MediaWiki 1.16

MediaWiki 1.16 was developed between and. It was deployed on Wikimedia Foundation wikis through incremental -branches, starting in. The final, stable version was released on. Consult the for the full list of changes. Download the or checkout the   branch in Git for testing.

= MediaWiki release notes =

MediaWiki 1.16.5
2011-05-05

This is a security release of the MediaWiki 1.16 branch.

Summary of selected changes in 1.16
Selected changes since MediaWiki 1.15 that may be of interest:


 * A new skin called Vector was added
 * Watchlists now have RSS/Atom feeds. RSS feeds generally are now hidden, since Atom is a better protocol and is supported by virtually all clients.
 * It's now possible to block users from sending email via Special:Emailuser.
 * The maintenance script system was overhauled. Most maintenance scripts now have a useful help page when you run them with --help.
 * AdminSettings.php is no longer required in order to run maintenance scripts. You can just set $wgDBadminuser and $wgDBadminpassword in your LocalSettings.php instead.
 * The preferences system was overhauled. Preferences are stored in a more compact format. Changes to site default preferences will automatically affect all users who have not chosen a different preference.
 * Support for SQLite was improved. Some broken features were fixed, and it now has an efficient full-text search.
 * The user groups ACL system was improved by allowing rights to be revoked, instead of just granted.
 * A new localisation caching system was introduced, which will make MediaWiki faster for almost everyone, especially when lots of extensions are enabled. By default, this new system makes a lot of database queries. If your database is particularly slow, or if your system administrator limits your query count, or if you want to squeeze as much performance as possible out of MediaWiki, set $wgCacheDirectory to a writable path on the local filesystem. Make sure you have the DBA extension for PHP installed; this will improve performance further.

Changes since 1.16.5

 * Fixed undefined variable error in recentchanges API module.

Changes since 1.16.4

 * Fixed XSS vulnerability for IE 6 clients. This is the third attempt at fixing bug 28235.
 * Fixed potential privilege escalation when $wgBlockDisablesLogin is enabled.

Changes since 1.16.3

 * The change we made in 1.16.3 to fix bug 28235 (XSS for IE 6 clients) was not actually sufficient to fix that bug. This release contains a second attempt; hopefully we have fixed it this time.

Changes since 1.16.2

 * Fixed permissions checks in Special:Import which allowed users without the 'import' permission to import pages from the configured import sources.
 * Fixed XSS affecting IE 6 and earlier clients only, due to those browsers looking for a file extension in the query string of the URL, and ignoring the Content-Type header if one is found.
 * Fixed a CSS validation issue involving escaped comments, which led to XSS for Internet Explorer clients and privacy loss for other clients.

Changes since 1.16.1

 * Fixed incorrect translated namespace due to a regression in the language converter.
 * The interface translations were updated.
 * (CVE-2011-0047): Fixed CSS injection vulnerability.
 * Fixed server-side arbitrary script inclusion vulnerability. Affects Windows servers only. A malicious file with extension ".php" must exist on the server for the exploit to be effective.

Changes since 1.16.0

 * Allow extensions to access SpecialUpload variables again
 * list=allusers was out by 1 (shows total users - 1)
 * Fixed API error when using rvprop=tags
 * For wikis using French as a content language, Special:Téléchargement works again as an alias for Special:Upload.
 * Correctly load JS fixes for IE6 (fixing a regression in 1.16.0)
 * Fixed paraminfo errors in certain API modules.
 * The installer now has improved handling for situations where safe_mode is active or exec and similar functions are disabled.
 * Specifying --server in now works for all maintenance scripts.
 * Fixed $wgLicenseTerms register globals.
 * Fixed clickjacking vulnerabilities by introducing support for X-Frame-Options. The header value can be configured using $wgBreakFrames and $wgEditPageFrameOptions.

Changes since 1.16 beta 3

 * Disabled HTML 5 client-side form validation. Was introduced in 1.16 beta 1, but is currently poorly supported by browsers.
 * Re-added window.ta variable for backwards compatibility.
 * Fixed breakage of various command line scripts due to extra line endings being inserted by Maintenance::output.
 * Fixed HTTP client functionality with safe_mode=On.
 * Fixed parser tests broken in 1.16 beta 3.
 * For Oracle DB backend: fixed parser tests and table prefix feature.
 * Fixed PHP warning when REQUEST_URI is blank (IIS issue).
 * Fixed plural function for Northern Sami (se)
 * Fixed conflicts between ID attributes in the Vector skin and parser-generated heading IDs. Renamed head, panel, head-base and page-base.
 * Disabled $wgHitcounterUpdateFreq>1 feature on SQLite, does not work yet.
 * Don't ignore the predefined destination filename on Special:Upload after following a red link to a file.
 * In SQLite full-text search feature: fixed "move page" feature, was non-functional.
 * Fixed Cache-Control headers sent from API modules, to protect user privacy in the case where an attacker can access the wiki through the same HTTP proxy as a logged-in user.
 * Fixed an XSS vulnerability in profileinfo.php for installations with $wgEnableProfileInfo = true (false by default)
 * Fixed a case where an X-Vary-Options header was sent despite $wgUseXVO being false. Fixed a minor header parsing issue when $wgUseXVO = true.
 * Fixed a register_globals arbitrary inclusion vulnerability in MediaWikiParserTest.php, introduced in 1.16 beta 1.

Changes since 1.16 beta 2

 * Fixed bugs in the Special:Userlogin and Special:Emailuser handling of invalid usernames.
 * Fixed sorting in Special:Allmessages
 * Fixed title in the show/hide links on diff pages
 * Fixed API rollback, was returning "badtoken" for valid requests
 * Re-added missing $1 parameter to the uploadtext message
 * Fixed a bug in the Vector skin where personal tools display behind the logo
 * Fixed a bug in edit conflict resolution, where both textboxes showed the same text.
 * Fixed various problems with   and   elements in page views and previews when the language converter is enabled.
 * Fixed a local path disclosure vulnerability in ImageMagick image scaling, which was introduced in 1.16 beta 1.
 * Improved error checking on installer.
 * Fixed a JavaScript error in the upload destination conflict check.
 * Check the watch checkbox by default if the watchcreations preference is set.
 * Improve IE6 version check to avoid false positives.
 * Fixed upload warning override feature "upload new version", broken in 1.16 beta 1.
 * Fixed regression in unwatch links sent out in notification emails. When the mailing job was deferred via the job queue, the title was incorrect.
 * Fixed SQL query error in API list=allusers.
 * Fixed a bug in uploads for non-JavaScript clients. An empty string was used as the default destination filename, instead of the source filename as expected.
 * Fixed CSRF vulnerability in "e-mail me my password", "create account" and "create by e-mail" features of Special:Userlogin
 * Fixed XSS vulnerability affecting IE clients only, due to a CSS validation issue.
 * Fixed a DoS vulnerability in ImageMagick image scaling. ImageMagick expanded wildcard characters "?" and "*" in image filenames, potentially causing large numbers of images to be scaled in response to a single request. The fix for this involves breaking the scaling of such image filenames until ImageMagick 6.6.1-5 or later is deployed, see bug 23361 for more details.
 * Fixed invalid HTML in diff pages.

Changes since 1.16 beta 1

 * Fixed errors in maintenance/patchSql.php
 * Fix regression from r57867 where HTMLForm would output  rather than
 * Fixed broken "-r" option to maintenance/lag.php
 * Fixed login CSRF vulnerability. Logins now require a token to be submitted along with the user name and password.

Configuration changes in 1.16

 * $wgMinimalPasswordLength default is now 1
 * $wgSessionHandler can be used to configure session.save_handler
 * $wgLocalFileRepo/$wgForeignFileRepos now have a 'fileMode' parameter to be used when uploading/moving files
 * $wgHiddenPrefs is a new array for specifying preferences not to be shown to users
 * $wgAllowRealName and $wgAllowUserSkin were deprecated in favor of $wgHiddenPrefs[] = 'realname', but the former are still retained for backwards-compatibility
 * $wgRCMaxAge now defaults to three months
 * $wgDevelopmentWarnings can be set to true to show warnings about deprecated functions and other potential errors when developing.
 * Subpages are now enabled in the MediaWiki namespace by default. This is mainly a cosmetic change, and does not in any way affect the MessageCache, which was already effectively treating the namespace as if it had subpages.
 * Oracle: maintenance/ora/user.sql script for creating DB user on oracle with appropriate privileges. Creating this user with web-install page requires oci8.privileged_connect set to On in php.ini.
 * Removed hook introduced in 1.14
 * Added $wgCacheDirectory, to replace $wgFileCacheDirectory, $wgLocalMessageCache, and any other local caches which need a place to put files.
 * $wgFileCacheDirectory is no longer set to anything by default, and so either needs to be set explicitly, or $wgCacheDirectory needs to be set instead.
 * $wgLocalMessageCache has been removed. Instead, set $wgUseLocalMessageCache to true
 * Removed $wgEnableSerializedMessages and $wgCheckSerialized. Similar functionality is now available via $wgLocalisationCacheConf.
 * $wgMessageCache->addMessages is deprecated. Messages added via this interface will not appear in Special:AllMessages.
 * $wgRegisterInternalExternals can be used to record external links pointing to same server
 * $wgCrossSiteAJAXdomains and $wgCrossSiteAJAXdomainExceptions added to control which external domains may access the API via cross-site AJAX.
 * $wgMaintenanceScripts for extensions to add their scripts to the default list
 * $wgMemoryLimit has been added, default value '50M'
 * $wgExtraRandompageSQL is deprecated, the hook should be used instead
 * $wgIllegalFileChars added to override the default list of illegal characters in file names.
 * $wgImgAuthDetails added to display reason access to uploaded file was denied to users (img_auth only)
 * $wgImgAuthPublicTest added to test to see if img_auth set up correctly (img_auth only)
 * $wgUploadMaintenance added to disable file deletions and restorations during maintenance
 * $wgCapitalLinkOverrides added to configure per-namespace capitalization
 * $wgSorbsUrl can now be an array with multiple DNSBL and renamed to $wgDnsBlacklistUrls (backward compatibility kept)
 * $wgEnableHtmlDiff has been removed
 * $wgBlockCIDRLimit added (default: 16) to configure the low end of CIDR ranges for blocking
 * $wgUseInstantCommons added for quick and easy enabling of Commons as a remote file repository
 * $wgDBAhandler added to choose a DBA handler when using CACHE_DBA
 * $wgPreviewOnOpenNamespaces for extensions that create namespaces that behave similarly to the category namespace.
 * $wgEnableSorbs renamed to $wgDnsBlacklistUrls ($wgEnableSorbs kept for backward compatibility)
 * $wgUploadNavigationUrl now also affects inline images that do not exist. In that case the URL will get (?|&)wpDestFile= appended to it as appropriate.
 * If $wgLocaltimezone is null, use the server's timezone as the default for signatures. This was always the behaviour documented in DefaultSettings.php but has not been the actual behaviour for some time: instead, UTC was used by default.
 * Added $wgExtensionAssetsPath, to decouple assets serving from $wgScriptPath. If not specified it will default to $wgScriptPath/extensions
 * Added $wgCountTotalSearchHits to make search UI display total number of hits with some search engines.
 * Added $wgAdvertisedFeedTypes to decide what feed types (RSS, Atom, both, or neither) MediaWiki advertises. Default is array( 'atom' ), so RSS is no longer advertised by default (but it still works).
 * Added $wgMemCachedTimeout, controls how long to wait for data from the memcached servers.
 * New configuration variables $wgDebugTimestamps and $wgDebugPrintHttpHeaders for controlling debug output.
 * New $wgBlockDisablesLogin when set to true disallows blocked users from logging in.
 * Metadata edition ($wgUseMetadataEdit) has been moved to a separate extension "MetadataEdit".

New features in 1.16

 * A new skin called Vector was added
 * Add CSS definition of the 'wikitable' class to shared.css
 * Added MediaWiki:Talkpageheader which will be displayed when viewing talk pages
 * Superfluous border="0" removed from images
 * Added new hook into MessageCache.php. For instance to allow extensions to update caches in similar way as MediaWiki invalidates a cached MonoBook sidebar
 * Special:AllPages: Move hardcoded styles from code to CSS
 * New hook: for adding information about the software to Special:Version
 * Added $wgExtPGAlteredFields to allow extensions to easily alter the data type of columns when using the Postgres backend.
 * Show move log when viewing/creating a deleted page
 * Show the Subversion revision number per extensions in Special:Version
 * Missing file revisions are handled gracefully now
 * Auth plugins can control editing RealName/Email/Nick preferences
 * Add note or warning when overruling a move (semi-)protection
 * insertTags works in edit summary box
 * The upload form also checks post_max_size
 * Watchlist now has a specialized tag that contains a unique class for each page
 * Added Minguo calendar support for the Taiwan Chinese language
 * Database: unionQueries function to be used for UNION sql construction, so it can be overloaded on DB abstraction level for DB specific functionality
 * Implement Japanese and North Korean calendars
 * Introduce and  to display the month number without the leading zero
 * categoriespagetext supports PLURAL
 * Blocks of IPs affecting registered users can now block email
 * Date and time are separate parameters in Special:BlockList
 * Added ISO speed rating to default collapsed EXIF metadata view
 * Messages 'recentchangeslinked-toolbox' and 'recentchangeslinked-toolbox' were added to allow more fine grained customisation of the user interface
 * DISPLAYTITLE now accepts a limited amount of wiki markup (the single-quote items)
 * Special:Search can now search terms in all variant forms. This applies only to wikis with LanguageConverter enabled.
 * Add autopromote condition APCOND_BLOCKED to autopromote blocked users to various user groups.
 * Add $wgRevokePermissions as a means of restricting a group's rights. The syntax is identical to $wgGroupPermissions, but users in these groups will have these rights stripped from them.
 * Added a PHP port of CDB (constant database), for improved local caching when the DBA extension is not available.
 * Introduced a new system for localisation caching. The system is based around fast fetches of individual messages, minimising memory overhead and startup time in the typical case. The database backend will be used by default, but set $wgCacheDirectory to get a faster CDB-based implementation.
 * Expanded the number of variables which can be set in the extension messages files.
 * Added a feature to allow per-article process pool size control for the parsing task, to limit resource usage when the cache for a heavily-viewed article is invalidated. Requires an external daemon.
 * Moved the id attributes from the anchors accompanying section headers to the elements within the section headers, removing the redundant anchor elements.
 * Parser::setFunctionTagHook now can be used to add a new tag which is parsed at preprocessor level.
 * Added $wgShowArchiveThumbnails, allowing sysadmins to disable thumbnail display for old versions of images.
 * In watchlists and Special:RecentChanges, the difference in page size now appears in dark green if bytes were added and dark red if bytes were removed.
 * Added FSRepo configuration properties thumbUrl and thumbDir, to allow the thumbnails to be stored in a separate location to the source images.
 * If config/ directory is not executable, the command to make it executable now asks the user to cd to the correct directory
 * Add experimental new external authentication framework, ExternalAuth
 * Remove AdminSettings requirements. Maintenance environment will still load it if it exists, but it's not required for anything
 * The "listgrouprights-key" message is now wrapped in a div with class "mw-listgrouprights-key"
 * Allow RSS feeds for watchlist, using an opt-in security token
 * Interwiki links can have names and descriptions, fetched from message 'interwiki-desc-PREFIX', not really used anywhere yet though
 * Add type (signup or login) parameter to AuthPlugin::ModifyUITemplate
 * "Member of group(s)" in Special:Preferences causes language difficulties
 * Unicode combining characters are difficult to edit in some browsers
 * Parser test supports uploading results to remote CodeReview instance
 * The extension version in Special:Version is now wrapped in the CSS class "mw-version-ext-version"
 * The right name in Special:ListGroupRights is now wrapped in the CSS class "mw-listgrouprights-right-name"
 * New CoreParserFunction  as an url-friendly equivalent to
 * Allow maintenance scripts to accept DB user/pass over input or params
 * Maintenance script to un/protect pages
 * The HTML tag is now permitted.
 * RecentChanges now has a legend to explain what the Nmb! flags mean, and the flags have tooltips.
 * New hook called after everything has been setup but before Mediawiki::performRequestForTitle
 * wgMainPageTitle variable now available to JavaScript code to identify the main page link, so it doesn't have to be extracted from the link URLs.
 * Display preview of signature in user preferences and describe its use
 * The default output format is now HTML 5 instead of XHTML 1.0 Transitional. This can be disabled by setting $wgHtml5 = false;. Specific features enabled if HTML 5 is used:
    * Some extra inputs will be autofocused, in supporting browsers.
    * The summary attribute has been removed from tables of contents. summary is obsolete in HTML 5 and wasn't useful here anyway.
    * Unnecessary type="" attribute removed for CSS and JS.
    * If $wgWellFormedXml is set to false, some bytes will be shaved off of HTML output by omitting some things like quotation marks where HTML 5 allows.
 * maxlength enabled for page move comments
 * The description message in $wgExtensionCredits can be an array with parameters
 * New hook allows extensions to modify the selection criteria used by Special:Random and subclasses, or substitute a custom result, deprecating the $wgExtraRandompageSQL config variable
 * Distinct CSS classes for ISBN/RFC/PMID special links added
 * Custom fields in the user creation form template can now have detail labels in prefsectiontip divs.
 * MakeSysop and MakeBot are now aliases for Special:UserRights
 * IndexPager->mLimitsShown can now be an associative array of limit => text-to-display-in-limit-form.
 * LogEventsList::showLogExtract can now take a string-by-reference and add its HTML to it, rather than having to go straight to $wgOut.
 * Added $wgShowDBErrorBacktrace, to allow users to easily gather backtraces for database connection and query errors.
 * Show change block / unblock link on Special:Contributions if user is blocked
 * Display note on Special:Contributions if the user is blocked, and provide an excerpt from the block log.
 * New hook: for tests and functionality before file is streamed to user, but only when using img_auth
 * Note on non-existing user and user talk pages if user does not exist
 * New hook so extensions can modify the output for non-existent pages.
 * Admins can now disable some variants using $wgDisabledVariants. This applies only to wikis with LanguageConverter enabled.
 * Credits page now lists IP addresses rather than saying the number of anonymous users that edited the page
 * New permission 'sendemail' added. Default right for all registered users. Can for example be used to prevent new accounts from sending spam.
 * Tracking categories for __INDEX__ and __NOINDEX__
 * Two new hooks, and, which are called after a user's email has been successfully confirmed or invalidated.
 * Moved the XCF files out of the main MediaWiki distribution, for a smaller subversion checkout.
 * First letter capitalization can now be a per-namespace setting
 * "User does not exist" message no longer displayed on sub-sub-pages of existing users
 * Tracking categories produced by the parser (expensive parser function limit exceeded, __NOINDEX__ tracking, etc) can now be disabled by setting the system message (MediaWiki:expensive-parserfunction-category  etc) to "-".
 * Added maintenance script sqlite.php for SQLite-specific maintenance tasks.
 * Rewrote Special:Upload to allow easier extension.
 * Upload errors that can be solved by changing the filename now do not require reuploading.
 * Added $wgRateLimitsExcludedIPs, to allow specific IPs to be whitelisted from rate limits.
 * When $wgUseTeX is not enabled, is no longer registered with the parser so extensions are free to implement their own  tag
 * Wrap 'cannotdelete' into a div with the generic 'error' class and an own 'mw-error-cannotdelete' class
 * New hook, called before account creation from AuthPlugin- or ExtUser-driven requests.
 * The warning saying that the page has a history when deleting it now contains the number of revisions in the history
 * $wgStylePath and $wgLogo are now set in the default LocalSettings.php file.
 * Allow filtering history for revision deletion.
 * New hook, called in Special:IPBlockList and Special:Block to show links to block logs of other blocking extensions, i.e. GlobalBlocking
 * Added search capabilities to SQLite backend
 * rebuildtextindex.php maintenance script now supports databases other than MySQL
 * upgrade1_5.php now requires the --update option to run, to prevent confusion
 * Customizable default preload/editintro for new sections in the respective addsection-preload and addsection-editintro messages
 * Added maintenance script checkSyntax.php that checks for PHP syntax errors and common coding mistakes
 * Updated Unicode normalization tables
 * Spellcheck attribute for editsummary
 * New wgCategories JavaScript global variable for userscripts.
 * Added checkboxes to hide users with bot and/or sysop group membership in SpecialActiveusers
 * Allow \pagecolor and \definecolor in texvc
 * $wgTexvcBackgroundColor contains background color for texvc call
 * Redirects can now have "303 See Other" HTTP status
 * EditPage refactored to allow extensions to derive new edit modes much easier.
 * Subsections of Special:Version now also have anchors
 * Add URL of file source as comment to thumbs (for ImageMagick)
 * Sorted wikitables do not properly handle minus signs
 * Red links for media files do not support shared repositories
 * Added $wgFixArabicUnicode, to convert deprecated presentation forms in Arabic text to their modern equivalents, and $wgFixMalayalamUnicode, to convert ZWJ-based chillu sequences in Malayalam text to their Unicode 5.1 equivalents.
 * Returning false in hook now stops normal output
 * Send new password e-mail in users preference language
 * LanguageConverter now supports nested use of manual conversion syntax like "-{-{}-}-"
 * Upload license preview now uses the API instead of action=ajax
 * Add to RSS to avoid duplicates
 * Added new hooks for Special:Search, which allow to further restrict/expand it.
 * When a revision has been patrolled, there's now a link back to the article
 * hook now passes $query_options and checks the return value
 * Separate unit test suites under t/ and tests/ were merged and moved to maintenance/tests/.
 * importImages.php maintenance script can now use the original uploader and comment from another wiki.
 * Support for Turck MMCache was removed
 * Warn users when they try to move their user page that their account will not be renamed
 * Show block log on non-existing user (talk) pages of currently blocked users

Bug fixes in 1.16

 * Make namespace selector on Special:Export remember the previous selection
 * The svn-version version numbers on Special:Version have been removed
 * Special:Export no longer exports two copies of the same page
 * Proper parsing in MediaWiki:Sharedupload message
 * HTML cleanup for ImagePage
 * namespaceDupes.php no longer fails on an empty interwiki table
 * Improved error handling for image moving
 * On Special:SpecialPages, restricted special pages are now marked with  tags, helps with text-based browsers
 * Special:DeletedContributions now also uses MediaWiki:Sp-contributions-logs for the link to Special:Log
 * Don't add empty title="" attributes to links to anchors on the current page
 * rebuildrecentchanges.php failed to add deletion log entries
 * rebuildrecentchanges.php got size changes wrong
 * Fixed a PHP warning in Parser::preSaveTransform in PHP 5.3
 * Database connection error page now returns correct HTML
 * "successbox", "errorbox" and related CSS classes are now available in all skins
 * Removed superfluous name="fulltext" from Special:Search
 * MediaWiki:Undelete-revision can now have wikitext
 * The "noautoblock" flag is no longer displayed in the block log when blocking an IP address
 * $wgHooks and $wgExtensionFunctions now support closures
 * Maintenance scripts now exit(0) or exit(1) as appropriate
 * Time in Enhanced ChangesList lacking localisation
 * Allow,  , etc. in DISPLAYTITLE
 * Lowercase navigation headings in German
 * Pending transactions failed to commit on loginToUse error
 * session.save_handler being over-ridden
 * session.save_handler being set twice (causes error)
 * ForeignAPIRepo throwing error on first page load for file
 * ForeignAPIRepo cache isn't working
 * Fixed a bug caused by LanguageConverter.php, which brings an abnormal '}-' after some parsed math syntax.
 * rebuildrecentchanges.inc no longer ignores $wgLogRestrictions
 * Bolded selections in 1 | 3 | etc days on RecentChanges now use  instead of hardcoded styles
 * Fixed items number per column on category pages when the total is divisible by 3
 * maintenance/deleteArchivedRevisions.php no longer deletes revisions when --delete is not passed
 * GPS coordinates in image Exif data are now actually displayed
 * Overhaul of preferences system, includes the following bug fixes:
 * Changes to default preferences now impact registered users.
 * Hook to enable putting preferences in existing tabs.
 * Registration date now listed on preferences page.
 * The user_properties table (now used for storing preferences) has been added to $wgSharedTables.
 * Note that this change will break some extensions which have not been adapted for it.
 * Adding fallback encodings for Traditional and Simplified Chinese languages while the text is typed as URLs.
 * Prev / Next links are not shown if all results are shown
 * Strange spacing before irc:... links
 * Removed float from the user login form in RTL interface - caused display problems in FF2
 * Redirect images are now subject to Bad image list rules
 * profileinfo.php now also works on database servers other than MySQL
 * Diffs no longer fail when $wgExternalDiffEngine is set to 'wikidiff' or 'wikidiff2' but extension is not installed
 * Chmod errors in file repos have been hidden
 * Comma after a } creates an error in IE
 * Removed redundant class in Modern skin CSS for category links and tweaked spacing.
 * Use proper directory separators in wfMkdirParents
 * Make Special:Blockip respect $wgEnableUserEmail and $wgSysopEmailBans
 * Tooltips on images with link= disappear
 * Localise numbers in EXIF data
 * Wrap MediaWiki:Protect-cascadeon in a div for identification
 * Tweak HTML for preview bar for consistency and accessibility
 * Updated documentation for dumpBackup.php
 * Fix array logic in Sanitizer::removeHTMLtags so that it doesn't strip good tags that were redundantly defined.
 * SpecialPage::getTitleFor does not return a localised name
 * Renaming non entry point maintenance scripts from .inc.php to .inc
 * Deprecated methods Title::getInterwikiLink, Title::userCanCreate, Title::userCanEdit and Title::userCanMove have been removed
 * Only show upload links on file description if $wgEnableUploads = true and user can upload
 * Don't say "You need to log in to upload/move", because it's possible that uploading/moving is disabled for registered users as well (e.g. only sysops)
 * Handle invalid titles gracefully at Special:Mostlinked
 * Enable variant conversion in text on 'alt' and 'title' attributes
 * Introducing the StubUserVariant class to determine the variant variable instead of using this to overrule the user language preference.
 * If user had deletedhistory right, but not undeleted right, then show "view" instead of "view/restore" on logs.
 * TOC level calculation error in an odd case
 * CSS update for RTL interwiki links
 * history.js removes class names of list elements on initialization
 * Multiple whitespace in TOC anchors is now stripped, for consistency with the link from the edit comment
 * Preferences now respects $wgUseExternalEditor
 * MediaWiki now fails when unable to determine a client IP
 * Special:Version should follow the content language direction
 * maintenance/purgeOldText.inc is now compatible with PostgreSQL
 * Fixed performance regression in "bad image list" feature
 * Show user preference 'Use live preview' if $wgLivePreview is enabled only
 * Blocked users can no longer use Special:UserRights unless they can add/remove *all* groups (have 'userrights' permission).
 * Always show Sp-contributions-footer(-anon)
 * Attempts to restrict reading of pages while anonymous viewing is allowed via extensions not using the hook and via $wgRevokePermissions now work.
 * Multiple-character search terms are now handled properly for Chinese
 * Use formatNum for "Number of edits" in Special:Preferences
 * Check for MySQL storage engines during installation now checks whether the engines are actually available
 * Omit the "printable version" link on the printable version
 * img_auth.php now respects userCan
 * Uploading to a file named '0' previously treated it as null input and attempted to upload with the source name. Now warns about not having an extension (since 0.ext is perfectly valid)
 * Enotif preferences are now only displayed when they are turned on
 * Show/hide options on watchlist only work once
 * PubMed Magic links now use updated NIH url
 * externallinks have links to self
 * Don't load Opera 9.5 RTL fixes for Opera 9.6
 * Remove five-year-old KHTMLFixes.css, which is unlikely to be relevant anymore and was causing problems.
 * Removed repetition of URIs in the title attributes of external links.
 * User name is now escaped in "Contributions for ..." link on Special:BlockIP
 * Override buildConcat for SQLite.
 * Log in and log out links no longer return to page view when clicked from history view, edit page, or something similar
 * RTL fixes for new Search UI
 * Special:Allmessages is paginated
 * CSS plainlinks class now available to all skins
 * Database error messages no longer have "MySQL" hardcoded as the database type
 * successbox on Special:Preferences now correctly aligned on standard, nostalgia and cologneblue skin
 * interwiki links from file links are no longer recorded in the pagelinks table
 * date option "ISO 8601" produced illegal id
 * Removed autogenerated tag with link data. Keyword set was not useful, and is ignored by modern search engines anyway.
 * Special:SpecialPages title is "Upload file"
 * Added .xhtml, .xht to upload file extension blacklist
 * Workaround for lag on history page in Firefox 3.5
 * Updated docs/hooks.txt
 * Fix for buggage in profiling setup for some extensions on PHP 5.1
 * ts_resortTable inconsistent trimming makes date sorting fragile
 * Change oldimage table to use ON UPDATE CASCADE for FK to image table.
 * Short notation links to subpages didn't work in edit summaries
 * Special:Export no longer exports multiple copies of pages
 * Edits to user CSS/JS subpages can now be marked as patrolled by users who can't edit them
 * Comments in log items are no longer double-escaped
 * Fix inconsistent separators in watchlist link toolbars with "enhanced recent changes"
 * Moving a page over a redirect no longer leaves an orphan entry in the recentchanges table
 * Limit selection forms based on Pager now links to the correct page when using long urls
 * The display of the language list in the preferences now complies more closely with the BCP 47 standards.
 * Custom X-Vary-Options header now disabled unless $wgUseXVO is set
 * Duplicate entries in $wgAddGroups, $wgRemoveGroups, $wgGroupsAddToSelf and $wgGroupsRemoveFromSelf are no longer displayed on Special:ListGroupRights
 * Special:Userlogin now correctly handles the returnto parameter so that it does not link back to Special:Userlogout when the user's language isn't the same as the content language
 * Show proper error message when unable to connect to PostgreSQL database with username/password in MediaWiki's setup
 * (bugs 18407, 18409) Special:Upload is now listed on Special:Specialpages only if uploads are enabled and the user can access it
 * Spaces before [[Category:]] links are no longer ignored
 * All known-failing tests now marked disabled; added --run-disabled option to parser test suite to run disabled tests if desired.
 * Make recent change flags (n/m/b) s instead of s
 * Split the edit tip message of user CSS/JS subpage into "usercssyoucanpreview" and "userjsyoucanpreview" respectively.
 * Split the rights for editing users' CSS/JS subpage from "editusercssjs" into "editusercss" and "edituserjs" respectively.
 * RecentChanges feed URLs for log items with no revisions (eg Newuser, Userrights) are no longer broken
 * Remote file descriptions use user language ($wgLang), not wiki language ($wgContLang)
 * Lock error on redirect table when running orphans.php
 * initStats.php now refreshes active users count
 * Using the nosummary URL option no longer triggers the "You have not provided a summary" warning for those who activated it in their preferences
 * commandLine.inc and Maintenance.php are now properly included using the full path
 * Fixed broken style sheets in Opera fullscreen mode
 * Default memory limit has been increased to 50M, see $wgMemoryLimit
 * Added proper input normalization in Special:UserRights
 * Add Hook to add extra statistics at the end of Special:Statistics
 * importDump.php can now handle bzip2 and 7zip
 * Fixed a PHP notice for users having the "rollback" right on Special:RecentChangesLinked
 * Do not transform EXIF fields with pure text to avoid results like foo,bar@example,com
 * Fix login/logout links in skin CologneBlue
 * "Powered by Mediawiki" now has height/width on image tag
 * Fix broken output when no pages are found in the content namespaces
 * Make AncientPages and UnusedFiles work on SQLite
 * Fixed XSS vulnerability for Internet Explorer clients (only pre-release versions of MediaWiki were affected).
 * Moving a page to a subpage of itself moves it twice
 * $wgMaximumMovedPages should only count pages actually moved
 * Non-breaking spaces and certain other Unicode space characters are now normalized to ordinary spaces in titles; if your wiki has existing titles with such characters, run cleanupTitles.php and/or cleanupImages.php
 * Links containing invalid UTF-8 percent-code sequences are now cleanly disabled instead of breaking parsing entirely on PHP 5.2.
 * Fixed a PHP warning in Language::getMagic in PHP 5.3
 * Unprotect tab was missing accesskey; now same as protect tab.
 * Cleaned up default main page link accesskey settings
 * Special:Statistics now produces valid HTML when view counters are enabled
 * maintenance/deleteRevision.php on last revision no longer breaks target page
 * Page names with c/g/h/j/s/u + x are now correctly handled in Special:MovePage with Esperanto as content language
 * Fixed regression in GIF metadata loading
 * MediaWiki:Move-subpages and MediaWiki:Move-talk-subpages can now use wikitext
 * DatabaseBase::setFlag, DatabaseBase::clearFlag and DatabaseBase::getFlag now have documentation
 * MediaWiki:License-header is now used for the licensing header in the file description page instead of MediaWiki:License
 * Links to history/deleted edits at the top of Special:RevisionDelete are no longer displayed when doing log suppression
 * Localised parser function names are now correctly case insensitive if they contain non-ASCII characters
 * maintenance/rebuildrecentchanges.php now purges Special:Recentchanges's RSS and Atom feed cache
 * The installer will now try to bypass PHP's max_execution_time
 * SQLite no longer tries to automatically create the database at execution time, this now happens only at install time; if it is not available at script execution, it now throws an exception
 * Fixed hook so the hookError parameter serves a purpose (analogous to  hook)
 * Tag extensions can expand template parameters provided to the tag, by using a new parameter added to the recursiveTagParse function
 * __INDEX__ and __NOINDEX__ no longer override site config set in $wgArticleRobotPolicies.
 * Hidden categories are no longer displayed when printing
 * When changing user rights with User@remotewiki and remotewiki is the local wiki, the user is now treated as the local user
 * OutputPage::getArticleBodyOnly no longer requires a useless argument
 * Protection form JavaScript now synchronizes the expiry boxes on any change, in addition to onkeyup.
 * Don't link to "edit this page" on MediaWiki:Noarticletext if user is not allowed to create page. Done via new message MediaWiki:Noarticletext-nopermission
 * Improved compatibility between the Vector skin and addPortletLink from wikibits.js: empty portlets are now present but hidden, adding an element to a portlet unhides it
 * addPortletLink now wraps inserted labels in a element to be compatible with the CSS for the Vector skin
 * Wrong localized image metadata - duplicated string?
 * Stub threshold's "other" in Special:Preferences now has a correct type="text" parameter
 * Don't include TOC in the printable version if it has been hidden
 * Adjust the time according to the user configuration on Special:Revisiondelete
 * Installation no longer allows "qqq" as the chosen language
 * The installer-created database user will now have all rights on the database so that upgrades will go more smoothly.
 * Special:Export ignores limit, dir, offset parameters
 * User::getBlockedStatus works for all kinds of user objects and doesn't assume the user object is equal to the current-user object ($wgUser)
 * Cancel link from edit page now returns to the old version when editing an old version
 * Installer no longer shows warnings when exec has been disabled by disable_functions
 * Title::getLatestRevID's documentation now says that the function returns false if the page doesn't exist
 * ForeignApiRepo now urldecodes filenames when saving to local cache
 * Fix to Special:Version ViewVC link for branch checkouts
 * wfShellExec was adding extra quotes on Windows Vista, causing command line scripts to fail
 * Parser functions can now be used correctly in MediaWiki:Missing-article
 * "redirected from" is now also shown on foreign file redirects
 * Only display thumbnail column in file history if the image can be rendered.
 * Live preview no longer breaks user CSS/JS previews
 * The file logo on a file description page for documents (PDF, ...) now links to the file rather than the file description page
 * Password fields built with HTMLForm now still have the type="password" attribute if $wgHtml5=false.
 * Preload now works for MediaWiki namespace
 * Search box no longer suggests unavailable special pages
 * "Create this page" on Special:Search is no longer displayed when searching for special pages
 * Hideuser: Show nice error when trying to block hidden user without hideuser right
 * Fixed file redirects on shared repos on non-English client wikis
 * Fixed schema choices from being overwritten by defining unique field names per driver.
 * wgCanonicalSpecialPageName javascript variable is now always false on non-special pages
 * "Other statistics" header on Special:Statistics is no longer displayed when there isn't any entry in it
 * Special:Contributions no longer shows diff links for new revisions
 * MediaWiki:Templatesused, MediaWiki:Templatesusedpreview and MediaWiki:Templatesusedsection now support plural
 * There is no more line wrapping between label and field in Special:Log
 * Fixed SQL errors on Special:Recentchanges and Special:Recentchangeslinked on SQLite backend
 * Fixed updater failure on SQLite backend
 * Fixed invalid HTML in Special:Listgrouprights
 * Installer no longer prompts for user credentials for SQLite databases
 * Installer failed to create a SQLite database
 * Deprecated akeytt removed in wikibits.js, leaving dummy
 * Changing $wgCacheEpoch now always invalidates file cache
 * Fixed row count estimation on SQLite backend
 * Fixed LIKE queries on SQLite backend
 * Moving subpages of titles containing \\ now works properly
 * maintenance/updateArticleCount.php now works again on PostgreSQL
 * Add activeusers-intro message at top of SpecialActiveUsers page
 * Fixed hostname construction for DNSBL checking
 * Users are now warned when moving a file to a name in use on a shared repository and only users with the 'reupload-shared' permission can complete the move.
 * Add missing Postgres INSERT SELECT wrapper
 * User::isValidPassword now only returns boolean results, User::getPasswordValidity can be used to get an error message string
 * The error message shown in Special:ChangePassword now parses wiki markup
 * Removed experimental HTMLDiff feature
 * Removed section edit links in edit conflict form
 * Allow SpecialActiveusers to work on non-MySQL databases
 * Fixed protecting images from uploading only
 * Search index was empty for some pages
 * rebuildrecentchanges maintenance script works on PG again
 * Reduce false positives when checking for PHP (on upload, etc.)
 * Bitrotted tests in the t/ directory were failing.
 * MediaWiki:Sp-contributions-explain is now wrapped in a with id "mw-sp-contributions-explain"
 * Fixed \overleftrightarrow in texvc
 * Fix caching for Recent ChangesFeed.
 * Fixed "Watch this page" checkbox appearing on some special pages even to non-logged in users
 * Rewrote the Squid purge HTTP client to provide a more robust and general implementation of HTTP, allowing it to purge non-Squid caches such as Varnish.
 * Fixed corruption of long UDP debug log messages by using socket_sendto instead of fsockopen with fwrite.
 * Fixed feed links in sidebar not complying with URL parameters of the displayed page
 * memcached class renamed to MWMemcached to avoid conflict with PHP's memcached extension
 * Both calls to hook are now compatible
 * Add missing Accept-Language to both Vary and XVO headers
 * "Edit block reasons" link at the bottom of Special:Blockip is now only displayed to the users that have "editinterface" right
 * Attempting to protect a page that doesn't exist (salting) returns "unknown error"
 * both redirects and links get fixed one after another if redirects-only switch is not present
 * thumbnails rerendered if older than $wgThumbnailEpoch
 * Fixed a bug which in some situations causes the job queue to grow forever, due to an infinite loop of job requeues.
 * Files that can have multiple pages (djvu, pdf, ...) no longer have the page selector when they have only one page
 * "logempty" message is now wrapped in a div with class "mw-warning-logempty" when used in log extract
 * Parser tests were broken on SQLite backend
 * Interwiki urls like http://en.wikibooks.org/wiki/cs: should give a redirect instead of a baderror.
 * Special:MyContributions now keeps the query string parameters
 * Redirecting special pages now keep query string parameters set to "0" (e.g. for namespace)
 * Special:ListGroupRights no longer misses addable and removable groups if there are duplicate entries
 * Message shown when rolling back an edit with a deleted username now shows '(username deleted)' instead of broken user tool links
 * Fixed JavaScript error on Special:Search caused by an incorrect ID
 * RecentChanges RSS feed now always recognises the namespace filter, previously it sometimes didn't due to caching.
 * ProfilerSimpleText no longer outputs comment on action=raw
 * refreshLinks.php now purges orphaned redirect table rows
 * Swap links of hist & diff location on Special:Contributions for consistency with RC/WL
 * Special page names are now capitalized by content language
 * If two log types have the same description, they're now both displayed in the type selector on Special:Log
 * Special:Userlogin title says "Log in / create account" even if the user can't create an account
 * Don't attempt to set the TZ environment variable.
 * User rights log entries for foreign users now link to the foreign user's page if possible
 * Don't load nonexistent CSS fix files for non-Monobook skins
 * Use wfClientAcceptsGzip in wfGzipHandler instead of reimplementing it.
 * First line renders differently on many UI messages.
 * Comments are no longer stripped from MediaWiki:Common.js and skin-specific JS pages
 * Use the more precise thumbcaption, thumbimage and thumbinner classes for image divs.
 * Fixed bug involving unclosed "-{" markup in the language converter
 * No longer include Google logo from an external server on wiki error.
 * Do not truncate if the ellipsis actually makes the string longer
 * Text disappearing after a bad image
 * Internal links like Foo should read 'caption', not 'File:Foo' when Foo is not an image
 * Special:UserRights no longer displays the user name box for users that can only change their rights
 * Special:UserRights now lists automatic groups membership
 * Setting $wgUseExternalEditor to false no longer hides the reupload link from file pages
 * Fix bug introduced in MediaWiki 1.12: The author field in $wgExtensionCredits is no longer sorted with sort but rather used as it appears in extensions as was the case before r30117 where it was unintentionally sorted along with other fields.
 * Textarea no longer jumps when editing longer articles in IE8
 * Truncate summary of page moves in revision comment field to avoid broken multibyte characters
 * ForeignApiRepos no longer try to store thumbnails that don't exist
 * Special:Resetpass now has a "Cancel" button that sends the user to the page set in the &returnto parameter.
 * Search box in Modern skin doesn't focus with Safari/Chrome
 * Users instantly logged off on HughesNet

API changes in 1.16

 * Added uiprop=changeablegroups to meta=userinfo
 * Added usprop=gender to list=users
 * action=purge now works for images too
 * Add parentid to prop=revisions output
 * action=delete returns 'unknownerror' instead of 'permissiondenied' when the user is blocked
 * Added timestamp of new revision to action=edit output
 * Also list hidden revisions in list=usercontribs for privileged users
 * "API must be accessed from the primary script entry point" error
 * Don't display help for format=jsonfm unless specifically requested
 * Added PHP and database version to meta=siteinfo output
 * Add readonly message to meta=siteinfo output
 * Add clprop=hidden to prop=categories
 * Fixed internal error with empty parameter in action=paraminfo
 * Missing descriptions for some parameters in action=paraminfo output
 * Show correct SVN links for extension modules in api.php?version
 * Add version information to action=paraminfo output
 * Add ucprop=size to list=usercontribs
 * Add generator flag to action=paraminfo output
 * Make action=block respect $wgEnableUserEmail and $wgSysopEmailBans
 * Made deleting file description pages without files possible
 * Add content flag to siprop=namespaces output
 * Add siprop=languages to meta=siteinfo
 * Added user and excludeuser parameters to list=watchlist and list=recentchanges
 * Added index, fromtitle and byteoffset fields to action=parse&prop=sections output
 * action=rollback returns wrong revid on master/slave setups
 * action=parse doesn't return section tree on pages with Cite warnings
 * Add anchor field to action=parse&prop=sections output
 * The initial file description page used caption in user lang rather than UI lang
 * Add number of users in user groups to meta=siteinfo
 * Add readonly reason to readonly exception
 * Added XSLT parameter to API queries in format=xml
 * Fix prependtext and appendtext in combination with section parameter in action=edit
 * Added watchlist parameter, deprecated watch and unwatch parameter in action=edit
 * Added fields to list=search output: size, wordcount, timestamp, snippet
 * Where supported by backend, list=search adds a 'searchinfo' element with optional info: 'totalhits' count and 'suggestion' alternate query term
 * $wgCrossSiteAJAXdomains added to allow specified (or all) external domains to access api.php via AJAX, if the browser supports the Access-Control-Allow-Origin HTTP header
 * Made metadata and properties of search results optional. Added srprop and srinfo.
 * Add amprop=default to meta=allmessages to list default value for customized messages
 * Don't parse magic words in meta=allmessages, output messages unparsed
 * list=usercontribs can now list contribs for User:0
 * list=deletedrevs no longer returns only one revision when drcontinue param is passed
 * Deprecated parameters now tagged in action=paraminfo
 * Added support for tags
 * list=allusers no longer returns current timestamp for users without registration date
 * action=edit allows creation of invalid titles
 * Add inprop=watched to prop=info
 * API: Separate summary and initial page text for uploads
 * list=usercontribs returns empty result for empty ucuser
 * meta=userinfo&uiprop=options no longer returns default options for logged-in users under certain circumstances
 * Add chomp control in YAML
 * Expand the thumburl to an absolute url to make it consistent with url and descriptionurl
 * ApiLogin::execute doesn't handle LoginForm :: RESET_PASS
 * API: add prop=headitems to action=parse
 * API: include time in siteinfo
 * Quick edit is still using the deprecated watch parameter (API: Setting default for watch/unwatch wrongly set)
 * blfilterredirect=nonredirects in blredirect mode wrongly filtering
 * Output extension URLs in meta=siteinfo&siprop=extensions
 * Support key-params arrays in 'descriptionmsg' in meta=siteinfo&siprop=extensions
 * YAML output should quote asterisk when used as key
 * safesubst: to allow substitution without breaking transclusion
 * API read of watchlist's wl_notificationtimestamp
 * Expose EditFormPreloadText via the API
 * Comment (edit summary) parser option for API
 * API should provide list of CSS styles to apply to rendered output
 * List possible errors in action=paraminfo
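
The $wgCrossSiteAJAXdomains entry above lets "specified (or all)" external domains read api.php responses cross-origin, so the allow list deserves a review before it goes live. The following is an added example, not MediaWiki's own code: the helper functions are hypothetical, the hostnames are constructed, and the wildcard semantics ('*' for any run of characters, '?' for one character) are an assumption stated in the comments.

```php
<?php
// Added example for configuration review; not MediaWiki's own code.
// All hostnames are constructed.

// Weak setting: any site may read api.php responses cross-origin.
$weak = array( '*' );

// Tighter setting as it would appear in LocalSettings.php.
$wgCrossSiteAJAXdomains = array( 'www.example.org', '*.wiki.example.org' );
$wgCrossSiteAJAXdomainExceptions = array( 'sandbox.wiki.example.org' );

// Assumed wildcard semantics: '*' = any run of characters, '?' = one character.
function wildcardToRegex( $pattern ) {
	$quoted = preg_quote( $pattern, '/' );
	return '/^' . str_replace( array( '\*', '\?' ), array( '.*', '.' ), $quoted ) . '$/i';
}

// True when the host matches at least one pattern in the list.
function matchesAny( $host, array $patterns ) {
	foreach ( $patterns as $p ) {
		if ( preg_match( wildcardToRegex( $p ), $host ) ) {
			return true;
		}
	}
	return false;
}

// An origin is admitted when it matches the allow list and no exception.
function originAllowed( $host, array $allow, array $deny ) {
	return matchesAny( $host, $allow ) && !matchesAny( $host, $deny );
}

// Flag allow-list entries that admit more than one administrative domain.
function auditAllowList( array $allow ) {
	$findings = array();
	foreach ( $allow as $p ) {
		if ( $p === '*' ) {
			$findings[] = "'$p' admits every origin";
		} elseif ( preg_match( '/^\*[^.]/', $p ) ) {
			$findings[] = "'$p' also admits look-alike hosts; use '*.' plus the domain";
		} elseif ( preg_match( '/\*$/', $p ) ) {
			$findings[] = "'$p' has a trailing wildcard and admits arbitrary suffixes";
		}
	}
	return $findings;
}

// Probe both settings with a handful of constructed origins.
$probes = array(
	'www.example.org', 'en.wiki.example.org', 'sandbox.wiki.example.org',
	'wiki.example.org', 'example.net',
);
foreach ( $probes as $host ) {
	printf( "%-26s weak=%s tight=%s\n", $host,
		originAllowed( $host, $weak, array() ) ? 'allow' : 'deny',
		originAllowed( $host, $wgCrossSiteAJAXdomains, $wgCrossSiteAJAXdomainExceptions ) ? 'allow' : 'deny' );
}

// Review a deliberately loose list to see which entries get flagged.
print_r( auditAllowList( array( '*', '*example.org', 'www.example.*' ) ) );
```

Run it with the PHP command-line interpreter and compare the "weak" and "tight" columns; any pattern reported by auditAllowList should be replaced by exact hostnames or a '*.'-prefixed domain.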

Languages updated in 1.16
MediaWiki supports over 330 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of MediaZilla reports.


 * Capiznon (cps) (new)
 * North Frisian (frr) (new)
 * Kirmanjki (kiu) (new)
 * Komi-Permyak (koi) (new)
 * Karachay-Balkar (krc) (new)
 * Latgalian (ltg) (new)
 * Hill Mari (mrj) (new)
 * Prussian (prg) (new)
 * Romagnol (rgn) (new)
 * Rusyn (rue) (new)
 * Lower Silesian (sli) (new)
 * Picard (pcd) (new)
 * Uyghur (Arabic script) (ug-arab) (new)
 * Upper Franconian (vmf) (new)
 * Votic (vot) (new)
 * Eastern Yiddish (ydd) (removed)
 * Iriga Bicolano (bto) (removed)
 * Ladin (lld) (removed)
 * Palembang (plm) (removed)
 * Megleno-Romanian (Greek script) (ruq-grek) (removed)
 * Tamazight (tzm) (removed)
 * Sorani (ckb - Central Kurdish) (renamed from ku-arab)
 * Add PLURAL function for Scots Gaelic (gd)
 * Add Estonian letters äöõšüž to linktrail (et)
 * Native name of Burmese language (my)
 * Use correct Unicode characters in spelling of native Chuvash (Чӑвашла)
 * Updated autonym for Zhuang language
 * Updated date formatting in Occitan (oc)
 * Added ăâîşţșțĂÂÎŞŢȘȚ to Romanian (ro) linktrail
 * Correct commafying function in Polish (pl)
 * Updated date formatting for Lithuanian
 * Added ÄäÇçĞğŇňÖöŞşÜüÝýŽž to Turkmen (tk) linktrail
 * New linktrail for Greek (el)
 * Korean (North Korea) (ko-kp) (new)
 * Fixed "Project talk" namespace name for Maltese (mt)
 * Added áâãàéêçíóôõúü to Portuguese (pt) linktrail
 * Change interwiki link for Kurdish (ku)

Compatibility
MediaWiki 1.16 requires PHP 5.1 (5.2 recommended). PHP 4 is no longer supported.

MySQL 3.23.x is no longer supported; some older hosts may need to upgrade. At this time we still recommend 4.0, but 4.1/5.0 will work fine in most cases.

Upgrading
1.16 has several database changes since 1.15, and will not work without schema updates.

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, some major database changes are made, and there is a slightly higher chance that things could break. Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

Caveats
Some output, particularly involving user-supplied inline HTML, may not produce 100% valid or well-formed XHTML output. Testers are welcome to set $wgMimeType = "application/xhtml+xml"; to test for remaining problem cases, but this is not recommended on live sites. (This must be set for MathML to display properly in Mozilla.)

For notes on 1.15.x and older releases, see HISTORY.