Foswiki Release 2.1.7

See Release Dates for the complete list of available releases.


GPG Signatures and MD5 checksums are provided for verifying the integrity of the files for the primary download packages.

File GPG MD5 Description
download Foswiki-2.1.7.tgz GPG MD5 tar gz version of Foswiki
download GPG MD5 zip version of Foswiki

Upgrade packages

If you already have an earlier version of Foswiki 1.1.X installed, you can extract an upgrade package on top of the installation. The major.minor part of the release should not be changed by an upgrade package.

ALERT! Upgrade packages must not be used to upgrade older releases.

File GPG MD5 Description
download Foswiki-upgrade-2.1.7.tgz GPG MD5 upgrade tar gz version of Foswiki
download GPG MD5 upgrade zip version of Foswiki

<blockquote class="foswikiAlert"> *This release has not been built yet!*  This is a draft of the release announcement.  If you want an early start to testing, see Development.GitBasedInstall.</blockquote>

Getting help & providing feedback

Don't forget to use the upgrade or installation guides. If you need help, there are several options:

We want to hear from you! Especially if you have noticed a bug, have some ideas we could use, or just want to contribute:

Highlights of this release

Multiple cross-site scripting vulnerabilities in jQuery and jQuery UI

These fixes are described in:

  • CVE-2021-41182: XSS in the `altField` option of the Datepicker widget in jQuery UI < 1.30.0
  • CVE-2021-41183: XSS in `*Text` options of the Datepicker widget in jQuery UI < 1.30.0
  • CVE-2021-41184: XSS in the `of` option of the `.position()` util in jQuery UI < 1.30.0
  • CVE-2016-7103: XSS in closeText option of Dialog in jQuery UI < 1.12.0
  • Fixes for CVE-2015-9251 and CVE-2019-11358 have been backported from jquery-3.x to jquery-2.x, which is used by default

Regular Expression Denial of Service vulnerability in jquery.validate

Details in CVE-2021-21252

Possible server-side request forgery exposing the session id

For decades, Foswiki and TWiki have had ways to access a user's session id and make it available on a wiki page using the %SESSIONID macro. Anybody who gains access to a session id can use that session on behalf of the user associated with it, and there are multiple ways to leak this information to the outside using this macro. Therefore, the two related macros %SESSIONID and %SESSIONVAR are deprecated for security reasons and have been disabled by default using the {Sessions}{HideSessionVariable} setting. Note that these macros will be removed completely in the next minor release.
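Before the macros are removed, an administrator can look for topics that still call them. The following is an added example, not part of the Foswiki release or its tooling: it assumes topics are stored as `<data>/<Web>/<Topic>.txt` files, and the function names and sample topics are made up for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# The two macros the release notes list as deprecated and disabled by default.
DEPRECATED = ("SESSIONID", "SESSIONVAR")
# Macro syntax: %NAME% or %NAME{params}%. A leading "!" escapes a macro, so
# "!%SESSIONID%" is documentation text and is not reported.
MACRO_RE = re.compile(r"(?<!!)%(" + "|".join(DEPRECATED) + r")(?:\{[^}]*\})?%")

# Constructed sample topics (not taken from a real wiki).
SAMPLE = {
    "Main/LoginHelper.txt": "---+ Helper\nSession: %SESSIONID%\n",
    "Sandbox/Tools/Debug.txt": "Var: %SESSIONVAR%\n",
    "System/MacroDocs.txt": "Write !%SESSIONID% to show the macro name.\n",
}

def build_sample(root):
    # Write the constructed sample topics below root.
    for rel, text in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

def find_deprecated_macros(data_dir):
    """Return sorted (web.topic, line number, macro) tuples for each live use."""
    # Assumption: topics are stored as <data_dir>/<Web>/<Topic>.txt.
    root = Path(data_dir)
    hits = []
    for path in root.rglob("*.txt"):
        parts = path.relative_to(root).with_suffix("").parts
        if len(parts) < 2:  # a file that is not inside a web directory
            continue
        name = "/".join(parts[:-1]) + "." + parts[-1]
        # Older topics may not be UTF-8, so decoding must never abort the scan.
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            hits += [(name, line_no, m.group(1)) for m in MACRO_RE.finditer(line)]
    return sorted(hits)

if __name__ == "__main__":
    # Pass a data directory, or run with no argument to scan the sample tree.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        for name, line_no, macro in find_deprecated_macros(target):
            print(f"{name}:{line_no}: %{macro}%")
```

Macros inside verbatim blocks are reported as well, so review each hit before editing the topic.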

QUERY macro does not check access rights

While macros such as %FORMFIELD allowed access only to information the current user has view rights for, the %QUERY macro does not check access rights.

Reimplementation of livequery using mutation observer

The LiveQuery module is at the core of Foswiki's JavaScript framework but, alas, has been abandoned upstream. In the meantime, all modern browsers support a feature called "mutation observer" that monitors changes to the DOM in an efficient, standardized way. A new module called Observer has therefore been implemented on this basis to initialize JavaScript modules declaratively, as was done before using LiveQuery.

The following issues have been reported against FoswikiRelease02x01x07. Tasks in "Closed" or "Waiting for Release" state will be fixed in the next release.

Detailed list

Security Fixes

# Task Component Summary
1 Item15061 JQueryPlugin multiple cross-site scripting vulnerability in jQuery UI
2 Item15048 LoginManager disable access to sessionid
3 Item15033 JQueryPlugin update jquery.validate
4 Item15024 QUERY QUERY macro does not check access rights
5 Item14936 Engine eliminate use of 2-args open()
6 Item14918 JQueryPlugin backport fix of CVE-2015-9251 and CVE-2019-11358
7 Item14903 Engine change password accepts "1" as an old password

Bug Fixes

# Task Priority Component Summary
1 Item15071 Normal Engine add some more useful entries to mime.types
2 Item15070 Normal WysiwygPlugin use of uninitialized variable when there is no text
3 Item15069 Normal Engine improvements to radio, checkbox and label
4 Item15067 Normal JQueryPlugin jquery-ui's dialogs manipulate the z-index of the widget on every mouseclick
5 Item15066 Normal JQueryPlugin rating formfield is not mergeable
6 Item15058 Normal JQueryPlugin script tags for javascript i18n should not use src attribute
7 Item15057 Normal PageCache Add support for MariaDB
8 Item15047 Urgent Engine Deep recursion if UserInterfaceInternationalisation is enabled yet no languages are enabled
9 Item15045 Urgent RCSStoreContrib getRevisionInfo of an attachment always returns the revision info of the first attachment on the topic
10 Item15041 Urgent Engine global FOSWIKI_BROADCAST not initialized correctly
11 Item15038 Normal NatEditPlugin select2 formfields were not validated
12 Item15032 Normal TinyMCEPlugin tinymce cannot attach a file when strike one is disabled
13 Item15031 Normal NatEditPlugin be less restrictive checking compatible acl settings in editor
14 Item15030 Normal Engine encoding error including attachments
15 Item15029 Normal Engine Meta::getPreferences() sometimes fails when called too early
16 Item15028 Urgent Engine store password during registration
17 Item15027 Normal JQueryPlugin add jquery-3.6.0
18 Item15026 Normal Engine modernize default link protocol pattern
19 Item15025 Urgent Engine FORMFIELD and QUERY don't read the correct topic object
20 Item15023 Urgent FORMFIELD Eliminate local cache in FORMFIELD macro
21 Item15022 Urgent Engine Change notifications not sent out under certain conditions
22 Item15014 Urgent ConfigurePlugin prevent password fields from being autofilled in configure
23 Item15010 Urgent RCSStoreContrib configure fails to accept newer rcs versions
24 Item15008 Normal NatEditPlugin bring back support for "dontnotify" in natedit
25 Item15007 Normal Engine too loud on STDERR
26 Item15006 Urgent Engine missing cpan dependencies for core engine
27 Item15004 Normal Engine use relative urls wherever possible
28 Item15000 Normal JQueryPlugin fix button's behavior in disabled state
29 Item14996 Urgent Engine wrong url host if foswiki called via localhost
30 Item14992 Urgent HistoryPlugin always display date and time of revisions
31 Item14990 Normal Engine remove explicit undef from return statement
32 Item14991 Normal TopicUserMappingContrib improve performance of isGroup() call
33 Item14970 Urgent Engine INCLUDEing an url does not decode the retrieved content according to its charset
34 Item14946 Normal UnitTestContrib, RCSStoreContrib RCS storage tests fail with a one-off second difference sometimes
35 Item14945 Normal Engine improve performance of template loader
36 Item14944 Urgent Engine cannot use zero in alttext of FORMFIELD
37 Item14943 Normal Engine document publicOnly parameter in %INCLUDE and make it a true boolean
38 Item14942 Normal Engine make sure isValueMapped is defined for any formfield
39 Item14941 Normal CommentPlugin only load comment.js and comment.css on pages where it is required
40 Item14937 Normal Engine error parsing dotted triplets ip addresses
41 Item14938 Normal Engine don't return compressed content when calling foswiki on the command line
42 Item14935 Normal Engine leave absolute_urls context when an exception occurred during registration
43 Item14934 Normal Engine language file compression isn't experimental anymore
44 Item14933 Normal TwistyPlugin remove dependency on jquery.livequery module
45 Item14931 Normal Engine Error moving file with [space]WikiWord[space] name.
46 Item14929 Normal EditRowPlugin Single '0' (zero) not displayed in any table if plugin is activated for that topic
47 Item14910 Normal UnitTestContrib, core Remove Taint::Runtime
48 Item14908 Urgent Engine cannot use zero as a formfield default
49 Item14906 Urgent Engine OP_ref has to read data relative to the topic being queried
50 Item14902 Low Documentation Add new Ubuntu 20.04 required perl module to requirements
51 Item14890 Normal PatternSkin breadcrumbs won't line-break on mobile devices
52 Item14884 Urgent Engine performance problem listing webs (hotfix available)
53 Item14874 Normal JQueryPlugin, BuildContrib deprecate uglify-js and yuicompressor in favor of terser and csso
54 Item14873 Normal UpdatesPlugin rewrite and simplify UpdatesPlugin
55 Item14839 Urgent JQueryPlugin fix default value in textboxlist formfields
56 Item14840 Urgent JQueryPlugin fix tooltip position in draggable elements
57 Item14819 Urgent TinyMCEPlugin lost content on specific editor interactions
58 Item14809 Low Documentation System/InstallGuide Step 2: Ownership table lists wrong FreeBSD group
59 Item14773 Low ConfigurePlugin configure documentation refers to FastReport. Should be JsonReport
60 Item14766 Urgent JQueryPlugin deprecate all 1.x jquery, deprecate all 2.x except the latest
61 Item14762 Normal JQueryPlugin jquery.loader does not clear timeout properly for automated reloading
62 Item14741 Normal SpreadSheetPlugin EVAL(0) should return 0 not the empty string
63 Item14739 Urgent Engine regression: cannot control logged actions anymore
64 Item14732 Urgent Engine statistics script blocks all of foswiki
65 Item14731 Normal WysiwygPlugin illegal json returned by attachments rest handler
66 Item14730 Normal Engine can't use path with a 0 (zero) in it
67 Item14729 Normal Engine fix regular expression for headings trying to support ExplicitNumberingPlugin
68 Item14725 Normal JQueryPlugin wrong initial color of jquery.farbtastic dialog
69 Item14722 Normal JQueryPlugin add jquery.browser as a separate module being removed from newer jQuery
70 Item14721 Normal JQueryPlugin fix loading of language files for jquery.i18n
71 Item14689 Urgent FoswikiNet Email::Address is deprecated, Email::Address::XS is the preferred module.
72 Item14688 Low InterwikiPlugin Typos in InterwikiPlugin documentation.
73 Item14687 Low Documentation, FoswikiPrefs SET macro documentation related to INCLUDE and topic scope is incorrect.
74 Item14685 Urgent NatEditPlugin permissions read from the wrong topic
75 Item14662 Normal CommentPlugin comment type "return" not functional
76 Item14660 Normal JQueryPlugin, NatEditPlugin missing tab id causes a javascript error
77 Item14564 Urgent JQueryPlugin add jquery-3 and an appropriate migrate module
78 Item13134 Urgent UnitTestContrib HTML::Tidy fails to validate html5


# Task Component Summary
1 Item15068 JQueryPlugin don't bubble up jquery.loader events
2 Item15065 JsonRpcContrib add jsonRpc api to foswiki namespace in javascript
3 Item15060 JQueryPlugin add validation rule for foswikiMandatory css class
4 Item15059 JQueryPlugin JQICONs create a stray html attribute
5 Item15043 FastCGIEngineContrib unable to configure zero max requests
6 Item15044 FastCGIEngineContrib improve free bsd startup scripts
7 Item15040 PatternSkin add include cover
8 Item15021 SlideShowPlugin multiple enhancements to SlideshowPlugin
9 Item15019 PatternSkin give logos a proper dimension
10 Item15018 JQueryPlugin rework some old css code in jQuery
11 Item15005 FastCGIEngineContrib too many log messages in fastcgi procmanager
12 Item15003 FastCGIEngineContrib improve freebsd init script for foswiki service
13 Item15002 JQueryPlugin improve placement of content in jquery.loader
14 Item14994 JSCalendarContrib don't generate inline @import-ed css
15 Item14963 FastCGIEngineContrib add warmup parameter
16 Item14901 ConfigurePlugin Add support for XML and CERT data types in configure pages
17 Item14897 NatEditPlugin rationalize edit template structure for better customization
18 Item14875 JQueryPlugin various maintenance fixes
19 Item14837 JQueryPlugin update animate.css to latest upstream version
20 Item14838 JQueryPlugin add "remember" feature to tabs
21 Item14767 JQueryPlugin implement a proper icon service
22 Item14735 JQueryPlugin use animate.css for jquery.loader effects instead of jQuery's own ones
23 Item14728 JQueryPlugin forward "open" event of ui-dialogs to jqUIDialogLink element
24 Item14724 JQueryPlugin enhance Makefile system to support sass and babel
25 Item14727 JQueryPlugin improve locale support of datepicker
26 Item14726 JQueryPlugin better support for +values in textboxlist
27 Item14723 JQueryPlugin upgrade jquery.sprintf
28 Item14720 JQueryPlugin upgrade animate.css to latest release
29 Item14571 JQueryPlugin add manual sorting mode to textboxlist
30 Item14572 JQueryPlugin upgrade jquery.livequery
31 Item14569 JQueryPlugin deprecate jquery.placeholder
32 Item14568 JQueryPlugin add chili recipes for autolisp and ini
33 Item14567 JQueryPlugin add keyboard navigation to jquery.stars
34 Item14454 JQueryPlugin Bundle JsViews as an option with JsRender


Please refer to INSTALL.html, which can be found in the downloaded tgz/zip. It can also be found in System.InstallationGuide.

Upgrade Instructions

In-place upgrade from any release prior to Foswiki 1.1.0 is not recommended. Older Foswiki installations should install Foswiki as a new release, configure, and then migrate data to the new installation.
  • See System.UpgradeGuide for details on upgrading from older versions of Foswiki
  • See System.SystemRequirements for the latest System Requirements.
  • Be sure to take a backup!
  • The upgrade packages exclude files "commonly" modified, for example, WebHome, WebPreferences, AdminGroup, etc. If your installation has modified other topics, or template files, those updates will be lost!
  • If you use tar, then you can extract the upgrade package on top of your installation by using: (Be sure to run this as your web server user to avoid changing file ownership.)
cd /var/www/foswiki
tar --strip-components=1 -zxf /path/to/Foswiki-upgrade-2.x.x.tgz
cd tools
./configure --save
  • Similarly, if you are using the zip upgrade package, then
cd /var/www/foswiki
unzip -o /path/to/
cd tools
./configure --save


  • This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
  • This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  • See the GNU General Public License for more details, published at

Release Details

