This file holds the changelog for Pepperminty Wiki. This is the master list of things that have changed (second only to the commit history!) - though the information for any particular release can also be found in the description of it's page for every release made on GitHub too.
- **Changed:** Catch and deal with more unpacking issues on first run (thanks, @daveschroeter in [#249](https://github.com/sbrl/Pepperminty-Wiki/issues/249))
- Added [oneboxing](https://meta.discourse.org/t/rich-link-previews-with-onebox/98088): rich previews for internal links. If an internal link with 3 square brackets (e.g. `[[[example]]]`) is on it's own with nothing before or after it on a line, then it'll be turned into a onebox
- [Rest API] Return a 409 Conflict instead of a 200 OK on an edit conflict when saving a page in the `save` action, and add `x-failure-reason` for more errors
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
- [security] User pages are now only savable in the HTTP API by either a moderator or the owning user (previously only the `edit` action was protected, so if you made a request direct to the `save` action, you could bypass the check)
- Added HTTP API support for creating pages that don't yet have a name (#194)
- This allows for having a "create new page" button in your navigation links - e.g. edit `nav_links`, `nav_links_extra`, or `nav_links_bottom` in your `peppermint.json` and add something like `[ "+", "index.php?action=edit&unknownpagename=yes" ]`.
- XML sitemap support with the new `page-sitemap` module (manual setup required for crawlers to notice it: see [the documentation](https://github.com/sbrl/Pepperminty-Wiki/blob/master/docs/02-Features.md#whats-this-about-manual-setup-for-the-sitemap))
- Experimental support for transparent handling of `[display text](./Page Name.md)` style internal links (disabled by default: enable the `parser_mangle_external_links` setting and delete the `._cache` directory to enable)
- Added automatic system requirements indicator to first run (checks for various PHP extensions required for various different functions) - does not block you from proceeding, but does assist in first-time system configuration
- Updated the [configuration guide](https://starbeamrainbowlabs.com/labs/peppermint/peppermint-config-info.php) to include count of how many settings we have
- Add `image/avif` (AVIF image), `image/jxl` (JPEG XL image), and `image/heif`/`image/heic` to `upload_allowed_file_types` (you'll need to delete your entry in `peppermint.json` to get the new updated list)
- [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once (#222)
- [security] Fix reflected XSS attacks ([CVE-2021-386001](https://github.com/hmaverickadams/CVE-2021-38600); arbitrary code execution in the user's browser due to unsanitized data) via the many different GET parameters in many different modules (#222)
- [security] Automatically run page titles through `htmlentities()` (#222)
**Make sure you have PHP 7.3+ when you update past this point!** It isn't the end of the world if you don't, but it will make you more secure if you do.
- Added dark theme via `prefers-color-scheme` to configuration guide (see the stable channel guide [here](https://starbeamrainbowlabs.com/labs/peppermint/peppermint-config-info.php) - will only be updated when v0.22 is released)
- Disable parser cache by default to avoid issues because said cache isn't invalidated when it should be (and doing so would take more of a performance hit than leaving it on)
**Make sure you have PHP 7.3+ when you update past this point!** It isn't the end of the world if you don't, but it will make you more secure if you do.
- Added new syntax features to PeppermintParsedown, inspired by ParsedownExtreme (which we couldn't get to work, and it wasn't working before as far as I can tell)
- Checkboxes: `[ ]` and `[x]` after a bullet point or at the start of a line
- Add `<meta name="theme-color" content="value" />` support with the new `theme_colour` setting. More information: [MDN](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name/theme-color), [caniuse](https://caniuse.com/#feat=meta-theme-color). Also used by some platforms to customise embed accents when generating a rich snippet (e.g. Discord).
- Added similar page suggestions between the bottom of the page content and the comments - control it with the new `similarpages_enabled` and `similarpages_count` settings.
- It's disabled by default due to potential security issues with untrusted editors - enable it with the new `redirect_absolute_enable` setting (default: `false`)
-`comment_enabled` controls whether _anyone_ is allowed to comment at all or not
-`comment_hide_all` determines whether the commenting system displays anything at all (if disabled, it's (almost) like the `feature-comments` doesn't exist - consider using the downloader to exclude the commenting system instead of enabling this setting)
-`avatars_gravatar_enabled` determines whether redirects to [gravatar.com](https://gravatar.com/) should be performed if a user hasn't yet uploaded an avatar (if disabled then a blank image is returned instead of a redirect).
- **New policy:** Only [officially supported](https://www.php.net/supported-versions.php) versions of PHP are officially supported by Pepperminty Wiki.
- NOTE TO SELF: Don't forget to update wikimatrix.org when we next make a stable release! (if you are reading this in the release notes for a stable release, please get in touch)
- This prevents session-stealing attacks from third-party origins
- This complies with the [new samesite cookies rules](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#SameSiteNone_requires_Secure).
- A warning is generated in PHP 7.2 and below = [please upgrade](https://www.php.net/supported-versions.php) to PHP 7.3+! (#200)
- [security] The `Secure` cookie flag is now automatically added when clients use HTTPS to prevent downgrade-based session stealing attacks (control this with the new `cookie_secure` setting)
- Improved spam protection when hiding email addresses. Javascript is now required to decode email addresses - please [get in touch](https://github.com/sbrl/Pepperminty-Wiki/issues/new) if this is a problem for whatever reason. I take accessibility _very_ seriously.
- Bump weighting of title and tag matches in search results (delete the `search_title_matches_weighting` and `search_tags_matches_weighting` settings to get the new weightings)
- Really fix bots getting into infinite loops on the login page this time by marking all login pages as `noindex, nofollow` with a robots `<meta />` tag
- Squashed the text `\A` appearing before tags at the bottom of pages for some users ([ref](https://gitter.im/Pepperminty-Wiki/Lobby?at=5f0632068342f4627401f145))
- Squashed a warning at the top of search results (more insight is needed though to squash the inconsistencies in the search index that creep in though)
- Watchlists! A new addition has been added to the more menu to add the current page to your personal watchlist
- An email will be sent to all users watching a page when an edit is saved to it (uses the PHP `mail()` function internally, via the [`email_user()`](https://starbeamrainbowlabs.com/labs/peppermint/docs/ModuleApi/#method_email_user) internal Pepperminty Wiki utility function)
- Enabled by default. In order to receive emails users now need to verify their email address
- This is done via a verification email that's sent when you change your email address (even if your email address is the same when you change your preferences and you haven't yet verified it)
- Wiki administrators with terminal/console access can now make use of a brand-new CLI by executing `php ./index.php` (warning: strange things will happen if the current working directory is not the directory that contains index.php and peppermint.json)
- Added new `anoncomments` setting to control whether anonymous users are allowed to make comments (disabled by default) - thanks to @SeanFromIT for suggesting it in #181
- Finally: *Experimental* didyoumean support. Ever made a typo in a search query? The new didyoumean engine can correct query terms that are up to 2 characters out!
- It's disabled by default (check out the new `search_didyoumean_enabled` setting), as it enabling it comes with a significant performance impact when typos are corrected (~0.8s-ish / typo is currently observed)
- Uses the words in the search index as a base for corrections (so if you have a typo on a page, then it will correct it to the typo)
- The index does _not_ currently update when you edit a page - this feature is still _very_ experimental (please report any issues)
- A typo is a search query term that is both not a stop word and not found in the search index
- [security] Bugfix: Don't leak the PHP version in emails when expose_php is turned off
- Fixed handling of Unicode characters when emailing users - added new `email_subject_utf8` and `email_body_utf8` settings to control the new behaviour
- Optimisation: Don't generate the list of pages for the datalist if it isn't going to be displayed (especially noticeable on wikis with lots of pages)
- Optimisation: Don't load the statistics index if it's not needed (also esp. noticeable on wikis with lots of pages)
- [Module Api] `search::extract_context()` and `search::highlight_context()` now take in a _parsed_ query (with `search::stas_parse()`), not a raw string
- Wow, a new section! Haven't seen one of these before. Hopefully we don't see it too often.....
