MediaWiki Changelog

New in version 1.22.2 (January 29th, 2014)

  • (bug 58253) Check for very old PCRE versions in installer and updater
  • (bug 60054) Make WikiPage::$mPreparedEdit public

New in version 1.22.1 (January 28th, 2014)

  • Security fixes:
  • MediaWiki user Michael M reported that the fix for bug 55332 (CVE-2013-4568) allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS. (CVE-2013-6451)
  • Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lead to XSS when an XSL was used to include JavaScript. (CVE-2013-6452)
  • During internal review, it was discovered that MediaWiki's SVG sanitization could be bypassed when the XML was considered invalid. (CVE-2013-6453)
  • During internal review, it was discovered that MediaWiki's CSS sanitization did not filter -o-link attributes, which could be used to execute JavaScript in Opera 12. (CVE-2013-6454)
  • During internal review, it was discovered that MediaWiki displayed some information about deleted pages in the log API, enhanced RecentChanges, and user watchlists. (CVE-2013-6472)
  • Additionally, the following extensions have been updated to fix security issues:
  • TimedMediaHandler: Bawolff discovered an XSS vulnerability with the way the extension stored and used HTML for showing videos. (CVE-2013-4574)
  • Scribunto: Internal review found a NULL pointer dereference in php-luasandbox, which could be used for DoS attacks. (CVE-2013-4570)
  • Scribunto: Internal review found a buffer overflow in php-luasandbox. It's not known if this could be used for code execution on the server. (CVE-2013-4571)
  • CentralAuth: Eran Roz reported that MediaWiki usernames could be leaked to other websites. JavaScript returned for CentralAuth's login would update the page DOM with the username, even when included on other sites. (CVE-2013-6455)
  • SemanticForms: Ravindra Singh Rathore reported a missing CSRF check to Mozilla, who reported the issue to us. Several other forms in the extension were also fixed.
  • Bug fixes:
  • (bug 59945) 1.22 tarball offers Extension SimpleAntiSpam which is supposed to be in core.
  • (bug 58178) Restore compatibility with curl < 7.16.2.
  • (bug 56931) Updated the plural rules to CLDR 24. They are in new format which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the JavaScript evaluator were updated to support the new format. Plural rules for some languages have changed, most notably Russian. Affected software messages have been updated and marked for review at This change is backported from the development branch of MediaWiki 1.23.
  • (bug 58434) The broken installer for database backend Oracle was fixed.
  • (bug 58167) The web installer no longer throws an exception when PHP is compiled without support for MySQL yet with support for another DBMS.
  • (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
  • (bug 47055) Changed FOR UPDATE handling in PostgreSQL.

New in version 1.22.0 (December 11th, 2013)

  • Anti-spam and countervandalism improvements
  • Editing improvements
  • Upgrades to Vector and other skins
  • Support for Composer
  • Several ancient skins removed
  • Blank system messages must be deleted
  • Protection rights usage has changed
  • Special:Disambiguations has been removed
  • Bundled extensions: SimpleAntiSpam

New in version 1.21.2 (September 13th, 2013)

  • This is a security and maintenance release of the 1.21 branch.
  • It fixes extension detection with 2 .'s.
  • Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed.
  • This release sanitizes ResourceLoader exception messages.
  • It will purge upstream caches when deleting file assets.
  • The unit test suite now runs the AutoLoader tests.
  • The autoloading entry for the PageORMTableForTesting class has also been fixed, though it had no impact.

New in version 1.21.0 (May 29th, 2013)

