MediaWiki 1.28

MediaWiki 1.28 is the latest release of MediaWiki.

Consult the  file for the full list of changes.

It was deployed on Wikimedia Foundation wikis through incremental "wmf"-branches starting May 10, 2016.

The 1.28.0 stable release was released on November 28, 2016.

Download the or checkout the   branch download>Special:MyLanguage/Download from Git|in Git to follow this release.

Improved HTML file caching
The HTML file caching feature (controlled by ) now supports caching ?action=history views (310697). In addition, the emergency fallback of showing cached pages if the database is down was fixed and now works properly.

Breaking changes

 * Magic links are now disabled by default. They can be enabled by changing the value of . It has been proposed to remove magic link functionality from MediaWiki in a future release, if you depend upon or use them it is requested that you comment at Requests for comment/Future of magic links.

Changes since 1.28.0-rc1

 * Replace with  on db errors.
 * Only apply to postgres/mssql.
 * Introduce separate log action for deleting pages on move.
 * Bypass login page if no user input is required.

Changes since 1.28.0-rc0

 * The changes to move the parser "NewPP limit report" from a HTML comment to a machine-readable JavaScript config option '' have been undone. They caused the human-readable limit report to be shown incompletely or not at all.  and   behave as they did in MediaWiki 1.27 again.
 * Value of  parser function will not be used for the text of subheadings on a category page when creating it. This wasn't working correctly.
 * MediaWiki will no longer try to perform a HTTP redirect to the canonical pretty URL when a non-pretty URL is used. It resulted in redirect loops in some clients and in some server configurations. This undoes a change made in MediaWiki 1.26.
 * was removed.

Configuration changes in 1.28

 * now affects status code of action=history if the page is not there.
 * BREAKING CHANGE: is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
 * The entry point now enforces the existing policy of not allowing access to session data, which includes the session user and the session user's language. If such access is attempted, an exception will be thrown.
 * The number of internal PBKDF2 iterations used to derive the session secret is configurable via.
 * Upload dialog's file upload log comment can now be configured separately for local and foreign uploads.
 * now defaults to `[ 'local' ]`, where `'local'` signifies local uploads. A value of `[]` (empty array) now means that no upload targets are allowed, effectively disabling the upload dialog.
 * The deprecated $wgEditEncoding variable has been removed; it was only used for Esperanto language character conversion. You are now recommended to use input methods provided by the UniversalLanguageSelector extension.
 * When is true, MediaWiki will periodically ping beacon with basic information about the local MediaWiki installation. This data includes, for example, the type of system, PHP version, and chosen database backend. This behavior is off by default.
 * When is true, MediaWiki will label the button to store-to-database-and-show-to-others as "Publish page"/"Publish changes"; if false, the default, they will be "Save page"/"Save changes".
 * The ' ' permission is now granted to all logged-in users (' '). instead of just administrators (' '). Documentation for this feature is available at Help:ChangeContentModel.
 * is now set to one week by default instead of being disabled.
 * Magic links are now disabled by default, and can be re-enabled by modifying the value of . Their usage is discouraged, but if they are manually enabled, a tracking category will be added to help identify usage and make it easier to migrate away from. If you depend upon magic link functionality, it is requested that you comment on Requests for comment/Future of magic links and explain your use case(s).
 * New config variable to control what URLs to ignore in upcoming Content-SECURITY-Policy feature's reporting.

New features in 1.28

 * method for checking if an account is a bot role account.
 * Added a new ' ' mode for galleries.
 * Added a new hook, '', to aid in determining if a user is a bot.
 * Added a new hook, '', to allow extensions to better interact with API parsing.
 * Added a new hook, '', which can be used to reject a file upload. Unlike 'UploadVerifyFile' it provides information about upload comment and the file description page, but does not run for uploads to stash.
 * Extensions can now provide a better error message when their maintenance scripts are run without the extension being installed.
 * Numeric sorting in categories is now supported by setting to ' ' or ' '. If you can't use UCA collations, a 'numeric' collation is also available. If migrating from another collation, you will need to run the  maintenance script.
 * Two new codes have been added to #time parser function: "xit" for days in current month, and "xiz" for days passed in the year, both in Iranian calendar.
 * has a new option,, to use   (Unit Separator) when appropriate for sending multi-valued parameters. This defaults to true when the   instance seems to be for the local wiki.
 * After a client performs an action which alters a database that has replica databases, MediaWiki will wait for the replica databases to synchronize with the master database while it renders the HTML output. However, if the output is a redirect to another wiki on the wiki farm with a different domain, MediaWiki will instead alter the redirect URL to include a ?cpPosTime parameter that triggers the database synchronization when the URL is followed by the client. The same-domain case uses a new cpPosTime cookie.
 * Added new hooks, , , and '', to make it easier for extensions to add 'prop' and 'show' parameters to existing API query modules.

