have a tooltip to indicate state, not just colour.

=== External library changes in 1.31 ===
* pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
  suggested to required. These packages now must be installed via composer
  and not via PEAR itself.

==== Upgraded external libraries ====
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.

==== New external libraries ====
* Added wikimedia/object-factory 1.0.0

==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
  text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
  'mediawiki.viewport' module instead.
* mediawiki/at-ease was replaced with wikimedia/at-ease.

=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor.
* (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
  space.
* (T2087, T10897, T87753, T174639) Whitespace created by category and language
  links is now stripped rather than leaving blank lines in odd places.
* (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+

=== Action API changes in 1.31 ===
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
  removed. It has never made a difference in the output, the name was always
  returned regardless.
* The 'watch' and 'unwatch' parameters for action=move have been removed. They
  were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
  'watchlist' instead.

=== Action API internal changes in 1.31 ===
* ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
* ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
* ApiBase::getProfileTime, deprecated since 1.25, was removed.

=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
* (T182305) New language support: Nyungar (nys).
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
* (T186635) New language support: Guianan Creole (gcr).
* (T186647) New language support: Kumyk [къумукъ] (kum).
* (T187750) New language support: Spanish formal address (es-formal).
* (T187824) New language support: Hungarian formal address (hu-formal).
* (T189127) New language support: Gorontalo (gor).

=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
* The OutputPage class constructor now requires a context parameter.
  Instantiating without context was deprecated in 1.18.
* The mw.page JavaScript singleton, deprecated in 1.30, was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
  ::onArticleEdit() methods, deprecated in 1.24, were removed.
* Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
  removed. Use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
  DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
  no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
  'byText' or ->setBlocker(). Callers should either ensure the blocker exists
  locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were
  deprecated in 1.27, have been removed:
  * WatchedItem::getTitle()
  * WatchedItem::fromUserTitle()
  * WatchedItem::addWatch()
  * WatchedItem::removeWatch()
  * WatchedItem::isWatched()
  * WatchedItem::duplicateEntries()
  * WatchedItem::IGNORE_USER_RIGHTS
  * WatchedItem::CHECK_USER_RIGHTS
  * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
  HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
  The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
  default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have
  been removed:
  * PreparedEdit->newText
  * PreparedEdit->oldText
  * PreparedEdit->pst
* ParserOutput objects which are generated using a non-default value for
  ParserOptions::setWrapOutputClass() can no longer be added to the parser
  cache.
* The following deprecated methods from the OutputPage class have been removed:
  * OutputPage::addExtensionStyle(); deprecated in 1.27
  * OutputPage::getExtStyle(); deprecated in 1.27
  * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
  * OutputPage::setSquidMaxage(); deprecated in 1.27
  * OutputPage::readOnlyPage(); deprecated in 1.25
  * OutputPage::rateLimited(); deprecated in 1.25
  * Additionally, the protected OutputPage::$mExtStyles array, only accessed
    through the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
  were removed:
  * $isCssJsSubpage — use ::isUserConfigPage()
  * $isCssSubpage — use ::isUserCssConfigPage()
  * $isJsSubpage — use ::isUserJsConfigPage()
  * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
  * ::getSummaryInput() – use ::getSummaryInputWidget()
  * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
  * ::getCheckboxes() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
  * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
* ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on
  the response object, and were deprecated in 1.27, have been removed:
  * ::setCookie()
  * ::clearCookie()
  * ::setExtendedLoginCookie()
  Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27 have
  been removed:
  * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
  * ::getPasswordFactory() – create a PasswordFactory directly
  * ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
  been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
  use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
  can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
  Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when
  DBO_TRX is set results in an exception. Calling Database::commit() explicitly
  for an implicit transaction also results in an exception. Previously these
  were logged as errors. The startAtomic() and endAtomic() methods, or
  AtomicSectionUpdate should be used instead.
* The global function wfOutputHandler() was removed, use the its replacement
  MediaWiki\OutputHandler::handle() instead. The global function was only
  sometimes defined. Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
  deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
  ::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
  use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
  ResourceLoaderModule::getLessVars() to expose local variables instead of
  global ones.
* As part of work to modernise user-generated content clean-up, a config option
  and some methods related to HTML validity were removed without deprecation.
  The public methods MWTidy::checkErrors() and the path through which it was
  called, TidyDriverBase::validate(), are removed, as are the testing methods
  MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
  The $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies
  the RESTRICT_DEFAULT Firejail restriction by default.
* The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
  deprecated in 1.26, were removed.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
  Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.

