Update cookies preferences

Release Notes

See also: Upgrades, Change log, Download and Road map.

Version 2.3.20 (2023-02-12)

This version fixes an unidentified variable warning introduced yesterday in 2.3.19.

Version 2.3.19 (2023-02-11)

This version includes fixes for recent PHP versions, new helper functions, new variables allowing more customization, and the documentation was updated.

Work is underway to define and implement a new family of self-contained recipes "Modules" which should be easier to install, configure and update. It may be possible to easily update your modules and skins either from a remote Git/SVN repository, or by simply dropping a ZIP file into the "modules" directory, and use a wiki-based editor to enable and configure them. Nothing will change for existing recipes, and they will not need to be updated; this will be an entirely optional new interface. Let me know if you can suggest features/scopes added to the wishlist.

PmWiki too may be able to run directly from the read-only release ZIP archive, without the need to unzip it first. Again, this will be entirely optional, the current ways will continue to work as before, and slightly faster than the ZIP version (approx. 2% faster in my benchmarks).

Version 2.3.18 (2023-01-15)

This version fixes a bug user groups in with conditional markup, includes updates for PHP 8, minor improvements to the edit textarea and to the syntax highlighting. A helper function pm_json_encode() was added for servers where the PHP-JSON extension is not enabled.

The documentation was updated.

Version 2.3.17 (2022-12-17)

This release has updates for recent PHP versions.

The edit textarea had some improvements. Edit buttons and the automatic edit text will now insert their wiki markup in a way which allows for the "undo" function in the text area to work (with Ctrl+Z). The edit textarea (with $EnableEditAutoText enabled) now accepts 4 new keyboard shortcuts: Ctrl+L and Ctrl+Shift+L to convert the selected text to lowercase or uppercase, and Ctrl+Shift+ArrowUp or ArrowDown to move the line with the cursor up or down.

A new variable $EnableBaseNameConfig was added - it allows to enable automatic inclusion of local configuration for the "basename" of the current page, for example Group.Page-Draft to include local/Group.Page.php if it exists.

Conditional markup (:if auth @admins,@editors:) can now check if the current user belongs to selected usergroups (with AuthUser).

A few minor bugs and omissions were fixed, and the documentation was updated.

Version 2.3.16 (2022-11-28)

This version fixes a bug with some skins introduced in 2.3.15 last week, and reverts PrePrintFmt().

New WikiStyles 'notoc' and 'overflow' were added. PmTOC Table of contents, and the list of included pages in the edit form, now use classnames instead of style attributes.

PmSyntax fixes a font-size alignment bug with nested programming languages, and has been optimized for large pages.

A few more minor bugs were fixed, including for PHP 8, and the documentation was updated.

Version 2.3.15 (2022-11-21)

Security: Closed a potential XSS vulnerability discovered today. Your wiki may be at risk if untrusted people can edit your pages.

HTTP headers: CSP updated, XSSP added. Both can be disabled or modified by changing the $HTTPHeaders values.

Cookies: Added a new variable $CookieSameSite default to 'Lax' per current browser defaults and expectations. Updated pmsetcookie() added an argument $samesite, and refactored to work with old and current PHP versions. Added function pm_session_start() as a replacement for session_start() with respect for local preferences ($CookieSameSite, $EnableCookieSecure, $EnableCookieHTTPOnly).

PmSyntax: A new CSS variable --pmsyntax-fontsize-editform allows to set the font size of the edit form separately from highlighted elements in the documentation. Fixed the [[Highlight]] label could change fonts when clicked.

Responsive skin: The font size for "pre" and "code" elements is now scalable/relative to the paragraph font size rather than fixed. This works better in headings or small text blocks.

GUI edit buttons: Part of these functions were rewritten to avoid 'unsafe inline' JavaScript. While default and most custom buttons should work without change, you should no longer need to url-encode some characters like % or add backslashes. If you have such buttons, you may need to update their declarations to strip the extra backslashes.

WikiStyles: Refactored to move all inline WikiStyles to the $HTMLStylesFmt array in the header of the HTML page.

Tables and block markup: Replaced inline style="..." attributes with class names.

The function PrintFmt() was refactored to process skin parts, skin functions, markup, and wiki pages, before sending the HTTP and HTML headers. This allows for wikistyles and recipes in sidebars and footers to add their configuration to the headers.

If you have questions or difficulties upgrading, please contact us.

Version 2.3.14 (2022-11-03)

This version includes fixes for recent PHP versions and for 2 minor bugs (searchbox wrongly encoded entities and {(ftime %L)} format). Inline JavaScript for focusing form fields is now replaced with native attributes. In the Edit form, the "Minor edit" label can now toggle the checkbox.

The "disabled obsolete markup" tooltip now includes the file path and the line number of the markup rule definition.

PmSyntax now recognizes (:template requires? ...:) which is used by some recipes.

The documentation was updated.

Version 2.3.13 (2022-10-07)

This version closes a potential XSS vulnerability, reported by lukystreik. A new variable $FailedLoginsFunction will allow to define a function limiting the number of failed logins. The documentation was updated.

Version 2.3.12 (2022-09-25)

This version has a few fixes for PHP8. Complex conditionals with empty page variables could cause errors, now fixed. Form elements with values like "0" could appear empty, now fixed. The PSFT() function and the {(ftime)} markup expression now recognize a "%L" format as a human-readable localizable timestamp. A new helper function PrintAuthForm() was split from PmWikiAuth() to allow recipes to call it directly. The documentation was updated.

Version 2.3.11 (2022-08-30)

This version fixes the function stripmagic(), when used with arrays (a recent update for PHP 8 broke it).

New PageVariables derived from a Group's homepage are now available: {$GroupHomePage}, {$GroupHomePageName}, {$GroupHomePageTitle}, {$GroupHomePageTitlespaced}.

A new helper function should simplify recipes with custom markup directives of the format:

(:mydirective arg=val param="other value":)...(:mydirectiveend:).

See the documentation at Cookbook:MarkupDirectiveFunctions.

The core documentation was updated.

Version 2.3.10 (2022-08-20)

This version includes updates for PHP 8. Wildcard $DefaultUnsetPageTextVars should now work with forms. PmSyntax fixed text alignment between the edit area and the colored block in some cases. The documentation was updated.

Version 2.3.9 (2022-08-18)

This version includes updates for PHP 8. Non-wildcard $DefaultUnsetPageTextVars should now work with (:input default:). PmSyntax now handles blocks with simpler selectors, possibly created by recipes. The documentation was updated.

Version 2.3.8 (2022-07-22)

This version fixes a bug caused by a recent update for PHP 8 with the include markup:

   (:include Page1 Page2 Page3:)

When the first page doesn't exist, it didn't check for the other pages (now fixed).

In addition, PmSyntax was improved when more than one inline blocks are on the same line, and the documentation was updated.

Version 2.3.7 (2022-06-28)

This version sets default HTTP headers X-Frame-Options (reported by Imagine Dragon) and Content-Security-Policy to disallow embedding in external websites by default and clickjacking attempts.

Should you require the previous behavior, you can add this line to local/config.php:

unset($HTTPHeaders['XFO'], $HTTPHeaders['CSP']);

$EnableHighlight will now remember any links to PmWiki variables and restore them after the highlighting.

$EnablePmSyntax will now process %hlt pmwiki% in addition to %pmhlt% blocks, and escaped markup after it will be tentatively highlighted.

The documentation was updated.

Version 2.3.6 (2022-06-19)

This version contains fixes for PHP 8. A form attribute "lang" was added.

Sortable tables now allow for table headers to have markup such as bold (except links), and will use a case-insensitive natural ordering.

Searchbox now has a default placeholder "$[Search]" and can have the submit button removed with the argument label="" (users need to press Enter on their keyboards to search).

$EnableHighlight-formatted code blocks are now converted to plain text to prevent warnings; there is an ongoing discussion in the mailing list so this solution may evolve.

For developers: $UploadVerifyFunction can now modify $upname, and a variable $PageIndexTermsFunction can configure a replacement function for PageIndexTerms().

The documentation was updated.

Version 2.3.5 (2022-05-23)

This version fixes a bug with (:pagelist list=grouphomes:). A new helper function DisableSkinParts() allows for simpler disabling of headers, footers and sidebars from recipes. When a file is uploaded, new variables with the file path and URL are now available to recipes.

The version also contains fixes for PHP 8 and documentation updates.

Version 2.3.4 (2022-04-22)

This version includes fixes for PHP 8 and documentation updates.

Version 2.3.3 (2022-03-26)

This version includes fixes for PHP 8 and documentation updates.

Version 2.3.2 (2022-02-09)

This version includes bug fixes and updates for PHP 8.1. The core variable $EnableIncludedPages introduced in 2.3.0 was renamed to $EnableListIncludedPages to avoid ambiguity. With LocalTimes, is now possible to configure the number of days the "plus" button will pull from the page history, and the function will better recognize some older RecentUploads formats. PmSyntax was updated so that "\\" line breaks in tables and headings are treated like in the core, staying in the same context; and the different PmSyntax blocks will now be processed in parallel.