  • Clearer email notifications:
  • Bug 14901, "Email notification mistakes log action for new page creation", the third most reported open MediaWiki bug, has been fixed. Consequently, notifications now state clearly what action was performed on the watched pages in case they are created, deleted, restored, moved or changed.
  • There are still some known issues. If you customised MediaWiki:Enotif body on your wiki, you have to delete or update it; see also full documentation.
  • Skin:
  • The CologneBlue skin has been refactored to make it relevant again, more compatible with existing scripts, and more similar in structure to Vector and Monobook, reusing a lot of existing code.
  • The only major difference for end-users should be a slight reordering of the sidebar menu (the "Context" submenu was removed and its contents merged into other ones). If you were, however, depending on the exact HTML it used to produce, you'll need to review your tools.
  • ContentHandler:
  • As part of the Wikidata initiative, 1.21 adopts an extensible framework ("ContentHandler") so that pages can contain something other than wikitext.
  • Right now, built-in content types are limited to
  • wikitext - wikitext, as usual
  • javascript - user-provided JavaScript code
  • css - user-provided CSS code
  • text - plain text
  • Extension developers can create additional content types. Extension:EventLogging uses ContentHandler to implement a namespace for JSON schemas, and may be used as a reference. Other extensions, such as Scribunto, also make use of the new functionality.
  • ContentHandler affects diff rendering, handling of CSS and JavaScript pages, import/export, and the API.
  • Support for high DPI displays:
  • MediaWiki now tries to deliver higher-res images to high pixel density screens such as Apple Retina Displays (see gerrit change 24115 for details). This is a work-in-progress, so normal-resolution images may still appear in some places and in some browser versions. Administrators may need to watch out for higher load on their image scaling software.
  • Ajax patrolling:
  • (bug 7851) The features users have waited for longest: one-click Ajax patrolling. With this new feature, users can mark revisions or pages as having been "patrolled" with a single click while staying on the current page.
  • Internationalization:
  • (bug 24156) The general logging framework was made completely localisable at last. The logging for each action (whether in core or extensions) might still need to be updated to use the new system, though.
  • (bug 40367) MediaWiki:Contributions now reflects the gender of the user.
  • New accounts:
  • (bug 22457) It's now easier to create accounts for other users by sending a temporary password via e-mail: Special:CreateAccount now shows a checkbox for logged-in users to use this feature, rather than a button.
  • Account API: bots and other scripts can now use the API to create user accounts, rather than attempting to pseudo-submit the HTML form.
  • Account creation welcome:
  • The MediaWiki:welcomecreation message was split up into MediaWiki:welcomeuser and MediaWiki:welcomecreation-msg so users no longer see "Login successful" when creating their accounts (bug 42215). If you customized the former message and want to preserve your customization, you'll have to modify the new messages accordingly.
  • More wikitext now supported in JavaScript messages:
  • The jqueryMsg parser now supports wikilinks and int: transclusion. For more details, see Manual:Messages API.
  • Using semantic headings for the navigation menu:
  • The previous scheme of using (varying per skin) , and/or tags (with nothing apart from the main above them in the hierarchy) was changed to consistently using a above the entire navigation and s as portlet headings in all skins.
  • The is hidden for normal browsers, but accessible for screen-readers or text browsers.
  • While this change is minor, it might require similarly minor updates in any customized CSS or JS (or in screen scrapers).
  • Extended collation support:
  • UCA-based category collations for 68 languages based in Latin, Greek and Cyrillic alphabets are now supported. You can use them by setting $wgCategoryCollation = 'uca-', where is the appropriate language code.
  • Bundled extensions:
  • Newly bundled for 1.21 (bug 43815):
  • Cite
  • ImageMap
  • Interwiki
  • Title Blacklist
  • SpamBlacklist
  • Poem
  • InputBox
  • LocalisationUpdate
  • SyntaxHighlight GeSHi

New in version 1.19.2 (October 26th, 2012)

  • This is a security release of the MediaWiki 1.19 branch

New in version 1.15.2 (March 10th, 2010)

  • This is a security and maintenance release.
  • MediaWiki is now using a "continuous integration" development model with quarterly snapshot releases. The latest development code is always kept "ready to run", and in fact runs our own sites on Wikipedia.
  • Release branches will continue to receive security updates for about a year from first release, but nonessential bugfixes and feature developments will be made on the development trunk and appear in the next quarterly release.
  • Those wishing to use the latest code instead of a branch release can obtain it from source control:

New in version 1.15.1 (January 28th, 2010)

  • Fixed fatal errors for unusual file repository configurations, such as ForeignAPIRepo.
  • Fixed the "change password" link on Special:Preferences to have the correct returnto parameter.

New in version 1.13.3 (December 15th, 2008)

  • XSS and CSRF vulnerabilities were fixed.