Run wikiman and sync.sh

Mostly pulls in language updates.

Some minor changes in core and extensions.

Also new versions of some composer packages.

Author: tarrow

dist-persist/composer.lock

@@ -4,13 +4,85 @@ PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
 PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
 PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/
 PHP 8.4 workboard: https://phabricator.wikimedia.org/tag/php_8.4_support/
+PHP 8.5 workboard: https://phabricator.wikimedia.org/tag/php_8.5_support/
 
 == MediaWiki 1.43.6 ==
 
-THIS IS NOT A RELEASE YET
+This is a security and maintenance release of the MediaWiki 1.43 branch.
 
 === Changes since 1.43.5 ===
 * Localisation updates.
+* (T394396) Revert "SECURITY: Escape rawElement $content".
+* (T394059) DeduplicateStyles: Only transform possible style nodes.
+* UserGroupManager: Use MainConfigNames::PrivilegedGroups rather than
+  string literal.
+* (T406391) RemexCompatFormatter: Don't encode HTML entities in raw-text
+  elements.
+* (T402438) api: Allow ApiResult to override imagerepository key in
+  prop=imageinfo.
+* ParserOutput: Add default values for JSON deserialization.
+* (T355853, T407172) Make the login and signup forms wider.
+* (T292868) Forward-compatibility: allow output flags to be serialized in
+  `OutputFlags`.
+* ResourceLoader: Update cssjanus/cssjanus to wikimedia/cssjanus.
+* (T85085) Improve CSS checking in SVG filter.
+* (T405064) Fix the premature loop exit in Parser.cleanUpTocLine.
+* (T407289) i18n: deprecate double-underscore magic words which don't start/end
+  with __.
+* i18n: all behavior switches should start/end with __ (part 2).
+* (T407289) i18n: Remove deprecated behavior switches without underscores in
+  et/sh-latn/vep.
+* (T407770) Add symfony/polyfill-php84 and symfony/polyfill-php85.
+* maintenance/getConfiguration.php: Fix null warning and serialize error.
+* (T328605) ApiParse: Introduce prop=tocdata as replacement for prop=sections.
+* (T406283) ApiSandbox: Use POST when we have long URL.
+* (T401987, T401995, CVE-2025-67484) SECURITY: Disable xslt option by default.
+* (T410913) SpecialVersion: Fix "Cannot use bool as array" warning.
+* (T410928) resourceloader: Fix null offset in ClientHtml module sorting.
+* (T410934) Remove noop xml_parser_free() calls.
+* (T410920) Language: Prevent passing '' to ord() in ucfirst().
+* (T410912) Language: Fix "ord(): Providing a string that is not one byte long
+  is deprecated."
+* (T410912) MessageCache: Fix "ord(): Providing a string that is not one byte
+  long is deprecated."
+* (T410920) Language: Prevent passing '' to ord() in lcfirst().
+* (T410963) Upgrade wikimedia/xmp-reader from 0.9.4 to 0.10.2.
+* (T411016) Upgrading wikimedia/cldr-plural-rule-parser (v2.0.0 => v3.0.0).
+* (T411075) Api: Initialise reference variable.
+* (T411018) IndexPager: Set '' as default value for 'order'.
+* (T410914) Language: Fix PHP 8.5 warnings for NAN/INF string coercion in
+  formatNumInternal.
+* (T410914) Language: Fix PHP 8.5 warnings for NAN/INF string coercion in
+  parseFormattedNumber.
+* (T338103, T411214) ApiResult: Fix "ord(): Providing a string that is not one
+  byte long is deprecated."
+* (T356544) Replace uses of Xml::fieldset(), deprecated since 1.42.
+* (T393790) htmlform: Fix rendering contents for cloner fields.
+* (T391882) HTMLFormFieldCloner: Fix multiple bugs related to conditional
+  states.
+* (T406374) htmlform: Load ooui before infusing field cloner buttons.
+* (T411199) initEditCount: Fix count for users with no edits.
+* (T411827) SpecialPageFactory: Handle resolveAlias() returning null in
+  getPage() and exists().
+* (T411968) Installer: Do not use null as array offset.
+* Add support for HTTP/3 in MultiHttpClient.
+* (T295568) mediawiki.jqueryMsg: Support self-closing HTML tags.
+* (T411968) EditResultBuilder: Do not use null as array offset.
+* Add http/3 to runMulti in MultiHttpClient
+* (T406639, CVE-2025-67477) SECURITY: Escape word-separator message in
+  Special:ApiSandbox.
+* (T406664, CVE-2025-67475) SECURITY: Escape square brackets in autocomment
+  links.
+* (T385403, CVE-2025-67478) SECURITY: Always escape commas in mail
+  encoded-words.
+* (T407131, CVE-2025-67479) SECURITY: Sanitizer: disallow underscore and wide
+  underscore in data-* attribute names.
+* (T401053, CVE-2025-67480) SECURITY: Check read permissions in
+  ApiQueryRevisionsBase.
+* (T409226, CVE-2025-67483) SECURITY: mediawiki.page.preview: Escape
+  'comma-separator' between multiple protection levels.
+* (T251032, CVE-2025-67481) SECURITY: Disallow 'style' attribute in client-side
+  messages (jqueryMsg).
 
