Officers of the church Ministry support pages available: Children Elders Life Groups Praise Team Block Party Serving schedules: Home Visitation Meditation |
PmWiki /
Release NotesSee also: Upgrades, Change log, Download and Road map. Version 2.3.38 (2024-11-03)This version includes updates for recent PHP versions for PmForm and Notify. For PmForm, a new variable The variable $UploadBlockPatterns = '*.php*,*.pl*,*.cgi*,*.py*'; # disallow common script files Uploading files matching the patterns will be rejected.
WikiStyles now accept inline A new helper function Version 2.3.37 (2024-08-21)This version adds new variables The "minor checkbox" label is now part of the
A new page variable Minor improvements to the pmwiki-responsive skin, to PmSyntax, to in-page anchor tags, and the documentation was updated. Full change log. Version 2.3.36 (2024-08-07)This version introduces a drag-and-drop feature for uploads, which can be enabled using The release also includes a fix for PHP 8 and updated documentation. Version 2.3.35 (2024-07-07)This version updates links in the default sidebar to the HTTPS scheme, and places the links to PITS (issue tracking) and Mailing lists in a conditional for editors only. Minor improvements to PmSyntax. It is now possible to show the source text of a wiki page highlighted by opening A minor bug with escaped strings in page titles was fixed, and the documentation was updated. Version 2.3.35 for security reasons removes the upload types "svg", "svgz", "htm", "html", "css", "swf", "fla", "epub". In some cases, those file formats may allow scripting and potentially open XSS vulnerabilities. Existing uploads with these extensions will not be affected. Wiki administrators who only allow trusted users to upload, can re-enable the extensions that they require with the following lines in config.php: # NOTE: Only enable extensions that you require # files with no extension, the type may be auto-detected by the server $UploadExts[''] = 'text/plain'; # SVG images may contain scripting $UploadExts['svg'] = 'image/svg+xml'; $UploadExts['svgz'] = 'image/svg+xml'; # Epub may contain scripting and be opened by a browser extension $UploadExts['epub'] = 'application/epub+zip'; # Flash files may contain scripting on older browsers # but are no longer supported by recent browsers $UploadExts['swf'] = 'application/x-shockwave-flash'; $UploadExts['fla'] = 'application/vnd.adobe.fla'; # HTML may contain scripting $UploadExts['html'] = $UploadExts['htm'] = 'text/html'; # CSS, if loaded by a browser, may request external resources # and thus reveal your visitors to external websites $UploadExts['css'] = 'text/css'; Additionally, a few more upload extensions are considered for deprecation and removal from the core in early 2025. Please join the discussion: https://www.pmwiki.org/wiki/PITS/01509. Version 2.3.34 (2024-05-27)This version adds a new conditional markup for the current wiki action like Version 2.3.33 (2024-04-21)This version includes updates for PHP 8, improvements to the responsive skin, to the preview changes mode, to conditional markup handling, and the documentation was updated. PmSyntax will now colorize links in double brackets. A new variable Version 2.3.32 (2024-03-24)This version includes improvements for the dark color scheme, restoring a light scheme for printing. Pictures with a white background may appear too bright on a dark theme, so a new variable New image and upload extensions AVIF and AVIFS were added, FileSizeCompact() was refactored to allow decimal file sizes, Recent changes pages will be locked to prevent blanking in case of concurrent uploads, and the documentation was updated. Version 2.3.31 (2024-02-23)This release includes improvements to the color sets of the dark theme for the PmWiki-responsive skin, and for the PmSyntax highlighting. The dark toggle icons are now 3-state, rotating between Light, Dark, and Auto (browser/system preference), and an annotation tooltip near the icon displays the current mode. The dark theme functions detecting, storing, and restoring visitor preferences can be reused by other skins, and a new variable The page attributes form where passwords and permissions are defined, can now add or remove passwords, users, or groups, without the need to rewrite the full definition. If for example you need to add a new password and a group without removing existing permissions, type " + MyNewPassword @newgroup Edit templates entries can now include page patterns where the template should be used. For example: The function PrintFmt() was refactored to process markup and wiki pages before outputting HTML headers, which would allow for markup, headers, footers, sidebars included from the skin, and action pages like the Auth form, to configure $EnablePrePrintFmt = 0; The variable RecipeCheck was updated to also list skins and report their versions. Other minor changes include: the "form" attribute was added to input fields; WikiStyles accept a new property 'columns', Version 2.3.30 (2024-01-22)Publishing my 176th PmWiki release, this milestone coincides with 15.0 years of me (Petko) serving as core developer. Here are some new developments that may be interesting. Dark color theme: The PmWiki-responsive skin has new styles for a user-activated dark/night scheme, with dark backgrounds and light texts. A dark theme can be softer on the eyes if used at night or in dark rooms. An icon to toggle the styles is placed near the search box in the header. It is possible to place toggle icons and/or labels in wiki pages, headers, footers, sidebars, to toggle stylesheets, and all functions can be easily reused in other skins, and with syntax highlighting, see Cookbook:DarkColorScheme. PmSyntax: We added styles for the new dark color theme. These may be improved in the future. PmWiki logo: A new logo in SVG format was added to pub/skins/pmwiki, and the variable $FarmPubDirUrl = $PubDirUrl; # if not already defined $PageLogoUrl = "$FarmPubDirUrl/skins/pmwiki/pmwiki-32.gif" Page history: A significant improvement in the word-diff highlighting precision. Uploads: Various fixes for Forms: The input field Quiet redirects: With the directive The release includes a few other minor fixes and the documentation was updated. Version 2.3.29 (2023-12-18)This version includes a fix for PHP 8.2 and improvements to the PmSyntax functions, markup directives defined in Version 2.3.28 (2023-11-27)This version adds new form input types "month" and "color". A new variable The "simpletable" zebra backgrounds are now reversed when the table has a <thead> element, in order to have dark-light-dark rows instead of dark-dark-light. With UrlApprovals, if a URL with the insecure http: scheme has been approved, URLs with the secure https: scheme to the same domain name will be automatically approved (not the other way around). Some utility JavaScript functions should now work better when localStorage is not available. The documentation was updated. Version 2.3.27 (2023-10-23)This version includes fixes for PHP 8, and for time formats with an invalid timezone. When merging the last edit without an edit summary, it will now reuse the previous edit summary. The ".diffmarkup" element now has the style "white-space: pre-wrap" - if a custom skin disables core