Version 2.1.27 (2006-12-11)

This version backports from 2.2.0-beta a bugfix for $TableRowIndexMax and also support for the {*$Variable} markup.

Version 2.1.26 (2006-09-11)

This version fixes a bug in feeds.php that would cause feed entries to be mixed up.

Version 2.1.25 (2006-09-08)

This release fixes a bug in authuser.php introduced by the 2.1.24 release.

The skin template code has also been extended to allow <!--XMLHeader--> and <!--XMLFooter--> as aliases for <!--HTMLHeader--> and <!--HTMLFooter-->.

Version 2.1.24 (2006-09-06)

This release makes some improvements and fixes to the AuthUser capability.

A bug in authuser.php that had trouble dealing with non-array values in $AuthUser has been fixed.

It is now possible to specify group memberships from local/config.php (remember that such entries must come before including the authuser.php script):

    # alice and bob's passwords
    $AuthUser['alice'] = crypt('alicepassword');
    $AuthUser['bob'] = crypt('bobpassword');

    # members of the @writers and @admins groups
    $AuthUser['@writers'] = array('alice',  'bob');
    $AuthUser['@admins'] = array('alice', 'dave');

    # carol is a member of @editors and @writers
    $AuthUser['carol'] = array('@editors', '@writers');

AuthUser can now read from Apache-formatted .htgroup files. The location of the .htgroup file can be done either in local/config.php or Site.AuthUser

    # local/config.php:
    $AuthUser['htgroup'] = '/path/to/.htgroup';

    # Site.AuthUser
    htgroup: /path/to/.htgroup

Versions 2.1.21, 2.1.22, 2.1.23 (2006-09-05, 2006-09-06)

This release closes a potential security vulnerability for sites that are running with 'register_globals' set to on. Details of the vulnerability will be forthcoming on the mailing list and site.

Sites that are running with PHP 'register_globals' and 'allow_url_fopen' set to 'On' should upgrade to this release at the earliest opportunity. If upgrading isn't an option, contact Pm for a patch to older versions.

There is now a tool available to analyze PmWiki sites for security and other configuration settings, see PmWiki:SiteAnalyzer.

Version 2.1.23 also corrects a bug that prevented PmWiki from being able to read pagefiles created by versions of PmWiki before 0.5.6.

Version 2.1.20 (2006-09-04)

More minor bugfixes:

  • Corrected a bug with WikiWord references appearing in the (:attachlist:) markup.
  • Restore ability to remove/override PmWiki's default CSS settings.

Version 2.1.19 (2006-08-30)

This release provides a number of very minor bugfixes and enhancements:

  • Fixed a bug in the pageindex code that was causing it to not regenerate as quickly as it should.
  • Fixed image/object/embed handling in wikistyles to better support the Cookbook:Flash recipe.
  • Fixed a bug with wikistyles and input form tags.

The next release(s) may have a number of substantial code enhancements and changes, so this release simply closes out a few items before introducing those changes.

Version 2.1.18 (2006-08-28)

This release closes a potential cross-site scripting vulnerability that could allow authors to inject Javascript code through the various table markups.

The release also adds a new (:input image:) markup to generate image input tags in forms.

Finally, this release corrects a problem with ?action=print failing to properly set the {$Action} page variable.

Version 2.1.17 (2006-08-26)

This release fixes a long-standing bug with $EnableIMSCaching (PITS:00573), whereby login/logout operations wouldn't invalidate browser caches, causing some people to see versions of a page prior to the login/logout taking place.

The new IMS caching code maintains a "imstime" cookie in the visitor's browser that keeps track of the time of last login, logout, author name change, or site modification. This cookie is then used to determine the proper response to browser requests containing If-Modified-Since headers. (Previously only the time of the last site modification was available.)

Browsers which do not accept cookies will effectively act as though IMS caching is disabled.

Version 2.1.16 (2006-08-26)

This release makes some improvements to skin handling -- primarily this improves the capability of relocating skin files to other locations, and to provide the ability for recipes to insert items at the end of HTML output.

