Release Notes for XWiki 14.6

Last modified by Michael Hamann on 2023/01/10

This is the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.

This release brings paginated attachments, multiple categories support for wiki macros and cancelable multi-page PDF exports. Admins can now control where the PDF export is performed (server-side or client-side) and also security related aspects, such as what HTML elements attributes are allowed in wiki syntax or the HTML macro. The old events store has also been moved to legacy, as it will eventually stop being bundled by default. On the other hand, the CKEditor integration was moved from Contrib into XWiki Platform. Finally, an important security-related migration is now available and configurable regarding the notification and regeneration of user passwords for potentially affected users.

The following regressions were introduced in this release (and found after it was released). Please check them out and if they impact you we recommend waiting to upgrade to a version where they are fixed.

New and Noteworthy (since XWiki 14.5)

Full list of issues fixed and Dashboard for 14.6.

For Users

Ckeditor Macro Dialog filters by categories

 
The CKEditor Macros dialog now allows to filter by several categories. In addition, all the listed macros are now displaying their categories.

In addition, macros with an hidden category are not displayed to users who have Display hidden pages set to False in their preferences. Hidden macros categories are Deprecated and Internal by default, and can be configured by Admins since 14.8+.

Cancel PDF Export

 
You can now cancel a running multi-page PDF export job, either because you triggered it by mistake (for a large subtree of pages) or because it takes too long, or any other reason. See the PDF Export Application documentation for more information.

Wiki macros can have several categories

 
The wiki macros can have several categories. The deprecated Default category is replaced by Default categories.

Add pagination for Attachments

 
The attachments tab is now displayed using a Livetable, with only 5 rows displayed at a time to avoid a crowded section. This way, on pages with multiple attached files users can use the navigation and filtering options to search for specific attachments.

Macro Categories listed in the available macros page

 
The list of all the categories of the macros are now listed in the available macros page.

Miscellaneous

  • Java macros can have several categories: The java macros can have several categories. The deprecated setDefaultCategory is replaced by setDefaultCategories. For instance:

    /**
    * Create and initialize the descriptor of the macro.
    */

    public ExampleMacro()
    {

     super("Example", DESCRIPTION, ExampleMacroParameters.class);
      setDefaultCategories(java.util.Collections.singleton("Tutorial"));
    }

For Admins

  • Force client-side PDF generation: The PDF Export application has a new global setting to control whether the PDF is generated server-side (e.g. using a headless Chrome web browser running inside a Docker container) or client-side, using the user's web browser:

    # [Since 14.6RC1]
    # Whether the PDF export should be performed server-side, e.g. using a headless Chrome web browser running inside a
    # Docker container, or client-side, using the user's web browser instead; defaults to server-side PDF generation
    export.pdf.serverSide=true

    Note that client-side generation has the downside that different users may get a different PDF result for the same wiki page (same content).

  • New Options for Allowed HTML Elements and Attributes: New options for HTML cleaning were added that allow precise control which attributes and elements are allowed in XWiki syntax but also in the HTML macro in restricted contexts. The default settings should be fine but in case you notice any breakage due to attributes no longer working or want to restrict certain features like inline-styling, consult the documentation on these options. Do not hesitate to contact us on the forum or the chat in case you notice unexpected breakages or other issues with this change.

For Developers

Moved the old event store to legacy

 
The old events store is still bundled with XWiki for now. However, it has now been moved to legacy in order to make sure it is not actively used in the product, to discourage others from directly using it (by mistake) and as a first step before actually stopping to bundle it.

Miscellaneous

  • Figure Type Identification: A data-xwiki-rendering-figure-type property is added to the rendered figures macro. Its value is table if the figure contains a single table, and figure otherwise.

  • Provide a way to list the categories of a macro: The MacroCategoryManager from Rendering Macro Transformation provides a getMacroCategories operation that takes a MacroId object and return the set of categories of the macro. The default implementation takes into account the macro categories overriding that can be done in xwiki.properties.

  • Script service to access the macro categories: Calling $services.rendering.getMacroCategories($macroId) returns a Set of the categories of the macro. See XWiki Platform - Rendering - XWiki-specific Implementation.

  • New HTML Sanitizer: A new HTML Sanitizer component has been added that allows checking if a certain HTML element, attribute and attribute value are considered safe according to the current configuration. This can be used when validating user input. The sanitizer also supports SVG and MathML with the features available when they are embedded in HTML documents.

Moved Modules

CKEditor Integration is now part of XWiki Platform. The extension will still be maintained as an independent contribution extension, for bug fixes only, until the 14.4.x and 13.10.x branches become unsupported. Please create new issues on the XWiki Plaform Jira project. Issues can still be created in the CKEditor Integration Jira project only for bug that are impacting branches 14.4.x and 13.10.x.

Upgrades

The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):

Translations

The following translations have been updated: 

Tested Browsers & Databases

Here is the list of browsers we support and how they have been tested for this release:

 BrowserTested on:
Firefox30.pngMozilla Firefox 102
Chrome30.pngGoogle Chrome 103Not Tested
Edge30.pngMicrosoft Edge 103Not Tested
Safari30.pngSafari 15Not Tested

Here is the list of databases we support and how they have been tested for this release:

 DatabaseTested on:
hypersql.pngHyperSQL 2.6.1Not Tested
postgresql.pngPostgreSQL 14Jira Tickets Marked as Fixed in the Release Notes
mariadb.pngMariaDB 10.6Not tested
mysql.pngMySQL 8Not Tested
oracle.pngOracle 19cTests run and results

Here is the list of Servlet Containers we support and how they have been tested for this release:

 Servlet ContainerTested on:
tomcat-icon.pngTomcat 9.0.65
jetty-icon.pngJetty 10.0.7 (XWiki Standalone packaging)Not Tested
jetty-icon.pngJetty 10.0.7Not Tested

Known issues

Backward Compatibility and Migration Notes

General Notes

  • When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
    • xwiki.cfg
    • xwiki.properties
    • web.xml
    • hibernate.cfg.xml
  • Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you backup your Database before doing anything.

