= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it *off* if you can.

== Mediawiki 1.6.9 ==

January 9, 2007

* (bug 6621) Backported German translation for 'eauthentsent'
* (bug 6680) Added localisation for Dutch bookstore list (nl)
* (bug 6730) Clearer usage of message 'titlematch' in German translation (de)
* XSS fix in AJAX module

An XSS injection vulnerability was located in the AJAX support module,
affecting MediaWiki 1.6.x and up when the optional setting $wgUseAjax
is enabled.

There is no danger in the default configuration, with $wgUseAjax off.

If you are using an extension based on the optional AJAX module,
either disable it or upgrade to a version containing the fix:

* 1.9: fixed in 1.9.0rc2
* 1.8: fixed in 1.8.3
* 1.7: fixed in 1.7.2
* 1.6: fixed in 1.6.9


== Mediawiki 1.6.8 ==

July 8, 2006

MediaWiki 1.6.8 is a security and bugfix maintenance release of the
Spring 2006 snapshot:

A potential HTML/JavaScript-injection vulnerability in a debugging script
has been fixed. Only versions and configurations of PHP vulnerable to the
$GLOBALS overwrite vulnerability are affected.

As a workaround for existing installs, profileinfo.php may simply be deleted
if it's not being used.

* (bug 5957) Updates to Hebrew translation (he)
* Respect language directionality when displaying arrow in Special:Brokenredirects
* (bug 6415) Typo in Parser.php
* Fixed potential XSS in profileinfo.php


== Mediawiki 1.6.7 ==

June 6, 2006

MediaWiki 1.6.7 is a security and bugfix maintenance release of the
Spring 2006 snapshot:

An HTML/JavaScript-injection vulnerability in the edit form has been closed.
This vulnerability was new in 1.6.0; MediaWiki versions 1.5.x or earlier are
not affected.

Extensions, comments, and <nowiki> sections are now handled in a one-pass
way which is more reliable and safer. Under earlier versions of MediaWiki,
certain extensions could be abused to inject HTML/JavaScript into the page.

Additional precautions are made against offsite form submissions when
the restricted raw HTML mode is enabled.

Some small localization and user interface updates are also included.

* (bug 6051) Improvement to German localisation (de)
* (bug 6017) Update bookstore list for German language (de)
* (bug 6138) Minor grammar tweak in "loginreqlink"
* (bug 5957) Update for Hebrew language (he)
* Increase robustness of parser placeholders; fixes some glitches when
  adjacent to identifier-ish constructs such as URLs.
* (bug 5384) Fix <!-- comments --> in <ref> extension
* Nesting of different tag extensions and comments should now work more
  consistently and more safely. A cleaner, one-pass tag strip lets the
  'outer' tag either take source (<nowiki>-style) or pass it down to
  further parsing (<ref>-style). There should no longer be surprise
  expansion of foreign extensions inside HTML output, or differences
  in behavior based on the order tags are loaded.
* (bug 885) Pre-save transform no longer silently appends close tags
* Pre-save transform no longer changes the case of close tags
* Edit security precautions in raw HTML mode, etc


== MediaWiki 1.6.6 ==

May 23, 2006

MediaWiki 1.6.6 is a security and bugfix maintenance release.

An XSS injection vector in brace replacement has been fixed, as have some
potential problems with table parsing. Upgrading is strongly recommended
for all users of 1.6. MediaWiki versions 1.5 and earlier are not affected.

Additionally some localization and user interface updates are included.

* Correct "revertpage" message in English
* (bug 5507) Logouttext uses now wiki markup
* (bug 5857, 5957) Update for German localisation (de)
* (bug 5586) <gallery> treated text as links
* (bug 5957) Update for Hebrew language (he)
* (bug 6025) SpecialImport: wrong message when no file selected
* (bug 6015) EditPage: add spacing in the boxes "edit is minor" and "watch this"
* (bug 6018) Userrights: new message when no user specified ('nouserspecified')
* (bug 6055) Fix for HTML/JS injection bug in variable handler (found by Nick Jenkins)
* Reordered wiki table handling and __TOC__ extraction in the parser to better
  handle some overlapping tag cases.
* Only the first __TOC__ is now turned into a TOC.
* (bug 361) URL in URL, they were almost fixed. Now they are.


== MediaWiki 1.6.5 ==

May 2, 2006

* Rolled back the buggy patch for bug 5497

== MediaWiki 1.6.4 ==

May 2, 2006

* Further improvements to Hebrew localisation
* (bug 5544) Fix redirect arrow in Special:Listredirects for right-to-left
  languages
* Replace "doubleredirectsarrow" with a content language check that picks
  the appropriate arrow
* Remove live debugging hack which caused errors with certain database names
* (bug 5510) Warning produced when using {{SUBPAGENAME}} in some namespaces
* (bug 5548) Improvements to Indonesian localisation [patch: Ivan Lanin]
* (bug 5403) Fix Special:Newpages RSS/Atom feeds
* (bug 3359) Add hooks on completion of file upload
* (bug 5184) CSS misapplied to elements in Special:Allmessages due to conflicting
  anchor identifiers
* (bug 5519) Allow sidebar cache to be disabled; disable it by default.
* Add $wgReservedUsernames configuration directive to block account creation/use
* (bug 5576) Remove debugging hack in session check
* (bug 5181) Update "nogomatch" for Slovak
* (bug 5594) Id translation up to '# Login and logout pages' section
* (bug 5536) Use content language for editing help link
* Minor improvements to English language files
* Improvements to German localisation files
* (bug 5628) Translations for MessagesHr.php
* (bug 5595, 5644) Localisation for Bosnian language (bs)
* (bug 5592) Actions are logged with the default language for the
   wiki, not the language of the user performing the operation.
* (bug 5646) Compare for identical types in wfElement()
* Fix for concurrency problem in job queue (image description page invalidation)
* (bug 5497) regeression in HTML normalization in 1.6 (unclosed <li>,<dd>,<dt>)
* (bug 5709) Allow customisation of separator for categories
* (bug 4834) Fix XHTML output when using $wgMaxTocLevel
* Improvements to update scripts; print out the version, check for superuser credentials
  before attempting a connection, and produce a friendlier error if the connection fails
* (bug 5005): Fix XHTML <gallery> output.
* (bug 5315) "Expires: -1" HTTP header made strictly valid (using 1970 date).
* (bug 4825): note in DefaultSettings.php about 'profiling' table creation
* Remove unneeded extra whitespace at top of Special:Categories
* Rewrite reassignEdits script to be more efficient; support optional updates to
  recent changes table; add reporting and silent modes
* Updated initStats maintenance script
* (bug 5723) Don't count pages linked to from the MediaWiki namespace as "wanted"
* (bug 5789) Treat "loginreqpagetext" as wikitext
* (bug 5796) We require MySQL >=4.0.14

