Changes Report

Last modified by Vincent Massol on 2017/05/31

Listing of Extensions Vulnerabilities

A security vulnerabilities section is now available in the administration. This section presents the state of the known vulnerabilities of extensions installed on the wiki.

This list is filled based on a periodic scan (running every 24h by default), and uses as its vulnerability database.

Please note that the list does not include all extensions for now. Extensions that can't be upgraded through the extension manager are not included.

Therefore, do not consider an instance exempt from known security issues if the list is empty. See our Security Policy to know more about our security practices.

The vulnerabilities presented in the screenshots are based on outdated extension versions and do not represent the state of an up-to-date XWiki instance.
They are here to show what the UI looks like with known vulnerabilities listed.

Quick Icon Insertion

You can now search for and insert icons using the keyboard, by typing / (slash) and selecting the icon Quick Action. This opens a drop down that lists all the available icons.

XJetty Debian packages

XWiki now comes with a new Debian package based on a customized Jetty optimized for XWiki, which you can use instead of the traditional Tomcat-based XWiki Debian package, which unfortunately doesn't work on Debian 12+. See InstallationViaAPT for more details.

Required Rights

When the rights of the current author are different from the rights of the page author, a required rights analyzer is executed.

This analyzer can raise a warning if:

  • the current user has more rights than the content author (e.g., a macro previously failing for lack of rights might start being evaluated)
  • the current user has fewer rights than the content author (e.g., a macro previously working might stop working for lack of rights)

Note that this analysis is currently disabled by default. See the Admins section.

Quick Editing Actions

You can now access most of the WYSIWYG editing features using the keyboard, just by typing / (slash). This opens the Quick Actions drop down that lists quick action suggestions based on the context. Rendering macros are exposed as quick actions. Check out the CKEditor Integration documentation for more information.

Quick Image Insertion

You can now search for and insert images using the keyboard, by typing / (slash) and selecting the image Quick Action. This opens a drop down that lists the latest images uploaded to the page and to the whole wiki. You can also upload new images directly from the drop down. Check out the CKEditor Integration documentation for more information.

Fine-grained control over how Chrome accesses XWiki

The "XWiki Host" PDF Export configuration parameter has been replaced by a new configuration parameter named "XWiki URI". While the old parameter was used to specify only the domain name or IP address of XWiki (required by the headless Chrome web browser to open the print preview page) the new parameter allows you to specify additionally the scheme (e.g. HTTP versus HTTPS) and the port number (e.g. 8080). This makes it easier to configure the remote Chrome so that it bypasses the proxy (e.g. SSO) in front of XWiki (e.g. by accessing directly the servlet engine that runs XWiki, such as Tomcat).

Note that the old "XWiki Host" configuration parameter is still taken into account (e.g. if it was set before upgrading to XWiki 15.7+) but the new "XWiki URI" parameter takes precedence (when set). We recommend updating your configuration to use the new parameter (in case you're using a remote Chrome and not the user's browser for PDF export). Migration is easy: just copy the value from the old parameter to the new one. This is possible because the scheme and port number are optional when specifying the "XWiki URI".

For more information, check out the PDF Export Application documentation.

Quick Link to a new Attachment

You can now upload and link to an attachment using the keyboard, by typing / (slash) and selecting the Link Quick Action. This opens a drop-down that now supports uploading attachments.

Buttons appearance

We made some changes to the visual appearance of buttons:

  • the gradient on the buttons background has been removed
  • buttons are now borderless, except for the default buttons since they have the same background as the default background

Live Data in Batch Restore

The list of deleted pages that is displayed when restoring a batch of pages uses Live Data instead of Livetable.

Attachments Page from the Index now uses Live Data

The Attachments page displayed in the Index now uses Live Data instead of a Live Table for displaying the information.

Headings appearance

In order to make headings easier to read, they are now bolder. In addition, the size difference between two adjacent levels is larger.

Warning when the dimensions are larger than the selected image

A warning message is displayed to the user when the width or height of an image is larger than the dimensions of the selected image.

