Unterstütze uns! Spende jetzt!

Hinweise zu Mediawiki: Unterschied zwischen den Versionen

Aus PiratenWiki
Wechseln zu: Navigation, Suche
(Bekannte Probleme)
 
Zeile 6: Zeile 6:
  
 
== Bekannte Probleme ==
 
== Bekannte Probleme ==
* folgt
+
* Den Seiten-Cache mit action=purge löschen braucht jetzt statt GET- zwingend einen POST-Request. Damit gibt es keine "geräuschlose" Möglichkeit mehr für normale Benutzer; ohne einen manuellen Bestätigungsklick beim Löschen des Seiten-Cache funktioniert es nicht mehr. Ein Problem ist das nicht wirklich - wir klicken gern! ''(Die API geht natürlich ohne klicken.)'' --[[Benutzer:Uk|uk]] 20:12, 1. Nov. 2018 (CET)
 +
* weiteres folgt
  
 
== Update Long Term Support (LTS) Version ==
 
== Update Long Term Support (LTS) Version ==

Aktuelle Version vom 1. November 2018, 20:12 Uhr

Neue Versionen von Mediawiki bringen manchmal Voreinstellungen mit, die nicht unbedingt optimal sind. Diese Seite wird versuchen auf Veränderungen einzugehen.

Seiten und Dateien automatisch beobachten abstellen

Wer nicht möchte, dass man jedesmal automatisch per E-Mail benachrichtigt wird, falls man Seiten oder Dateien erstellt, verschiebt oder bearbeitet, sollte die Einstellungen seiner Beobachtungsliste anpassen. Ein Abschalten der entsprechenden Optionen bewirkt auch, dass bei der Seitenvorschau keine Vorauswahl bei "Diese Seite beobachten" aktiviert wird.

Bekannte Probleme

  • Den Seiten-Cache mit action=purge löschen braucht jetzt statt GET- zwingend einen POST-Request. Damit gibt es keine "geräuschlose" Möglichkeit mehr für normale Benutzer; ohne einen manuellen Bestätigungsklick beim Löschen des Seiten-Cache funktioniert es nicht mehr. Ein Problem ist das nicht wirklich - wir klicken gern! (Die API geht natürlich ohne klicken.) --uk 20:12, 1. Nov. 2018 (CET)
  • weiteres folgt

Update Long Term Support (LTS) Version

Bei der Wartung am 22. Oktober 2018 wurde das Wiki von LTS legacy auf die aktuelle LTS-Version aktualisiert. Diese Version wird bis Juni 2021 gepflegt. Ein paar kleine Probleme habe ich bereits entdeckt, aber wahrscheinlich wird sich für alles eine Lösung finden. Die wichtigsten Änderungen unten im Überblick. --Admin mw (Diskussion) 14:25, 22. Okt. 2018 (CEST)

== MediaWiki 1.31.1 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
* (T197229) Bundle Nuke extension, it was accidentally omitted.
* (T193995) Fix undefined patchPath() method call in parser tests.
* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T198037) GitInfo: Don't try shelling out if it's disabled.
* (T151415) Log email changes.
* (T197206) Fix performance regression when multiple DB used without caching.
* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
* (T182377, T196793) Exif: Guard against uncountable tag values.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T200864) Fix pingback over-reporting on non-MySQL databases
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.

=== Changes since MediaWiki 1.31.0-rc.2 ===
* (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
* (T196092) Hide MySQL binary/utf-8 charset option in the installer.
* (T196185) Don't allow setting $wgDBmysql5 in the installer.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.

=== Changes since MediaWiki 1.31.0-rc.0 ===
* (T33223) Drop archive.ar_text and ar_flags.
* Add default edit rate limit of 90 edits/minute for all users.
* (T187645) Use codepoint as tiebreaker when getting first-letters in
  IcuCollation.
* (T191947) Don't shell during the installer if shelling out is disabled.
* (T194319) Improve duplicate config setting exception as part of extension
  registration.
* (T195211) Don't require trailing slash in PSR-4 autoloader directory.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* Do not incorrectly hide namespace input field in the installer.
* (T186456) Refactor checks looking for PEAR maik libraries to be clearer.

=== Important pre-upgrade notes for 1.31 ===
* If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
  schema changes, and cannot have downtime to run migrateArchiveText.php and
  apply patch-drop-ar_text.sql manually, you'll have to apply a default value
  to the ar_text and ar_flags columns of the archive table or make those
  columns nullable before upgrading to MediaWiki 1.31.
  maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL.
* The CologneBlue and Modern skins are no longer bundled with the tarball. You
  will need to remove the wfLoadSkin() calls from your LocalSettings.php or
  download them separately
  (<https://www.mediawiki.org/wiki/Special:SkinDistributor>).

=== Configuration changes in 1.31 ===
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
  a future version. The API is now considered to be stable, secure and
  essential.
* $wgUsejQueryThree was removed, as it is now the default. This was documented
  as a temporary variable during the migration period, deprecated since 1.29.
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
  possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
  have the right to mark things patrolled.
* Wikis that contain imported revisions or CentralAuth global blocks should run
  maintenance/cleanupUsersWithNoId.php.
* The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
  $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
  are not using the latest version of the Referrer Policy specification.
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
  first step of migration to human-readable section IDs that will later result
  in 'html5' being the default mode.
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
  as upstream is inactive and has no plans to move to PHP 7.
* The old CategorizedRecentChanges feature, including its related configuration
  option $wgAllowCategorizedRecentChanges, has been removed.
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
  for performance reasons, and installations with this setting will now work as
  if it was configured with 'any'.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
  rather than being off by default. If you wish to disable HTML tidying
  entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
  Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
* $wgLogAutopatrol now defaults to false instead of true.
* $wgValidateAllHtml was removed and will be ignored.
* $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
  1.25 release notes for more information.
* $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
  framework that it enables. Some extensions mistakenly used this to check
  whether any AJAX functionality at all should be enabled, further making this
  problematic to retain.
* $wgDBmysql5 is now deprecated, and will be removed in a future version. It
  has been marked as experimental ever since it was introduced.