This release introduces a <!--HTMLFooter--> directive into skin templates, which allows recipes and local customizations to insert output near the end of a document using a $HTMLFooterFmt array from PHP.

Also, the <!--HeaderText--> directive, which inserts the contents of $HTMLHeaderFmt into the output, has now been renamed to <!--HTMLHeader-->. PmWiki will continue to recognize <!--HeaderText--> to preserve compatibility with existing skins, but <!--HTMLHeader--> is preferred.

A new $SkinLibDirs array has been introduced which allows the source locations and urls for skins to be specified from a customization file. By default $SkinDirUrls is set as

  array("./pub/skins/\$Skin"      => "$PubDirUrl/skins/\$Skin",
        "$FarmD/pub/skins/\$Skin" => "$FarmPubDirUrl/skins/\$Skin")

The keys (on the left) indicate the places to look for skins in the filesystem, while the values (on the right) indicate the urls corresponding to the locations on the left. Modifying the value of $SkinLibDirs allows skins to be located anywhere on the filesystem.

As far as I can see, none of the changes introduced by this release should have any sort of negative impact on existing sites, so it should be safe to upgrade. (If I'm wrong, please let me know.)

Version 2.1.15 (2006-08-25)

This release includes a number of feature enhancements and code cleanups as reported or requested by administrators.

First, AuthUser's LDAP authentication system now allows the use of a ?filter parameter, consistent with urls used for mod_auth_ldap authorization in Apache. See the newly updated LDAP section of the AuthUser documentation for more details.

A chicken-and-egg problem with the @_site_* authorization groups has been resolved. It's now possible to have a page's read authorization refer to things such as _site_edit.

Also, the RetrieveAuthPage() function -- used for retrieving pages only if the visitor is authorized to do so -- now recognizes a special level parameter of 'ALWAYS', which means to always authorize access regardless of the browser or visitors current permissions. This may be useful for allowing certain operations to take place from within trusted scripts without having to grant full authorization to the browser.

Hardcoded instances of the local/ directory now use a customizable $LocalDir variable. This variable controls where PmWiki looks for local/config.php and per-group customization files. It may be useful for some Wiki Farm contexts. Note that this does not change or affect the location of $FarmD/local/farmconfig.php.

Some minor internal changes have been made to scripts/wikistyles.php to better accommodate the wikipublisher recipe. It's probably better if we don't try to explain them. :-)

Version 2.1.13, 2.1.14 (2006-08-15, 2006-08-16)

This release fixes a bug in handling numeric passwords, and also allows ldaps:// authentication sources.

Version 2.1.12 (2006-08-07)

This version introduces the ability to nest divs and tables. The standard (:table:) and (:div:) markups are still available, except that a (:div:) may contain a (:table:) and vice-versa.

As in previous versions of PmWiki, the (:div:) markup automatically closes any previous (:div:). However, there are now (:div1:), (:div2:), etc. markups (and the corresponding (:div1end:), (:div2end:), ...) which can be used to uniquely distinguish divs for nesting purposes.

To restore PmWiki's previous "non-nested" div behavior, set $Transition['nodivnest'] = 1; in a local customization file.

Other changes in this release:

  • Add a (:noaction:) directive to suppress display of page actions.
  • Allow anchor tags to contain colons, hyphens, and dots.
  • Add "white-space" as an allowed wikistyle.
  • Other minor bug fixes and typographical corrections.

Version 2.1.11 (2006-06-09)

This is a minor update that prevents %define=% wikistyles from generating empty paragraphs in the HTML output. Prior to this release, markup lines containing only wikistyle definitions would often generate empty paragraphs (<p></p>), this release changes things so that a markup line beginning with %define= and containing only wikistyle definitions will not initiate a new paragraph.

Version 2.1.10 (2006-06-03)

Version 2.1.4 introduced an {$Action} page variable that would contain the current ?action= value. Unfortunately, this page variable conflicted with a pre-existing $Action global variable that was being used by skins to display a human-friendly form of the current action. Since there's not really a clean way to resolve this, I've decided to keep {$Action} as a page variable with the current action value (as introduced in 2.1.4), and change the global for skins to be $ActionTitle. This will require updating skins to use $ActionTitle instead of $Action. I apologize for the conflict.