The code configuring and loading pmwiki-utils.js was moved to a new file scripts/utils.php, and a new variable $EnablePmUtils was added to allow administrators to easily disable these functions. The script pmwiki-utils.js will now be included in the page header rather than the footer, which may reduce the number of page redraws. The individual functions will now be processed in parallel.

The documentation was updated.

Version 2.3.1 (2022-01-15)

There was an omission in the release script which unexpectedly deleted the $VersionNum variable which broke some settings. This quick release fixes it.

Version 2.3.0 (2022-01-15)

January 2022 is the 20th year anniversary of the release of PmWiki version 0.1, and 13 years since I (Petko) became core developer. This merited additional work and effort with hopefully interesting and useful new production.

PHP 5.3 - 8.1 compatibility

  • PmWiki 2.3.0 includes updates for PHP 8.0 and 8.1.
  • Consequently, it requires PHP version 5.3 (released 2009) or more recent.

PmSyntax. A new function PmSyntax was added to the core, and enabled on pmwiki.org.

  • It highlights PmWiki syntax in the documentation, and possibly in the basic edit form.
  • It only highlights PmWiki markup, and is independent from Highlight.js. See Cookbook:PmSyntax and $EnablePmSyntax.
  • It should highlight most core language features and those of many recipes, see this mashup of various markups.
  • Developers can add custom rules in the $CustomSyntax array, see Cookbook:CustomSyntax.
  • The (:markup:) directive can now have class=norender to only show the source code without processing it. This may be useful, together with PmSyntax, in 2 cases: writing/discussing markup code without actually running it, or working on PageList Templates where you want to see and edit them highlighted.

Improvements to the edit form

  • PmSyntax (above) can be enabled to highlight the PmWiki markup the edit form, and should work in recent standards-compliant browsers.
  • The variable $EnableNotSavedWarning is now enabled by default. Add to config.php $EnableNotSavedWarning = 0; to disable it.
  • A new variable $EnableIncludedPages $EnableListIncludedPages (from 2.3.2) allows listing of other pages included from the currently edited page, with links to see or edit them. When the variable is enabled, the list of pages appears in the edit form, after the text area, in a collapsed <details> element. The list includes pages from which text, text variables, or templates are included from the edited page. This is enabled on pmwiki.org if you wish to preview it.
  • The $EnableEditAutoText function will now feel more like other text editors by removing the automatically inserted bullet when Enter is pressed twice.

Dates and times, monitoring, review

  • The {(ftime)} Markup expression now accepts a new format '%o' for the ordinal suffix of the date.
  • The Notify feature now accepts a tz= timezone specifier for individual subscribers. See Notify#tz.
  • A function based on Cookbook:LocalTimes was added to the core. See the recipe page for the differences. You can continue using the recipe, or disable it and enable the core function.
  • New core variables $EnableLocalTimes, $CurrentLocalTime.
  • New markup @2022-01-09T08:35:00Z output as a <time> element, formatted via $TimeFmt; localized if $EnableLocalTimes.
  • Added a variable $EnableRecentUploads which makes it easy to enable the Recent Uploads feature on AllRecentChanges. This is a basic format that may be good enough for many wikis. For more options, see Cookbook:RecentUploadsLog.
  • The default $RecentChangesFmt now use the variable $CurrentLocalTime instead of $CurrentTime. In the wiki source text it saves the timestamps in a portable time format in GMT, which is then shown formatted per $TimeFmt (wiki timezone). It looks just like $CurrentTime did previously, but can be converted to the visitor's time zone if LocalTimes is enabled. If you have custom $RecentChangesFmt entries that use $CurrentTime, nothing will change for you, but you may want to update these with $CurrentLocalTime if you want to benefit from localization.
  • The "page history" page now has CSS classes for the delay between edits: diffday, diffweek, diffmonth, diffyear. These allow styling of vertical spacing between individual edits in page histories. See Cookbook:DiffDelay for an example.
  • The page history can now have a "hidden" edit type, in addition to "minor". This is intended to be used by recipes in order to hide, rather than delete, some edits from the page history. A couple of new recipes using this feature will be added in the next few days.

PageLists, categories, backlinks

  • PageLists now accept a new argument category=Name which lists only pages declared in the category with the markup [[!Name]], and does not include pages simply linking to [[Category/Name]] (unless they also contain [[!Name]]).
    • The differentiation between links to !Name and Category.Name requires the pages containing category links to be re-indexed; see Cookbook:ReindexCategories which can automate this.
  • Also in PageLists, the arguments link= and category= now accept multiple and negative specifiers, and wildcards. See PageLists#wildcards. If you previously used the recipe Cookbook:PageListMultiTargets, please disable it when you upgrade to 2.3.0.
  • Category links can now have a different text, like [[!Name|Text]], and the markup generally behaves like other links, see PITS:01095.

Styles (core skin PmWiki-responsive)

  • Collapsible sections details+summary will now change the cursor to the "pointer" style over the clickable element, and the color will change to "navy".
  • The core table of contents function ($PmTOC) has had its styles updated, in order to properly indent long sub-headings.

Core helper functions

  • A new helper function PSFT() can now be used as an almost drop-in replacement for strftime() and gmstrftime() which became deprecated in PHP 8.1. Please review the documentation at Functions#PSFT. If you have local configurations or recipes using strftime() you can change for PSFT() now.
  • A helper function DownloadUrl($pagename, $path) was added, see Functions#DownloadUrl. It can simplify the handling of attached files by recipes.

Last but not least, the documentation in English has been updated with the latest development (and in German by MFWolff).

See also Upgrading from version 2.2.145 to 2.3.0.

As always, if you have any questions or difficulties, please let us know.

Version 2.2.145 (2021-12-11)

This version includes a minor change in search patterns: searches and pagelists with a wrong or undefined $SearchPatterns (list=abc argument) will now use $SearchPatterns["default"] rather than an empty array (effectively all pages). This was likely the intended behavior, a way for admins to restrict search locations.

It also includes updates for PHP 8, a fix of an emoji for non-UTF8 wikis, and the latest pages of the documentation.

Version 2.2.144 (2021-11-06)

This version includes fixes for PHP 8 and an update to intermap.txt. The conditional markup "exists" was optimized when called multiple times. The functions CondExists(), MatchPageNames(), and MatchNames(), can now be called with an additional argument (false) when a case-sensitive match is needed. The documentation was updated.

Version 2.2.143 (2021-10-02)

This version should prevent some errors from local customization or recipes with recent PHP versions, by disabling obsolete markup rules and replacement patterns. If such markup appears on a page, it will not be processed, it will be rendered like this: ⚠(:my-obsolete-directive params:) and a tooltip title should have some additional information.

Care should be taken if you have custom calls to the deprecated function PCCF(), and incompatible custom replacement patterns processed via PPRE() or PPRA() are silently skipped, which may not work as expected. (Previously they wouldn't work at all.)

If you experience any difficulties, please do let us know and we'll try to provide a fix.

The documentation was updated.

Version 2.2.142 (2021-08-31)

This version hides some PHP 8 notices, and adds 2 new form element attributes "accept" and "autofocus".

The documentation was updated.

Version 2.2.141 (2021-07-09)

This version adds ways to define 2 custom functions:

The documentation was updated.

Version 2.2.140 (2021-06-26)

This version has updates for PHP 8.

The API of the source code highlighting library has changed and the PmWiki loader function was adapted; if you use this feature, please upgrade Highlight.js to version 11.0.0 or newer.

Note: since version 11, Highlight.js doesn't preserve HTML in the preformatted blocks and issues a console warning, so you should only use the (space)[=escaped=] or the [@escaped@] markup blocks.

The documentation was updated.

Version 2.2.139 (2021-05-05)

This version removes empty "title" attributes in HTML tags (links and images), fixes warnings which appear with PHP 8 and updates the documentation.

Version 2.2.138 (2021-03-02)

This version fixes a bug when a details directive has markup in the summary attribute, and the documentation was updated.

Version 2.2.137 (2021-02-26)

This version fixes a bug introduced earlier today with entities encoded twice in PQA() quoted arguments.

Version 2.2.136 (2021-02-26)

This version fixes a XSS vulnerability for WikiStyles reported today by Igor Sak-Sakovskiy.

The fix adds a second argument $keep to the core function PQA($attr, $keep=true) which by default escapes HTML special characters and places the values in Keep() containers. If you have custom functions that call PQA() and expect the previous behavior, call PQA() with a second argument set to false.

If you have any questions or difficulties, please let us know.

Version 2.2.135 (2021-01-31)

This version fixes a number of PHP8 compatibility issues. This is a work in progress, if you uncover others, please report them at PITS:01461.

A work is underway to implement session tokens to prevent CSRF vulnerabilities -- suggested by Dominique Faure. I wanted to rework these functions but the PHP8 compatibilities are more urgent so at the moment the PmToken functions are transparent/non-functional.

A defunct syndicated blocklist was disabled, a minor code refactoring was done for PmTOC to better support manual edit section links, and the documentation was updated.

Version 2.2.134 (2020-11-30)

This is a documentation update version.

