Release Notes: This is a security and maintenance release of the 1.21 branch. It fixes extension detection with two '.' characters. Support for the 'gettoken' parameter to action=block and action=unblock, deprecated since 1.20, has been removed. This release sanitizes ResourceLoader exception messages and purges upstream caches when deleting file assets. The unit test suite now runs the AutoLoader tests. The autoloading entry for the PageORMTableForTesting class has also been fixed, though it had no impact.
Release Notes: Several bugs have been fixed.
Release Notes: A cross-site scripting (XSS) vulnerability was fixed. Fatal errors with unusual file repository configurations, such as ForeignAPIRepo, were fixed. The "change password" link on Special:Preferences was changed to have the correct returnto parameter.
Release Notes: XSS and CSRF vulnerabilities were fixed.
Release Notes: An XSS vulnerability has been fixed.