Release notes/1.21


Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it off if you can.

MediaWiki 1.21 is a stable branch and is recommended for use in production.

MediaWiki 1.21.11[edit]

This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.10[edit]

  • (bug 65839) SECURITY: Prevent external resources in SVG files.
  • (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.

MediaWiki 1.21.10[edit]

This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.9[edit]

  • (bug 65501) SECURITY: Don't parse usernames as wikitext on Special:PasswordReset.
  • (bug 36356) Add space between two feed links.

MediaWiki 1.21.9[edit]

This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.8[edit]

  • (bug 63251) SECURITY: Escape sortKey in pageInfo.
  • (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.

MediaWiki 1.21.8[edit]

This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.7[edit]

  • (bug 62497) SECURITY: Add CSRF token on Special:ChangePassword.
  • (bug 62467) Set a title for the context during import on the cli.

MediaWiki 1.21.7[edit]

This is a maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.6[edit]

  • Use the correct branch of the extensions' git repositories.

MediaWiki 1.21.6[edit]

This is a security release of the MediaWiki 1.21 branch.

Changes since 1.21.5[edit]

  • (bug 60771) SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non- whitelisted namespace.
  • (bug 61346) SECURITY: Make token comparison use constant time. It seems like our token comparison would be vulnerable to timing attacks. This will take constant time.
  • (bug 61362) SECURITY: API: Don't find links in the middle of api.php links.

MediaWiki 1.21.5[edit]

This is a security release of the MediaWiki 1.21 branch.

Changes since 1.21.4[edit]

  • (bug 60339) SECURITY: Sanitize shell arguments to DjVu files, and other media formats

MediaWiki 1.21.4[edit]

This is a security release of the MediaWiki 1.21 branch.

Changes since 1.21.3[edit]

  • (bug 57550) SECURITY: Disallow stylesheets in SVG Uploads
  • (bug 58088) SECURITY: Don't normalize U+FF3C to \ in CSS Checks
  • (bug 58472) SECURITY: Disallow -o-link in styles
  • (bug 58553) SECURITY: Return error on invalid XML for SVG Uploads
  • (bug 58699) SECURITY: Fix RevDel log entry information leaks

MediaWiki 1.21.3[edit]

This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.2[edit]

  • (bug 53032) SECURITY: Don't cache when a call could autocreate
  • (bug 55332) SECURITY: Improve css javascript detection
  • (bug 49717) Fix behaviour $wgVerifyMimeType = false; in Upload
  • Fix comma errors in various js files
  • Translations

MediaWiki 1.21.2[edit]

This is a security and maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.1[edit]

  • SECURITY: Fix extension detection with 2 .'s
  • SECURITY: Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed.
  • SECURITY: Sanitize ResourceLoader exception messages
  • Purge upstream caches when deleting file assets.
  • Unit test suite now runs the AutoLoader tests. Also fixed the autoloading entry for the PageORMTableForTesting class though it had no impact.

MediaWiki 1.21.1[edit]

This is a maintenance release of the MediaWiki 1.21 branch.

Changes since 1.21.0[edit]

  • An incorrect version number was used for 1.21.0. 1.21.1 has the correct number.
  • A problem with the Oracle SQL table creation was fixed.
  • (PdfHandler extension) Fix warning if pdfinfo fails but pdftext succeeds.

MediaWiki 1.21[edit]

Configuration changes[edit]

New features[edit]

