- Changed the XSS check a little to be slightly more forgiving wrt style
  attributes.

- Improvement: don't perform XSS checks for trusted users.  Trusted users
  are those that have the "bypass input data check" permission set.  Should
  address bug #2147.

- Improvement: simplified index.php and modules/admin.module.

- Bugfix: fixed broken links in bloggerapi documentation.  Patch by Chris
  Johnson.  Fixes bug #2030.

- Bugfix: fixed the date shown on a book module preview.  Reported as part
  of bug #2097.

- Bugfix: fixed broken URL in the book module documentation.

- Fixed some "search related" bugs introduced by Moshe's latest patch.
  Fixes bug #2127.

- Removed "link" from the XSS check as well as "font".

- Improvement: faster regex/checks.  Patch by Marco.

and the request will be terminated when something suspicious is
detected.  This will be logged in the watchdog.  With help from Marco.

- Fixed translation issue in the archive module.  Patch by Gerhard.

- Removed dead parameter from variable_get().  Patch by Chris Johnson.
Fixes bug #2111.

- Improved input checking of taxonomy module.  Patch by Gerhard.
Fixes bug #2112.

- Bugfix: do not escpae slashes in block path.  Patch #50 by Gerhard.

  (This accompanies the recent block module documentation update, right?)

- Bugfix: fixed bug in the search module that prevented the title module
  from working properly.  Patch by Moshe.  Fixes bug #1852.

- Bugfix: fixed the "variables not set" problem (bug #2014).  Patch by
  Slavica.

  Sorry for the confusion guys - I had it applied on my tree for a couple
  of days now but forgot to commit it.

- Bugfix: fixed problem with changing themes.  Didn't apply Al's patch as
  the fix was somewhat simpler.  Fixes bug #2003.

- Bugfix: fixed problem with voting on certain poll pages.  Patch #37 by Al.

- Improvement: removed stupid descriptions from profile module.

- Bugfix: fixed utf-8 problem for people that use PHP 4.2.x or below.  Patch #33 by Al.

- Bugfix: fixed translation problems in the user module and the block module.  Patch by Stefan.

- Improvement: made it impossible to delete user role #1 and #2.  Patch #38 by Al.

- Improvement: fixed the "Allowed HTML tag" issues.  Makes for better code and improved usability.  Patch #35 by Al.

  NOTE: as soon the compose tips make their way into CVS, most of this code can be removed.

- Improvements: XHTML-ifications.  Patch by GmbH.  See feature #1813.

- Improvements: XHTML-ifications.  Patch by GmbH.

- Moved some CXX checks to a centralized place; less error-prone.

- Bugfix: small Xtemplate fixes.  Patch by Ax.  (Slightly modified.)

- Bugfix: block patch fix.  Patch by Gerhard.

- Bugfix: fixed broken URL in ping.  Patch by Gerhard.

  (This should fix the problems shown on http://www.blo.gs/info.php?id=1515.)

- Improvement: added better password generator.  Patch #1 by Al.  Fixes bug
  #1935.

- Improvement: performance improvement to the blog module.  Patch by Marco.

- Bugfix: charset fixes/clean-up.  Patch #52 by Al.

- Improvement: renamed some theme functions of the forum module for sake of consistency/readability.  Patch #2 by Kristjan.

- Improvement: usability improvements to the Xtemplate theme.  Patch #3 by Kristjan.

- Improvement: CSS'ified the book module pages.  Patch #3 by Al.  (I simplified the "l
ocation" part.  Al's approach gave you a bit more power but I'm not sure anyone wants
to change that.  Besides, this will change as soon we integrate the menu system so I kept it easy for now.)

- Bugfix: fixed the CREATE FUNCTION in database.mssql as it needs to be prefixed with GO for some obscure reason.  Patch by Kjartan.

- Bugfix: fixed the defaults for blocks in database.mssql so the NOT NULL fields get values.  Patch by Kjartan.

- Bugfix: changed check_form() to use htmlspecialchars() instead of drupal_specialchars() as this caused Drupal to emit incorrect form items in presence of quotes.  Example:

  <input type="submit" class="form-submit" name="op" value="Submit "top nodes" block changes" />

  IMO, drupal_specialchars() is better called xmlspecialchars() to avoid confusion.

- Bugfix: when an anonymous user visits a site, they shouldn't see any content (except the login block, if it is enabled) unless they have the "access content" permissions.  Patch by Matt Westgate.

- Improvement: improved the error checking and the error messages in the profile module.  Updated the code to match the Drupal coding conventions.  Modified patch from Matt Westgate.

- Improvement: don't generate the <base href=""> tag in the base theme; it is already emitted by theme_head().  Patch by Kristjan.

- Improvement: don't execute any SQL queries when checking the permissions of user #1.  Patch by Kjartan.

- Improvement: made a scalable layout form that works in IE and that behaves better with narrow themes.  Part of patch #51 by Al.

- Improvement: removed some redundant print statements from the comment module.  Modified patch from Craig Courtney.

- Charset simpliciations.  Patch #46 by Al.

- Synced/unified the error reporting from database.mysql.inc and database.pear.inc.
  This makes debugging the PostgreSQL (and MSSQL) support somewhat easier.

