RELEASE-NOTES-1.19

= MediaWiki release notes =

Security reminder: MediaWiki does not require PHP's register_globals
setting since version 1.2.0. If you have it on, turn it '''off''' if you can.

== MediaWiki 1.19.24 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

== Changes since 1.19.23 ==

* (T85848, T71210) SECURITY: Don't parse XMP blocks that contain XML entities,
  to prevent various DoS attacks.
* (T88310) SECURITY: Always expand xml entities when checking SVG's.
* (T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
* (T85855) SECURITY: Don't execute another user's CSS or JS on preview.
* (T85349, T85850, T86711) SECURITY: Multiple issues fixed in SVG filtering to
  prevent XSS and protect viewer's privacy.

== MediaWiki 1.19.23 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.22 ===

* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which
  could lead to xss. Permission to edit MediaWiki namespace is required to
  exploit this.
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Add missing $ in front of variable in OutputPage.php

== MediaWiki 1.19.22 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.21 ===

* (bugs 66776, 71478) SECURITY:  User PleaseStand reported a way to inject code
  into API clients that used format=php to process pages that underwent flash
  policy mangling. This was fixed along with improving how the mangling was done
  for format=json, and allowing sites to disable the mangling using
  $wgMangleFlashPolicy.
* (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with
  DELETED_ACTION. NOTICE: this may be reverted in a future release pending a
  public RFC about the desired functionality. This issue was reported by user
  Bawolff.
* (bug 71621) Make allowing site-wide styles on restricted special pages a
  config option.
* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
  might be a flash policy directive configurable.

== MediaWiki 1.19.21 ==

This is a maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.20 ===

* (bug 67440) Allow classes to be registered properly from installer.
* (bug 47281) Fixed a dumpBackup.php error with --uploads --include-files
  options: Unable to find the wrapper "mwstore".
  System administrators are encouraged to upgrade to this release or 1.22+
  and produce a full data dump.
  https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Backing_up_a_wiki
* (bug 63049) Removed anonymous functions from ApiFormatBase, added in
  1.19.13 as part of the fix for bug 61362, for PHP 5.2 compatibility.

== MediaWiki 1.19.20 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.19 ===
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
  allowance.

== MediaWiki 1.19.19 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.18 ===
* (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style>
  elements; normalize style elements and attributes before filtering; add
  checks for attributes that contain css; add unit tests for html5sec and
  reported bugs.

== MediaWiki 1.19.18 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.17 ===

* (bug 68187) SECURITY: Prepend jsonp callback with comment.
* (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and
  ParserOutput.

== MediaWiki 1.19.17 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.16 ===

* (bug 65839) SECURITY: Prevent external resources in SVG files.
* (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects
  like only extracting the tail of the file partially or not at all.

== MediaWiki 1.19.16 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.15 ===

* (bug 65501) SECURITY: Don't parse usernames as wikitext on
  Special:PasswordReset.

== MediaWiki 1.19.15 ==

This is a maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.14 ===

* Fixed resetting passwords.
* (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages
  to appear blank or with missing text.

== MediaWiki 1.19.14 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.13 ===

* (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
* (bug 62467) Set a title for the context during import on the cli.

== MediaWiki 1.19.13 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.12 ===

* (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.
* Use the correct branch of the extensions' git repositories.

== MediaWiki 1.19.12 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.11 ===

* (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted
  namespaces files. Also disallow iframe elements. User will get an error
  including the namespace name if they use a non- whitelisted namespace.
* (bug 61346) SECURITY: Make token comparison use constant time. It seems like
  our token comparison would be vulnerable to timing attacks. This will take
  constant time.

== MediaWiki 1.19.11 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.10 ===
* (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats

== MediaWiki 1.19.10 ==

This is a security release of the MediaWiki 1.19 branch.

=== Changes since 1.19.9 ===
* (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
* (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
* (bug 58472) SECURITY: Disallow -o-link in styles
* (bug 58553) SECURITY: Return error on invalid XML for SVG Uploads
* (bug 58699) SECURITY: Fix RevDel log entry information leaks

== MediaWiki 1.19.9 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.8 ===
* (bug 53032) SECURITY: Don't cache when a call could autocreate
* (bug 55332) SECURITY: Improve css javascript detection
* (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload
* Translations

== MediaWiki 1.19.8 ==

This is a security and maintenance release of the MediaWiki 1.19 branch.