  • (bug 41769) Add parser method to call parser functions.
  • (bug 38110) Schema changes (adding or dropping tables, indices and fields) can be now be done separately from from other changes that update.php makes. This is useful in environments that use database permissions to restrict schema changes but allow the DB user that MediaWiki normally runs as to perform other changes that update.php makes. Schema changes can be run separately. See the file UPGRADE for more information.
  • (bug 34876) jquery.makeCollapsible has been improved in performance.
  • Added ContentHandler facility to allow extensions to support other content than wikitext. See docs/contenthandler.txt for details.
  • New feature was developed for showing high-DPI thumbnails for high-DPI mobile and desktop displays (configurable with $wgResponsiveImages ).
  • Added new backend to represent and store information about sites and site specific configuration.
  • jQuery upgraded from 1.8.2 to 1.8.3.
  • jQuery UI upgraded from 1.8.23 to 1.8.24.
  • Added separate fa_sha1 field to filearchive table. This allows sha1 searches with the api in miser mode for deleted files.
  • Add initial and programmatic sorting for tablesorter.
  • Add the event "sortEnd.tablesorter", triggered after sorting has completed.
  • The Job system was refactored to allow for different backing stores for queues as well as cross-wiki access to queues, among other things. The schema for the DB queue was changed to support better concurrency and reduce deadlock errors.
  • Added ApiQueryORM class to facilitate creation of query API modules based on tables that have a corresponding ORMTable class.
  • (bug 40876) Icon for PSD (Adobe Photoshop) file types.
  • (bug 40641) Implemented Special:Version/Credits with a list of contributors.
  • (bug 7851) Implemented one-click AJAX patrolling.
  • The <data>, <time>, <meta>, and <link> elements are allowed within WikiText for use with Microdata.
  • The HTML5 <mark> tag has been whitelisted.
  • Added ParserCloned hook for when the Parser object is cloned.
  • Added AlternateEditPreview hook to allow extensions to replace the page preview from the edit page.
  • Added EditPage::showStandardInputs:options hook to allow extensions to add new fields to the "editOptions" area of the edit form.
  • Upload stash DB schema altered to improve upload performance.
  • The following global functions are now reporting deprecated warnings in debug mode: wfMsg, wfMsgNoTrans, wfMsgForContent, wfMsgForContentNoTrans, wfMsgReal, wfMsgGetKey, wfMsgHtml, wfMsgWikiHtml, wfMsgExt, wfEmptyMsg. Use the Message class, or the global method wfMessage.
  • Added $wgEnableCanonicalServerLink , off by default. If enabled, a <link rel=canonical> tag is added to every page indicating the correct server to use.
  • Debug message emitted by wfDebugLog() will now be prefixed with the group name when its logged to the default log file. That is the case whenever the group has no key in wgDebugLogGroups, that will help triage the default log.
  • (bug 24620) Add types to LogFormatter.
  • jQuery JSON upgraded from 2.3 to 2.4.0.
  • Added GetDoubleUnderscoreIDs hook, for modifying the list of magic words.
  • DatabaseUpdater class has two new methods to ease extensions schema changes: dropExtensionIndex and renameExtensionIndex.
  • New preference type - 'api'. Preferences of this type are not shown on Special:Preferences, but are still available via the action=options API.
  • (bug 39397) Hide rollback link if a user is the only contributor of the page.
  • $wgPageInfoTransclusionLimit limits the list size of transcluded articles on the info action. Default is 50.
  • Added action=createaccount to allow user account creation.
  • (bug 40124) action=options API also allows for setting of arbitrary preferences, provided that their names are prefixed with 'userjs-'. This officially reenables the feature that was undocumented and defective in MW 1.20 (saving preferences using Special:Preferences cleared any additional fields) and which has been disabled in 1.20.1 as a part of a security fix (bug 42202).
  • Added option to specify "others" as author in extension credits using "..." as author name.
  • Added the ability to limit the wall clock time used by shell processes, as well as the CPU time. Configurable with $wgMaxShellWallClockTime .
  • Allow memory of shell subprocesses to be limited using Linux cgroups instead of ulimit -v, which tends to cause deadlocks in recent versions of ImageMagick. Configurable with $wgShellCgroup .
  • Added $wgWhitelistReadRegexp for regex whitelisting.
  • (bug 5346) Categories that are redirects will be displayed italic in the category links section at the bottom of a page.
  • (bug 43915) New maintenance script deleteEqualMessages.php.
  • You can now create checkbox option matrices through the HTMLCheckMatrix subclass in HTMLForm.
  • WikiText now permits the use of WAI-ARIA's role="presentation" inside of html elements and tables. This allows presentational markup, especially tables. To be marked up as such.
  • maintenance/sql.php learned the --cluster option. Let you run the script on some external cluster instead of the primary cluster for a given wiki.
  • (bug 20281) test the parsing of inline URLs.
  • Added Special:PagesWithProp, which lists pages using a particular page property.
  • Implemented language-specific collations for category sorting for 67 languages based in latin, greek and cyrillic alphabets. This allows one to *finally* get articles to be correctly sorted on category pages. They are named 'uca-<langcode>', where <langcode> is one of: af, ast, az, be, bg, br, bs, ca, co, cs, cy, da, de, dsb, el, en, eo, es, et, eu, fi, fo, fr, fur, fy, ga, gd, gl, hr, hsb, hu, is, it, kk, kl, ku, ky, la, lb, lt, lv, mk, mo, mt, nl, no, oc, pl, pt, rm, ro, ru, rup, sco, sk, sl, smn, sq, sr, sv, tk, tl, tr, tt, uk, uz, vi.
  • Added 'CategoryAfterPageAdded' and 'CategoryAfterPageRemoved' hooks.
  • Added 'HistoryRevisionTools' and 'DiffRevisionTools' hooks.
  • Added 'SpecialSearchResultsPrepend' and 'SpecialSearchResultsAppend' hooks.
  • (bug 33186) Add image rotation api "imagerotate"
  • (bug 34040) Add "User rights management" link on user page toolbox.
  • (bug 45526) Add QUnit assertion helper "QUnit.assert.htmlEqual" for asserting structual equality of HTML (ignoring insignificant differences like quotmarks, order and whitespace in the attribute list).

