Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message) - Pages are now stored with an extra metadata field called page_format which is "wikitext" or "xhtml" - New $flags parameter + RENDER_* constants added that control RenderMan::render() behavior - Several other changes: * Added a sprite API for Javascript and made editor use sprites when possible * Removed a number of config options from the default install schema, replaced with second parameter to getConfig() calls * MessageBox in editor mostly replaced with miniPrompt * A few bugfixes related to password changes (registration didn't even work) * Rewrote the bitfield compression algorithm used to serialize allowed MIME types * Fixed some typos in language files and strings * Fixed a Text_Wiki bug in Heading parser

Made all page_id and namespace columns consistent

Added Unicode support for usernames and passwords (this is probably best considered a JS crypto bug)

Fixed https urls not allowed in user_extra CPs; fixed nonworking password reset in admin CP

Added a few hooks to Admin:GeneralConfig (didn't I do this already?)

Merging Nighthawk (anti-spam work) and Scribus (AJAX work + debugging + CLI installer) branches

Replaced integer checks that used preg_match() to use ctype_digit() instead

Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.

Login: reauth: window.location.hash is now updated to include the new SID so that page reloads will use it

AJAX core library: possible breaking change, readystatechange functions are now called with the XHR instance as the first parameter, to allow requests to run in parallel. This means much better stability but may break some applets (compatibility hack is included)

Oxygen: synced mint style

PageProcessor: fix not setting page_exists to true after create_page() success (todo: move to Namespace_*?); add $visible parameter to create_page()

Change config.new.php and .htaccess.new to have a single newline according to Fedora project guidelines

Installer: add RewriteBase to .htaccess to work properly under aliased Apache setups (generated 404s in QA)

A few bugfixes in CLI installer related to interactivity

SECURITY: Fix XSS under IE in closing tags (shared sanitizer)

Fixed login form being focused too early (caused page to scroll up)

Deprecated old grab_password_hash() functions in session

Whoops! Fixed an SQL injection vulnerability in the CLI installer. (Not like it's a huge deal because the vulnerability was only introduced last commit and if you make it to that stage you already know the database password)

Added already-installed check to cli-core

Added CLI installer. Supports interactive, command-line, and internal-call installation. Fixed a few bugs related to anti-SQL injection parser and plugin installation.

Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.

JS core: whiteOutReportSuccess now has a sister whiteOutReportFailure(); both abstracted to function whiteOutDestroyWithImage(whitey, image_url)

DBAL: Fixed issues with die_json() and multiline responses from {mysql,pg_last}_error()

Plugin manager: added support for having specific install and uninstall blocks per DBMS

Special:Administration: fixed 404 on several Tigra tree menu images

jBox: When an anchor in a menu is clicked, menu is now hidden

Fix undefined variable in special namespace missing function handler

If there's an onlineupgrade.php, installer index.php will link to that instead of upgrade.php (future readiness ;))

Fix version number warning in installer common