Version 2.2.133 (2020-10-25)

This version fixes a potential vulnerability to CWE-384: Session Fixation, reported by Dominique Faure. The fix regenerates the session identifier at the moment someone logs in. In case this is not desirable, a wiki admin can set the new variable $EnableAuthPostRegenerateSID to false.

This version also fixes an unintended variable evaluation in link markups. The CSS from Cookbook:RecipeCheck will now be injected only when needed. The responsive skin styles contained a reduced padding value for numbered and bulleted lists in order to save space, but in longer lists it could clip the item numbers. This value was removed from the styles because it was complex to reliably override it from local configuration. If you need to enable the previous values, add to pub/css/local.css the following:

ul, ol { padding: 0 0 0 20px; }
@media screen and (min-width:50em) {
  ul, ol { padding: 0 0 0 40px; }

Version 2.2.132 (2020-09-30)

This is a documentation update version.

Version 2.2.131 (2020-08-30)

This is a documentation update version.

Version 2.2.130 (2020-07-04)

This is a documentation update version.

Version 2.2.129 (2020-05-21)

This version adds the styles for the "simpletable" class of tables from the "pmwiki-responsive" skin into the old "pmwiki" skin, and the documentation was updated.

Version 2.2.128 (2020-04-26)

This version only includes some cosmetic changes and updates the documentation.

Version 2.2.127 (2020-03-23)

This version sets the maximum height of the edit form textarea after reports for a jumping behavior on mobile devices (the PmWiki-responsive skin only). The core table of content classes "pmtoc-show" and "pmtoc-hide" now replace the previous classes "show" and "hide" to prevent conflicts with other frameworks. The functionality of the recipe Skins:SkinChange was added to the core (disabled by default). The documentation was updated.

Version 2.2.126 (2020-02-01)

This version fixes a bug with $PmTOC['MinNumber'] set to -1, and updates the .htaccess format for caches.php. The documentation was updated.

Version 2.2.124, 2.2.125 (2020-01-27)

This version adds a variable $SetCookieFunction to override the core "pmsetcookie" function. A new feature ToggleNext was included in the core, documented at Cookbook:ToggleNext. The documentation was updated.

Version 2.2.123 (2019-12-31)

This version allows link URLs to be escaped with [=link address=] if they contain any special characters, including quotes, parentheses and pipes. The obfuscated e-mails will now work from headers, footers and sidebars. A form attribute "formnovalidate" was added to the core and to the "Cancel" button in the edit form. Core table of contents will now work better with Cookbook:SectionEdit. Cookbook:RecipeCheck was included in the core -- if you have this recipe already installed, you can simply comment it out from your config.php. The code that handles $EnableRCDiffBytes was refactored to also show the bytes changed in the page histories. New upload extensions "webp" (images) and "opus" (audio) were added. The documentation was updated.

Version 2.2.122 (2019-11-19)

Version 2.2.121 was released by mistake and contained some experimental code that was meant to be tested first.

This version fixes a bug with ObfuscateLinkIMap() and international characters. New configuration variables $DefaultUnsetPageTextVars, $DefaultEmptyPageTextVars can set default values for page text variables. The built-in table of contents and numbered headings can now be enabled independently. A pagelist template pseudovariable {$$EachCount} was added, containing the number of the page in the current "each" loop. Input form elements and the (:searchbox:) field now can have ARIA accessibility attributes.

The documentation was updated.

Version 2.2.120 (2019-10-13)

This version fixes a bug with existing complex customization of GUIEdit buttons. Very long tables of contents will now be scrollable. A new "input datalist" form element (list of suggestions to other input fields), and a new "details+summary" block section (toggle sections without JavaScript) were added. The documentation was updated.

Version 2.2.119 (2019-10-03)

This version updates the core for PHP 7.4. Required input fields now feature required="required" attributes and modern browsers prevent sending the edit or upload form with empty required fields. Attachlist ext= and names= arguments now accept patterns and negatives like ext=jpg,png, ext=-pdf, or names=-th*---*.jpg. The Redirect function can now have a 3rd argument with the full URL. The scroll position in the edit text area will be remembered on save-and-edit and preview. A bug was fixed with pagelist while preview. The documentation was updated.

A number of features currently provided by recipes were added to the core and disabled by default. You can still use the recipes, or you can disable them and enable the core features. The following features were added:

The above new features are disabled by default, see the documentation for more information on how to enable them, or test them on pmwiki.org where most of these are enabled. Please report if you notice any problems.

Version 2.2.118 (2019-08-28)

This version integrates the features of the recipe Cookbook:PreviewChanges into the core. If you currently use this recipe, please uninstall it and add to config.php:

  $EnablePreviewChanges = 1;

The documentation was updated.

Version 2.2.117 (2019-07-28)

This version adds handling of "partial content" requests for file downloads. New video file extensions 'm4v' and '3gp' were added. The Upload form now includes a new text field "Uploader" pre-filled with the name of the editor, and a new variable $EnableUploadAuthorRequired was added (defaults to $EnablePostAuthorRequired). The documentation was updated.

Version 2.2.116 (2019-06-19)

This version fixes pagelists with case insensitive matches of page (text) variables for international wikis. If your international wiki pagelists rely on case-sensitive variable matches, please see $PageListVarFoldFn. The documentation was updated.

Version 2.2.115 (2019-05-13)

In this version the responsive skin in large "desktop" mode changes the search form background to transparent, for easier custom styling of the header. The documentation was updated.

Version 2.2.114 (2019-04-02)

This version adds a skin directive <!--IncludeTemplate ... --> and the variable $SkinTemplateIncludeLevel. The core variable documentation format identifiers were moved to the definition term element to allow CSS ":target" styling, and the header and link text of the vardoc table can now be translated. Input forms have a new HTML5 element "tel", a new attribute "pattern" and two bugs were fixed with the classnames of the new elements and with the identifiers of "select" lists. The documentation was updated.

Version 2.2.113 (2019-03-01)

This version adds a new (:input button:) form element. All form elements can now accept custom data-* attributes, which can be disabled by setting $EnableInputDataAttr to 0. Both additions are meant for easier integration with custom JavaScript functions or some frameworks.

The documentation was updated.

Version 2.2.112 (2019-01-09)

This version includes a fix for PHP 7.3, and the documentation was updated.

Version 2.2.111 (2018-12-08)

This version updates core .htaccess files to be compatible with both Apache 2.4 and earlier versions, and the variable $DenyHtaccessContent was added with the updated content. In case of difficulties or questions please contact us.

A CSS value in the pmwiki-responsive skin was fixed. The MarkupExpression {(ftime )} now accepts tz= (time zone) and locale= (language locale) arguments. The documentation was updated.

Version 2.2.110 (2018-11-05)

This version prevents a warning with the {(substr )} markup expression when non-number arguments are typed. A new variable $PageListSortCmpFunction allows custom functions to order page lists. A new variable $MarkupMarkupLevel indicates when the processing happens inside (:markup:) blocks.

The default style for [@escaped code@] dropped white spaces inconsistently and was fixed. If you rely on the previous behavior please add this to your pub/css/local.css file to revert it:

  code.escaped { white-space: nowrap; }

The documentation was updated.

Version 2.2.109 (2018-07-09)

This version fixes a bug with the Path: InterMap prefix which was broken in 2.2.108. The function pmcrypt() was updated to prevent more strings from causing "invalid hash" warnings in PHP 7. The variable $EnableMarkupDiag was added to help diagnose all markup calls. The documentation was updated.

Version 2.2.108 (2018-07-05)

This version adds the $PCCFOverrideFunction variable allowing a custom function to override PCCF(). $AuthUserPageFmt can now be an array of page names. The page cache file name can now be customized. Form checkbox labels now have the same tooltip title as the checkbox. Ordered lists with the %reversed% WikiStyle will have descending numbers. Minor fixes to refcount.php, vardoc.php, and pmcrypt(). The default InterMap PmWiki URLs have now the HTTPS protocol. The documentation was updated.

Version 2.2.107 (2018-02-02)

This version includes more fixes for PHP 7.2 for forms and pagelists. A new variable $MailFunction allows administrators and developers to write replacement functions for the PHP function "mail()". Styles were improved for right-to-left text blocks embedded into left-to-right texts (and vice versa). The documentation was updated.

Version 2.2.106 (2017-12-01)

This version has a rewrite of the function PageListSort() to allow it to work with PHP 7.2, and fixes a bug with the backtick (escape) `WikiWord markup. The helper function pmsetcookie() and the variables $EnableCookieSecure, $EnableCookieHTTPOnly were added to allow easy setting of secure cookies. The documentation was updated.

Version 2.2.105 (2017-11-07)

This version fixes a bug with the PQA() function causing invalid HTML with attributes glued together. The function HandleUpload() was refactored and UploadSetVars($pagename) was added to allow upload-managing add-ons to set variables more easily.

If you upgrade from 2.2.98 or earlier, and you have custom markup rules relative to author signatures, please see note about change in 2.2.99 (documented November 2017).

Version 2.2.104 (2017-10-11)

This version fixes a bug with path WikiTrails reported today.