Bug fixes[edit]

  • (bug 48306) Chunked uploads allow arbitrary data to be dropped on the server
  • (bug 47271) $wgContentHandlerUseDB should be set to false during the upgrade
  • (bug 46084) Sanitize $limitReport before outputting.
  • (bug 46859) Disable external entities in XMLReader.
  • (bug 47251) Disable external entities in Import.
  • (bug 42649) PHP Fatal error: Call to a member function isLocal() on a non-object in Title.php
  • (bug 46493) Special:ProtectedPages results in whitepage when a bad title is protected
  • (bug 40617) Installer can now customize the logo in LocalSettings.php
  • (bug 40353) SpecialDoubleRedirect should support interwiki redirects.
  • (bug 40352) fixDoubleRedirects.php should support interwiki redirects.
  • (bug 9237) SpecialBrokenRedirect should not list interwiki redirects.
  • (bug 34960) Drop unused fields rc_moved_to_ns and rc_moved_to_title from recentchanges table.
  • (bug 32951) Do not register internal externals with absolute protocol, when server has relative protocol.
  • (bug 39005) When purging proxies listed in $wgSquidServers using HTTP PURGE method requests, we now send a Host header by default, for Varnish compatibility. This also works with Squid in reverse-proxy mode. If you wish to support Squid configured in forward-proxy mode, set $wgSquidPurgeUseHostHeader to false.
  • (bug 37020) sql.php with readline eats semicolon.
  • (bug 11748) Properly handle optionally-closed HTML tags when Tidy is disabled, and don't wrap HTML-syntax definition lists in paragraphs.
  • (bug 41409) Diffs while editing an old revision should again diff against the current revision.
  • (bug 41494) Honor $wgLogExceptionBacktrace when logging non-API exceptions caught during API execution.
  • (bug 37963) Fixed loading process for user options.
  • (bug 26995) Update filename field on Upload page after having sanitized it.
  • (bug 41793) Contribution links to users with 0 edits on Special:ListUsers didn't show up red.
  • (bug 41899) A PHP notice no longer occurs when using the "rvcontinue" API parameter.
  • (bug 42036) Account creation emails now contain canonical (not protocol-relative) URLs.
  • (bug 41990) Fix regression: API edit with redirect=true and lacking starttimestamp and basetimestamp should not cause an edit conflict.
  • (bug 41706) EditPage: Preloaded page should be converted if possible and needed.
  • (bug 41886) Rowspans are no longer exploded by tablesorter until the table is actually sorted.
  • (bug 2865) User interface HTML elements don't use lang attribute. (completed the fix by adding the lang attribute to firstHeading).
  • (bug 42173) Removed namespace prefixes on Special:UncategorizedCategories.
  • (bug 36053) Log in "returnto" feature forgets query parameters if no title parameter was specified.
  • (bug 42410) API action=edit now returns correct timestamp for the new edit.
  • (bug 14901) Email notification mistakes log action for new page creation. Enotif no longer sends "page has been created" notifications for some log actions. The following events now have a correct message: page creation, deletion, move, restore (undeletion), change (edit). Parameter $CHANGEDORCREATED is deprecated in 'enotif_body' and scheduled for removal in MediaWiki 1.23.
  • (bug 457) In the sidebar of Vector, CologneBlue, Monobook, and Monobook-based skins, the heading levels have been changed from (variously per skin) <h4>, <h5> or <h6> to only <h3>s, with a <h2> hidden heading above them. If you are styling or scripting the headings in a custom way, this change will require updates to your site's CSS or JS.
  • (bug 41342) jquery.suggestions should cancel any active (async) fetches before it triggers another fetch.
  • (bug 42184) $wgUploadSizeWarning missing second variable.
  • (bug 34581) removeUnusedAccounts.php maintenance script now ignores newuser log when determining whether an account is used.
  • (bug 43379) Gracefully fail if rev_len is unavailable for a revision on the History page.
  • (bug 42949) API no longer assumes all exceptions are MWException.
  • (bug 41733) Hide "New user message" (.usermessage) element from printable view.
  • (bug 39062) Special:Contributions will display changes that don't have a parent id instead of just an empty bullet item.
  • (bug 37209) "LinkCache doesn't currently know about this title" error fixed.
  • wfMerge() now works if $wgDiff3 contains spaces
  • (bug 43052) mediawiki.action.view.dblClickEdit.dblClickEdit should trigger ca-edit click instead opening URL directly.
  • (bug 43964) Invalid value of "link" parameter in <gallery> no longer produces a fatal error.
  • (bug 44775) The username field is not pre-filled when creating an account.
  • (bug 45069) wfParseUrl() no longer produces a PHP notice if passed a "mailto:" URL without address
  • (bug 45012) Creating an account by e-mail can no longer show a "password mismatch" error.
  • (bug 44599) On Special:Version, HEADs for submodule checkouts (e.g. for extensions) performed using Git 1.7.8+ should now appear.
  • (bug 40326) Check if files exist with a different extension during uploading
  • (bug 34798) Updated CSS for Atom/RSS recent changes feeds to match on-wiki diffs.
  • (bug 42430) Calling numRows on MySQL no longer propagates unrelated errors.
  • (bug 44719) Removed mention of non-existing maintenance/migrateCurStubs.php script in includes/DefaultSettings.php
  • (bug 45143) jquery.badge: Treat non-Latin variants of zero as zero as well.
  • (bug 46151) mwdocgen.php should not ignore exit code of doxygen command.
  • (bug 41889) Fix $.tablesorter rowspan exploding for complex cases.
  • (bug 47489) Installer now automatically selects the next-best database type if the PHP mysql extension is not loaded, preventing fatal errors in some cases.
  • (bug 47202) wikibits: FF2Fixes.css should not be loaded in Firefox 20.