=== New features in 1.31 ===
* (T76554) User sub-pages named ….json are now protected in the same way that
  ….js and ….css pages are, so that configuration options can safely be placed
  there.
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
  with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
  Html class now provides helper methods for messageBox, successBox, errorBox
  and warningBox generation.
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
  a format like "iw>Example".
* (T20209) Linker (used on history pages, log pages, and so on) will display
  usernames formed like "iw>Example" as interwiki links, as if by wikitext like
  [[iw:User:Example|iw>Example]].
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
  users during an import.
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
  the ParserOutput::getText() post-cache transformations.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
  initial page text for file uploads.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
  hash value in the table of basic information.
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
  ParserOutput::getText() post-cache transformation. This may be disabled by
  passing 'deduplicateStyles' => false to that method.
* The identity of the logged-in or IP "actor" for logged actions is being moved
  into a new actor table, with the rows in tables such as revision and logging
  referring to the actor ID instead of storing the user ID and name/IP in
  every row.
  * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
    can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
    soon as any necessary extensions are updated.
  * Most code accessing rows for logged actions from the database should use
    the relevant getQueryInfo() methods to get the information needed to build
    the SQL query. The ActorMigration class may also be used to get feature
    -flagged information needed to access actor-related fields during the
    migration period.
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
  section without having to roll back the whole transaction.
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
  and non-MySQL ::replace() and ::upsert() no longer roll back the whole
  transaction on failure.
* (T189785) Added a monthly heartbeat ping to the pingback feature.
* The CLI installer (maintenance/install.php) learned to detect and include
  extensions. Pass --with-extensions to enable that feature.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
  "1" for manually patrolled and "2" for autopatrolled actions.
* Extensions can now set their type to "editor" if they provide an editor or
  enhance the editing experience.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
  property in extension.json. See the documentation at
  <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
  for more details and an example.
* (T19099) Tabs which link to pages that don't exist (like those to uncreated
  discussion pages) now have a tooltip to indicate state, not just colour.

=== External library changes in 1.31 ===
* pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
  suggested to required. These packages now must be installed via composer
  and not via PEAR itself.

==== Upgraded external libraries ====
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.

==== New external libraries ====
* Added wikimedia/object-factory 1.0.0

==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
  text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
  'mediawiki.viewport' module instead.
* mediawiki/at-ease was replaced with wikimedia/at-ease.

=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor.
* (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
  space.
* (T2087, T10897, T87753, T174639) Whitespace created by category and language
  links is now stripped rather than leaving blank lines in odd places.
* (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+

=== Action API changes in 1.31 ===
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
  removed. It has never made a difference in the output, the name was always
  returned regardless.
* The 'watch' and 'unwatch' parameters for action=move have been removed. They
  were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
  'watchlist' instead.

=== Action API internal changes in 1.31 ===
* ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
* ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
* ApiBase::getProfileTime, deprecated since 1.25, was removed.

=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
* (T182305) New language support: Nyungar (nys).
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
* (T186635) New language support: Guianan Creole (gcr).
* (T186647) New language support: Kumyk [къумукъ] (kum).
* (T187750) New language support: Spanish formal address (es-formal).
* (T187824) New language support: Hungarian formal address (hu-formal).
* (T189127) New language support: Gorontalo (gor).

=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
* The OutputPage class constructor now requires a context parameter.
  Instantiating without context was deprecated in 1.18.
* The mw.page JavaScript singleton, deprecated in 1.30, was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
  ::onArticleEdit() methods, deprecated in 1.24, were removed.
* Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
  removed. Use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
  DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
  no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
  'byText' or ->setBlocker(). Callers should either ensure the blocker exists
  locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were
  deprecated in 1.27, have been removed:
  * WatchedItem::getTitle()
  * WatchedItem::fromUserTitle()
  * WatchedItem::addWatch()
  * WatchedItem::removeWatch()
  * WatchedItem::isWatched()
  * WatchedItem::duplicateEntries()
  * WatchedItem::IGNORE_USER_RIGHTS
  * WatchedItem::CHECK_USER_RIGHTS
  * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
  HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
  The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
  default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have
  been removed:
  * PreparedEdit->newText
  * PreparedEdit->oldText
  * PreparedEdit->pst
* ParserOutput objects which are generated using a non-default value for
  ParserOptions::setWrapOutputClass() can no longer be added to the parser
  cache.
* The following deprecated methods from the OutputPage class have been removed:
  * OutputPage::addExtensionStyle(); deprecated in 1.27
  * OutputPage::getExtStyle(); deprecated in 1.27
  * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
  * OutputPage::setSquidMaxage(); deprecated in 1.27
  * OutputPage::readOnlyPage(); deprecated in 1.25
  * OutputPage::rateLimited(); deprecated in 1.25
  * Additionally, the protected OutputPage::$mExtStyles array, only accessed
    through the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
  were removed:
  * $isCssJsSubpage — use ::isUserConfigPage()
  * $isCssSubpage — use ::isUserCssConfigPage()
  * $isJsSubpage — use ::isUserJsConfigPage()
  * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
  * ::getSummaryInput() – use ::getSummaryInputWidget()
  * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
  * ::getCheckboxes() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
  * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
* ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on
  the response object, and were deprecated in 1.27, have been removed:
  * ::setCookie()
  * ::clearCookie()
  * ::setExtendedLoginCookie()
  Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27 have
  been removed:
  * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
  * ::getPasswordFactory() – create a PasswordFactory directly
  * ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
  been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
  use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
  can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
  Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when
  DBO_TRX is set results in an exception. Calling Database::commit() explicitly
  for an implicit transaction also results in an exception. Previously these
  were logged as errors. The startAtomic() and endAtomic() methods, or
  AtomicSectionUpdate should be used instead.
* The global function wfOutputHandler() was removed, use the its replacement
  MediaWiki\OutputHandler::handle() instead. The global function was only
  sometimes defined. Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
  deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
  ::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
  use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
  ResourceLoaderModule::getLessVars() to expose local variables instead of
  global ones.
* As part of work to modernise user-generated content clean-up, a config option
  and some methods related to HTML validity were removed without deprecation.
  The public methods MWTidy::checkErrors() and the path through which it was
  called, TidyDriverBase::validate(), are removed, as are the testing methods
  MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
  The $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies
  the RESTRICT_DEFAULT Firejail restriction by default.
* The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
  deprecated in 1.26, were removed.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
  Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.

=== Deprecations in 1.31 ===
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
  RevisionRecord and its subclasses.
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* The global function wfCountDown is now deprecated in favor of
  Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
  have been deprecated in favor of similar methods that also return the tables
  to select from and the join conditions for those tables.
  * Block::selectFields() → Block::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
  * LocalFile::selectFields() → LocalFile::getQueryInfo()
  * LocalFile::getCacheFields() with a prefix no longer works
  * LocalFile::getLazyCacheFields() with a prefix no longer works
  * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
  * Revision::selectFields() → Revision::getQueryInfo()
  * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
  * User::selectFields() → User::getQueryInfo()
  * WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
  should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
  override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
  Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated; use instead the hook
  RevisionRecordInserted. RevisionInsertComplete is still called, but the second
  and third parameter will always be null. Hard deprecation is scheduled for 1.32.
* The following methods that get and set ParserOutput state are deprecated.
  Callers should use the new stateless $options parameter to
  ParserOutput::getText() instead.
  * ParserOptions::getEditSection()
  * ParserOptions::setEditSection()
  * ParserOutput::getEditSectionTokens()
  * ParserOutput::setEditSectionTokens()
  * ParserOutput::getTOCEnabled()
  * ParserOutput::setTOCEnabled()
  * OutputPage::enableSectionEditLinks()
  * OutputPage::sectionEditLinksEnabled()
  * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
    are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
  Setting template variables by reference allowed violating the principle of
  data being immutable once added to the skin template. In practice, this method
  was not being used for that. Rather, setRef() existed as memory optimisation
  for PHP 4.
* QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
  favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
  wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
  'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced class
  \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
  used instead.
* CommentStore::newKey is deprecated. Instead, get an instance from
  MediaWikiServices.
* The following CommentStore methods have had their signatures changed to
  introduce a $key parameter, usage of the methods on instances retrieved from
  CommentStore::newKey will remain unchanged but deprecated:
  * CommentStore::getFields
  * CommentStore::getJoin
  * CommentStore::getComment
  * CommentStore::getCommentLegacy
  * CommentStore::insert
  * CommentStore::insertWithTemplate
* The following methods in Title have been renamed, and the old ones are
  deprecated:
  * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
  * Title::isCssOrJsPage – use ::isSiteConfigPage
  * Title::isCssJsSubpage – use ::isUserConfigPage
  * Title::isCssSubpage – use ::isUserCssConfigPage
  * Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
  * Parser::serializeHalfParsedText()
  * Parser::unserializeHalfParsedText()
  * Parser::isValidHalfParsedText()
  * StripState::getSubState()
  * StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
  deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
  used instead.
* The function wfShellWikiCmd() has been deprecated, use
  MediaWiki\Shell::makeScriptCommand().
* In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
  will be allowed to provide any HTMLForm object rather than PreferencesForm.