=== Deprecations in 1.31 ===
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
  RevisionRecord and its subclasses.
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* The global function wfCountDown is now deprecated in favor of
  Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
  have been deprecated in favor of similar methods that also return the tables
  to select from and the join conditions for those tables.
  * Block::selectFields() → Block::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
  * LocalFile::selectFields() → LocalFile::getQueryInfo()
  * LocalFile::getCacheFields() with a prefix no longer works
  * LocalFile::getLazyCacheFields() with a prefix no longer works
  * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
  * Revision::selectFields() → Revision::getQueryInfo()
  * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
  * User::selectFields() → User::getQueryInfo()
  * WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
  should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
  override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
  Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated; use instead the hook
  RevisionRecordInserted. RevisionInsertComplete is still called, but the second
  and third parameter will always be null. Hard deprecation is scheduled for 1.32.
* The following methods that get and set ParserOutput state are deprecated.
  Callers should use the new stateless $options parameter to
  ParserOutput::getText() instead.
  * ParserOptions::getEditSection()
  * ParserOptions::setEditSection()
  * ParserOutput::getEditSectionTokens()
  * ParserOutput::setEditSectionTokens()
  * ParserOutput::getTOCEnabled()
  * ParserOutput::setTOCEnabled()
  * OutputPage::enableSectionEditLinks()
  * OutputPage::sectionEditLinksEnabled()
  * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
    are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
  Setting template variables by reference allowed violating the principle of
  data being immutable once added to the skin template. In practice, this method
  was not being used for that. Rather, setRef() existed as memory optimisation
  for PHP 4.
* QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
  favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
  wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
  'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced class
  \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
  used instead.
* CommentStore::newKey is deprecated. Instead, get an instance from
  MediaWikiServices.
* The following CommentStore methods have had their signatures changed to
  introduce a $key parameter, usage of the methods on instances retrieved from
  CommentStore::newKey will remain unchanged but deprecated:
  * CommentStore::getFields
  * CommentStore::getJoin
  * CommentStore::getComment
  * CommentStore::getCommentLegacy
  * CommentStore::insert
  * CommentStore::insertWithTemplate
* The following methods in Title have been renamed, and the old ones are
  deprecated:
  * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
  * Title::isCssOrJsPage – use ::isSiteConfigPage
  * Title::isCssJsSubpage – use ::isUserConfigPage
  * Title::isCssSubpage – use ::isUserCssConfigPage
  * Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
  * Parser::serializeHalfParsedText()
  * Parser::unserializeHalfParsedText()
  * Parser::isValidHalfParsedText()
  * StripState::getSubState()
  * StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
  deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
  used instead.
* The function wfShellWikiCmd() has been deprecated, use
  MediaWiki\Shell::makeScriptCommand().
* In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
  will be allowed to provide any HTMLForm object rather than PreferencesForm.

=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was dropped entirely. Opera 15+
  continues at Grade A.
* Multi-content-revision capability was introduced into the storage layer. See
  <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext.
  Links written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
  wikitext table captions, wikitext table headings, wikitext table cells. HTML
  headings, HTML list items, HTML table captions, HTML table headings, HTML
  table cells will not have this trimming behavior.

== MediaWiki 1.30.1 ==

This is a security and maintenance release of the MediaWiki 1.30 branch.

=== Changes since MediaWiki 1.30.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker.
* (T179190) selenium: Move logic for running tests from package.json to selenium.sh
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* Add default edit rate limit of 90 edits/minute for all users.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* oojs/oojs-ui updated to remove an unnecessary dependancy.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T193995) Fix undefined patchPath() method call in parser tests.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.
* (T190539) Explicitly require Postgres 9.1.
* (T118420) Unbreak Oracle installer.

== MediaWiki 1.30 ==

=== Changes since MediaWiki 1.30.0-rc.0 ===
* Upgraded Moment.js from v2.15.0 to v2.19.3.
* Add ip_changes to postgres/tables.sql.
* Skip null shell parameters.
* Add wfWaitForSlaves() to maintenance/migrateComments.php.
* (T182245) Fix join conditions in ImageListPager.
* (T178626) Revert #contentSub and #jump-to-nav margin changes.

