This is the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.

This release provides a first experimental version of the Required Right Analysis feature, which needs to be activated by administrators to be used, and aims at better understanding consequences of editions regarding rights. It also comes with an important performance improvements on the rendering of macros. The look and feel also has been improved on heading and border radius, but also by polishing rights UI and Index Application. For developers, it's now possible to inject custom pre-edit checks similar to what already exists for locked pages, or pages owned by extensions. Finally, as usual, this release comes with a bunch of bug and security fixes.

New and Noteworthy (since XWiki 15.8)

Full list of issues fixed and Dashboard for 15.9.

For Users

Required Rights

 
When the rights of the current author are different from the rights of the page author, a required rights analyzer is executed.

This analyzer can raise a warning if:

• the current user has more rights than the content author (e.g., a macro previously failing by lack of right might start being evaluated)
• the current user has less rights than the content author (e.g., a macro previously working might stop working by lack of rights)

Note that this analysis is currently disabled by default. See the Admins section.

Headings appearance

 
In order to make headings easier to ready, they are now bolder. In addition, the size difference between two adjacent levels is larger.

Default radius of UI elements

 
The default radius of UI elements of the Flamingo Skin are now larger (about 1.75 times larger) by default.

Change viewer UI update

 
Improved the layout and added icons in the version comparison UI.

Miscellaneous

• Added various HTML landmarks to improve the view page semantics.

• Added autocompletion to the login page and the register form.

• Improved contrast of the metadata display on the change viewer.

• Improved the visibility of the focus state of the "Create", "Edit" and "more actions" buttons found on the top right of every page content.

• Added links towards documentation under the videos in the Help section.

For Admins

XJetty Debian packages

 
XWiki now comes with new Debian package based on a customized Jetty optimized for XWiki that you can use instead of the traditional Tomcat based XWiki Debian package which unfortunately don't work on Debian 12+. See InstallationViaAPT for mode details.

Attachments Page from the Index now use a Live Data

 
The Attachments page displayed in the Index now use a Live Data instead of a Live Table for displaying the information.

Miscellaneous

• Automatic validation and encryption keys: The validation and encryption key configured in the xwiki.cfg file and used for cookies don't need to be set anymore. When not set (the default now) they are automatically generated and stored.

• The rights livetables display user first name and last name: User first name and last name are now displayed in the rights UI using the standard user and group displayers.

• Tour Application in platform: The Tour Application is now part of xwiki-platform and the contrib extension has been moved to the attic.

• Extensions Security Vulnerabilities Application: After some forum discussions we agreed that the extension is current not useful to fix security vulnerabilities, and is at risk of presenting false-positive. Until those issues are fixed, we decided to stop bundling it as part of the standard distribution.

• Users can be filtered based on first name and last name in the rights UI: The rights UI now allows filtering based on the user first name last name and username. This is particularily helpful in cases where usernames do not contain any character from the user first name or last name (for example, uuid-based usernames).

• Required Rights: The Required Rights Application analysis is deactivated by default as the analysis is still incomplete and the presentation needs to be improved to more clearly show what's wrong. Still, the analysis can already provide useful warnings and this is a good opportunity to provide feedback as this feature will be activated by default in a future version of XWiki. It can be activated by setting the security.requiredRights.protection to warning.

  #-# [Since 15.9RC1]
  #-# Indicates how documents are protected by required rights.
  #-#
  #-# The possible choices are:
  #-# * none (the default): no required rights check
  #-# * warning: a warning is presented to the user when trying to edit a document with required rights issues
  # security.requiredRights.protection=none

For Developers

Block preparation and caching

 
To continue the work on improving the performances and benefit from the Velocity scripts compilation introduced in 15.8, the concept of block preparation has been added to the Rendering framework. The goal is to pre-execute everything that does not rely on the context in a XDOM and cache it to not redo all this in each transformation pass.