 == MediaWiki 1.43.5 ==
 

dist/RELEASE-NOTES-1.43

@@ -2661,6 +2661,7 @@
 	'MediaWiki\\Title\\TitleFormatter' => __DIR__ . '/includes/title/TitleFormatter.php',
 	'MediaWiki\\Title\\TitleParser' => __DIR__ . '/includes/title/TitleParser.php',
 	'MediaWiki\\Title\\TitleValue' => __DIR__ . '/includes/title/TitleValue.php',
+	'MediaWiki\\Upload\\SVGCSSChecker' => __DIR__ . '/includes/upload/SVGCSSChecker.php',
 	'MediaWiki\\User\\ActorCache' => __DIR__ . '/includes/user/ActorCache.php',
 	'MediaWiki\\User\\ActorMigration' => __DIR__ . '/includes/user/ActorMigration.php',
 	'MediaWiki\\User\\ActorMigrationBase' => __DIR__ . '/includes/user/ActorMigrationBase.php',

dist/autoload.php

@@ -22,7 +22,6 @@
 	"prefer-stable": true,
 	"require": {
 		"composer/semver": "3.4.3",
-		"cssjanus/cssjanus": "2.3.0",
 		"ext-calendar": "*",
 		"ext-ctype": "*",
 		"ext-dom": "*",
@@ -51,15 +50,19 @@
 		"ralouphie/getallheaders": "3.0.3",
 		"symfony/polyfill-php82": "1.31.0",
 		"symfony/polyfill-php83": "1.31.0",
+		"symfony/polyfill-php84": "1.32.0",
+		"symfony/polyfill-php85": "1.33.0",
 		"symfony/yaml": "5.4.45",
 		"wikimedia/assert": "0.5.1",
 		"wikimedia/at-ease": "3.0.0",
 		"wikimedia/base-convert": "2.0.2",
 		"wikimedia/bcp-47-code": "2.0.0",
 		"wikimedia/cdb": "3.0.0",
-		"wikimedia/cldr-plural-rule-parser": "2.0.0",
+		"wikimedia/cldr-plural-rule-parser": "3.0.0",
 		"wikimedia/common-passwords": "0.5.0",
 		"wikimedia/composer-merge-plugin": "2.1.0",
+		"wikimedia/css-sanitizer": "^5.1.0 || ^5.2.0 || ^5.3.0 || ^5.4.0",
+		"wikimedia/cssjanus": "2.3.0",
 		"wikimedia/html-formatter": "4.1.0",
 		"wikimedia/ip-utils": "5.0.0",
 		"wikimedia/json-codec": "3.0.3",
@@ -81,7 +84,7 @@
 		"wikimedia/timestamp": "4.1.1",
 		"wikimedia/wait-condition-loop": "2.0.2",
 		"wikimedia/wrappedstring": "4.0.1",
-		"wikimedia/xmp-reader": "0.9.4",
+		"wikimedia/xmp-reader": "0.10.2",
 		"zordius/lightncandy": "1.2.6"
 	},
 	"require-dev": {