RELEASE-NOTES-1.23
Security reminder: MediaWiki does not require PHP's register_globals. If you
have it on, turn it '''off''' if you can.
== MediaWiki 1.23.17 ==
=== Changes since 1.23.16 ===
* Fix syntax errors introduced in 1.23.16 when running PHP 5.3.
== MediaWiki 1.23.16 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.15 ===
* (T68404) CSS3 attr() function with url type is no longer allowed
in inline styles.
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Submitting the lgtoken and lgpassword parameters in the query string to
action=login is now deprecated and outputs a warning. They should be submitted
in the POST body instead.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
== MediaWiki 1.23.15 ==
This is a maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.14 ===
* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
made by MediaWiki via a proxy. Relying on the http_proxy environment
variable is no longer supported.
* (T139565) SECURITY: API: Generate head items in the context of the given title
* (T137264) SECURITY: XSS in unclosed internal links
* (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
* (T133147) SECURITY: Require login to preview user CSS pages
* (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is
the top file
* (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in
permissions
* (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
* (T115333) SECURITY: Check read permission when loading page content in ApiParse
* Remove support for $wgWellFormedXml = false, all output is now well formed
== MediaWiki 1.23.13 ==
This is a maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.12 ===
* (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.
* (T122056) Old tokens are remaining valid within a new session
* (T127114) Login throttle can be tricked using non-canonicalized usernames
* (T123653) Cross-domain policy regexp is too narrow
* (T123071) Incorrectly identifying http link in a's href attributes, due to
m modifier in regex
* (T129506) MediaWiki:Gadget-popups.js isn't renderable
* (T125283) Users occasionally logged in as different users after
SessionManager deployment
* (T103239) Patrol allows click catching and patrolling of any page
* (T122807) [tracking] Check php crypto primitives
* (T98313) Graphs can leak tokens, leading to CSRF
* (T130947) Diff generation should use PoolCounter
* (T133507) Careless use of $wgExternalLinkTarget is insecure
* (T132874) API action=move is not rate limited
* (T110143) strip markers can be used to get around html attribute escaping in
(many?) parser tags
* (T126685) Globally throttle password attempts
== MediaWiki 1.23.12 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.11 ===
* (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that do not begin with a slash. This enabled trivial XSS attacks.
Configuration values such as "http://my.wiki.com/wiki/$1" are fine, as are
"/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an
error.
* (T119309) SECURITY: Use hash_compare() for edit token comparison
* (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with '@' as file uploads
* (T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer be shorter than $wgMinimalPasswordLength
* (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
* (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and related pages no longer use HTTP redirects and are now redirected by
MediaWiki
== MediaWiki 1.23.11 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.10 ===
* (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
* (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
* (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails
== MediaWiki 1.23.10 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.9 ===
* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on
Special:DeletedContributions
* (bug 67644) Make AutoLoaderTest handle namespaces
* (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only
policy of Wikimedia Commons.
== MediaWiki 1.23.9 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.8 ===
* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
to prevent various DoS attacks.
* (T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce
likelihood of DoS.
* (T88310) SECURITY: Always expand XML entities when checking SVGs.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
prevent XSS and protect viewer's privacy.
* (bug T68650) Fix indexing of moved pages with PostgreSQL. Requires running
update.php to fix.
* (bug T70087) Fix Special:ActiveUsers page for installations using
PostgreSQL.
== MediaWiki 1.23.8 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.7 ===
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
could lead to XSS. Permission to edit MediaWiki namespace is required to
exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
$wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
part of its name.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
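The origin-matching flaw described for T77028 above, shown as an added example (not MediaWiki's own code): a $wgCrossSiteAJAXdomains wildcard compiled to a regex without anchors accepts any origin that merely contains an allowed domain, while the anchored form requires the whole origin to match. Function names and sample origins are constructed for illustration.

```php
<?php
// Added illustration, not MediaWiki source code. Function names and the sample
// origins are constructed; '*' (any run of characters) and '?' (one character)
// are the wildcards accepted in $wgCrossSiteAJAXdomains entries.

/** Turn a domain wildcard into a regex fragment, escaping everything else. */
function wildcardToRegexBody( string $wildcard ): string {
	$quoted = preg_quote( $wildcard, '/' );
	return str_replace( [ '\*', '\?' ], [ '.*?', '.' ], $quoted );
}

/** Weak form: no anchors, so a match anywhere inside the origin is accepted. */
function matchesUnanchored( string $origin, string $wildcard ): bool {
	$re = '/https?:\/\/' . wildcardToRegexBody( $wildcard ) . '/';
	return preg_match( $re, $origin ) === 1;
}

/** Corrected form: the entire origin must match, from scheme to end of host. */
function matchesAnchored( string $origin, string $wildcard ): bool {
	// 'D' keeps '$' from matching before a trailing newline.
	$re = '/^https?:\/\/' . wildcardToRegexBody( $wildcard ) . '$/D';
	return preg_match( $re, $origin ) === 1;
}

/** Decide whether an Origin header value is covered by the allow-list. */
function originAllowed( string $origin, array $allowed, callable $matcher ): bool {
	foreach ( $allowed as $wildcard ) {
		if ( $matcher( $origin, $wildcard ) ) {
			return true;
		}
	}
	return false;
}

// Constructed allow-list and Origin header values.
$allowed = [ '*.example.org', 'wiki.example.net' ];
$origins = [
	'https://en.example.org',                 // legitimate subdomain
	'http://wiki.example.net',                // legitimate exact host
	'https://en.example.org.attacker.test',   // allowed name used as a prefix
	'https://wiki.example.net.attacker.test', // same trick against the exact host
	'https://attacker.test',                  // unrelated origin
];

foreach ( $origins as $origin ) {
	printf(
		"%-42s unanchored=%-5s anchored=%s\n",
		$origin,
		var_export( originAllowed( $origin, $allowed, 'matchesUnanchored' ), true ),
		var_export( originAllowed( $origin, $allowed, 'matchesAnchored' ), true )
	);
}
```

When auditing an allow-list of this kind, test it with origins that embed an allowed name as a prefix or substring, not only with unrelated hosts.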
== MediaWiki 1.23.7 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.6 ===
* (bugs 66776, 71478) SECURITY: User PleaseStand reported a way to inject code
into API clients that used format=php to process pages that underwent flash
policy mangling. This was fixed along with improving how the mangling was done
for format=json, and allowing sites to disable the mangling using
$wgMangleFlashPolicy.
* (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update
the content model for a page could allow an unprivileged attacker to edit
another user's common.js under certain circumstances. The user right
"editcontentmodel" was added, and is needed to change a revision's content
model.
* (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw
HTML, it is not safe to preview wikitext coming from an untrusted source such
as a cross-site request. Thus add an edit token to the form, and when raw HTML
is allowed, ensure the token is provided before showing the preview. This
check is not performed on wikis that both allow raw HTML and anonymous
editing, since there are easier ways to exploit that scenario.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
public RFC about the desired functionality. This issue was reported by user
Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a
config option.
* (bug 42723) Added updated version history from 1.19.2 to 1.22.13
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
might be a flash policy directive configurable.
== MediaWiki 1.23.6 ==
This is a maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.5 ===
* (Bug 72274) Job queue not running (HTTP 411) due to missing
Content-Length: header
* (Bug 67440) Allow classes to be registered properly from installer
== MediaWiki 1.23.5 ==
This is a security release of the MediaWiki 1.23 branch.
=== Changes since 1.23.4 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
allowance.
== MediaWiki 1.23.4 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.3 ===
* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
elements; normalize style elements and attributes before filtering; add
checks for attributes that contain css; add unit tests for html5sec and
reported bugs.
* (bug 65998) Make MySQLi work with non-standard socket.
* (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config
settings.
== MediaWiki 1.23.3 ==
This is a maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.2 ===
* (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
* (bug 64970) Fix support for blobs on DatabaseOracle::update.
* (bug 66574) Display MediaWiki:Loginprompt on the login page.
* (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
* (bug 60629) Handle invalid language code gracefully in
Language::fetchLanguageNames.
* (bug 62017) Restore the number of rows shown on Special:Watchlist.
* Check for boolean false result from database query in SqlBagOStuff.
== MediaWiki 1.23.2 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.1 ===
* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used
for loading a new page in JavaScript, instead of relying on the URL in the link
that has been clicked.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
ParserOutput.
* (bug 68313) Preferences: Turn stubthreshold back into a combo box.
* (bug 65214) Fix initSiteStats.php maintenance script.
* (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.
== MediaWiki 1.23.1 ==
This is a security and maintenance release of the MediaWiki 1.23 branch.
=== Changes since 1.23.0 ===
* (bug 65839) SECURITY: Prevent external resources in SVG files.
* (bug 67025) Special:Watchlist: Don't try to render empty row.
* (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
* (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
like only extracting the tail of the file partially or not at all.
* (bug 66182) Removed -x flag on some php files.
== MediaWiki 1.23 ==
MediaWiki 1.23.0 is the stable branch and is recommended for use in production.
MediaWiki 1.23 is a large release that contains many new features and bug
fixes. This is the full list of changes in this version.
Our thanks go to everyone who helped to improve MediaWiki by testing the beta
release and submitting bug reports.
=== Configuration changes in 1.23 ===
* (bug 13250) Restored method for clearing a watchlist in web UI
so that users with large watchlists don't have to perform
contortions to clear them.
* When $wgJobRunRate is higher than zero, jobs are now executed via an
asynchronous HTTP request to a MediaWiki entry point. This may require
increasing the number of server worker threads. $wgRunJobsAsync has been
added to disable this feature if needed, falling back to executing the job
synchronously in the same process.
* $wgDebugLogGroups values may be set to an associative array with a
'destination' key specifying the log destination. The array may also contain
a 'sample' key with a positive integer value N indicating that the log group
should be sampled by dispatching one in every N messages on average. The
sampling is random.
* In addition to the current exception log format, MediaWiki now serializes
exception metadata to JSON and logs it to the 'exception-json' log group.
This makes MediaWiki easier to integrate with log aggregation and analysis
tools.
* $wgSquidServersNoPurge now supports the use of Classless Inter-Domain
Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6
addresses that should be trusted to provide X-Forwarded-For headers.
* Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add
pages I create and files I upload to my watchlist", "Add pages and files I
edit to my watchlist", "Email me when a page or file on my watchlist is
changed") are now enabled by default. In addition new user accounts' personal
and talk pages are now watched by them by default.
* $wgLBFactoryConf: Class names have had underscores removed. The configuration
should be updated if LBFactory_Simple or LBFactory_Multi is configured.
* $wgPasswordSenderName has been removed and is no longer functional. To set a
custom mailer name, the system message 'emailsender' should be modified
(default: "{{SITENAME}}").
* (bug 63269) Email notifications were not correctly handling the
[[MediaWiki:Helppage]] message being set to a full URL (the default).
If you customized [[MediaWiki:Enotif body]] (the text of email notifications),
you'll need to edit it locally to include the URL via the new variable
$HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise
you don't have to do anything.
* $wgDBAhandler was removed as the only class using it was also removed
* The 'max threads' setting was removed from $wgDBservers.
* Support for AdminSettings.php has been completely removed. All configuration
belongs in LocalSettings.php.
* $wgSkipSkin, which has been replaceable by $wgSkipSkins since 2005 (r9249), is
now formally deprecated.
* Removed deprecated $wgDisabledActions as it is hardly used anywhere.
* $wgRateLimitLog has been deprecated and replaced by
$wgDebugLogGroup['ratelimit'].
* $wgLocalInterwikis is an array containing multiple local interwiki prefixes
(interwiki prefixes that point back to the current wiki). This effectively
allows more than one value of $wgLocalInterwiki to be specified and
understood by the parser. The value of $wgLocalInterwiki is automatically
prepended to the start of this array.
* $wgQueryPages has been removed. Query pages should be added using the
wgQueryPages hook.
* $wgHttpOnlyBlacklist has been removed.
* $wgLicenseTerms has been removed as it was unused.
* $wgProfileOnly is now deprecated; set the log file in
$wgDebugLogGroups['profileoutput'] to replace it.
* $wgMaxBacklinksInvalidate was removed; use $wgJobBackoffThrottling instead
* Deprecated ResourceLoaderGetStartupModules hook.
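How a CIDR trust list such as the one $wgSquidServersNoPurge now accepts is typically applied to X-Forwarded-For, as an added example (a general technique, not MediaWiki's own code): an entry in the header is believed only when the hop that reported it falls inside a trusted range. Function names, addresses and the trusted list are constructed for illustration.

```php
<?php
// Added illustration, not MediaWiki source code. Function names, addresses and
// the trusted list are constructed; the list plays the role of
// $wgSquidServersNoPurge with CIDR entries.

/** True if $ip lies inside $cidr (IPv4 or IPv6; a bare address is an exact match). */
function ipInCidr( string $ip, string $cidr ): bool {
	$parts = explode( '/', $cidr, 2 );
	$ipBin = @inet_pton( $ip );
	$netBin = @inet_pton( $parts[0] );
	// Reject unparsable input and IPv4/IPv6 family mismatches.
	if ( $ipBin === false || $netBin === false || strlen( $ipBin ) !== strlen( $netBin ) ) {
		return false;
	}
	$maxBits = strlen( $ipBin ) * 8;
	if ( isset( $parts[1] ) ) {
		// A malformed prefix length must never widen the trusted range.
		if ( !ctype_digit( $parts[1] ) || (int)$parts[1] > $maxBits ) {
			return false;
		}
		$bits = (int)$parts[1];
	} else {
		$bits = $maxBits;
	}
	$fullBytes = intdiv( $bits, 8 );
	$remBits = $bits % 8;
	if ( substr( $ipBin, 0, $fullBytes ) !== substr( $netBin, 0, $fullBytes ) ) {
		return false;
	}
	if ( $remBits === 0 ) {
		return true;
	}
	// Compare only the leading bits of the partially covered byte.
	$mask = ( 0xFF << ( 8 - $remBits ) ) & 0xFF;
	return ( ord( $ipBin[$fullBytes] ) & $mask ) === ( ord( $netBin[$fullBytes] ) & $mask );
}

function isTrustedProxy( string $ip, array $trusted ): bool {
	foreach ( $trusted as $cidr ) {
		if ( ipInCidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Walk X-Forwarded-For from the nearest hop outward and return the first
 * address that was not reported by a trusted proxy.
 */
function resolveClientIp( string $remoteAddr, string $xff, array $trusted ): string {
	$chain = array_values( array_filter( array_map( 'trim', explode( ',', $xff ) ), 'strlen' ) );
	$client = $remoteAddr;
	while ( $chain && isTrustedProxy( $client, $trusted ) ) {
		$candidate = array_pop( $chain );
		if ( filter_var( $candidate, FILTER_VALIDATE_IP ) === false ) {
			break; // unparsable entry: keep the last address we can vouch for
		}
		$client = $candidate;
	}
	return $client;
}

// Constructed trust list and requests: [ REMOTE_ADDR, X-Forwarded-For ].
$trusted = [ '10.0.0.0/8', '2001:db8::/32' ];
$requests = [
	[ '203.0.113.7', '198.51.100.1' ],              // direct, untrusted peer: header ignored
	[ '10.1.2.3', '198.51.100.9, 10.4.0.1' ],       // two trusted hops in front of the client
	[ '10.1.2.3', '192.0.2.66, 198.51.100.9' ],     // client-supplied first entry is not believed
	[ '2001:db8:1::5', '198.51.100.20' ],           // trusted IPv6 proxy
	[ '10.1.2.3', 'not-an-ip' ],                    // garbage header: fall back to the peer
];

foreach ( $requests as [ $remote, $xff ] ) {
	printf( "%-15s XFF=%-28s -> %s\n", $remote, $xff, resolveClientIp( $remote, $xff, $trusted ) );
}
```

Keep the trusted ranges as narrow as the proxy tier allows, since any host inside them can set the client address the wiki records for blocks and rate limits.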
=== New features in 1.23 ===
* ResourceLoader can utilize the Web Storage API to cache modules client-side.
Compared to the browser cache, caching in Web Storage allows ResourceLoader
to be more granular about evicting stale modules from the cache while
retaining the ability to retrieve multiple modules in a single HTTP request.
This capability can be enabled by setting $wgResourceLoaderStorageEnabled to
true. This feature is currently considered experimental and should only be
enabled with care.
* (bug 6092) Add expensive parser functions {{REVISIONID:}}, {{REVISIONUSER:}}
and {{REVISIONTIMESTAMP:}} (with friends).
* Add "wgRelevantUserName" to mw.config containing the current
Skin::getRelevantUser value.
* (bug 56033) Add content model to the page information.
* Added Article::MissingArticleConditions hook to give extensions a chance to
hide their (unrelated) log entries.
* Added LonelyPagesQuery hook to let extensions modify the query used to
generate Special:LonelyPages.
* Added $wgOpenSearchDefaultLimit defining the default number of entries to show
on action=opensearch API call.
* For namespaces with $wgNamespaceProtection (including the MediaWiki
namespace), the "protect" tab will be shown only if there are restriction
levels available that would restrict editing beyond what
$wgNamespaceProtection already applies. The protection form will offer only
those protection levels.
* Added $wgAPIFormatModules, allowing extensions to add additional output
formatting modules for the API.
* (bug 47812) The MediaWiki:Group-user.{css,js} pages can now be used to add
custom CSS or JavaScript enabled only for registered users.
* (bug 52005) Special pages RecentChanges, RecentChangesLinked and Watchlist
now include a legend describing the symbols used in lists of changes.
* Improved the accessibility of the tabs in Special:Preferences.
* Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook:
it's called after everything is set up but before any major processing
happens.
* The jquery.client module now performs a component-wise version comparison in
its #test method when strings are used in the browser map: version '1.10' is
now correctly considered larger than '1.2'. Using numbers in the version map
is not affected.
* All API modules now support an assert parameter, which can either be
'user' or 'bot'. The API will throw an error if the user is not logged
in (user) or does not have the 'bot' userright (bot). Based off of the
AssertEdit extension by Steve Sanbeg.
* [[Special:Diff]] was added, allowing users to create internal links to
revision comparison pages using syntax such as [[Special:Diff/12345]],
[[Special:Diff/12345/prev]] or [[Special:Diff/12345/98765]].
* New user accounts' personal and talk pages are now watched by them by default.
* Added SkinTemplateGetLanguageLink hook to allow changing the html of language
links.
* Added MessageCache::get hook as a new way to customize messages across
multiple sites.
* Added jquery.throttle-debounce ResourceLoader module to limit the number of
callbacks for frequently occurring events.
* Special:ProtectedPages now shows a table. The timestamp, the reason and
the protecting user are also shown.
* Added experimental support for using Microsoft SQL Server as the database
backend.
** Added new Microsoft SQL Server-specific configuration variable
$wgDBWindowsAuthentication, which makes the web server authenticate against
the database server using Integrated Windows Authentication instead of
$wgDBuser/$wgDBpassword.
* HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and
'radio' fields can now use message keys as labels via the 'options-messages'
parameter, which overrides the 'options' parameter.
* Admins can expire users' passwords manually, or on a schedule using the
$wgPasswordExpirationDays configuration setting.
* Add new hook SendWatchlistEmailNotification, this will be used to determine
whether to send a watchlist email notification.
* (bug 42026) Special:Contributions now includes an option to filter page
creations, similar to the topOnly option.
* Add mediawiki.ui.button styling to all pages so wiki content can use styled
buttons.
* Special:UserLogin/signup now does AJAX checks for invalid and taken usernames,
displaying the error live.
* Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
* Support has been added for a JSON based localisation file format. The
installer has been updated to use it.
* Changes to content typography (colors, line-height etc.). See
https://www.mediawiki.org/wiki/Typography_refresh for further information.
* The Vector skin's visual treatment of external links has been simplified to a
single icon (from nine). This should not affect local rules unless they were
re-using these icons, which have now been deleted.
* ResourceLoader: mw.loader.using() now implements a Promise interface.
* Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows.
If called by the ChangesList consumer this gives extensions a chance to batch
process the result set prior to rendering.
* A PoolCounterRedis class was added which can be used in $wgPoolCounterConf.
This requires at least one Redis 2.6+ server.
* $wgProfileToDatabase was removed. Set $wgProfiler to ProfilerSimpleDB
in StartProfiler.php instead of using this.
* (bug 63444) Made it possible to change the indent string (default: 4 spaces)
used by FormatJson::encode().
=== Bug fixes in 1.23 ===
* (bug 41759) The "updated since last visit" markers (on history pages, recent
changes and watchlist) and the talk page message indicator are now correctly
updated when the user is viewing old revisions of pages, instead of always
acting as if the latest revision was being viewed.
* (bug 56443) Special:ConfirmEmail no longer shows a "Mail a confirmation code"
when the email address is already confirmed. Also, consistently use
"confirmed", rather than "authenticated", when messaging whether or not the
user has confirmed an email address.
* (bug 19415) action=render no longer shows section edit links. This affects
behavior of several other features where (bogus) section edit links will
disappear, such as file description pages loaded via $wgUseInstantCommons or
pages transcluded cross-wiki via $wgEnableScaryTranscluding.
* (bug 56912) Show correct link color on cached result of Special:DeadendPages.
* Classes TitleListDependency and TitleDependency have been removed, as they
have been found unused in core and extensions for a long time.
* (bug 57098) SpecialPasswordReset now obeys returnto parameter
* (bug 37812) ResourceLoader will notice when a module's definition changes and
recompile it accordingly.
* (bug 57201) SpecialRecentChangesFilters hook is now executed for feeds.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
to appear blank or with missing text.
* (bug 56931) Updated the plural rules to CLDR 24. They are in new format
which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as
the JavaScript evaluator were updated to support the new format. Plural rules
for some languages have changed, most notably Russian. Affected software
messages have been updated and marked for review at translatewiki.net.
* (bug 23542) imagelinks now stores both the redirect and target (as
templatelinks does).
* (bug 58167) The web installer no longer throws an exception when PHP is
compiled without support for MySQL yet with support for another DBMS.
* (bug 56199) Raw option of parser functions must now match complete word,
to take effect.
* (bug 60543) Special:PrefixIndex forgot stripprefix=1 for "Next page" link
* (bug 29762) Undoing an already-undone edit will now display an appropriate
message instead of leading the user to make a null edit.
* (bug 52659) mediawiki.notification: Notification area remained visible when
empty and thus was stealing pointer events from links on the page.
* (bug 26811) When a DBUnexpectedError occurs, DB server hostnames are now
hidden unless $wgShowExceptionDetails is true, and $wgShowDBErrorBacktrace
no longer applies in such cases.
* (bug 60960) Avoid doing file_exist() checks on data: URIs, as they cause
warnings to be printed on Windows due to large path length.
* (bug 48084) Fixed a bug in the installer that could cause $wgLogo to hold
the wrong path to the placeholder logo (skins/common/images/wiki.png).
* (bug 64289) jquery.textSelection: Don't throw errors on empty collections.
=== Web API changes in 1.23 ===
* (bug 54884) action=parse&prop=categories now indicates hidden and missing
categories.
* action=query&meta=filerepoinfo now returns additional information for each
repo.
* action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in
MediaWiki 1.24.
* action=parse now has disabletoc flag to disable table of contents in output.
* (bug 25702) list=allcategories, list=allimages, list=alllinks, list=allpages,
list=deletedrevs and list=filearchive did not handle case-sensitivity
properly for all parameters.
* ApiQueryBase::titlePartToKey allows an extra parameter that indicates the
namespace in order to properly capitalize the title part.
* (bug 57874) action=feedcontributions no longer has one item more than limit.
* All API modules now support an assert parameter. See the new features section
for more details.
* Added prop=contributors to fetch the list of contributors to the page.
* The following API modules will now return entries where fields have been
revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges,
list=watchlist. "hidden" indicators will be included, in the same style as is
already done for prop=revisions.
* The following API modules will now return the content of revision-deleted
fields, in addition to the "hidden" indicators, if the querying user has the
necessary rights: list=logevents, list=usercontribs, prop=imageinfo,
prop=revisions.
* The above modules, where applicable, will now return entries filtered by
revision-deleted fields if the querying user has the necessary rights. For
example, prop=revisions with rvuser or rvexcludeuser will no longer skip
revisions where the user was revision-deleted if the current user has the
deletedhistory right.
* The 'hideuser' right, used when blocking, is no longer necessary or
sufficient for seeing contributions with revision-deleted in
list=usercontribs.
* list=watchlist now uses the querying user's rights rather than the wlowner's
rights when checking whether wlprop=patrol is allowed.
* (bug 32151) ApiWatch now has pageset capabilities (titles/pageids/generators).
Title parameter is now deprecated.
* (bug 23005) Added action=revisiondelete.
* Added siprop=restrictions to API action=query&meta=siteinfo for querying
possible page restriction (protection) levels and types.
* Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
* (bug 58627) Provide language names on action=parse&prop=langlinks.
* Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
* Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
* prop=redirects is added, to return redirects to the pages in the query.
* list=allredirects is added, to list all redirects pointing to a namespace.
* (bug 42026) Added ucshow={new,!new,top,!top} to list=usercontribs.
Also added newonly to action=feedcontributions.
* (bug 42026) Deprecated uctoponly in favor of ucshow=top.
* list=search no longer has a "srredirects" parameter. Redirects are now
included in all searches.
* Added list=prefixsearch that works like action=opensearch but can be used as
a generator.
* (bug 24782) Various modules will now use unique continuation parameters.
* (bug 63249) Cache RecentChanges Atom feed in varnish for 15 seconds.
=== Languages updated in 1.23 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.
* Support was added for Algerian Spoken Arabic (arq).
* Support was added for Riograndenser Hunsrückisch (hrx).
* Support was added for Northern Luri (lrc).
=== Other changes in 1.23 ===
* The rc_type field in the recentchanges table has been superseded by a new
rc_source field. The rc_source field is a string representation of the
change type where rc_type was a numeric constant. This field is not yet
queried but will be in a future release.
** Utilize update.php to create and populate this new field. On larger wikis
which do not wish to update recentchanges table in one large update please
review the SQL and comments in maintenance/archives/patch-rc_source.sql.
** The rc_type field of recentchanges will be deprecated in a future release.
* The global variable $wgArticle has been removed after a lengthy deprecation.
* The global functions addButton and insertTags (for mw.toolbar.addButton and
mw.toolbar.insertTags) now emit mw.log.warn when accessed.
* The ExpandTemplates extension has been moved into MediaWiki core.
* (bug 52812) Removed "Disable search suggestions" from Preference.
* (bug 52809) Removed "Disable browser page caching" from Preference.
* Three new modules intended for use by custom skins were added:
'mediawiki.skinning.elements', 'mediawiki.skinning.content', and
'mediawiki.skinning.interface', representing three levels of standard
MediaWiki styling. Previously skin creators wishing to use them had to refer
to the file names of appropriate files directly, which is now discouraged.
* The modules 'skins.vector' and 'skins.monobook' have been renamed to
'skins.vector.styles' and 'skins.monobook.styles', respectively,
and their definition was changed not to include the common*.css files;
the two skins now load the 'mediawiki.skinning.interface' module instead.
* A page_links_updated field has been added to the page table.
* SpecialPage::getTitle has been deprecated in favor of
SpecialPage::getPageTitle.
* BREAKING CHANGE: Two potentially backwards-incompatible changes have been made
to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make
the hook more consistent with the 'SpecialRecentChangesQuery' one:
** Several array keys have been renamed: hideMinor → hideminor,
hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu,
hidePatrolled → hidepatrolled, hideOwn → hidemyself.
** The parameter value is now a FormOptions object, not a plain array (array
access operators should continue to work, as it implements the ArrayAccess
interface).
* An option to mark hooks as deprecated has been added.
* (bug 52811) Preference "Enable section editing via [edit] links" was removed.
* (bug 52813) Preference "Show table of contents (for pages with more than
3 headings)" was removed.
* (bug 52810) Preference "Justify paragraphs" was removed.
* OutputPage::showErrorPage raises a notice if arguments are incoherent.
* Thumbnails that keep failing to render in thumb.php will be rate-limited
against further render attempts for 1 hour. $wgAttemptFailureEpoch can be
altered to reset all rate-limited thumbnails at once.
* (bug 56572) Builds of the OOjs and OOjs UI libraries are now available.
* mw.loader.go and mw.loader.version have been removed.
* (bug 52815) Preference "Enable simplified search bar (Vector skin only)"
was removed.
* A user_password_expires column has been added to the user table. The User
object expects this column to exist. Use update.php to create this new field.
* The jquery.delayedBind ResourceLoader module was deprecated in favor of the
jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
* mw.user.bucket has been deprecated.
* On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to
table.mw-prefixindex-list-table to avoid duplicate ids when the special page
is transcluded.
* (bug 62198) window.$j has been deprecated.
* Preference "Disable link title conversion" was removed.
* SpecialRecentChanges no longer includes any functionality for generating feeds
- it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new
ones.
* RecentChange::mExtra['lang'] is no longer set and should no longer be used.
Extensions should read from other configuration variables, including
$wgLocalInterwikis, to identify the current wiki.
* Sections in the parser test framework have been renamed and the old
section names are deprecated. Please use "!!wikitext" and "!!html"
(or "!!html/php") instead of "!!input" and "!!result". This allows
us to extend parser tests to accommodate additional input/output
pairs, such as "!!html/parsoid" (for the output of the Parsoid
parser, where it differs from the PHP parser).
* Special:Search no longer has an "include redirects" option on the advanced
tab. Redirects are now included in all searches.
* mediawiki.api.category's getCategories() 'async' parameter was deprecated.
* The locations of resources have been split between upstream libraries, now in
resources/lib/, local libraries in resources/src/, and local forks of upstream
libraries, also in resources/src/.
* BREAKING CHANGE: The automatically-generated function closure with which
ResourceLoader wraps all modules' JavaScript code now binds the identifier
names 'jQuery' and '$' to the jQuery object of the version of jQuery that is
bundled with MediaWiki. If you bind these names to other objects in global
scope (like Zepto.js or document.querySelectorAll, for example) you will need
to use different names or re-bind them at the top of each
ResourceLoader-loaded module.
* (bug 52342) Preference "Remember my login" was removed.
* The skin autodiscovery mechanism has been deprecated and will be removed in
MediaWiki 1.25. See https://www.mediawiki.org/wiki/Manual:Skin_autodiscovery
for a migration guide for creators and users of custom skins that relied on it.
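Added example, not part of the original release notes and not MediaWiki's own
code: a simplified JavaScript model of the ResourceLoader closure change listed
above ('jQuery' and '$' bound inside every module), showing how a module that
relied on a non-jQuery global '$' is affected and the two remedies the note
names. runWrapped, otherHelper and siteQuery are hypothetical names.

```javascript
// Constructed stand-ins: a fake "bundled jQuery" and a fake third-party helper.
const bundledJQuery = (selector) => ({ lib: 'jquery', selector });
const otherHelper = (selector) => ({ lib: 'other', selector });

// The site binds the global `$` to something other than jQuery (the note
// mentions Zepto.js or document.querySelectorAll as examples).
globalThis.$ = otherHelper;

// Simplified model of the generated wrapper (assumption: the real loader does
// more; only the binding of `$` and `jQuery` is modelled here). Module code
// becomes the body of a closure whose parameters are named `$` and `jQuery`.
function runWrapped(closure) {
  return closure(bundledJQuery, bundledJQuery);
}

// Module written against the global `$`: the parameter shadows the global,
// so the module silently talks to the bundled jQuery instead.
function legacyModule() {
  return runWrapped(function ($, jQuery) {
    return $('#content').lib;
  });
}

// Option 1: expose the other library under a different global name.
globalThis.siteQuery = otherHelper; // hypothetical name
function renamedModule() {
  return runWrapped(function ($, jQuery) {
    return globalThis.siteQuery('#content').lib;
  });
}

// Option 2: re-bind `$` at the top of the module. `var` may redeclare a
// parameter; in a browser `globalThis` is `window`. `jQuery` stays available.
function reboundModule() {
  return runWrapped(function ($, jQuery) {
    var $ = globalThis.$;
    return $('#content').lib + '+' + jQuery('#content').lib;
  });
}

console.log(legacyModule(), renamedModule(), reboundModule());
```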
==== Removed classes ====
* FakeMemCachedClient (deprecated in 1.18)
* RdfMetaData (unused)
* TitleDependency (unused)
* TitleListDependency (unused)
* WikiError (deprecated in 1.17)
* WikiXmlError (deprecated in 1.17)
* WikiErrorMsg (deprecated in 1.17)
==== Renamed classes ====
* CdbReader_DBA to CdbReaderDBA
* CdbReader_PHP to CdbReaderPHP
* CdbWriter_DBA to CdbWriterDBA
* CdbWriter_PHP to CdbWriterPHP
* DiffOp_Add to DiffOpAdd
* DiffOp_Change to DiffOpChange
* DiffOp_Copy to DiffOpCopy
* DiffOp_Delete to DiffOpDelete
* HWLDF_WordAccumulator to HWLDFWordAccumulator
* LBFactory_Fake to LBFactoryFake
* LBFactory_Multi to LBFactoryMulti
* LBFactory_Simple to LBFactorySimple
* LBFactory_Single to LBFactorySingle
* LCStore_Accel to LCStoreAccel
* LCStore_CDB to LCStoreCDB
* LCStore_DB to LCStoreDB
* LCStore_Null to LCStoreNull
* LoadBalancer_Single to LoadBalancerSingle
* LoadMonitor_MySQL to LoadMonitorMySQL
* LoadMonitor_Null to LoadMonitorNull
* LocalisationCache_BulkLoad to LocalisationCacheBulkLoad
* csvStatsOutput to CsvStatsOutput
* extensionLanguages to ExtensionLanguages
* languages to Languages
* statsOutput to StatsOutput
* textStatsOutput to TextStatsOutput
* wikiStatsOutput to WikiStatsOutput
==== Removed methods ====
* ApiBase::getValidNamespaces() (deprecated in 1.17)
* ApiMain::setCachePrivate() (deprecated in 1.17)
* ApiMain::setVaryCookie (deprecated in 1.17)
* Article::doRedirect() (deprecated in 1.18)
* Article::doUnwatch() (deprecated in 1.18)
* Article::doWatch() (deprecated in 1.18)
* Article::forUpdate() (deprecated in 1.18)
* Article::markpatrolled() (deprecated in 1.18)
* Article::unwatch() (deprecated in 1.18)
* Article::watch() (deprecated in 1.18)
* Block::clear() (deprecated in 1.18)
* Block::decodeExpiry() (deprecated in 1.18)
* Block::encodeExpiry() (deprecated in 1.18)
* Block::forUpdate() (deprecated in 1.18)
* Block::infinity() (deprecated in 1.18)
* Block::load() (deprecated in 1.18)
* Block::newFromDB() (deprecated in 1.18)
* Block::normaliseRange() (deprecated in 1.18)
* Block::parseExpiryInput() (deprecated in 1.18)
* CategoryViewer::addSubcategory() (deprecated in 1.17)
* EditPage::spamPage() (deprecated since 1.17)
* Exif::getFormattedData() (deprecated in 1.18)
* Exif::makeFormattedData() (deprecated in 1.18)
* in_string (deprecated in 1.21)
* Language::convertLinkToAllVariants() (deprecated in 1.17)
* LanguageConverter::convertLinkToAllVariants() (deprecated in 1.17)
* Linker::makeBrokenLink() (deprecated in 1.16)
* Linker::makeBrokenLinkObj() (deprecated in 1.16)
* Linker::makeColouredLinkObj() (deprecated in 1.16)
* Linker::makeSizeLinkObj() (deprecated in 1.17)
* MediaWiki::articleFromTitle() (deprecated in 1.18)
* ParserOptions::getkin() (deprecated in 1.18)
* ProfilerSimple::getCpuTime (deprecated in 1.20)
* Revision::revText() (deprecated in 1.17)
* SkinTemplate::jstext() (deprecated in 1.21)
* SpecialPage::__call() (deprecated in 1.17)
* SpecialPage::executePath() (deprecated in 1.18)
* SpecialPage::exists() (deprecated in 1.18)
* SpecialPage::file() (deprecated in 1.18)
* SpecialPage::func() (deprecated in 1.18)
* SpecialPage::getGroup() (deprecated in 1.18)
* SpecialPage::getPage() (deprecated in 1.18)
* SpecialPage::getPageByAlias() (deprecated in 1.18)
* SpecialPage::getLocalNameFor() (deprecated in 1.18)
* SpecialPage::getRegularPages() (deprecated in 1.18)
* SpecialPage::getRestrictedPages() (deprecated in 1.18)
* SpecialPage::getTitleForAlias() (deprecated in 1.18)
* SpecialPage::getUsablePages() (deprecated in 1.18)
* SpecialPage::includable() (deprecated in 1.18)
* SpecialPage::init()
* SpecialPage::initAliasList() (deprecated in 1.18)
* SpecialPage::initList() (deprecated in 1.18)
* SpecialPage::name() (deprecated in 1.18)
* SpecialPage::removePage() (deprecated in 1.18)
* SpecialPage::resolveAlias() (deprecated in 1.18)
* SpecialPage::resolveAliasWithSubpage() (deprecated in 1.18)
* SpecialPage::restriction() (deprecated in 1.18)
* SpecialPage::setGroup() (deprecated in 1.18)
* SpecialRecentChanges::feedSetup()
* SpecialRevisionDelete::extractBitField() (deprecated in 1.22)
* User::getPageRenderingHash() (deprecated in 1.17)
* WebRequest::getFileSize() (deprecated in 1.17)
* WebRequest::isPathInfoBad() (deprecated in 1.17)
* wfGenerateToken (deprecated in 1.20)
* wfStreamFile (deprecated in 1.19)
* wfUILang (deprecated in 1.18)
* WikiPage::createUpdates() (deprecated in 1.18)
* WikiPage::quickEdit() (deprecated in 1.18)
* WikiPage::useParserCache() (deprecated in 1.18)
* WikiPage::viewUpdates() (deprecated in 1.18)
==== Removed globals ====
* $wgBetterDirectionality (deprecated in 1.18)
== Compatibility ==
MediaWiki 1.23 requires PHP 5.3.2 or later.
MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.2 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.23 has several database changes since 1.22, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite a long time (minutes on a medium-sized
site, many hours on a large site).
If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.
If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.
If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to
1.5 first. The upgrade script maintenance/upgrade1_5.php was removed
in MediaWiki 1.21.
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions.
For notes on 1.22.x and older releases, see HISTORY.
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.freenode.net.