Release Notes for XWiki 17.4.7
These are the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.
This is a bug fix release mainly improving the recently introduced link protection mechanism to make it less intrusive for users, and fixing a few bugs in the editor and in the document tree macro, as well as upgrading a few dependencies.
New and Noteworthy (since XWiki 17.4.6)
Full list of issues fixed and Dashboard for 17.4.7.
Upgrades
The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):
Tested Browsers & Databases
Automated testing
XWiki executes a lot of automated tests during its build, testing all supported configurations. In addition, some manual QA is also executed to try to discover additional problems (see below):
Manual testing
Here is the list of browsers we support and how they have been manually tested for this release:
| Browser | Tested on: |
|---|---|
| Mozilla Firefox 144 | Jira Tickets Marked as Fixed in the Release Notes |
| Microsoft Edge 142 | Tests run and results |
| Google Chrome 142 | |
| Safari 26 | Not Tested |
Here is the list of databases we support and how they have been manually tested for this release:
| Database | Tested on: |
|---|---|
| HyperSQL 2.7.4 | Not Tested |
| MySQL 9.3 | Jira Tickets Marked as Fixed in the Release Notes |
| MariaDB 11.8 | Not Tested |
| PostgreSQL 17 | Tests run and results |
| Oracle 19c | |
Here is the list of Servlet Containers we support and how they have been manually tested for this release:
| Servlet Container | Tested on: |
|---|---|
| Tomcat 11.0.13 | |
| Jetty 12.0.20 (XWiki Standalone packaging) | |
| Jetty 12.0.20 | Not Tested |
Security Issues
Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.
Known issues
Backward Compatibility and Migration Notes
General Notes
- When upgrading, make sure you compare and merge the following XWiki configuration files, since some parameters may have been modified, removed or added:
  - xwiki.cfg
  - xwiki.properties
  - web.xml
  - hibernate.cfg.xml
- Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you back up your database before doing anything.
Issues specific to XWiki 17.4.7
Change in link protection mechanism
The link protection mechanism introduced in XWiki 17.4.6 has been relaxed to be less intrusive. The documentation of the new mechanism follows:

A new security mechanism related to URLs has been put in place in XWiki to inform users when they click on a link leading to an external URL that does not belong to the list of trusted domains. By default this mechanism is enabled only for links in comments, but it can also be enabled for the whole wiki. It reuses the list of trusted domains that can be configured in xwiki.properties, and a new configuration property allows specifying individual URLs that can be accessed from the frontend without any warning. Finally, the mechanism can also be disabled through a dedicated configuration property.
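To check what a given xwiki.properties actually yields for the two link-protection properties documented in this section, here is an added example (not XWiki code) that reports the effective url.frontendUrlCheckPolicy and flags malformed url.allowedFrontendUrls entries. It assumes plain key=value lines where the last uncommented assignment wins; the function names and the sample file are constructed for illustration.

```python
from urllib.parse import urlsplit

POLICY_KEY = "url.frontendUrlCheckPolicy"
ALLOWED_KEY = "url.allowedFrontendUrls"
ACCEPTED = {"enabled", "disabled", "comments"}  # values listed in these release notes
DEFAULT_POLICY = "comments"                     # documented default

def parse_properties(text):
    """Return uncommented key=value pairs; the last assignment wins (assumption)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_link_protection(text):
    """Return (effective policy, allowed URL list, findings) for the two keys."""
    props = parse_properties(text)
    findings = []
    policy = props.get(POLICY_KEY, DEFAULT_POLICY)
    if policy not in ACCEPTED:
        findings.append(f"{POLICY_KEY}: '{policy}' is not an accepted value")
    elif policy == "disabled":
        findings.append(f"{POLICY_KEY}: external-link confirmation is turned off")
    allowed = [u.strip() for u in props.get(ALLOWED_KEY, "").split(",") if u.strip()]
    for url in allowed:
        parts = urlsplit(url)
        # The documented format is absolute URLs: require a scheme and a host.
        if not parts.scheme or not parts.netloc:
            findings.append(f"{ALLOWED_KEY}: '{url}' is not an absolute URL")
    return policy, allowed, findings

# Constructed sample: policy left commented out, one malformed allow-list entry.
SAMPLE = """\
# url.frontendUrlCheckPolicy=comments
url.allowedFrontendUrls=https://www.xwiki.org/xwiki/bin/view/Main/WebHome, github.com/xwiki
"""

if __name__ == "__main__":
    policy, allowed, findings = audit_link_protection(SAMPLE)
    print("effective policy:", policy)
    for finding in findings:
        print("finding:", finding)
```
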
#-# [Since 17.9.0]
#-# [Since 17.4.7]
#-# [Since 16.10.14]
#-# Define the policy to use for URL checks performed in the UI, whether the user should be asked for confirmation
#-# when going to an untrusted domain.
#-# Accepted values for this property are: enabled, disabled, or comments.
#-# Enabled means that the check will be enforced in all the wiki UI, disabled that the check will never be
#-# performed, and comments (default value) means that the check will only be performed on links provided in the
#-# comments of the wiki.
#-#
#-# By default this property is set to comments:
# url.frontendUrlCheckPolicy=comments
#-# [Since 17.9.0RC1]
#-# [Since 17.4.6]
#-# [Since 16.10.13]
#-# Allow specific URLs to be accessible from the frontend without asking confirmation, and without
#-# needing to allow an entire domain. The expected format is absolute URLs separated by commas, e.g.:
#-# https://github.com/xwiki/xwiki-platform,https://www.xwiki.org/xwiki/bin/view/Main/WebHome
#-#
#-# By default this property is empty:
# url.allowedFrontendUrls=
API Breakages
The following APIs were modified since XWiki 17.4.6:
Unstable APIs
These are not real backward compatibility breakages since they were done on APIs marked @Unstable (a.k.a. Young APIs). It is part of the contract that such APIs can be broken until they become stable. They're listed purely for reference in case you decided to still use them (and thus agreed to be broken).
- Very recent unstable API introduced in 17.4.6 and replaced by getFrontendUrlCheckPolicy.
  - Violation type: java.method.removed
  - Code:
    ## Old: method boolean org.xwiki.url.URLConfiguration::isFrontendUrlCheckEnabled()
- Very recent unstable API introduced in 17.4.6 and replaced by getFrontendUrlCheckPolicy.
  - Violation type: java.method.removed
  - Code:
    ## Old: method boolean org.xwiki.url.script.URLSecurityScriptService::isFrontendUrlCheckEnabled()
Credits
The following people have contributed code and translations to this release (sorted alphabetically):
- LucasC
- Manuel Leduc
- Marius Dumitru Florea
- Michael Hamann
- Simon Urli
- Thomas Mortagne