=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was dropped entirely. Opera 15+
  continues at Grade A.
* Multi-content-revision capability was introduced into the storage layer. See
  <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext.
  Links written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
  wikitext table captions, wikitext table headings, wikitext table cells. HTML
  headings, HTML list items, HTML table captions, HTML table headings, HTML
  table cells will not have this trimming behavior.

== MediaWiki 1.30.1 ==

This is a security and maintenance release of the MediaWiki 1.30 branch.

=== Changes since MediaWiki 1.30.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker.
* (T179190) selenium: Move logic for running tests from package.json to selenium.sh
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* Add default edit rate limit of 90 edits/minute for all users.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* oojs/oojs-ui updated to remove an unnecessary dependancy.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T193995) Fix undefined patchPath() method call in parser tests.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.
* (T190539) Explicitly require Postgres 9.1.
* (T118420) Unbreak Oracle installer.

== MediaWiki 1.30 ==

=== Changes since MediaWiki 1.30.0-rc.0 ===
* Upgraded Moment.js from v2.15.0 to v2.19.3.
* Add ip_changes to postgres/tables.sql.
* Skip null shell parameters.
* Add wfWaitForSlaves() to maintenance/migrateComments.php.
* (T182245) Fix join conditions in ImageListPager.
* (T178626) Revert #contentSub and #jump-to-nav margin changes.

=== MySQL version requirement in 1.30 ===
As of 1.30, MediaWiki now requires MySQL 5.5.8 or higher (see Compatibility
section).

=== Configuration changes in 1.30 ===
* The "C.UTF-8" locale should be used for $wgShellLocale, if available, to avoid
  unexpected behavior when code uses locale-sensitive string comparisons. For
  example, the Scribunto extension considers "bar" < "Foo" in most locales
  since it ignores case.
* $wgShellLocale now affects LC_ALL rather than only LC_CTYPE. See
  documentation of $wgShellLocale for details.
* $wgShellLocale is now applied for all requests. wfInitShellLocale() is
  deprecated and a no-op, as it is no longer needed.
* $wgJobClasses may now specify callback functions as an alternative to plain
  class names. This is intended for extensions that want control over the
  instantiation of their jobs, to allow for proper dependency injection.
* $wgResourceModules may now specify callback functions as an alternative
  to plain class names, using the 'factory' key in the module description
  array. This allows dependency injection to be used for ResourceLoader modules.
* $wgExceptionHooks has been removed.
* (T163562) $wgRangeContributionsCIDRLimit was introduced to control the size
  of IP ranges that can be queried at Special:Contributions.
* (T45547) $wgUsePigLatinVariant added (off by default).
* (T152540) MediaWiki now supports a section ID escaping style that allows to display
  non-Latin characters verbatim on many modern browsers. This is controlled by the
  new configuration setting, $wgFragmentMode.
* $wgExperimentalHtmlIds is now deprecated and will be removed in a future version,
  use $wgFragmentMode to migrate off it to a modern alternative.
* $wgExternalInterwikiFragmentMode was introduced to control how fragments in
  sinterwikis going outside of current wiki farm are encoded.
* (T120333) Soft-deprecated the use of PHP extension 'mysql' in favor of 'mysqli'.
  This PHP extension was deprecated in PHP 5.5 and removed in PHP 7.0. MediaWiki
  auto-selects the 'mysqli' driver since MediaWiki 1.22, except if explicitly
  requested through the configuration parameter $wgDBservers.
* $wgOOUIEditPage was removed, as it is now the default. This was documented as a
  temporary variable during the migration period.

=== New features in 1.30 ===
* (T37247) Output from Parser::parse() will now be wrapped in a div with
  class="mw-parser-output" by default. This may be changed or disabled using
  ParserOptions::setWrapOutputClass().
* (T163562) Added ability to search for contributions within an IP ranges
  at Special:Contributions.
* Added 'ChangeTagsAllowedAdd' hook, enabling extensions to allow software-
  specific tags to be added by users.
* Added a 'ParserOptionsRegister' hook to allow extensions to register
  additional parser options.
* (T45547) Included Pig Latin, a language game in English, as a
  LanguageConverter variant.  This allows English-speaking developers
  to develop and test LanguageConverter more easily.  Pig Latin can be
  enabled by setting $wgUsePigLatinVariant to true.
* Added RecentChangesPurgeRows hook to allow extensions to purge data that
  depends on the recentchanges table.
* Added JS config values wgDiffOldId/wgDiffNewId to the output of diff pages.
* (T2424) Added direct unwatch links to entries in Special:Watchlist (if the
  'watchlistunwatchlinks' preference option is enabled). With JavaScript
  enabled, these links toggle so the user can also re-watch pages that have
  just been unwatched.
* Added $wgParserTestMediaHandlers, where mock media handlers can be passed to
  MediaHandlerFactory for parser tests.
* Edit summaries, block reasons, and other "comments" are now stored in a
  separate database table. Use the CommentFormatter class to access them.
** This is currently gated by $wgCommentTableSchemaMigrationStage. Most wikis
   can set this to MIGRATION_NEW and run maintenance/migrateComments.php as
   soon as any necessary extensions are updated.
* (T138166) Added ability for users to prohibit other users from sending them
  emails with Special:Emailuser. Can be enabled by setting
  $wgEnableUserEmailBlacklist to true.
* (T67297) $wgBrowserBlacklist is deprecated, and changing it will have no effect.
  Instead, users using browsers that do not support Unicode will be unable to edit
  and should upgrade to a modern browser instead.