=== Changes since 1.19.7 ===
* SECURITY: Sanitize ResourceLoader exception messages
* SECURITY: Token-getting functions will fail when using jsonp callbacks.
* SECURITY: Fix extension detection with 2 .'s
* Allow a string other than '*' as condition for DatabaseBase::delete()
* Purge upstream caches when deleting file assets.
* jquery.tablesorter: Add missing dependency on jquery.mwExtension

== MediaWiki 1.19.7 ==

This is a security and maintenance release of the MediaWiki 1.19 branch

=== Changes since 1.19.6 ===
* (bug 48306) SECURITY: Run file validation checks on  chunked uploads, and chunks
  of upload, during the upload process.

== MediaWiki 1.19.6 ==

This is a security and maintenance release of the MediaWiki 1.19 branch

=== Changes since 1.19.5 ===
* (bug 47304) SECURITY: Check SVG xml encoding against whitelist
* (bug 46590) Added AbortChangePassword hook to allow extensions to abort password
  changes from Special:ChangePassword
* Localisation updates from http://translatewiki.net.
* mwdocgen.php: Implement --version option.
* Remove svnstat stuff used in Doxygen generation
* E_USER_DEPRECATED undefined prior to php 5.3

== MediaWiki 1.19.5 ==

This is a security and maintenance release of the MediaWiki 1.19 branch

=== Changes since 1.19.4 ===
* (bug 47251) SECURITY: Disable external entities in Import
* (bug 46859) SECURITY: Disable external entities in XMLReader
* (bug 46084) SECURITY: Sanitize $limitReport before outputting
* (bug 43594) Fix notices displayed on PHP 5.4
* (bug 40585) Don't drop 'step="any"' in HTML input fields.

== MediaWiki 1.19.4 ==

This is a maintenance release of the MediaWiki 1.19 branch

=== Changes since 1.19.3 ===
* New preference type - 'api'. Preferences of this type are not shown on
  Special:Preferences, but are still available via the action=options API.
* (bug 44010) Context is passed to UserGetLanguageObject.
* The recursion guard on RequestContext::getLanguage() was weakened.
* (bug 44135/42441) Pass '2' instead of 'true' to CURLOPT_SSL_VERIFYHOST
* (bug 43518) API action=unblock should return the user name, not the full
  user object

== MediaWiki 1.19.3 ==

This is a security release of the MediaWiki 1.19 branch

=== Changes since 1.19.2 ===
* (bug 40995) Prevent session fixation in Special:UserLogin (CVE-2012-5391)
* (bug 41400) Prevent linker regex from exceeding PCRE backtrack limit
* Increase permitted runtime for testParserTest (only used for continuous
  integration).
* Updated messages translations from http://translatewiki.net/

== MediaWiki 1.19.2 ==
2012-08-30

This is a security release of the MediaWiki 1.19 branch

=== Changes since 1.19.1 ===
* (bug 39700) File: link to non-existing file can inject html
* (bug 35839) Hidden block text leaking to admins
* (bug 39184) LDAP password leakage
* (bug 39180) Disallow framing of api results
* (bug 37587) Enforce language codes to be html safe
* (bug 38333) Check global blocks on account creation

== MediaWiki 1.19 ==

MediaWiki 1.19 is a large release that contains many new features and bug
fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.19 file for the full list of changes in
this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the beta
release and submitting bug reports.

=== Changes since 1.19.1 ===
* (bug 38406) Properly quote table names in DatabaseBase::tableName()

=== Changes since 1.19.0 ===
* (bug 36568) Fixed "Illegal string offset 'LIMIT'" warnings in updater
* (bug 36938) Correctly escape uselang attribute to prevent xss
* Expanded Blacklist for SVG Files

=== Changes since 1.19 beta 2 ===
* Special:Watchlist no longer sets links to feed when the user is anonymous.
* (bug 35961) Hash comparison should always be strict.
* Fix broken email confirmation expiration caused by MWCryptRand changes.
* (bug 35671) PHP Notice: Undefined index: gettoken in includes/api/ApiMain.php
  on line 598.
* (bug 36042) 'show' causes a fatal in blocks API.