styles you may want to update the skin styles. When The documentation was updated. Version 2.3.26 (2023-09-28)This version includes updates for PHP 8.2, customizable HTML snippets for trails and input labels. It is now possible to configure searching for "at least one" term among many, as opposed to currently searching for all terms. Extensions are now removed from the Version 2.3.25 (2023-07-29)This version includes updates for PHP 8.2. Some core markup directives were refactored to prevent very rare bugs. The documentation was updated. Version 2.3.24 (2023-06-06)This version includes some code refactoring, and a new helper function InsertEditFunction() to simplify the reuse of core functionality by recipes. It is now possible to configure the merging of the latest edits by the same author into a single history entry, see New configuration variables PmForm now can validate an email address field with the "template require FIELD if=validemail" condition. A few other minor improvements in the change log, and the documentation was updated. Version 2.3.23 (2023-05-03)This version implements session tokens to prevent potential cross-site request forgery vulnerabilities, suggested by Dominique Faure. Most core actions that modify pages or files should have this enabled and should work like before. This new feature can be disabled by setting these variables in config.php: $EnablePmToken = 0; # edit, upload, attributes, approveurls $PmFormEnablePmToken = 0; # PmForm Some installations might encounter the error message "Token invalid or missing". These can include custom edit forms, automated scripts posting to the wiki, AJAX posting text or uploads used by some recipes, or partial upgrades where some core scripts haven't been updated. Most of these should be easy to update -- please check if you're using the latest recipe versions, otherwise report such cases to us -- otherwise you may selectively disable the feature. See Upgrades#pmtoken. A form element The version also includes a minor code refactoring, a bug fix, and the documentation was updated. Version 2.3.22 (2023-04-06)This version adds to the core the Cookbook:PmForm recipe (script and templates), not enabled by default. This is in order to reduce my workload, and future updates to PmForm will be made only in the core version. If you already use PmForm, you can enable the core script, by modifying your A bug was fixed with PageLists with multiple Version 2.3.21 (2023-03-06)This version includes updates for PHP 8, and bug fixes with sortable tables and multiline New features include: the upload extension CSV, Version 2.3.20 (2023-02-12)This version fixes an unidentified variable warning introduced yesterday in 2.3.19. Version 2.3.19 (2023-02-11)This version includes fixes for recent PHP versions, new helper functions, new variables allowing more customization, and the documentation was updated. Work is underway to define and implement a new family of self-contained recipes "Modules" which should be easier to install, configure and update. It may be possible to easily update your modules and skins either from a remote Git/SVN repository, or by simply dropping a ZIP file into the "modules" directory, and use a wiki-based editor to enable and configure them. Nothing will change for existing recipes, and they will not need to be updated; this will be an entirely optional new interface. Let me know if you can suggest features/scopes added to the wishlist. PmWiki too may be able to run directly from the read-only release ZIP archive, without the need to unzip it first. Again, this will be entirely optional, the current ways will continue to work as before, and slightly faster than the ZIP version (approx. 2% faster in my benchmarks). Version 2.3.18 (2023-01-15)This version fixes a bug with user groups in with conditional markup, includes updates for PHP 8, minor improvements to the edit textarea and to the syntax highlighting. A helper function pm_json_encode() was added for servers where the PHP-JSON extension is not enabled. The documentation was updated. Version 2.3.17 (2022-12-17)This release has updates for recent PHP versions. The edit textarea had some improvements. Edit buttons and the automatic edit text will now insert their wiki markup in a way which allows for the "undo" function in the text area to work (with Ctrl+Z). The edit textarea (with A new variable Conditional markup A few minor bugs and omissions were fixed, and the documentation was updated. Version 2.3.16 (2022-11-28)This version fixes a bug with some skins introduced in 2.3.15 last week, and reverts PrePrintFmt(). New WikiStyles 'notoc' and 'overflow' were added. PmTOC Table of contents, and the list of included pages in the edit form, now use classnames instead of style attributes. PmSyntax fixes a font-size alignment bug with nested programming languages, and has been optimized for large pages. A few more minor bugs were fixed, including for PHP 8, and the documentation was updated. Version 2.3.15 (2022-11-21)Security: Closed a potential XSS vulnerability discovered today. Your wiki may be at risk if untrusted people can edit your pages. HTTP headers: CSP updated, XSSP added. Both can be disabled or modified by changing the $HTTPHeaders values. Cookies: Added a new variable PmSyntax: A new CSS variable Responsive skin: The font size for "pre" and "code" elements is now scalable/relative to the paragraph font size rather than fixed. This works better in headings or small text blocks. GUI edit buttons: Part of these functions were rewritten to avoid 'unsafe inline' JavaScript. While default and most custom buttons should work without change, you should no longer need to url-encode some characters like % or add backslashes. If you have such buttons, you may need to update their declarations to strip the extra backslashes. WikiStyles: Refactored to move all inline WikiStyles to the Tables and block markup: Replaced inline The function PrintFmt() was refactored to process skin parts, skin functions, markup, and wiki pages, before sending the HTTP and HTML headers. This allows for wikistyles and recipes in sidebars and footers to add their configuration to the headers. If you have questions or difficulties upgrading, please contact us. Version 2.3.14 (2022-11-03)This version includes fixes for recent PHP versions and for 2 minor bugs (searchbox wrongly encoded entities and The "disabled obsolete markup" tooltip now includes the file path and the line number of the markup rule definition. PmSyntax now recognizes The documentation was updated. Version 2.3.13 (2022-10-07)This version closes a potential XSS vulnerability, reported by lukystreik. A new variable Version 2.3.12 (2022-09-25)This version has a few fixes for PHP8. Complex conditionals with empty page variables could cause errors, now fixed. Form elements with values like "0" could appear empty, now fixed. The PSFT() function and the Version 2.3.11 (2022-08-30)This version fixes the function stripmagic(), when used with arrays (a recent update for PHP 8 broke it). New PageVariables derived from a Group's homepage are now available: A new helper function should simplify recipes with custom markup directives of the format: (:mydirective arg=val param="other value":)...(:mydirectiveend:) .
