Fixed unsetting global vars - Matt Kavanagh

Fixed XSS vulnerability in username handling - AnthraX101

Fixed not confirmed sql injection in username handling - warmth

Added check for empty topic id in topic_review function

Added visual confirmation mod to code base

• Added extra checks to the deletion code in privmsg.php - reported by party_fan
• Fixed XSS issue in IE using the url BBCode
• Fixed admin activation so that you must have administrator rights to activate accounts in this mode - reported by ieure
• Fixed get_username returning wrong row for usernames beginning with numerics - reported by Ptirhiik
• Pass username through phpbb_clean_username within validate_username function - AnthraX101
• Fixed PHP error in message_die function
• Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php - reported by Double_J
• Also fixed above issue in usercp_viewprofile.php
• Fixed incorrect setting of user_level on pending members if a group is granted moderator rights - reported by halochat
• Fixed ordering of forums on admin_ug_auth.php to be consistant with other pages
• Correctly set username on posts when deleting a user from the admin panel

• [Fix] incorrect handling of password resets if admin activation is enabled (Bug #88)
• [Fix] retrieving category rows in index.php (Bug #90)
• [Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
• [Fix] wrong topic redirection after login redirect (Bug #94)
• [Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
• [Fix] incorrect removal of bbcode_uid values if bbcode has been turned off (Bug #100)
• [Fix] correctly preview signature if editing other users posts (Bug #101)
• [Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php and usercp_viewprofile.php (Bug #102)
• [Fix] consistent forum ordering in all dropdown boxes (Bug #106)
• [Fix] correctly get compression status in page_tail.php and page_footer_admin.php (Bug #117)
• [Fix] set page title on summary page of groupcp.php (bug #125)
• [Fix] correctly test style and avatar in usercp_register.php (bug #129 and #317)
• [Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
• [Fix] handling of both forms of translation information used in language packs (Bug #159)
• [Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
• [Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
• [Fix] incorrect handling of move stubs (Bug #179)
• [Fix] wrong mode_type in memberlist (Bug #187)
• [Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
• [Fix] removed unused variable from topic_notify email template (Bug #210)
• [Fix] removed unset variable from smilies popup window title (Bug #224)
• [Fix] removed duplicate template assignment from admin_board.php (Bug #226)
• [Fix] incorrect search link for guest posts in modcp.php (Bug #254)
• [Fix] all users removed from topics watch table on special occassions (Bug #271)
• [Fix] correctly check returned value from strpos in append_sid function (Bug #275)
• [Fix] correctly display username in private message notification (Bug #278)
• [Fix] fixed "var-by-ref" errors (Bug #322)
• [Fix] changed redirection to installation (Bug #325)
• [Fix] added timout of 10 seconds to version check (Bug #348)
• [Fix] fixed user_level default in postgresql schema file (Bug #444)
• [Fix] multiple minor HTML issues with subSilver
• [Change] deprecated the use of some PHP 3 compatability functions in favour of the native equivalents
• [Change] added 60 days limit for grabbing unread topics in index.php
• [Sec] backport of session keys system from olympus
• [Sec] fixed email bans to use the same pattern as email validation and allow wildcard domain bans
• [Sec] fixed validation of topic type when posting
• [Sec] unset database password once it is no longer needed
• [Sec] fixed potential to select images outside the specified path as avatars or smilies
• [Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
• [Sec] changed avatar gallery code sections to prevent possible injection points (AnthraX101)
• [Sec] signature field is not properly sanitised for user input when an error occurs while accessing the avatar gallery (AnthraX101)
• [Sec] check to_username and ownership when editing a PM (AnthraX101)
• [Sec] fixed ability to edit PM's you did not send (depablo84)
• [Sec] compare imagetype on avatar uploading to match the file extension from uploaded file

Fixed moderator status removal in groupcp.php
Removed newlines after ?> on some files - Thoul
Added admin re-authentication (admin needs to login seperatly to access the ACP) - backported from Olympus
Fixed vulnerability in url/bbcode handling functions - PapaDos and Paul/Zhen-Xjell from CastleCops
Fixed issue in admin/admin_forums.php
Suppressed warning message for fsockopen in /includes/smtp.php - Thoul
Fixed bug in admin/admin_smilies.php (admin is able to add empty smilies) - Exy
Adjusted documents to reflect the urgent need to update the files too (not only running the database update script)
Updated the readme file
Added one new language variable
Added general error if accessing profile for a non-existent user
Changed session id generation to be more unique - Henno Joosep
Fixed bug in highlight code to escape characters correctly
Reversed the 2.0.14 fix for postgresql because it produced more problems than it solves.
Added reference to article written by R45 about case-sensitivity in postgreSQL to the readme file
Fixed bypassing of validate_username on registration - Yen
Empty url/img bbcodes no longer get parsed