=== Changes since 1.19 beta 1 ===
* (bug 35014) Including a special page no longer sets the page's title to the
  included page
* (bug 35019) Edit summaries are no longer transformed in notification e-mails
* (bug 35152) Help message for e-mail is shown again in user preferences
* (bug 34887) $3 and $4 parameters are now substituted correctly in message
  "movepage-moved"
* (bug 34841) Edit links are no longer displayed when display old page versions
* (bug 34889) User name should be normalized on Special:Contributions
* (bug 35051) If heading has a trailing space after == then its name is not
  preloaded into edit summary on section edit
* (bug 31417) New ID mw-content-text around the actual page text, without categories,
  contentSub, ... The same div often also contains the class mw-content-ltr/rtl.
* (bug 35303) Proxy and DNS blacklist blocking works again
* (bug 22555) Remove or skip strip markers from tag hooks like &lt;nowiki&gt; in
  core parser functions which operate on strings, such as padleft.
* (bug 18295) Don't expose strip markers when a tag appears inside a link
  inside a heading.
* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token
  parameter present.
* (bug 34907) Fixed exposure of tokens through load.php that could have facilitated
  CSRF attacks.
* (bug 35317) CSRF in Special:Upload.

=== Configuration changes in 1.19 ===
* Removed SkinTemplateSetupPageCss hook; use BeforePageDisplay instead.
* (bug 27132) movefile right granted by default to registered users.
* Default cookie lifetime ($wgCookieExpiration) is increased to 180 days.
* (bug 31204) Removed old user.user_options.
* $wgMaxImageArea now applies to jpeg files if they are not scaled with
  ImageMagick.
* Introduced $wgQueryPageDefaultLimit (defaults to 50) for the number of
  items to show by default on query pages (special pages such as Whatlinkshere).
* (bug 32470) Increase the length of ug_group.
* (bug 32239) Removed $wgEnableTooltipsAndAccesskeys.
* Removed $wgVectorShowVariantName.
* Removed $wgExtensionAliasesFiles. Use $wgExtensionMessagesFiles.
* Removed $wgResourceLoaderInlinePrivateModules , now always enabled.

