Release Notes for XWiki 13.3-rc-1

Last modified by Ilie Andriuta on 2021/04/21

These are the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.

The release brings the ability to define default notification filters for new users and paves the way for adding metadata inside Extensions (such as being able to indicate the Rendering macros that an Extension provides; this will allow for future use cases such as exposing all available macros from inside your wiki, even for extensions that you haven't installed yet!). Security has been tightened by not allowing redirection to other domains without explicit consent. Last but not least, this release brings several developer improvements: Localization REST endpoint, a Syntax Registry, LESS compilation for WebJars, and more.

New and Noteworthy (since XWiki 13.2)

Full list of issues fixed and Dashboard for 13.3.

For Users

No changes!

For Admins

Global Notifications Filters

Administrators can now add global notification filters which will be copied as the default filters for any new user registering on the wiki. It's possible for administrators to define both global system filters and global custom filters. Since the default filters are copied, any change made to the global filters won't impact existing users.

Searching inside Extensions

It's now possible to expose some Components found in Extensions so that they can be queried by the Extension Manager and shown in the extension details. You can now search in the Extension Manager for all Extensions providing some type of Components (Macros, Script Services, Syntax Parsers, Syntax Renderers, etc). For example, you can use component_macro:* to search for all Extensions providing Rendering Macros.


  • Prevent redirections to untrusted domains: XWiki now only performs redirections to trusted domains. The list of trusted domains is obtained from two sources:

    1. any URL used to access the wiki is considered trusted, as are all the aliases used for subwikis,
    2. additional trusted domains can be specified by setting the property url.trustedDomains.

    If a redirection is attempted to a URL whose domain does not belong to either of these sources, a warning is logged and the redirect is prevented. Note that it's possible to switch off this security mechanism by setting the property url.trustedDomainsEnabled to false.
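The decision described above, sketched in Java as an added example (this is not XWiki's own code). The class and method names are hypothetical, the host names are constructed, and exact host matching is an assumption, since these notes do not say how domains are compared.

```java
import java.net.URI;
import java.util.*;
import java.util.logging.Logger;
// Added illustration, not XWiki's implementation; class and method names are hypothetical.
public class TrustedRedirectCheck {
    private static final Logger LOG = Logger.getLogger(TrustedRedirectCheck.class.getName());
    private final Set<String> trusted = new HashSet<>();
    private final boolean enabled;

    // accessDomains: hosts used to reach the wiki, plus subwiki aliases (source 1).
    // configured: hosts from url.trustedDomains (source 2). enabled: url.trustedDomainsEnabled.
    public TrustedRedirectCheck(List<String> accessDomains, List<String> configured, boolean enabled) {
        accessDomains.forEach(d -> trusted.add(d.toLowerCase(Locale.ROOT)));
        configured.forEach(d -> trusted.add(d.toLowerCase(Locale.ROOT)));
        this.enabled = enabled;
    }

    public boolean isAllowed(String location) {
        if (!enabled) return true; // mechanism switched off: every target is accepted
        String raw = location.trim();
        try {
            URI uri = URI.create(raw);
            String host = uri.getHost();
            if (host == null) {
                // Accept only plain relative references; opaque URIs, odd authorities and "///host" are refused.
                if (uri.getScheme() == null && uri.getRawAuthority() == null && !raw.startsWith("//")) {
                    return true;
                }
            } else if (trusted.contains(host.toLowerCase(Locale.ROOT))) {
                return true; // assumption: exact host match, no subdomain wildcard
            }
        } catch (IllegalArgumentException e) {
            // Unparseable target (for example one containing a backslash): refuse below.
        }
        LOG.warning("Redirect refused, untrusted target: " + location);
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        TrustedRedirectCheck check = new TrustedRedirectCheck(
            List.of("wiki.example.org"), List.of("sso.example.net"), true);
        for (String target : List.of("/xwiki/bin/view/Main/", "https://sso.example.net/login",
            "https://other.example/", "///other.example/", "https://wiki.example.org@other.example/")) {
            System.out.println(check.isAllowed(target) + "  " + target);
        }
    }
}
```

The first two targets are accepted; the last three are refused and logged, including the user-info form where the trusted name appears before the `@` but the actual host is a different one.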

For Developers

  • Syntax Registry: There's now the concept of a Syntax Registry, and new Syntaxes are expected to register themselves in that registry.

    You can list all registered syntaxes using:

    @Inject
    private SyntaxRegistry registry;
    // All syntaxes currently registered
    List<Syntax> syntaxes = registry.getSyntaxes();

    You can also get a Syntax object from a Syntax id string using (for example):

    @Inject
    private SyntaxRegistry registry;
    // Empty Optional when no syntax is registered under that id
    Optional<Syntax> syntax = registry.getSyntax("xwiki/2.1");

    See available Syntaxes for more.

  • User Authentication Event: The classic Form and Basic Authentication mechanisms now trigger a UserAuthenticatedEvent event whenever a user is authenticated. As a new best practice, custom authenticator authors are advised to implement this new event.

  • Less files in WebJars can be compiled to CSS: Less code packaged in WebJars can now be compiled to CSS when requested. When Less files are compiled to CSS, the Less variables defined in the current skin are available and will be resolved to their current values.

    Usage examples:

    ## Returns the raw content of test.less
    $services.webjars.url('org.xwiki.platform:xwiki-platform-example', 'test.less')
    ## Returns the content of test.less compiled to CSS.
    $services.webjars.url('org.xwiki.platform:xwiki-platform-example', 'test.less', {'evaluate': true})

  • Localization REST API: The localization module now provides a REST API that returns the raw source for a set of translation keys.

    For instance:

    # Request a single translation; the locale is the default one.
    curl -H 'Accept: application/json' 'http://localhost:8080/xwiki/rest/wikis/xwiki/localization/translations?key=administration.section.users.deleteUser.newAuthor.error'
    # {"translations":[{"key":"administration.section.users.deleteUser.newAuthor.error","rawSource":"The selected user doesn''t have {0} rights!"}]}

  • Empty string in Static List: It is now possible to specify empty string values in a Static list by repeating the same separator twice. For example, using the default separators (|, , and space), the Foo||Bar string will be parsed as containing three values (Foo, empty string, and Bar), while Foo, Bar will be parsed as only two values (Foo and Bar), even though two separators (, and space) are used.

Moved Modules

  • The Help Center Application has been retired and its content integrated in the Help Application, for the following reasons:
    • 2 extensions must not share the same pages
    • It’s logical that the help is in sync with what it documents
    • contrib extensions should be minimized for XS, all of XS deps should be in the XWiki GitHub organization (since they are maintained by the XS dev team), and preferably inside xwiki-platform when possible.
    • Simpler to manage XS releases


The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):


The following translations have been updated:

Tested Browsers & Databases

Here is the list of browsers we support and how they have been tested for this release:

Browser                 Tested on:
Google Chrome 90
Mozilla Firefox 88
Microsoft Edge 90       Not Tested
Internet Explorer 11    Not Tested
Safari 14               Not Tested

Here is the list of databases we support and how they have been tested for this release:

Database                Tested on:
HyperSQL 2.5.1
MariaDB 10.5
MySQL 8                 Not Tested
Oracle 19c              Not Tested
PostgreSQL 13           Not Tested

Here is the list of Servlet Containers we support and how they have been tested for this release:

Servlet Container                               Tested on:
Tomcat 9.0.45
Jetty 9.4.29 (XWiki Standalone packaging)
Jetty 9.4.29                                    Not Tested

Known issues

Backward Compatibility and Migration Notes

General Notes

  • When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
    • xwiki.cfg
    • web.xml
    • hibernate.cfg.xml
  • Add in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you back up your database before doing anything.

Issues specific to XWiki 13.3-rc-1

This release introduced a new security mechanism to prevent unwanted redirection (details can be found here). This mechanism might require the url.trustedDomains property to be configured properly. If it causes unwanted behaviour, you can always switch it off by editing your config file and adding:


Also note that developers can set a specific property, bypassDomainSecurityCheck, in the execution context when they need to use a URL redirect API even though the trusted domains are not properly configured, e.g. in some specific authenticators.

API Breakages

The following APIs were modified since XWiki 13.2:

  • Was never meant to be public
    • Violation type:
    • Code:
      ## Old:


The following people have contributed code and translations to this release (sorted alphabetically):

We've merged the Help Center Application into the Help Application and, when doing so, we've imported the Git history, which causes several old contributors listed below to wrongly appear in the release notes for 11.3RC1.

Alex Cotiugă
Björn Ludwig
Boris Yevstyhneiev
Camelia Andrei
Ecaterina Moraru (Valica)
Eduard Moraru
Guillaume C
Guillaume Delhumeau
Gwennan Smitskamp
Manuel Leduc
Marius Dumitru Florea
Mohammad Humayun Khan
Paul Massol
Simon Urli
Thomas Mortagne
Vincent Massol