=== External library changes in 1.30 ===

==== Upgraded external libraries ====
* Updated justinrainbow/json-schema from v3.0 to v5.2.
* Updated mediawiki/mediawiki-codesniffer from v0.7.2 to v0.12.0.
* Updated wikimedia/composer-merge-plugin from v1.4.0 to v1.4.1.
* Updated wikimedia/relpath from v1.0.3 to v2.0.0.
* Updated OOjs from v2.0.0 to v2.1.0.
* Updated OOUI from v0.21.1 to v0.23.0.
* Updated QUnit from v1.23.1 to v2.4.0.
* Updated phpunit/phpunit from v4.8.35 to v4.8.36.
* Upgraded Moment.js from v2.15.0 to v2.19.3.

==== New external libraries ====
* The class \TestingAccessWrapper has been moved to the external library
  wikimedia/testing-access-wrapper and renamed \Wikimedia\TestingAccessWrapper.
* Purtle, a fast, lightweight RDF generator.

==== Removed and replaced external libraries ====
* …

=== Bug fixes in 1.30 ===
* (T151633) Ordered list items use now Devanagari digits in Nepalese
  (thanks to Sfic)

=== Action API changes in 1.30 ===
* (T37247) action=parse output will be wrapped in a div with
  class="mw-parser-output" by default. This may be changed or disabled using
  the new 'wrapoutputclass' parameter.
* When errorformat is not 'bc', abort reasons from action=login will be
  formatted as specified by the error formatter parameters.
* action=compare can now handle arbitrary text, deleted revisions, and
  returning users and edit comments.
* (T164106) The 'rvdifftotext', 'rvdifftotextpst', 'rvdiffto',
  'rvexpandtemplates', 'rvgeneratexml', 'rvparse', and 'rvprop=parsetree'
  parameters to prop=revisions are deprecated, as are the similarly named
  parameters to prop=deletedrevisions, list=allrevisions, and
  list=alldeletedrevisions. Use action=compare, action=parse, or
  action=expandtemplates instead.

=== Action API internal changes in 1.30 ===
* ApiBase::getDescriptionMessage() and the "apihelp-*-description" messages are
  deprecated. The existing message should be split between "apihelp-*-summary"
  and "apihelp-*-extended-description".
* (T123931) Individual values of multi-valued parameters can now be marked as
  deprecated.

=== Languages updated in 1.30 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Added: kbp (Kabɩyɛ / Kabiyè)
* Added: skr (Saraiki, سرائیکی)
* Added: tay (Tayal / Atayal)
* Removed: tokipona (Toki Pona)

==== Pig Latin added ====
* (T45547) Added Pig Latin, a made-up English variant (en-x-piglatin),
  for easier variant development and testing. Disabled by default. It can be
  enabled by setting $wgUsePigLatinVariant to true.

=== Other changes in 1.30 ===
* The use of an associative array for $wgProxyList, where the IP address is in
  the key instead of the value, is deprecated (e.g. [ '127.0.0.1' => 'value' ]).
  Please convert these arrays to indexed/sequential ones (e.g. [ '127.0.0.1' ]).
* mw.user.bucket (deprecated in 1.23) was removed.
* LoadBalancer::getServerInfo() and LoadBalancer::setServerInfo() are
  deprecated. There are no known callers.
* File::getStreamHeaders() was deprecated.
* MediaHandler::getStreamHeaders() was deprecated.
* Title::canTalk() was deprecated. The new Title::canHaveTalkPage() should be
  used instead.
* MWNamespace::canTalk() was deprecated. The new MWNamespace::hasTalkNamespace()
  should be used instead.
* The ExtractThumbParameters hook (deprecated in 1.21) was removed.
* The OutputPage::addParserOutputNoText and ::getHeadLinks methods (both
  deprecated in 1.24) were removed.
* wfMemcKey() and wfGlobalCacheKey() were deprecated. BagOStuff::makeKey() and
  BagOStuff::makeGlobalKey() should be used instead.
* (T146304) Preprocessor handling of LanguageConverter markup has been improved.
  As a result of the new uniform handling, '-{' may need to be escaped
  (for example, as '-<nowiki/>{') where it occurs inside template arguments
  or wikilinks.
* (T163966) Page moves are now counted as edits for the purposes of
  autopromotion, i.e., they increment the user_editcount field in the database.
* Two new hooks, LogEventsListLineEnding and NewPagesLineEnding, were added for
  manipulating Special:Log and Special:NewPages lines.
* The OldChangesListRecentChangesLine, EnhancedChangesListModifyLineData,
  PageHistoryLineEnding, ContributionsLineEnding and DeletedContributionsLineEnding
  hooks have an additional parameter, for manipulating HTML data attributes of
  RC/history lines. EnhancedChangesListModifyBlockLineData can do that via the
  $data['attribs'] subarray.
* (T130632) The OutputPage::enableTOC() method was removed.
* WikiPage::getParserOutput() will now throw an exception if passed
  ParserOptions that would pollute the parser cache. Callers should use
  WikiPage::makeParserOptions() to create the ParserOptions object and only
  change options that affect the parser cache key.
* Article::viewRedirect() is deprecated.
* IP::isValidBlock() was deprecated. Use the equivalent IP::isValidRange().
* DeprecatedGlobal no longer supports passing in a direct value, it requires a
  callable factory function or a class name.
* The $parserMemc global, wfGetParserCacheStorage(), and ParserCache::singleton()
  are all deprecated. The main ParserCache instance should be obtained from
  MediaWikiServices instead. Access to the underlying BagOStuff is possible
  through the new ParserCache::getCacheStorage() method.
* .mw-ui-constructive CSS class (deprecated in 1.27) was removed.
* Sanitizer::escapeId() was deprecated, use escapeIdForAttribute(),
  escapeIdForLink() or escapeIdForExternalInterwiki() instead.
* Title::escapeFragmentForURL() was deprecated, use one of the aforementioned
  Sanitizer functions or, if possible, Title::getFragmentForURL().
* Second parameter to Sanitizer::escapeIdReferenceList() ($options) now does
  nothing and is deprecated.
* mw.util.escapeId() was deprecated, use escapeIdForAttribute() or
  escapeIdForLink().
* MagicWord::replaceMultiple() (deprecated in 1.25) was removed.
* WikiImporter now requires the second parameter to be an instance of the Config,
  class. Prior to that, the Config parameter was optional (a behavior deprecated in
  1.25).
* Removed 'jquery.mwExtension' module. (deprecated since 1.26)
* mediawiki.ui: Deprecate greys, which are not part of WikimediaUI color palette
  any more.
* CdbReader, CdbWriter, CdbException classes (deprecated in 1.25) were removed.
  The namespaced classes in the Cdb namespace should be used instead.
* IPSet class (deprecated in 1.26) was removed. The namespaced IPSet\IPSet
  should be used instead.
* RunningStat class (deprecated in 1.27) was removed. The namespaced
  RunningStat\RunningStat should be used instead.
* MWMemcached and MemCachedClientforWiki classes (deprecated in 1.27) were removed.
  The MemcachedClient class should be used instead.
* EditPage underwent some refactoring and deprecations:
  * EditPage::isOouiEnabled() is deprecated and will always return true.
  * EditPage::getSummaryInput() and ::getSummaryInputOOUI() are deprecated. Please
    use ::getSummaryInputWidget() instead.
  * EditPage::getCheckboxes() and ::getCheckboxesOOUI() are deprecated. Please
    use ::getCheckboxesWidget() instead.
  * Creating an EditPage instance without calling EditPage::setContextTitle() should
    be avoided and will be deprecated in a future release.
  * EditPage::safeUnicodeInput() and ::safeUnicodeOutput() are deprecated and no-ops.
  * EditPage::$isCssJsSubpage, ::$isCssSubpage, and ::$isJsSubpage are deprecated. The
    corresponding methods from Title should be used instead.
  * EditPage::$isWrongCaseCssJsPage is deprecated. There is no replacement.
  * EditPage::$mArticle and ::$mTitle are deprecated for public usage. The getters
    ::getArticle() and ::getTitle() should be used instead.
  * Trying to control or fake EditPage context by overriding $wgUser, $wgRequest, $wgOut,
    and $wgLang is no longer supported and won't work. The IContextSource returned from
    EditPage::getContext() must be modified instead.
* Parser::getRandomString() (deprecated in 1.26) was removed.
* Parser::uniqPrefix() (deprecated in 1.26) was removed.
* Parser::extractTagsAndParams() now only accepts three arguments. The fourth,
  $uniq_prefix was deprecated in 1.26 and has now been removed.
* (T172514) The following tables have had their UNIQUE indexes turned into proper
  PRIMARY KEYs for increased maintainability: categorylinks, imagelinks, iwlinks,
  langlinks, log_search, module_deps, objectcache, pagelinks, query_cache, site_stats,
  templatelinks, text, transcache, user_former_groups, user_properties.
* IDatabase::nextSequenceValue() is no longer needed by any database backends
  (formerly it was needed by PostgreSQL and Oracle), and is now deprecated.
* (T146591) The lc_lang_key index on the l10n_cache table has been changed into a
  PRIMARY KEY.
* (T157227) bot_password.bp_user, change_tag.ct_log_id, change_tag.ct_rev_id,
  page_restrictions.pr_user, tag_summary.ts_log_id, tag_summary.ts_rev_id and
  user_properties.up_user have all been made unsigned on MySQL.
* DB_SLAVE is deprecated. DB_REPLICA should be used instead.
* wfUsePHP() is deprecated.
* wfFixSessionID() was removed.
* wfShellExec() and related functions are deprecated, use Shell::command(). This also
  slightly changes the behavior of how execution time limits are calculated when only
  some of defaults are overridden per-call. When in doubt, always override both wall
  clock and CPU time.
* (T138166) SpecialEmailUser::getTarget() now requires a second argument, the sending
  user object. Using the method without the second argument is deprecated.
* (T67297) Browsers that don't support Unicode will have their edits rejected.
* (T178450) The module 'jquery.badge' is deprecated and will be removed in a future
  release. For notifying the user of an event, the Notifications ("Echo") system
  should be used instead.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.