=== New features in 1.19 ===
* (bug 19838) Add ability to get all interwiki prefixes also if the interwiki
  cache is used.
* $wgDnsBlacklistUrls now accepts an array with url and key as the
  elements to work with DNSBLs that require keys, such as
  Project Honeypot.
* (bug 30022) Add support for custom loadScript sources to ResourceLoader.
* (bug 19052) Unicode space separator characters (Zs) now terminates external
  links and images links.
* (bug 30160) Add public method to mw.loader to get module names from registry.
* (bug 15558) Parameters to special pages included in wikitext can now be passed
  as with templates.
* Installer now issues a warning if mod_security is present.
* (bug 29455) Add support for a filter callback function in jQuery byteLimit
  plugin.
* Added two new GetLocalURL hooks to better serve extensions working on a
  limited type of titles.
* Added a --no-updates flag to importDump.php that skips updating the links
  tables.
* Most presentational html attributes like valign are now converted to inline
  css style rules. These attributes were removed from html5 and so we clean
  them up when $wgHtml5 is enabled. This can be disabled using
  $wgCleanupPresentationalAttributes.
* Magic words (time and number-formatting ones, plus DIRECTIONMARK, but not
  NAMESPACE) now depend on the page content language instead of the site
  language. In theory this sets the right magic words in system messages,
  although they are not used there.
* (bug 30451) Add page_props to RefreshLinks::deleteLinksFromNonexistent.
* (bug 30450) Clear page_props table on page deletion.
* Hook added to check for exempt from account creation throttle.
* (bug 30344) Add configuration variable for setting custom priorities when
  generating sitemaps.
* (bug 96170) Add array support for space-separated list attributes (like
  'class') in the Html helper class.
* (bug 26470) Add checkered background image on hover on files pages.
* (bug 30774) mediawiki.html: Add support for numbers and booleans in the
  attribute values and element contents.
* Conversion script between Tifinagh and Latin for the Tachelhit language.
* (bug 16755) Add options 'noreplace' and 'noerror' to {{DEFAULTSORT:...}}
  to stop it from replace an already existing default sort, and suppress error.
* (bug 18578) Rewrote revision delete related messages to allow better
  localisation.
* (bug 30364) LanguageConverter now depends on the page content language
  instead of the wiki content language.
* Jump links will now be usable in CSS-capable browsers instead of only
  in outdated text browsers.
* New common*.css files usable by skins instead of having to copy piles
  of generic styles from MonoBook or Vector's css.
* Some deprecated presentational html attributes will now be automatically
  converted to css.
* (bug 31297) Add support for namespaces in Special:RecentChanges subpage filter
  syntax.
* The default user signature now contains a talk link in addition to the user link.
* (bug 25306) Add link of old page title to MediaWiki:Delete_and_move_reason.
* Added hook BitmapHandlerCheckImageArea.
* (bug 30062) Add $wgDBprefix option to cli installer.
* getUserPermissionsErrors and getUserPermissionsErrorsExpensive hooks are now
  also called when checking for 'read' permission.
* Introduce $wgEnableSearchContributorsByIP which controls whether searching
  for an IP address redirects to the contributions list for that IP.
* (bug 8859) Database::update should take array of tables too.
* (bug 19698) Add "Inverse namespaces" option to Special:Contributions.
* (bug 24037) Add byte length of revision to Special:Contributions.
* (bug 1672) Added $wgDisableUploadScriptChecks to allow uploading of files
  containing HTML or JS. DISABLING THESE CHECKS IS VERY DANGEROUS.
* New path mappings can be added using the WebRequestPathInfoRouter hook
  and adding paths to the PathRouter.
* (bug 32666) Special:ActiveUsers now allows a subpage to be used as value for the
  "target" query parameter (eg. Special:ActiveUsers/Username).
* New JavaScript variable wgPageContentLanguage.
* Added new debugging toolbar, enabled with $wgDebugToolbar.
* Differences in the history page now uses slightly better colors for people
  perceiving colors differently.
* (bug 32879) Upgrade jQuery to 1.7.1.
* jQuery UI upgraded to 1.8.17.
* Extensions can use the 'Language::getMessagesFileName' hook to define new
  languages using messages files outside of core.
* (bug 32512) Add 'Associated namespace' checkbox to Special:Contributions.
* Added $wgSend404Code, true by default, which can be set to false to send a
  200 status code instead of 404 for nonexistent articles.
* (bug 33447) Link to the broken image tracking category from Special:Wantedfiles.
* (bug 27724) Add timestamp to job queue.
* (bug 30339) Implement SpecialPage for running javascript tests. Disabled by default, due to
  tests potentially being harmful, not to be run on a production wiki.
  Enable by setting $wgEnableJavaScriptTest to true.
* Extensions can use the RequestContextCreateSkin hook to override what skin is
  loaded in some contexts.
* (bug 33456) Show $wgQueryCacheLimit on cached query pages.
* (bug 10574) Add an option to allow all pages to be exported by Special:Export.
* mediawiki.js Message object constructor is now publicly available as mw.Message.
* (bug 29309) Allow CSS class per tooltip (tipsy).
* (bug 33565) Add accesskey/tooltip to submit buttons on Special:EditWatchlist.
* (bug 17959) Inline rendering/thumbnailing for Gimp XCF images.
* (bug 27775) Namespace has it's own XML tag in the XML dump file.
* (bug 30513) Redirect tag is now resolved in XML dump file.
* sha1 xml tag added to XML dump file.
* (bug 33646) Badtitle error page now emits a 400 HTTP status.
* Special:MovePage now has a dropdown menu for namespaces.
* (bug 34420) Special:Version now shows git HEAD sha1 when available.
* (bug 33952) Refactor mw.toolbar to allow dynamic additions at any time.

