breaking change: Query watchlist shows flags only when explicitly requested with wlparam=flags, and rc_this_oldid (textid) is no longer accessible
query watchlist cleanup
bug in the integer parameter min/max validation
bug in feed formatting in error handling
some documentation
* breaking change: Converted a map of revisions into a list of revisions to allow easier json processing (no need to know map keys)
* html formatting now properly links urls ending with a '\n' string (jsonfm)
* regression: fixed allpages to return int instead of string for pageid and ns
* Added: info now returns page length, counter, and a new flag
* Add @addtogroup tags to various classes, to try and group conceptually-related classes together.
* Add brief descriptions to various Special pages, thanks to Phil Boswell.
* Moving some docs to be right above the classes they represent, so that they are picked up.
* Create magic links only using a whitelist of protocols.
Have no proof of vuln, but allowing the user to make JavaScript links and have a lot of control over what goes into them probably isn't desirable.
Example attack input:
http://en.wikipedia.org/w/api.php?action=query&meta=javascript://**/alert(1);
Example pre-patch HTML output contains this string:
<a href="javascript://**/alert">javascript://**/alert</a>(1);
Which doesn't work, due to:
1) the double slash - one slash someone can work around by faking a C-style comment (by appending "**/" as shown above), but two is a problem
2) the parentheses being excluded, so we can't pass parameters
... but best to put a stop to it anyway.
* API: added experimental watchlist rss/atom feed
* API: if available, json_encode() will be used
* API: opensearch parameter changed to "search=" (more descriptive)
* API: minor parameter cleanup, a wrapper for Feed class