Version 2.2.103 (2017-10-01)

This version is a major upgrade on the internal processing of markups and patterns, all core scripts were updated to be compatible with PHP version 7.2. Whether you use that PHP version or another one, with any local configurations and custom add-ons, there should be no change for what you see, but if any problems please contact us immediately.

Pagelists can now have optimized list=grouphomes and fmt=#grouphomes arguments to list only the home pages of your wiki groups, whether they are named Group.HomePage, Group.Group, or a custom Group.$DefaultName. Minor bugs in older xlpage scripts were fixed, the responsive skin is now compatible with even older PmWiki/PHP versions, web subtitles (*.vtt) were added as an allowed extension, input form fields can now have a "title" attribute (usually rendered as a tooltip/help balloon when the mouse cursor is over the input element), and a configuration variable $AuthLDAPReferrals was added for wikis running AuthUser over LDAP to force enable or disable referrals when needed.

The documentation was updated.

Version 2.2.102 (2017-08-05)

This version reverts the patterns for text variables changed in 2.2.99, because we found that a longer text variable content may cause a blank page or an internal server error. In the page SiteAdmin.AuthList an input box was added to allow filtering of the groups or pages.

Version 2.2.101 (2017-07-30)

This version renames the internal constructor of the PageStore class to be compatible with both PHP 5 and PHP 7. Previously, the PageStore class had two constructors for PHP 4 and PHP 5 compatibility of which one was silently ignored, but recent PHP 7 versions display strict or deprecated notices when the PHP 4 constructor is used.

If you must use PmWiki 2.2.101 or newer on a PHP 4 installation, please contact me so I can provide you with a workaround.

Version 2.2.100 (2017-07-30)

This version provides a workaround for an incompatibility with our Subversion version control system, where the $Author wiki variable was considered a Subversion variable. A fix for the responsive skin adds some spacing above the WikiText block. The documentation was updated.

Version 2.2.99 (2017-06-26)

This version fixes a bug where an incomplete text variable without a closing parenthesis like "(:Var:Value" could hide the remaining of the page.

A bug was fixed where previewing a page didn't show changes to be done by replace-on-save patterns (the function ReplaceOnSave was refactored). Markup rules for previewing author signatures are no longer needed and were removed. Note that if you had custom markup rules processed before or after the ~~~ or ~~~~ author signatures may need to be set to '<[[~' (second argument of the Markup call).

A bug and a warning for PHP 4 installations were fixed. Two minor bugs with the [[<<]] line break for the responsive skin and the $Version variable link in the documentation were fixed.

The InterMap prefix to Wikipedia was corrected to use the secure HTTPS protocol and the documentation was updated.

Version 2.2.98 (2017-05-31)

This version adds a new skin that is better adaptable to both large and small screens, desktop and mobile devices (touchscreens). The new skin "pmwiki-responsive" is not enabled by default but available as an option, and as a base for customized copies. It requires a relatively modern browser (post-2009). The old skin is still available and enabled by default.

The Vardoc links now use MakeLink() to allow a custom LinkPage function. The function ReplaceOnSave() was refactored to allow easier calling from recipes. Markup processing functions now can access besides $pagename, a $markupid variable that contains the "name" of the processed markup rule, allowing a single function to process multiple markup rules. The "*.mkv" video extension was added to the list of allowed uploads.

A bug was fixed with the (:markup:) output where a leading space was lost. Note that the "markup" frame is now wrapped in a <pre> block with a "pre-wrap" style instead of <code>.

A number of other (minor) bugs were fixed: see ChangeLog, and the documentation was updated.

Version 2.2.97 (2017-04-07)

This version fixes a bug concerning $ScriptUrl when $EnablePathInfo is set, introduced in 2.2.96 and reported by 3 users.

Version 2.2.96 (2017-04-05)

This version fixes a severe PHP code injection vulnerability, reported by Gabriel Margiani. PmWiki versions 2.2.56 to 2.2.95 are concerned.

Only certain local customizations enable the vulnerability. Your website may be at risk if your local configuration or recipes call too early some core functions like CondAuth(), RetrievePageName() or FmtPageName(), before the $pagename variable is sanitized by ResolvePageName() in stdconfig.php. A specific URL launched by a malicious visitor may trigger the vulnerability.

Most recipes call core functions from a $HandleActions function, or from a Markup expression rule, these do not appear to be affected by the current exploit.

If your wiki may be at risk, it is recommended to upgrade to version 2.2.96 or most recent at the earliest opportunity. If you cannot immediately upgrade, you should place the following line in your local (farm)config.php file:

  $pagename = preg_replace('![${}\'"\\\\]+!', '', $pagename);

Place this line near the top of the file but after you include scripts/xlpage-utf-8.php or other character encoding file.

This version filters the $pagename variable to exclude certain characters. A new variable $pagename_unfiltered is added in case a recipe requires the previous behavior. The documentation was updated.

Version 2.2.95 (2017-02-28)

This is a documentation update version.

Version 2.2.94 (2017-01-31)

This version allows webmasters to configure and use both .html and .htm extensions. The cached information about whether a page exists or not will now be cleared when that page is created or deleted. The documentation was updated.

Version 2.2.93 (2016-12-31)

This is a documentation update version.

Version 2.2.92 (2016-11-30)

This version allows administrators to disable the "nopass" password by setting $AllowPassword to false. The function FmtPageName() will now expand PageVariables with asterisks like {*$FullName}. The documentation was updated.

Version 2.2.91 (2016-09-30)

This is a documentation update version.

Version 2.2.90 (2016-08-31)

This version adds a parameter to the upload form which can improve analytics from the server logs. Two new CSS classes were added to help skin developers: imgonly and imgcaption, for standalone embedded pictures with or without a caption. A bug with the plus-links was fixed. The documentation was updated.

Version 2.2.89 (2016-07-30)

This version allows to set a default class name for simple tables. The (:searchbox:) directive can now have a "placeholder" attribute, and the input type can be changed from "text" to "search" for HTML5 websites. The edit form elements have now identifier attributes to allow easier styling. All core scripts will now inject CSS into the skin only if it hasn't already been defined. The vardoc.php script now recognizes and links to the documentation for the variables $pagename, $Author and $Skin. The documentation was updated.

Version 2.2.88 (2016-06-29)

This version fixes invalid HTML output of some WikiTrail links. The function PHSC() can now have an optional fourth argument for a safe replacement of htmlspecialchars(). A new page variable {$SiteAdminGroup} was added and the documentation was updated.

Version 2.2.87 (2016-05-31)

This version adds the $HTMLTagAttr variable to be used in the <html> tag in skins for additional attributes like "lang" or "manifest". To enable it, use it in your skin, for example:

  <html xmlns="http://www.w3.org/1999/xhtml" $HTMLTagAttr>

The variable $EnableRevUserAgent, if set to 1, will cause the User-Agent string from browsers to be stored with each page history entry (as opposed to only storing the last user agent string). The output variable $DiffUserAgent can be used in history templates like $DiffStartFmt.

A wrong page variable in Site.UploadQuickReference was corrected, and the documentation was updated.

Version 2.2.86 (2016-04-28)

This version adds updates for PHP 7, for the PageStore() class and for the $DefaultPasswords default/unset definitions (no action should be needed upon upgrades). The documentation was updated.

Version 2.2.85 (2016-03-31)

This version adds Scalable Vector Graphics (*.svg, *.svgz) as allowed uploads and as embeddable picture extensions (with the html tag <img/>). The documentation was updated.

Version 2.2.84 (2016-02-21)

This version fixes "indent" and "outdent" styles for right-to-left languages. A new variable $EnableLinkPlusTitlespaced allows "plus links" [[Link|+]] to display the "Spaced Title" of the page instead the "Title". The documentation was updated.

Version 2.2.83 (2015-12-31)

This is a documentation update version.

Version 2.2.82 (2015-11-30)

This version enables stripmagic() to process arrays recursively and updates the documentation.

Version 2.2.81 (2015-10-31)

This version fixes an inconsistency with single line page text variables. International wikis enabling UTF-8 will now be able to use the CSS classes "rtl" and "ltr" to override the text direction when inserting right to left languages. The documentation was updated.

Version 2.2.80 (2015-09-30)

This version modifies the (:searchbox:) directive to use type="search" semantic input, and updates the documentation.

Version 2.2.79 (2015-08-27)

This version adds WikiStyles for the CSS basic colors "fuchsia", "olive", "lime", "teal", "aqua", "orange" and "gray"/"grey". New input elements "email", "url", "number", "date", and "search" can now be used in wiki forms.

Note: the "target" attribute of input forms which was added in the previous version broke the PmForm processor, and was removed until we find a solution. If you don't use PmForm and require this attribute (or others), the usual way to add it is to redefine the $InputAttrs array in your local configuration.

A new variable $EnableROSEscape can be set to 1 if $ROSPatterns and $ROEPatterns should not process source text wrapped with [=...=] or [@...@]. By default "replace on edit" patterns are performed even in such text.

The insMarkup() function in guiedit.js was refactored to allow custom input ids and/or custom functions to process the selected text.

The documentation was updated.

Version 2.2.78 (2015-07-21)

This version updates the $RobotPattern list with currently active user agents. Input forms can have a "target" attribute (removed in 2.2.79). The documentation was updated.

