Release Notes for XWiki 15.6

Last modified by Ilie Andriuta on 2023/11/09

These are the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.

This release provides two improvements to features introduced in the previous release: the ability to insert images using only the keyboard with a Quick Action, and an improved security vulnerability scanner that displays vulnerabilities not only from installed extensions but also from core extensions. On top of those, several minor improvements have been made, along with bug fixes, including security fixes. Finally, some cleanup has been performed: various deprecated plugins have been removed from the core extensions. Be sure to read the backward compatibility section.

The following regressions were introduced in this release (and found after it was released). Please check them out and if they impact you we recommend waiting to upgrade to a version where they are fixed.

New and Noteworthy (since XWiki 15.5)

Full list of issues fixed and Dashboard for XWiki 15.6.

For Users

Quick Image Insertion

 
You can now search for and insert images using the keyboard, by typing / (slash) and selecting the image Quick Action. This opens a drop-down that lists the latest images uploaded to the page and to the whole wiki. You can also upload new images directly from the drop-down. Check out the CKEditor Integration documentation for more information.

Miscellaneous

  • PDF Export Size Limit: The default PDF export size limit has been increased from 100KB to 5MB and is now applied only when exporting multiple wiki pages. Check out the PDF Export Application documentation for more information.

  • Set email grouping strategy per scheduler: The email grouping strategy can be defined at different levels (per wiki, and per user) and is specific for a given scheduler, using a new dedicated XObject XWiki.Notifications.Code.NotificationEmailGroupingStrategyPreferenceClass.

    So an admin can add one or several xobjects in XWiki.XWikiPreferences to define the strategy for each scheduler at wiki level: the xobject needs to contain the name of the strategy to use and the name of the scheduler (hourly, daily, weekly or live).
    A user can override this value by adding the same type of xobject to their own user profile.

  • Improved contrast for the "Decline" button in invitations.

  • The Application panel has been improved for low width displays.

For Admins

Improved Security Vulnerabilities scanner

 
On XWiki 15.5 the Security Vulnerabilities Application was limited to installed extensions. The scan now includes core extensions as well as dependencies provided by the environment (e.g., the servlet engine).

Environment vulnerabilities are listed in a separate tab.

Miscellaneous

  • Security Vulnerabilities Reviews: The Security Vulnerabilities Application now takes into account vulnerability reviews maintained by the XWiki Development Team.

    Those reviews provide a more in-depth analysis of the security vulnerabilities found by the security scan. Known vulnerabilities that are analyzed as safe are displayed in a small font and will not raise the security notification.

    Vulnerabilities with available reviews have a button next to them in the security listing Live Data, which displays the details of the reviews.

    See the XWiki Security Policy for more details about our review process and to know where to reach us for questions.

  • Security Vulnerabilities name display: The display of the extension names on the extension security vulnerabilities is now improved to take into account the limited horizontal space of the administration.

  • Improved contrast on the "Excluded page" None element, in the Look & Feel -> Navigation Panels administration subsection.

  • More robust security cache: The security cache has been made robust against the disposal of structurally important entries: they are now also stored outside the cache for as long as entries in the cache still need them, which avoids cascading disposal of large parts of the cache. If you've had problems with users seeing access denied sometimes, this might be the improvement you've been looking forward to. Also, if you've configured a very high size for the security cache to avoid these problems, it should be possible to reduce these limits now. The documentation provides some hints on how to choose a reasonable security cache size. However, as with every change to code that is critical to performance and security, there is a risk of regressions even though we have extensive tests. In particular, if you're maintaining a larger instance of XWiki, it is advised to monitor memory usage and performance after the upgrade to see if there are any irregularities. Also, please check that access restrictions are still working, in particular if they involve nested groups. As always, please open a bug report or create a forum post if you notice anything unusual.

For Developers

No changes!

Upgrades

The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):

Translations

The following translations have been updated: 

Tested Browsers & Databases

Here is the list of browsers we support and how they have been tested for this release:

Browser: Tested on

  • Mozilla Firefox 116: Not Tested
  • Google Chrome 116: Not Tested
  • Microsoft Edge 116: Jira Tickets Marked as Fixed in the Release Notes
  • Safari 16: Not Tested

Here is the list of databases we support and how they have been tested for this release:

Database: Tested on

  • HyperSQL 2.7.2: Not Tested
  • MariaDB 11.1: Jira Tickets Marked as Fixed in the Release Notes
  • MySQL 8.1: Not Tested
  • PostgreSQL 16: Not Tested
  • Oracle 19c: Not Tested

Here is the list of Servlet Containers we support and how they have been tested for this release:

Servlet Container: Tested on

  • Tomcat 9.0.82: Jira Tickets Marked as Fixed in the Release Notes
  • Jetty 10.0.15 (XWiki Standalone packaging): Not Tested
  • Jetty 10.0.15: Not Tested

Security Issues

Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.

Known issues

Backward Compatibility and Migration Notes

General Notes

  • When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
    • xwiki.cfg
    • xwiki.properties
    • web.xml
    • hibernate.cfg.xml
  • Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you back up your database before doing anything.

Issues specific to XWiki 15.6

  • The RSS Macro has been removed from XWiki Standard and moved to a Contrib Extension as it wasn't a core feature. If you're upgrading from a version < 15.6, you'll just need to upgrade the RSS Macro Extension using the Extension Manager to get the latest version coming from contrib.
  • The Charting Plugin has been removed from XWiki Standard and moved to XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). It was also not a core feature. In addition, it's been replaced by the Chart Macro, and more recently by the Chart.js macro.
  • The SVG Plugin has been removed from XWiki Standard. It was using some old technology (plugin) and not maintained. It was also not a core feature. In addition, there are now more recent solutions, including using the HTML macro.
  • The SVG Rasterizing API has been removed from XWiki Standard and moved as a Contrib extension. If you're upgrading from a version < 15.6, and if you were using that API, you'll need to upgrade it using the Extension Manager to get the latest version coming from contrib. It was also not a core feature. In addition, if you were using the Java API, you'll need to change the packages from org.xwiki.platform.svg to org.xwiki.contrib.svg.
  • The Diff plugin API has been removed from XWiki Standard and moved to the XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). In addition, it's been replaced by a newer Diff API.
  • The Autotag plugin has been removed from XWiki Standard and moved to XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). It was also not a core feature.
  • The Graphviz plugin has been removed from XWiki Standard and moved to XWiki Attic. The main reason was that it has not been supported for many years and was using some old technology (plugin). It was also not a core feature.
  • The property refactoring.rename.useAtomicRename is no longer available and the old code relying on it has been removed.
  • The rendered changes now only download images to compare their content from trusted domains. Also, several configuration options have been added to disable the feature of downloading images for comparison or to change the maximum size of downloaded images. Review these settings to make sure the comparison of images works as expected.
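
An added example (not part of the XWiki release notes or the project's code) of the configuration comparison recommended in the General Notes, narrowed to the properties-style files: it reports keys present only in the deployed file, such as the removed refactoring.rename.useAtomicRename, and checks that xwiki.store.migration=1 is active rather than commented out. The sample fragments and the example.* keys are constructed for illustration.

```python
# Added example: key-level comparison of properties-style XWiki config files.
# Handles plain key=value lines only (no backslash line continuations).

def parse_properties(text):
    """Return {key: value} for active (uncommented) key=value lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Commented-out settings are inactive and must not count as configured.
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def compare_configs(deployed_text, shipped_text):
    """Classify active keys by how the deployed file differs from the shipped one."""
    deployed = parse_properties(deployed_text)
    shipped = parse_properties(shipped_text)
    shared = deployed.keys() & shipped.keys()
    return {
        "only_deployed": sorted(deployed.keys() - shipped.keys()),
        "only_shipped": sorted(shipped.keys() - deployed.keys()),
        "changed": sorted(k for k in shared if deployed[k] != shipped[k]),
    }


def migration_enabled(cfg_text):
    """True only if xwiki.store.migration=1 is set on an active line."""
    return parse_properties(cfg_text).get("xwiki.store.migration") == "1"


# Constructed fragments (not real XWiki files); example.* keys are hypothetical.
DEPLOYED = """\
# constructed sample of a deployed properties file
refactoring.rename.useAtomicRename=true
example.placeholder.maxSize=100
"""
SHIPPED = """\
example.placeholder.maxSize=500
example.placeholder.newOption=true
"""
DEPLOYED_CFG = "# xwiki.store.migration=1\n"  # commented out, so inactive

if __name__ == "__main__":
    print(compare_configs(DEPLOYED, SHIPPED))
    print("migration enabled:", migration_enabled(DEPLOYED_CFG))
```

Keys listed under only_deployed are the ones to check against the release notes before merging, since they may have been removed or renamed upstream.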

API Breakages

The following APIs were modified since XWiki 15.5:

Real breakages

Real backward compatibility breakages that we have reluctantly accepted for the reasons mentioned in each violation below.

  • We voted to remove this old and unmaintained plugin for which there are alternatives.
    • Violation type:
      java.class.removed
    • Code:
      ## Old:
      class com.xpn.xwiki.plugin.svg.SVGPlugin
  • We voted to remove this old and unmaintained plugin for which there are alternatives.
    • Violation type:
      java.class.removed
    • Code:
      ## Old:
      class com.xpn.xwiki.plugin.svg.SVGPluginApi
  • We voted to remove this old and unmaintained plugin for which there are alternatives.
    • Violation type:
      java.class.removed
    • Code:
      ## Old:
      class com.xpn.xwiki.web.SVGAction

Unstable APIs

Not real backward compatibility breakages since they were done on APIs marked @Unstable (a.k.a Young APIs). Thus it's part of the contract that they can be broken until they become stable. They're listed purely for reference in case you decided to still use them (and thus agreed to be broken).

  • Young API. Provides a method to get access to the extension vulnerabilities URL
    • Violation type:
      java.method.addedToInterface
    • Code:
      ## Old:


      ## New:
      method java.lang.String org.xwiki.extension.security.ExtensionSecurityConfiguration::getReviewsURL()

Credits

The following people have contributed code and translations to this release (sorted alphabetically):

  • Dorian OUAKLI
  • Gankov Andrey
  • Jarle Sandmo
  • Manuel Leduc
  • Marius Dumitru Florea
  • Michael Hamann
  • Nikita Petrenko
  • Oana-Lavinia Florean
  • Sautner
  • Sereza7
  • Simon Urli
  • Simpel
  • Thomas Mortagne
  • Vincent Massol
  • xrichard