=== MySQL version requirement in 1.30 ===
As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
section).

=== Configuration changes in 1.30 ===
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
  unexpected behavior when code uses locale-sensitive string comparisons. For
  example, the Scribunto extension considers "bar" < "Foo" in most locales
  since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
  documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
  deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
  class names. This is intended for extensions that want control over the
  instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative
  to plain class names, using the 'factory' key in the module description
  array. This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
  of IP ranges that can be queried at Special:Contributions.
* (T45547) $wgUsePigLatinVariant added (off by default).
* (T152540) MediaWiki now supports a section ID escaping style that allows to display
  non-Latin characters verbatim on many modern browsers. This is controlled by the
  new configuration setting, $wgFragmentMode.
* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version,
  use $wgFragmentMode to migrate off it to a modern alternative.
* $wgExternalInterwikiFragmentMode was introduced to control how fragments in
  sinterwikis going outside of current wiki farm are encoded.
* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'.
  This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki
  auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly
  requested through the configuration parameter $wgDBservers.
* $wgOOUIEditPage was removed, as it is now the default. This was documented as a
  temporary variable during the migration period.

=== New features in 1.30 ===
* (T37247) Output from Parser::parse() will now be wrapped in a div with
  class="mw-parser-output" by default. This may be changed or disabled using
  ParserOptions::setWrapOutputClass().
* (T163562) Added ability to search for contributions within an IP ranges
  at Special:Contributions.
* Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
  specific tags to be added by users.
* Added a 'ParserOptionsRegister' hook to allow extensions to register
  additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
  LanguageConverter variant.  This allows English-speaking developers
  to develop and test LanguageConverter more easily.  Pig Latin can be
  enabled by setting $wgUsePigLatinVariant to true.
* Added RecentChangesPurgeRows hook to allow extensions to purge data that
  depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
* (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
  'watchlistunwatchlinks' preference option is enabled). With JavaScript
  enabled, these links toggle so the user can also re-watch pages that have
  just been unwatched.
* Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
  MediaHandlerFactory for parser tests.
* Edit summaries, block reasons, and other "comments" are now stored in a
  separate database table. Use the CommentFormatter class to access them.
** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
   can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
   soon as any necessary extensions are updated.
* (T138166) Added ability for users to prohibit other users from sending them
  emails with Special:Emailuser. Can be enabled by setting
  $wgEnableUserEmailBlacklist to true.
* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect.
  Instead, users using browsers that do not support Unicode will be unable to edit
  and should upgrade to a modern browser instead.

=== External library changes in 1.30 ===

==== Upgraded external libraries ====
* Updated justinrainbow/json-schema from v3.0 to v5.2.
* Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
* Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
* Updated wikimedia/relpath from v1.0.3 to v2.0.0.
* Updated OOjs from v2.0.0 to v2.1.0.
* Updated OOUI from v0.21.1 to v0.23.0.
* Updated QUnit from v1.23.1 to v2.4.0.
* Updated phpunit/phpunit from v4.8.35 to v4.8.36.
* Upgraded Moment.js from v2.15.0 to v2.19.3.

==== New external libraries ====
* The class \TestingAccessWrapper has been moved to the external library
  wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
* Purtle, a fast, lightweight RDF generator.

==== Removed and replaced external libraries ====
* …

=== Bug fixes in 1.30 ===
* (T151633) Ordered list items use now Devanagari digits in Nepalese
  (thanks to Sfic)

=== Action API changes in 1.30 ===
* (T37247) action=parse output will be wrapped in a div with
  class="mw-parser-output" by default. This may be changed or disabled using
  the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be
  formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and
  returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
  'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
  parameters to prop=revisions are deprecated, as are the similarly named
  parameters to prop=deletedrevisions, list=allrevisions, and
  list=alldeletedrevisions. Use action=compare, action=parse, or
  action=expandtemplates instead.

=== Action API internal changes in 1.30 ===
* ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
  deprecated. The existing message should be split between "apihelp-*-summary"
  and "apihelp-*-extended-description".
* (T123931) Individual values of multi-valued parameters can now be marked as
  deprecated.

=== Languages updated in 1.30 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Added: kbp (Kabɩyɛ / Kabiyè)
* Added: skr (Saraiki, سرائیکی)
* Added: tay (Tayal / Atayal)
* Removed: tokipona (Toki Pona)

==== Pig Latin added ====
* (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
  for easier variant development and testing. Disabled by default. It can be
  enabled by setting $wgUsePigLatinVariant to true.