See the documentation at Cookbook:MarkupDirectiveFunctions. The core documentation was updated. Version 2.3.10 (2022-08-20)This version includes updates for PHP 8. Wildcard Version 2.3.9 (2022-08-18)This version includes updates for PHP 8. Non-wildcard Version 2.3.8 (2022-07-22)This version fixes a bug caused by a recent update for PHP 8 with the include markup: When the first page doesn't exist, it didn't check for the other pages (now fixed). In addition, PmSyntax was improved when more than one inline blocks are on the same line, and the documentation was updated. Version 2.3.7 (2022-06-28)This version sets default HTTP headers X-Frame-Options (reported by Imagine Dragon) and Content-Security-Policy to disallow embedding in external websites by default and clickjacking attempts. Should you require the previous behavior, you can add this line to local/config.php: unset($HTTPHeaders['XFO'], $HTTPHeaders['CSP']);
The documentation was updated. Version 2.3.6 (2022-06-19)This version contains fixes for PHP 8. A form attribute "lang" was added. Sortable tables now allow for table headers to have markup such as bold (except links), and will use a case-insensitive natural ordering. Searchbox now has a default placeholder
For developers: $UploadVerifyFunction can now modify $upname, and a variable The documentation was updated. Version 2.3.5 (2022-05-23)This version fixes a bug with The version also contains fixes for PHP 8 and documentation updates. Version 2.3.4 (2022-04-22)This version includes fixes for PHP 8 and documentation updates. Version 2.3.3 (2022-03-26)This version includes fixes for PHP 8 and documentation updates. Version 2.3.2 (2022-02-09)This version includes bug fixes and updates for PHP 8.1. The core variable $EnableIncludedPages introduced in 2.3.0 was renamed to The code configuring and loading pmwiki-utils.js was moved to a new file scripts/utils.php, and a new variable The documentation was updated. Version 2.3.1 (2022-01-15)There was an omission in the release script which unexpectedly deleted the Version 2.3.0 (2022-01-15)January 2022 is the 20th year anniversary of the release of PmWiki version 0.1, and 13 years since I (Petko) became core developer. This merited additional work and effort with hopefully interesting and useful new production. PHP 5.3 - 8.1 compatibility
PmSyntax. A new function PmSyntax was added to the core, and enabled on pmwiki.org.
Improvements to the edit form
Dates and times, monitoring, review
PageLists, categories, backlinks
Styles (core skin PmWiki-responsive)
Core helper functions
Last but not least, the documentation in English has been updated with the latest development (and in German by MFWolff). See also Upgrading from version 2.2.145 to 2.3.0. As always, if you have any questions or difficulties, please let us know. Version 2.2.145 (2021-12-11)This version includes a minor change in search patterns: searches and pagelists with a wrong or undefined It also includes updates for PHP 8, a fix of an emoji for non-UTF8 wikis, and the latest pages of the documentation. Version 2.2.144 (2021-11-06)This version includes fixes for PHP 8 and an update to Version 2.2.143 (2021-10-02)This version should prevent some errors from local customization or recipes with recent PHP versions, by disabling obsolete markup rules and replacement patterns. If such markup appears on a page, it will not be processed, it will be rendered like this: Care should be taken if you have custom calls to the deprecated function If you experience any difficulties, please do let us know and we'll try to provide a fix. The documentation was updated. Version 2.2.142 (2021-08-31)This version hides some PHP 8 notices, and adds 2 new form element attributes "accept" and "autofocus". The documentation was updated. Version 2.2.141 (2021-07-09)This version adds ways to define 2 custom functions:
The documentation was updated. Version 2.2.140 (2021-06-26)This version has updates for PHP 8. The API of the source code highlighting library has changed and the PmWiki loader function was adapted; if you use this feature, please upgrade Highlight.js to version 11.0.0 or newer. Note: since version 11, Highlight.js doesn't preserve HTML in the preformatted blocks and issues a console warning, so you should only use the The documentation was updated. Version 2.2.139 (2021-05-05)This version removes empty "title" attributes in HTML tags (links and images), fixes warnings which appear with PHP 8 and updates the documentation. Version 2.2.138 (2021-03-02)This version fixes a bug when a details directive has markup in the summary attribute, and the documentation was updated. Version 2.2.137 (2021-02-26)This version fixes a bug introduced earlier today with entities encoded twice in PQA() quoted arguments. Version 2.2.136 (2021-02-26)This version fixes a XSS vulnerability for WikiStyles reported today by Igor Sak-Sakovskiy. The fix adds a second argument $keep to the core function PQA($attr, $keep=true) which by default escapes HTML special characters and places the values in Keep() containers. If you have custom functions that call PQA() and expect the previous behavior, call PQA() with a second argument set to false. If you have any questions or difficulties, please let us know. Version 2.2.135 (2021-01-31)This version fixes a number of PHP8 compatibility issues. This is a work in progress, if you uncover others, please report them at PITS:01461. A work is underway to implement session tokens to prevent CSRF vulnerabilities -- suggested by Dominique Faure. I wanted to rework these functions but the PHP8 compatibilities are more urgent so at the moment the PmToken functions are transparent/non-functional. A defunct syndicated blocklist was disabled, a minor code refactoring was done for PmTOC to better support manual edit section links, and the documentation was updated. Version 2.2.134 (2020-11-30)This is a documentation update version. Version 2.2.133 (2020-10-25)This version fixes a potential vulnerability to CWE-384: Session Fixation, reported by Dominique Faure. The fix regenerates the session identifier at the moment someone logs in. In case this is not desirable, a wiki admin can set the new variable $EnableAuthPostRegenerateSID to false. This version also fixes an unintended variable evaluation in link markups. The CSS from Cookbook:RecipeCheck will now be injected only when needed. The responsive skin styles contained a reduced padding value for numbered and bulleted lists in order to save space, but in longer lists it could clip the item numbers. This value was removed from the styles because it was complex to reliably override it from local configuration. If you need to enable the previous