API changes[edit]

Chunked uploads are now disabled by default. You can re-enable them by setting $wgAllowChunkedUploads =true
list=logevents output format changed for details of some log types. Specifically, details that were formerly reported under a key like "4::foo" will now be reported under a key of simply "foo".
'??_badcontinue' error code was changed to '??badcontinue' for all query modules.
  • prop=revisions can now report the contentmodel and contentformat. See docs/contenthandler.txt.
  • action=edit and action=parse now support contentmodel and contentformat parameters to control the interpretation of page content. See docs/contenthandler.txt for details.
  • (bug 35693) ApiQueryImageInfo now suppresses errors when unserializing metadata.
  • (bug 40111) Disable minor edit for page/section creation by API.
  • (bug 41042) Revert change to action=parse&page=... behavior when the page does not exist.
  • (bug 27202) Add timestamp sort to list=allimages.
  • (bug 43137) Don't return the sha1 of revisions through the API if the content is revision-deleted.
  • ApiQueryImageInfo now also returns imageinfo for redirects.
  • list=alltransclusions added to enumerate every instance of page embedding
  • list=alllinks & alltransclusions now allow both 'from' and 'continue' in the same query. When both are present, 'from' is simply ignored.
  • list=alllinks & alltransclusions now allow 'unique' in generators, to yield a list of all link/template target pages instead of source pages.
  • ApiQueryBase adds 'badcontinue' error code if module has 'continue' parameter.
  • (bug 35885) Removed version parameter and all getVersion() methods.
  • action=options now takes a "resetkinds" option, which allows only resetting certain types of preferences when the "reset" option is set.
  • (bug 36751) ApiQueryImageInfo now returns imageinfo for the redirect target when queried with &redirects=.
  • (bug 31849) ApiQueryImageInfo no longer gets confused when asked for info on a redirect and its target.
  • (bug 43849) ApiQueryImageInfo no longer throws exceptions with ForeignDBRepo redirects.
  • On error, any warnings generated before that error will be shown in the result.
  • action=help supports generalized submodules (modules=query+value), querymodules obsolete
  • ApiQueryImageInfo continuation is more reliable. The only major change is that the imagerepository property will no longer be set on page objects not processed in the current query (i.e. non-images or those skipped due to iicontinue).
  • Add supports for all pageset capabilities - generators, redirects, converttitles to action=purge and action=setnotificationtimestamp.
  • (bug 43251) prop=pageprops&ppprop= now accepts multiple props to query.
  • ApiQueryImageInfo will now limit the number of calls to File::transform made in any one query. If there are too many, iicontinue will be returned.
  • action=query&meta=siteinfo&siprop=general will now return the regexes used for link trails and link prefixes. Added for Parsoid support.
  • Added an API query module list=pageswithprop, which lists pages using a particular page property.
  • Added an API query module list=pagepropnames, which lists all page prop names currently in use on the wiki.
  • (bug 44921) ApiMain::execute() will now return after the CORS check for an HTTP OPTIONS request.
  • (bug 44923) action=upload works correctly if the entire file is uploaded in the first chunk.
  • Added 'continue=' parameter to streamline client iteration over complex query results
  • (bug 44909) API parameters may now be marked as type "upload", which is now used for action=upload's 'file' and 'chunk' parameters. This type will raise an error during parameter validation if the parameter is given but not recognized as an uploaded file.
  • (bug 44244) prop=info may now return the number of people watching each page.
  • (bug 33304) list=allpages will no longer return duplicate entries when querying protection.
  • (bug 33304) list=allpages will now find really old indefinite protections.
  • (bug 45937) meta=allmessages will report a syntactically invalid lang as a proper error instead of as an uncaught exception.
  • (bug 48542) SpecialStatistics::getOtherStats() now uses the user language.