- Bugfix: fix glitch in menu rendering code.  Patch #42 by Al.

- Dropped check_input(); use check_query() instead.

- Made the statistics module use referer_uri() for security's sake.

- Added a function check_url() that CSS checks URLs (or parts thereof).

- Bugfix: better charset support for non-ISO-8859-1 languages.  Patch 0029.charset.fixes.patch by Al.  Could East Asia test this please.

- Bugfix: made the "moderate" field behave.  Patch 0030.queue.module.help.and.settings.form.patch by Al.

- Documentation: revised a large part of the help texts / documentation!  Al's 0024.* patches.

- Documentation: added a glossary to the help module.  Patch 0025.help.module.glossary.patch by Al and Michael.

- Usability: first step towards unifying the terminology used in the cloud module.  Patch by 0028.site.cloud.rationalize.name.patch Al.

- Usability + CSS improvements: revamped the node form and removed all tables.  Patch 0027.node.form.rewrite.patch by Al.

- CSS improvements: patch 0026.admin.css.small.improvement.patch by Al.

- Updated the MAINTAINERS file.

- Bugfix: renamed the SQL field 'types' to 'nodes' because 'types' is a reserved keyword in MySQL 4.  This fixes critical bug #1618.  Patch by Marco.

  ==> This fix requires to run update.php!

- Bugfix: made sessions work without warnings when register_globals is turned off. The solution is to use $_SESSION instead of session_register().  This fixes critical bug #1797.  Patch by Marco.

- Bugfix: sometimes error messages where being discarded when previewing a node.  Patch by Craig Courtney.

- Bugfix: fixed charset problems.  This fixes critical bug #1549.  Patch '0023.charset.patch' by Al.

- Code improvements: removed some dead code from the comment module.  Patch by Marco.

- Documentation improvements: polished the node module help texts and form descriptions.  Patch '0019.node.module.help.patch' by Al.

- CSS improvements all over the map!  Patch '0021.more.css.patch' by Al.

- GUI improvements: improved the position of Druplicon in the admin menu.  Patch '0020.admin.logo.patch' by Al.

- GUI improvements: new logos for theme Marvin and theme UnConeD.  Logos by Kristjan Jansen.

- GUI improvements: small changes to the output emitted by the profile module.  Suggestions by Steven Wittens.

- GUI improvements: small fixes to Xtemplate.  Patch '0022.xtemplate.css.patch' by Al.

TODO:

- Some modules such as the buddy list module and the annotation module in the contributions repository are also using session_register().  They should be updated.  We should setup a task on Drupal.

- There is code emitting '<div align="right">' which doesn't validate.

- Does our XML feeds validate with the charset changes?

- The forum module's SQL doesn't work properly on PostgreSQL.

to avoid XSS attacks!  Patch by Al, Moshe, Marco, Kjartan and me.

- Bugfix: the admin module does now import drupal.css prior to admin.css.
Patch by me.

- Bugfix: the admin module was still emitting a <base href=""> tag.  I
removed this as it is been taken care of by theme_head();  Patch by me.

- Bugfix: made the tracker module's pager only consider published pages.
Patch by Moshe.

- Bugfix: cured some typos in the comment module's help function.  Patch by
Marco.

- Bugfix: fixed a typo in the pager_display() that caused optional
attributes to be discarded.

- Bugfix: made the Xtemplate emit empty boxes like any other theme does.
Patch by Al.

- Bugfix: fixed broken link on the statistics module's log page.
Reported by Kjartan.

- CSS improvements: made the HTML output emitted by the tracker module
look nicer.  Patch by Moshe and Al.

- CSS improvements: added CSS classes for form elements.  Patch by Al.

- CSS improvements: added a vertical gap between the last form item and the
submit button.  Patch by Al.  Note that Opera 6 is not picking up this
CSS but apparently others browsers such as Konqueror do.

- Xtemplate improvements: changed the color of the selected day in the
archive module's calendar.  Patch by Al.

- Usability improvements: made the "birthday" field of the profile module
look nicer.  Patch by Al.

------

- TODO: it might be a good idea to emit the following meta tag in the
theme_head() function:

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

Currently, some themes (and modules!) emit this while others don't.  This
would also make it possible to change the charset site-wide.

- TODO: now we added support for td.dark and td.light to drupal.css, maybe
it can be removed from admin.css as well as xtemplate.css?

- Another register globals fix.  Patch by Kjartan.

- Omit "index.php" when using Apache.  Patch by Al.

- Fixed typo.  Patch by Marco.

- Make sure the HTML filter is applied before any other filter.  Patch by
  Al.

- Fixed the order in which the CSS gets loaded.  Patch by Al.

- Al's CSS patches.  This commit improves the themability of some core
  components such as lists, form items, removes an ugly hack from the
  archive module and should fix the poll problem (although it doesn't
  Opera/Konqueror).

- Removed check_output() from the theme system layer.

- Updated Drupal to use "on output" filters.  Derived from Gerhard's patch.

- Fixed typo in URL().  Patch by Al.

- Added a filter option to disable/enable the rewrite_old_urls() filter.
  See task #1542.

  removed a dead global variable.)

- Fixed a IIS bug with regard to register globals.  This also avoids the
  aforementioned ugly hack.  Patch by Moshe.