Update Feed

MediaWiki 1.43.6

11 December 2025

MediaWiki version 1.43.6 is now available (security release).

Upgrading to MediaWiki 1.43.6

MediaWiki 1.43.6 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply MediaWiki updates as new versions are released, or use Installatron's Clone feature to duplicate an existing MediaWiki install to test the 1.43.6 upgrade prior to applying it live. Get started managing your MediaWiki installations with Installatron

What's New in MediaWiki 1.43.6

Security

(T401987, T401995) SECURITY: Disable xslt option by default.
(T394396) Revert "SECURITY: Escape rawElement $content".

Bug Fixes and Changes

Localisation updates.
(T394059) DeduplicateStyles: Only transform possible style nodes.
UserGroupManager: Use MainConfigNames::PrivilegedGroups rather than string literal.
(T406391) RemexCompatFormatter: Don't encode HTML entities in raw-text elements.
(T402438) api: Allow ApiResult to override imagerepository key in prop=imageinfo.
ParserOutput: Add default values for JSON deserialization.
(T355853, T407172) Make the login and signup forms wider.
(T292868) Forward-compatibility: allow output flags to be serialized in `OutputFlags`.
ResourceLoader: Update cssjanus/cssjanus to wikimedia/cssjanus.
(T85085) Improve CSS checking in SVG filter.
(T405064) Fix the premature loop exit in Parser.cleanUpTocLine.
(T407289) i18n: deprecate double-underscore magic words which don't start/end with __.
i18n: all behavior switches should start/end with __ (part 2).
(T407289) i18n: Remove deprecated behavior switches without underscores in et/sh-latn/vep.
(T407770) Add symfony/polyfill-php84 and symfony/polyfill-php85.
maintenance/getConfiguration.php: Fix null warning and serialize error.
(T328605) ApiParse: Introduce prop=tocdata as replacement for prop=sections.
(T406283) ApiSandbox: Use POST when we have long URL.
(T410913) SpecialVersion: Fix "Cannot use bool as array" warning.
(T410928) resourceloader: Fix null offset in ClientHtml module sorting.
(T410934) Remove noop xml_parser_free() calls.
(T410920) Language: Prevent passing '' to ord() in ucfirst().
(T410912) Language: Fix "ord(): Providing a string that is not one byte long is deprecated."
(T410912) MessageCache: Fix "ord(): Providing a string that is not one byte long is deprecated."
(T410920) Language: Prevent passing '' to ord() in lcfirst().
(T410963) Upgrade wikimedia/xmp-reader from 0.9.4 to 0.10.2.
(T411016) Upgrading wikimedia/cldr-plural-rule-parser (v2.0.0 => v3.0.0).
(T411075) Api: Initialise reference variable.
(T411018) IndexPager: Set '' as default value for 'order'.
(T410914) Language: Fix PHP 8.5 warnings for NAN/INF string coercion in formatNumInternal.
(T410914) Language: Fix PHP 8.5 warnings for NAN/INF string coercion in parseFormattedNumber.
(T338103, T411214) ApiResult: Fix "ord(): Providing a string that is not one byte long is deprecated."
(T356544) Replace uses of Xml::fieldset(), deprecated since 1.42.
(T393790) htmlform: Fix rendering contents for cloner fields.
(T391882) HTMLFormFieldCloner: Fix multiple bugs related to conditional states.
(T406374) htmlform: Load ooui before infusing field cloner buttons.
(T411199) initEditCount: Fix count for users with no edits.
(T411827) SpecialPageFactory: Handle resolveAlias() returning null in getPage() and exists().
(T411968) Installer: Do not use null as array offset.
Add support for HTTP/3 in MultiHttpClient.
(T295568) mediawiki.jqueryMsg: Support self-closing HTML tags.
(T411968) EditResultBuilder: Do not use null as array offset.