PmWiki 2.3.15
21 November 2022
PmWiki version 2.3.15 is now available (security release).
Upgrading to PmWiki 2.3.15
PmWiki 2.3.15 can be installed, or an existing install upgraded to it, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply PmWiki updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing PmWiki install and test the 2.3.15 upgrade before applying it live. Get started managing your PmWiki installations with Installatron.
What's New in PmWiki 2.3.15
Security
- Closed a potential XSS vulnerability discovered today. Your wiki may be at risk if untrusted people can edit your pages.
Bug Fixes and Changes
- HTTP headers: CSP updated, XSSP added. Both can be disabled or modified by changing the $HTTPHeaders values.
- Cookies: Added a new variable $CookieSameSite, defaulting to 'Lax' per current browser defaults and expectations. Updated pmsetcookie() with a new argument $samesite, and refactored it to work with both old and current PHP versions. Added the function pm_session_start() as a replacement for session_start() that respects the local preferences ($CookieSameSite, $EnableCookieSecure, $EnableCookieHTTPOnly).
- PmSyntax: A new CSS variable --pmsyntax-fontsize-editform allows setting the font size of the edit form separately from that of highlighted elements in the documentation. Fixed a bug where the [[Highlight]] label could change fonts when clicked.
- Responsive skin: The font size for "pre" and "code" elements is now scalable/relative to the paragraph font size rather than fixed. This works better in headings or small text blocks.
- GUI edit buttons: Part of these functions was rewritten to avoid 'unsafe-inline' JavaScript. While the default and most custom buttons should work without change, you should no longer need to URL-encode characters like % or add backslashes. If you have such buttons, you may need to update their declarations to strip the extra backslashes.
- WikiStyles: Refactored to move all inline WikiStyles to the $HTMLStylesFmt array in the header of the HTML page.
- Tables and block markup: Replaced inline style="..." attributes with class names.
- The function PrintFmt() was refactored to process skin parts, skin functions, markup, and wiki pages before sending the HTTP and HTML headers. This allows WikiStyles and recipes used in sidebars and footers to add their configuration to the headers.
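The cookie and header items above (the new $CookieSameSite default, the Secure/HttpOnly preferences honoured by pm_session_start(), the updated CSP, and the move away from 'unsafe-inline' JavaScript) are easiest to verify from the outside, by looking at what the wiki actually sends after the upgrade. The following is an added example and not PmWiki code: a small stdlib-only Python checker that parses raw response header lines and reports cookies missing SameSite, Secure or HttpOnly, a missing CSP, a CSP that still allows inline scripts, or one without frame-ancestors. The header lines embedded in it are constructed for illustration (the cookie names and the policy string are not PmWiki's real values); in practice you would feed it the headers captured with your browser's developer tools or a curl -I request to the wiki.

```python
"""Audit HTTP response headers for the protections described in the
PmWiki 2.3.15 notes: SameSite/Secure/HttpOnly cookie attributes and a
Content-Security-Policy that does not permit inline scripts.

Added example, not PmWiki code. SAMPLE_HEADERS is a constructed sample;
the real headers depend on the wiki's local configuration.
"""

# Constructed sample of raw response header lines (not a real capture).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'",
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax",
    "Set-Cookie: wikiprefs=1; Path=/; SameSite=Lax",
]


def parse_headers(lines):
    """Return (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in lines:
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure
    return name, attrs


def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_cookie(name, attrs, https=True):
    """Return findings for one cookie; an empty list means it passes."""
    findings = []
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite missing or None")
    if https and "secure" not in attrs:  # Secure only matters on HTTPS sites
        findings.append(f"{name}: Secure flag missing")
    if "httponly" not in attrs:
        findings.append(f"{name}: HttpOnly flag missing")
    return findings


def check_csp(directives):
    """Return findings for the parsed CSP; an empty list means it passes."""
    if not directives:
        return ["Content-Security-Policy header missing"]
    findings = []
    # script-src falls back to default-src when it is not set explicitly.
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in [s.lower() for s in script_src]:
        findings.append("CSP allows inline scripts ('unsafe-inline')")
    if "frame-ancestors" not in directives:
        findings.append("CSP has no frame-ancestors directive")
    return findings


def audit(lines, https=True):
    """Run every check over raw header lines and return the findings in order."""
    findings = []
    csp = {}
    for name, value in parse_headers(lines):
        if name == "set-cookie":
            cookie_name, attrs = parse_set_cookie(value)
            findings += check_cookie(cookie_name, attrs, https=https)
        elif name == "content-security-policy":
            csp = parse_csp(value)
    findings += check_csp(csp)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Run against the constructed sample it reports three findings: the session cookie lacks Secure, and the preferences cookie lacks both Secure and HttpOnly, which is what you would expect from a wiki served over HTTPS that has not yet set $EnableCookieSecure and $EnableCookieHTTPOnly. The CSP passes because script-src is limited to 'self'; a policy that still carried 'unsafe-inline' for scripts would undo the benefit of the GUI edit button rewrite described above.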