MediaWiki 1.23.17
23 May 2017
MediaWiki version 1.23.17 is now available.
Upgrading to MediaWiki 1.23.17
MediaWiki 1.23.17 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.23.17 upgrade prior to applying it live.
What's New in MediaWiki 1.23.17
MediaWiki 1.23.17:
This is a bug fix release of the MediaWiki 1.23 branch.
MediaWiki 1.23.16:
This is a security and maintenance release of the MediaWiki 1.23 branch.
- CSS3 attr() function with url type is no longer allowed in inline styles.
- $wgRawHtml will no longer apply to internationalization messages.
- Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
- SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
- SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
- SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
- SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
- SECURITY: Escape content model/format url parameter in message.
- SECURITY: SVG filter evasion using default attribute values in DTD declaration.
- SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
- SECURITY: Sysops can undelete pages even though the page is protected against it.
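
For the 1.23.16 deprecation of lgtoken and lgpassword in the query string of action=login, here is an added example (not part of the release notes or MediaWiki's own code) that scans a web server access log for clients still sending those parameters in the URL, where they end up recorded in the log. The combined log format, the sample lines and the function name are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [23/May/2017:10:01:02 +0000] "POST /w/api.php?action=login&lgname=Bot&lgpassword=hunter2&format=json HTTP/1.1" 200 312 "-" "legacy-bot/0.3"
198.51.100.9 - - [23/May/2017:10:01:05 +0000] "POST /w/api.php HTTP/1.1" 200 298 "-" "good-bot/2.1"
203.0.113.4 - - [23/May/2017:10:02:11 +0000] "GET /w/api.php?format=json&lgtoken=abc123&action=login&lgname=Old HTTP/1.1" 200 120 "-" "old-script/1.0"
203.0.113.5 - - [23/May/2017:10:03:00 +0000] "GET /w/api.php?action=query&titles=Main_Page HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Parameters the release notes say belong in the POST body.
SENSITIVE = ("lgpassword", "lgtoken")


def find_query_string_logins(log_text):
    """Return one finding per action=login request that carries a
    sensitive parameter in the URL. Parameter values are never copied
    into the findings, so the report does not repeat the leak."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/api.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("action") != ["login"]:
            continue
        leaked = [name for name in SENSITIVE if name in params]
        if leaked:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"),
                             "ua": m.group("ua"), "leaked": leaked})
    return findings


if __name__ == "__main__":
    for f in find_query_string_logins(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} ua={f['ua']!r} in URL: {', '.join(f['leaked'])}")
```

Accounts that appear in the findings have had a password or login token written to the access log, so those credentials and the log files that hold them need follow-up once the client is moved to the POST body.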