== MediaWiki 1.29.3 ==

This is a security and maintenance release of the MediaWiki 1.29 branch.

=== Changes since 1.29.2 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T180551) Fix LanguageSrTest for language converter
* (T180552) Fix langauge converter parser test with self-close tags
* (T180537) Remove $wgAuth usage from wrapOldPasswords.php
* (T180485) InputBox: Have inputbox langconvert certain attributes
* (T161732, T181547) Upgraded Moment.js from v2.15.0 to v2.19.3.
* (T172927) Drop vendor from MW release branch
* (T87572) Make FormatMetadata::flattenArrayReal() work for an associative array
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* (T189567) the CLI installer (maintenance/install.php) learned to detect and
  include extensions. Pass --with-extensions to enable that feature.
* (T182381) Mask deprecated call in WatchedItemUnitTest
* (T190503) Let built-in web server (maintenance/dev) handle .php requests.
* The karma qunit tests would fail on some configuration due to headers already
  sent. Check headers_sent() before sending cpPosTime headers
* (T167507) selenium: Run Chrome headlessly.
* selenium: Pass -no-sandbox to Chrome under Docker
* (T191247) Use MediaWiki\SuppressWarnings around trigger_error('') instead @
* (T75174, T161041) Unit test ChangesListSpecialPageTest::testFilterUserExpLevel
  fails under SQLite.
* (T192584) Stop incorrectly passing USE INDEX to RecentChange::newFromConds().
* (T179190) selenium: Move test running logic from package.json to selenium.sh.
* (T117839, T193200) PDFHandler: Fix for pdfinfo changes in poppler-utils 0.48.
* Add default edit rate limit of 90 edits/minute for all users.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.
* (T194237) Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T176097) resourceloader: Disable a flaky MessageBlobStoreTest case
* (T193829) Indicate when a Bot Password needs reset.
* (T151415) Log email changes.
* (T118420) Unbreak Oracle installer.

== MediaWiki 1.29.2 ==

This is a security and maintenance release of the MediaWiki 1.29 branch.

=== Changes since 1.29.1 ===
* (T166757) Avoid scoped lock errors in Category::refreshCounts() due to nesting.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* Fixed login button label to accept RawMessage.
* Fixed case of SpecialRecentChanges class usage.
* (T174255) Declare uploadCount property in importDump.php.
* (T163646) Pass a string not an int to mysql_real_escape_string().
* (T180143) Bump justinrainbow/json-schema development dependency to ~5.2.
* Updated dev dependancy phpunit/phpunit from v4.8.35 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.
* (T180488) (T125177) "api.log contains passwords in plaintext" wasn't correctly fixed in all
  branches in the previous security release.
* (T200861) Fix total breakage of SQLite web upgrade.

== MediaWiki 1.29.1 ==

This is a maintenance release of the MediaWiki 1.29 branch.

The SpamBlacklist and PdfHandler extensions were missing from the generated
packages.

=== Changes since 1.29.1 ===
* (T164999) Define mw.Upload.Dialog.static.name in mediawiki.Upload.Dialog.js.
* (T172061) Fix fatal when passing a category to refreshLinks.php.

== MediaWiki 1.29 ==

=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
  expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
  determines whether to set a cookie when a user is autoblocked. Doing so means
  that a blocked user, even after logging out and moving to a new IP address,
  will still be blocked.
* The resetpassword right and associated password reset capture feature has
  been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
  or boolean false. This should be compatible with at least MediaWiki 1.23 if
  not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
  policies.
* Subpages are now enabled by default in the Template namespace. Set
  $wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
  added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in it's
  fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
  'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.

=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
  if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
  exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
  dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
  downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
  via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
  from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
  of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
  browsers had poor support for them, but modern browsers handle them fine.
  This might affect some forms that used them and only worked because the
  attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
  structures filters into user-friendly groups.  This has corresponding
  changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
  Because this change can cause problems for extensions and on-wiki
  scripts depending on the exact HTML, the old version is still available
  and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
  This will be removed later and OOjs UI will become the only option.
  To make testing easier, users can also force either mode by adding
  &ooui=true or &ooui=false to the action=edit URL.