The rendering framework now offers a helper to make a lot easier to cache part of the execution of a macro. When preparing a Block, the Macro transformation will call the new Macro#prepare API that any macro can implement to reduce the time spent in Macro#execute.

In 15.9, the following macros are prepared:

• the content is compiled in the velocity macros
• the wiki content is parsed (and the resulting blocks are prepared) in the following macros
  • box
  • info
  • warning
  • error
  • success
  • content
  • footnote
  • html
  • async
  • context
  • cache
  • container
  • gallery
  • translation

And the XDOM is prepared and cached in the following use cases:

• The content of the UI extensions
• The content of the panels
• The content of the wiki macros

See ExtendingMacro for more details.

Miscellaneous

• Configuration modifications: There's now a setProperty() API to modify a single ConfigurationSource property.

• Block attributes: Rendering Blocks now have the concept of attributes. The main difference between Block parameters and block attributes is that attributes are not meant to be parser/serialized, the point is to use them as internal metadata associated to a block. The current main use case is to store the result of pre-executed macros.

• Pre-edit document check: It is now possible for extensions to define a pre-edit document check, similar to what already exists for locked pages, or pages owned by extensions.

• #displayUser and #displayGroup now allow displaying a link to the profile: The standard velocity macros #displayUser and #displayGroup can now be configured to display a link to the user or group profile with the parameter displayLink. The parameter defaults to true.

Upgrades

The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):

• CSS4J 4.2.1 & XML-DTD 4.2.1
• dompurify 3.0.6
• vue2-touch-events 3.2.3
• Elastic search client 8.10.2
• CKEditor 4.22.1
• jodconverter 4.4.6
• WebSocket 1.1
• log4j API 2.21.0
• jDataUri 1.2.1
• httpcore 5.2.3
• Zookeeper 3.9.1
• Thumbnailator 0.4.20
• Stax2 API 4.2.2
• Snappy 1.1.10.5
• RssReader 3.5.0
• RE2/J 1.7
• Protobuf Java 3.24.4
• PrettyTime 5.0.7
• Netty 4.1.100.Final
• Liquibase 4.24.0
• Jetty Client 9.4.53.v20231009
• Jetty 10.0.17 for the standalone packaging
• Jackson 2.15.3
• JAXB Runtime 2.3.9
• Incava Java Diff 1.1.2
• Hibernate Validator 6.2.5.Final
• Guava 32.1.3-jre
• Error Prone annotations 2.23.0
• Commons Pool 2.12.0
• Commons Net 3.10.0
• Commons IO 2.14.0
• Checker Qual 3.39.0
• CVSS Calculator 1.4.2
• Byte Buddy 1.14.9
• ASM 9.6
• Maven Resolver to 1.9.16
• Maven to 3.9.5

Translations

The following translations have been updated: 

• German
• Spanish
• French
• Hindi
• Croatian
• Japanese
• Portuguese (Brazil)
• Russian
• Ukrainian

Tested Browsers & Databases

Here is the list of browsers we support and how they have been tested for this release:

	Browser	Tested on:
	Mozilla Firefox 120	Not Tested
	Google Chrome 119	Not Tested
	Microsoft Edge 119	Jira Tickets Marked as Fixed in the Release Notes
	Safari 16	Not Tested

Here is the list of databases we support and how they have been tested for this release:

	Database	Tested on:
	HyperSQL 2.7.2	Not Tested
	MariaDB 11.1	Jira Tickets Marked as Fixed in the Release Notes
	MySQL 8.2	Not Tested
	PostgreSQL 16	Not Tested
	Oracle 19c	Not Tested

Here is the list of Servlet Containers we support and how they have been tested for this release:

	Servlet Container	Tested on:
	Tomcat 9.0.83	Jira Tickets Marked as Fixed in the Release Notes
	Jetty 10.0.17 (XWiki Standalone packaging)	Not Tested
	Jetty 10.0.17	Not Tested

Security Issues

Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.

