== MediaWiki 1.39.17 ==

This is a maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.14 ===

* Localisation updates.
* (T406664, T412602) Fix backport for T406664.

== MediaWiki 1.39.16 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.15 ===

* Localisation updates.
* (T406391) RemexCompatFormatter: Don't encode HTML entities in raw-text elements.
* (T401155) Update wikimedia/ip-utils to 5.0.0.
* ResourceLoader: Update cssjanus/cssjanus to wikimedia/cssjanus.
* (T407289) i18n: Deprecate double-underscore magic words which don't start/end with __.
* i18n: All behavior switches should start/end with __ (part 2).
* (T407289) i18n: Remove deprecated behavior switches without underscores in et/sh-latn/vep.
* (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by default.
* (T406664, CVE-2025-67475) SECURITY: Escape square brackets in autocomment links.
* (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail encoded-words.
* (T407131, CVE-2025-67479) SECURITY: Sanitizer: Disallow underscore and wide underscore in data-* attribute names.
* (T401053, CVE-2025-67480) SECURITY: Check read permissions in ApiQueryRevisionsBase.
* (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in client-side messages (jqueryMsg).

== MediaWiki 1.39.15 ==

This is a maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.14 ===

* Fixup VisualEditor related backports.
* (T406322, CVE-2025-11261) SECURITY: Escape system messages in mw.language.listToText.

== MediaWiki 1.39.14 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.13 ===

* Localisation updates.
* (T399672) mime: Add mime types for *.less.
* ParserCacheSerializationTestCases: Backport ParserOutput changes from 1.45.
* ParserCacheSerializationTestCases: Distinguish empty ToC from missing ToC.
* Fix attachLatest --regenerate-all creating invalid SQL command.
* (T322099) Make RequestContext::sanitizeLangCode() accept null.
* (T380456) exception: Avoid service container init in exception handler.
* diff: Avoid Phan warning with some Wikidiff2 versions.
* (T387408) exception: Skip use of HookRunner when not autoloaded.
* (T327439) ParserOutput: Prepare to allow JsonCodec serialization of TOCData.
* media: Remove pass-by-ref in Exif::exifGPStoNumber.
* (T386208) Exif: Handle malformed GPS tags.
* i18n: Add Special:MyLanguage to mediawiki.org links.
* (T380423) Show user a human readable message when $wgLocaltimezone is set to an invalid timezone.
* (T374042) PostgresUpdater: Fix typo in sites_group index renaming instruction.
* (T401570) rdbms: Fix read-only detection for MariaDB 12.
* (T400881) filerepo: Improve identification of ForeignAPIRepo requests.
* (T402037) config: Change Reauthenticate Time Default.
* SimpleParsoidOutputStash: Protect against rollback from MW >= 1.43.
* (T401099, CVE-2025-61638) Upgrading wikimedia/parsoid (v0.16.5 => v0.16.6).
* (T394968) Metadata: Ignore LocationCreated, similar to LocationShown.
* (T304428) Allow marking recent changes about logged actions with bot flag.
* (T400505) Regenerate patch-drop-page_restrictions-pr_user.sql for SQLite.
* (T401099, CVE-2025-61638) SECURITY: Sanitize data- attributes.
* (T280413, CVE-2025-61639) SECURITY: Use ManualLogEntry::getDeleted in ::getRecentChange.
* (T402075, CVE-2025-61640) SECURITY: Parse messages instead of inserting them as HTML.
* (T298690, CVE-2025-61641) SECURITY: api: Disable maxsize in QueryAllPages in miser mode.
* (T403757, CVE-2025-61643) SECURITY: Don't send suppressed recent changes to RCFeeds.
* (T398706, CVE-2025-61646) SECURITY: Prevent leaking hidden usernames in Watchlist/RecentChanges.

== MediaWiki 1.39.13 ==

This is a security and maintenance release of the MediaWiki 1.39 branch.

=== Changes since 1.39.12 ===

* Localisation updates.
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391867) http: Handle Accept header with incomplete q.
* Update Pingback address.
* (T393879) objectcache: Cast explicitly to integer.
* (T394989) FormatMetadata::formatFraction: Don't risk passing null to preg_match.
* (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
* (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param to string.
* (T221560) Remove hyphens from legal search characters for MySQL-based database searches.
* ParserCache forward-compatibility: Anticipate removal of OutputHooks.
* Protect against ParserOutput/CacheTime re-namespacing.
* ParserCache forward-compatibility: Anticipate removal of TOCHTML.
* SerializationTestUtils: Handle 1.xx_wmf* versions; don't fail immediately.
* AuthManager: Be consistent about the remember flag on autocreate.
* (T397883, T397643) htmlform: Fix min/max validations on empty input in int/float fields.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in action=feedcontributions.
* (T396230, T31856, CVE-2025-6593) SECURITY: Fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when invalid 'format' is provided.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login for reauthentication.