=== Other changes in 1.30 ===
* The use of an associative array for $wgProxyList, where the IP address is in
  the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
  Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
* mw.user.bucket (deprecated in 1.23) was removed.
* LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
  deprecated. There are no known callers.
* File::getStreamHeaders() was deprecated.
* MediaHandler::getStreamHeaders() was deprecated.
* Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
  used instead.
* MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
  should be used instead.
* The ExtractThumbParameters hook (deprecated in 1.21) was removed.
* The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
  deprecated in 1.24) were removed.
* wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
  BagOStuff::makeGlobalKey() should be used instead.
* (T146304) Preprocessor handling of LanguageConverter markup has been improved.
  As a result of the new uniform handling, '-{' may need to be escaped
  (for example, as '-<nowiki/>{') where it occurs inside template arguments
  or wikilinks.
* (T163966) Page moves are now counted as edits for the purposes of
  autopromotion, i.e., they increment the user_editcount field in the database.
* Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
  manipulating Special:Log and Special:NewPages lines.
* The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
  PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding
  hooks have an additional parameter, for manipulating HTML data attributes of
  RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the
  $data['attribs'] subarray.
* (T130632) The OutputPage::enableTOC() method was removed.
* WikiPage::getParserOutput() will now throw an exception if passed
  ParserOptions that would pollute the parser cache. Callers should use
  WikiPage::makeParserOptions() to create the ParserOptions object and only
  change options that affect the parser cache key.
* Article::viewRedirect() is deprecated.
* IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
* DeprecatedGlobal no longer supports passing in a direct value, it requires a
  callable factory function or a class name.
* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton()
  are all deprecated. The main ParserCache instance should be obtained from
  MediaWikiServices instead. Access to the underlying BagOStuff is possible
  through the new ParserCache::getCacheStorage() method.
* .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
* Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
  escapeIdForLink() or escapeIdForExternalInterwiki() instead.
* Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
  Sanitizer functions or, if possible, Title::getFragmentForURL().
* Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
  nothing and is deprecated.
* mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
  escapeIdForLink().
* MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
* WikiImporter now requires the second parameter to be an instance of the Config,
  class. Prior to that, the Config parameter was optional (a behavior deprecated in
  1.25).
* Removed 'jquery.mwExtension' module. (deprecated since 1.26)
* mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
  any more.
* CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
  The namespaced classes in the Cdb namespace should be used instead.
* IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
  should be used instead.
* RunningStat class (deprecated in 1.27) was removed. The namespaced
  RunningStat\RunningStat should be used instead.
* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed.
  The MemcachedClient class should be used instead.
* EditPage underwent some refactoring and deprecations:
  * EditPage::isOouiEnabled() is deprecated and will always return true.
  * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please
    use ::getSummaryInputWidget() instead.
  * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
    use ::getCheckboxesWidget() instead.
  * Creating an EditPage instance without calling EditPage::setContextTitle() should
    be avoided and will be deprecated in a future release.
  * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops.
  * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The
    corresponding methods from Title should be used instead.
  * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
  * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters
    ::getArticle() and ::getTitle() should be used instead.
  * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut,
    and $wgLang is no longer supported and won't work. The IContextSource returned from
    EditPage::getContext() must be modified instead.
* Parser::getRandomString() (deprecated in 1.26) was removed.
* Parser::uniqPrefix() (deprecated in 1.26) was removed.
* Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
  $uniq_prefix was deprecated in 1.26 and has now been removed.
* (T172514) The following tables have had their UNIQUE indexes turned into proper
  PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks,
  langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats,
  templatelinks, text, transcache, user_former_groups, user_properties.
* IDatabase::nextSequenceValue() is no longer needed by any database backends
  (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a
  PRIMARY KEY.
* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
  page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
  user_properties.up_user have all been made unsigned on MySQL.
* DB_SLAVE is deprecated. DB_REPLICA should be used instead.
* wfUsePHP() is deprecated.
* wfFixSessionID() was removed.
* wfShellExec() and related functions are deprecated, use Shell::command(). This also
  slightly changes the behavior of how execution time limits are calculated when only
  some of defaults are overridden per-call. When in doubt, always override both wall
  clock and CPU time.
* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending
  user object. Using the method without the second argument is deprecated.
* (T67297) Browsers that don't support Unicode will have their edits rejected.
* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future
  release. For notifying the user of an event, the Notifications ("Echo") system
  should be used instead.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.