- The didyoumean search query typo correction engine does not currently update it's index when you save an edit to a page (the typo correction engine is still under development).
- Added automatic dark mode to default theme using [`prefers-color-scheme`](https://starbeamrainbowlabs.com/blog/article.php?article=posts%2F353-prefers-color-scheme.html)
- Added theme gallery, which can be accessed through a link in the master settings (if the new `feature-theme-gallery` module is present)
- Theme gallery URLs can be added to the `css_theme_autoupdate_url` setting
- A graphical interface can be used to switch between available themes from the galleries
- No external HTTP requests will be made without consent
- Themes from galleries auto-update every week by default (adjustable/disable-able with the `css_theme_autoupdate_interval` setting)
- Added mega-menu support to the `nav_links_extra` setting - the default value for the `nav_links_extra` setting has now changed (delete/rename it in your `peppermint.json` file to get the new version)
- An object can now be used to define groups of items in the more menu
- Server-side diagramming support! See the [`parser_ext_renderers`](https://starbeamrainbowlabs.com/labs/peppermint/peppermint-config-info.php#config_parser_ext_renderers_enabled) setting for more information on how to configure it
- It hooks into external programs such as [nomnoml](http://nomnoml.com), [plantuml](http://plantuml.com/), and `abcm2ps` ([ABC musical notation](https://abcnotation.com/) rendering)
- It's generic enough to allow you to hook into any program that takes an input of some source text, and output some form of image
- Accessibility improvements - thanks, Firefox developer tools :D (if you're a screen reader / accessibility tool user and have feedback or any better ideas, please [get in touch](https://github.com/sbrl/Pepperminty-Wiki/issues/new))
- Added a new first-run wizard to help new users set up the basics of their wiki.
- It also checks to ensure that access to `peppermint.json` is blocked correctly (coming soon as a one-time check to pre-existing wikis)
- Pre-existing wikis will not see this first-run wizard - a new `firstrun_complete` setting has been added that's automatically set to true if Pepperminty Wiki does a settings upgrade
- Added new `minify_pageindex` setting, which defaults to `true` and causes the page index to be minified when saved. Improves performance slightly (especially on larger wikis as the page index grows), but makes debugging and ninja-edits more awkward.
- [Module API] Added new `save_pageindex()` function which respects the above setting.
- Switch to [nightdocs](https://gitlab.com/sbrl/nightdocs) instead of [docpress](https://docpress.github.io/) (the [official docs](https://starbeamrainbowlabs.com/labs/peppermint/_docpress/) will update & change URL on the next stable release)
- Added `interwiki_index_location` setting to control the location of the interwiki index (which is a CSV file that is documented in the main _Pepperminty Wiki_ documentation), which has to be specified in order for it to activate
- 2 new settings have been added: `parser_cache` and `parser_cache_min_size`
- Uses a hash of the content, the _Pepperminty Wiki_ version, and the parser name as the cache id - so it should never serve stale content (unless you're actively working on particular areas of _Pepperminty Wiki_'s codebase of course)
- Useful for longer pages
-`parser_cache_min_size` may need tuning for your specific installation (lower it if you regularly use features that are slow to parse; raise if it's the opposite)
- Completely reworked the README to refactor out the documentation to its [own static site](https://starbeamrainbowlabs.com/labs/peppermint/_docpress/)
- Corrected default passwords. If you were having issues, try updating to this release, deleting `peppermint.json` and trying again (thanks for spotting this, @tspivey!)
- Added `history_max_revisions` setting to allow control of the maximum number of revisions stored for a page
- Takes effect every time a page revision is added
- Added page restore system
- A previous page revision can be restored with a single click from the page history page
- Added a new `history_revert_require_moderator` setting to control whether moderator privileges are required to use the functionality (regardless of setting a user must be logged in)
- [HTTP/2.0 Server Push](https://www.smashingmagazine.com/2017/04/guide-http2-server-push/) support!