Improved Display of What's New

The display of the What's New Application has been improved to allow an easier differentiation between the different news items and better accessibility.

Improved required rights reporting

The reporting presented by the required rights analyzer is now just a summary of the impacted rights first, with the possibility to expand the details. This is done to prevent showing technical items to users by default.

Icon Macro

A new icon macro has been introduced. It supports displaying an icon from the current or a chosen icon set and can thus be used to display icons that are consistent with XWiki's UI.

Default radius of UI elements

The default radius of UI elements of the Flamingo Skin is now larger (about 1.75 times larger).

What's New in XWiki

Displays news about XWiki and its ecosystem, directly in your XWiki instance.

Increasing contrast

Some elements of the XWiki interface systematically didn't achieve the minimum contrast defined in the Web Content Accessibility Guidelines.

Instances using Iceberg - the default color theme - or no color theme, are now patched to avoid those systematic violations.

Contrast is notably higher on buttons or light texts.

Changes for the Iceberg UI:

  • Navigation bar is very slightly darker
  • Links are slightly darker
  • Breadcrumb text is darker.
  • Muted text (e.g. description of a template when creating a page, [+] to add tags, ...) is darker
  • The buttons have more contrast:
    • Blue buttons have a slightly darker background
    • Red buttons have a darker background
    • Green buttons have a darker background
    • Yellow buttons have a lighter background and their text is swapped from white to black

Changes for the no-theme UI:

  • The anchors in the right side drawer are darker.
  • Breadcrumb text is darker.
  • Muted text is darker
  • The buttons have more contrast:
    • Blue buttons have a slightly darker background
    • Red buttons have a darker background
    • Green buttons have a darker background
    • Yellow buttons' text swapped from white to black


Choose the authentication service at runtime

It's now possible to choose the authentication service to use at runtime (for authenticators which support it).

New Watch button state

The behaviour of watch buttons has changed to be more accurate regarding users' custom notification filters: if users have filters concerning some specific events only (e.g. a filter to watch mentions on the whole wiki), the watch buttons will be displayed as "undecided". The idea is to expose to the users that "some events" are actually watched for that page, space or wiki.

Also, using the watch buttons might disable some already existing custom filters, if those concern the exact same location and are contradictory. So for example, if a filter has been created to ignore mentions on a specific space, and the user decides to watch this space, then the filter to ignore mentions will automatically be disabled. It can be enabled again manually by the user through the notification settings.

Mail Deletion

It's now possible to delete a single mail from the Admin UI, by clicking on the "Delete" button next to the mail in the Mail Status screen.

Common User Name Differentiator

The user picker can now be configured to show additional information about the listed users (e.g. the user address or user position within the organisation) in order to help you distinguish between users with similar names. Check out the User Module documentation for more information.

Improved Security Vulnerabilities scanner

In XWiki 15.5 the Security Vulnerabilities Application was limited to installed extensions. The scan now includes core extensions as well as dependencies provided by the environment (e.g., the servlet engine).

Environment vulnerabilities are listed in a separate tab.

Increasing contrast

The contrast of the info button of the Flamingo Theme is now increased to conform to the minimum contrast defined in the Web Content Accessibility Guidelines.

Suggestions for the wiki macro parameter type

It's now easier to decide what value to set in the wiki macro parameter type as suggestions are proposed: "Unknown" (the default), and "Wiki" for a parameter containing wiki markup. It's still possible to explicitly set the Java type to use.

Available macros sorted by id

The available macros list is now sorted by ascending macro ids.

Home page change

The Youtube video located on the XWiki Standard flavor's home page has been removed (for privacy reasons and also for increased usability, as the underlying markup was complex to understand for users).

Empty Line Placeholder

A placeholder text is now displayed on currently focused empty lines. By default it indicates the type of content block that holds the caret (e.g. paragraph, heading, list item, etc.), but it could also show tips on how to use the editor in that particular context. This is for instance used to advertise the Quick Actions shortcut (slash). Check out the CKEditor Integration documentation for more information.