This release adds a Site.LocalTemplates page for the fmt=#xyz option in pagelist and search results. The list of pages to be searched can be customized via the $FPLTemplatePageFmt variable. The fmt=#xyz option will now also search the current page for a matching template before searching Site.LocalTemplates and Site.PageListTemplates.

The 'pmwiki' skin now places a <span> around the "Recent Changes" link in the header to make it somewhat easier to style.

Version 2.1.9 (2006-06-02)

This release fixes a long-standing and difficult-to-find bug with the handling of [[~Author]] links.

Version 2.1.8 (2006-06-01)

This release simply changes the $NotifyListFmt variable to be $NotifyListPageFmt (more descriptive), and adds a $NotifyList array that can be used to specify notification entries from a configuration file.

Version 2.1.7 (2006-05-31)

This release introduces a variety of improvements and bugfixes.

Vspace paragraphs are now divs: Version 2.1.7 changes the way that PmWiki handles vertical space in output (the infamous <p class='vspace></p> sequence). Instead of using paragraphs, PmWiki now generates <div class='vspace'></div> for vertical space sequences. In addition, PmWiki is able to collapse the vspace <div> with any subsequent paragraph tags, such that a sequence like

    <div class='vspace></div><p>...paragraph text...</p>

is automatically converted to

    <p class='vspace'>...paragraph text...</p>

This allows for better control over paragraph spacing. It is expected that this change in vspace handling will not have any detrimental effects on existing sites. Sites that have set custom values for $HTMLVSpace will continue to use the custom value. A site that wants to restore PmWiki's earlier handling of vspace can do so by adding the following to local/config.php:

    $HTMLVSpace = "<p class='vspace'></p>";

Improved email notifications of changes: Version 2.1.7 incorporates a notify.php script that provides improved capabilities for sending email notifications in response to page changes. This script is intended to replace the previous MailPosts capability, which is now deprecated (but will continue to be supported in PmWiki 2.1.x). Details and instructions for using notify.php are in the PmWiki.Notify page.

Added 'group home page' syntax: A group name followed by only a dot or slash is automatically treated as a reference to the group's home page, whatever it happens to be. This simplifies some pagelist templates as well as a number of other items. In particular, group links in pagelist output now points to the correct locations (instead of being a page in the current group).

Several bugs and vulnerabilities have been fixed:

  • The default width of edit forms is now more appropriate for Internet Explorer.
  • Authentication failure messages from LDAP are now suppressed.
  • Some cross-site scripting vulnerabilities in uploads and page links have been corrected (courtesy Moritz Naumann,
  • A problem with invalid pagenames resulting in redirect loops has been corrected.

Version 2.1.6 (2006-05-22)

The primary improvement in this release is the addition of a pagename argument to the (:if auth:) conditional markup. Thus one can display markup based on a visitor's authorization to a page other than the current one. For example, to test for edit privileges to Main.WikiSandbox, one would use (:if auth edit Main.WikiSandbox:). As before, if the pagename is omitted the directive tests authorization to the current page.

This release also restores the ability to have hyphens in InterMap link names.

Lastly, the release closes a potential cross-site scripting vulnerability in the WikiTrail markup, and provides some small performance improvements.

Version 2.1.4, 2.1.5 (2006-03-29)

This release fixes a few more bugs:

  • Pagelist-based feeds using ?action=rss work again.
  • Multi-term searches with special characters is fixed.

The release also adds a couple of items:

  • There is now an {$Action} page variable.
  • Usernames and passwords submitted to authuser.php can contain quotes.
  • The (:attachlist:) command now uses a natural case sort.

Version 2.1.3 (2006-03-17)

This release fixes a bug that prevents the lines= option from working on sites running PHP 5.1.1 or later. It also re-fixes a bug involving empty passwords and LDAP authentication.

Version 2.1.2 (2006-03-16)

This release fixes a bug with handling "nopass" passwords. It also makes some speed improvements to large web feeds, and fixes a couple of minor HTML tag mismatches.