== MediaWiki 1.29.3 ==

This is a security and maintenance release of the MediaWiki 1.29 branch.

=== Changes since 1.29.2 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T180551) Fix LanguageSrTest for language converter
* (T180552) Fix langauge converter parser test with self-close tags
* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
* (T180485) InputBox: Have inputbox langconvert certain attributes
* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
* (T172927) Drop vendor from MW release branch
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
* (T182381) Mask deprecated call in WatchedItemUnitTest
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* The karma qunit tests would fail on some configuration due to headers already
  sent. Check headers_sent() before sending cpPosTime headers
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker
* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
  fails under SQLite.
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* (T179190) selenium: Move test running logic from package.json to selenium.sh.
* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
* Add default edit rate limit of 90 edits/minute for all users.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T194237) Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T118420) Unbreak Oracle installer.

== MediaWiki 1.29.2 ==

This is a security and maintenance release of the MediaWiki 1.29 branch.

=== Changes since 1.29.1 ===
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
  branches in the previous security release.
* (T200861) Fix total breakage of SQLite web upgrade.

== MediaWiki 1.29.1 ==

This is a maintenance release of the MediaWiki 1.29 branch.

The SpamBlacklist and PdfHandler extensions were missing from the generated
packages.

=== Changes since 1.29.1 ===
* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
* (T172061) Fix fatal when passing a category to refreshLinks.php.

== MediaWiki 1.29 ==

=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
  expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
  determines whether to set a cookie when a user is autoblocked. Doing so means
  that a blocked user, even after logging out and moving to a new IP address,
  will still be blocked.
* The resetpassword right and associated password reset capture feature has
  been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
  or boolean false. This should be compatible with at least MediaWiki 1.23 if
  not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
  policies.
* Subpages are now enabled by default in the Template namespace. Set
  $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
  added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in it's
  fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
  'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.

=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
  if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
  exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
  dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
  downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
  via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
  from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
  of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
  browsers had poor support for them, but modern browsers handle them fine.
  This might affect some forms that used them and only worked because the
  attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
  structures filters into user-friendly groups.  This has corresponding
  changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
  Because this change can cause problems for extensions and on-wiki
  scripts depending on the exact HTML, the old version is still available
  and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
  This will be removed later and OOjs UI will become the only option.
  To make testing easier, users can also force either mode by adding
  &ooui=true or &ooui=false to the action=edit URL.

=== External library changes in 1.29 ===

==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.

==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.

==== Removed and replaced external libraries ====

=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number according
  to the page content language, not wiki content language.
* (T27187) Search suggestions based on jquery.suggestions will now correctly only
  highlight prefix matches in the results.
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
* Special:Allpages can no longer be filtered by redirect in miser mode.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
  to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
  declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
  in it's fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  it.

=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
  action=clientlogin, action=createaccount, action=linkaccount, and
  action=changeauthenticationdata in the query string is now an error. They
  should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
  using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
  parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
  'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
  'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
  key 'talkmove-errors', rather than using 'talkmove-error-code' and
  'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
  and errors for each item. Use errorformat=wikitext if you're wanting parsed
  output.
* action=rollback no longer returns a "messageHtml" property. Use
  errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
  'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
  no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
  and password change forms.
* action=purge now requires a POST.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
  which returns a list of languages with active LanguageConverter instances.
* action=query&query=allpages will no longer filter redirects using a database
  query in miser mode. This may result in less results being returned than were
  requested.

=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
  keys. Methods for using hard-coded English messages were deprecated:
  * ApiBase::dieUsage() was deprecated
  * ApiBase::dieUsageMsg() was deprecated
  * ApiBase::dieUsageMsgOrDebug() was deprecated
  * ApiBase::getErrorFromStatus() was deprecated
  * ApiBase::parseMsg() was deprecated
  * ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
  being ApiUsageException is a subclass of UsageException to allow things that
  catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
  ApiErrorFormatter_BackCompat, note that the result format has changed and
  various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
  from the message key, and maps some message keys for backwards compatibility.
* API parameters may now be marked as "sensitive" to keep their values out of
  the logs.