Note, this release broke the Cookbook:PmForm module. Please do upgrade to 2.2.79 or newer if your wiki uses PmForm.

Version 2.2.77 (2015-06-19)

This version extends the (:if attachments:) conditional to specify file and page names. A {$WikiTitle} page variable was added. A MatchNames() function was introduced as a generic way to match array values the same way MatchPageNames() does currently with lists of pages -- recipe authors can use it to get a subset of attachments for example. The PageStore() class was slightly optimized when recoding pages from-to UTF-8. The documentation was updated.

Version 2.2.76 (2015-05-31)

This version improves support for arrays in form elements: setting default values and recovering values from posted forms. A new "label" argument to checkbox and radio input elements allows easy insertion of clickable text labels after the form elements. Division blocks wrapping standalone images, and standalone image captions, now receive CSS classes allowing greater control via stylesheets. The documentation was updated.

Version 2.2.75 (2015-04-26)

This version adds a pmcrypt($pass, $salt) function which can be used as a replacement for the PHP crypt() function when encrypting passwords. From PHP 5.6 on, crypt() should not be used without a $salt parameter and would raise a notice. If pmcrypt() is called with a $salt parameter it will simply call crypt() in order to check a password. If it is called without a $salt parameter, pmcrypt() will create a password hash with the password_hash() function or with crypt() depending on your installation. You can replace any calls to crypt() with pmcrypt(), notably in config.php when defining $DefaultPasswords entries.

Markup was added for the semantic HTML5 tags article, section, nav, header, footer, aside, address.

A bug with the uploads feature was fixed when $EnableReadOnly is set, and the documentation was updated.

Version 2.2.74 (2015-03-28)

This version allows the translation of the word "OK" in authentication forms. The documentation was updated to the latest state on pmwiki.org.

Version 2.2.73 (2015-02-28)

This release only updates the documentation to the latest state on pmwiki.org.

Version 2.2.72 (2015-01-27)

This version improves the ?action=ruleset display for markup rules potentially incompatible with PHP 5.5 when the function debug_backtrace() is not available. It restores the ability to set a custom function handling the (:markup:) demos. A variable $AbortFunction was added allowing administrators to override the core Abort() function. The documentation was updated.

Version 2.2.71 (2014-12-29)

This version removes the hard word wrap in (:markup:) wikicode examples, and instead of <pre> tags, it wraps it in <code> tags. This allows newcomers to copy and paste the code in their wikis without inserted line breaks (which often cause the markup to not work).

The release also adds back-tracing for markup rules potentially incompatible with PHP 5.5. Such rules, often added by recipes, can trigger "Deprecated: preg_replace()" warnings. To find out which recipes may trigger the warnings, enable diagnostic tools in config.php with $EnableDiag = 1; then open a page with the 'ruleset' action, eg. [[HomePage?action=ruleset]]. The PHP-5.5-incompatible rules will be flagged with filenames, line numbers and patterns. See also the pages Troubleshooting and CustomMarkup on pmwiki.org.

The variable $DraftActionsPattern was added, the pagelist "request" parameter can now contain a list of allowed or disallowed parameters that can be overridden by the user, the "input default source" parameter can now contain multiple pages, and a minor bug was fixed in upload.php ('strict' warning). See the updated documentation for more information.

Version 2.2.70 (2014-11-08)

This release only updates the documentation to the latest state on pmwiki.org.

Version 2.2.69 (2014-10-13)

This version fixes a bug when dates are defined as relative to other dates, eg. "2014-10-13 -3 days". The documentation was updated; note that the instructions in Site.UploadQuickReference were updated to reflect the display of the upload form in current browsers.

Version 2.2.68 (2014-09-01)

This version adds a Skins: InterMap prefix pointing to the Skins section on PmWiki.org, a "signature" markup in the edit quick reference, new WikiStyles clear, min-width and max-width and the documentation was updated.

Version 2.2.67 (2014-08-02)

This version fixes an inconsistency with input forms when values are taken from PageTextVariables. The documentation was updated to the latest state on pmwiki.org.

Version 2.2.66 (2014-07-02)

This version fixes a minor longstanding bug in the default Notification format when a page is deleted. In custom patterns, the "_" character will no longer be considered a function name. The documentation was updated.

Version 2.2.65 (2014-06-07)

This version fixes Pagelist handling of {$$PseudoVars} when they contain page variables. File permissions handling was improved when the current directory is owned by "root". The documentation was updated.

Version 2.2.64 (2014-05-08)

This version adds the "{(mod)}" markup expression for modulo/remainder calculations, and the "tel:" and "geo:" URI schemes which, on compatible devices like smartphones, allow the creation of links to dial telephone numbers and open map/location applications.

The $SysMergePassthru switch was added, if enabled, it allows the "Simultaneous Edits" conflict resolution to use the passthru() function instead of popen().

The documentation was updated.

Version 2.2.63 (2014-04-05)

This version allows for form elements to have custom attributes containing a dash in the attribute names and enables the attributes 'required', 'placeholder' and 'autocomplete' for HTML5 forms. A minor bug with pagelist {$$RequestVariables} appearing on some installations was fixed. The documentation was updated.

Version 2.2.62 (2014-02-28)

This version adds the variable $EnableTableAutoValignTop which allows to make advanced tables compatible with HTML5. For developers, a fourth argument $template was added to the Markup_e() function, and a callback template 'return' was added. The documentation was updated.

Version 2.2.61 (2014-01-31)

This version removes unnecessary snippets of code and adds the variable $TableCellAlignFmt which allows to make simple tables compatible with HTML5. The documentation was updated.

Version 2.2.60 (2014-01-12)

This version reverts the changes to the pmwiki.css file made in 2.2.59.

Version 2.2.59 (2014-01-11)

This version has an improvement for Blocklist when multiple text fields are posted. A bug with some nested markup conditionals was fixed. The default skin switched font sizes from points (fixed) to percents (relative). A couple of other minor bugs were fixed and the documentation was updated.

Version 2.2.58 (2013-12-25)

This version enables customization of (:input auth_form:), and fixes a couple of minor bugs. The documentation was updated.

Version 2.2.57 (2013-11-03)

This version enables the use of the Attach: link format in the (:attachlist:) directive. The documentation was updated.

Version 2.2.56 (2013-09-30)

This version aims to fix a PHP 5.5 compatibility issue with a deprecated feature of the preg_replace() function. The PageStore() class now detects and works around a bug with the iconv() function, and the documentation was updated.

Version 2.2.55 (2013-09-16)

This version adds the variable $EnableDraftAtomicDiff. If enabled, publishing from a draft version will clear the history of intermediate draft edits, and the published version will contain a single combined diff from the previous published version. The documentation was updated.

Version 2.2.54 (2013-08-13)

This version fixes a bug when old versions are restored from draft pages. The documentation was updated.

Version 2.2.53 (2013-07-08)

This version enables a message to be shown when a post is blocked because of too many unapproved links. The documentation was updated.

Version 2.2.52 (2013-06-08)

This version hides warnings about a deprecated feature in PHP 5.5 installations (preg_replace with /e eval flag). Three new upload extensions were added: docx, pptx and xlsx produced by recent versions of some office suites. The documentation was updated.

Version 2.2.51 (2013-05-08)

This version updates the addresses for the remote blocklists. A minor XSS vulnerability for open wikis, which was discovered today, was fixed. The documentation was updated.

Version 2.2.50 (2013-04-08)

This release only updates the documentation to the latest state on pmwiki.org.

Version 2.2.49 (2013-03-09)

This version adds an array $UploadBlacklist containing forbidden strings of an uploaded filename (case insensitive). Some Apache installations try to execute a file which has ".php", ".pl" or ".cgi" anywhere in the filename, for example, "test.php.txt" may be executed. To disallow such files to be uploaded via the PmWiki interface, add to config.php such a line:

  $UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm', '.pcgi', '.asp', '.jsp', '.sh');

The documentation was updated.

Version 2.2.48 (2013-02-11)

This version fixes a bug introduced yesterday with some links.

Version 2.2.47 (2013-02-10)

This version enables tooltip titles in links to anchors in the same page, and the documentation was updated.

Version 2.2.46 (2013-01-07)

This version adds $UploadPermAdd and $UploadPermSet variables, and the documentation was updated.

If your wiki has uploads enabled, it is recommended to set the variable $UploadPermAdd to 0.

The $UploadPermAdd variable sets additional unix permissions applied to newly uploaded files, and should be 0 (recommended as of 2013). If uploaded files cannot be downloaded and displayed on the website, for example with the error 403 Forbidden, set this value to 0444 (core setting, default since 2004).

    $UploadPermAdd = 0; # recommended

The $UploadPermSet variable unconditionally sets the file permissions on newly uploaded files. Only advanced administrators should use it.

Version 2.2.45 (2012-12-02)

This version fixes some PHP notices appearing on some installations. The documentation was updated.

Version 2.2.44 (2012-10-21)

This version improves the display of consecutive whitespaces in page histories, and fixes the definition of PageTextVariables containing a dash. The documentation was updated.

