PmWiki 2.3.15

21 November 2022

PmWiki version 2.3.15 is now available (security release).

Upgrading to PmWiki 2.3.15

What's New in PmWiki 2.3.15

• Closed a potential XSS vulnerability discovered today. Your wiki may be at risk if untrusted people can edit your pages.
  

• HTTP headers: CSP updated, XSSP added. Both can be disabled or modified by changing the $HTTPHeaders values.
  
• Cookies: Added a new variable $CookieSameSite default to 'Lax' per current browser defaults and expectations. Updated pmsetcookie() added an argument $samesite, and refactored to work with old and current PHP versions. Added function pm_session_start() as a replacement for session_start() with respect for local preferences ($CookieSameSite, $EnableCookieSecure, $EnableCookieHTTPOnly).
  
• PmSyntax: A new CSS variable --pmsyntax-fontsize-editform allows to set the font size of the edit form separately from highlighted elements in the documentation. Fixed the [[Highlight]] label could change fonts when clicked.
  
• Responsive skin: The font size for "pre" and "code" elements is now scalable/relative to the paragraph font size rather than fixed. This works better in headings or small text blocks.
  
• GUI edit buttons: Part of these functions were rewritten to avoid 'unsafe inline' JavaScript. While default and most custom buttons should work without change, you should no longer need to url-encode some characters like % or add backslashes. If you have such buttons, you may need to update their declarations to strip the extra backslashes.
  
• WikiStyles: Refactored to move all inline WikiStyles to the $HTMLStylesFmt array in the header of the HTML page.
  
• Tables and block markup: Replaced inline style="..." attributes with class names.
  
• The function PrintFmt() was refactored to process skin parts, skin functions, markup, and wiki pages, before sending the HTTP and HTML headers. This allows for wikistyles and recipes in sidebars and footers to add their configuration to the headers.