=== extension.json changes in 1.29 ===
* Extensions must set a value for "manifest_version" in their extension.json
  or skin.json files. See
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#manifest_version>
  for details.
* Extensions can now specify dependencies upon other extensions by using the
  "requires" key. See
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#requires> for
  more details.
* (T151136) Functions set as the "callback" now recieve that extension's credits
  information as the first argument.
* (T149597) "PasswordPolicy" can be set in extension.json.

=== Languages updated in 1.29 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Based as always on linguistic studies on intelligibility and language
  knowledge by geography, language fallbacks have been expanded. When a
  translation is missing in the user's preferred interface language, the
  corresponding translation for the fallback language will be used instead.
  English will only be used as last resort when there are no translations.
  Some configurations (such as date formats and gender namespaces) have also
  been updated when using the fallback language's configuration was inadequate.
  The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
  ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
  sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.

==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
  language will now use the default fallback language: English. When a translation
  to Ukrainian is not available, an English string will be shown.

=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
  SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
  required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
  Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
  were removed.
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
  were removed.
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
  instead.
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* Class FSRepo (deprecated in 1.19) was removed.
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
  \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
* Class ImageGallery (deprecated in 1.22) was removed.
  Use ImageGalleryBase::factory instead.
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
  emit warnings). Create a subclass of Action and add it to $wgActions instead.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
  and outdated lists of errors/warnings returned by the API, are now deprecated.
* wiki.phtml entry point was removed.  Refer to index.php instead. If you want "wiki.phtml"
  URLs to continue to work, set up redirects. In Apache, this can be done by enabling
  mod_rewrite and adding the following rules to your configuration:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
  Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
  Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
  Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
  Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
  Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
  Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
  Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
  Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
  or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with --category=...
  or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
  now required to have a getGroupMemberships() method. See UserRightsProxy for
  an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
  instead.
* User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
  User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
  Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
  User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
  UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
  see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
  and subclasses.  It should only break if you call buildMainQueryConds
  (changed to buildQuery with new signature) or doMainQuery (new
  signature).  Subclasses are likely to call at least doMainQuery
  (possibly both), but other classes might too, because they were
  public.
  Also, some related hooks were deprecated, but this is not yet a
  breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  WikiPage::PURGE_* constants are deprecated, and the functions will always
  return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
  'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
  if you don't actually care about checkboxes and just want to add some HTML
  to the page.
* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
  rather than <strong> tags. The old class name, "selflink", was deprecated
  and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
  Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
  is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
  webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
  opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
  ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
  addClickHandler, removeHandler, getElementsByClassName, getInnerText,
  setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
  mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
  escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
  tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the <li> element containing the login link has changed from
  'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
  deprecated (T30856). This old code dates from 2006, and was replaced in the
  MediaWiki release tarball and in Wikimedia production by the WikiEditor
  extension in 2010. It is only shown to users if no other editor was
  installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
  addModuleStyles() is deprecated and will log a warning server-side.

== MediaWiki 1.28.3 ==

This is a security and maintenance release of the MediaWiki 1.28 branch.

=== Changes since 1.28.2 ==
* (T168856) Allow SVGs created by Dia to be uploaded.
* (T157545) Add missing doUpdates() call to refreshLinks.php.
* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
* (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
* (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
* (T167798) Fix phrase search and highlighting for phrase queries.
* (T151136) Provide credits information to callbacks in extension registration.
* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
* (T168337) Fix ErrorPageError to work from non-UI contexts.
* (T143788) Backports for PHP 7.0 and 7.1 support.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T174255) Declare uploadCount property in importDump.php.
* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.

== MediaWiki 1.28.2 ==

Due to a packaging error, the wrong version of the SyntaxHighlight extension was
included in the tarball version of MediaWiki 1.28.1. The version included had a
serious security issue in it (T158689). There was also some minor code fixes in
MediaWiki itself since 1.28.1, but none of them were security relevant.

== MediaWiki 1.28.1 ==

This is a security and maintenance release of the MediaWiki 1.28 branch.

=== Changes since 1.28.0 ===

* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
  more than one database server setup.
* (T152717) Better escaping for PHP mail() command,
* (T154670) A missing method causing the MySQL installer to fatal in rare
  circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
  to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
  declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
  in it's fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  it.

== MediaWiki 1.28 ==

=== Changes since 1.28.0-rc1 ===
* (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
  errors.
* (T148956) Only apply wgDBschema to postgres/mssql.
* (T145991) Introduce separate log action for deleting pages on move.
* (T141474) (T110464) Bypass login page if no user input is required.