Version 2.2.43 (2012-09-20)

This version makes it possible to use HTML attribute names that contain dashes, and removes a warning when editing and previewing Site.EditForm. The documentation was updated.

Version 2.2.42 (2012-08-20)

This version provides a workaround for cases when a wiki page contains a character nonexistent in the active encoding. The documentation was updated.

Version 2.2.41 (2012-08-12)

This version changes the internal $KeepToken separator to be compatible with more encodings. The documentation was updated.

Version 2.2.40 (2012-07-21)

This version provides a helper function replacing htmlspecialchars() and compatible with PHP 5.4. The documentation was updated.

Version 2.2.39 (2012-06-25)

This version provides a fix for links to attachments containing international characters. The documentation was updated.

Version 2.2.38 (2012-05-21)

This version fixes a "parameter count" warning which appeared on some websites.

Version 2.2.37 (2012-05-01)

This version provides a workaround for installations with broken iconv() function, while optimizing the recode function. This should fix the "Unable to retrieve edit form" problem in some wikis. Dots in sections are now better supported, PageVariables are expanded in PageList template defaults, and the documentation is updated.

Version 2.2.36 (2011-12-28)

This version fixes the recode function to try to recover Windows-1252 characters in ISO-8859-1 files. A new variable $EnableOldCharset enables the $page["=oldcharset"] entry which will be used in the future. A couple of minor bugs were fixed and the documentation was updated.

Version 2.2.35 (2011-11-11)

This release fixes a critical PHP injection vulnerability, reported today by Egidio Romano. PmWiki versions 2.2.X, 2.1.X, 2.0.X and 2.0.beta33 and newer are vulnerable. When you upgrade, please read carefully the Release notes for all PmWiki versions since yours.

If you cannot upgrade, it is recommended to disable Searches at the earliest opportunity (even if your wiki skin doesn't have a search form). Add to config.php such a line:

  if ($action == 'search') $action = 'browse';

If your old version wiki allows editing by not entirely trusted visitors, even on limited pages like a WikiSandbox, you should also disable PageLists. Add to config.php this line:

  $EnablePageList = 0;

This version has an important change for international wikis: the XLPage() function no longer loads encoding scripts such as xlpage-utf-8.php. When you upgrade, you need to include those scripts from config.php, before calling XLPage():

  include_once("scripts/xlpage-utf-8.php"); # if your wiki uses UTF-8

All links can now have tooltip titles. Previously, only images and external links could have tooltip titles, now this feature is enabled for internal links. To set a tooltip title, add it in quotes after the link address:

  [[Main.HomePage"This is a tooltip title"]]
  [[Main.HomePage"This is a tooltip title"|Home]]
  [[http://www.pmwiki.org"Home of PmWiki"]]
  Attach:image.jpg"Tooltip title of the image"

The following new upload extensions were added: svg, xcf, ogg, flac, ogv, mp4, webm, odg, epub. A couple of minor optimizations were added (MarkupExpressions and rendering of page history) and the documentation was updated.

Version 2.2.34 (2011-10-10)

This version resets the timestamps of the default pages Site(Admin).AuthUser which are expected in case of upgrades from the versions 2.1.*. Core MarkupExpressions which manipulate strings should now work better with international characters. The documentation was updated to its latest state from pmwiki.org.

Version 2.2.33 (2011-09-23)

This version fixes a security bug introduced in 2.2.32 which left the groups Site and SiteAdmin open for reading and editing because the pages Site.GroupAttributes and SiteAdmin.GroupAttributes didn't have all necessary attributes.

All wikis running 2.2.32 should upgrade. If you cannot immediately upgrade, you can set the attributes from your wiki:

  • open the attributes page [[SiteAdmin.GroupAttributes?action=attr]] and set a "read" and an "edit" password, @lock is recommended.
  • open the attributes page [[Site.GroupAttributes?action=attr]] and set an "edit" password, @lock is recommended. Do not set a "read" password here.

The release also fixes the refcount.php script to produce valid HTML, and updates intermap.txt entries PITS: and Wikipedia: to point to their current locations.

Version 2.2.32 (2011-09-18)

This is the first version shipping with the core documentation in the UTF-8 encoding. PmWiki will automatically convert it on the fly for wikis using an older encoding.

It is recommended that all new PmWiki installations enable UTF-8. Migration of existing wikis from an older encoding to UTF-8 shouldn't be rushed: it is not trivial and will be documented in the future.

A required HTML xmlns attribute was added to the print skin template. The history rendering is now faster when many lines are added or removed.

Note: Due to a manipulation error, a version 2.2.31 was created before it was ready for a release.

Version 2.2.30 (2011-08-13)

This version fixes a $Charset definition in international iso-8859-*.php files. This will help for a future transition to UTF-8.

A variable $EnableRangeMatchUTF8 was added, set it to 1 to enable range matches of pagenames in UTF-8 like [A-D]. Previously the range matches were always enabled in UTF-8, but we found out that on some installations this feature breaks all pagelists, even those without range matches. In case the feature worked for you, you can re-enable it.

Version 2.2.29 (2011-07-24)

This release fixes Attach links that were broken with the Path fix in 2.2.28 earlier today.

Version 2.2.28 (2011-07-24)

This release fixes 2 potential XSS vulnerabilities and a bug with Path: links.

Version 2.2.27 (2011-06-19)

This release fixes a validation bug on pages after a redirection. A new block WikiStyle %justify% was added, allowing left and right aligned text. The page history now accepts a URL parameter ?nodiff=1 which hides the rendering of edit differences, showing only timestamps, authors, summaries and "Restore" links; it allows to restore a vandalized page with a huge contents or history which otherwise would break the memory or time limits of the server.

Version 2.2.26 (2011-05-21)

This release fixes a redundant removal of link hashes from WikiTrails, and updates the documentation to the most recent version from PmWiki.org.

Version 2.2.25 (2011-03-22)

This release only updates the documentation to the latest state on pmwiki.org.

Version 2.2.24 (2011-02-15)

This version reverts the way existing PageVariables are processed, like version 2.2.21 or earlier, but it adds a special variable $authpage which can be used in PageVar definitions. It is the same as the $page array, but exists only if the visitor has read permissions. For example, an administrator can set to config.php:

  $FmtPV['$LastModifiedSummary'] = '@$authpage["csum"]'; # instead of '@$page["csum"]'

Then, the edit summary metadata will only be available if the user has read permissions.

Version 2.2.23 (2011-01-25)

This version sets the default value of $EnablePageVarAuth to 0 until we investigate a reported problem with authentication.

Version 2.2.22 (2011-01-16)

This version adds the variable $EnableXLPageScriptLoad which, if set to 0, will prevent authors to load scripts from XLPage and to accidentally change the encoding of the wiki. If you use it, make sure you include the required files, eg. xlpage-utf-8.php from local config files.

PageVariables should now respect authentications: without read permissions, the title, description, change summary, author of a protected page are unavailable. PageVariables that are computed without reading the page are still available (eg. $Group, $Namespaced, $Version etc.). Administrators can revert the previous behavior by adding to config.php such a line:

$EnablePageVarAuth = 0;

Version 2.2.21 (2010-12-14)

Due to a mis-configuration of a local svn repository, some of the changes intended for 2.2.20 didn't make it in the correct branch. This release corrects this.

Version 2.2.20 (2010-12-14)

This version fixes a potential XSS vulnerability, reported today. An AuthUser bug with excluding users from authgroups was fixed. A new InterMap prefix PmL10n: was added, it leads to the Localization section on PmWiki.org and should help the work of translators. A couple of other minor bugs were fixed and the documentation was updated.

Version 2.2.19 (2010-11-10)

This is a documentation-update release.

Version 2.2.18 (2010-09-04)

This version fixes 3 minor bugs, and updates the documentation.

Version 2.2.17 (2010-06-20)

This version adds a variable $PostConfig containing functions and scripts to be loaded after stdconfig.php. Tabindex was added as a valid form field attribute. Protected downloads now respect existing browser caches. AuthUser now allows more flexible cookbook recipe integration. A couple of bugs were fixed and the documentation was updated.

Version 2.2.16 (2010-05-10)

This version fixes a bug with parsing html attributes which could allow XSS injection. Wikis allowing unprotected editing are encouraged to upgrade.

A bug with the "center" button of the GUI edit toolbar was corrected.

The "exists" conditional now accepts wildcards, for example:

  (:if exists Main.*:)There are pages in the Main group (:if:)

The documentation was updated.

Version 2.2.15 (2010-03-27)

This version adds some minor bugfixes and optimizations notably a bug with (:template none:) introduced in the last version 2.2.14.

Version 2.2.14 (2010-02-27)

This release corrects inline styles for WikiTrail links. Undefined include/template {$$variables} are now removed from the included section, like Page(Text)Variables, and can be used in conditional expressions. If needed, this change can be reverted by adding to config.php such a line:

  $EnableUndefinedTemplateVars = 1; # keep and display unset {$$variables}

PageList templates now accept the sections !first and !last for markup to appear for every page in list except the first or last one.