=== Bug fixes in 1.19 ===
* $wgUploadNavigationUrl should be used for file redlinks if.
  $wgUploadMissingFileUrl is not set. The first was used for this
  until the second was introduced in 1.17.
* BREAKING CHANGE:  Style rules for wikitable are now more specific and prevent
  inheritance to nested tables which caused various issues (bug 30485 and bug
  33434). If your wiki has overriden rules for ".wikitable", please revise them and
  adjust where neccecary. For comparison, use the "table.wikitable" section in
  skins/common/shared.css as base.
* $wgUploadNavigationUrl is now used for file redlinks if
  $wgUploadMissingFileUrl is not set. The former was used for this until the
  second was introduced in 1.17.
* (bug 27894) Move 'editondblclick' event listener down from body to
  div#bodyContent.
* (bug 30172) The check for posix_isatty() in maintenance scripts did not detect
  when the function exists but is disabled. Introduced
  Maintenance::posix_isatty().
* (bug 30264) Changed installer-generated LocalSettings.php to use
  require_once() instead require() for included extensions.
* Do not convert text in the user interface language to another script.
* (bug 26283) Previewing user JS/CSS pages didn't load other user JS/CSS pages.
* (bug 26486) ResourceLoader modules with paths to nonexistent files cause PHP
  warnings/notices to be thrown.
* (bug 30335) Fix for HTMLForms using GET that were breaking when non-friendly
  URLs are used.
* (bug 28649) Preventing half truncated multi-byte unicode characters when
  truncating log comments.
* Show --batch-size option in help of maintenance scripts that support it.
* (bug 4381) Magic quotes cleaning was not comprehensive, key strings were not
  unescaped.
* (bug 23057) Importers no longer can 'edit' or 'create' a fully-protected page by
  importing a new revision into it.
* Allow moving the associated talk pages of subpages even if the base page
  has no subpage.
* Per page edit-notices now work in namespaces without subpages enabled.
* (bug 31081) $wgEnotifUseJobQ is no longer unconditionally enqueueing jobs.
* (bug 30202) File names are now restricted on upload to 240 bytes, because of
  restrictions on some of the database fields.
* Timezones are now recognised in user preferences when offset is different
  due to DST.
* (bug 31692) "summary" parameter now also works when undoing revisions.
* (bug 18823) "move succeeded" text displayed bluelinks even when redirect was
  suppressed.
* (bug 19186) Special:UserLogin's title on Special:SpecialPages now says
  "create account" when the user cannot create an account.
* (bug 31818) 'usercreated' message now supports GENDER.
* (bug 32022) Our phpunit.php script can now be executed from another directory.
* (bug 26020) Setting $wgEmailConfirmToEdit to true no longer removes diffs.
  from recent changes feeds.
* (bug 30232) add current time to message wlnote on Special:Watchlist.
* (bug 29110) $wgFeedDiffCutoff did not affect new pages.
* (bug 32168) Add wfRemoveDotSegments for use in wfExpandUrl.
* (bug 32358) Do not display "No higher resolution available" for dimensionless
  files (like audio files).
* (bug 32168) Add wfAssembleUrl for use in wfExpandUrl.
* (bug 32168) fixed - wfExpandUrl expands dot segments now.
* (bug 31535) Upload comments now truncated properly, and don't have brackets.
* (bug 32086) Special:PermanentLink now show an error message when no subpage
  was specified.
* (bug 30368) Special:Newpages now shows the new page name for moved pages.
* (bug 1697) The way to search blocked usernames in block log should be clearer.
* (bug 29747) eAccelerator shared memory caching has been removed since it is
  now disabled by default and is buggy. APC, XCache and WinCache are not affected.
* Installer now refuses to install if php was not compiled with Ctype support.
* (bug 29475) Remove "trackback" feature entirely from core.
* (bug 32665) Special:BlockList prefills the username in the input field if
  using the Special:BlockList/username URL.
* (bug 27721) Make JavaScript variables wgSeparatorTransformTable and
  wgDigitTransformTable depend on page content language so the sort script
  sorts correctly more often.
* (bug 32230) Expose wgRedirectedFrom in JavaScript.
* (bug 31212) History tab not collapsed when the screen is narrow.
* (bug 15521) Use new section summary when the action of adding a new section
  also happens to create the page.
* (bug 32960) Remove EmailAuthenticationTimestamp from database when a
  email address is removed.
* (bug 32414) Empty page get a empty bytes attribute in Export/Dump.
* (bug 33101) Viewing a User or User talk of username resembling IP ending
  with .xxx causes Internal error.
* Warning about undefined index in certain situations when $wgLogRestrictions
  causes the first log type requested to be removed but not the others.
* Use separate message ('prefixindex-namespace') for title of
  Special:PrefixIndex rather then re-using Special:AllPages's allinnamespace.
* (bug 33156) Special:Block now allows you to confirm you want to block yourself
  when using non-normalized username.
* (bug 33246) News icon shown for news:// URLs but not for news: URLs.
* (bug 33305) Make mw.util.addCSS resistant to IE's @font-face bug by setting
  cssText after DOM insertion.
* (bug 30711) When adding a new section to a page with section=new, the text is
  now always added to the current version of the page.
* (bug 31719) Fix uploads of SVGs exported by Adobe Illustrator by expanding
  XML entities correctly.
* (bug 30914) Embeddable ResourceLoader modules (user.options, user.tokens)
  should be loaded in <head> for proper dependency resolution.
* (bug 32702) Removed method Skin::makeGlobalVariablesScript() has been readded
  for backward compatibility.
* (bug 31469) Make sure tracking category messages expand variables like
  {{NAMESPACE}} relative to correct title.
* (bug 33454) ISO-8601 week-based year number (format character 'o') is now
  calculated correctly with respect to timezone.
* (bug 32219) InstantCommons now fetches content from Wikimedia Commons using
  HTTPS when the local wiki is served over HTTPS.
* (bug 33525) clearTagHooks doesn't clear function hooks.
* (bug 33523) Function tag hooks don't appear on Special:Version.
* Files with IPTC blocks we can't read no longer prevent extraction of exif
  or other metadata.
* (bug 33587) Remove action "historysubmit" from history pages.
* (bug 25800) mw.config wgAction should contain the actually performed action instead
  of whatever the query value contains.
* (bug 4438) Add CSS hook for current WikiPage action.
* (bug 33703) Common border-bottom color for <abbr> should inherit default (text) color.
* (bug 33819) Display file sizes in appropriate units.
* (bug 32948) {{REVISIONID}} and related variables are no longer blank after doing
  a null edit.
* (bug 33880) $wgUsersNotifiedOnAllChanges should not send e-mail to user who made
  the edit.
* (bug 33902) Decoding %2B with mw.Uri.decode results in ' ' instead of +.
* (bug 33762) QueryPage-based special pages no longer misses *-summary message.
* Other sizes links are no longer generated for wikis without a 404 thumbnail handler.
* (bug 29454) Enforce byteLimit for page title input on Special:MovePage.
* (bug 34114) CSSMin::remap() doesn't respect its $embed parameter.
* Special:Contributions/newbies now shows the contributions for the user "newbies".
  New user contributions are obtained using the form or using ?contribs=newbie in URL.
* It is now possible to delete images that have no corresponding description pages.
* (bug 33165) GlobalFunctions.php line 1312: Call to a member function
  getText() on a non-object.
* (bug 31676) Group dynamically inserted CSS into a single <style> tag, to work
  around a bug where not all styles were applied in Internet Explorer.
* (bug 28936, bug 5280) Broken or invalid titles can't be removed from watchlist.
* (bug 34600) Older skins using useHeadElement=false were broken in 1.18.
* (bug 34604) [mw.config] wgActionPaths should be an object instead of a numeral
  array.* (bug 12262) Indents and lists are now aligned
* (bug 29753) mw.util.tooltipAccessKeyPrefix should be alt-shift for Chrome
   on Windows
* (bug 25095) Special:Categories should also include the first relevant item
   when "from" is filled.
* (bug 34972) An error occurred while changing your watchlist settings for
  [[Special:WhatLinksHere/Example]]