Issues specific to XWiki 14.6

Migration sending emails

A migration is provided as part of this upgrade that might trigger a reset password of some users. As part of this operation, some emails are automatically being sent by default: a first mail informing about a possible data leak, and a second mail for asking users to reset their password.

It's possible to chose whether the mails should be sent or not by editing the following properties:

#-# [Since 14.6RC1]
#-# [Since 14.4.3]
#-# [Since 13.10.8]
#-# This option is only used when performing a migration from a wiki before the versions mentioned above.
#-#
#-# This parameter defines if as part of the migration R140600000XWIKI19869 the passwords of impacted user should be
#-# reset or not. It's advised to keep this value as true, now for some usecases advertised administrators might want
#-# their users to keep their passwords nevertheless, then enable the configuration and set it to false before the
#-# migration is executed.
# security.migration.R140600000XWIKI19869.resetPassword = true

#-# [Since 14.6RC1]
#-# [Since 14.4.3]
#-# [Since 13.10.8]
#-# This option is only used when performing a migration from a wiki before the versions mentioned above.
#-#
#-# This parameter defines if reset password emails should be sent as part of the migration R140600000XWIKI19869.
#-# By default this value is set to true, so emails will be automatically produced. Now it's possible for admin to set
#-# this option to false: note that in such case a file containing the list of users for whom a reset password email
#-# should be sent will still be created in the permanent directory (named 140600000XWIKI19869DataMigration-users.txt).
#-# If this file exists and this property is set back to true after the migration, the file will still be consumed to
#-# send the emails, so it's possible to perform the migration and send the emails only later if needed.
# security.migration.R140600000XWIKI19869.sendResetPasswordEmail = true

#-# [Since 14.6RC1]
#-# [Since 14.4.3]
#-# [Since 13.10.8]
#-# This option is only used when performing a migration from a wiki before the versions mentioned above.
#-#
#-# This parameter defines if a security email information should be sent as part of the migration R140600000XWIKI19869.
#-# By default this value is set to true, so emails will be automatically produced. Now it's possible for admin to set
#-# this option to false: note that in such case a file containing the list of users for whom a reset password email
#-# should be sent will still be created in the permanent directory (named 140600000XWIKI19869DataMigration-users.txt).
#-# If this file exists and this property is set back to true after the migration, the file will still be consumed to
#-# send the emails, so it's possible to perform the migration and send the emails only later if needed.
# security.migration.R140600000XWIKI19869.sendSecurityEmail = true

Note that the mails are sent after the migration is actually performed, during the wiki intialization by reading a file named 140600000XWIKI19869DataMigration-users.txt created in the permanent directory during the migration. So it's possible for an administrator to set the properties for sending the emails to false for performing the migration, and to actually set them back to true before a next restart to send the emails at this moment. Be aware that the file is deleted as soon as the emails are processed to be sent: in case of failure for sending the emails, please check the administration of the wiki to see the status of the created emails.

It's also possible for administrators to configure the template of the first mail by creating a file named 140600000XWIKI19869-mail.txt in the permanent directory. The format of this template is the following:

Subject:<the subject of the email>
<the plain text content of the email>

By default, the mail template is the following:

Subject: Important security issue
Dear user,

due to a bug your password was stored in plain text in our wiki. We cannot exclude that your plain text password was exposed in a data leak. Therefore, you might receive a second email to choose a new password. 
Please contact the administrator in case of problem or for further questions.

Renaming of actions related to authentication

Two possible authentication resource URL can be used to respectively ask for a password reset, and ask for retrieving a username from an email address. The associated resource actions used to be /authenticate/reset and /authenticate/forgot. Since those were not very explicit we renamed them as part of fixing a bug, and they are now respectively named /authenticate/resetpassword and /authenticate/retrieveusername. So be careful to update your URLs if you use those in some places.

No more legacy events migration step in the Distribution Wizard

If you upgrade from a version of XWiki older than 12.4 you will need to migrate events (notifications) if you don't want them to appear lost. There used to be a step proposing it in the Distribution Wizard but as we are preparing to remove all the legacy events code from XWiki Standard this step was removed but you can still ask for a migration from the wiki administration (Administer Wiki -> Social -> Notifications -> Events migration).

Restrictions on allowed attributes

New options for HTML cleaning were added that allow precise control which attributes and elements are allowed in XWiki syntax and in the HTML macro in restricted contexts. The default settings should be fine but in case you notice any breakage due to attributes no longer working or want to restrict certain features like inline-styling, consult the documentation on these options. Do not hesitate to contact us on the forum or the chat in case you notice unexpected breakages or other issues with this change.

API Breakages

No APIs breakage since XWiki 14.5.

Credits

The following people have contributed code and translations to this release (sorted alphabetically):

Eduard Moraru
Manuel Leduc
Marius Dumitru Florea
Michael Hamann
Oana-Lavinia Florean
Simon Urli
Simpel
Thomas Mortagne
Vincent Massol
oanalavinia
xrichard

Get Connected