Version 2.1.1 (2006-03-13)

This release primarily fixes a bug with passwords containing multiple authorization groups, and in the process slightly liberalized the formatting of "@group" and "id:name" handling. This release also adds a new mechanism for managing and displaying FAQ pages.

Version 2.1.0 (2006-03-12)

This set of release notes is fairly lengthy, as it chronicles all of the changes since 2.0.13 (four months of development). A lot remains the same, but some changes warrant extra care when upgrading from a 2.0.x version to 2.1.0 (thus the major revision number change). As always, questions and issues can be mailed to the pmwiki-users mailing list.

Here's the list:

  • WikiWords are now disabled by default. To enable them, set "$LinkWikiWords = 1;" in a local customization file. As of 2.1.beta2, you can now leave WikiWords enabled but have links to non-existent pages display without decoration -- to do this, place the following lines in pub/css/local.css:
    span.wikiword a.createlink { display:none; }
    span.wikiword a.createlinktext 
      { border-bottom:none; text-decoration:none; color:inherit; }
  • The (:pagelist:) code has been substantially revised. Pagelist formatting can now be specified using markup, and several defaults are available from Site.PageListTemplates. Also, several built-in pagelist formatting functions (FPLSimple, FPLByGroup, FPLGroup) are now removed in favor of the template code. The FPLByGroup function can be restored by setting $Transition['fplbygroup']=1; . Remark: Check to see if your page Site.PageListTemplates is not passwordprotected for viewing, otherwise the resulting pagelist will not be shown.
  • (:pagelist:) now also understands wildcards in group= and name= arguments, as well as excluding specific names and groups.
  • (:pagelist:) now has an "order=random" option.
  • (:searchbox:) now accepts "group=", "link=", "list=", etc. options to be passed along to the search results. It also accepts a "target=" option that identifies the page on which to send the search query.
  • ?action=search will display the contents of the current page if it contains a (:searchresults:) directive, otherwise it uses the content of the page identified by $PageSearchForm (default is the search page for the current language translation).
  • PmWiki no longer maintains a ".linkindex" file -- it now has a ".pageindex" file that contains not only a table of links, but also words used in each page (to speed up term searches). The maintenance of the .pageindex file can be disabled by setting $PageIndexFile='';
  • The $EnablePageListProtect variable now defaults to true, so that read-only pages appear in pagelists only if the visitor has read authorization. Note that this can also slow down some (:pagelist:) and search commands, so if the site doesn't have any read-only pages or if you aren't worried with cloaking read-only pages from searchlists, it might be worth setting $EnablePageListProtect=0; .
  • Whitespace indentation rules now exist and are enabled by default. Any line that begins with whitespace and aligns with a previous list item is considered to be "within" that list item. Text folds and wraps as normal, and the (:linebreaks:) directive is honored. To turn off whitespace indentation, use DisableMarkup('^ws');.
  • A single blank line after a !!Heading is silently ignored.
  • The (:redirect:) directive is now a true markup, and can be embedded inside conditional markups or includes. It also allows redirecting to an anchor in a page, such as (:redirect PageName#anchor:). A new from= option allows the redirect to take place only from pages that match the given wildcard specification. The status= option allows a 301, 302, 303, or 307 HTTP status code to be returned.
  • The built-in authorization function has gone through some substantial internal changes, however these changes should be fully backward compatible so that it doesn't impact any existing sites. (If it does cause a problem, please let me know so I can investigate why!) The password prompts are now specified by an admin-customizable Site.AuthForm page. In addition, the authorization function no longer creates PHP sessions for visitors that aren't being authenticated.
  • The authuser.php has likewise been substantially updated. The new version should have complete backwards compatibility with previous authuser.php settings, but this version also offers the ability to configure authentication resources and authorization groups through the Site.AuthUser page. Note that by default the Site.AuthUser page can only be edited using the admin password.
  • The $Author variable now defaults to $AuthId if not otherwise set by a script or cookie.
  • The Site.SideBar page now defaults its edit password to the sitewide edit password (in $DefaultPasswords['edit']).