=== API changes in 1.19 ===
* Made action=edit less likely to return "unknownerror", by returning the actual error
  message (which may have come from a hook call or similar).
* (bug 19838) siprop=interwikimap can now use the interwiki cache.
* (bug 29748) Add API search prefix support.
* (bug 29684) Set forgotten parameter types in ApiQueryIWLinks.
* (bug 29685) do not output NULL parentid with list=deletedrevs&drprop=parentid.
* siprop=interwikimap and siprop=languages can use silanguagecode to have
  a best effort language name translation. Use CLDR extension for best result.
* (bug 30230) action=expandtemplates should not silently override invalid title
  inputs.
* (bug 18634) Create API to fetch MediaWiki's language fallback tree structure.
* (bug 26885) Allow show/hide of account blocks, temporary blocks and single IP
  address blocks for list=blocks.
* (bug 30591) Add support to only return keys in ApiAllMessages.
* The API now respects $wgShowHostnames and won't share the hostname in
  severedby if it's set to false.
* wlexcludeuser parameter added to ApiFeedWatchlist.
* (bug 7304) Links on redirect pages no longer cause the redirect page to show
  up as a redirect to the linked page on Special:Whatlinkshere.
* (bug 32609) API: Move captchaid/captchaword of action=edit from core
  to Captcha extension(s).
* Added 'APIGetDescription' hook.
* (bug 32688) Paraminfo for parameter "generator" of the query module shows too
  many types.
* (bug 32415) Empty page get no size attribute in API output.
* (bug 31759) Undefined property notice in querypages API.
* (bug 32495) API should allow purge by pageids.
* (bug 33147) API examples should explain what they do.
* (bug 33482) Api incorrectly calls ApiBase::parseMultiValue if allowed
  values is given as an array.
* (bug 32948) {{REVISIONID}} and related variables are no longer blank after
  calling action=purge&forcelinkupdate.
* (bug 34377) action=watch now parses messages using the correct title instead
  of "API".
* (bug 35036) WikiLove messages were not automatically updated in JavaScript
  after having been changed on-wiki due to a bug in core

=== Languages updated in 1.19 ===

MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Bugzilla reports.