values, add to pub/css/local.css the following: ul, ol { padding: 0 0 0 20px; } @media screen and (min-width:50em) { ul, ol { padding: 0 0 0 40px; } } Version 2.2.132 (2020-09-30)This is a documentation update version. Version 2.2.131 (2020-08-30)This is a documentation update version. Version 2.2.130 (2020-07-04)This is a documentation update version. Version 2.2.129 (2020-05-21)This version adds the styles for the "simpletable" class of tables from the "pmwiki-responsive" skin into the old "pmwiki" skin, and the documentation was updated. Version 2.2.128 (2020-04-26)This version only includes some cosmetic changes and updates the documentation. Version 2.2.127 (2020-03-23)This version sets the maximum height of the edit form textarea after reports for a jumping behavior on mobile devices (the PmWiki-responsive skin only). The core table of content classes "pmtoc-show" and "pmtoc-hide" now replace the previous classes "show" and "hide" to prevent conflicts with other frameworks. The functionality of the recipe Skins:SkinChange was added to the core (disabled by default). The documentation was updated. Version 2.2.126 (2020-02-01)This version fixes a bug with Version 2.2.124, 2.2.125 (2020-01-27)This version adds a variable Version 2.2.123 (2019-12-31)This version allows link URLs to be escaped with Version 2.2.122 (2019-11-19)Version 2.2.121 was released by mistake and contained some experimental code that was meant to be tested first. This version fixes a bug with ObfuscateLinkIMap() and international characters. New configuration variables The documentation was updated. Version 2.2.120 (2019-10-13)This version fixes a bug with existing complex customization of GUIEdit buttons. Very long tables of contents will now be scrollable. A new "input datalist" form element (list of suggestions to other input fields), and a new "details+summary" block section (toggle sections without JavaScript) were added. The documentation was updated. Version 2.2.119 (2019-10-03)This version updates the core for PHP 7.4. Required input fields now feature A number of features currently provided by recipes were added to the core and disabled by default. You can still use the recipes, or you can disable them and enable the core features. The following features were added:
The above new features are disabled by default, see the documentation for more information on how to enable them, or test them on pmwiki.org where most of these are enabled. Please report if you notice any problems. Version 2.2.118 (2019-08-28)This version integrates the features of the recipe Cookbook:PreviewChanges into the core. If you currently use this recipe, please uninstall it and add to config.php: The documentation was updated. Version 2.2.117 (2019-07-28)This version adds handling of "partial content" requests for file downloads. New video file extensions 'm4v' and '3gp' were added. The Upload form now includes a new text field "Uploader" pre-filled with the name of the editor, and a new variable Version 2.2.116 (2019-06-19)This version fixes pagelists with case insensitive matches of page (text) variables for international wikis. If your international wiki pagelists rely on case-sensitive variable matches, please see Version 2.2.115 (2019-05-13)In this version the responsive skin in large "desktop" mode changes the search form background to transparent, for easier custom styling of the header. The documentation was updated. Version 2.2.114 (2019-04-02)This version adds a skin directive Version 2.2.113 (2019-03-01)This version adds a new The documentation was updated. Version 2.2.112 (2019-01-09)This version includes a fix for PHP 7.3, and the documentation was updated. Version 2.2.111 (2018-12-08)This version updates core .htaccess files to be compatible with both Apache 2.4 and earlier versions, and the variable A CSS value in the pmwiki-responsive skin was fixed. The MarkupExpression Version 2.2.110 (2018-11-05)This version prevents a warning with the The default style for code.escaped { white-space: nowrap; } The documentation was updated. Version 2.2.109 (2018-07-09)This version fixes a bug with the Path: InterMap prefix which was broken in 2.2.108. The function pmcrypt() was updated to prevent more strings from causing "invalid hash" warnings in PHP 7. The variable Version 2.2.108 (2018-07-05)This version adds the $PCCFOverrideFunction variable allowing a custom function to override PCCF(). Version 2.2.107 (2018-02-02)This version includes more fixes for PHP 7.2 for forms and pagelists. A new variable Version 2.2.106 (2017-12-01)This version has a rewrite of the function PageListSort() to allow it to work with PHP 7.2, and fixes a bug with the backtick (escape) Version 2.2.105 (2017-11-07)This version fixes a bug with the PQA() function causing invalid HTML with attributes glued together. The function If you upgrade from 2.2.98 or earlier, and you have custom markup rules relative to author signatures, please see note about change in 2.2.99 (documented November 2017). Version 2.2.104 (2017-10-11)This version fixes a bug with path WikiTrails reported today. Version 2.2.103 (2017-10-01)This version is a major upgrade on the internal processing of markups and patterns, all core scripts were updated to be compatible with PHP version 7.2. Whether you use that PHP version or another one, with any local configurations and custom add-ons, there should be no change for what you see, but if any problems please contact us immediately. Pagelists can now have optimized The documentation was updated. Version 2.2.102 (2017-08-05)This version reverts the patterns for text variables changed in 2.2.99, because we found that a longer text variable content may cause a blank page or an internal server error. In the page SiteAdmin.AuthList an input box was added to allow filtering of the groups or pages. Version 2.2.101 (2017-07-30)This version renames the internal constructor of the PageStore class to be compatible with both PHP 5 and PHP 7. Previously, the PageStore class had two constructors for PHP 4 and PHP 5 compatibility of which one was silently ignored, but recent PHP 7 versions display strict or deprecated notices when the PHP 4 constructor is used. If you must use PmWiki 2.2.101 or newer on a PHP 4 installation, please contact me so I can provide you with a workaround. Version 2.2.100 (2017-07-30)This version provides a workaround for an incompatibility with our Subversion version control system, where the Version 2.2.99 (2017-06-26)This version fixes a bug where an incomplete text variable without a closing parenthesis like " A bug was fixed where previewing a page didn't show changes to be done by replace-on-save patterns (the function