=== External library changes in 1.29 ===

==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.

==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.

==== Removed and replaced external libraries ====

=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number according
  to the page content language, not wiki content language.
* (T27187) Search suggestions based on jquery.suggestions will now correctly only
  highlight prefix matches in the results.
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
* Special:Allpages can no longer be filtered by redirect in miser mode.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
  to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
  declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
  in it's fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  it.

=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
  action=clientlogin, action=createaccount, action=linkaccount, and
  action=changeauthenticationdata in the query string is now an error. They
  should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
  using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
  parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
  'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
  'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
  key 'talkmove-errors', rather than using 'talkmove-error-code' and
  'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
  and errors for each item. Use errorformat=wikitext if you're wanting parsed
  output.
* action=rollback no longer returns a "messageHtml" property. Use
  errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
  'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
  no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
  and password change forms.
* action=purge now requires a POST.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
  which returns a list of languages with active LanguageConverter instances.
* action=query&query=allpages will no longer filter redirects using a database
  query in miser mode. This may result in less results being returned than were
  requested.

=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
  keys. Methods for using hard-coded English messages were deprecated:
  * ApiBase::dieUsage() was deprecated
  * ApiBase::dieUsageMsg() was deprecated
  * ApiBase::dieUsageMsgOrDebug() was deprecated
  * ApiBase::getErrorFromStatus() was deprecated
  * ApiBase::parseMsg() was deprecated
  * ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
  result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
  ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
  code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
  being ApiUsageException is a subclass of UsageException to allow things that
  catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
  ApiErrorFormatter_BackCompat, note that the result format has changed and
  various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
  from the message key, and maps some message keys for backwards compatibility.
* API parameters may now be marked as "sensitive" to keep their values out of
  the logs.

=== extension.json changes in 1.29 ===
* Extensions must set a value for "manifest_version" in their extension.json
  or skin.json files. See
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#manifest_version>
  for details.
* Extensions can now specify dependencies upon other extensions by using the
  "requires" key. See
  <https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#requires> for
  more details.
* (T151136) Functions set as the "callback" now recieve that extension's credits
  information as the first argument.
* (T149597) "PasswordPolicy" can be set in extension.json.

=== Languages updated in 1.29 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* Based as always on linguistic studies on intelligibility and language
  knowledge by geography, language fallbacks have been expanded. When a
  translation is missing in the user's preferred interface language, the
  corresponding translation for the fallback language will be used instead.
  English will only be used as last resort when there are no translations.
  Some configurations (such as date formats and gender namespaces) have also
  been updated when using the fallback language's configuration was inadequate.
  The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
  ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
  sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.

==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
  language will now use the default fallback language: English. When a translation
  to Ukrainian is not available, an English string will be shown.

=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
  SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
  required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
  Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
  were removed.
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
  were removed.
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
  instead.
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* Class FSRepo (deprecated in 1.19) was removed.
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
  \MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
* Class ImageGallery (deprecated in 1.22) was removed.
  Use ImageGalleryBase::factory instead.
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
  emit warnings). Create a subclass of Action and add it to $wgActions instead.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
  and outdated lists of errors/warnings returned by the API, are now deprecated.
* wiki.phtml entry point was removed.  Refer to index.php instead. If you want "wiki.phtml"
  URLs to continue to work, set up redirects. In Apache, this can be done by enabling
  mod_rewrite and adding the following rules to your configuration:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
  Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
  Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
  Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
  Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
  Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
  Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
  Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
  Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
  or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with --category=...
  or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
  now required to have a getGroupMemberships() method. See UserRightsProxy for
  an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
  instead.
* User::getGroupName(), User::getGroupMember(), User:getGroupPage(),
  User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
  Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
  User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
  UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
  see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
  and subclasses.  It should only break if you call buildMainQueryConds
  (changed to buildQuery with new signature) or doMainQuery (new
  signature).  Subclasses are likely to call at least doMainQuery
  (possibly both), but other classes might too, because they were
  public.
  Also, some related hooks were deprecated, but this is not yet a
  breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  WikiPage::PURGE_* constants are deprecated, and the functions will always
  return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
  'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
  if you don't actually care about checkboxes and just want to add some HTML
  to the page.
* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
  rather than <strong> tags. The old class name, "selflink", was deprecated
  and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
  Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
  is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
  webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
  opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
  ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
  addClickHandler, removeHandler, getElementsByClassName, getInnerText,
  setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
  mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
  escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
  tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the <li> element containing the login link has changed from
  'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
  deprecated (T30856). This old code dates from 2006, and was replaced in the
  MediaWiki release tarball and in Wikimedia production by the WikiEditor
  extension in 2010. It is only shown to users if no other editor was
  installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
  addModuleStyles() is deprecated and will log a warning server-side.

== MediaWiki 1.28.3 ==

This is a security and maintenance release of the MediaWiki 1.28 branch.

=== Changes since 1.28.2 ==
* (T168856) Allow SVGs created by Dia to be uploaded.
* (T157545) Add missing doUpdates() call to refreshLinks.php.
* (T165714) (T100085) Better handling of jobs execution in post-connection shutdown.
* (T154425) (T154438) (T157679) Use AutoCommitUpdate instead of Database->onTransactionIdle.
* (T154425) Make DeferredUpdates detect LBFactory transaction rounds.
* (T149454) Restore erroneously removed realTableName call from DatabasePostgres.
* (T167798) Fix phrase search and highlighting for phrase queries.
* (T151136) Provide credits information to callbacks in extension registration.
* (T160462) Allow namespaces defined in extension.json to be overwritten locally.
* (T168337) Fix ErrorPageError to work from non-UI contexts.
* (T143788) Backports for PHP 7.0 and 7.1 support.
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T174255) Declare uploadCount property in importDump.php.
* (T180231) SECURITY: Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
  sends non-standard url escaping.
* (T165846) SECURITY: BotPassword login attempts weren't throttled.
* (T128209) SECURITY: Reflected File Download from api.php.
* (T134100) SECURITY: Do not reveal if user exists during login failure.
* (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
* (T125163) SECURITY: Make anchor for headlines escape > and <.
* (T180237) SECURITY: Protect vendor folder with .htaccess.
* (T180231) SECURITY: Remove PHPUnit file with known RCE if exists in update.php.
* (T124404) SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit.
* (T119158) SECURITY: Handle -{}- syntax in attributes safely.

== MediaWiki 1.28.2 ==

Due to a packaging error, the wrong version of the SyntaxHighlight extension was
included in the tarball version of MediaWiki 1.28.1. The version included had a
serious security issue in it (T158689). There was also some minor code fixes in
MediaWiki itself since 1.28.1, but none of them were security relevant.

== MediaWiki 1.28.1 ==

This is a security and maintenance release of the MediaWiki 1.28 branch.