* Canadian English (en-ca) (new).
* Norwegian (bokmål) (nb) (renamed from no).
* Uighur (Latin) (ug-latn) was incorrectly marked as right-to-left language.
* (bug 30217) Make pt-br a fallback of pt.
* (bug 31193) Set fallback language of Assamese from Bengali to English.
* Update date format for dsb and hsb: month names need the genitive.
* (bug 28643) Serbian variant conversion improvements (Nikola Smolenski).
* (bug 29405, bug 30809) Lower diacritics are invisible in titles in Indic
  languages Assamese, Bengali, Hindi, Malyalam and Odiya.
* (bug 32826) Titles in indic languages are partially cut.
* (bug 33367) Gendered namespaces for Czech.
* (bug 33014) Language::formatSize()/formatBitrate() should be able to deal
  with larger numbers (tera-yotta).

=== Other changes in 1.19 ===
* BREAKING CHANGE: Legacy global array 'ta' and global function 'akeytt' have
  been removed from wikibits.js.
* jquery.mwPrototypes module was renamed to jquery.mwExtension.
* The maintenance script populateSha1.php was renamed to the more concise
  populateImageSha1.php.
* The Client-IP header is no longer checked for when trying to resolve a client's
  real IP address.
* (bug 22096) Although IE5.x and below was already unsupported officially, stylesheets
  existing exclusively for IE5.0 and IE5.5 have now been removed (which were in skins
  'chick' and 'monobook').
* The constructor for CategoryView has changed, the second parameter is now a
  Context source and is required.
* The Title::escape{Local,Full,Canonical}URL methods are deprecated, please use
  proper html building methods to escape the normal get{...}URL methods instead.
* The $variant arguments in the Title::get{Local,Full,Link,Canonical}URL methods
  have been replaced with a secondary query argument.
* The $variant argument in the hooks for the Title::get{Local,Full,Link,Canonical}URL
  methods have been removed, the variant is now part of the $query argument.
* Removed Title::isValidCssJsSubpage(), deprecated since 1.17 in favor of
  using Title::isCssJsSubpage() or checking Title::isWrongCaseCssJsPage().
* Support for the deprecated hook MagicWordMagicWords was removed.
* The Xml::namespaceSelector method has been deprecated, please use
  Html::namespaceSelector instead (note that the parameters have changed also).
* (bug 33746) Preload popular ResourceLoader modules (mediawiki.util) as stop-gap
  for scripts missing dependencies.
  New configuration variable $wgPreloadJavaScriptMwUtil has been introduced for this
  (set to false by default for new installations). Set to true if your wiki has a large
  amount of user/site scripts that are lacking dependency information. In the short to
  medium term these user/site scripts should be fixed by adding the used modules to the
  dependencies in the module registry and/or wrapping them in a callback to mw.loader.using.

== Compatibility ==

MediaWiki 1.19 requires PHP 5.2.3. PHP 4 is no longer supported.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but
support for them is somewhat less mature. There is experimental support for IBM
DB2 and Oracle.

The supported versions are:

* MySQL 5.0.2 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later

== Upgrading ==

1.19 has several database changes since 1.18, and will not work without schema
updates.

As of 1.19 several JavaScript interfaces that were deprecated or superseeded in
MediaWiki 1.17, MediaWiki 1.16 or even earlier have been removed. They are
listed at the top of the "Other changes" list as a "BREAKING CHANGE".

If upgrading from before 1.11, and you are using a wiki as a commons
repository, make sure that it is updated as well. Otherwise, errors may arise
due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure
new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database
changes are made, and there is a slightly higher chance that things could
break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.18.x and older releases, see HISTORY.

== Online documentation ==

Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

	https://www.mediawiki.org/wiki/Documentation

== Mailing list ==

A mailing list is available for MediaWiki user support and discussion:

	https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

	https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==

There's usually someone online in #mediawiki on irc.freenode.net.