PmWiki 2.3.23

7 May 2023

PmWiki version 2.3.23 is now available.

Upgrading to PmWiki 2.3.23

What's New in PmWiki 2.3.23

• This version implements session tokens to prevent potential cross-site request forgery vulnerabilities, suggested by Dominique Faure. Most core actions that modify pages or files should have this enabled and should work like before.
  
• This new feature can be disabled by setting these variables in config.php: $EnablePmToken = 0; # edit, upload, attributes, approveurls; $PmFormEnablePmToken = 0; # PmForm
  
• Some installations might encounter the error message "Token invalid or missing". These can include custom edit forms, automated scripts posting to the wiki, AJAX posting text or uploads used by some recipes, or partial upgrades where some core scripts haven't been updated. Most of these should be easy to update -- please report such cases to us -- otherwise you may selectively disable the feature.
  
• A form element (:input pmtoken:) was added, and the helper function pmtoken() was documented to make it easy for custom forms and recipes to use this new feature.
  
• The version also includes a minor code refactoring, a bug fix, and the documentation was updated.
  

• This version adds to the core the Cookbook:PmForm recipe (script and templates), not enabled by default. This is in order to reduce my workload, and future updates to PmForm will be made only in the core version.
  
• If you already use PmForm, you can enable the core script, by modifying your include_once() call from "cookbook/pmform.php" to "scripts/pmform.php". Your existing templates and configuration should continue to work.
  
• A bug was fixed with PageLists with multiple category=+A,+B categories. Input forms and buttons can now be configured to ask for confirmation before they are submitted. A few updates for recent PHP versions, and other minor improvements, and the documentation was updated.