== MediaWiki 1.6.3 ==

April 10, 2006

* Fix disappearing red-linked items in the watchlist editing view
* (bug 5512) Spacing in "page has a history" deletion warning
* (bug 5508) Switch ENGINE in table statements back to TYPE; fixes regression
  where some versions of MySQL 4.0.x wouldn't work
* Added note about $wgUrlProtocols format change


== MediaWiki 1.6.2 ==

April 8, 2006

* Further improvements to Hebrew localisation
* Fix 'copyright' message for Romanian
* (bug 5476) Invalid xhtml in German localization
* (bug 5479) Id translation for preferences tabs caption
* (bug 5493) Id translation for special pages
* Additional path fixes in the updater
* (bug 5344) Fix regression that broke slashes in extension tag parameters


== MediaWiki 1.6.1 ==

April 5, 2006

Some minor issues in the 1.6.0 release have been corrected:
* (bug 5458) Fix double-URL encoding in block log link in contribs and contribs
  link in block log
* (bug 5462) Bogus missing patch warning in updater
* (bug 5461) Use of deprecated "showhideminor" in Special:Recentchangeslinked
* PHP warning when allow_call_time_pass_reference is off
* Update to Finnish localization


== MediaWiki 1.6.0 ==

April 5, 2006

MediaWiki is now using a "continuous integration" development model with
quarterly snapshot releases. The latest development code is always kept
"ready to run", and in fact runs our own sites on Wikipedia.

Release branches will continue to receive security updates for about a year
from first release, but nonessential bugfixes and feature development happen
will be made on the development trunk and appear in the next quarterly release.

Those wishing to use the latest code instead of a branch release can obtain
it from source control: http://www.mediawiki.org/wiki/Download_from_SVN


=== What's new in 1.6 ===

User interface:
* The account creation form has been separated from the user login form.
* Page protection/unprotection uses a new, expanded form

Templates:
* Categories and "what links here" now update as expected when adding or
  removing links in a template.
* Template parameters can now have default values, as {{{name|default value}}}

Uploads:
* Optional support for rasterizing SVG images to PNG for inline dislay

Feeds:
* Feed generation upgraded to Atom 1.0
* Diffs in RSS and Atom feeds are now colored for improved readability.

Database:
* MySQL 3.23.x support dropped; 4.0 or later required
* Experimental support for Unicode mode of MySQL 4.1/5.0 (moderately tested)
* Experimental Oracle support (not well tested!)

Anti-spam extension support:
* Spam blacklist extension now has support for automated cleanup:
  http://meta.wikimedia.org/wiki/SpamBlacklist_extension
* Support for a captcha extension to restrict automated spam edits:
  http://meta.wikimedia.org/wiki/ConfirmEdit_extension

Numerous bug fixes and other behind-the-scenes changes have been made;
see the file HISTORY for a complete change list.


== Compatibility ==

Older PHP 4.2 and 4.1 releases are no longer supported; PHP 4 users must
upgrade to 4.3.3 or later.

MediaWiki 1.6 is the last major version to support PHP 4; future versions
will require PHP 5.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade.
At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.


== Upgrading ==

Several changes to the database have been made from 1.5; these are relatively
minor but do require that the update process be run before the new code will
work properly:

* A new "templatelinks" table tracks template inclusions.
* A new "externallinks" table tracks URL links; this can be used by a
  mass spam-cleanup tool in the SpamBlacklist extension.
* A new "jobs" table stores a queue of pages to update in the background; this
  is used to update links in including pages when templates are edited.

To ensure that these tables are filled with data, run refreshLinks.php after
the upgrade.

The format of the $wgUrlProtocols has changed from 1.5; it is now an array
instead of a regular expression string. If you have customized this setting
you will need to change it or external links will not work properly. See
includes/DefaultSettings.php for the updated format.


If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.



=== Caveats ===

Some output, particularly involving user-supplied inline HTML, may not
produce 100% valid or well-formed XHTML output. Testers are welcome to
set $wgMimeType = "application/xhtml+xml"; to test for remaining problem
cases, but this is not recommended on live sites. (This must be set for
MathML to display properly in Mozilla.)


For notes on 1.5.x and older releases, see HISTORY.


=== Online documentation ===

Documentation for both end-users and site administrators is currently being
built up on Meta-Wikipedia, and is covered under the GNU Free Documentation
License:

  http://www.mediawiki.org/wiki/Documentation


=== Mailing list ===

A MediaWiki-l mailing list has been set up distinct from the Wikipedia
wikitech-l list:

  http://mail.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

  http://mail.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.


=== IRC help ===

There's usually someone online in #mediawiki on irc.freenode.net