"Title" attributes were added to external links. You can have tooltip titles on external links, including InterMap and attachments, by adding the link title in double quotes after the URL:

  [[http://www.pmwiki.org"Home of PmWiki"| External link]]

For international wikis, PmWiki now automatically translates the titles of technical pages like GroupAttributes or RecentChanges -- just define these strings as usual in XLPage, for example, in French:

  'AllRecentChanges' => 'Tous les changements récents',

Some minor optimizations were done and the documentation was updated.

Version 2.2.13 (2010-02-21)

This release fixes a bug with $DiffKeepNum introduced in 2.2.10 -- the count of revisions was incorrect and a page could drop more revisions than it should.

The page history layout was modified with a rough consensus in the community. The history now defaults to "source" view with word-level highlighting of the differences. Authors can see the changes in rendered output by clicking on the link "Show changes to output". Admins can switch back the default by adding such a line to config.php:

  $DiffShow['source'] = (@$_REQUEST['source']=='y')?'y':'n';

To disable word-level highlighting and show plain text changes:

  $EnableDiffInline = 0;

In the page history rendering, a few minor bugs were fixed and the code was slightly optimized.

The documentation was updated.

Version 2.2.12 (2010-02-17)

This release adds simple word-level highlighting of differences in the page history, when "Show changes to markup" is selected. To enable the feature, add to config.php such a line:

  $EnableDiffInline = 1;

This feature is like what the InlineDiff recipe provides, but not exactly the same, and the implementation is simpler. It is enabled on PmWiki.org and can be improved -- your comments are welcome.

Version 2.2.11 (2010-02-14)

This release adds two new table directives for header cells, (:head:) and (:headnr:). They work the same way as (:cell:) and (:cellnr:) except that create <th> instead of <td> html tags.

The pagerev.php script was refactored into separate functions to allow easier integration of recipes displaying the page history.

A couple of minor bugs were fixed and the documentation was updated.

Version 2.2.9, 2.2.10 (2010-01-17)

Most important in this release is the official change of $EnableRelativePageVars to 1. The change is about how {$Variable} in included pages is understood by PmWiki.

  • When $EnableRelativePageVars is set to 0, {$Name} displays the name of the currently browsed page. Even if {$Name} is in an included page, it will display the name of the browsed page.
  • When $EnableRelativePageVars is set to 1, {$Name} displays the name of the physical page where it written. If {$Name} is in an included page, it will display the name of the included page.
  • {*$Name} always displays the name of the currently browsed page, regardless of $EnableRelativePageVars.

So, if your wiki relies on page variables from included pages, and doesn't have $EnableRelativePageVars set to 1, after upgrading to 2.2.9, you can revert to the previous behavior by adding to config.php such a line:

  $EnableRelativePageVars = 0;

More information about page variables can be found at:


This release adds a new variable $EnablePageTitlePriority which defines how to treat multiple (:title..:) directives. If set to 1, the first title directive will be used, and if a page defines a title, directives from included pages cannot override it. PmWiki default is 0, for years, the last title directive was used (it could come from an included page or GroupFooter).

This release also adds a new variable $DiffKeepNum, specifying the minimum number (default 20) of edits that will be kept even if some of them are older than the limit of $DiffKeepDays.

A number of bugs were fixed and the documentation was updated.

Version 2.2.8 (2009-12-07)

This release fixes another PHP 5.3 compatibility issue with conditional markup. The Author field now handles apostrophes correctly. The documentation was updated.

Version 2.2.7 (2009-11-08)

This release fixes most PHP 5.3 compatibility issues. Unfortunately some specific builds for Windows may still have problems, which are unrelated to PmWiki. Notably, on Windows, all passwords need to be 4 characters or longer.

Upload names with spaces are now correctly quoted. The documentation was updated.

Version 2.2.6 (2009-10-04)

With this release it is now possible to display recently uploaded files to the RecentChanges pages -- if you have been using the RecentUploadsLog recipe, please uninstall it and follow the instructions at http://www.pmwiki.org/wiki/Cookbook/RecentUploadsLog.

The release also introduces $MakeUploadNamePatterns to allow custom filename normalization for attachements. It is now possible to replace $PageListFilters and $FPLTemplateFunctions with custom functions. Notify should now work in safe_mode. Some bugs were fixed, among which one with conditional markup with dates. The documentation was updated.

Version 2.2.5 (2009-08-25)

This release adds a new markup for Pagelist templates, (:template none:) which allows a message to be set when the search found no pages. The FPLTemplate() function was broken into configurable sub-parts to allow development hooks. A number of bugs were fixed, and the documentation was updated.

Version 2.2.4 (2009-07-16)

This release fixes a bug introduced earlier today with HTML entities in XLPages.

Version 2.2.3 (2009-07-16)

This release fixes six potential XSS vulnerabilities, reported by Michael Engelke. The vulnerabilities may affect wikis open for editing and may allow the injection of external JavaScripts in their pages. Public open wikis should upgrade.

A new variable $EnableUploadGroupAuth was added; if set to 1, it allows password-protected uploads to be checked against the Group password.

It is now possible to use @_site_edit, @_site_read, @_site_admin or @_site_upload global passwords in GroupAttributes pages.

A number of other small bugs were fixed, and the documentation was updated.

Version 2.2.2 (2009-06-21)

The major news in this release is a fix of an AuthUser vulnerability.

The vulnerability affects only wikis that (1) rely on the AuthUser core module for User:Password authentication, -AND- (2) where the PHP installation runs with the variable "magic_quotes_gpc" disabled.

All PmWiki 2.1.x versions from pmwiki-2.1.beta6 on, all 2.2.betaX, 2.2.0, and 2.2.1 are affected.

The PmWiki SiteAnalyzer can detect if your wiki needs to upgrade:


If your wiki is vulnerable, you should do one of the following at the earliest opportunity:

  • Upgrade to a version of PmWiki at least 2.2.2 or greater.
  • Turn on magic_quotes_gpc in the php.ini file or in a .htaccess file.

Alternatively, you can temporarily disable AuthUser until you upgrade.

Note that even if your wiki does not have the AuthUser vulnerability at the moment, you are strongly encouraged to upgrade to PmWiki version 2.2.2 or later, as some future configuration of your hosting server might put you at risk.

This release also comes with minor updates in the local documentation; fixes were applied for international wikis - notably global variables in xlpage-utf-8.php and a new variable $EnableNotifySubjectEncode, which allows e-mail clients to correctly display the Subject header; and a number of other small bugs were fixed.

Version 2.2.1 (2009-03-28)

This release comes with an updated local documentation; wiki trails now work cross-group; guiedit.php now produces valid HTML, and other small bugs were fixed. We also added $EnableRedirectQuiet, which allows redirects to take place without any mention of "redirected from page ....".

Version 2.2.0 (2009-01-18)

This is a summary of changes from 2.1.x to 2.2.0.

  • Several pages that were formerly in the Site.* group are now in a separate SiteAdmin.* group, which is read-restricted by default. The affected pages include Site.AuthUser, Site.AuthList, Site.NotifyList, Site.Blocklist, and Site.ApprovedUrls . If upgrading from an earlier version of PmWiki, PmWiki will prompt to automatically copy these pages to their new location if needed. If a site wishes to continue using the old Site.* group for these pages, simply set
when carrying out this upgrade inspect your config files for lines such as
$BlocklistDownload['Site.Blocklist-PmWiki'] = array('format' => 'pmwiki');
as you may wish to fix then, eg
$BlocklistDownload[$SiteAdminGroup . '.Blocklist-PmWiki'] = array('format' => 'pmwiki');
  • Important Change in Passwords in PmWiki 2.2 indicating that the group can be edited even if a site password is set will be done by "@nopass" prior it was done by "nopass"
When migrating a wiki you will have to manually modify the permission or by a script replace in all the page concerned passwdread=nopass: by passwdread=@nopass (see PITS:00961) --isidor
  • PmWiki now ships with WikiWords entirely disabled by default. To re-enable them, set either $LinkWikiWords or $EnableWikiWords to 1. To get the 2.1 behavior where WikiWords are spaced and parsed but don't form links, use the following:
  • It's now easy to disable the rule that causes lines with leading spaces to be treated as preformatted text -- simply set $EnableWSPre=0; to disable this rule.
    Important: There is ongoing discussion that the leading whitespace rule may be disabled by default in a future versions of PmWiki. If you want to make sure that the rule will continue to work in future upgrades, set $EnableWSPre=1; in local/config.php.
  • The $ROSPatterns variable has changed somewhat -- replacement strings are no longer automatically passed through FmtPageName() prior to substitution (i.e., it must now be done explicitly).
  • Page variables and page links inside of (:include:) pages are now treated as relative to the included page, instead of the currently browsed page. In short, the idea is that links and page variables should be evaluated with respect to the page in which they are written, as opposed to the page in which they appear. This seems to be more in line with what authors expect. There are a number of important ramifications of this change:

  • We now have a new {*$var} form of page variable, which always refers to "the currently displayed page". Pages such as Site.PageActions and Site.EditForm that are designed to work on "the currently browsed page" should generally switch to using {*$FullName} instead of {$FullName}.
  • The $EnableRelativePageLinks and $EnableRelativePageVars settings control the treatment of links and page variables in included pages. However, to minimize disruption to existing sites, $EnableRelativePageVars defaults to disabled. This will give existing sites an opportunity to convert any absolute {$var} references to be {*$var} instead.
  • Eventually $EnableRelativePageVars will be enabled by default, so we highly recommend setting $EnableRelativePageVars = 1; in local/config.php to see how a site will react to the new interpretation. Administrators should especially check any customized versions of the following:
    SideBar pages with ?action= links for the current page
    Page lists that refer to the current group or page, etc in sidebars, headers, and footers
  • The (:include:) directive now has a basepage= option whereby an author can explicitly specify the page upon which relative links and page variables should be based. If no basepage= option is specified, the included page is assumed to be the base.
  • Sites that want to retain the pre-2.2 behavior of (:include:) and other items can set $Transition['version'] = 2001900; to automatically retain the 2.1.x defaults.
  • Text inserted via (:include:) can contain "immediate substitutions" of the form {$$option} -- these are substituted with the value of any options provided to the include directive.
  • PmWiki now recognizes when it is being accessed via "https:" and switches its internal links appropriately. This can be overridden by explicitly setting $ScriptUrl and $PubDirUrl.
  • A new $EnableLinkPageRelative option allows PmWiki to generate relative urls for page links instead of absolute urls.
  • Draft handling capabilities have been greatly improved. When $EnableDrafts is set, then the "Save" button is relabeled to "Publish" and a "Save draft" button appears. In addition, an $EnablePublishAttr configuration variable adds a new "publish" authorization level to distinguish editing from publishing. See PmWiki:Drafts for more details.

  • There is a new {$:var} "page text variable" available that is able to grab text excerpts out of markup content. For example, {SomePage$:Xyz} will be replaced by a definition of "Xyz" in SomePage. Page text variables can be defined using definition markup, a line beginning with the variable name and a colon, or a special directive form (that doesn't display anything on output):
    :Xyz: some value            # definition list form
    Xyz: some value             # colon form
    (:Xyz: some value:)         # directive form

  • The (:pagelist:) command can now filter pages based on the contents of page variables and/or page text variables. For example, the following directive displays only those pages that have an "Xyz" page text variable with "some value":
    (:pagelist $:Xyz="some value":)
    Wildcards also work here, thus the following pagelist command lists pages where the page's title starts with the letter "a":
    (:pagelist $Title=A* :)
  • The if= option to (:pagelist) can be used to filter pages based on conditional markup:
    (:pagelist if="auth upload {=$FullName}":) pages with upload permission
    (:pagelist if="date today.. {=$Name}":) pages with names that are dates later than today
  • Spaces no longer separate wildcard patterns -- use commas. (Most people have been doing this already.)
  • Because page variables are now "relative", the {$PageCount}, {$GroupCount}, {$GroupPageCount} variables used in pagelist templates are now {$$PageCount}, {$$GroupCount}, {$$GroupPageCount}.
  • One can now use {$$option} in a pagelist template to obtain the value of any 'option=' provided to the (:pagelist:) command.
  • The (:pagelist:) directive no longer accepts parameters from urls or forms by default. In order to have it accept such parameters (which was the default in 2.1 and earlier), add a request=1 option to the (:pagelist:) directive.
  • The count= option to pagelists now accepts negative values to count from the end of the list. Thus count=5 returns the the first five pages in the list, and count=-5 returns the last five pages in the list. In addition, ranges of pages may be specified, as in count=10..19 or count=-10..-5.
  • Pagelist templates may have special (:template first ...:) and (:template last ...:) sections to specify output for the first or last page in the list or a group. There's also a (:template defaults ...:) to allow a template to specify default options.
  • PmWiki comes with an ability to cache the results of certain (:pagelist:) directives, to speed up processing on subsequent visits to the page. To enable this feature, set $PageListCacheDir to the name of a writable directory (e.g., work.d/).
  • The (:if ...:) conditional markup now also understands (:elseif ...:) and (:else:). In addition, markup can nest conditionals by placing digits after if/elseif/else, as in (:if1 ...), (:elseif1 ...:), (:else1:), etc.
  • The (:if date ...:) conditional markup can now perform date comparisons for dates other than the current date and time.
  • WikiTrails can now specify #anchor identifiers to use only sections of pages as a trail.
  • A new (:if ontrail ...:) condition allows testing if a page is listed on a trail.
  • The extensions .odt, .ods, and .odp (from OpenOffice.org) are now recognized as valid attachment types by default.
  • A new blocklist capability has been added to the core distribution. It allows blocking of posts based on IP address, phrase, or regular expression, and can also make use of publicly available standard blocklists. See PmWiki.Blocklist for details.
  • There is a new SiteAdmin.AuthList page that can display a summary of all password and permissions settings for pages on a site. This page is restricted to administrators by default.
  • There are new {$PasswdRead}, {$PasswdEdit}, etc. variables that display the current password settings for a page (assuming the browser has attr permissions or whatever permissions are set in $PasswdVarAuth).
  • Forms creation via the (:input:) markup has been internally refactored somewhat (and may still undergo some changes prior to 2.2.0 release). The new (:input select ...:) markup can be used to create select boxes, and (:input default ...:) can be used to set default control values, including for radio buttons and checkboxes.
  • The (:input textarea:) markup now can take values from other sources, including page text variables from other pages.
  • Specifying focus=1 on an (:input:) control causes that control to receive the input focus when a page is loaded. If a page has multiple controls requesting the focus, then the first control with the lowest value of focus= "wins".
  • PmWiki now provides a scripts/creole.php module to enable Creole standard markup. To enable this, add include_once('scripts/creole.php') to a local customization file.
  • PmWiki adds a new {(...)} markup expression capability, which allows various simple string and data processing (e.g., formatting of dates and times). This is extensible so that recipe authors and system administrators can easily add custom expression operators.
  • It's now possible to configure PmWiki to automatically create Category pages whenever a page is saved with category links and the corresponding category doesn't already exist. Pages are created only if the author has appropriate write permissions into the group. To enable this behavior, add the following to local/config.php:
    $AutoCreate['/^Category\\./'] = array('ctime' => $Now);
  • Sites with wikiwords enabled can now set $WikiWordCount['WikiWord'] to -1 to indicate that 'WikiWord' should not be spaced according to $SpaceWikiWords.
  • WikiWords that follow # or & are no longer treated as WikiWords.
  • Links to non-existent group home pages (e.g., [[Group.]] and [[Group/]]) will now go to the first valid entry of $PagePathFmt, instead of being hardcoded to "Group.Group". For example, to set PmWiki to default group home pages to $DefaultName, use
    $PagePathFmt = array('{$Group}.$1', '$1.{$DefaultName}', '$1.$1');
  • PmWiki now provides a $CurrentTimeISO and $TimeISOFmt variables, for specifying dates in ISO format.
  • Cookbook authors can use the internal PmWiki function UpdatePage (temporarily documented at DebuggingForCookbookAuthors) to change page text while preserving history/diff information, updating page revision numbers, updating RecentChanges pages, sending email notifications, etc.
  • Skin templates are now required to have <!--HTMLHeader--> and <!--HTMLFooter--> directives. Setting $EnableSkinDiag causes PmWiki to return an error if this isn't the case for a loaded skin. Skins that explicitly do not want HTMLHeader or HTMLFooter sections can use <!--NoHTMLHeader--> and <!--NoHTMLFooter--> to suppress the warning.
  • Added a new "pre" wikistyle for preformatted text blocks.
  • The xlpage-utf-8.php script now understands how to space UTF-8 wikiwords.
  • Searches on utf-8 site are now case-insensitive for utf-8 characters.
  • Many Abort() calls now provide a link to pages on pmwiki.org that can explain the problem in more detail and provide troubleshooting assistance.
  • PmWiki no longer reports "?cannot acquire lockfile" if the visitor is simply browsing pages or performing other read-only actions.
  • The $EnableReadOnly configuration variable can be set to signal PmWiki that it is to run in "read-only" mode (e.g., for distribution on read-only media). Attempts to perform actions that write to the disk are either ignored or raise an error via Abort().
  • Including authuser.php no longer automatically calls ResolvePageName().
  • Authentication using Active Directory is now simplified. In Site.AuthUser or the $AuthUser variable, set "ldap://name.of.ad.server/" with no additional path information (see PmWiki.AuthUser for more details).
  • Pages are now saved with a "charset=" attribute to identify the character set in effect when the page was saved.
  • The phpdiff.php algorithm has been optimized to be smarter about finding smaller diffs.
  • Removed the (deprecated) "#wikileft h1" and "#wikileft h5" styles from the pmwiki default skin.
  • The mailposts.php and compat1x.php scripts have been removed from the distribution.

Bugs and other requests can be reported to the PmWiki Issue Tracking System at http://www.pmwiki.org/wiki/PITS/PITS. Any help in testing, development, and/or documentation is greatly appreciated..

Release Notes archive - notes for versions older than 2.2.0.

This page may have a more recent version on pmwiki.org: PmWiki:ReleaseNotes, and a talk page: PmWiki:ReleaseNotes-Talk.

Page last modified on 12 February 2023, at 8:31 GMT