=== Changes since 1.28.0 ===

* $wgRunJobsAsync is now false by default (T142751). This change only affects
  wikis with $wgJobRunRate > 0.
* Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has
  more than one database server setup.
* (T152717) Better escaping for PHP mail() command,
* (T154670) A missing method causing the MySQL installer to fatal in rare
  circumstances was restored.
* (T154672) Un-deprecate ArticleAfterFetchContentObject hook.
* (T158766) Avoid SQL error on MSSQL when using selectRowCount().
* (T145635) Fix too long index error when installing with MSSQL.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
  to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
  $wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
  token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
  declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
  in it's fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
  syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
  it.

== MediaWiki 1.28 ==

=== Changes since 1.28.0-rc1 ===
* (T148957) Replace wgShowExceptionDetails with wgShowDBErrorBacktrace on db
  errors.
* (T148956) Only apply wgDBschema to postgres/mssql.
* (T145991) Introduce separate log action for deleting pages on move.
* (T141474) (T110464) Bypass login page if no user input is required.

=== Changes since 1.28.0-rc0 ===
* (T142210) The changes to move the parser "NewPP limit report" from a HTML
  comment to a machine-readable JavaScript config option 'wgPageParseReport'
  have been undone. They caused the human-readable limit report to be shown
  incompletely or not at all. ParserOutput::setLimitReportData() and
  getLimitReportData() behave as they did in MediaWiki 1.27 again.
* (T149510) Value of {{DISPLAYTITLE:}} parser function will not be used for
  the text of subheadings on a category page when creating it. This wasn't
  working correctly.
* (T106793) MediaWiki will no longer try to perform a HTTP redirect to the
  canonical pretty URL when a non-pretty URL is used. It resulted in redirect
  loops in some clients and in some server configurations. This undoes a change
  made in MediaWiki 1.26.
* (T149759) manifest_version: 2 was removed.

=== Configuration changes in 1.28 ===
* $wgSend404Code now affects status code of action=history if the page is not there.
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
  made by MediaWiki via a proxy. Relying on the http_proxy environment
  variable is no longer supported.
* The load.php entry point now enforces the existing policy of not allowing
  access to session data, which includes the session user and the session
  user's language. If such access is attempted, an exception will be thrown.
* The number of internal PBKDF2 iterations used to derive the session secret
  is configurable via $wgSessionPbkdf2Iterations.
* Upload dialog's file upload log comment can now be configured separately for
  local and foreign uploads.
* $wgForeignUploadTargets now defaults to `[ 'local' ]`, where `'local'`
  signifies local uploads. A value of `[]` (empty array) now means that
  no upload targets are allowed, effectively disabling the upload dialog.
* The deprecated $wgEditEncoding variable has been removed; it was only used
  for Esperanto language character conversion. You are now recommended to use
  input methods provided by the UniversalLanguageSelector extension.
* When $wgPingback is true, MediaWiki will periodically ping
  https://www.mediawiki.org/beacon with basic information about the local
  MediaWiki installation. This data includes, for example, the type of system,
  PHP version, and chosen database backend. This behavior is off by default.
* When $wgEditSubmitButtonLabelPublish is true, MediaWiki will label the button
  to store-to-database-and-show-to-others as "Publish page"/"Publish changes";
  if false, the default, they will be "Save page"/"Save changes".
* The 'editcontentmodel' permission is now granted to all logged-in users ('user').
  instead of just administrators ('sysop'). Documentation for this feature is
  available at <https://www.mediawiki.org/wiki/Help:ChangeContentModel>.
* $wgRevisionCacheExpiry is now set to one week by default instead of being disabled.
* Magic links are now disabled by default, and can be re-enabled by modifying the value
  of $wgEnableMagicLinks. Their usage is discouraged, but if they are manually enabled,
  a tracking category will be added to help identify usage and make it easier to migrate
  away from. If you depend upon magic link functionality, it is requested that you comment
  on <https://www.mediawiki.org/wiki/Requests_for_comment/Future_of_magic_links> and
  explain your use case(s).
* New config variable $wgCSPFalsePositiveUrls to control what URLs to ignore
  in upcoming Content-Security-Policy feature's reporting.

=== New features in 1.28 ===
* User::isBot() method for checking if an account is a bot role account.
* Added a new 'slideshow' mode for galleries.
* Added a new hook, 'UserIsBot', to aid in determining if a user is a bot.
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with API parsing.
* Added a new hook, 'UploadVerifyUpload', which can be used to reject a file
  upload. Unlike 'UploadVerifyFile' it provides information about upload comment
  and the file description page, but does not run for uploads to stash.
* (T141604) Extensions can now provide a better error message when their
  maintenance scripts are run without the extension being installed.
* (T8948) Numeric sorting in categories is now supported by setting $wgCategoryCollation
  to 'uca-default-u-kn' or 'uca-<langcode>-u-kn'. If you can't use UCA collations,
  a 'numeric' collation is also available. If migrating from another
  collation, you will need to run the updateCollation.php maintenance script.
* Two new codes have been added to #time parser function: "xit" for days in current
  month, and "xiz" for days passed in the year, both in Iranian calendar.
* mw.Api has a new option, useUS, to use U+001F (Unit Separator) when
  appropriate for sending multi-valued parameters. This defaults to true when
  the mw.Api instance seems to be for the local wiki.
* After a client performs an action which alters a database that has replica databases,
  MediaWiki will wait for the replica databases to synchronize with the master database
  while it renders the HTML output. However, if the output is a redirect to another wiki
  on the wiki farm with a different domain, MediaWiki will instead alter the redirect
  URL to include a ?cpPosTime parameter that triggers the database synchronization when
  the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules.

=== External library changes in 1.28 ===

==== Upgraded external libraries ====
* Updated es5-shim from v4.1.5 to v4.5.8
* Updated composer/semver from v1.4.1 to v1.4.2
* Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4

==== New external libraries ====
* Added wikimedia/scoped-callback v1.0.0
* Added wikimedia/wait-condition-loop v1.0.1

=== Bug fixes in 1.28 ===
* (T146496) action=history pages should return 404 HTTP error code if the page does not exist
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
  the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
  permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T139670) Move 'UserGetRights' call before application of
  Session::getAllowedUserRights()

=== Action API changes in 1.28 ===
* Added 'maxarticlesize' property to action=query&meta=siteinfo which contains
  the value of $wgMaxArticleSize.
* Property 'modulemessages' from action=parse&prop=modules was removed
  (deprecated since 1.26).
* The following response properties from action=login, deprecated in 1.27, are
  now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
  to properly manage session state.
* Submitting the lgtoken and lgpassword parameters in the query string to
  action=login is now deprecated and outputs a warning. They should be submitted
  in the POST body instead.
* Submitting sensitive authentication request parameters to action=clientlogin,
  action=createaccount, action=linkaccount, and action=changeauthenticationdata
  in the query string is now deprecated and outputs a warning. They should be
  submitted in the POST body instead.
* (T141960) Multi-valued parameters may now be separated using U+001F (Unit Separator)
  instead of the pipe character. This will be useful if some of the multiple
  values need to contain pipes, e.g. for action=options.
* The API will now warn if input is not NFC-normalized Unicode or if it
  contains invalid characters.
* The 'normalized' list output by action=query and other modules that use
  ApiPageSet may contain entries where the 'from' value is percent-encoded as
  the raw value cannot be represented in a valid API response. These are
  indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
* (T28680) action=paraminfo can now return info about all submodules of a
  module without listing them all explicitly.
* (T146770) It is now possible to assert that the current user is a specific
  named user, using the 'assertuser' parameter.
* (T141963) Added a 'known' property when missing-but-known titles (e.g. from
  the 'TitleIsAlwaysKnown' hook) are output in various modules.

=== Action API internal changes in 1.28 ===
* Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
  interact with ApiParse and ApiExpandTemplates.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* ApiBase::getResultData() was removed (deprecated since 1.25)
* ApiBase::makeHelpArrayToString() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsgParameters() was removed (deprecated since 1.25)
* ApiBase::makeHelpMsg() was removed (deprecated since 1.25)
* ApiFormatBase::formatHTML() was removed (deprecated since 1.25)
* ApiFormatBase::getNeedsRawData() was removed (deprecated since 1.25)
* ApiFormatBase::getWantsHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setBufferResult() was removed (deprecated since 1.25)
* ApiFormatBase::setHelp() was removed (deprecated since 1.25)
* ApiFormatBase::setUnescapeAmps() was removed (deprecated since 1.25)
* ApiMain::makeHelpMsgHeader() was removed (deprecated since 1.25)
* ApiMain::reallyMakeHelpMsg() was removed (deprecated since 1.25)
* ApiMain::setHelp() was removed (deprecated since 1.25)
* ApiResult::beginContinuation() was removed (deprecated since 1.25)
* ApiResult::cleanUpUTF8() was removed (deprecated since 1.25)
* ApiResult::convertStatusToArray() was removed (deprecated since 1.25)
* ApiResult::disableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::enableSizeCheck() was removed (deprecated since 1.24)
* ApiResult::endContinuation() was removed (deprecated since 1.25)
* ApiResult::getData() was removed (deprecated since 1.25)
* ApiResult::getIsRawMode() was removed (deprecated since 1.25)
* ApiResult::setContent() was removed (deprecated since 1.25)
* ApiResult::setContinueParam() was removed (deprecated since 1.25)
* ApiResult::setElement() was removed (deprecated since 1.25)
* ApiResult::setGeneratorContinueParam() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_internal() was removed (deprecated since 1.25)
* ApiResult::setIndexedTagName_recursive() was removed (deprecated since 1.25)
* ApiResult::setMainForContinuation() was removed (deprecated since 1.25)
* ApiResult::setParsedLimit() was removed (deprecated since 1.25)
* ApiResult::setRawMode() was removed (deprecated since 1.25)
* ApiResult::size() was removed (deprecated since 1.25)
* Added new hooks, 'ApiQueryBaseBeforeQuery', 'ApiQueryBaseAfterQuery', and
  'ApiQueryBaseProcessRow', to make it easier for extensions to add 'prop' and
  'show' parameters to existing API query modules. A query module can enable
  these hooks by passing an array for $hookData to ApiQueryBase::select() and
  by calling ApiQueryBase->processRow() before adding a row's data to the
  result.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
  their values out of the logs.

=== Languages updated in 1.28 ===

MediaWiki supports over 375 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T137411) ban (Balinese), thanks to translators Adi Mayndra, Andru,
  BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
* (T135867) shn (Shan), thanks to translators Khun Sar, Piangpha,
  Saiddzone Saimawnkham, Saosukham, and Sengwan.
* Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
* (T146744) Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.

=== Other changes in 1.28 ===
* (T128697) Improved handling of large diffs.
* [BREAKING CHANGE] $wgExtendedLoginCookies has been removed. You can
  use or update a custom session provider if needed.
* Deprecated APIEditBeforeSave hook in favor of EditFilterMergedContent.
* The 'UploadVerification' hook is deprecated. Use 'UploadVerifyFile' instead.
* SiteConfiguration::isLocalVHost() was removed (deprecated since 1.25).
* The 'UserLoginComplete' hook has a new parameter to differentiate between actual
  login and visiting the login page while already logged in.
* ResourceLoader::makeLoaderURL() was removed (deprecated since 1.24).
* $.fn.liveAndTestAtStart was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyPrefix was removed (deprecated since 1.24).
* mw.util.tooltipAccessKeyRegexp was removed (deprecated since 1.24).
* Linker::link() and Linker::linkKnown() were deprecated; please instead use
  MediaWiki\Linker\LinkRenderer. In addition, the LinkBegin and LinkEnd hooks
  were replaced by HtmlPageLinkRendererBegin and HtmlPageLinkRendererEnd
  respectively. See docs/hooks.txt for the specific changes needed for those hooks.
* Linker::formatSize() was deprecated. Use Language::formatSize() directly.
* Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
  * Skin::commentBlock() (use Linker::commentBlock() instead)
  * Skin::generateRollback() (use Linker::generateRollback() instead)
  * Skin::link() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::linkKnown() (use MediaWiki\Linker\LinkRenderer instead)
  * Skin::userLink() (use Linker::userLink() instead)
  * Skin::userToolLinks() (use Linker::userToolLinks() instead)
* Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is
  disabled.
* DifferenceEngine::generateDiffBody() was removed (deprecated since 1.21).
* UploadBase::stashFileGetKey() and UploadBase::stashSession() were deprecated.
  Use ...->stashFile()->getFileKey() instead.
* "Public domain" was removed as a wiki license option from the installer, in
  favour of CC-0.
* AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
  on requests needed by primary providers even if all primaries need them.
  Primary providers are discouraged from returning multiple REQUIRED requests.
* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
  will no longer be automatically infused. You should call `OO.ui.infuse()`
  on them yourself from your JavaScript code.
* parserTests.php has moved to tests/parser/parserTests.php
* The command line options specific to parser tests have been removed from
  phpunit.php: --regex and --keep-uploads. Instead of --regex, use --filter.
  Instead of --keep-uploads, use the same option to parserTests.php, but you
  must specify a directory with --upload-dir.
* The 'jquery.arrowSteps' ResourceLoader module is now deprecated.
* IP::isConfiguredProxy() and IP::isTrustedProxy() were removed. Callers should
  migrate to using the same functions on a ProxyLookup instance, obtainable from
  MediaWikiServices.
* The ArticleAfterFetchContent, ArticleInsertComplete, ArticleSave, ArticleSaveComplete,
  ArticleViewCustom, EditFilterMerged, EditPageGetDiffText, EditPageGetPreviewText and
  ShowRawCssJs hooks will now emit deprecation warnings if used.
* (T68404) CSS3 attr() function with url type is no longer allowed
  in inline styles.
* Database::getSearchEngine() is deprecated, use SearchEngineFactory::getSearchEngineClass
  instead.

== MediaWiki 1.27.5 ==
	
This is a security and maintenance release of the MediaWiki 1.27 branch.