setConfig() will now delete config values if the second parameter is explicitly set to false

HMAC functions are now standards-compliant (not a security issue). This BREAKS 1.1.6-hg passwords!

Added a basic plugin/hook framework for Javascript

[minor] changed heading format in mainpage-default

Fixed default ACLs

Added color specifications on input fields for admin and oxygen

Blah. Wrong type for those getConfig values.

Fixed: no default values in for avatar upload settings

[Oops] removed debug message in install-cli

Damn, forgot to add the version insertion back into schema

Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message) - Pages are now stored with an extra metadata field called page_format which is "wikitext" or "xhtml" - New $flags parameter + RENDER_* constants added that control RenderMan::render() behavior - Several other changes: * Added a sprite API for Javascript and made editor use sprites when possible * Removed a number of config options from the default install schema, replaced with second parameter to getConfig() calls * MessageBox in editor mostly replaced with miniPrompt * A few bugfixes related to password changes (registration didn't even work) * Rewrote the bitfield compression algorithm used to serialize allowed MIME types * Fixed some typos in language files and strings * Fixed a Text_Wiki bug in Heading parser

Made all page_id and namespace columns consistent

Added Unicode support for usernames and passwords (this is probably best considered a JS crypto bug)

Fixed https urls not allowed in user_extra CPs; fixed nonworking password reset in admin CP

Added a few hooks to Admin:GeneralConfig (didn't I do this already?)

Merging Nighthawk (anti-spam work) and Scribus (AJAX work + debugging + CLI installer) branches

Replaced integer checks that used preg_match() to use ctype_digit() instead

Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.

Login: reauth: window.location.hash is now updated to include the new SID so that page reloads will use it

AJAX core library: possible breaking change, readystatechange functions are now called with the XHR instance as the first parameter, to allow requests to run in parallel. This means much better stability but may break some applets (compatibility hack is included)

Oxygen: synced mint style

PageProcessor: fix not setting page_exists to true after create_page() success (todo: move to Namespace_*?); add $visible parameter to create_page()

Change config.new.php and .htaccess.new to have a single newline according to Fedora project guidelines

Installer: add RewriteBase to .htaccess to work properly under aliased Apache setups (generated 404s in QA)

A few bugfixes in CLI installer related to interactivity

SECURITY: Fix XSS under IE in closing tags (shared sanitizer)

Fixed login form being focused too early (caused page to scroll up)

Deprecated old grab_password_hash() functions in session

Whoops! Fixed an SQL injection vulnerability in the CLI installer. (Not like it's a huge deal because the vulnerability was only introduced last commit and if you make it to that stage you already know the database password)

Added already-installed check to cli-core