Known issues

• Bugs we know about

Backward Compatibility and Migration Notes

General Notes

• When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
  • xwiki.cfg
  • xwiki.properties
  • web.xml
  • hibernate.cfg.xml
• Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you backup your Database before doing anything.

Issues specific to XWiki 15.9

Extensions Security Vulnerabilities Application

Since the extension is not bundled by default anymore, if you upgrade from a version where it was installed by default (15.5-rc-1+), you will be proposed to uninstall it, or to make it top level (i.e., keep it install). If you choose to keep it, you will need to upgrade it manually to version 15.9+.

Default font change

The default font is now Open Sans, instead of the sans-serif font provided by the user system. We did this change to guarantee that all users use the same font, and that the font support different weights.

If you wish to change this, please go to the Flamingo Theme Application administration, customize your color theme and set @font-family-base to sans-serif in the Typography section.

API Breakages

The following APIs were modified since XWiki 15.8:

Real breakages

Real backward compatibility breakages that we have unwillingly accepted to do for the reasons mentioned in each violation below.

• New API added to a component very unlikely to have a custom implementation
  • Violation type:
    java.method.addedToInterface
  • Code:
    ## Old:
    
    
    ## New:
    method org.xwiki.velocity.VelocityTemplate org.xwiki.velocity.VelocityManager::compile(java.lang.String, java.io.Reader) throws org.xwiki.velocity.XWikiVelocityException
• Needed to add attribute support in blocks, implementation is provided in abstract base class that should be inherited by all implementations.
  • Violation type:
    java.method.addedToInterface
  • Code:
    ## Old:
    
    
    ## New:
    method void org.xwiki.rendering.block.Block::setAttribute(java.lang.String, java.lang.Object)
                      
• Needed to add attribute support in blocks, implementation is provided in abstract base class that should be inherited by all implementations.
  • Violation type:
    java.method.addedToInterface
  • Code:
    ## Old:
    
    
    ## New:
    method void org.xwiki.rendering.block.Block::setAttributes(java.util.Map<java.lang.String, java.lang.Object>)
                      
• Was never meant to be public
  • Violation type:
    java.class.removed
  • Code:
    ## Old:
    class com.xpn.xwiki.render.XWikiScriptContextInitializer
• Was never meant to be public
  • Violation type:
    java.class.removed
  • Code:
    ## Old:
    class com.xpn.xwiki.render.DefaultVelocityManager

Unstable APIs

Not real backward compatibility breakages since they were done on APIs marked @Unstable (a.k.a Young APIs). Thus it's part of the contract that they can be broken until they become stable. They're listed purely for reference in case you decided to still use them (and thus agreed to be broken).

• Unstable API
  • Violation type:
    java.method.removed
  • Code:
    ## Old:
    method org.xwiki.velocity.VelocityTemplate org.xwiki.velocity.VelocityEngine::compile(java.lang.String, java.io.Reader) throws org.xwiki.velocity.XWikiVelocityException
• Unstable code
  • Violation type:
    java.method.removed
  • Code:
    ## Old:
    method boolean org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::isFromEnvironment()
• Unstable code
  • Violation type:
    java.method.removed
  • Code:
    ## Old:
    method boolean org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::isInstalledExtension()
• Unstable code
  • Violation type:
    java.method.removed
  • Code:
    ## Old:
    method org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::setFromEnvironment(boolean)
• Unstable code
  • Violation type:
    java.method.removed
  • Code:
    ## Old:
    method void org.xwiki.extension.index.security.ExtensionSecurityAnalysisResult::setInstalledExtension(boolean)

Credits

The following people have contributed code and translations to this release (sorted alphabetically):

• Clément Aubin 
• Farcasut 
• Gankov Andrey 
• Manuel Leduc 
• Marius Dumitru Florea
• Michael Hamann 
• Nikita Petrenko 
• Oana-Lavinia Florean 
• Pierre Jeanjean 
• Sereza7 
• Simon Urli 
• Simpel 
• Thomas Mortagne 
• Vincent Massol
• fivemoons 
• raphj