ReplaceOnSave was refactored). Markup rules for previewing author signatures are no longer needed and were removed. Note that if you had custom markup rules processed before or after the A bug and a warning for PHP 4 installations were fixed. Two minor bugs with the The InterMap prefix to Wikipedia was corrected to use the secure HTTPS protocol and the documentation was updated. Version 2.2.98 (2017-05-31)This version adds a new skin that is better adaptable to both large and small screens, desktop and mobile devices (touchscreens). The new skin "pmwiki-responsive" is not enabled by default but available as an option, and as a base for customized copies. It requires a relatively modern browser (post-2009). The old skin is still available and enabled by default. The Vardoc links now use MakeLink() to allow a custom LinkPage function. The function ReplaceOnSave() was refactored to allow easier calling from recipes. Markup processing functions now can access besides A bug was fixed with the A number of other (minor) bugs were fixed: see ChangeLog, and the documentation was updated. Version 2.2.97 (2017-04-07)This version fixes a bug concerning Version 2.2.96 (2017-04-05)This version fixes a severe PHP code injection vulnerability, reported by Gabriel Margiani. PmWiki versions 2.2.56 to 2.2.95 are concerned. Only certain local customizations enable the vulnerability. Your website may be at risk if your local configuration or recipes call too early some core functions like CondAuth(), RetrievePageName() or FmtPageName(), before the Most recipes call core functions from a $HandleActions function, or from a Markup expression rule, these do not appear to be affected by the current exploit. If your wiki may be at risk, it is recommended to upgrade to version 2.2.96 or most recent at the earliest opportunity. If you cannot immediately upgrade, you should place the following line in your local (farm)config.php file: Place this line near the top of the file but after you include scripts/xlpage-utf-8.php or other character encoding file. This version filters the Version 2.2.95 (2017-02-28)This is a documentation update version. Version 2.2.94 (2017-01-31)This version allows webmasters to configure and use both .html and .htm extensions. The cached information about whether a page exists or not will now be cleared when that page is created or deleted. The documentation was updated. Version 2.2.93 (2016-12-31)This is a documentation update version. Version 2.2.92 (2016-11-30)This version allows administrators to disable the "nopass" password by setting Version 2.2.91 (2016-09-30)This is a documentation update version. Version 2.2.90 (2016-08-31)This version adds a parameter to the upload form which can improve analytics from the server logs. Two new CSS classes were added to help skin developers: Version 2.2.89 (2016-07-30)This version allows to set a default class name for simple tables. The Version 2.2.88 (2016-06-29)This version fixes invalid HTML output of some WikiTrail links. The function PHSC() can now have an optional fourth argument for a safe replacement of htmlspecialchars(). A new page variable Version 2.2.87 (2016-05-31)This version adds the <html xmlns="http://www.w3.org/1999/xhtml" The variable A wrong page variable in Site.UploadQuickReference was corrected, and the documentation was updated. Version 2.2.86 (2016-04-28)This version adds updates for PHP 7, for the PageStore() class and for the Version 2.2.85 (2016-03-31)This version adds Scalable Vector Graphics (*.svg, *.svgz) as allowed uploads and as embeddable picture extensions (with the html tag <img/>). The documentation was updated. Version 2.2.84 (2016-02-21)This version fixes "indent" and "outdent" styles for right-to-left languages. A new variable Version 2.2.83 (2015-12-31)This is a documentation update version. Version 2.2.82 (2015-11-30)This version enables stripmagic() to process arrays recursively and updates the documentation. Version 2.2.81 (2015-10-31)This version fixes an inconsistency with single line page text variables. International wikis enabling UTF-8 will now be able to use the CSS classes "rtl" and "ltr" to override the text direction when inserting right to left languages. The documentation was updated. Version 2.2.80 (2015-09-30)This version modifies the Version 2.2.79 (2015-08-27)This version adds WikiStyles for the CSS basic colors "fuchsia", "olive", "lime", "teal", "aqua", "orange" and "gray"/"grey". New input elements "email", "url", "number", "date", and "search" can now be used in wiki forms. Note: the "target" attribute of input forms which was added in the previous version broke the PmForm processor, and was removed until we find a solution. If you don't use PmForm and require this attribute (or others), the usual way to add it is to redefine the $InputAttrs array in your local configuration. A new variable The insMarkup() function in guiedit.js was refactored to allow custom input ids and/or custom functions to process the selected text. The documentation was updated. Version 2.2.78 (2015-07-21)This version updates the Note, this release broke the Cookbook:PmForm module. Please do upgrade to 2.2.79 or newer if your wiki uses PmForm. Version 2.2.77 (2015-06-19)This version extends the Version 2.2.76 (2015-05-31)This version improves support for arrays in form elements: setting default values and recovering values from posted forms. A new "label" argument to checkbox and radio input elements allows easy insertion of clickable text labels after the form elements. Division blocks wrapping standalone images, and standalone image captions, now receive CSS classes allowing greater control via stylesheets. The documentation was updated. Version 2.2.75 (2015-04-26)This version adds a pmcrypt($pass, $salt) function which can be used as a replacement for the PHP crypt() function when encrypting passwords. From PHP 5.6 on, crypt() should not be used without a $salt parameter and would raise a notice. If pmcrypt() is called with a $salt parameter it will simply call crypt() in order to check a password. If it is called without a $salt parameter, pmcrypt() will create a password hash with the password_hash() function or with crypt() depending on your installation. You can replace any calls to crypt() with pmcrypt(), notably in config.php when defining Markup was added for the semantic HTML5 tags article, section, nav, header, footer, aside, address. A bug with the uploads feature was fixed when Version 2.2.74 (2015-03-28)This version allows the translation of the word "OK" in authentication forms. The documentation was updated to the latest state on pmwiki.org. Version 2.2.73 (2015-02-28)This release only updates the