API internal changes[edit]

ApiPageSet constructor now has two params instead of three, with only the first one keeping its meaning. ApiPageSet is now derived from ApiBase.
ApiQuery::newGenerator() and executeGeneratorModule() were deleted.
  • For debugging only, a new global $wgDebugAPI removes many API restrictions when true. Never use on the production servers, as this flag introduces security holes. Whenever enabled, a warning will also be added to all output.
  • ApiModuleManager now handles all submodules (actions,props,lists) and instantiation
  • Query stores prop/list/meta as submodules
  • ApiPageSet can now be used in any action to process titles/pageids/revids or any generator.
  • ApiQueryGeneratorBase::setGeneratorMode() now requires a pageset param.
  • $wgAPIGeneratorModules is now obsolete and will be ignored.
  • Added flags ApiResult::OVERRIDE and ADD_ON_TOP to setElement() and addValue()
  • Internal API calls will now include <warnings> in case of unused parameters

Languages updated[edit]

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.

  • South Azerbaijani (azb) added.
  • (bug 30040) Autonym for nds-nl is now 'Nedersaksies' (was 'Nedersaksisch').
  • (bug 45436) Autonym for pi (Pali) is now 'पालि' (was 'पाळि').
  • (bug 34977) Now formatted numbers in Spanish use space as separator for thousands, as mandated by the Real Academia Española.
  • (bug 35031) Kurdish formatted numbers now use period and comma as separators for thousands and decimals respectively.

Other changes[edit]

  • Experimental IBM DB2 support was removed due to lack of interest and maintainership.
(bug 44385) Removed the jquery.collapsibleTabs module and moved it to the Vector extension. It was entirely Vector-extension-specific, deeply interconnected with the extension, and this functionality really belongs to the extension instead of the skin anyway. In the unlikely case you were using it, you have to either copy it to your extension, or install the Vector extension (and possibly disable its features using config settings if you don't want them).
Filenames of maintenance scripts were standardized into lowerCamelCase format, and made more explicit:
  • clear_stats.php → clearCacheStats.php
  • clear_interwiki_cache.php → clearInterwikiCache.php
  • initStats.php → initSiteStats.php
  • proxy_check.php → proxyCheck.php
  • stats.php → showCacheStats.php
  • showStats.php → showSiteStats.php.
Class names were renamed accordingly:
  • clear_stats → ClearCacheStats
  • InitStats → InitSiteStats
  • CacheStats → ShowCacheStats
  • ShowStats → ShowSiteStats.
(bug 38244) Removed the mediawiki.api.titleblacklist module and moved it to the TitleBlacklist extension.


MediaWiki 1.21 requires PHP 5.3.2 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle.

The supported versions are:

  • MySQL 5.0.2 or later
  • PostgreSQL 8.3 or later
  • SQLite 3.3.7 or later
  • Oracle 9.0.1 or later


1.21 has several database changes since 1.20, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.19.x and older releases, see HISTORY.

Online documentation[edit]

Documentation for both end-users and site administrators is available on, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

Mailing list[edit]

A mailing list is available for MediaWiki user support and discussion: A low-traffic announcements-only list is also available: It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help[edit]

There's usually someone online in the IRC channel #mediawiki connect.