- You'll need to make sure your web server has support turned on
- The CSS file specified in the `css` setting (url path must begin with a forward-slash) and the favicon (must not be a `data:` url) are automatically pushed when rendering pages
- 2 new settings have been added: `http2_server_push` for turning it on and off (defaults to on), and `http2_server_push_items` for specifying custom resources to push (in case you design your own theme and want to push down the associated resources)
- More information about `http2_server_push_items` in particular is available on the [configuration info page](https://starbeamrainbowlabs.com/labs/peppermint/peppermint-config-info.php) (when this release is out, of course. Until then, check out the description in `peppermint.guiconfig.json`)
- [Security] Made the site secret generator cryptographically secure. If you created your wiki before this change, you might want to change your site secret in `peppermint.json` to something more secure with a site like [random.org](https://www.random.org/).
- The PHP function `openssl_pseudo_random_bytes()` was being used before, but [apparently that's not cryptographically secure](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php).
- [Rest API] Added `acquire-edit-key` action to allow scripts and other automated services (e.g. bots and [mobile apps](https://github.com/sbrl/Pepperminty-Wiki-Client-Android)) to fetch an edit key for a specified page name.
- Fixed that age-old warning in the search results if you have pages with special characters! I learnt a _lot_ about utf8 whilst fixing this one.... (#114)
- You'll need to rebuild your search index for this fix to fully take effect (call the `invindex-rebuild` action as a mod or better)
- Normalise utf8 text to avoid duplicate ids and missing search results.
- Disallow uploads if editing is disabled. Previously files could still be uploaded even if editing was disabled - unless `upload_enabled` was set to `false`.
- Added "restore locally saved content" button to page editor
- [module api] Documented the remainder of the members of the `search` class
### Fixed
- Moving a page will now move all the comments associated with it
- The page names on the page move success page are now encoded correctly to avoid html and url issues
- Clicking _Login to post a comment_ will now take you back to the comments section of the page you were on upon completing the login process instead of the top of the page
- Statistics are automagically recalculated every day - this can be controlled with the `stats_update_interval` and `stats_update_processingtime` settings
- It'll only work if your wiki is at the top-level of a domain without _anything_ after the `/` (subdomains are ok). This is a restriction of the protocol, not Pepperminty Wiki!
- Supports sending search suggestions based on page names in the page index (based on case-insensitive leveshtein distance)
- Added dynamic server-calculated page suggestions. Very helpful for larger wikis. Currently works best in Firefox. Part of the `feature-search` module.
- Added Alt + Enter support to the page search box. Works just like your browser's address bar - opens results in a new tab instead of the current one.
- User pages! Every page under `Users/` by default belongs to their respective users. e.g. `Users/admin` and all the pages under it belong to the `admin` user, so no other user can edit them.
- Added a `user-list` action that, well, outputs a list of users. Includes links to their respective user pages (though redlinks aren't implemented here yet).
- Internal links like `[[Page name]]s` will now link to the correct page in include the rest of the word. Note that this functionality _can't_ be mixed with display text, like this: `[[Page name|Display text]]s` - the rest of the word will be silently ignored in the link!
- Overhauled internal history logic - history logic is now done in core.
- Added `$env->page_filename`, which points to the current page on disk.
- Changed the way different display modes are accessed. You can now use the new `mode` parameter to the `view` action. It supports 4 different modes at present: `normal`, `printable`, `contentonly`, and `parsedsourceonly`.
- The page editor's main content box now automatically expands as you're typing! If you've got a custom theme, you may need to tweak it a bit. Help available on request.
- Improved the search engine indexing algorithm. It now shouldn't choke on certain special characters (`[]{}|`) and will treat them as word boundaries.
- Changed the uploaded file preview generation to use imagemagick. You now need to have the `imagick` php extension installed (installation on linux: `sudo apt-get install php-imagick`).
- The uploaded file preview generation action will now return audio and video files as-is. This allows for HTML5 video / audio tags to be used to view audio and video files.
- Removed parsedown from the `parser-parsedown` module and replaced it with code that automatically downloads parsedown and parsedown extra on the first run.