documentation to the latest state on pmwiki.org. Version 2.2.72 (2015-01-27)This version improves the ?action=ruleset display for markup rules potentially incompatible with PHP 5.5 when the function debug_backtrace() is not available. It restores the ability to set a custom function handling the (:markup:) demos. A variable Version 2.2.71 (2014-12-29)This version removes the hard word wrap in The release also adds back-tracing for markup rules potentially incompatible with PHP 5.5. Such rules, often added by recipes, can trigger "Deprecated: preg_replace()" warnings. To find out which recipes may trigger the warnings, enable diagnostic tools in config.php with The variable Version 2.2.70 (2014-11-08)This release only updates the documentation to the latest state on pmwiki.org. Version 2.2.69 (2014-10-13)This version fixes a bug when dates are defined as relative to other dates, eg. "2014-10-13 -3 days". The documentation was updated; note that the instructions in Site.UploadQuickReference were updated to reflect the display of the upload form in current browsers. Version 2.2.68 (2014-09-01)This version adds a Skins: InterMap prefix pointing to the Skins section on PmWiki.org, a "signature" markup in the edit quick reference, new WikiStyles clear, min-width and max-width and the documentation was updated. Version 2.2.67 (2014-08-02)This version fixes an inconsistency with input forms when values are taken from PageTextVariables. The documentation was updated to the latest state on pmwiki.org. Version 2.2.66 (2014-07-02)This version fixes a minor longstanding bug in the default Notification format when a page is deleted. In custom patterns, the "_" character will no longer be considered a function name. The documentation was updated. Version 2.2.65 (2014-06-07)This version fixes Pagelist handling of Version 2.2.64 (2014-05-08)This version adds the "{(mod)}" markup expression for modulo/remainder calculations, and the "tel:" and "geo:" URI schemes which, on compatible devices like smartphones, allow the creation of links to dial telephone numbers and open map/location applications. The $SysMergePassthru switch was added, if enabled, it allows the "Simultaneous Edits" conflict resolution to use the passthru() function instead of popen(). The documentation was updated. Version 2.2.63 (2014-04-05)This version allows for form elements to have custom attributes containing a dash in the attribute names and enables the attributes 'required', 'placeholder' and 'autocomplete' for HTML5 forms. A minor bug with pagelist {$$RequestVariables} appearing on some installations was fixed. The documentation was updated. Version 2.2.62 (2014-02-28)This version adds the variable Version 2.2.61 (2014-01-31)This version removes unnecessary snippets of code and adds the variable Version 2.2.60 (2014-01-12)This version reverts the changes to the pmwiki.css file made in 2.2.59. Version 2.2.59 (2014-01-11)This version has an improvement for Blocklist when multiple text fields are posted. A bug with some nested markup conditionals was fixed. The default skin switched font sizes from points (fixed) to percents (relative). A couple of other minor bugs were fixed and the documentation was updated. Version 2.2.58 (2013-12-25)This version enables customization of (:input auth_form:), and fixes a couple of minor bugs. The documentation was updated. Version 2.2.57 (2013-11-03)This version enables the use of the Attach: link format in the (:attachlist:) directive. The documentation was updated. Version 2.2.56 (2013-09-30)This version aims to fix a PHP 5.5 compatibility issue with a deprecated feature of the preg_replace() function. The PageStore() class now detects and works around a bug with the iconv() function, and the documentation was updated. Version 2.2.55 (2013-09-16)This version adds the variable Version 2.2.54 (2013-08-13)This version fixes a bug when old versions are restored from draft pages. The documentation was updated. Version 2.2.53 (2013-07-08)This version enables a message to be shown when a post is blocked because of too many unapproved links. The documentation was updated. Version 2.2.52 (2013-06-08)This version hides warnings about a deprecated feature in PHP 5.5 installations (preg_replace with /e eval flag). Three new upload extensions were added: docx, pptx and xlsx produced by recent versions of some office suites. The documentation was updated. Version 2.2.51 (2013-05-08)This version updates the addresses for the remote blocklists. A minor XSS vulnerability for open wikis, which was discovered today, was fixed. The documentation was updated. Version 2.2.50 (2013-04-08)This release only updates the documentation to the latest state on pmwiki.org. Version 2.2.49 (2013-03-09)This version adds an array $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm', '.pcgi', '.asp', '.jsp', '.sh'); The documentation was updated. Version 2.2.48 (2013-02-11)This version fixes a bug introduced yesterday with some links. Version 2.2.47 (2013-02-10)This version enables tooltip titles in links to anchors in the same page, and the documentation was updated. Version 2.2.46 (2013-01-07)This version adds If your wiki has uploads enabled, it is recommended to set the variable The The Version 2.2.45 (2012-12-02)This version fixes some PHP notices appearing on some installations. The documentation was updated. Version 2.2.44 (2012-10-21)This version improves the display of consecutive whitespaces in page histories, and fixes the definition of PageTextVariables containing a dash. The documentation was updated. Version 2.2.43 (2012-09-20)This version makes it possible to use HTML attribute names that contain dashes, and removes a warning when editing and previewing Site.EditForm. The documentation was updated. Version 2.2.42 (2012-08-20)This version provides a workaround for cases when a wiki page contains a character nonexistent in the active encoding. The documentation was updated. Version 2.2.41 (2012-08-12)This version changes the internal $KeepToken separator to be compatible with more encodings. The documentation was updated. Version 2.2.40 (2012-07-21)This version provides a helper function replacing htmlspecialchars() and compatible with PHP 5.4. The documentation was updated. Version 2.2.39 (2012-06-25)This version provides a fix for links to attachments containing international characters. The documentation was updated. Version 2.2.38 (2012-05-21)This version fixes a "parameter count" warning which appeared on some websites. Version 2.2.37 (2012-05-01)This version provides a workaround for installations with broken iconv() function, while optimizing the recode function. This should fix the "Unable to retrieve edit form" problem