  • PmWiki now supports a "draft edit" mode, enabled by $EnableDrafts = 1. This creates a "Save as draft" button that will save a page under a "-Draft" suffix, for intermediate edits.
  • There is now an ?action=login action available.
  • A potential security vulnerability for sites running PHP 5 with register_globals enabled has been fixed.
  • The [[PageName |+]] markup is now available by default; this creates a link to PageName and uses that page's title as the link text.
  • What used to be "markup variables" are now "page variables". These are always specified using the {$variable} syntax, and can be used in markup and in $...Fmt strings. In addition, one can request a value for a specific page by placing the pagename in front of the variable, as in {pagename$variable}.
  • The scripts/rss.php script is now scripts/feeds.php, and is a complete redesign for web feed generation. The new version supports UTF-8 and other encodings, can generate Atom 1.0 (?action=atom), Dublin Core Metadata (?action=dc) output, and enclosures for podcasting. It also allows feeds to be generated from trails, groups, categories, and backlinks, and provides options (same as pagelists) for sorting and filtering the contents of the feed. Most sites can simply switch to using include_once("scripts/feeds.php"); instead of the previous rss.php include. The rss.php file has been removed from the distribution (but still works with PmWiki 2.1 for those sites that wish to continue using it).
  • InterMap entries can now come from a Site.InterMap page as well as the local/localmap.txt and local/farmmap.txt files. The format of these files has changed slightly, in that the InterMap name should now have a colon after it (previously the colon was omitted).
  • We can now provide better control of robot (webcrawler) interactions with a site to reduce server load and bandwidth. The $RobotPattern variable is used to detect robots based on the user-agent string, and any actions not listed in the $RobotActions array will return a 403 Forbidden response to robots. In addition, setting $EnableRobotCloakActions will eliminate any forbidden ?action= values from page links returned to robots, which will reduce bandwidth loads from robots even further (PITS:00563).
  • Non-existent page handling has been improved; whenever a browser hits a non-existent page, PmWiki returns the contents of Site.PageNotFound and a 404 ("Not Found") status code.
  • Page links that have "?action=" in their query arguments are now treated as "existing page" links even if the page does not exist.
  • The PmWiki default skin now adds rel='nofollow' to various action links.
  • Some of the CSS styles in the PmWiki default skin have been changed for better presentation.
  • The gui edit buttons have transparent (instead of white) borders so they integrate better into skins.
  • The $EnableIMSCaching variable is now much smarter, it can detect changes in local customization files as well as pages.
  • WikiStyles can now make percentage specifications by using "pct" to mean "%".
  • Class attributes in WikiStyle shortcuts are now cumulative, so that %class1 class2% results in class='class1 class2' instead of just class='class2' in the output.
  • A problem with the (:include PageName#from#:) markup not working has been fixed (PITS:00560).
  • Viewing a GroupHeader or GroupFooter page no longer displays the contents twice.
  • It's now easier to share pages among multiple sites (e.g., WikiFarms), see Cookbook:SharedPages (PITS:00459).
  • A problem with nested apostrophe markups has been fixed (PITS:00590).
  • PmWiki is now smarter about not surrounding block HTML tags with <p>...</p> tags.
  • If an [[#anchor]] is used more than once in a page, only the first generates an actual anchor (to preserve XHTML validity).
  • There are now (:if equal ...:) and (:if exists pagename:) conditional markups.
  • Compound conditional markup expressions are now possible -- e.g. (:if [ group PmWiki && ! name PmWiki ] :) .
  • Added an $InputValues array that can supply default values for certain form controls (PITS:00566).
  • The default setting of $UploadUrlFmt is now based on $PubDirUrl instead of $ScriptUrl.
  • The $text global variable has been removed (use $_GET['text'], $_POST['text'], or $_REQUEST['text']).
  • A possible problem with url-encoding of attachments with non-ASCII characters has been addressed (PITS:00588).
  • Page actions in non-existent pages no longer display with non-existent link decorations.
  • A README.txt file has been added, and several documentation files are now available through the docs/ directory.
  • PmWiki is no longer available through CVS on It is now available via SVN on, at svn:// . For more details, see PmWiki:Subversion.
  • The $NewlineXXX variable (deprecated in 2.0.0) has been removed.
  • There is experimental support for server-side caching of pages that take a long time to render; this is currently an unsupported feature and may be removed in future releases.