=== Changes since 1.28.0-rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
  comment to a machine-readable JavaScript config option 'wgPageParseReport'
  have been undone. They caused the human-readable limit report to be shown
  incompletely or not at all. ParserOutput::setLimitReportData() and
  getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
  the text of subheadings on a category page when creating it. This wasn't
  working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
  canonical pretty URL when a non-pretty URL is used. It resulted in redirect
  loops in some clients and in some server configurations. This undoes a change
  made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.

=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  made by MediaWiki via a proxy. Relying on the http_proxy environment
  variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
  access to session data, which includes the session user and the session
  user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
  is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
  local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
  signifies local uploads. A value of `[]` (empty array) now means that
  no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
  for Esperanto language character conversion. You are now recommended to use
  input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
  https://www.mediawiki.org/beacon with basic information about the local
  MediaWiki installation. This data includes, for example, the type of system,
  PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
  to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
  if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user').
  instead of just administrators ('sysop'). Documentation for this feature is
  available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
  of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
  a tracking category will be added to help identify usage and make it easier to migrate
  away from. If you depend upon magic link functionality, it is requested that you comment
  on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
  explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
  in upcoming Content-Security-Policy feature's reporting.

=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
  upload. Unlike 'UploadVerifyFile' it provides information about upload comment
  and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
  maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
  to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
  a 'numeric' collation is also available. If migrating from another
  collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
  month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
  appropriate for sending multi-valued parameters. This defaults to true when
  the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
  MediaWiki will wait for the replica databases to synchronize with the master database
  while it renders the HTML output. However, if the output is a redirect to another wiki
  on the wiki farm with a different domain, MediaWiki will instead alter the redirect
  URL to include a ?cpPosTime parameter that triggers the database synchronization when
  the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules.

=== External library changes in 1.28 ===

==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4

==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1

=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
  Session::getAllowedUserRights()

=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
  the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
  (deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
  now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
  to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
  action=login is now deprecated and outputs a warning. They should be submitted
  in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
  action=createaccount, action=linkaccount, and action=changeauthenticationdata
  in the query string is now deprecated and outputs a warning. They should be
  submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
  instead of the pipe character. This will be useful if some of the multiple
  values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
  contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
  ApiPageSet may contain entries where the 'from' value is percent-encoded as
  the raw value cannot be represented in a valid API response. These are
  indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
  module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
  named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
  the 'TitleIsAlwaysKnown' hook) are output in various modules.

=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with ApiParse and ApiExpandTemplates.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* ApiBase::getResultData() was removed (deprecated since 1.25)
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules. A query module can enable
  these hooks by passing an array for $hookData to ApiQueryBase::select() and
  by calling ApiQueryBase->processRow() before adding a row's data to the
  result.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.

=== Languages updated in 1.28 ===

MediaWiki supports over 375 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
  BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
  Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.

=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
  use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
  login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
  MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
  were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
  respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
  * Skin::commentBlock() (use Linker::commentBlock() instead)
  * Skin::generateRollback() (use Linker::generateRollback() instead)
  * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::userLink() (use Linker::userLink() instead)
  * Skin::userToolLinks() (use Linker::userToolLinks() instead)
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
  disabled.
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
  Use ...->stashFile()->getFileKey() instead.
* "Public domain" was removed as a wiki license option from the installer, in
  favour of CC-0.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
  on requests needed by primary providers even if all primaries need them.
  Primary providers are discouraged from returning multiple REQUIRED requests.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
  will no longer be automatically infused. You should call `OO.ui.infuse()`
  on them yourself from your JavaScript code.
* parserTests.php has moved to tests/parser/parserTests.php
* The command line options specific to parser tests have been removed from
  phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
  Instead of --keep-uploads, use the same option to parserTests.php, but you
  must specify a directory with --upload-dir.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
  migrate to using the same functions on a ProxyLookup instance, obtainable from
  MediaWikiServices.
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
  ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
  ShowRawCssJs hooks will now emit deprecation warnings if used.
* (T68404) CSS3 attr() function with url type is no longer allowed
  in inline styles.
* Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
  instead.

== MediaWiki 1.27.5 ==
	
This is a security and maintenance release of the MediaWiki 1.27 branch.