in some wikis. Dots in sections are now better supported, PageVariables are expanded in PageList template defaults, and the documentation is updated. Version 2.2.36 (2011-12-28)This version fixes the recode function to try to recover Windows-1252 characters in ISO-8859-1 files. A new variable $EnableOldCharset enables the $page["=oldcharset"] entry which will be used in the future. A couple of minor bugs were fixed and the documentation was updated. Version 2.2.35 (2011-11-11)This release fixes a critical PHP injection vulnerability, reported today by Egidio Romano. PmWiki versions 2.2.X, 2.1.X, 2.0.X and 2.0.beta33 and newer are vulnerable. When you upgrade, please read carefully the Release notes for all PmWiki versions since yours. If you cannot upgrade, it is recommended to disable Searches at the earliest opportunity (even if your wiki skin doesn't have a search form). Add to config.php such a line: if ($action == 'search') $action = 'browse'; If your old version wiki allows editing by not entirely trusted visitors, even on limited pages like a WikiSandbox, you should also disable PageLists. Add to config.php this line: $EnablePageList = 0; This version has an important change for international wikis: the XLPage() function no longer loads encoding scripts such as xlpage-utf-8.php. When you upgrade, you need to include those scripts from config.php, before calling XLPage(): include_once("scripts/xlpage-utf-8.php"); # if your wiki uses UTF-8 XLPage('bg','PmWikiBg.XLPage'); All links can now have tooltip titles. Previously, only images and external links could have tooltip titles, now this feature is enabled for internal links. To set a tooltip title, add it in quotes after the link address: [[Main.HomePage"This is a tooltip title"]] [[Main.HomePage"This is a tooltip title"|Home]] [[http://www.pmwiki.org"Home of PmWiki"]] Attach:image.jpg"Tooltip title of the image" The following new upload extensions were added: svg, xcf, ogg, flac, ogv, mp4, webm, odg, epub. A couple of minor optimizations were added (MarkupExpressions and rendering of page history) and the documentation was updated. Version 2.2.34 (2011-10-10)This version resets the timestamps of the default pages Site(Admin).AuthUser which are expected in case of upgrades from the versions 2.1.*. Core MarkupExpressions which manipulate strings should now work better with international characters. The documentation was updated to its latest state from pmwiki.org. Version 2.2.33 (2011-09-23)This version fixes a security bug introduced in 2.2.32 which left the groups Site and SiteAdmin open for reading and editing because the pages Site.GroupAttributes and SiteAdmin.GroupAttributes didn't have all necessary attributes. All wikis running 2.2.32 should upgrade. If you cannot immediately upgrade, you can set the attributes from your wiki:
The release also fixes the refcount.php script to produce valid HTML, and updates intermap.txt entries PITS: and Wikipedia: to point to their current locations. Version 2.2.32 (2011-09-18)This is the first version shipping with the core documentation in the UTF-8 encoding. PmWiki will automatically convert it on the fly for wikis using an older encoding. It is recommended that all new PmWiki installations enable UTF-8. Migration of existing wikis from an older encoding to UTF-8 shouldn't be rushed: it is not trivial and will be documented in the future. A required HTML xmlns attribute was added to the print skin template. The history rendering is now faster when many lines are added or removed. Note: Due to a manipulation error, a version 2.2.31 was created before it was ready for a release. Version 2.2.30 (2011-08-13)This version fixes a $Charset definition in international iso-8859-*.php files. This will help for a future transition to UTF-8. A variable $EnableRangeMatchUTF8 was added, set it to 1 to enable range matches of pagenames in UTF-8 like [A-D]. Previously the range matches were always enabled in UTF-8, but we found out that on some installations this feature breaks all pagelists, even those without range matches. In case the feature worked for you, you can re-enable it. Version 2.2.29 (2011-07-24)This release fixes Attach links that were broken with the Path fix in 2.2.28 earlier today. Version 2.2.28 (2011-07-24)This release fixes 2 potential XSS vulnerabilities and a bug with Path: links. Version 2.2.27 (2011-06-19)This release fixes a validation bug on pages after a redirection. A new block WikiStyle Version 2.2.26 (2011-05-21)This release fixes a redundant removal of link hashes from WikiTrails, and updates the documentation to the most recent version from PmWiki.org. Version 2.2.25 (2011-03-22)This release only updates the documentation to the latest state on pmwiki.org. Version 2.2.24 (2011-02-15)This version reverts the way existing PageVariables are processed, like version 2.2.21 or earlier, but it adds a special variable $authpage which can be used in PageVar definitions. It is the same as the $page array, but exists only if the visitor has read permissions. For example, an administrator can set to config.php: Then, the edit summary metadata will only be available if the user has read permissions. Version 2.2.23 (2011-01-25)This version sets the default value of Version 2.2.22 (2011-01-16)This version adds the variable PageVariables should now respect authentications: without read permissions, the title, description, change summary, author of a protected page are unavailable. PageVariables that are computed without reading the page are still available (eg. $Group, $Namespaced,
Version 2.2.21 (2010-12-14)Due to a mis-configuration of a local svn repository, some of the changes intended for 2.2.20 didn't make it in the correct branch. This release corrects this. Version 2.2.20 (2010-12-14)This version fixes a potential XSS vulnerability, reported today. An AuthUser bug with excluding users from authgroups was fixed. A new InterMap prefix PmL10n: was added, it leads to the Localization section on PmWiki.org and should help the work of translators. A couple of other minor bugs were fixed and the documentation was updated. Version 2.2.19 (2010-11-10)This is a documentation-update release. Version 2.2.18 (2010-09-04)This version fixes 3 minor bugs, and updates the documentation. Version 2.2.17 (2010-06-20)This version adds a variable $PostConfig containing functions and scripts to be loaded after stdconfig.php. Tabindex was added as a valid form field attribute. Protected downloads now respect existing browser caches. AuthUser now allows more flexible cookbook recipe integration. A couple of bugs were fixed and the documentation was updated. Version 2.2.16 (2010-05-10)This version fixes a