Version 2.0.13 (2005-11-10)

This is a release containing minor bugfixes and improvements in preparation for the 2.1.beta series.

Wiki administrators should note that after this release PmWiki will default to having WikiWords disabled.
To make sure WikiWords are enabled, use $LinkWikiWords = 1; in the local/config.php file.

Version 2.0.12 (19-Oct-2005)

This release cleans up problems with page validation for page links containing query fragments and ampersands, changes PmWiki to use a PHP "return" statement instead of "exit", and fixes a warning in scripts/transition.php.

Version 2.0.11 (17-Oct-2005)

This release fixes a couple of important bugs and adds some new features to PmWiki.

Most importantly, this release fixes bug with ?action=attr affecting the page history.

For sites using LDAP authentication with authuser.php, PmWiki now provides $AuthLDAPBindDN and $AuthLDAPBindPassword variables to specify the binding to be used for searching. It also works around a PHP oddity that causes users to appear authenticated when an empty password is provided. Authuser.php also now handles straight md5 password encryptions (commonly used by MySQL databases).

The core now includes the (:linebreaks:) markup (from Cookbook:LineBreaks), which causes text on separate lines in the markup to appear as separate lines in the output (i.e., no auto-joining of one line to the previous one).

There have been some internal changes designed to provide better support for leading-whitespace rules (more details on this in a future release).

The core now provides an (:if date:) markup to display text only if the current day is within a range of supplied dates.

Version 2.0.10 (29-Sep-2005)
Version 2.0.9 (28-Sep-2005)

This release fixes an oversight in xlpage-utf-8.php that failed to uppercase ASCII letters when mb_strtoupper isn't present.

Version 2.0.8 (27-Sep-2005)

This release simply adds the capability to use quotes to enter pass phrases (passwords containing spaces) using ?action=attr, and fixes a bug with displaying the name instead of the title in the default print skin.

Version 2.0.7 (26-Sep-2005)

This version changes the xlpage-utf-8.php case conversion slightly to use a more direct conversion table, and completed the table for more characters in the utf-8 set.

This release also fixes the $VersionNum variable that was supposed to appear in 2.0.6.

An accesskey shortcut (ak_textedit) is being added to the edit form text area.

Lastly, this release adds a timelimit to the generation of .linkindex, to avoid long page times when generating the .linkindex.

Version 2.0.6 (16-Sep-2005)

In this release, we provide quite a few more updates for sites that want or need to use utf-8 encoding, fix a large number of utf-8 related bugs, introduce better handling of author cookies, and better support for keeping track of version releases.

The biggest change is to the xlpage-utf-8.php recipe, which has been substantially rewritten from the previous version. This new version of xlpage-utf-8.php no longer depends on the mb_strtoupper() function, which seems to be not available in many PHP installations. The new version of xlpage-utf-8.php uses mb_strtoupper() if it's available, but if not available then it manually performs case conversions from a Unicode table that is directly encoded in the script. At present this table only understands case conversions for Western European (Latin-1 or ISO-8859-1) and Cyrillic characters, we'll want to expand the table to support other language character sets as needed. Just contact me on the listserv if a particular character isn't yet supported.

In addition to the above, author names and cookies in utf-8 environments now work again, and link suffixes containing non-ASCII characters work again also.

The GUI button handling in IE has been greatly improved; text selection in IE now works as you would expect it to work when a gui button is pressed. Possibly still no hope for Mac Safari browsers, unfortunately...

A $CookiePrefix variable has been introduced; a wiki administrator can set $CookiePrefix to prevent PmWiki's cookies from interfering with cookies set from other applications under the same domain name.

Some XHTML validation issues surrounding the use of