MediaWiki 1.35.0
5 October 2020
MediaWiki version 1.35.0 is now available (major release).
Upgrading to MediaWiki 1.35.0
MediaWiki 1.35.0 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.35.0 upgrade prior to applying it live.
What's New in MediaWiki 1.35.0
Security
- Unescaped message used in HTML on Special:Contributions.
- Unescaped message used in HTML within LogEventsList.
- Prevent invoking firejail's --output functionality.
- mediawiki.jqueryMsg: Sanitize URLs and 'style' attribute.
- mediawiki.js: Escape HTML in mw.message( ... ).parse().
- ActorMigration: Load user from the correct database.
- Ensure actor ID from correct wiki is used.
- User::pingLimiter: add user-global rate limit type.
Changes and Bug Fixes
- Remove checks for ancient ImageMagick versions in BitmapHandler.
- Don't include null page ids in query list for category dumps.
- Check existing watchitem when saving action=watch.
- Correct success messages for action=watch.
- mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
- mediawiki.page.ready: Fix skin override config flags, wrong way round.
- Remove requirement for ApiWatchlistTrait to be in ApiBase.
- Watchlist: Fix updateWatchLink removing css class when action=watch.
- mediawiki.notification: Don't close notif when clicking <select> element.
- Sanitizer: Truncate IDs to a reasonable length.
- Parsoid updated to v0.12.0.
- watch.ajax: Add expiry support to watchpage.mw event.
- Fix failure of rebuildLocalisationCache.php due to ResourceLoader hook.
- Hard deprecate File::userCan() with $user=null.
- Use localized success message after watching via action=watch.
- Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
- Installer: consistently reset Language objects.
- Explicitly wrap some XML calls in libxml_disable_entity_loader().
- Ensure dropdown label is always on its own line.
- resourceloader: Use a local HookRunner.
- Have findBadBlobs.php require Maintenance.php rather than cleanupTable.inc.
- Set fake time, to avoid flaky tests.
- Add FindMissingActors script.
- shell: Don't blacklist /run/firejail.
- NewPagesPager: Ignore nonexistent namespaces.
- Update specialPageAliases and magicWords for Egyptian Arabic (arz).
- ParserOutput: don't throw on bad editsection.
- SpecialUserrights: If a viewer lacks `hideuser`, ignore hidden users.
- Add Finnish special page aliases.
- Fix GuzzleHttpRequest request headers.
- Fix description for pruneFileCache.php.
- emptyUserGroup.php: handle more than 5000 users.
- Make ApiSandbox copyable URL absolute.
- Add a link from a deleted page to that page's logs.
- mediawiki.visibleTimeout: Update the nextVisibleTimeoutId value.
- Ensure Parsoid doesn't throw when <ref> is used w/o Cite installed.
- Remove maintenance/createCommonPasswordCdb.php.
- Increase "sites.site_global_key" to varbinary(64).
- Fix shell edge-cases in Windows.
- Drop PHP 7.2 support; require 7.3.19.
- User: enforce pingLimiter() expiry time.
- Rest: Handle Uri constructor exception.
- Fix RequestFromGlobalsTest failing in Travis CI.
- Rest: Use try/catch to handle URIs with embedded colon.
- uuid: Fix filenames on Windows.
- Remove Gruntfile.js and package-lock.json from the tarball.
- firejail: Strengthen by copying from Wikimedia's profile.
- ResourceLoaderOOUIImageModule: loadOOUIDefinition() may return false.
- The installer supports using a Postgres server running on a custom port other than 5432.
- Support private wikis in Parsoid zero configuration mode.
- Fix bad use of `|=` PHP bit operation where `= … ||` bool is intended.
- SpecialBlock: Show error if a block could not be inserted or found.
- UserOptionsManager: fix options reset.
- WatchAction: avoid unnecessary UPDATEs when expiry is unchanged.
- Allow skins to override mediawiki.page.ready initialisation.
- mediawiki.page.ready: Allow skins to disable search lazy load.
- Update language in watchlist expiry.
- Use IPset in MWRestrictions::checkIP.
- Fix race condition on edit page.
- Hide watchlist expiry label in edit form.
- mime: Fix docs of MIME_EXTENSIONS, they're arrays, not space-separated.
- Add application/font-sfnt to MimeMap for ttf files.
- WatchedItemStore: Cache single WatchedItems with preexisting expiry.
- Add a maintenance script to create bot passwords.
- Add Traditional Chinese zh-hant as fallback for Amis (ami).
- Improve wfParseUrl docs.
- Add multi index fields in ImageListPager for unique paginate.
- Guard against 'Widget not found' error.
- Fix RecentChanges watchlist filters when WatchlistExpiry is off.
- Update time period for watchlist expiry pop-up.
- Fix expiry dropdown not getting disabled on edit page.
- Add license information for promise-polyfill.
- Remove executable bit from scripts without shebang.
- Fix bold of watched items on Special:RecentChangesLinked.
- Edit page expiry dropdown should keep state after disabling/enabling.
- Translate expiry period in pop-up message for watchlist expiry.
- Add watchlist clock icon to RecentChanges.
- Permit temporary table writes on replica DB connections.
- Add UI support in Special:EditWatchlist for watchlist expiry.
- Disable wgLegacyJavaScriptGlobals by default.
- Add Edge to MediaWiki:Clearyourcache.
- Add mediawiki.ui Less variable deprecation note.
- Fixed reassignEdits.php to work with anonymous users.
- Fix Circular dependency when creating service in DBLoadBalancerFactory.
- Default to using watchlist expiry of old page when moving pages.