bug with parsing html attributes which could allow XSS injection. Wikis allowing unprotected editing are encouraged to upgrade. A bug with the "center" button of the GUI edit toolbar was corrected. The "exists" conditional now accepts wildcards, for example: The documentation was updated. Version 2.2.15 (2010-03-27)This version adds some minor bugfixes and optimizations notably a bug with Version 2.2.14 (2010-02-27)This release corrects inline styles for WikiTrail links. Undefined include/template $EnableUndefinedTemplateVars = 1; # keep and display unset {$$variables} PageList templates now accept the sections "Title" attributes were added to external links. You can have tooltip titles on external links, including InterMap and attachments, by adding the link title in double quotes after the URL: [[http://www.pmwiki.org"Home of PmWiki"| External link]] For international wikis, PmWiki now automatically translates the titles of technical pages like GroupAttributes or RecentChanges -- just define these strings as usual in XLPage, for example, in French: 'AllRecentChanges' => 'Tous les changements récents', Some minor optimizations were done and the documentation was updated. Version 2.2.13 (2010-02-21)This release fixes a bug with The page history layout was modified with a rough consensus in the community. The history now defaults to "source" view with word-level highlighting of the differences. Authors can see the changes in rendered output by clicking on the link "Show changes to output". Admins can switch back the default by adding such a line to config.php: $DiffShow['source'] = (@$_REQUEST['source']=='y')?'y':'n'; To disable word-level highlighting and show plain text changes: In the page history rendering, a few minor bugs were fixed and the code was slightly optimized. The documentation was updated. Version 2.2.12 (2010-02-17)This release adds simple word-level highlighting of differences in the page history, when "Show changes to markup" is selected. To enable the feature, add to config.php such a line: This feature is like what the InlineDiff recipe provides, but not exactly the same, and the implementation is simpler. It is enabled on PmWiki.org and can be improved -- your comments are welcome. Version 2.2.11 (2010-02-14)This release adds two new table directives for header cells, (:head:) and (:headnr:). They work the same way as (:cell:) and (:cellnr:) except that create <th> instead of <td> html tags. The pagerev.php script was refactored into separate functions to allow easier integration of recipes displaying the page history. A couple of minor bugs were fixed and the documentation was updated. Version 2.2.9, 2.2.10 (2010-01-17)Most important in this release is the official change of
So, if your wiki relies on page variables from included pages, and doesn't have More information about page variables can be found at: http://www.pmwiki.org/wiki/PmWiki/PageVariables This release adds a new variable This release also adds a new variable A number of bugs were fixed and the documentation was updated. Version 2.2.8 (2009-12-07)This release fixes another PHP 5.3 compatibility issue with conditional markup. The Author field now handles apostrophes correctly. The documentation was updated. Version 2.2.7 (2009-11-08)This release fixes most PHP 5.3 compatibility issues. Unfortunately some specific builds for Windows may still have problems, which are unrelated to PmWiki. Notably, on Windows, all passwords need to be 4 characters or longer. Upload names with spaces are now correctly quoted. The documentation was updated. Version 2.2.6 (2009-10-04)With this release it is now possible to display recently uploaded files to the RecentChanges pages -- if you have been using the RecentUploadsLog recipe, please uninstall it and follow the instructions at http://www.pmwiki.org/wiki/Cookbook/RecentUploadsLog. The release also introduces Version 2.2.5 (2009-08-25)This release adds a new markup for Pagelist templates, Version 2.2.4 (2009-07-16)This release fixes a bug introduced earlier today with HTML entities in XLPages. Version 2.2.3 (2009-07-16)This release fixes six potential XSS vulnerabilities, reported by Michael Engelke. The vulnerabilities may affect wikis open for editing and may allow the injection of external JavaScripts in their pages. Public open wikis should upgrade. A new variable It is now possible to use A number of other small bugs were fixed, and the documentation was updated. Version 2.2.2 (2009-06-21)The major news in this release is a fix of an AuthUser vulnerability. The vulnerability affects only wikis that (1) rely on the AuthUser core module for User:Password authentication, -AND- (2) where the PHP installation runs with the variable "magic_quotes_gpc" disabled. All PmWiki 2.1.x versions from pmwiki-2.1.beta6 on, all 2.2.betaX, 2.2.0, and 2.2.1 are affected. The PmWiki SiteAnalyzer can detect if your wiki needs to upgrade: http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer If your wiki is vulnerable, you should do one of the following at the earliest opportunity:
Alternatively, you can temporarily disable AuthUser until you upgrade. Note that even if your wiki does not have the AuthUser vulnerability at the moment, you are strongly encouraged to upgrade to PmWiki version 2.2.2 or later, as some future configuration of your hosting server might put you at risk. This release also comes with minor updates in the local documentation; fixes
were applied for international wikis - notably global variables in
xlpage-utf-8.php and a new variable Version 2.2.1 (2009-03-28)This release comes with an updated local documentation; wiki trails now work cross-group; guiedit.php now produces valid HTML, and other small bugs were fixed. We also added Version 2.2.0 (2009-01-18)This is a summary of changes from 2.1.x to 2.2.0.
when carrying out this upgrade inspect your config files for lines such as
$BlocklistDownload['Site.Blocklist-PmWiki'] = array('format' => 'pmwiki');
as you may wish to fix then, eg
$BlocklistDownload[ $SiteAdminGroup . '.Blocklist-PmWiki'] = array('format' => 'pmwiki');
When migrating a wiki you will have to manually modify the permission or by a script replace in all the page concerned passwdread=nopass: by passwdread=@nopass (see PITS:00961) --isidor
$EnableWikiWords = 1;
$LinkWikiWords = 0;
Bugs and other requests can be reported to the PmWiki Issue Tracking System at http://www.pmwiki.org/wiki/PITS/PITS. Any help in testing, development, and/or documentation is greatly appreciated. Release Notes archive - notes for versions older than 2.2.0. This page may have a more recent version on pmwiki.org: PmWiki:ReleaseNotes, and a talk page: PmWiki:ReleaseNotes-Talk. |