Upgraded external libraries

 * Updated es5-shim from v4.1.5 to v4.5.8
 * Updated composer/semver from v1.4.1 to v1.4.2
 * Updated wikimedia/php-session-serializer from v1.0.3 to v1.0.4

New external libraries

 * Added wikimedia/scoped-callback v1.0.0
 * Added wikimedia/wait-condition-loop v1.0.1

Bug fixes in 1.28

 * action=history pages should return 404 HTTP error code if the page does not exist
 * SECURITY: XSS in unclosed internal links
 * SECURITY: Escape '<' and ']]>' in inline  blocks
 * SECURITY: Require login to preview user CSS pages
 * SECURITY: Do not allow undeleting a revision deleted file if it is the top file
 * SECURITY: Make also restrict logged in permissions
 * SECURITY: Make blocks log users out if is true
 * Move 'UserGetRights' call before application of

Action API changes in 1.28

 * Added 'maxarticlesize' property to action=query&meta=siteinfo which contains the value of.
 * Property 'modulemessages' from action=parse&prop=modules was removed (deprecated since 1.26).
 * The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state.
 * Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
 * Submitting sensitive authentication request parameters to action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata in the query string is now deprecated and outputs a warning. They should be submitted in the POST body instead.
 * Multi-valued parameters may now be separated using U+001F (Unit Separator) instead of the pipe character. This will be useful if some of the multiple values need to contain pipes, e.g. for action=options.
 * The API will now warn if input is not NFC-normalized Unicode or if it contains invalid characters.
 * The 'normalized' list output by action=query and other modules that use ApiPageSet may contain entries where the 'from' value is percent-encoded as the raw value cannot be represented in a valid API response. These are indicated by a 'fromencoded' boolean alongside the existing 'from' parameter.
 * action=paraminfo can now return info about all submodules of a module without listing them all explicitly.
 * It is now possible to assert that the current user is a specific named user, using the 'assertuser' parameter.
 * Added a 'known' property when missing-but-known titles (e.g. from the '' hook) are output in various modules.

Action API internal changes in 1.28

 * Added a new hook, '', to allow extensions to better interact with ApiParse and ApiExpandTemplates.
 * SECURITY: API: Generate head items in the context of the given title
 * SECURITY: Check read permission when loading page content in ApiParse
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.24)
 * was removed (deprecated since 1.24)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * was removed (deprecated since 1.25)
 * Added new hooks, , , and '', to make it easier for extensions to add ' ' and ' ' parameters to existing API query modules. A query module can enable these hooks by passing an array for to   and by   before adding a row's data to the result.

Languages updated in 1.28
MediaWiki supports over 375 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.


 * ban (Balinese), thanks to translators Adi Mayndra, Andru, BASAbali, M. Adiputra, Naval Scene, Nemo bis, NoiX180, and 아라.
 * shn (Shan), thanks to translators Khun Sar, Piangpha, Saiddzone Saimawnkham, Saosukham, and Sengwan.
 * Czech (cs) and Slovak (sk) set as reciprocal fallbacks.
 * Livvi-Karelian (olo) namespace messages created thanks to translator Ilja.mos.

Other changes in 1.28

 * Improved handling of large diffs.
 * [BREAKING CHANGE] has been removed. You can use or update a custom session provider if needed.
 * Deprecated hook in favor of.
 * The  hook is deprecated. Use  instead.
 * was removed (deprecated since 1.25).
 * The '' hook has a new parameter to differentiate between actual login and visiting the login page while already logged in.
 * was removed (deprecated since 1.24).
 * was removed (deprecated since 1.24).
 * was removed (deprecated since 1.24).
 * was removed (deprecated since 1.24).
 * and  were deprecated; please instead use MediaWiki\Linker\LinkRenderer. In addition, the  and  hooks were replaced by  and  respectively. See docs/hooks.txt for the specific changes needed for those hooks.
 * was deprecated. Use  directly.
 * Aliases for Linker methods, deprecated since 1.21, were removed from Skin:
 * instead)
 * (use  instead)
 * (use  instead)
 * (use  instead)
 * (use  instead)
 * (use  instead)
 * Disabled "bug 2702" HTML tidying of parsed UI messages on wikis where Tidy is disabled.
 * was removed (deprecated since 1.21).
 * and  were deprecated. Use ...->stashFile->getFileKey instead.
 * "Public domain" was removed as a wiki license option from the installer, in favour of CC-0.
 * is now changed from  to   on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple   requests.
 * OOjs UI PHP widgets constructed with the ` ` config option will no longer be automatically infused. You should call `OO.ui.infuse` on them yourself from your JavaScript code.
 * has moved to tests/parser/parserTests.php
 * The command line options specific to parser tests have been removed from :  and  . Instead of , use  . Instead of  , use the same option to , but you must specify a directory with.
 * The ' ' ResourceLoader module is now deprecated.
 * and  were removed. Callers should migrate to using the same functions on a ProxyLookup instance, obtainable from MediaWikiServices.
 * The, , , , , , and  hooks will now emit deprecation warnings if used.
 * CSS3  function with   type is no longer allowed in inline styles.
 * is deprecated, use  instead.

Compatibility
MediaWiki 1.28 requires PHP 5.5.9 or later. There is experimental support for HHVM 3.6.5 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, butsupport for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server.

The supported versions are:
 * MySQL 5.0.3 or later
 * PostgreSQL 8.3 or later
 * SQLite 3.3.7 or later
 * Oracle 9.0.1 or later
 * Microsoft SQL Server 2005 (9.00.1399)