Skip to Content

Release Notes for XWiki 17.4.8

Last modified by Ilie Andriuta on 2026/03/19 16:36
Contents

This is the release notes for XWiki Commons, XWiki Rendering and XWiki Platform. They share the same release notes as they are released together and have the same version.

This is a bugfix release. It contains security fixes, with the highest severity being 8.6/10.

New and Noteworthy (since XWiki 17.4.7

Full list of issues fixed and Dashboard for 17.4.8.

Upgrades

The following runtime dependencies have been upgraded (they have a different release cycle than XWiki Commons, XWiki Rendering and XWiki Platform):

Translations

The following translations have been updated: 

Tested Browsers & Databases

Automated testing

XWiki executes a lot of automated tests during its build, testing all supported configurations. In addition, some manual QA is also executed to try to discover additional problems (see below):

Manual testing

Here is the list of browsers we support and how they have been manually tested for this release:

 BrowserTested on:
Firefox30.pngMozilla Firefox 148Not Tested
Edge30.pngMicrosoft Edge 146Jira Tickets Marked as Fixed in the Release Notes
Chrome30.pngGoogle Chrome 146Not Tested
Safari30.pngSafari 26Not Tested

Here is the list of databases we support and how they have been manually tested for this release:

 DatabaseTested on:
hypersql.pngHyperSQL 2.7.4Not Tested
mysql.pngMySQL 9.3Not Tested
mariadb.pngMariaDB 11.8Not Tested
postgresql.pngPostgreSQL 17Not Tested
oracle.pngOracle 19cJira Tickets Marked as Fixed in the Release Notes

Here is the list of Servlet Containers we support and how they have been manually tested for this release:

 Servlet ContainerTested on:
tomcat-icon.pngTomcat 11.0.18Jira Tickets Marked as Fixed in the Release Notes
jetty-icon.pngJetty 12.0.20 (XWiki Standalone packaging)Not Tested
jetty-icon.pngJetty 12.0.20Not Tested

Security Issues

Security issues are not listed in issue lists or dashboards to avoid disclosing ways to use them, but they will appear automatically in them once they're disclosed. See the XWiki Security Policy for more details.

Known issues

Backward Compatibility and Migration Notes

General Notes

  • When upgrading make sure you compare and merge the following XWiki configuration files since some parameters may have been modified, removed or added:
    • xwiki.cfg
    • xwiki.properties
    • web.xml
    • hibernate.cfg.xml
  • Add xwiki.store.migration=1 in xwiki.cfg so that XWiki will attempt to automatically migrate your current database to any new schema. Make sure you backup your Database before doing anything.

Issues specific to XWiki 17.4.8

Apache HttpClient 3 is not included in XWiki Standard anymore

Apache HttpClient 3 having an important vulnerability, it was removed from XWiki Standard 17.10.0-rc-1, 17.4.8 and 16.10.15. This means that an extension that relies on the fact that it's there without declaring it as a dependency won't work anymore. Of course it's true also for any custom script that expects it to exist.

While it's technically easy to reinstall extension commons-httpclient:commons-httpclient (last version is 3.1), it's highly recommended to instead rewrite whatever code which needed it to use another library (like HttpClient 5, for example).

Note that to fully remove that dependency, we also had to:

  • remove the com.xpn.xwiki.XWiki#getHttpClient API
  • change the type of com.xpn.xwiki.plugin.feed.XWikiFeedFetcher$CredentialSupplier#getCredentials#

Removal of withTip and useTitleAsTip CSS class behaviour

Two CSS classes were defined in the past for working around Internet Explorer limitations regarding values in form inputs: withTip and useTitleAsTip. However it was advised to not rely on those CSS class anymore and to rely on placeholder input attribute only. We now removed the support of those CSS classes in XWiki.

API Breakages

The following APIs were modified since XWiki 17.4.7:

Real breakages

Real backward compatibility breakages that we have unwillingly accepted to do for the reasons mentioned in each violation below.

  • Expose a vulnerable and long dead library, and should have never been public in the first place
    • Violation type:
      java.method.removed
    • Code:
      ## Old:
method org.apache.commons.httpclient.HttpClient com.xpn.xwiki.XWiki::getHttpClient(int, java.lang.String)

Credits

The following people have contributed code and translations to this release (sorted alphabetically):

  • Alex Cotiugă 
  • Cédric LAMBLIN 
  • LucasC 
  • Manuel Leduc 
  • Marius Dumitru Florea 
  • Michael Hamann 
  • Nikita Petrenko 
  • Rostyslav Haitkulov 
  • Saa Kiraly 
  • Simon Urli 
  • Simpel 
  • Thomas Mortagne 
  • Vincent Massol 
  • Xiaofei Cui 
  • xrichard 
  • 龔敖摩 
  • 이경철 

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected