OSDN Git Service

Add some codes from 3.61. Currently files under /nucleus/libs and /nucleus/libs/sql...
[nucleus-jp/nucleus-jp-ancient.git] / utf8 / nucleus / libs / ADMIN.php
index dbeef1a..6b6e536 100755 (executable)
 <?php\r
+/*\r
+ * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)\r
+ * Copyright (C) 2002-2010 The Nucleus Group\r
+ *\r
+ * This program is free software; you can redistribute it and/or\r
+ * modify it under the terms of the GNU General Public License\r
+ * as published by the Free Software Foundation; either version 2\r
+ * of the License, or (at your option) any later version.\r
+ * (see nucleus/documentation/index.html#license for more info)\r
+ */\r
+/**\r
+ * The code for the Nucleus admin area\r
+ *\r
+ * @license http://nucleuscms.org/license.txt GNU General Public License\r
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group\r
+ * @version $Id$\r
+ * @version $NucleusJP: ADMIN.php,v 1.21.2.4 2007/10/30 19:04:24 kmorimatsu Exp $\r
+ */\r
+\r
+if ( !function_exists('requestVar') ) exit;\r
+require_once dirname(__FILE__) . '/showlist.php';\r
+\r
 /**\r
-  * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/) \r
-  * Copyright (C) 2002-2004 The Nucleus Group\r
-  *\r
-  * This program is free software; you can redistribute it and/or\r
-  * modify it under the terms of the GNU General Public License\r
-  * as published by the Free Software Foundation; either version 2\r
-  * of the License, or (at your option) any later version.\r
-  * (see nucleus/documentation/index.html#license for more info)\r
-  *\r
-  * The code for the Nucleus admin area   \r
-  */\r
\r
+ * Builds the admin area and executes admin actions\r
+ */\r
 class ADMIN {\r
 \r
-       // action currently being executed ($action=xxxx -> action_xxxx method)\r
+       /**\r
+        * @var string $action action currently being executed ($action=xxxx -> action_xxxx method)\r
+        */\r
        var $action;\r
 \r
+       /**\r
+        * Class constructor\r
+        */\r
        function ADMIN() {\r
 \r
        }\r
-       \r
+\r
        /**\r
-         * Executes an action\r
-         *\r
-         * @param $action\r
-         *             action to be performed\r
-         */\r
+        * Executes an action\r
+        *\r
+        * @param string $action action to be performed\r
+        */\r
        function action($action) {\r
+               global $CONF, $manager;\r
+\r
                // list of action aliases\r
                $alias = array(\r
                        'login' => 'overview',\r
                        '' => 'overview'\r
                );\r
 \r
-               if ($alias[$action])\r
+               if (isset($alias[$action]))\r
                        $action = $alias[$action];\r
 \r
                $methodName = 'action_' . $action;\r
-               \r
-               $this->action = $action;\r
+\r
+               $this->action = strtolower($action);\r
+\r
+               // check ticket. All actions need a ticket, unless they are considered to be safe (a safe action\r
+               // is an action that requires user interaction before something is actually done)\r
+               // all safe actions are in this array:\r
+               $aActionsNotToCheck = array(\r
+                       'showlogin',\r
+                       'login',\r
+                       'overview',\r
+                       'itemlist',\r
+                       'blogcommentlist',\r
+                       'bookmarklet',\r
+                       'blogsettings',\r
+                       'banlist',\r
+                       'deleteblog',\r
+                       'editmembersettings',\r
+                       'browseownitems',\r
+                       'browseowncomments',\r
+                       'createitem',\r
+                       'itemedit',\r
+                       'itemmove',\r
+                       'categoryedit',\r
+                       'categorydelete',\r
+                       'manage',\r
+                       'actionlog',\r
+                       'settingsedit',\r
+                       'backupoverview',\r
+                       'pluginlist',\r
+                       'createnewlog',\r
+                       'usermanagement',\r
+                       'skinoverview',\r
+                       'templateoverview',\r
+                       'skinieoverview',\r
+                       'itemcommentlist',\r
+                       'commentedit',\r
+                       'commentdelete',\r
+                       'banlistnewfromitem',\r
+                       'banlistdelete',\r
+                       'itemdelete',\r
+                       'manageteam',\r
+                       'teamdelete',\r
+                       'banlistnew',\r
+                       'memberedit',\r
+                       'memberdelete',\r
+                       'pluginhelp',\r
+                       'pluginoptions',\r
+                       'plugindelete',\r
+                       'skinedittype',\r
+                       'skinremovetype',\r
+                       'skindelete',\r
+                       'skinedit',\r
+                       'templateedit',\r
+                       'templatedelete',\r
+                       'activate',\r
+                       'systemoverview'\r
+               );\r
+/*\r
+               // the rest of the actions needs to be checked\r
+               $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'activatesetpwd');\r
+*/\r
+               if (!in_array($this->action, $aActionsNotToCheck))\r
+               {\r
+                       if (!$manager->checkTicket())\r
+                               $this->error(_ERROR_BADTICKET);\r
+               }\r
 \r
                if (method_exists($this, $methodName))\r
                        call_user_func(array(&$this, $methodName));\r
                else\r
-                       $this->error(_BADACTION . " ($action)");\r
-               \r
-       }\r
+                       $this->error(_BADACTION . htmlspecialchars(" ($action)"));\r
 \r
+       }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_showlogin() {\r
                global $error;\r
                $this->action_login($error);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_login($msg = '', $passvars = 1) {\r
                global $member;\r
-               \r
+\r
                // skip to overview when allowed\r
                if ($member->isLoggedIn() && $member->canLogin()) {\r
                        $this->action_overview();\r
                        exit;\r
                }\r
-                       \r
+\r
                $this->pagehead();\r
-               \r
+\r
                echo '<h2>', _LOGIN ,'</h2>';\r
                if ($msg) echo _MESSAGE , ': ', htmlspecialchars($msg);\r
                ?>\r
-               \r
+\r
                <form action="index.php" method="post"><p>\r
-               <?php echo _LOGIN_NAME?>: <br /><input name="login"  tabindex="10" />\r
+               <?php echo _LOGIN_NAME; ?> <br /><input name="login"  tabindex="10" />\r
                <br />\r
-               <?php echo _LOGIN_PASSWORD?>: <br /><input name="password"  tabindex="20" type="password" />\r
+               <?php echo _LOGIN_PASSWORD; ?> <br /><input name="password"  tabindex="20" type="password" />\r
                <br />\r
                <input name="action" value="login" type="hidden" />\r
                <br />\r
@@ -82,71 +169,72 @@ class ADMIN {
                        <input type="checkbox" value="1" name="shared" tabindex="40" id="shared" /><label for="shared"><?php echo _LOGIN_SHARED?></label>\r
                        <br /><a href="forgotpassword.html"><?php echo _LOGIN_FORGOT?></a>\r
                </small>\r
-               <?php                   // pass through vars\r
-                       \r
+               <?php              // pass through vars\r
+\r
                        $oldaction = postVar('oldaction');\r
                        if (  ($oldaction != 'logout')  && ($oldaction != 'login')  && $passvars ) {\r
                                passRequestVars();\r
                        }\r
 \r
-                       \r
+\r
                ?>\r
                </p></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
 \r
        /**\r
-         * provides a screen with the overview of the actions available\r
-         */\r
+        * provides a screen with the overview of the actions available\r
+        * @todo document parameter\r
+        */\r
        function action_overview($msg = '') {\r
                global $member;\r
-               \r
+\r
                $this->pagehead();\r
-               \r
+\r
                if ($msg)\r
                        echo _MESSAGE , ': ', $msg;\r
-               \r
+\r
                /* ---- add items ---- */\r
                echo '<h2>' . _OVERVIEW_YRBLOGS . '</h2>';\r
-               \r
+\r
                $showAll = requestVar('showall');\r
-               \r
+\r
                if (($member->isAdmin()) && ($showAll == 'yes')) {\r
                        // Super-Admins have access to all blogs! (no add item support though)\r
                        $query =  'SELECT bnumber, bname, 1 as tadmin, burl, bshortname'\r
-                              . ' FROM ' . sql_table('blog')\r
-                              . ' ORDER BY bname';\r
+                                  . ' FROM ' . sql_table('blog')\r
+                                  . ' ORDER BY bname';\r
                } else {\r
                        $query =  'SELECT bnumber, bname, tadmin, burl, bshortname'\r
-                              . ' FROM ' . sql_table('blog') . ', ' . sql_table('team')\r
-                              . ' WHERE tblog=bnumber and tmember=' . $member->getID()\r
-                              . ' ORDER BY bname';             \r
+                                  . ' FROM ' . sql_table('blog') . ', ' . sql_table('team')\r
+                                  . ' WHERE tblog=bnumber and tmember=' . $member->getID()\r
+                                  . ' ORDER BY bname';\r
                }\r
                $template['content'] = 'bloglist';\r
                $template['superadmin'] = $member->isAdmin();\r
                $amount = showlist($query,'table',$template);\r
-               \r
+\r
                if (($showAll != 'yes') && ($member->isAdmin())) {\r
                        $total = quickQuery('SELECT COUNT(*) as result FROM ' . sql_table('blog'));\r
-                       if ($total > $amount) \r
-                               echo '<p><a href="index.php?action=overview&amp;showall=yes">Show all blogs</a></p>';\r
+                       if ($total > $amount)\r
+                               echo '<p><a href="index.php?action=overview&amp;showall=yes">' . _OVERVIEW_SHOWALL . '</a></p>';\r
                }\r
 \r
                if ($amount == 0)\r
                        echo _OVERVIEW_NOBLOGS;\r
-                       \r
+\r
                if ($amount != 0) {\r
                        echo '<h2>' . _OVERVIEW_YRDRAFTS . '</h2>';\r
                        $query =  'SELECT ititle, inumber, bshortname'\r
                                   . ' FROM ' . sql_table('item'). ', ' . sql_table('blog')\r
-                              . ' WHERE iauthor='.$member->getID().' and iblog=bnumber and idraft=1';\r
+                                  . ' WHERE iauthor='.$member->getID().' and iblog=bnumber and idraft=1';\r
                        $template['content'] = 'draftlist';\r
                        $amountdrafts = showlist($query, 'table', $template);\r
-                       if ($amountdrafts == 0) \r
+                       if ($amountdrafts == 0)\r
                                echo _OVERVIEW_NODRAFTS;\r
                }\r
-               \r
+\r
                /* ---- user settings ---- */\r
                echo '<h2>' . _OVERVIEW_YRSETTINGS . '</h2>';\r
                echo '<ul>';\r
@@ -154,7 +242,7 @@ class ADMIN {
                echo '<li><a href="index.php?action=browseownitems">' . _OVERVIEW_BROWSEITEMS.'</a></li>';\r
                echo '<li><a href="index.php?action=browseowncomments">'._OVERVIEW_BROWSECOMM.'</a></li>';\r
                echo '</ul>';\r
-               \r
+\r
                /* ---- general settings ---- */\r
                if ($member->isAdmin()) {\r
                        echo '<h2>' . _OVERVIEW_MANAGEMENT. '</h2>';\r
@@ -162,144 +250,158 @@ class ADMIN {
                        echo '<li><a href="index.php?action=manage">',_OVERVIEW_MANAGE,'</a></li>';\r
                        echo '</ul>';\r
                }\r
-               \r
-               \r
+\r
+\r
                $this->pagefoot();\r
        }\r
-       \r
-       // returns a link to a weblog (takes BLOG object as parameter)\r
+\r
+       /**\r
+        * Returns a link to a weblog\r
+        * @param object BLOG\r
+        */\r
        function bloglink(&$blog) {\r
-               return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'.$blog->getName() .'</a>';\r
+               return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'. htmlspecialchars( $blog->getName() ) .'</a>';\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_manage($msg = '') {\r
                global $member;\r
-               \r
+\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $this->pagehead();\r
-               \r
+\r
                echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';\r
-               \r
+\r
                if ($msg)\r
                        echo '<p>' , _MESSAGE , ': ', $msg , '</p>';\r
 \r
 \r
                echo '<h2>' . _MANAGE_GENERAL. '</h2>';\r
-               \r
+\r
                echo '<ul>';\r
                echo '<li><a href="index.php?action=createnewlog">'._OVERVIEW_NEWLOG.'</a></li>';\r
                echo '<li><a href="index.php?action=settingsedit">'._OVERVIEW_SETTINGS.'</a></li>';\r
-               echo '<li><a href="index.php?action=usermanagement">'._OVERVIEW_MEMBERS.'</a></li>';            \r
-               echo '<li><a href="index.php?action=actionlog">'._OVERVIEW_VIEWLOG.'</a></li>';         \r
+               echo '<li><a href="index.php?action=usermanagement">'._OVERVIEW_MEMBERS.'</a></li>';\r
+               echo '<li><a href="index.php?action=actionlog">'._OVERVIEW_VIEWLOG.'</a></li>';\r
                echo '</ul>';\r
-               \r
+\r
                echo '<h2>' . _MANAGE_SKINS . '</h2>';\r
                echo '<ul>';\r
                echo '<li><a href="index.php?action=skinoverview">'._OVERVIEW_SKINS.'</a></li>';\r
                echo '<li><a href="index.php?action=templateoverview">'._OVERVIEW_TEMPLATES.'</a></li>';\r
-               echo '<li><a href="index.php?action=skinieoverview">'._OVERVIEW_SKINIMPORT.'</a></li>';         \r
+               echo '<li><a href="index.php?action=skinieoverview">'._OVERVIEW_SKINIMPORT.'</a></li>';\r
                echo '</ul>';\r
-               \r
-               echo '<h2>' . _MANAGE_EXTRA . '</h2>';          \r
+\r
+               echo '<h2>' . _MANAGE_EXTRA . '</h2>';\r
                echo '<ul>';\r
-               echo '<li><a href="index.php?action=backupoverview">'._OVERVIEW_BACKUP.'</a></li>';                     \r
-               echo '<li><a href="index.php?action=pluginlist">'._OVERVIEW_PLUGINS.'</a></li>';                        \r
-               echo '</ul>';   \r
-               \r
-               $this->pagefoot();      \r
+               echo '<li><a href="index.php?action=backupoverview">'._OVERVIEW_BACKUP.'</a></li>';\r
+               echo '<li><a href="index.php?action=pluginlist">'._OVERVIEW_PLUGINS.'</a></li>';\r
+               echo '</ul>';\r
+\r
+               $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemlist($blogid = '') {\r
-               global $member, $manager;\r
-               \r
+               global $member, $manager, $CONF;\r
+\r
                if ($blogid == '')\r
                        $blogid = intRequestVar('blogid');\r
-               \r
-               $member->teamRights($blogid) or $member->isAdmin() or $this->disallow();                \r
-               \r
+\r
+               $member->teamRights($blogid) or $member->isAdmin() or $this->disallow();\r
+\r
                $this->pagehead();\r
                $blog =& $manager->getBlog($blogid);\r
-               \r
-               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';          \r
+\r
+               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';\r
                echo '<h2>' . _ITEMLIST_BLOG . ' ' . $this->bloglink($blog) . '</h2>';\r
-               \r
+\r
                // start index\r
                if (postVar('start'))\r
                        $start = intPostVar('start');\r
                else\r
-                       $start = 0;     \r
-                       \r
+                       $start = 0;\r
+\r
                if ($start == 0)\r
-                       echo '<p><a href="index.php?action=createitem&amp;blogid='.$blogid.'">',_ITEMLIST_ADDNEW,'</a></p>';            \r
-                       \r
+                       echo '<p><a href="index.php?action=createitem&amp;blogid='.$blogid.'">',_ITEMLIST_ADDNEW,'</a></p>';\r
+\r
                // amount of items to show\r
                if (postVar('amount'))\r
                        $amount = intPostVar('amount');\r
-               else\r
-                       $amount = 10;   \r
-               \r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
+\r
                $search = postVar('search');    // search through items\r
-                       \r
-               $query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime'\r
-                      . ' FROM ' . sql_table('item') . ', ' . sql_table('blog') . ', ' . sql_table('member') . ', ' . sql_table('category')\r
-                      . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
-               \r
-               if ($search) \r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';                       \r
-                       \r
+\r
+               $query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime, bnumber, catid'\r
+                          . ' FROM ' . sql_table('item') . ', ' . sql_table('blog') . ', ' . sql_table('member') . ', ' . sql_table('category')\r
+                          . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
+\r
+               if ($search)\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
+\r
                // non-blog-admins can only edit/delete their own items\r
-               if (!$member->blogAdminRights($blogid)) \r
+               if (!$member->blogAdminRights($blogid))\r
                        $query .= ' and iauthor=' . $member->getID();\r
 \r
-                               \r
+\r
                $query .= ' ORDER BY itime DESC'\r
-                       . " LIMIT $start,$amount";\r
-               \r
+                               . " LIMIT $start,$amount";\r
+\r
                $template['content'] = 'itemlist';\r
                $template['now'] = $blog->getCorrectTime(time());\r
 \r
-\r
-               $navList = new NAVLIST('itemlist', $start, $amount, 0, 1000, $blogid, $search, 0);\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $navList =& new NAVLIST('itemlist', $start, $amount, 0, 1000, $blogid, $search, 0);\r
                $navList->showBatchList('item',$query,'table',$template);\r
 \r
-               \r
+\r
                $this->pagefoot();\r
        }\r
-       \r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchitem() {\r
                global $member, $manager;\r
-               \r
+\r
                // check if logged in\r
                $member->isLoggedIn() or $this->disallow();\r
-               \r
-               // more precise check will be done for each performed operation \r
-       \r
+\r
+               // more precise check will be done for each performed operation\r
+\r
                // get array of itemids from request\r
                $selected = requestIntArray('batch');\r
                $action = requestVar('batchaction');\r
-               \r
+\r
                // Show error when no items were selected\r
                if (!is_array($selected) || sizeof($selected) == 0)\r
                        $this->error(_BATCH_NOSELECTION);\r
-                       \r
+\r
                // On move: when no destination blog/category chosen, show choice now\r
                $destCatid = intRequestVar('destcatid');\r
-               if (($action == 'move') && (!$manager->existsCategory($destCatid))) \r
+               if (($action == 'move') && (!$manager->existsCategory($destCatid)))\r
                        $this->batchMoveSelectDestination('item',$selected);\r
-               \r
+\r
                // On delete: check if confirmation has been given\r
-               if (($action == 'delete') && (requestVar('confirmation') != 'yes')) \r
+               if (($action == 'delete') && (requestVar('confirmation') != 'yes'))\r
                        $this->batchAskDeleteConfirmation('item',$selected);\r
 \r
                $this->pagehead();\r
-               \r
-               echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';         \r
+\r
+               echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';\r
                echo '<h2>',_BATCH_ITEMS,'</h2>';\r
                echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';\r
                echo '<ul>';\r
-               \r
+\r
 \r
                // walk over all itemids and perform action\r
                foreach ($selected as $itemid) {\r
@@ -315,48 +417,51 @@ class ADMIN {
                                        $error = $this->moveOneItem($itemid, $destCatid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
-               \r
+\r
                echo '</ul>';\r
                echo '<b>',_BATCH_DONE,'</b>';\r
-               \r
+\r
                $this->pagefoot();\r
 \r
-               \r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchcomment() {\r
                global $member;\r
-               \r
+\r
                // check if logged in\r
                $member->isLoggedIn() or $this->disallow();\r
-               \r
-               // more precise check will be done for each performed operation \r
-       \r
+\r
+               // more precise check will be done for each performed operation\r
+\r
                // get array of itemids from request\r
                $selected = requestIntArray('batch');\r
                $action = requestVar('batchaction');\r
-               \r
+\r
                // Show error when no items were selected\r
                if (!is_array($selected) || sizeof($selected) == 0)\r
                        $this->error(_BATCH_NOSELECTION);\r
-                       \r
+\r
                // On delete: check if confirmation has been given\r
-               if (($action == 'delete') && (requestVar('confirmation') != 'yes')) \r
+               if (($action == 'delete') && (requestVar('confirmation') != 'yes'))\r
                        $this->batchAskDeleteConfirmation('comment',$selected);\r
 \r
                $this->pagehead();\r
-               \r
-               echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';         \r
+\r
+               echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';\r
                echo '<h2>',_BATCH_COMMENTS,'</h2>';\r
                echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';\r
                echo '<ul>';\r
-               \r
+\r
                // walk over all itemids and perform action\r
                foreach ($selected as $commentid) {\r
                        $commentid = intval($commentid);\r
@@ -368,46 +473,49 @@ class ADMIN {
                                        $error = $this->deleteOneComment($commentid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
-               \r
+\r
                echo '</ul>';\r
                echo '<b>',_BATCH_DONE,'</b>';\r
-               \r
+\r
                $this->pagefoot();\r
 \r
-               \r
+\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchmember() {\r
                global $member;\r
-               \r
+\r
                // check if logged in and admin\r
                ($member->isLoggedIn() && $member->isAdmin()) or $this->disallow();\r
-               \r
+\r
                // get array of itemids from request\r
                $selected = requestIntArray('batch');\r
                $action = requestVar('batchaction');\r
-               \r
+\r
                // Show error when no members selected\r
                if (!is_array($selected) || sizeof($selected) == 0)\r
                        $this->error(_BATCH_NOSELECTION);\r
-                       \r
+\r
                // On delete: check if confirmation has been given\r
-               if (($action == 'delete') && (requestVar('confirmation') != 'yes')) \r
+               if (($action == 'delete') && (requestVar('confirmation') != 'yes'))\r
                        $this->batchAskDeleteConfirmation('member',$selected);\r
 \r
                $this->pagehead();\r
-               \r
-               echo '<a href="index.php?action=usermanagement">(',_MEMBERS_BACKTOOVERVIEW,')</a>';             \r
+\r
+               echo '<a href="index.php?action=usermanagement">(',_MEMBERS_BACKTOOVERVIEW,')</a>';\r
                echo '<h2>',_BATCH_MEMBERS,'</h2>';\r
                echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';\r
                echo '<ul>';\r
-               \r
+\r
                // walk over all itemids and perform action\r
                foreach ($selected as $memberid) {\r
                        $memberid = intval($memberid);\r
@@ -426,56 +534,58 @@ class ADMIN {
                                case 'unsetadmin':\r
                                        // there should always remain at least one super-admin\r
                                        $r = sql_query('SELECT * FROM '.sql_table('member'). ' WHERE madmin=1 and mcanlogin=1');\r
-                                       if (mysql_num_rows($r) < 2)\r
+                                       if (sql_num_rows($r) < 2)\r
                                                $error = _ERROR_ATLEASTONEADMIN;\r
                                        else\r
                                                sql_query('UPDATE ' . sql_table('member') .' SET madmin=0 WHERE mnumber='.$memberid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
-               \r
+\r
                echo '</ul>';\r
                echo '<b>',_BATCH_DONE,'</b>';\r
-               \r
+\r
                $this->pagefoot();\r
 \r
-               \r
-       }       \r
-       \r
 \r
+       }\r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchteam() {\r
                global $member;\r
-               \r
+\r
                $blogid = intRequestVar('blogid');\r
-               \r
+\r
                // check if logged in and admin\r
                ($member->isLoggedIn() && $member->blogAdminRights($blogid)) or $this->disallow();\r
-               \r
+\r
                // get array of itemids from request\r
                $selected = requestIntArray('batch');\r
                $action = requestVar('batchaction');\r
-               \r
+\r
                // Show error when no members selected\r
                if (!is_array($selected) || sizeof($selected) == 0)\r
                        $this->error(_BATCH_NOSELECTION);\r
-                       \r
+\r
                // On delete: check if confirmation has been given\r
-               if (($action == 'delete') && (requestVar('confirmation') != 'yes')) \r
+               if (($action == 'delete') && (requestVar('confirmation') != 'yes'))\r
                        $this->batchAskDeleteConfirmation('team',$selected);\r
 \r
                $this->pagehead();\r
-               \r
+\r
                echo '<p><a href="index.php?action=manageteam&amp;blogid=',$blogid,'">(',_BACK,')</a></p>';\r
 \r
                echo '<h2>',_BATCH_TEAM,'</h2>';\r
                echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';\r
                echo '<ul>';\r
-               \r
+\r
                // walk over all itemids and perform action\r
                foreach ($selected as $memberid) {\r
                        $memberid = intval($memberid);\r
@@ -494,61 +604,62 @@ class ADMIN {
                                case 'unsetadmin':\r
                                        // there should always remain at least one admin\r
                                        $r = sql_query('SELECT * FROM '.sql_table('team').' WHERE tadmin=1 and tblog='.$blogid);\r
-                                       if (mysql_num_rows($r) < 2)\r
+                                       if (sql_num_rows($r) < 2)\r
                                                $error = _ERROR_ATLEASTONEBLOGADMIN;\r
                                        else\r
                                                sql_query('UPDATE '.sql_table('team').' SET tadmin=0 WHERE tblog='.$blogid.' and tmember='.$memberid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
-               \r
+\r
                echo '</ul>';\r
                echo '<b>',_BATCH_DONE,'</b>';\r
-               \r
+\r
                $this->pagefoot();\r
 \r
-               \r
-       }       \r
 \r
+       }\r
 \r
-       \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchcategory() {\r
                global $member, $manager;\r
-               \r
+\r
                // check if logged in\r
                $member->isLoggedIn() or $this->disallow();\r
-               \r
-               // more precise check will be done for each performed operation \r
-       \r
+\r
+               // more precise check will be done for each performed operation\r
+\r
                // get array of itemids from request\r
                $selected = requestIntArray('batch');\r
                $action = requestVar('batchaction');\r
-               \r
+\r
                // Show error when no items were selected\r
                if (!is_array($selected) || sizeof($selected) == 0)\r
                        $this->error(_BATCH_NOSELECTION);\r
-                       \r
+\r
                // On move: when no destination blog chosen, show choice now\r
                $destBlogId = intRequestVar('destblogid');\r
-               if (($action == 'move') && (!$manager->existsBlogID($destBlogId))) \r
+               if (($action == 'move') && (!$manager->existsBlogID($destBlogId)))\r
                        $this->batchMoveCategorySelectDestination('category',$selected);\r
-               \r
+\r
                // On delete: check if confirmation has been given\r
-               if (($action == 'delete') && (requestVar('confirmation') != 'yes')) \r
+               if (($action == 'delete') && (requestVar('confirmation') != 'yes'))\r
                        $this->batchAskDeleteConfirmation('category',$selected);\r
 \r
                $this->pagehead();\r
-               \r
-               echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';         \r
+\r
+               echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';\r
                echo '<h2>',BATCH_CATEGORIES,'</h2>';\r
                echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';\r
                echo '<ul>';\r
-               \r
+\r
                // walk over all itemids and perform action\r
                foreach ($selected as $catid) {\r
                        $catid = intval($catid);\r
@@ -563,21 +674,25 @@ class ADMIN {
                                        $error = $this->moveOneCategory($catid, $destBlogId);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
-                       echo '<b>',($error ? 'Error: '.$error : _BATCH_SUCCESS),'</b>';\r
+                       echo '<b>',($error ? _ERROR . ': '.$error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
-               \r
+\r
                echo '</ul>';\r
                echo '<b>',_BATCH_DONE,'</b>';\r
-               \r
+\r
                $this->pagefoot();\r
-               \r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function batchMoveSelectDestination($type, $ids) {\r
+               global $manager;\r
                $this->pagehead();\r
                ?>\r
                <h2><?php echo _MOVE_TITLE?></h2>\r
@@ -585,25 +700,32 @@ class ADMIN {
 \r
                        <input type="hidden" name="action" value="batch<?php echo $type?>" />\r
                        <input type="hidden" name="batchaction" value="move" />\r
-                       <?php                           // insert selected item numbers\r
+                       <?php\r
+                               $manager->addTicketHidden();\r
+\r
+                               // insert selected item numbers\r
                                $idx = 0;\r
                                foreach ($ids as $id)\r
                                        echo '<input type="hidden" name="batch[',($idx++),']" value="',intval($id),'" />';\r
-                       \r
+\r
                                // show blog/category selection list\r
                                $this->selectBlogCategory('destcatid');\r
-                       \r
+\r
                        ?>\r
-                       \r
-                       \r
+\r
+\r
                        <input type="submit" value="<?php echo _MOVE_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function batchMoveCategorySelectDestination($type, $ids) {\r
+               global $manager;\r
                $this->pagehead();\r
                ?>\r
                <h2><?php echo _MOVECAT_TITLE?></h2>\r
@@ -611,94 +733,106 @@ class ADMIN {
 \r
                        <input type="hidden" name="action" value="batch<?php echo $type?>" />\r
                        <input type="hidden" name="batchaction" value="move" />\r
-                       <?php                           // insert selected item numbers\r
+                       <?php\r
+                               $manager->addTicketHidden();\r
+\r
+                               // insert selected item numbers\r
                                $idx = 0;\r
                                foreach ($ids as $id)\r
                                        echo '<input type="hidden" name="batch[',($idx++),']" value="',intval($id),'" />';\r
-                       \r
+\r
                                // show blog/category selection list\r
                                $this->selectBlog('destblogid');\r
-                       \r
+\r
                        ?>\r
-                       \r
-                       \r
+\r
+\r
                        <input type="submit" value="<?php echo _MOVECAT_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function batchAskDeleteConfirmation($type, $ids) {\r
+               global $manager;\r
+\r
                $this->pagehead();\r
                ?>\r
                <h2><?php echo _BATCH_DELETE_CONFIRM?></h2>\r
                <form method="post" action="index.php"><div>\r
 \r
                        <input type="hidden" name="action" value="batch<?php echo $type?>" />\r
+                       <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="batchaction" value="delete" />\r
-                       <input type="hidden" name="confirmation" value="yes" />                 \r
-                       <?php                           // insert selected item numbers\r
+                       <input type="hidden" name="confirmation" value="yes" />\r
+                       <?php                      // insert selected item numbers\r
                                $idx = 0;\r
                                foreach ($ids as $id)\r
                                        echo '<input type="hidden" name="batch[',($idx++),']" value="',intval($id),'" />';\r
-                                       \r
+\r
                                // add hidden vars for team & comment\r
-                               if ($type == 'team') \r
+                               if ($type == 'team')\r
                                {\r
                                        echo '<input type="hidden" name="blogid" value="',intRequestVar('blogid'),'" />';\r
                                }\r
-                               if ($type == 'comment') \r
+                               if ($type == 'comment')\r
                                {\r
                                        echo '<input type="hidden" name="itemid" value="',intRequestVar('itemid'),'" />';\r
                                }\r
-                                       \r
+\r
                        ?>\r
-                       \r
+\r
                        <input type="submit" value="<?php echo _BATCH_DELETE_CONFIRM_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
-       \r
-       \r
+\r
+\r
        /**\r
-         * Inserts a HTML select element with choices for all categories to which the current\r
-         * member has access\r
-         */\r
+        * Inserts a HTML select element with choices for all categories to which the current\r
+        * member has access\r
+        * @see function selectBlog\r
+        */\r
        function selectBlogCategory($name, $selected = 0, $tabindex = 0, $showNewCat = 0, $iForcedBlogInclude = -1) {\r
                ADMIN::selectBlog($name, 'category', $selected, $tabindex, $showNewCat, $iForcedBlogInclude);\r
        }\r
-       \r
-       /**\r
-         * Inserts a HTML select element with choices for all blogs to which the user has access\r
-         *             mode = 'blog' => shows blognames and values are blogids\r
-         *             mode = 'category' => show category names and values are catids\r
-         *\r
-         * @param $iForcedBlogInclude\r
-         *             ID of a blog that always needs to be included, without checking if the member is on the blog team (-1 = none)\r
-         */\r
+\r
+       /**\r
+        * Inserts a HTML select element with choices for all blogs to which the user has access\r
+        *        mode = 'blog' => shows blognames and values are blogids\r
+        *        mode = 'category' => show category names and values are catids\r
+        *\r
+        * @param $iForcedBlogInclude\r
+        *        ID of a blog that always needs to be included, without checking if the\r
+        *        member is on the blog team (-1 = none)\r
+        * @todo document parameters\r
+        */\r
        function selectBlog($name, $mode='blog', $selected = 0, $tabindex = 0, $showNewCat = 0, $iForcedBlogInclude = -1) {\r
                global $member, $CONF;\r
-               \r
+\r
                // 0. get IDs of blogs to which member can post items (+ forced blog)\r
                $aBlogIds = array();\r
                if ($iForcedBlogInclude != -1)\r
                        $aBlogIds[] = intval($iForcedBlogInclude);\r
 \r
-               if (($member->isAdmin()) && ($CONF['ShowAllBlogs'])) \r
+               if (($member->isAdmin()) && ($CONF['ShowAllBlogs']))\r
                        $queryBlogs =  'SELECT bnumber FROM '.sql_table('blog').' ORDER BY bname';\r
                else\r
-                       $queryBlogs =  'SELECT bnumber FROM '.sql_table('blog').', '.sql_table('team').' WHERE tblog=bnumber and tmember=' . $member->getID();          \r
+                       $queryBlogs =  'SELECT bnumber FROM '.sql_table('blog').', '.sql_table('team').' WHERE tblog=bnumber and tmember=' . $member->getID();\r
                $rblogids = sql_query($queryBlogs);\r
-               while ($o = mysql_fetch_object($rblogids))\r
+               while ($o = sql_fetch_object($rblogids))\r
                        if ($o->bnumber != $iForcedBlogInclude)\r
                                $aBlogIds[] = intval($o->bnumber);\r
-                               \r
+\r
                if (count($aBlogIds) == 0)\r
                        return;\r
-               \r
+\r
                echo '<select name="',$name,'" tabindex="',$tabindex,'">';\r
 \r
                // 1. select blogs (we'll create optiongroups)\r
@@ -706,10 +840,10 @@ class ADMIN {
                $queryBlogs =  'SELECT bnumber, bname FROM '.sql_table('blog').' WHERE bnumber in ('.implode(',',$aBlogIds).') ORDER BY bname';\r
                $blogs = sql_query($queryBlogs);\r
                if ($mode == 'category') {\r
-                       if (mysql_num_rows($blogs) > 1)\r
+                       if (sql_num_rows($blogs) > 1)\r
                                $multipleBlogs = 1;\r
 \r
-                       while ($oBlog = mysql_fetch_object($blogs)) {\r
+                       while ($oBlog = sql_fetch_object($blogs)) {\r
                                if ($multipleBlogs)\r
                                        echo '<optgroup label="',htmlspecialchars($oBlog->bname),'">';\r
 \r
@@ -722,7 +856,7 @@ class ADMIN {
 \r
                                // 2. for each category in that blog\r
                                $categories = sql_query('SELECT cname, catid FROM '.sql_table('category').' WHERE cblog=' . $oBlog->bnumber . ' ORDER BY cname ASC');\r
-                               while ($oCat = mysql_fetch_object($categories)) {\r
+                               while ($oCat = sql_fetch_object($categories)) {\r
                                        if ($oCat->catid == $selected)\r
                                                $selectText = ' selected="selected" ';\r
                                        else\r
@@ -735,344 +869,363 @@ class ADMIN {
                        }\r
                } else {\r
                        // blog mode\r
-                       while ($oBlog = mysql_fetch_object($blogs)) {\r
+                       while ($oBlog = sql_fetch_object($blogs)) {\r
                                echo '<option value="',$oBlog->bnumber,'"';\r
                                if ($oBlog->bnumber == $selected)\r
                                        echo ' selected="selected"';\r
-                               echo'>',htmlspecialchars($oBlog->bname),'</option>';                    \r
+                               echo'>',htmlspecialchars($oBlog->bname),'</option>';\r
                        }\r
                }\r
                echo '</select>';\r
-               \r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_browseownitems() {\r
-               global $member;\r
-               \r
+               global $member, $manager, $CONF;\r
+\r
                $this->pagehead();\r
-               \r
-               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';          \r
+\r
+               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';\r
                echo '<h2>' . _ITEMLIST_YOUR. '</h2>';\r
-               \r
+\r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
-                       $start = 0;     \r
-                       \r
+                       $start = 0;\r
+\r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;   \r
-               \r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
+\r
                $search = postVar('search');    // search through items\r
-                       \r
+\r
                $query =  'SELECT bshortname, cname, mname, ititle, ibody, idraft, inumber, itime'\r
-                      . ' FROM '.sql_table('item').', '.sql_table('blog') . ', '.sql_table('member') . ', '.sql_table('category')\r
-                      . ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
-               \r
-               if ($search) \r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
-                       \r
+                          . ' FROM '.sql_table('item').', '.sql_table('blog') . ', '.sql_table('member') . ', '.sql_table('category')\r
+                          . ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
+\r
+               if ($search)\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
+\r
                $query .= ' ORDER BY itime DESC'\r
-                       . " LIMIT $start,$amount";\r
-               \r
+                               . " LIMIT $start,$amount";\r
+\r
                $template['content'] = 'itemlist';\r
                $template['now'] = time();\r
 \r
-               $navList = new NAVLIST('browseownitems', $start, $amount, 0, 1000, $blogid, $search, 0);\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $navList =& new NAVLIST('browseownitems', $start, $amount, 0, 1000, /*$blogid*/ 0, $search, 0);\r
                $navList->showBatchList('item',$query,'table',$template);\r
 \r
-               $this->pagefoot();              \r
-               \r
+               $this->pagefoot();\r
+\r
        }\r
-       \r
+\r
        /**\r
-         * Show all the comments for a given item\r
-         */\r
+        * Show all the comments for a given item\r
+        * @param int $itemid\r
+        */\r
        function action_itemcommentlist($itemid = '') {\r
-               global $member;\r
-               \r
+               global $member, $manager, $CONF;\r
+\r
                if ($itemid == '')\r
                        $itemid = intRequestVar('itemid');\r
-               \r
+\r
                // only allow if user is allowed to alter item\r
                $member->canAlterItem($itemid) or $this->disallow();\r
-               \r
+\r
                $blogid = getBlogIdFromItemId($itemid);\r
-       \r
+\r
                $this->pagehead();\r
-               \r
+\r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
-                       $start = 0;     \r
-                       \r
+                       $start = 0;\r
+\r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;   \r
-               \r
-               $search = postVar('search');    \r
-               \r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
+\r
+               $search = postVar('search');\r
+\r
                echo '<p>(<a href="index.php?action=itemlist&amp;blogid=',$blogid,'">',_BACKTOOVERVIEW,'</a>)</p>';\r
                echo '<h2>',_COMMENTS,'</h2>';\r
-               \r
-               $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE citem=' . $itemid;\r
 \r
-               if ($search) \r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+               $query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
+\r
+               if ($search)\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime ASC'\r
-                       . " LIMIT $start,$amount";\r
+                               . " LIMIT $start,$amount";\r
 \r
                $template['content'] = 'commentlist';\r
                $template['canAddBan'] = $member->blogAdminRights(getBlogIDFromItemID($itemid));\r
 \r
-               $navList = new NAVLIST('itemcommentlist', $start, $amount, 0, 1000, 0, $search, $itemid);\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $navList =& new NAVLIST('itemcommentlist', $start, $amount, 0, 1000, 0, $search, $itemid);\r
                $navList->showBatchList('comment',$query,'table',$template,_NOCOMMENTS);\r
-               \r
+\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
        /**\r
-         * Browse own comments\r
-         */\r
+        * Browse own comments\r
+        */\r
        function action_browseowncomments() {\r
-               global $member;\r
-               \r
+               global $member, $manager, $CONF;\r
+\r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
-                       $start = 0;     \r
-                       \r
+                       $start = 0;\r
+\r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;   \r
-               \r
-               $search = postVar('search');                    \r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
+\r
+               $search = postVar('search');\r
 \r
 \r
                $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
 \r
-               if ($search) \r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+               if ($search)\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime DESC'\r
-                       . " LIMIT $start,$amount";\r
-               \r
+                               . " LIMIT $start,$amount";\r
+\r
                $this->pagehead();\r
-               \r
-               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';          \r
+\r
+               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';\r
                echo '<h2>', _COMMENTS_YOUR ,'</h2>';\r
-       \r
+\r
                $template['content'] = 'commentlist';\r
-               $template['canAddBan'] = 0;     // doesn't make sense to allow banning yourself\r
-               \r
-               $navList = new NAVLIST('browseowncomments', $start, $amount, 0, 1000, 0, $search, 0);\r
+               $template['canAddBan'] = 0; // doesn't make sense to allow banning yourself\r
+\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $navList =& new NAVLIST('browseowncomments', $start, $amount, 0, 1000, 0, $search, 0);\r
                $navList->showBatchList('comment',$query,'table',$template,_NOCOMMENTS_YOUR);\r
-       \r
+\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
        /**\r
-         * Browse all comments for a weblog\r
-         */\r
-       function action_blogcommentlist($blogid = '') \r
+        * Browse all comments for a weblog\r
+        * @param int $blogid\r
+        */\r
+       function action_blogcommentlist($blogid = '')\r
        {\r
-               global $member, $manager;\r
-               \r
+               global $member, $manager, $CONF;\r
+\r
                if ($blogid == '')\r
                        $blogid = intRequestVar('blogid');\r
                else\r
                        $blogid = intval($blogid);\r
-                       \r
-               $member->teamRights($blogid) or $member->isAdmin() or $this->disallow();                \r
-               \r
+\r
+               $member->teamRights($blogid) or $member->isAdmin() or $this->disallow();\r
+\r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
-                       $start = 0;     \r
-                       \r
+                       $start = 0;\r
+\r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;   \r
-               \r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
+\r
                $search = postVar('search');            // search through comments\r
 \r
 \r
-               $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
+               $query =  'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
+\r
+               if ($search != '')\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
+\r
 \r
-               if ($search != '') \r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
-                       \r
-                               \r
                $query .= ' ORDER BY ctime DESC'\r
-                       . " LIMIT $start,$amount";\r
+                               . " LIMIT $start,$amount";\r
 \r
 \r
                $blog =& $manager->getBlog($blogid);\r
 \r
                $this->pagehead();\r
-                               \r
-               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';          \r
+\r
+               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';\r
                echo '<h2>', _COMMENTS_BLOG , ' ' , $this->bloglink($blog), '</h2>';\r
-               \r
+\r
                $template['content'] = 'commentlist';\r
                $template['canAddBan'] = $member->blogAdminRights($blogid);\r
-               \r
+\r
+               $manager->loadClass("ENCAPSULATE");\r
                $navList =& new NAVLIST('blogcommentlist', $start, $amount, 0, 1000, $blogid, $search, 0);\r
-               $navList->showBatchList('comment',$query,'table',$template, 'No comments were made on items of this blog');\r
-       \r
+               $navList->showBatchList('comment',$query,'table',$template, _NOCOMMENTS_BLOG);\r
+\r
                $this->pagefoot();\r
        }\r
 \r
        /**\r
-         * Provide a page to item a new item to the given blog\r
-         */\r
+        * Provide a page to item a new item to the given blog\r
+        */\r
        function action_createitem() {\r
                global $member, $manager;\r
-               \r
+\r
                $blogid = intRequestVar('blogid');\r
-               \r
+\r
                // check if allowed\r
-               $member->teamRights($blogid) or $this->disallow();              \r
-               \r
+               $member->teamRights($blogid) or $this->disallow();\r
+\r
                $memberid = $member->getID();\r
-               \r
+\r
                $blog =& $manager->getBlog($blogid);\r
-                               \r
+\r
                $this->pagehead();\r
-       \r
+\r
                // generate the add-item form\r
-               $formfactory = new PAGEFACTORY($blogid);\r
+               $formfactory =& new PAGEFACTORY($blogid);\r
                $formfactory->createAddForm('admin');\r
 \r
-               $this->pagefoot();      \r
+               $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemedit() {\r
                global $member, $manager;\r
-               \r
+\r
                $itemid = intRequestVar('itemid');\r
-               \r
+\r
                // only allow if user is allowed to alter item\r
                $member->canAlterItem($itemid) or $this->disallow();\r
-               \r
+\r
                $item =& $manager->getItem($itemid,1,1);\r
                $blog =& $manager->getBlog(getBlogIDFromItemID($itemid));\r
-               \r
+\r
                $manager->notify('PrepareItemForEdit', array('item' => &$item));\r
-               \r
+\r
                if ($blog->convertBreaks()) {\r
                        $item['body'] = removeBreaks($item['body']);\r
                        $item['more'] = removeBreaks($item['more']);\r
                }\r
-       \r
+\r
                // form to edit blog items\r
                $this->pagehead();\r
-               $formfactory = new PAGEFACTORY($blog->getID());\r
-               $formfactory->createEditForm('admin',$item);            \r
-               $this->pagefoot();      \r
+               $formfactory =& new PAGEFACTORY($blog->getID());\r
+               $formfactory->createEditForm('admin',$item);\r
+               $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemupdate() {\r
                global $member, $manager, $CONF;\r
-               \r
+\r
                $itemid = intRequestVar('itemid');\r
                $catid = postVar('catid');\r
-               \r
+\r
                // only allow if user is allowed to alter item\r
                $member->canUpdateItem($itemid, $catid) or $this->disallow();\r
 \r
                $actiontype = postVar('actiontype');\r
-               \r
+\r
                // delete actions are handled by itemdelete (which has confirmation)\r
                if ($actiontype == 'delete') {\r
                        $this->action_itemdelete();\r
-                       return; \r
+                       return;\r
                }\r
-                               \r
-               $body   = postVar('body');\r
-               $title  = postVar('title');\r
-               $more   = postVar('more');\r
+\r
+               $body   = postVar('body');\r
+               $title  = postVar('title');\r
+               $more   = postVar('more');\r
                $closed = intPostVar('closed');\r
+               $draftid = intPostVar('draftid');\r
 \r
                // default action = add now\r
-               if (!$actiontype) \r
+               if (!$actiontype)\r
                        $actiontype='addnow';\r
-                       \r
-               // create new category if needed \r
+\r
+               // create new category if needed\r
                if (strstr($catid,'newcat')) {\r
-                       // get blogid \r
+                       // get blogid\r
                        list($blogid) = sscanf($catid,"newcat-%d");\r
-                       \r
+\r
                        // create\r
                        $blog =& $manager->getBlog($blogid);\r
                        $catid = $blog->createNewCategory();\r
 \r
                        // show error when sth goes wrong\r
-                       if (!$catid) \r
+                       if (!$catid)\r
                                $this->doError(_ERROR_CATCREATEFAIL);\r
-               } \r
+               }\r
 \r
                /*\r
                        set some variables based on actiontype\r
-                       \r
+\r
                        actiontypes:\r
                                draft items -> addnow, addfuture, adddraft, delete\r
                                non-draft items -> edit, changedate, delete\r
-                       \r
+\r
                        variables set:\r
                                $timestamp: set to a nonzero value for future dates or date changes\r
                                $wasdraft: set to 1 when the item used to be a draft item\r
                                $publish: set to 1 when the edited item is not a draft\r
                */\r
-               switch ($actiontype) {\r
-                       case 'adddraft':\r
-                               $publish = 0;\r
-                               $wasdraft = 1;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'addfuture':\r
-                               $wasdraft = 1;\r
-                               $publish = 1;\r
-                               $timestamp = mktime(postVar('hour'), postVar('minutes'), 0, postVar('month'), postVar('day'), postVar('year'));\r
-                               break;\r
-                       case 'addnow':\r
-                               $wasdraft = 1;\r
-                               $publish = 1;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'changedate':\r
-                               $timestamp = mktime(postVar('hour'), postVar('minutes'), 0, postVar('month'), postVar('day'), postVar('year'));\r
-                               $publish = 1;\r
-                               $wasdraft = 0;\r
-                               break;\r
-                       case 'edit':\r
-                       default:\r
-                               $publish = 1;\r
-                               $wasdraft = 0;\r
-                               $timestamp = 0;\r
+               $blogid =  getBlogIDFromItemID($itemid);\r
+               $blog   =& $manager->getBlog($blogid);\r
+\r
+               $wasdrafts = array('adddraft', 'addfuture', 'addnow');\r
+               $wasdraft  = in_array($actiontype, $wasdrafts) ? 1 : 0;\r
+               $publish   = ($actiontype != 'adddraft' && $actiontype != 'backtodrafts') ? 1 : 0;\r
+               if ($actiontype == 'addfuture' || $actiontype == 'changedate') {\r
+                       $timestamp = mktime(intPostVar('hour'), intPostVar('minutes'), 0, intPostVar('month'), intPostVar('day'), intPostVar('year'));\r
+               } else {\r
+                       $timestamp =0;\r
                }\r
-               \r
+\r
                // edit the item for real\r
                ITEM::update($itemid, $catid, $title, $body, $more, $closed, $wasdraft, $publish, $timestamp);\r
-               \r
+\r
+               $this->updateFuturePosted($blogid);\r
+\r
+               if ($draftid > 0) {\r
+                       // delete permission is checked inside ITEM::delete()\r
+                       ITEM::delete($draftid);\r
+               }\r
+\r
                // show category edit window when we created a new category\r
                // ($catid will then be a new category ID, while postVar('catid') will be 'newcat-x')\r
                if ($catid != intPostVar('catid')) {\r
                        $this->action_categoryedit(\r
-                               $catid, \r
+                               $catid,\r
                                $blog->getID(),\r
                                $CONF['AdminURL'] . 'index.php?action=itemlist&blogid=' . getBlogIDFromItemID($itemid)\r
                        );\r
@@ -1081,136 +1234,191 @@ class ADMIN {
                        $this->action_itemlist(getBlogIDFromItemID($itemid));\r
                }\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemdelete() {\r
                global $member, $manager;\r
-               \r
+\r
                $itemid = intRequestVar('itemid');\r
-               \r
+\r
                // only allow if user is allowed to alter item\r
                $member->canAlterItem($itemid) or $this->disallow();\r
-               \r
+\r
                if (!$manager->existsItem($itemid,1,1))\r
                        $this->error(_ERROR_NOSUCHITEM);\r
-                       \r
+\r
                $item =& $manager->getItem($itemid,1,1);\r
                $title = htmlspecialchars(strip_tags($item['title']));\r
                $body = strip_tags($item['body']);\r
                $body = htmlspecialchars(shorten($body,300,'...'));\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
-                       \r
+\r
                        <p><?php echo _CONFIRMTXT_ITEM?></p>\r
-                       \r
+\r
                        <div class="note">\r
                                <b>"<?php echo  $title ?>"</b>\r
                                <br />\r
                                <?php echo $body?>\r
                        </div>\r
-                       \r
+\r
                        <form method="post" action="index.php"><div>\r
                                <input type="hidden" name="action" value="itemdeleteconfirm" />\r
+                               <?php $manager->addTicketHidden() ?>\r
                                <input type="hidden" name="itemid" value="<?php echo  $itemid; ?>" />\r
                                <input type="submit" value="<?php echo _DELETE_CONFIRM_BTN?>"  tabindex="10" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemdeleteconfirm() {\r
                global $member;\r
-               \r
+\r
                $itemid = intRequestVar('itemid');\r
-               \r
+\r
                // only allow if user is allowed to alter item\r
                $member->canAlterItem($itemid) or $this->disallow();\r
 \r
                // get blogid first\r
                $blogid = getBlogIdFromItemId($itemid);\r
-               \r
+\r
                // delete item (note: some checks will be performed twice)\r
                $this->deleteOneItem($itemid);\r
-               \r
+\r
                $this->action_itemlist($blogid);\r
        }\r
-       \r
-       // deletes one item and returns error if something goes wrong\r
+\r
+       /**\r
+        * Deletes one item and returns error if something goes wrong\r
+        * @param int $itemid\r
+        */\r
        function deleteOneItem($itemid) {\r
                global $member, $manager;\r
-               \r
+\r
                // only allow if user is allowed to alter item (also checks if itemid exists)\r
                if (!$member->canAlterItem($itemid))\r
                        return _ERROR_DISALLOWED;\r
-               \r
+\r
+               // need to get blogid before the item is deleted\r
+               $blogid = getBlogIDFromItemId($itemid);\r
+\r
                $manager->loadClass('ITEM');\r
                ITEM::delete($itemid);\r
+\r
+               // update blog's futureposted\r
+               $this->updateFuturePosted($blogid);\r
+       }\r
+\r
+       /**\r
+        * Update a blog's future posted flag\r
+        * @param int $blogid\r
+        */\r
+       function updateFuturePosted($blogid) {\r
+               global $manager;\r
+\r
+               $blog =& $manager->getBlog($blogid);\r
+               $currenttime = $blog->getCorrectTime(time());\r
+               $result = sql_query("SELECT * FROM ".sql_table('item').\r
+                       " WHERE iblog='".$blogid."' AND iposted=0 AND itime>".mysqldate($currenttime));\r
+               if (sql_num_rows($result) > 0) {\r
+                               $blog->setFuturePost();\r
+               }\r
+               else {\r
+                               $blog->clearFuturePost();\r
+               }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemmove() {\r
                global $member, $manager;\r
-               \r
-               $itemid = intRequestVar('itemid');              \r
-               \r
+\r
+               $itemid = intRequestVar('itemid');\r
+\r
                // only allow if user is allowed to alter item\r
                $member->canAlterItem($itemid) or $this->disallow();\r
 \r
                $item =& $manager->getItem($itemid,1,1);\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
                        <h2><?php echo _MOVE_TITLE?></h2>\r
                        <form method="post" action="index.php"><div>\r
                                <input type="hidden" name="action" value="itemmoveto" />\r
                                <input type="hidden" name="itemid" value="<?php echo  $itemid; ?>" />\r
-                               \r
-                               <?php $this->selectBlogCategory('catid',$item['catid'],10,1);?>\r
-                               \r
+\r
+                               <?php\r
+\r
+                                       $manager->addTicketHidden();\r
+                                       $this->selectBlogCategory('catid',$item['catid'],10,1);\r
+                               ?>\r
+\r
                                <input type="submit" value="<?php echo _MOVE_BTN?>" tabindex="10000" onclick="return checkSubmit();" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemmoveto() {\r
                global $member, $manager;\r
-               \r
+\r
                $itemid = intRequestVar('itemid');\r
                $catid = requestVar('catid');\r
-               \r
-               // create new category if needed \r
+\r
+               // create new category if needed\r
                if (strstr($catid,'newcat')) {\r
-                       // get blogid \r
+                       // get blogid\r
                        list($blogid) = sscanf($catid,'newcat-%d');\r
-                       \r
+\r
                        // create\r
                        $blog =& $manager->getBlog($blogid);\r
                        $catid = $blog->createNewCategory();\r
 \r
                        // show error when sth goes wrong\r
-                       if (!$catid) \r
+                       if (!$catid)\r
                                $this->doError(_ERROR_CATCREATEFAIL);\r
-               } \r
-               \r
+               }\r
+\r
                // only allow if user is allowed to alter item\r
                $member->canUpdateItem($itemid, $catid) or $this->disallow();\r
 \r
-               ITEM::move($itemid, $catid);            \r
-               \r
+               $old_blogid = getBlogIDFromItemId($itemid);\r
+\r
+               ITEM::move($itemid, $catid);\r
+\r
+               // set the futurePosted flag on the blog\r
+               $this->updateFuturePosted(getBlogIDFromItemId($itemid));\r
+\r
+               // reset the futurePosted in case the item is moved from one blog to another\r
+               $this->updateFuturePosted($old_blogid);\r
+\r
                if ($catid != intRequestVar('catid'))\r
                        $this->action_categoryedit($catid, $blog->getID());\r
                else\r
-                       $this->action_itemlist(getBlogIDFromCatID($catid));             \r
+                       $this->action_itemlist(getBlogIDFromCatID($catid));\r
        }\r
-       \r
+\r
        /**\r
-         * Moves one item to a given category (category existance should be checked by caller)\r
-         * errors are returned\r
-         */\r
+        * Moves one item to a given category (category existance should be checked by caller)\r
+        * errors are returned\r
+        * @param int $itemid\r
+        * @param int $destCatid category ID to which the item will be moved\r
+        */\r
        function moveOneItem($itemid, $destCatid) {\r
                global $member;\r
-               \r
+\r
                // only allow if user is allowed to move item\r
                if (!$member->canUpdateItem($itemid, $destCatid))\r
                        return _ERROR_DISALLOWED;\r
@@ -1219,129 +1427,71 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Adds a item to the chosen blog\r
-         */\r
+        * Adds a item to the chosen blog\r
+        */\r
        function action_additem() {\r
-               global $member, $manager, $CONF;\r
-                \r
+               global $manager, $CONF;\r
+\r
                $manager->loadClass('ITEM');\r
 \r
                $result = ITEM::createFromRequest();\r
-               \r
+\r
                if ($result['status'] == 'error')\r
                        $this->error($result['message']);\r
-               \r
+\r
                $blogid = getBlogIDFromItemID($result['itemid']);\r
                $blog =& $manager->getBlog($blogid);\r
+               $btimestamp = $blog->getCorrectTime();\r
+               $item      = $manager->getItem(intval($result['itemid']), 1, 1);\r
 \r
-               if ($result['status'] == 'newcategory')\r
-                       $this->action_categoryedit(\r
-                               $result['catid'],\r
-                               $blogid, \r
-                               $blog->pingUserland() ? $CONF['AdminURL'] . 'index.php?action=sendping&blogid=' . intval($blogid) : ''\r
-                       );\r
-               elseif ((postVar('actiontype') == 'addnow') && $blog->pingUserland())\r
-                       $this->action_sendping($blogid);\r
-               else\r
-                       $this->action_itemlist($blogid);\r
+               if ($result['status'] == 'newcategory') {\r
+                       $distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=itemList&blogid=' . intval($blogid));\r
+                       $this->action_categoryedit($result['catid'], $blogid, $distURI);\r
+               } else {\r
+                       $methodName = 'action_itemList';\r
+                       call_user_func(array(&$this, $methodName), $blogid);\r
+               }\r
        }\r
-       \r
-       /**\r
-         * Shows a window that says we're about to ping weblogs.com.\r
-         * immediately refresh to the real pinging page, which will \r
-         * show an error, or redirect to the blog.\r
-         *\r
-         * @param $blogid ID of blog for which ping needs to be sent out\r
-         */\r
-       function action_sendping($blogid = -1) {\r
-               global $member;\r
-               \r
-               if ($blogid == -1)\r
-                       $blogid = intRequestVar('blogid');\r
-               \r
-               $member->isLoggedIn() or $this->disallow();\r
-               \r
-               $this->pagehead('<meta http-equiv="refresh" content="1; url=index.php?action=rawping&amp;blogid=' . $blogid . '" />');\r
-               ?>              \r
-               <h2>Site Updated, Now pinging weblogs.com</h2>\r
 \r
-               <p>\r
-                       Pinging weblogs.com! This can a while...\r
-                       <br />\r
-                       When the ping is complete (and successfull), your weblog will show up in the weblogs.com updates list.\r
-               </p>\r
-               \r
-               <p>\r
-                       If you aren't automatically passed through, <a href="index.php?action=rawping&amp;blogid=<?php echo $blogid?>">try again</a>\r
-               </p>\r
-               <?php           $this->pagefoot();\r
-       }\r
-       \r
-       // ping to Weblogs.com\r
-       // sends the real ping (can take up to 10 seconds!)\r
-       function action_rawping() {\r
-               global $manager;\r
-               // TODO: checks?\r
-                               \r
-               $blogid = intRequestVar('blogid');\r
-               $blog =& $manager->getBlog($blogid);\r
-               \r
-               $result = $blog->sendUserlandPing();\r
-               \r
-               $this->pagehead();\r
-               \r
-               ?>\r
-               \r
-               <h2>Ping Results</h2>\r
-               \r
-               <p>The following message was returned by weblogs.com:</p>\r
-               \r
-               <div class='note'><?php echo  $result ?></div>\r
-               \r
-               <ul>\r
-                       <li><a href="index.php?action=itemlist&amp;blogid=<?php echo $blog->getID()?>">View list of recent items for <?php echo htmlspecialchars($blog->getName())?></a></li>\r
-                       <li><a href="<?php echo $blog->getURL()?>">Visit your own site</a></li>\r
-               </ul>\r
-               \r
-               <?php           $this->pagefoot();\r
-       }\r
-       \r
-       /** \r
-         * Allows to edit previously made comments\r
-         */\r
+       /**\r
+        * Allows to edit previously made comments\r
+        */\r
        function action_commentedit() {\r
                global $member, $manager;\r
-               \r
+\r
                $commentid = intRequestVar('commentid');\r
-               \r
+\r
                $member->canAlterComment($commentid) or $this->disallow();\r
 \r
                $comment = COMMENT::getComment($commentid);\r
-               \r
+\r
                $manager->notify('PrepareCommentForEdit',array('comment' => &$comment));\r
 \r
                // change <br /> to \n\r
                $comment['body'] = str_replace('<br />','',$comment['body']);\r
                \r
-               $comment['body'] = eregi_replace("<a href=['\"]([^'\"]+)['\"]>[^<]*</a>","\\1",$comment['body']);\r
+               // replaced eregi_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0\r
+               /* original eregi_replace: eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>", "\\1", $comment['body']) */\r
+               $comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#I", "\\1", $comment['body']);\r
                \r
                $this->pagehead();\r
-               \r
+\r
                ?>\r
                <h2><?php echo _EDITC_TITLE?></h2>\r
-               \r
+\r
                <form action="index.php" method="post"><div>\r
-               \r
+\r
                <input type="hidden" name="action" value="commentupdate" />\r
+               <?php $manager->addTicketHidden(); ?>\r
                <input type="hidden" name="commentid" value="<?php echo  $commentid; ?>" />\r
                <table><tr>\r
                        <th colspan="2"><?php echo _EDITC_TITLE?></th>\r
                </tr><tr>\r
                        <td><?php echo _EDITC_WHO?></td>\r
                        <td>\r
-                       <?php                           if ($comment['member']) \r
+                       <?php                      if ($comment['member'])\r
                                        echo $comment['member'] . " (" . _EDITC_MEMBER . ")";\r
-                               else \r
+                               else\r
                                        echo $comment['user'] . " (" . _EDITC_NONMEMBER . ")";\r
                        ?>\r
                        </td>\r
@@ -1351,10 +1501,19 @@ class ADMIN {
                </tr><tr>\r
                        <td><?php echo _EDITC_HOST?></td>\r
                        <td><?php echo  $comment['host']; ?></td>\r
-               </tr><tr>\r
+               </tr>\r
+               <tr>\r
+                       <td><?php echo _EDITC_URL; ?></td>\r
+                       <td><input type="text" name="url" size="30" tabindex="6" value="<?php echo $comment['userid']; ?>" /></td>\r
+               </tr>\r
+               <tr>\r
+                       <td><?php echo _EDITC_EMAIL; ?></td>\r
+                       <td><input type="text" name="email" size="30" tabindex="8" value="<?php echo $comment['email']; ?>" /></td>\r
+               </tr>\r
+               <tr>\r
                        <td><?php echo _EDITC_TEXT?></td>\r
                        <td>\r
-                               <textarea name="body" tabindex="10" rows="10" cols="50"><?php                                   // htmlspecialchars not needed (things should be escaped already)\r
+                               <textarea name="body" tabindex="10" rows="10" cols="50"><?php                              // htmlspecialchars not needed (things should be escaped already)\r
                                        echo $comment['body'];\r
                                ?></textarea>\r
                        </td>\r
@@ -1362,173 +1521,197 @@ class ADMIN {
                        <td><?php echo _EDITC_EDIT?></td>\r
                        <td><input type="submit"  tabindex="20" value="<?php echo _EDITC_EDIT?>" onclick="return checkSubmit();" /></td>\r
                </tr></table>\r
-               \r
+\r
                </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_commentupdate() {\r
                global $member, $manager;\r
-               \r
+\r
                $commentid = intRequestVar('commentid');\r
-               \r
+\r
                $member->canAlterComment($commentid) or $this->disallow();\r
-               \r
+\r
+               $url = postVar('url');\r
+               $email = postVar('email');\r
                $body = postVar('body');\r
                \r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}", $body) != FALSE\r
+               # important note that '\' must be matched with '\\\\' in preg* expressions\r
                // intercept words that are too long\r
-               if (eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}",$body) != false) \r
+               if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) != FALSE)\r
+               {\r
                        $this->error(_ERROR_COMMENT_LONGWORD);\r
-\r
+               }\r
+               \r
                // check length\r
-               if (strlen($body)<3)\r
+               if (strlen($body) < 3) {\r
                        $this->error(_ERROR_COMMENT_NOCOMMENT);\r
+               }\r
                if (strlen($body)>5000)\r
+               {\r
                        $this->error(_ERROR_COMMENT_TOOLONG);\r
-               \r
+               }\r
                \r
                // prepare body\r
                $body = COMMENT::prepareBody($body);\r
-               \r
+\r
                // call plugins\r
                $manager->notify('PreUpdateComment',array('body' => &$body));\r
-               \r
+\r
                $query =  'UPDATE '.sql_table('comment')\r
-                      . " SET cbody='" .addslashes($body). "'"\r
-                      . " WHERE cnumber=" . $commentid;\r
+                          . " SET cmail = '" . sql_real_escape_string($url) . "', cemail = '" . sql_real_escape_string($email) . "', cbody = '" . sql_real_escape_string($body) . "'"\r
+                          . " WHERE cnumber=" . $commentid;\r
                sql_query($query);\r
-               \r
+\r
                // get itemid\r
                $res = sql_query('SELECT citem FROM '.sql_table('comment').' WHERE cnumber=' . $commentid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $itemid = $o->citem;\r
-               \r
+\r
                if ($member->canAlterItem($itemid))\r
-                       $this->action_itemcommentlist($itemid); \r
+                       $this->action_itemcommentlist($itemid);\r
                else\r
                        $this->action_browseowncomments();\r
-       \r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_commentdelete() {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                $commentid = intRequestVar('commentid');\r
-               \r
+\r
                $member->canAlterComment($commentid) or $this->disallow();\r
 \r
                $comment = COMMENT::getComment($commentid);\r
 \r
                $body = strip_tags($comment['body']);\r
                $body = htmlspecialchars(shorten($body, 300, '...'));\r
-               \r
+\r
                if ($comment['member'])\r
                        $author = $comment['member'];\r
                else\r
                        $author = $comment['user'];\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
-               \r
+\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
-                       \r
+\r
                        <p><?php echo _CONFIRMTXT_COMMENT?></p>\r
-                       \r
+\r
                        <div class="note">\r
                        <b><?php echo _EDITC_WHO?>:</b> <?php echo  $author ?>\r
                        <br />\r
                        <b><?php echo _EDITC_TEXT?>:</b> <?php echo  $body ?>\r
                        </div>\r
-                       \r
+\r
                        <form method="post" action="index.php"><div>\r
                                <input type="hidden" name="action" value="commentdeleteconfirm" />\r
+                               <?php $manager->addTicketHidden() ?>\r
                                <input type="hidden" name="commentid" value="<?php echo  $commentid; ?>" />\r
                                <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_commentdeleteconfirm() {\r
                global $member;\r
-               \r
+\r
                $commentid = intRequestVar('commentid');\r
-               \r
+\r
                // get item id first\r
                $res = sql_query('SELECT citem FROM '.sql_table('comment') .' WHERE cnumber=' . $commentid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $itemid = $o->citem;\r
 \r
                $error = $this->deleteOneComment($commentid);\r
                if ($error)\r
                        $this->doError($error);\r
-                       \r
+\r
                if ($member->canAlterItem($itemid))\r
-                       $this->action_itemcommentlist($itemid); \r
+                       $this->action_itemcommentlist($itemid);\r
                else\r
                        $this->action_browseowncomments();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOneComment($commentid) {\r
                global $member, $manager;\r
-               \r
+\r
                $commentid = intval($commentid);\r
-               \r
+\r
                if (!$member->canAlterComment($commentid))\r
                        return _ERROR_DISALLOWED;\r
-                       \r
+\r
                $manager->notify('PreDeleteComment', array('commentid' => $commentid));\r
-                               \r
+\r
                // delete the comments associated with the item\r
                $query = 'DELETE FROM '.sql_table('comment').' WHERE cnumber=' . $commentid;\r
                sql_query($query);\r
-               \r
-               $manager->notify('PostDeleteComment', array('commentid' => $commentid));                \r
-               \r
+\r
+               $manager->notify('PostDeleteComment', array('commentid' => $commentid));\r
+\r
                return '';\r
        }\r
-       \r
+\r
        /**\r
-         * Usermanagement main\r
-         */\r
+        * Usermanagement main\r
+        */\r
        function action_usermanagement() {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
 \r
                $this->pagehead();\r
-       \r
+\r
                echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';\r
-               \r
+\r
                echo '<h2>' . _MEMBERS_TITLE .'</h2>';\r
-               \r
+\r
                echo '<h3>' . _MEMBERS_CURRENT .'</h3>';\r
-               \r
+\r
                // show list of members with actions\r
                $query =  'SELECT *'\r
-                      . ' FROM '.sql_table('member');\r
+                          . ' FROM '.sql_table('member');\r
                $template['content'] = 'memberlist';\r
                $template['tabindex'] = 10;\r
-               \r
-               $batch = new BATCH('member');\r
+\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $batch =& new BATCH('member');\r
                $batch->showlist($query,'table',$template);\r
 \r
                echo '<h3>' . _MEMBERS_NEW .'</h3>';\r
                ?>\r
-                       <form method="post" action="index.php"><div>\r
-                       \r
+                       <form method="post" action="index.php" name="memberedit"><div>\r
+\r
                        <input type="hidden" name="action" value="memberadd" />\r
-                       \r
+                       <?php $manager->addTicketHidden() ?>\r
+\r
                        <table>\r
                        <tr>\r
                                <th colspan="2"><?php echo _MEMBERS_NEW?></th>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_DISPLAY?> <?php help('shortnames');?>\r
-                                   <br /><small>(This is the name used to logon)</small>\r
+                               <br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>\r
                                </td>\r
-                               <td><input tabindex="10010" name="name" size="16" maxlength="16" /></td>\r
+                               <td><input tabindex="10010" name="name" size="32" maxlength="32" /></td>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_REALNAME?></td>\r
                                <td><input name="realname" tabindex="10020" size="40" maxlength="60" /></td>\r
@@ -1557,28 +1740,33 @@ class ADMIN {
                                <td><?php echo _MEMBERS_NEW?></td>\r
                                <td><input type="submit" value="<?php echo _MEMBERS_NEW_BTN?>" tabindex="10090" onclick="return checkSubmit();" /></td>\r
                        </tr></table>\r
-                       \r
-                       </div></form>           \r
-               <?php           \r
+\r
+                       </div></form>\r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
        /**\r
-         * Edit member settings\r
-         */\r
+        * Edit member settings\r
+        */\r
        function action_memberedit() {\r
                $this->action_editmembersettings(intRequestVar('memberid'));\r
        }\r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_editmembersettings($memberid = '') {\r
                global $member, $manager, $CONF;\r
-               \r
+\r
                if ($memberid == '')\r
                        $memberid = $member->getID();\r
-               \r
+\r
                // check if allowed\r
                ($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
-       \r
-               $this->pagehead();\r
+\r
+               $extrahead = '<script type="text/javascript" src="javascript/numbercheck.js"></script>';\r
+               $this->pagehead($extrahead);\r
 \r
                // show message to go back to member overview (only for admins)\r
                if ($member->isAdmin())\r
@@ -1587,23 +1775,25 @@ class ADMIN {
                        echo '<a href="index.php?action=overview">(' ._BACKHOME. ')</a>';\r
 \r
                echo '<h2>' . _MEMBERS_EDIT . '</h2>';\r
-               \r
+\r
                $mem = MEMBER::createFromID($memberid);\r
-               \r
+\r
                ?>\r
-               <form method="post" action="index.php"><div>\r
-               \r
+               <form method="post" action="index.php" name="memberedit"><div>\r
+\r
                <input type="hidden" name="action" value="changemembersettings" />\r
                <input type="hidden" name="memberid" value="<?php echo  $memberid; ?>" />\r
+               <?php $manager->addTicketHidden() ?>\r
+\r
                <table><tr>\r
                        <th colspan="2"><?php echo _MEMBERS_EDIT?></th>\r
                </tr><tr>\r
                        <td><?php echo _MEMBERS_DISPLAY?> <?php help('shortnames');?>\r
-                           <br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>\r
+                               <br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>\r
                        </td>\r
                        <td>\r
                        <?php if ($CONF['AllowLoginEdit'] || $member->isAdmin()) { ?>\r
-                               <input name="name" tabindex="10" maxlength="16" size="16" value="<?php echo  htmlspecialchars($mem->getDisplayName()); ?>" />\r
+                               <input name="name" tabindex="10" maxlength="32" size="32" value="<?php echo  htmlspecialchars($mem->getDisplayName()); ?>" />\r
                        <?php } else {\r
                                echo htmlspecialchars($member->getDisplayName());\r
                           }\r
@@ -1612,7 +1802,7 @@ class ADMIN {
                </tr><tr>\r
                        <td><?php echo _MEMBERS_REALNAME?></td>\r
                        <td><input name="realname" tabindex="20" maxlength="60" size="40" value="<?php echo  htmlspecialchars($mem->getRealName()); ?>" /></td>\r
-               </tr><tr>               \r
+               </tr><tr>\r
                <?php if ($CONF['AllowLoginEdit'] || $member->isAdmin()) { ?>\r
                        <td><?php echo _MEMBERS_PWD?></td>\r
                        <td><input type="password" tabindex="30" maxlength="40" size="16" name="password" /></td>\r
@@ -1622,55 +1812,65 @@ class ADMIN {
                <?php } ?>\r
                </tr><tr>\r
                        <td><?php echo _MEMBERS_EMAIL?>\r
-                           <br /><small><?php echo _MEMBERS_EMAIL_EDIT?></small>\r
+                               <br /><small><?php echo _MEMBERS_EMAIL_EDIT?></small>\r
                        </td>\r
                        <td><input name="email" tabindex="40" size="40" maxlength="60" value="<?php echo  htmlspecialchars($mem->getEmail()); ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _MEMBERS_URL?></td>\r
-                       <td><input name="url" tabindex="50" size="40" maxlength="100" value="<?php echo  htmlspecialchars($mem->getURL()); ?>" /></td>                  \r
+                       <td><input name="url" tabindex="50" size="40" maxlength="100" value="<?php echo  htmlspecialchars($mem->getURL()); ?>" /></td>\r
                <?php // only allow to change this by super-admins\r
                   // we don't want normal users to 'upgrade' themselves to super-admins, do we? ;-)\r
                   if ($member->isAdmin()) {\r
                ?>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_SUPERADMIN?> <?php help('superadmin'); ?></td>\r
-                               <td><?php $this->input_yesno('admin',$mem->isAdmin(),60); ?></td>       \r
+                               <td><?php $this->input_yesno('admin',$mem->isAdmin(),60); ?></td>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_CANLOGIN?> <?php help('canlogin'); ?></td>\r
-                               <td><?php $this->input_yesno('canlogin',$mem->canLogin(),70); ?></td>\r
+                               <td><?php $this->input_yesno('canlogin',$mem->canLogin(),70,1,0,_YES,_NO,$mem->isAdmin()); ?></td>\r
                <?php } ?>\r
                </tr><tr>\r
                        <td><?php echo _MEMBERS_NOTES?></td>\r
-                       <td><input name="notes" tabindex="80" size="40" maxlength="100" value="<?php echo  htmlspecialchars($mem->getNotes()); ?>" /></td>                      \r
-               </tr><tr>               \r
+                       <td><input name="notes" tabindex="80" size="40" maxlength="100" value="<?php echo  htmlspecialchars($mem->getNotes()); ?>" /></td>\r
+               </tr><tr>\r
                        <td><?php echo _MEMBERS_DEFLANG?> <?php help('language'); ?>\r
                        </td>\r
                        <td>\r
-                       \r
+\r
                                <select name="deflang" tabindex="85">\r
                                        <option value=""><?php echo _MEMBERS_USESITELANG?></option>\r
-                               <?php                           // show a dropdown list of all available languages\r
+                               <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle))\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$", $filename, $matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
-                                               if ($name == $mem->getLanguage())\r
-                                                       echo " selected='selected'";\r
+                                               echo "<option value=\"$name\"";\r
+                                               if ($name == $mem->getLanguage() )\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
+                               \r
                                ?>\r
-                               </select>                       \r
-                       \r
+                               </select>\r
+\r
                        </td>\r
                </tr>\r
+               <tr>\r
+                       <td><?php echo _MEMBERS_USEAUTOSAVE?> <?php help('autosave'); ?></td>\r
+                       <td><?php $this->input_yesno('autosave', $mem->getAutosave(), 87); ?></td>\r
+               </tr>\r
                <?php\r
                        // plugin options\r
-                       $this->_insertPluginOptions('member',$memberid);                        \r
+                       $this->_insertPluginOptions('member',$memberid);\r
                ?>\r
                <tr>\r
                        <th colspan="2"><?php echo _MEMBERS_EDIT ?></th>\r
@@ -1678,47 +1878,52 @@ class ADMIN {
                        <td><?php echo _MEMBERS_EDIT?></td>\r
                        <td><input type="submit" tabindex="90" value="<?php echo _MEMBERS_EDIT_BTN?>" onclick="return checkSubmit();" /></td>\r
                </tr></table>\r
-               \r
+\r
                </div></form>\r
-               \r
-               \r
-               <?php           \r
-                       echo '<h3>', _PLUGINS_EXTRA , '</h3>';\r
+\r
+               <?php\r
+                       echo '<h3>',_PLUGINS_EXTRA,'</h3>';\r
+\r
                        $manager->notify(\r
-                               'MemberSettingsFormExtras',     \r
+                               'MemberSettingsFormExtras',\r
                                array(\r
                                        'member' => &$mem\r
                                )\r
                        );\r
-                       \r
+\r
                $this->pagefoot();\r
        }\r
-       \r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_changemembersettings() {\r
                global $member, $CONF, $manager;\r
-               \r
+\r
                $memberid = intRequestVar('memberid');\r
-               \r
+\r
                // check if allowed\r
                ($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
-               \r
-               $name                   = trim(postVar('name'));\r
-               $realname               = trim(postVar('realname'));\r
-               $password               = postVar('password');\r
-               $repeatpassword = postVar('repeatpassword');            \r
-               $email                  = postVar('email');\r
-               $url                    = postVar('url');\r
-\r
-               // Sometimes user didn't prefix the URL with http://, this cause a malformed URL. Let's fix it.\r
-               if (!eregi("^https?://", $url))\r
-                       $url = "http://".$url;\r
-\r
-               $admin                  = postVar('admin');\r
-               $canlogin               = postVar('canlogin');\r
-               $notes                  = postVar('notes');\r
+\r
+               $name              = trim(strip_tags(postVar('name')));\r
+               $realname          = trim(strip_tags(postVar('realname')));\r
+               $password          = postVar('password');\r
+               $repeatpassword = postVar('repeatpassword');\r
+               $email            = strip_tags(postVar('email'));\r
+               $url                    = strip_tags(postVar('url'));\r
+\r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: !eregi("^https?://", $url)\r
+               // begin if: sometimes user didn't prefix the URL with http:// or https://, this cause a malformed URL. Let's fix it.\r
+               if (!preg_match('#^https?://#', $url) )\r
+               {\r
+                       $url = "http://" . $url;\r
+               }\r
+               $admin            = postVar('admin');\r
+               $canlogin          = postVar('canlogin');\r
+               $notes            = strip_tags(postVar('notes'));\r
                $deflang                = postVar('deflang');\r
-               \r
+\r
                $mem = MEMBER::createFromID($memberid);\r
 \r
                if ($CONF['AllowLoginEdit'] || $member->isAdmin()) {\r
@@ -1728,337 +1933,546 @@ class ADMIN {
 \r
                        if (($name != $mem->getDisplayName()) && MEMBER::exists($name))\r
                                $this->error(_ERROR_NICKNAMEINUSE);\r
-                               \r
+\r
                        if ($password != $repeatpassword)\r
                                $this->error(_ERROR_PASSWORDMISMATCH);\r
-                               \r
+\r
                        if ($password && (strlen($password) < 6))\r
                                $this->error(_ERROR_PASSWORDTOOSHORT);\r
+\r
+                       if ($password) {\r
+                               $pwdvalid = true;\r
+                               $pwderror = '';\r
+                               $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                               if (!$pwdvalid) {\r
+                                       $this->error($pwderror);\r
+                               }\r
+                       }\r
                }\r
-               \r
+\r
                if (!isValidMailAddress($email))\r
                        $this->error(_ERROR_BADMAILADDRESS);\r
 \r
-       \r
+\r
                if (!$realname)\r
                        $this->error(_ERROR_REALNAMEMISSING);\r
-                       \r
-               if (($deflang != '') && (!checkLanguage($deflang))) \r
+\r
+               if (($deflang != '') && (!checkLanguage($deflang)))\r
                        $this->error(_ERROR_NOSUCHLANGUAGE);\r
-               \r
+\r
                // check if there will remain at least one site member with both the logon and admin rights\r
                // (check occurs when taking away one of these rights from such a member)\r
-               if (    (!$admin && $mem->isAdmin() && $mem->canLogin())\r
-                    || (!$canlogin && $mem->isAdmin() && $mem->canLogin())\r
+               if (    (!$admin && $mem->isAdmin() && $mem->canLogin())\r
+                        || (!$canlogin && $mem->isAdmin() && $mem->canLogin())\r
                   )\r
                {\r
                        $r = sql_query('SELECT * FROM '.sql_table('member').' WHERE madmin=1 and mcanlogin=1');\r
-                       if (mysql_num_rows($r) < 2)\r
+                       if (sql_num_rows($r) < 2)\r
                                $this->error(_ERROR_ATLEASTONEADMIN);\r
                }\r
-               \r
-               \r
-               // if email changed, generate new password\r
-               if ($email != $mem->getEmail())\r
-               {\r
-                       $password = genPassword(10);\r
-                       $newpass = 1;\r
-               } else {\r
-                       $newpass = 0;\r
-               }\r
 \r
                if ($CONF['AllowLoginEdit'] || $member->isAdmin()) {\r
                        $mem->setDisplayName($name);\r
-                       if ($password) \r
+                       if ($password)\r
                                $mem->setPassword($password);\r
                }\r
 \r
-               if ($newpass)\r
-                       $mem->setPassword($password);\r
-               \r
+               $oldEmail = $mem->getEmail();\r
+\r
                $mem->setRealName($realname);\r
                $mem->setEmail($email);\r
                $mem->setURL($url);\r
                $mem->setNotes($notes);\r
                $mem->setLanguage($deflang);\r
 \r
-               \r
+\r
                // only allow super-admins to make changes to the admin status\r
                if ($member->isAdmin()) {\r
                        $mem->setAdmin($admin);\r
                        $mem->setCanLogin($canlogin);\r
                }\r
 \r
-       \r
+               $autosave = postVar ('autosave');\r
+               $mem->setAutosave($autosave);\r
+\r
                $mem->write();\r
-               \r
+\r
                // store plugin options\r
                $aOptions = requestArray('plugoption');\r
                NucleusPlugin::_applyPluginOptions($aOptions);\r
-               $manager->notify('PostPluginOptionsUpdate',array('context' => 'member', 'memberid' => $memberid, 'member' => &$mem));           \r
-               \r
-               // if new password was generated, send out mail message and logout\r
-               if ($newpass) \r
-                       $mem->sendPassword($password);\r
+               $manager->notify('PostPluginOptionsUpdate',array('context' => 'member', 'memberid' => $memberid, 'member' => &$mem));\r
+\r
+               // if email changed, generate new password\r
+               if ($oldEmail != $mem->getEmail())\r
+               {\r
+                       $mem->sendActivationLink('addresschange', $oldEmail);\r
+                       // logout member\r
+                       $mem->newCookieKey();\r
+\r
+                       // only log out if the member being edited is the current member.\r
+                       if ($member->getID() == $memberid)\r
+                               $member->logout();\r
+                       $this->action_login(_MSG_ACTIVATION_SENT, 0);\r
+                       return;\r
+               }\r
 \r
-               if (  ( $mem->getID() == $member->getID() ) \r
-                  && ( $newpass || ( $mem->getDisplayName() != $member->getDisplayName() ) )\r
+\r
+               if (  ( $mem->getID() == $member->getID() )\r
+                  && ( $mem->getDisplayName() != $member->getDisplayName() )\r
                   ) {\r
+                       $mem->newCookieKey();\r
                        $member->logout();\r
                        $this->action_login(_MSG_LOGINAGAIN, 0);\r
                } else {\r
                        $this->action_overview(_MSG_SETTINGSCHANGED);\r
                }\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_memberadd() {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                if (postVar('password') != postVar('repeatpassword'))\r
                        $this->error(_ERROR_PASSWORDMISMATCH);\r
-               if (strlen(postVar('password')) < 6)  \r
+               if (strlen(postVar('password')) < 6)\r
                        $this->error(_ERROR_PASSWORDTOOSHORT);\r
-               \r
-               $res = MEMBER::create(postVar('name'), postVar('realname'), postVar('password'), postVar('email'), postVar('url'), postVar('admin'), postVar('canlogin'), postVar('notes'));    \r
+\r
+               $res = MEMBER::create(postVar('name'), postVar('realname'), postVar('password'), postVar('email'), postVar('url'), postVar('admin'), postVar('canlogin'), postVar('notes'));\r
                if ($res != 1)\r
                        $this->error($res);\r
-               \r
-               $this->action_usermanagement();         \r
+\r
+               // fire PostRegister event\r
+               $newmem = new MEMBER();\r
+               $newmem->readFromName(postVar('name'));\r
+               $manager->notify('PostRegister',array('member' => &$newmem));\r
+\r
+               $this->action_usermanagement();\r
        }\r
-       \r
+\r
        /**\r
-         * Manage team\r
-         */\r
-       function action_manageteam() {\r
-               global $member;\r
+        * Account activation\r
+        *\r
+        * @author dekarma\r
+        */\r
+       function action_activate() {\r
+\r
+               $key = getVar('key');\r
+               $this->_showActivationPage($key);\r
+       }\r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
+       function _showActivationPage($key, $message = '')\r
+       {\r
+               global $manager;\r
+\r
+               // clean up old activation keys\r
+               MEMBER::cleanupActivationTable();\r
+\r
+               // get activation info\r
+               $info = MEMBER::getActivationInfo($key);\r
+\r
+               if (!$info)\r
+                       $this->error(_ERROR_ACTIVATE);\r
+\r
+               $mem = MEMBER::createFromId($info->vmember);\r
+\r
+               if (!$mem)\r
+                       $this->error(_ERROR_ACTIVATE);\r
+\r
+               $text = '';\r
+               $title = '';\r
+               $bNeedsPasswordChange = true;\r
+\r
+               switch ($info->vtype)\r
+               {\r
+                       case 'forgot':\r
+                               $title = _ACTIVATE_FORGOT_TITLE;\r
+                               $text = _ACTIVATE_FORGOT_TEXT;\r
+                               break;\r
+                       case 'register':\r
+                               $title = _ACTIVATE_REGISTER_TITLE;\r
+                               $text = _ACTIVATE_REGISTER_TEXT;\r
+                               break;\r
+                       case 'addresschange':\r
+                               $title = _ACTIVATE_CHANGE_TITLE;\r
+                               $text = _ACTIVATE_CHANGE_TEXT;\r
+                               $bNeedsPasswordChange = false;\r
+                               MEMBER::activate($key);\r
+                               break;\r
+               }\r
+\r
+               $aVars = array(\r
+                       'memberName' => htmlspecialchars($mem->getDisplayName())\r
+               );\r
+               $title = TEMPLATE::fill($title, $aVars);\r
+               $text = TEMPLATE::fill($text, $aVars);\r
+\r
+               $this->pagehead();\r
+\r
+                       echo '<h2>' , $title, '</h2>';\r
+                       echo '<p>' , $text, '</p>';\r
+\r
+                       if ($message != '')\r
+                       {\r
+                               echo '<p class="error">',$message,'</p>';\r
+                       }\r
+\r
+                       if ($bNeedsPasswordChange)\r
+                       {\r
+                               ?>\r
+                                       <div><form action="index.php" method="post">\r
+\r
+                                               <input type="hidden" name="action" value="activatesetpwd" />\r
+                                               <?php $manager->addTicketHidden() ?>\r
+                                               <input type="hidden" name="key" value="<?php echo htmlspecialchars($key) ?>" />\r
+\r
+                                               <table><tr>\r
+                                                       <td><?php echo _MEMBERS_PWD?></td>\r
+                                                       <td><input type="password" maxlength="40" size="16" name="password" /></td>\r
+                                               </tr><tr>\r
+                                                       <td><?php echo _MEMBERS_REPPWD?></td>\r
+                                                       <td><input type="password" maxlength="40" size="16" name="repeatpassword" /></td>\r
+                                               <?php\r
+\r
+                                                       global $manager;\r
+                                                       $manager->notify('FormExtra', array('type' => 'activation', 'member' => $mem));\r
+\r
+                                               ?>\r
+                                               </tr><tr>\r
+                                                       <td><?php echo _MEMBERS_SETPWD ?></td>\r
+                                                       <td><input type='submit' value='<?php echo _MEMBERS_SETPWD_BTN ?>' /></td>\r
+                                               </tr></table>\r
+\r
+\r
+                                       </form></div>\r
+\r
+                               <?php\r
+\r
+                       }\r
+\r
+               $this->pagefoot();\r
+\r
+       }\r
+\r
+       /**\r
+        * Account activation - set password part\r
+        *\r
+        * @author dekarma\r
+        */\r
+       function action_activatesetpwd() {\r
                \r
-               $blogid = intRequestVar('blogid');\r
+               $key = postVar('key');\r
+\r
+               // clean up old activation keys\r
+               MEMBER::cleanupActivationTable();\r
+\r
+               // get activation info\r
+               $info = MEMBER::getActivationInfo($key);\r
+\r
+               if (!$info || ($info->type == 'addresschange'))\r
+                       return $this->_showActivationPage($key, _ERROR_ACTIVATE);\r
+\r
+               $mem = MEMBER::createFromId($info->vmember);\r
+\r
+               if (!$mem)\r
+                       return $this->_showActivationPage($key, _ERROR_ACTIVATE);\r
+\r
+               $password          = postVar('password');\r
+               $repeatpassword = postVar('repeatpassword');\r
+\r
+               if ($password != $repeatpassword)\r
+                       return $this->_showActivationPage($key, _ERROR_PASSWORDMISMATCH);\r
+\r
+               if ($password && (strlen($password) < 6))\r
+                       return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
                \r
+               if ($password) {\r
+                       $pwdvalid = true;\r
+                       $pwderror = '';\r
+                       global $manager;\r
+                       $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                       if (!$pwdvalid) {\r
+                               return $this->_showActivationPage($key,$pwderror);\r
+                       }\r
+               }\r
+               $error = '';\r
+               $manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
+               if ($error != '')\r
+                       return $this->_showActivationPage($key, $error);\r
+\r
+\r
+               // set password\r
+               $mem->setPassword($password);\r
+               $mem->write();\r
+\r
+               // do the activation\r
+               MEMBER::activate($key);\r
+\r
+               $this->pagehead();\r
+                       echo '<h2>',_ACTIVATE_SUCCESS_TITLE,'</h2>';\r
+                       echo '<p>',_ACTIVATE_SUCCESS_TEXT,'</p>';\r
+               $this->pagefoot();\r
+       }\r
+\r
+       /**\r
+        * Manage team\r
+        */\r
+       function action_manageteam() {\r
+               global $member, $manager;\r
+\r
+               $blogid = intRequestVar('blogid');\r
+\r
                // check if allowed\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-       \r
+\r
                $this->pagehead();\r
-               \r
+\r
                echo "<p><a href='index.php?action=blogsettings&amp;blogid=$blogid'>(",_BACK_TO_BLOGSETTINGS,")</a></p>";\r
-               \r
+\r
                echo '<h2>' . _TEAM_TITLE . getBlogNameFromID($blogid) . '</h2>';\r
-               \r
+\r
                echo '<h3>' . _TEAM_CURRENT . '</h3>';\r
 \r
 \r
 \r
                $query =  'SELECT tblog, tmember, mname, mrealname, memail, tadmin'\r
-                      . ' FROM '.sql_table('member').', '.sql_table('team')\r
-                      . ' WHERE tmember=mnumber and tblog=' . $blogid;\r
+                          . ' FROM '.sql_table('member').', '.sql_table('team')\r
+                          . ' WHERE tmember=mnumber and tblog=' . $blogid;\r
 \r
                $template['content'] = 'teamlist';\r
                $template['tabindex'] = 10;\r
-               \r
-               $batch = new BATCH('team');\r
+\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $batch =& new BATCH('team');\r
                $batch->showlist($query, 'table', $template);\r
 \r
                ?>\r
                        <h3><?php echo _TEAM_ADDNEW?></h3>\r
 \r
                        <form method='post' action='index.php'><div>\r
-                       \r
+\r
                        <input type='hidden' name='action' value='teamaddmember' />\r
                        <input type='hidden' name='blogid' value='<?php echo  $blogid; ?>' />\r
+                       <?php $manager->addTicketHidden() ?>\r
 \r
                        <table><tr>\r
                                <td><?php echo _TEAM_CHOOSEMEMBER?></td>\r
-                               <td><?php                                       // TODO: try to make it so only non-team-members are listed\r
+                               <td><?php                                  // TODO: try to make it so only non-team-members are listed\r
                                        $query =  'SELECT mname as text, mnumber as value'\r
-                                              . ' FROM '.sql_table('member');\r
+                                                  . ' FROM '.sql_table('member');\r
 \r
                                        $template['name'] = 'memberid';\r
                                        $template['tabindex'] = 10000;\r
-                                       showlist($query,'select',$template);                    \r
+                                       showlist($query,'select',$template);\r
                                ?></td>\r
                        </tr><tr>\r
                                <td><?php echo _TEAM_ADMIN?><?php help('teamadmin'); ?></td>\r
                                <td><?php $this->input_yesno('admin',0,10020); ?></td>\r
                        </tr><tr>\r
                                <td><?php echo _TEAM_ADD?></td>\r
-                               <td><input type='submit' value='<?php echo _TEAM_ADD_BTN?>' tabindex="10030" /></td>            \r
+                               <td><input type='submit' value='<?php echo _TEAM_ADD_BTN?>' tabindex="10030" /></td>\r
                        </tr></table>\r
-                       \r
+\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
        /**\r
-         * Add member tot tram\r
-         */\r
+        * Add member to team\r
+        */\r
        function action_teamaddmember() {\r
                global $member, $manager;\r
-               \r
+\r
                $memberid = intPostVar('memberid');\r
                $blogid = intPostVar('blogid');\r
                $admin = intPostVar('admin');\r
-               \r
+\r
                // check if allowed\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                $blog =& $manager->getBlog($blogid);\r
                if (!$blog->addTeamMember($memberid, $admin))\r
                        $this->error(_ERROR_ALREADYONTEAM);\r
-               \r
+\r
                $this->action_manageteam();\r
-               \r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_teamdelete() {\r
                global $member, $manager;\r
-               \r
+\r
                $memberid = intRequestVar('memberid');\r
                $blogid = intRequestVar('blogid');\r
-               \r
+\r
                // check if allowed\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                $teammem = MEMBER::createFromID($memberid);\r
                $blog =& $manager->getBlog($blogid);\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
-                       \r
-                       <p><?php echo _CONFIRMTXT_TEAM1?><b><?php echo  $teammem->getDisplayName() ?></b><?php echo _CONFIRMTXT_TEAM2?><b><?php echo  htmlspecialchars(strip_tags($blog->getName())) ?></b>\r
+\r
+                       <p><?php echo _CONFIRMTXT_TEAM1?><b><?php echo  htmlspecialchars($teammem->getDisplayName()) ?></b><?php echo _CONFIRMTXT_TEAM2?><b><?php echo  htmlspecialchars(strip_tags($blog->getName())) ?></b>\r
                        </p>\r
-                       \r
-                       \r
+\r
+\r
                        <form method="post" action="index.php"><div>\r
                        <input type="hidden" name="action" value="teamdeleteconfirm" />\r
+                       <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="memberid" value="<?php echo  $memberid; ?>" />\r
                        <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
                        <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_teamdeleteconfirm() {\r
                global $member;\r
-               \r
+\r
                $memberid = intRequestVar('memberid');\r
                $blogid = intRequestVar('blogid');\r
 \r
                $error = $this->deleteOneTeamMember($blogid, $memberid);\r
-               \r
-               \r
+               if ($error)\r
+                       $this->error($error);\r
+\r
+\r
                $this->action_manageteam();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOneTeamMember($blogid, $memberid) {\r
                global $member, $manager;\r
-               \r
+\r
                $blogid = intval($blogid);\r
                $memberid = intval($memberid);\r
-               \r
+\r
                // check if allowed\r
                if (!$member->blogAdminRights($blogid))\r
                        return _ERROR_DISALLOWED;\r
 \r
                // check if: - there remains at least one blog admin\r
-               //           - (there remains at least one team member)\r
+               //                 - (there remains at least one team member)\r
                $tmem = MEMBER::createFromID($memberid);\r
-               \r
-               $manager->notify('PreDeleteTeamMember', array('member' => &$mem, 'blogid' => $blogid));                         \r
-               \r
+\r
+               $manager->notify('PreDeleteTeamMember', array('member' => &$tmem, 'blogid' => $blogid));\r
+\r
                if ($tmem->isBlogAdmin($blogid)) {\r
                        // check if there are more blog members left and at least one admin\r
                        // (check for at least two admins before deletion)\r
                        $query = 'SELECT * FROM '.sql_table('team') . ' WHERE tblog='.$blogid.' and tadmin=1';\r
                        $r = sql_query($query);\r
-                       if (mysql_num_rows($r) < 2)\r
+                       if (sql_num_rows($r) < 2)\r
                                return _ERROR_ATLEASTONEBLOGADMIN;\r
                }\r
-               \r
+\r
                $query = 'DELETE FROM '.sql_table('team')." WHERE tblog=$blogid and tmember=$memberid";\r
                sql_query($query);\r
-               \r
-               $manager->notify('PostDeleteTeamMember', array('member' => &$mem, 'blogid' => $blogid));                                                \r
-               \r
+\r
+               $manager->notify('PostDeleteTeamMember', array('member' => &$tmem, 'blogid' => $blogid));\r
+\r
                return '';\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_teamchangeadmin() {\r
                global $member;\r
-               \r
+\r
                $blogid = intRequestVar('blogid');\r
                $memberid = intRequestVar('memberid');\r
-               \r
+\r
                // check if allowed\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                $mem = MEMBER::createFromID($memberid);\r
-               \r
+\r
                // don't allow when there is only one admin at this moment\r
                if ($mem->isBlogAdmin($blogid)) {\r
                        $r = sql_query('SELECT * FROM '.sql_table('team') . " WHERE tblog=$blogid and tadmin=1");\r
-                       if (mysql_num_rows($r) == 1)\r
+                       if (sql_num_rows($r) == 1)\r
                                $this->error(_ERROR_ATLEASTONEBLOGADMIN);\r
                }\r
-               \r
+\r
                if ($mem->isBlogAdmin($blogid))\r
                        $newval = 0;\r
-               else    \r
+               else\r
                        $newval = 1;\r
-                       \r
+\r
                $query = 'UPDATE '.sql_table('team') ." SET tadmin=$newval WHERE tblog=$blogid and tmember=$memberid";\r
                sql_query($query);\r
-               \r
+\r
                // only show manageteam if member did not change its own admin privileges\r
                if ($member->isBlogAdmin($blogid))\r
                        $this->action_manageteam();\r
                else\r
                        $this->action_overview(_MSG_ADMINCHANGED);\r
        }\r
-         \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_blogsettings() {\r
                global $member, $manager;\r
-               \r
+\r
                $blogid = intRequestVar('blogid');\r
-               \r
+\r
                // check if allowed\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                $blog =& $manager->getBlog($blogid);\r
-               \r
-               $this->pagehead();\r
-               \r
-               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';          \r
+\r
+               $extrahead = '<script type="text/javascript" src="javascript/numbercheck.js"></script>';\r
+               $this->pagehead($extrahead);\r
+\r
+               echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';\r
                ?>\r
                <h2><?php echo _EBLOG_TITLE?>: '<?php echo $this->bloglink($blog)?>'</h2>\r
 \r
                <h3><?php echo _EBLOG_TEAM_TITLE?></h3>\r
-               \r
-               <p>Members currently on your team: \r
+\r
+               <p><?php echo _EBLOG_CURRENT_TEAM_MEMBER; ?>\r
                <?php\r
                        $res = sql_query('SELECT mname, mrealname FROM ' . sql_table('member') . ',' . sql_table('team') . ' WHERE mnumber=tmember AND tblog=' . intval($blogid));\r
                        $aMemberNames = array();\r
-                       while ($o = mysql_fetch_object($res))\r
+                       while ($o = sql_fetch_object($res))\r
                                array_push($aMemberNames, htmlspecialchars($o->mname) . ' (' . htmlspecialchars($o->mrealname). ')');\r
                        echo implode(',', $aMemberNames);\r
                ?>\r
                </p>\r
-               \r
-               \r
+\r
+\r
 \r
                <p>\r
                <a href="index.php?action=manageteam&amp;blogid=<?php echo $blogid?>"><?php echo _EBLOG_TEAM_TEXT?></a>\r
                </p>\r
 \r
                <h3><?php echo _EBLOG_SETTINGS_TITLE?></h3>\r
-               \r
+\r
                <form method="post" action="index.php"><div>\r
-               \r
+\r
                <input type="hidden" name="action" value="blogsettingsupdate" />\r
+               <?php $manager->addTicketHidden() ?>\r
                <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
                <table><tr>\r
                        <td><?php echo _EBLOG_NAME?></td>\r
@@ -2076,38 +2490,42 @@ class ADMIN {
                        <td><input name="url" tabindex="40" size="40" maxlength="100" value="<?php echo  htmlspecialchars($blog->getURL()) ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_DEFSKIN?>\r
-                           <?php help('blogdefaultskin'); ?>\r
+                               <?php help('blogdefaultskin'); ?>\r
                        </td>\r
                        <td>\r
-                               <?php \r
+                               <?php\r
                                        $query =  'SELECT sdname as text, sdnumber as value'\r
-                                              . ' FROM '.sql_table('skin_desc');\r
+                                                  . ' FROM '.sql_table('skin_desc');\r
                                        $template['name'] = 'defskin';\r
                                        $template['selected'] = $blog->getDefaultSkin();\r
                                        $template['tabindex'] = 50;\r
-                                       showlist($query,'select',$template);            \r
+                                       showlist($query,'select',$template);\r
                                ?>\r
-                               \r
+\r
                        </td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_LINEBREAKS?> <?php help('convertbreaks'); ?>\r
                        </td>\r
-                       <td><?php $this->input_yesno('convertbreaks',$blog->convertBreaks(),55); ?></td>        \r
+                       <td><?php $this->input_yesno('convertbreaks',$blog->convertBreaks(),55); ?></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_ALLOWPASTPOSTING?> <?php help('allowpastposting'); ?>\r
                        </td>\r
-                       <td><?php $this->input_yesno('allowpastposting',$blog->allowPastPosting(),57); ?></td>  \r
-               </tr><tr>                                       \r
+                       <td><?php $this->input_yesno('allowpastposting',$blog->allowPastPosting(),57); ?></td>\r
+               </tr><tr>\r
                        <td><?php echo _EBLOG_DISABLECOMMENTS?>\r
                        </td>\r
-                       <td><?php $this->input_yesno('comments',$blog->commentsEnabled(),60); ?></td>   \r
+                       <td><?php $this->input_yesno('comments',$blog->commentsEnabled(),60); ?></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_ANONYMOUS?>\r
                        </td>\r
-                       <td><?php $this->input_yesno('public',$blog->isPublic(),70); ?></td>    \r
-               </tr><tr>               \r
+                       <td><?php $this->input_yesno('public',$blog->isPublic(),70); ?></td>\r
+               </tr><tr>\r
+       <td><?php echo _EBLOG_REQUIREDEMAIL?>\r
+                </td>\r
+                <td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
+         </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
-                       <td><input name="notify" tabindex="80" maxlength="60" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
+                       <td><input name="notify" tabindex="80" maxlength="128" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY_ON?></td>\r
                        <td>\r
@@ -2116,17 +2534,14 @@ class ADMIN {
                                /><label for="notifyComment"><?php echo _EBLOG_NOTIFY_COMMENT?></label>\r
                                <br />\r
                                <input name="notifyVote" value="5" type="checkbox" tabindex="82" id="notifyVote"\r
-                                       <?php if  ($blog->notifyOnVote()) echo "checked='checked'" ?>                           \r
+                                       <?php if  ($blog->notifyOnVote()) echo "checked='checked'" ?>\r
                                /><label for="notifyVote"><?php echo _EBLOG_NOTIFY_KARMA?></label>\r
                                <br />\r
                                <input name="notifyNewItem" value="7" type="checkbox" tabindex="83" id="notifyNewItem"\r
-                                       <?php if  ($blog->notifyOnNewItem()) echo "checked='checked'" ?>                                \r
+                                       <?php if  ($blog->notifyOnNewItem()) echo "checked='checked'" ?>\r
                                /><label for="notifyNewItem"><?php echo _EBLOG_NOTIFY_ITEM?></label>\r
                        </td>\r
                </tr><tr>\r
-                       <td><?php echo _EBLOG_PING?> <?php help('pinguserland'); ?></td>\r
-                       <td><?php $this->input_yesno('pinguserland',$blog->pingUserland(),85); ?></td>                          \r
-               </tr><tr>               \r
                        <td><?php echo _EBLOG_MAXCOMMENTS?> <?php help('blogmaxcomments'); ?></td>\r
                        <td><input name="maxcomments" tabindex="90" size="3" value="<?php echo  htmlspecialchars($blog->getMaxComments()); ?>" /></td>\r
                </tr><tr>\r
@@ -2135,25 +2550,25 @@ class ADMIN {
                </tr><tr>\r
                        <td><?php echo _EBLOG_DEFCAT?></td>\r
                        <td>\r
-                               <?php \r
+                               <?php\r
                                        $query =  'SELECT cname as text, catid as value'\r
-                                              . ' FROM '.sql_table('category')\r
-                                              . ' WHERE cblog=' . $blog->getID();\r
+                                                  . ' FROM '.sql_table('category')\r
+                                                  . ' WHERE cblog=' . $blog->getID();\r
                                        $template['name'] = 'defcat';\r
                                        $template['selected'] = $blog->getDefaultCategory();\r
                                        $template['tabindex'] = 110;\r
-                                       showlist($query,'select',$template);            \r
+                                       showlist($query,'select',$template);\r
                                ?>\r
-                       </td>                   \r
+                       </td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_OFFSET?> <?php help('blogtimeoffset'); ?>\r
-                           <br /><?php echo _EBLOG_STIME?> <b><?php echo  strftime("%H:%M",time()); ?></b>\r
-                           <br /><?php echo _EBLOG_BTIME?> <b><?php echo  strftime("%H:%M",$blog->getCorrectTime()); ?></b>\r
-                           </td>\r
-                       <td><input name="timeoffset" tabindex="120" size="3" value="<?php echo  htmlspecialchars($blog->getTimeOffset()); ?>" /></td>                   \r
+                               <br /><?php echo _EBLOG_STIME?> <b><?php echo  strftime("%H:%M",time()); ?></b>\r
+                               <br /><?php echo _EBLOG_BTIME?> <b><?php echo  strftime("%H:%M",$blog->getCorrectTime()); ?></b>\r
+                               </td>\r
+                       <td><input name="timeoffset" tabindex="120" size="3" value="<?php echo  htmlspecialchars($blog->getTimeOffset()); ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_SEARCH?> <?php help('blogsearchable'); ?></td>\r
-                       <td><?php $this->input_yesno('searchable',$blog->getSearchable(),122); ?></td>  \r
+                       <td><?php $this->input_yesno('searchable',$blog->getSearchable(),122); ?></td>\r
                </tr>\r
                <?php\r
                        // plugin options\r
@@ -2161,31 +2576,33 @@ class ADMIN {
                ?>\r
                <tr>\r
                        <th colspan="2"><?php echo _EBLOG_CHANGE?></th>\r
-               </tr><tr>               \r
+               </tr><tr>\r
                        <td><?php echo _EBLOG_CHANGE?></td>\r
                        <td><input type="submit" tabindex="130" value="<?php echo _EBLOG_CHANGE_BTN?>" onclick="return checkSubmit();" /></td>\r
                </tr></table>\r
-               \r
+\r
                </div></form>\r
-               \r
+\r
                <h3><?php echo _EBLOG_CAT_TITLE?></h3>\r
-               \r
 \r
-               <?php           \r
+\r
+               <?php\r
                $query = 'SELECT * FROM '.sql_table('category').' WHERE cblog='.$blog->getID().' ORDER BY cname';\r
                $template['content'] = 'categorylist';\r
                $template['tabindex'] = 200;\r
-               \r
-               $batch = new BATCH('category');\r
+\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $batch =& new BATCH('category');\r
                $batch->showlist($query,'table',$template);\r
-               \r
+\r
                ?>\r
 \r
-               \r
+\r
                <form action="index.php" method="post"><div>\r
                <input name="action" value="categorynew" type="hidden" />\r
+               <?php $manager->addTicketHidden() ?>\r
                <input name="blogid" value="<?php echo $blog->getID()?>" type="hidden" />\r
-               \r
+\r
                <table><tr>\r
                        <th colspan="2"><?php echo _EBLOG_CAT_CREATE?></th>\r
                </tr><tr>\r
@@ -2198,53 +2615,59 @@ class ADMIN {
                        <td><?php echo _EBLOG_CAT_CREATE?></td>\r
                        <td><input type="submit" value="<?php echo _EBLOG_CAT_CREATE?>" tabindex="320" /></td>\r
                </tr></table>\r
-               \r
+\r
                </div></form>\r
-               \r
-               <?php           \r
-                       echo '<h3>', _PLUGINS_EXTRA , '</h3>';\r
-               \r
+\r
+               <?php\r
+\r
+                       echo '<h3>',_PLUGINS_EXTRA,'</h3>';\r
+\r
                        $manager->notify(\r
-                               'BlogSettingsFormExtras',       \r
+                               'BlogSettingsFormExtras',\r
                                array(\r
                                        'blog' => &$blog\r
                                )\r
                        );\r
-               \r
+\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categorynew() {\r
                global $member, $manager;\r
-               \r
+\r
                $blogid = intRequestVar('blogid');\r
-               \r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                $cname = postVar('cname');\r
                $cdesc = postVar('cdesc');\r
-               \r
+\r
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
-                       \r
-               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid);\r
+\r
+               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid);\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) > 0)\r
+               if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
-                       \r
-               $blog           =& $manager->getBlog($blogid);\r
-               $newCatID       =  $blog->createNewCategory($cname, $cdesc);\r
-               \r
+\r
+               $blog      =& $manager->getBlog($blogid);\r
+               $newCatID   =  $blog->createNewCategory($cname, $cdesc);\r
+\r
                $this->action_blogsettings();\r
        }\r
-       \r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categoryedit($catid = '', $blogid = '', $desturl = '') {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                if ($blogid == '')\r
                        $blogid = intGetVar('blogid');\r
-               else \r
+               else\r
                        $blogid = intval($blogid);\r
                if ($catid == '')\r
                        $catid = intGetVar('catid');\r
@@ -2254,21 +2677,25 @@ class ADMIN {
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cblog=$blogid AND catid=$catid");\r
-               $obj = mysql_fetch_object($res);\r
+               $obj = sql_fetch_object($res);\r
 \r
                $cname = $obj->cname;\r
                $cdesc = $obj->cdesc;\r
 \r
-               $this->pagehead();\r
+               $extrahead = '<script type="text/javascript" src="javascript/numbercheck.js"></script>';\r
+               $this->pagehead($extrahead);\r
+\r
+               echo "<p><a href='index.php?action=blogsettings&amp;blogid=$blogid'>(",_BACK_TO_BLOGSETTINGS,")</a></p>";\r
 \r
                ?>\r
                <h2><?php echo _EBLOG_CAT_UPDATE?> '<?php echo htmlspecialchars($cname)?>'</h2>\r
                <form method='post' action='index.php'><div>\r
                <input name="blogid" type="hidden" value="<?php echo $blogid?>" />\r
-               <input name="catid" type="hidden" value="<?php echo $catid?>" />                        \r
-               <input name="desturl" type="hidden" value="<?php echo htmlspecialchars($desturl) ?>" />                                 \r
-               <input name="action" type="hidden" value="categoryupdate" />            \r
-               \r
+               <input name="catid" type="hidden" value="<?php echo $catid?>" />\r
+               <input name="desturl" type="hidden" value="<?php echo htmlspecialchars($desturl) ?>" />\r
+               <input name="action" type="hidden" value="categoryupdate" />\r
+               <?php $manager->addTicketHidden(); ?>\r
+\r
                <table><tr>\r
                        <th colspan="2"><?php echo _EBLOG_CAT_UPDATE ?></th>\r
                </tr><tr>\r
@@ -2278,7 +2705,7 @@ class ADMIN {
                        <td><?php echo _EBLOG_CAT_DESC?></td>\r
                        <td><input type="text" name="cdesc" value="<?php echo htmlspecialchars($cdesc)?>" size="40" maxlength="200" /></td>\r
                </tr>\r
-               <?php \r
+               <?php\r
                        // insert plugin options\r
                        $this->_insertPluginOptions('category',$catid);\r
                ?>\r
@@ -2288,16 +2715,18 @@ class ADMIN {
                        <td><?php echo _EBLOG_CAT_UPDATE?></td>\r
                        <td><input type="submit" value="<?php echo _EBLOG_CAT_UPDATE_BTN?>" /></td>\r
                </tr></table>\r
-                       \r
+\r
                </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categoryupdate() {\r
                global $member, $manager;\r
-               \r
+\r
                $blogid = intPostVar('blogid');\r
                $catid = intPostVar('catid');\r
                $cname = postVar('cname');\r
@@ -2305,28 +2734,28 @@ class ADMIN {
                $desturl = postVar('desturl');\r
 \r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
-                       \r
-               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
+\r
+               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) > 0)\r
+               if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
-                       \r
+\r
                $query =  'UPDATE '.sql_table('category').' SET'\r
-                          . " cname='" . addslashes($cname) . "',"\r
-                          . " cdesc='" . addslashes($cdesc) . "'"                         \r
+                          . " cname='" . sql_real_escape_string($cname) . "',"\r
+                          . " cdesc='" . sql_real_escape_string($cdesc) . "'"\r
                           . " WHERE catid=" . $catid;\r
-                          \r
+\r
                sql_query($query);\r
-               \r
+\r
                // store plugin options\r
                $aOptions = requestArray('plugoption');\r
                NucleusPlugin::_applyPluginOptions($aOptions);\r
-               $manager->notify('PostPluginOptionsUpdate',array('context' => 'category', 'catid' => $catid));          \r
+               $manager->notify('PostPluginOptionsUpdate',array('context' => 'category', 'catid' => $catid));\r
+\r
 \r
-               \r
                if ($desturl) {\r
                        redirect($desturl);\r
                        exit;\r
@@ -2335,55 +2764,62 @@ class ADMIN {
                }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categorydelete() {\r
-               global $member, $manager; \r
-               \r
+               global $member, $manager;\r
+\r
                $blogid = intRequestVar('blogid');\r
                $catid = intRequestVar('catid');\r
-               \r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                $blog =& $manager->getBlog($blogid);\r
-       \r
+\r
                // check if the category is valid\r
-               if (!$blog->isValidCategory($catid)) \r
+               if (!$blog->isValidCategory($catid))\r
                        $this->error(_ERROR_NOSUCHCATEGORY);\r
-       \r
+\r
                // don't allow deletion of default category\r
                if ($blog->getDefaultCategory() == $catid)\r
                        $this->error(_ERROR_DELETEDEFCATEGORY);\r
-               \r
+\r
                // check if catid is the only category left for blogid\r
                $query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) == 1)\r
+               if (sql_num_rows($res) == 1)\r
                        $this->error(_ERROR_DELETELASTCATEGORY);\r
-               \r
-               \r
+\r
+\r
                $this->pagehead();\r
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
-                       \r
+\r
                        <div>\r
-                       <?php echo _CONFIRMTXT_CATEGORY?><b><?php echo  $blog->getCategoryName($catid)?></b>\r
+                       <?php echo _CONFIRMTXT_CATEGORY?><b><?php echo  htmlspecialchars($blog->getCategoryName($catid))?></b>\r
                        </div>\r
-                       \r
+\r
                        <form method="post" action="index.php"><div>\r
                        <input type="hidden" name="action" value="categorydeleteconfirm" />\r
+                       <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="blogid" value="<?php echo $blogid?>" />\r
-                       <input type="hidden" name="catid" value="<?php echo $catid?>" />                                                \r
+                       <input type="hidden" name="catid" value="<?php echo $catid?>" />\r
                        <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categorydeleteconfirm() {\r
-               global $member, $manager; \r
-               \r
+               global $member, $manager;\r
+\r
                $blogid = intRequestVar('blogid');\r
                $catid = intRequestVar('catid');\r
-               \r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                $error = $this->deleteOneCategory($catid);\r
@@ -2391,84 +2827,90 @@ class ADMIN {
                        $this->error($error);\r
 \r
                $this->action_blogsettings();\r
-       }       \r
+       }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOneCategory($catid) {\r
                global $manager, $member;\r
-               \r
+\r
                $catid = intval($catid);\r
-               \r
-               $manager->notify('PreDeleteCategory', array('catid' => $catid));                \r
 \r
                $blogid = getBlogIDFromCatID($catid);\r
-               \r
+\r
                if (!$member->blogAdminRights($blogid))\r
                        return ERROR_DISALLOWED;\r
-               \r
+\r
                // get blog\r
                $blog =& $manager->getBlog($blogid);\r
 \r
                // check if the category is valid\r
-               if (!$blog || !$blog->isValidCategory($catid)) \r
+               if (!$blog || !$blog->isValidCategory($catid))\r
                        return _ERROR_NOSUCHCATEGORY;\r
-       \r
+\r
                $destcatid = $blog->getDefaultCategory();\r
-               \r
+\r
                // don't allow deletion of default category\r
                if ($blog->getDefaultCategory() == $catid)\r
                        return _ERROR_DELETEDEFCATEGORY;\r
-               \r
+\r
                // check if catid is the only category left for blogid\r
                $query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) == 1)\r
+               if (sql_num_rows($res) == 1)\r
                        return _ERROR_DELETELASTCATEGORY;\r
-                       \r
+\r
+               $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
+\r
                // change category for all items to the default category\r
                $query = 'UPDATE '.sql_table('item')." SET icat=$destcatid WHERE icat=$catid";\r
                sql_query($query);\r
-               \r
+\r
                // delete all associated plugin options\r
                NucleusPlugin::_deleteOptionValues('category', $catid);\r
-               \r
+\r
                // delete category\r
                $query = 'DELETE FROM '.sql_table('category').' WHERE catid=' .$catid;\r
                sql_query($query);\r
-               \r
-               $manager->notify('PostDeleteCategory', array('catid' => $catid));                               \r
+\r
+               $manager->notify('PostDeleteCategory', array('catid' => $catid));\r
 \r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function moveOneCategory($catid, $destblogid) {\r
                global $manager, $member;\r
 \r
                $catid = intval($catid);\r
                $destblogid = intval($destblogid);\r
-               \r
+\r
                $blogid = getBlogIDFromCatID($catid);\r
-               \r
+\r
                // mover should have admin rights on both blogs\r
                if (!$member->blogAdminRights($blogid))\r
                        return _ERROR_DISALLOWED;\r
                if (!$member->blogAdminRights($destblogid))\r
                        return _ERROR_DISALLOWED;\r
-                       \r
+\r
                // cannot move to self\r
                if ($blogid == $destblogid)\r
                        return _ERROR_MOVETOSELF;\r
-               \r
+\r
                // get blogs\r
                $blog =& $manager->getBlog($blogid);\r
-               $destblog =& $manager->getBlog($destblogid);            \r
-               \r
+               $destblog =& $manager->getBlog($destblogid);\r
+\r
                // check if the category is valid\r
-               if (!$blog || !$blog->isValidCategory($catid)) \r
+               if (!$blog || !$blog->isValidCategory($catid))\r
                        return _ERROR_NOSUCHCATEGORY;\r
-                       \r
+\r
                // don't allow default category to be moved\r
                if ($blog->getDefaultCategory() == $catid)\r
                        return _ERROR_MOVEDEFCATEGORY;\r
-                       \r
+\r
                $manager->notify(\r
                        'PreMoveCategory',\r
                        array(\r
@@ -2477,11 +2919,11 @@ class ADMIN {
                                'destblog' => &$destblog\r
                        )\r
                );\r
-               \r
+\r
                // update comments table (cblog)\r
                $query = 'SELECT inumber FROM '.sql_table('item').' WHERE icat='.$catid;\r
                $items = sql_query($query);\r
-               while ($oItem = mysql_fetch_object($items)) {\r
+               while ($oItem = sql_fetch_object($items)) {\r
                        sql_query('UPDATE '.sql_table('comment').' SET cblog='.$destblogid.' WHERE citem='.$oItem->inumber);\r
                }\r
 \r
@@ -2489,7 +2931,7 @@ class ADMIN {
                $query = 'UPDATE '.sql_table('item').' SET iblog='.$destblogid.' WHERE icat='.$catid;\r
                sql_query($query);\r
 \r
-               // move category \r
+               // move category\r
                $query = 'UPDATE '.sql_table('category').' SET cblog='.$destblogid.' WHERE catid='.$catid;\r
                sql_query($query);\r
 \r
@@ -2500,47 +2942,50 @@ class ADMIN {
                                'sourceblog' => &$blog,\r
                                'destblog' => $destblog\r
                        )\r
-               );              \r
-               \r
+               );\r
+\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_blogsettingsupdate() {\r
                global $member, $manager;\r
-               \r
+\r
                $blogid = intRequestVar('blogid');\r
-               \r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                $blog =& $manager->getBlog($blogid);\r
-               \r
-               $notify                 = trim(postVar('notify'));\r
-               $shortname              = trim(postVar('shortname'));\r
-               $updatefile             = trim(postVar('update'));\r
-               \r
-               $notifyComment  = intPostVar('notifyComment');\r
-               $notifyVote             = intPostVar('notifyVote');\r
-               $notifyNewItem  = intPostVar('notifyNewItem');          \r
-               \r
+\r
+               $notify          = trim(postVar('notify'));\r
+               $shortname        = trim(postVar('shortname'));\r
+               $updatefile      = trim(postVar('update'));\r
+\r
+               $notifyComment  = intPostVar('notifyComment');\r
+               $notifyVote      = intPostVar('notifyVote');\r
+               $notifyNewItem  = intPostVar('notifyNewItem');\r
+\r
                if ($notifyComment == 0)        $notifyComment = 1;\r
-               if ($notifyVote == 0)           $notifyVote = 1;                \r
-               if ($notifyNewItem == 0)        $notifyNewItem = 1;             \r
-               \r
+               if ($notifyVote == 0)      $notifyVote = 1;\r
+               if ($notifyNewItem == 0)        $notifyNewItem = 1;\r
+\r
                $notifyType = $notifyComment * $notifyVote * $notifyNewItem;\r
-               \r
-               \r
+\r
+\r
                if ($notify) {\r
-                       $not = new NOTIFICATION($notify);\r
+                       $not =& new NOTIFICATION($notify);\r
                        if (!$not->validAddresses())\r
                                $this->error(_ERROR_BADNOTIFY);\r
-                       \r
+\r
                }\r
-                       \r
+\r
                if (!isValidShortName($shortname))\r
                        $this->error(_ERROR_BADSHORTBLOGNAME);\r
-                       \r
+\r
                if (($blog->getShortName() != $shortname) && $manager->existsBlog($shortname))\r
                        $this->error(_ERROR_DUPSHORTBLOGNAME);\r
-                       \r
+\r
                // check if update file is writable\r
                if ($updatefile && !is_writeable($updatefile))\r
                        $this->error(_ERROR_UPDATEFILE);\r
@@ -2548,7 +2993,7 @@ class ADMIN {
                $blog->setName(trim(postVar('name')));\r
                $blog->setShortName($shortname);\r
                $blog->setNotifyAddress($notify);\r
-               $blog->setNotifyType($notifyType);              \r
+               $blog->setNotifyType($notifyType);\r
                $blog->setMaxComments(postVar('maxcomments'));\r
                $blog->setCommentsEnabled(postVar('comments'));\r
                $blog->setTimeOffset(postVar('timeoffset'));\r
@@ -2557,65 +3002,72 @@ class ADMIN {
                $blog->setDefaultSkin(intPostVar('defskin'));\r
                $blog->setDescription(trim(postVar('desc')));\r
                $blog->setPublic(postVar('public'));\r
-               $blog->setPingUserland(postVar('pinguserland'));\r
                $blog->setConvertBreaks(intPostVar('convertbreaks'));\r
-               $blog->setAllowPastPosting(intPostVar('allowpastposting'));             \r
+               $blog->setAllowPastPosting(intPostVar('allowpastposting'));\r
                $blog->setDefaultCategory(intPostVar('defcat'));\r
                $blog->setSearchable(intPostVar('searchable'));\r
+               $blog->setEmailRequired(intPostVar('reqemail'));\r
 \r
                $blog->writeSettings();\r
-               \r
+\r
                // store plugin options\r
                $aOptions = requestArray('plugoption');\r
                NucleusPlugin::_applyPluginOptions($aOptions);\r
-               $manager->notify('PostPluginOptionsUpdate',array('context' => 'blog', 'blogid' => $blogid, 'blog' => &$blog));          \r
-               \r
-               \r
+               $manager->notify('PostPluginOptionsUpdate',array('context' => 'blog', 'blogid' => $blogid, 'blog' => &$blog));\r
+\r
+\r
                $this->action_overview(_MSG_SETTINGSCHANGED);\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_deleteblog() {\r
                global $member, $CONF, $manager;\r
-               \r
-               $blogid = intRequestVar('blogid');              \r
-               \r
+\r
+               $blogid = intRequestVar('blogid');\r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                // check if blog is default blog\r
                if ($CONF['DefaultBlog'] == $blogid)\r
                        $this->error(_ERROR_DELDEFBLOG);\r
-                       \r
+\r
                $blog =& $manager->getBlog($blogid);\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
-                       \r
+\r
                        <p><?php echo _WARNINGTXT_BLOGDEL?>\r
                        </p>\r
-                       \r
+\r
                        <div>\r
                        <?php echo _CONFIRMTXT_BLOG?><b><?php echo  htmlspecialchars($blog->getName())?></b>\r
                        </div>\r
-                       \r
+\r
                        <form method="post" action="index.php"><div>\r
                        <input type="hidden" name="action" value="deleteblogconfirm" />\r
+                       <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
                        <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_deleteblogconfirm() {\r
                global $member, $CONF, $manager;\r
-               \r
-               $blogid = intRequestVar('blogid');              \r
-               \r
-               $manager->notify('PreDeleteBlog', array('blogid' => $blogid));                          \r
-               \r
+\r
+               $blogid = intRequestVar('blogid');\r
+\r
+               $manager->notify('PreDeleteBlog', array('blogid' => $blogid));\r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
+\r
                // check if blog is default blog\r
                if ($CONF['DefaultBlog'] == $blogid)\r
                        $this->error(_ERROR_DELDEFBLOG);\r
@@ -2624,143 +3076,170 @@ class ADMIN {
                $query = 'DELETE FROM '.sql_table('comment').' WHERE cblog='.$blogid;\r
                sql_query($query);\r
 \r
-               // delete all items             \r
+               // delete all items\r
                $query = 'DELETE FROM '.sql_table('item').' WHERE iblog='.$blogid;\r
                sql_query($query);\r
-               \r
+\r
                // delete all team members\r
                $query = 'DELETE FROM '.sql_table('team').' WHERE tblog='.$blogid;\r
                sql_query($query);\r
-               \r
+\r
                // delete all bans\r
                $query = 'DELETE FROM '.sql_table('ban').' WHERE blogid='.$blogid;\r
                sql_query($query);\r
-               \r
+\r
                // delete all categories\r
                $query = 'DELETE FROM '.sql_table('category').' WHERE cblog='.$blogid;\r
                sql_query($query);\r
-               \r
+\r
                // delete all associated plugin options\r
                NucleusPlugin::_deleteOptionValues('blog', $blogid);\r
-               \r
+\r
                // delete the blog itself\r
                $query = 'DELETE FROM '.sql_table('blog').' WHERE bnumber='.$blogid;\r
                sql_query($query);\r
-               \r
-               $manager->notify('PostDeleteBlog', array('blogid' => $blogid));                                         \r
-               \r
+\r
+               $manager->notify('PostDeleteBlog', array('blogid' => $blogid));\r
+\r
                $this->action_overview(_DELETED_BLOG);\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_memberdelete() {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                $memberid = intRequestVar('memberid');\r
-       \r
+\r
                ($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $mem = MEMBER::createFromID($memberid);\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
-                       \r
-                       <p><?php echo _CONFIRMTXT_MEMBER?><b><?php echo  $mem->getDisplayName() ?></b>\r
+\r
+                       <p><?php echo _CONFIRMTXT_MEMBER?><b><?php echo htmlspecialchars($mem->getDisplayName()) ?></b>\r
                        </p>\r
-                       \r
+\r
                        <p>\r
-                       Please note that media files will <b>NOT</b> be deleted. (At least not in this Nucleus version)\r
+                       <?php echo _WARNINGTXT_NOTDELMEDIAFILES ?>\r
                        </p>\r
-                       \r
+\r
                        <form method="post" action="index.php"><div>\r
                        <input type="hidden" name="action" value="memberdeleteconfirm" />\r
+                       <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="memberid" value="<?php echo  $memberid; ?>" />\r
                        <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
                        </div></form>\r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_memberdeleteconfirm() {\r
                global $member;\r
-               \r
-               $memberid = intRequestVar('memberid');          \r
-               \r
+\r
+               $memberid = intRequestVar('memberid');\r
+\r
                ($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $error = $this->deleteOneMember($memberid);\r
                if ($error)\r
                        $this->error($error);\r
-               \r
+\r
                if ($member->isAdmin())\r
                        $this->action_usermanagement();\r
                else\r
                        $this->action_overview(_DELETED_MEMBER);\r
-       }       \r
-       \r
+       }\r
+\r
+       /**\r
+        * @static\r
+        * @todo document this\r
+        */\r
        function deleteOneMember($memberid) {\r
                global $manager;\r
-               \r
+\r
                $memberid = intval($memberid);\r
                $mem = MEMBER::createFromID($memberid);\r
-               \r
-               if (!$mem->canBeDeleted()) \r
-                       return _ERROR_DELETEMEMBER;     \r
 \r
-               $manager->notify('PreDeleteMember', array('member' => &$mem));                          \r
-               \r
+               if (!$mem->canBeDeleted())\r
+                       return _ERROR_DELETEMEMBER;\r
+\r
+               $manager->notify('PreDeleteMember', array('member' => &$mem));\r
+\r
+               /* unlink comments from memberid */\r
+               if ($memberid) {\r
+                       $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. sql_real_escape_string($mem->getDisplayName())\r
+                                  .'" WHERE cmember='.$memberid;\r
+                       sql_query($query);\r
+               }\r
+\r
                $query = 'DELETE FROM '.sql_table('member').' WHERE mnumber='.$memberid;\r
                sql_query($query);\r
 \r
                $query = 'DELETE FROM '.sql_table('team').' WHERE tmember='.$memberid;\r
-               sql_query($query);      \r
-               \r
+               sql_query($query);\r
+\r
+               $query = 'DELETE FROM '.sql_table('activation').' WHERE vmember='.$memberid;\r
+               sql_query($query);\r
+\r
                // delete all associated plugin options\r
                NucleusPlugin::_deleteOptionValues('member', $memberid);\r
-               \r
-               $manager->notify('PostDeleteMember', array('member' => &$mem));                                         \r
-               \r
+\r
+               $manager->notify('PostDeleteMember', array('member' => &$mem));\r
+\r
                return '';\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_createnewlog() {\r
-               global $member, $CONF;\r
-               \r
+               global $member, $CONF, $manager;\r
+\r
                // Only Super-Admins can do this\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $this->pagehead();\r
 \r
                echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';\r
                ?>\r
                <h2><?php echo _EBLOG_CREATE_TITLE?></h2>\r
-               \r
-               <h3>注意事項</h3>\r
-               \r
-               <p>作成にあたって、下記の<strong>注意事項</strong> をまずお読み下さい</p>\r
-               \r
-               <p>新しいweblogを作成した後に、このblogにアクセスするための方法を紹介しておきます。方法は2つあります:</p>\r
-               \r
+\r
+               <h3><?php echo _ADMIN_NOTABILIA ?></h3>\r
+\r
+               <p><?php echo _ADMIN_PLEASE_READ ?></p>\r
+\r
+               <p><?php echo _ADMIN_HOW_TO_ACCESS ?></p>\r
+\r
                <ol>\r
-                       <li><strong>簡単な方法:</strong> <code>index.php</code>の複製を作り、新しいblogを表示するように変更を加えます。 この変更の詳細は、作成後に表示されます。Further instructions on how to do this will be provided after you've submitted this first form.</li>\r
-                       <li><strong>高度な方法:</strong> 現在のblogで使用しているスキンに<code>otherblog</code>というコードを使った記述を加えます。この方法では、同じページ内で複数のblogを展開することが可能となります。</li>\r
+                       <li><?php echo _ADMIN_SIMPLE_WAY ?></li>\r
+                       <li><?php echo _ADMIN_ADVANCED_WAY ?></li>\r
                </ol>\r
-               \r
-               <h3>Weblogの作成</h3>\r
-               \r
+\r
+               <h3><?php echo _ADMIN_HOW_TO_CREATE ?></h3>\r
+\r
                <p>\r
                <?php echo _EBLOG_CREATE_TEXT?>\r
                </p>\r
-               \r
+\r
                <form method="post" action="index.php"><div>\r
-               \r
+\r
                <input type="hidden" name="action" value="addnewlog" />\r
+               <?php $manager->addTicketHidden() ?>\r
+\r
+\r
                <table><tr>\r
                        <td><?php echo _EBLOG_NAME?></td>\r
                        <td><input name="name" tabindex="10" size="40" maxlength="60" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_SHORTNAME?>\r
-                           <?php help('shortblogname'); ?>\r
+                               <?php help('shortblogname'); ?>\r
                        </td>\r
                        <td><input name="shortname" tabindex="20" maxlength="15" size="15" /></td>\r
                </tr><tr>\r
@@ -2768,97 +3247,109 @@ class ADMIN {
                        <td><input name="desc" tabindex="30" maxlength="200" size="40" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_DEFSKIN?>\r
-                           <?php help('blogdefaultskin'); ?>\r
+                               <?php help('blogdefaultskin'); ?>\r
                        </td>\r
                        <td>\r
-                               <?php \r
+                               <?php\r
                                        $query =  'SELECT sdname as text, sdnumber as value'\r
-                                              . ' FROM '.sql_table('skin_desc');\r
+                                                  . ' FROM '.sql_table('skin_desc');\r
                                        $template['name'] = 'defskin';\r
                                        $template['tabindex'] = 50;\r
-                                       $template['selected'] = $CONF['BaseSkin'];      // set default selected skin to be globally defined base skin\r
-                                       showlist($query,'select',$template);            \r
+                                       $template['selected'] = $CONF['BaseSkin'];  // set default selected skin to be globally defined base skin\r
+                                       showlist($query,'select',$template);\r
                                ?>\r
                        </td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_OFFSET?>\r
-                           <?php help('blogtimeoffset'); ?>\r
-                           <br /><?php echo _EBLOG_STIME?> <b><?php echo  strftime("%H:%M",time()); ?></b>\r
+                               <?php help('blogtimeoffset'); ?>\r
+                               <br /><?php echo _EBLOG_STIME?> <b><?php echo  strftime("%H:%M",time()); ?></b>\r
                        </td>\r
-                       <td><input name="timeoffset" tabindex="110" size="3" value="0" /></td>                  \r
+                       <td><input name="timeoffset" tabindex="110" size="3" value="0" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_ADMIN?>\r
-                           <?php help('blogadmin'); ?>\r
+                               <?php help('teamadmin'); ?>\r
                        </td>\r
                        <td><?php echo _EBLOG_ADMIN_MSG?></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_CREATE?></td>\r
                        <td><input type="submit" tabindex="120" value="<?php echo _EBLOG_CREATE_BTN?>" onclick="return checkSubmit();" /></td>\r
                </tr></table>\r
-               \r
+\r
                </div></form>\r
-               <?php           \r
-               $this->pagefoot();      \r
+               <?php\r
+               $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_addnewlog() {\r
                global $member, $manager, $CONF;\r
-               \r
+\r
                // Only Super-Admins can do this\r
                $member->isAdmin() or $this->disallow();\r
-               \r
-               $bname                  = trim(postVar('name'));\r
-               $bshortname             = trim(postVar('shortname'));\r
+\r
+               $bname            = trim(postVar('name'));\r
+               $bshortname      = trim(postVar('shortname'));\r
                $btimeoffset    = postVar('timeoffset');\r
-               $bdesc                  = trim(postVar('desc'));\r
-               $bdefskin               = postVar('defskin');\r
-               \r
+               $bdesc            = trim(postVar('desc'));\r
+               $bdefskin          = postVar('defskin');\r
+\r
                if (!isValidShortName($bshortname))\r
                        $this->error(_ERROR_BADSHORTBLOGNAME);\r
-                       \r
+\r
                if ($manager->existsBlog($bshortname))\r
                        $this->error(_ERROR_DUPSHORTBLOGNAME);\r
-                       \r
+\r
                $manager->notify(\r
                        'PreAddBlog',\r
                        array(\r
-                               'name' => &$bname,\r
-                               'shortname' => &$bshortname,\r
-                               'timeoffset' => &$btimeoffset,\r
-                               'description' => &$bdescription,\r
+                               'name'          => &$bname,\r
+                               'shortname'   => &$bshortname,\r
+                               'timeoffset'  => &$btimeoffset,\r
+                               'description' => &$bdesc,\r
                                'defaultskin' => &$bdefskin\r
                        )\r
                );\r
 \r
 \r
                // add slashes for sql queries\r
-               $bname =                addslashes($bname);\r
-               $bshortname =   addslashes($bshortname);\r
-               $btimeoffset =  addslashes($btimeoffset);\r
-               $bdesc =                addslashes($bdesc);\r
-               $bdefskin =     addslashes($bdefskin);\r
-               \r
+               $bname     = sql_real_escape_string($bname);\r
+               $bshortname  = sql_real_escape_string($bshortname);\r
+               $btimeoffset = sql_real_escape_string($btimeoffset);\r
+               $bdesc     = sql_real_escape_string($bdesc);\r
+               $bdefskin       = sql_real_escape_string($bdefskin);\r
+\r
                // create blog\r
                $query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
                sql_query($query);\r
-               $blogid = mysql_insert_id();\r
-               $blog   =& $manager->getBlog($blogid);\r
-               \r
+               $blogid = sql_insert_id();\r
+               $blog   =& $manager->getBlog($blogid);\r
+\r
                // create new category\r
-               sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, 'General','Items that do not fit in other categories')");\r
-               $catid = mysql_insert_id();\r
+               $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');\r
+               $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');\r
+               $sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
+               sql_query(sprintf($sql, sql_table('category'), $blogid, $catdefname, $catdefdesc));\r
+//             sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
+               $catid = sql_insert_id();\r
 \r
                // set as default category\r
                $blog->setDefaultCategory($catid);\r
                $blog->writeSettings();\r
-       \r
-               // create team member   \r
+\r
+               // create team member\r
                $memberid = $member->getID();\r
                $query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
                sql_query($query);\r
-       \r
-\r
-               $blog->additem($blog->getDefaultCategory(),'First Item','これはあなたのweblogにおける最初のアイテムです。自由に削除していただいてかまいません。','',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               \r
+               $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');\r
+               $itemdefbody = (defined('_EBLOG_FIRSTITEM_BODY') ? _EBLOG_FIRSTITEM_BODY : 'This is the first item in your weblog. Feel free to delete it.');\r
+               \r
+               $blog->additem($blog->getDefaultCategory(),$itemdeftitle,$itemdefbody,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               //$blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               \r
+               \r
                \r
                $manager->notify(\r
                        'PostAddBlog',\r
@@ -2866,28 +3357,31 @@ class ADMIN {
                                'blog' => &$blog\r
                        )\r
                );\r
-               \r
+\r
                $manager->notify(\r
                        'PostAddCategory',\r
                        array(\r
-                               'catid' => $catid\r
+                               'blog'          => &$blog,\r
+                               'name'          => _EBLOGDEFAULTCATEGORY_NAME,\r
+                               'description' => _EBLOGDEFAULTCATEGORY_DESC,\r
+                               'catid'    => $catid\r
                        )\r
                );\r
-               \r
+\r
                $this->pagehead();\r
                ?>\r
-               <h2>新しいweblogが作成されました</h2>\r
-               \r
-               <p>新しいweblog 「<?php echo htmlspecialchars($bname)?>」が作成されました。続けて、これにアクセスするために以下のどちらかの手順に進んでください。</p>\r
-               \r
+               <h2><?php echo _BLOGCREATED_TITLE ?></h2>\r
+\r
+               <p><?php echo sprintf(_BLOGCREATED_ADDEDTXT, htmlspecialchars($bname)) ?></p>\r
+\r
                <ol>\r
-                       <li><a href="#index_php">簡単な方法: 下のコードを貼付けた <code><?php echo htmlspecialchars($bshortname)?>.php</code> というファイルを作成する</a></li>\r
-                       <li><a href="#skins">高度な方法: 現在使用しているスキンに新しいweblogを展開させるための記述を加える</a></li>                 \r
+                       <li><a href="#index_php"><?php echo sprintf(_BLOGCREATED_SIMPLEWAY, htmlspecialchars($bshortname)) ?></a></li>\r
+                       <li><a href="#skins"><?php echo _BLOGCREATED_ADVANCEDWAY ?></a></li>\r
                </ol>\r
-               \r
-               <h3><a id="index_php">方法 1: <code><?php echo htmlspecialchars($bshortname)?>.php</code> というファイルを作成</a></h3>\r
-               \r
-               <p><code><?php echo htmlspecialchars($bshortname)?>.php</code> というファイルを作成して、中身に以下のコードを貼り付ける:</p>\r
+\r
+               <h3><a id="index_php"><?php echo sprintf(_BLOGCREATED_SIMPLEDESC1, htmlspecialchars($bshortname)) ?></a></h3>\r
+\r
+               <p><?php echo sprintf(_BLOGCREATED_SIMPLEDESC2, htmlspecialchars($bshortname)) ?></p>\r
 <pre><code>&lt;?php\r
 \r
 $CONF['Self'] = '<b><?php echo htmlspecialchars($bshortname)?>.php</b>';\r
@@ -2899,13 +3393,14 @@ selector();
 \r
 ?&gt;</code></pre>\r
 \r
-               <p>すでにある<code>index.php</code>と同じディレクトリにアップロードします。</p>\r
-               \r
-               <p>新しいweblogの作成を完了するためには、下にこのファイルのURLを入力してください。 (すでに用意した値で合っているとは思いますが保証はしません):</p>\r
-               \r
+               <p><?php echo _BLOGCREATED_SIMPLEDESC3 ?></p>\r
+\r
+               <p><?php echo _BLOGCREATED_SIMPLEDESC4 ?></p>\r
+\r
                <form action="index.php" method="post"><div>\r
-                       <input type="hidden" name="action" value="addnewlog2" />                \r
-                       <input type="hidden" name="blogid" value="<?php echo intval($blogid)?>" />                                              \r
+                       <input type="hidden" name="action" value="addnewlog2" />\r
+                       <?php $manager->addTicketHidden() ?>\r
+                       <input type="hidden" name="blogid" value="<?php echo intval($blogid)?>" />\r
                        <table><tr>\r
                                <td><?php echo _EBLOG_URL?></td>\r
                                <td><input name="url" maxlength="100" size="40" value="<?php echo htmlspecialchars($CONF['IndexURL'].$bshortname.'.php')?>" /></td>\r
@@ -2914,14 +3409,15 @@ selector();
                                <td><input type="submit" value="<?php echo _EBLOG_CREATE_BTN?>" onclick="return checkSubmit();" /></td>\r
                        </tr></table>\r
                </div></form>\r
-               \r
-               <h3><a id="skins">方法 2: 現在使用しているスキンに新しいweblogを展開する記述を加える</a></h3>\r
 \r
-               <p>新しいweblogの作成を完了するためには、下にURLを入力してください。 (大抵は既存blogと同じURL)</p>\r
-               \r
+               <h3><a id="skins"><?php echo _BLOGCREATED_ADVANCEDWAY2 ?></a></h3>\r
+\r
+               <p><?php echo _BLOGCREATED_ADVANCEDWAY3 ?></p>\r
+\r
                <form action="index.php" method="post"><div>\r
                        <input type="hidden" name="action" value="addnewlog2" />\r
-                       <input type="hidden" name="blogid" value="<?php echo intval($blogid)?>" />                      \r
+                       <?php $manager->addTicketHidden() ?>\r
+                       <input type="hidden" name="blogid" value="<?php echo intval($blogid)?>" />\r
                        <table><tr>\r
                                <td><?php echo _EBLOG_URL?></td>\r
                                <td><input name="url" maxlength="100" size="40" /></td>\r
@@ -2930,43 +3426,49 @@ selector();
                                <td><input type="submit" value="<?php echo _EBLOG_CREATE_BTN?>" onclick="return checkSubmit();" /></td>\r
                        </tr></table>\r
                </div></form>\r
-               \r
-               <?php           $this->pagefoot();              \r
-               \r
+\r
+               <?php      $this->pagefoot();\r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_addnewlog2() {\r
                global $member, $manager;\r
-               \r
+\r
                $member->blogAdminRights($blogid) or $this->disallow();\r
-               \r
-               $burl   = requestVar('url');\r
-               $blogid = intRequestVar('blogid');\r
-               \r
-               $blog =& $manager->getBlog($blogid);            \r
+\r
+               $burl   = requestVar('url');\r
+               $blogid = intRequestVar('blogid');\r
+\r
+               $blog =& $manager->getBlog($blogid);\r
                $blog->setURL(trim($burl));\r
-               $blog->writeSettings();         \r
-               \r
+               $blog->writeSettings();\r
+\r
                $this->action_overview(_MSG_NEWBLOG);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinieoverview() {\r
-               global $member, $DIR_LIBS;\r
-               \r
+               global $member, $DIR_LIBS, $manager;\r
+\r
                $member->isAdmin() or $this->disallow();\r
 \r
                // load skinie class\r
                include_once($DIR_LIBS . 'skinie.php');\r
-               \r
+\r
                $this->pagehead();\r
-               \r
-               echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';                \r
-               \r
+\r
+               echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';\r
+\r
        ?>\r
-               <h2><?php echo _SKINIE_TITLE_IMPORT?></h2>      \r
-                       \r
+               <h2><?php echo _SKINIE_TITLE_IMPORT?></h2>\r
+\r
                                <p><label for="skinie_import_local"><?php echo _SKINIE_LOCAL?></label>\r
-                               <?php                                   global $DIR_SKINS;\r
+                               <?php                              global $DIR_SKINS;\r
 \r
                                        $candidates = SKINIMPORT::searchForCandidates($DIR_SKINS);\r
 \r
@@ -2974,9 +3476,10 @@ selector();
                                                ?>\r
                                                        <form method="post" action="index.php"><div>\r
                                                                <input type="hidden" name="action" value="skinieimport" />\r
+                                                               <?php $manager->addTicketHidden() ?>\r
                                                                <input type="hidden" name="mode" value="file" />\r
                                                                <select name="skinfile" id="skinie_import_local">\r
-                                                               <?php                                                                   foreach ($candidates as $skinname => $skinfile) {\r
+                                                               <?php                                                              foreach ($candidates as $skinname => $skinfile) {\r
                                                                                $html = htmlspecialchars($skinfile);\r
                                                                                echo '<option value="',$html,'">',$skinname,'</option>';\r
                                                                        }\r
@@ -2984,104 +3487,113 @@ selector();
                                                                </select>\r
                                                                <input type="submit" value="<?php echo _SKINIE_BTN_IMPORT?>" />\r
                                                        </div></form>\r
-                                               <?php                                   } else {\r
+                                               <?php                              } else {\r
                                                echo _SKINIE_NOCANDIDATES;\r
                                        }\r
                                ?>\r
                                </p>\r
-                               \r
+\r
                                <p><em><?php echo _OR?></em></p>\r
-                               \r
+\r
                                <form method="post" action="index.php"><p>\r
+                                       <?php $manager->addTicketHidden() ?>\r
                                        <input type="hidden" name="action" value="skinieimport" />\r
-                                       <input type="hidden" name="mode" value="url" />                                 \r
+                                       <input type="hidden" name="mode" value="url" />\r
                                        <label for="skinie_import_url"><?php echo _SKINIE_FROMURL?></label>\r
                                        <input type="text" name="skinfile" id="skinie_import_url" size="60" value="http://" />\r
                                        <input type="submit" value="<?php echo _SKINIE_BTN_IMPORT?>" />\r
                                </p></form>\r
 \r
-       \r
+\r
                <h2><?php echo _SKINIE_TITLE_EXPORT?></h2>\r
                <form method="post" action="index.php"><div>\r
                        <input type="hidden" name="action" value="skinieexport" />\r
-                       \r
+                       <?php $manager->addTicketHidden() ?>\r
+\r
                        <p><?php echo _SKINIE_EXPORT_INTRO?></p>\r
-                       \r
+\r
                        <table><tr>\r
                                <th colspan="2"><?php echo _SKINIE_EXPORT_SKINS?></th>\r
                        </tr><tr>\r
-       <?php           // show list of skins\r
+       <?php      // show list of skins\r
                $res = sql_query('SELECT * FROM '.sql_table('skin_desc'));\r
-               while ($skinObj = mysql_fetch_object($res)) {\r
+               while ($skinObj = sql_fetch_object($res)) {\r
                        $id = 'skinexp' . $skinObj->sdnumber;\r
                        echo '<td><input type="checkbox" name="skin[',$skinObj->sdnumber,']"  id="',$id,'" />';\r
                        echo '<label for="',$id,'">',htmlspecialchars($skinObj->sdname),'</label></td>';\r
-                       echo '<td>',htmlspecialchars($skinObj->sddesc),'</td>';                 \r
+                       echo '<td>',htmlspecialchars($skinObj->sddesc),'</td>';\r
                        echo '</tr><tr>';\r
                }\r
-               \r
+\r
                echo '<th colspan="2">',_SKINIE_EXPORT_TEMPLATES,'</th></tr><tr>';\r
-               \r
+\r
                // show list of templates\r
                $res = sql_query('SELECT * FROM '.sql_table('template_desc'));\r
-               while ($templateObj = mysql_fetch_object($res)) {\r
-                       $id = 'templateexp' . $templateObj->tdnumber;           \r
+               while ($templateObj = sql_fetch_object($res)) {\r
+                       $id = 'templateexp' . $templateObj->tdnumber;\r
                        echo '<td><input type="checkbox" name="template[',$templateObj->tdnumber,']" id="',$id,'" />';\r
                        echo '<label for="',$id,'">',htmlspecialchars($templateObj->tdname),'</label></td>';\r
-                       echo '<td>',htmlspecialchars($templateObj->tddesc),'</td>';                     \r
+                       echo '<td>',htmlspecialchars($templateObj->tddesc),'</td>';\r
                        echo '</tr><tr>';\r
                }\r
-               \r
+\r
        ?>\r
                                <th colspan="2"><?php echo _SKINIE_EXPORT_EXTRA?></th>\r
                        </tr><tr>\r
                                <td colspan="2"><textarea cols="40" rows="5" name="info"></textarea></td>\r
-                       </tr><tr>                               \r
+                       </tr><tr>\r
                                <th colspan="2"><?php echo _SKINIE_TITLE_EXPORT?></th>\r
                        </tr><tr>\r
                                <td colspan="2"><input type="submit" value="<?php echo _SKINIE_BTN_EXPORT?>" /></td>\r
                        </tr></table>\r
                </div></form>\r
-       \r
-       <?php   \r
+\r
+       <?php\r
                $this->pagefoot();\r
-               \r
+\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinieimport() {\r
-               global $member, $DIR_LIBS, $DIR_SKINS;\r
-               \r
+               global $member, $DIR_LIBS, $DIR_SKINS, $manager;\r
+\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                // load skinie class\r
                include_once($DIR_LIBS . 'skinie.php');\r
-               \r
+\r
                $skinFileRaw= postVar('skinfile');\r
-               $mode           = postVar('mode');\r
+               $mode      = postVar('mode');\r
+\r
+               $importer =& new SKINIMPORT();\r
 \r
-               $importer = new SKINIMPORT();\r
-               \r
                // get full filename\r
                if ($mode == 'file')\r
                {\r
                        $skinFile = $DIR_SKINS . $skinFileRaw . '/skinbackup.xml';\r
-                       \r
+\r
                        // backwards compatibilty (in v2.0, exports were saved as skindata.xml)\r
                        if (!file_exists($skinFile))\r
                                $skinFile = $DIR_SKINS . $skinFileRaw . '/skindata.xml';\r
                } else {\r
                        $skinFile = $skinFileRaw;\r
                }\r
-               \r
+\r
                // read only metadata\r
-               $error = $importer->readFile($skinFile, 1);     \r
-               \r
+               $error = $importer->readFile($skinFile, 1);\r
+\r
+               // clashes\r
+               $skinNameClashes = $importer->checkSkinNameClashes();\r
+               $templateNameClashes = $importer->checkTemplateNameClashes();\r
+               $hasNameClashes = (count($skinNameClashes) > 0) || (count($templateNameClashes) > 0);\r
 \r
                if ($error) $this->error($error);\r
 \r
                $this->pagehead();\r
 \r
-               echo '<p><a href="index.php?action=skinieoverview">(',_BACK,')</a></p>';                \r
+               echo '<p><a href="index.php?action=skinieoverview">(',_BACK,')</a></p>';\r
                ?>\r
                <h2><?php echo _SKINIE_CONFIRM_TITLE?></h2>\r
 \r
@@ -3089,53 +3601,71 @@ selector();
                        <li><p><strong><?php echo _SKINIE_INFO_GENERAL?></strong> <?php echo htmlspecialchars($importer->getInfo())?></p></li>\r
                        <li><p><strong><?php echo _SKINIE_INFO_SKINS?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getSkinNames())?></p></li>\r
                        <li><p><strong><?php echo _SKINIE_INFO_TEMPLATES?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getTemplateNames())?></p></li>\r
-                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_SKINCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->checkSkinNameClashes())?></p></li>          \r
-                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_TEMPLCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->checkTemplateNameClashes())?></p></li>\r
+                       <?php\r
+                               if ($hasNameClashes)\r
+                               {\r
+                       ?>\r
+                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_SKINCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$skinNameClashes)?></p></li>\r
+                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_TEMPLCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$templateNameClashes)?></p></li>\r
+                       <?php\r
+                               } // if (hasNameClashes)\r
+                       ?>\r
                </ul>\r
 \r
                <form method="post" action="index.php"><div>\r
                        <input type="hidden" name="action" value="skiniedoimport" />\r
+                       <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="skinfile" value="<?php echo htmlspecialchars(postVar('skinfile'))?>" />\r
-                       <input type="hidden" name="mode" value="<?php echo htmlspecialchars($mode)?>" />                        \r
+                       <input type="hidden" name="mode" value="<?php echo htmlspecialchars($mode)?>" />\r
                        <input type="submit" value="<?php echo _SKINIE_CONFIRM_IMPORT?>" />\r
+                       <?php\r
+                               if ($hasNameClashes)\r
+                               {\r
+                       ?>\r
                        <br />\r
                        <input type="checkbox" name="overwrite" value="1" id="cb_overwrite" /><label for="cb_overwrite"><?php echo _SKINIE_CONFIRM_OVERWRITE?></label>\r
+                       <?php\r
+                               } // if (hasNameClashes)\r
+                       ?>\r
                </div></form>\r
 \r
 \r
-               <?php           \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skiniedoimport() {\r
                global $member, $DIR_LIBS, $DIR_SKINS;\r
-               \r
+\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                // load skinie class\r
                include_once($DIR_LIBS . 'skinie.php');\r
 \r
                $skinFileRaw= postVar('skinfile');\r
-               $mode           = postVar('mode');\r
+               $mode      = postVar('mode');\r
 \r
                $allowOverwrite = intPostVar('overwrite');\r
-               \r
+\r
                // get full filename\r
                if ($mode == 'file')\r
                {\r
-                       $skinFile = $DIR_SKINS . $skinFileRaw . '/skinbackup.xml';              \r
-                       \r
+                       $skinFile = $DIR_SKINS . $skinFileRaw . '/skinbackup.xml';\r
+\r
                        // backwards compatibilty (in v2.0, exports were saved as skindata.xml)\r
                        if (!file_exists($skinFile))\r
                                $skinFile = $DIR_SKINS . $skinFileRaw . '/skindata.xml';\r
-                       \r
+\r
                } else {\r
                        $skinFile = $skinFileRaw;\r
                }\r
 \r
-               $importer = new SKINIMPORT();\r
+               $importer =& new SKINIMPORT();\r
 \r
-               $error = $importer->readFile($skinFile);        \r
+               $error = $importer->readFile($skinFile);\r
 \r
                if ($error)\r
                        $this->error($error);\r
@@ -3147,7 +3677,7 @@ selector();
 \r
                $this->pagehead();\r
 \r
-               echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';                                \r
+               echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';\r
        ?>\r
                <h2><?php echo _SKINIE_DONE?></h2>\r
 \r
@@ -3157,18 +3687,21 @@ selector();
                        <li><p><strong><?php echo _SKINIE_INFO_IMPORTEDTEMPLS?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getTemplateNames())?></p></li>\r
                </ul>\r
 \r
-       <?php           $this->pagefoot();\r
+       <?php      $this->pagefoot();\r
 \r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinieexport() {\r
                global $member, $DIR_LIBS;\r
-               \r
+\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                // load skinie class\r
                include_once($DIR_LIBS . 'skinie.php');\r
-               \r
+\r
                $aSkins = requestIntArray('skin');\r
                $aTemplates = requestIntArray('template');\r
 \r
@@ -3176,11 +3709,11 @@ selector();
                if (!is_array($aSkins)) $aSkins = array();\r
 \r
                $skinList = array_keys($aSkins);\r
-               $templateList = array_keys($aTemplates);        \r
+               $templateList = array_keys($aTemplates);\r
 \r
                $info = postVar('info');\r
 \r
-               $exporter = new SKINEXPORT();\r
+               $exporter =& new SKINEXPORT();\r
                foreach ($skinList as $skinId) {\r
                        $exporter->addSkin($skinId);\r
                }\r
@@ -3189,32 +3722,36 @@ selector();
                }\r
                $exporter->setInfo($info);\r
 \r
-               $exporter->export();    \r
+               $exporter->export();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateoverview() {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $this->pagehead();\r
-               \r
-               echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';                \r
-               \r
+\r
+               echo '<p><a href="index.php?action=manage">(',_BACKTOMANAGE,')</a></p>';\r
+\r
                echo '<h2>' . _TEMPLATE_TITLE . '</h2>';\r
                echo '<h3>' . _TEMPLATE_AVAILABLE_TITLE . '</h3>';\r
-               \r
+\r
                $query = 'SELECT * FROM '.sql_table('template_desc').' ORDER BY tdname';\r
                $template['content'] = 'templatelist';\r
                $template['tabindex'] = 10;\r
                showlist($query,'table',$template);\r
-               \r
+\r
                echo '<h3>' . _TEMPLATE_NEW_TITLE . '</h3>';\r
-               \r
+\r
                ?>\r
                <form method="post" action="index.php"><div>\r
-               \r
+\r
                <input name="action" value="templatenew" type="hidden" />\r
+               <?php $manager->addTicketHidden() ?>\r
                <table><tr>\r
                        <td><?php echo _TEMPLATE_NAME?> <?php help('shortnames');?></td>\r
                        <td><input name="name" tabindex="10010" maxlength="20" size="20" /></td>\r
@@ -3225,47 +3762,51 @@ selector();
                        <td><?php echo _TEMPLATE_CREATE?></td>\r
                        <td><input type="submit" tabindex="10030" value="<?php echo _TEMPLATE_CREATE_BTN?>" onclick="return checkSubmit();" /></td>\r
                </tr></table>\r
-               \r
+\r
                </div></form>\r
-               \r
-               <?php           \r
+\r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateedit($msg = '') {\r
-               global $member;\r
-               \r
+               global $member, $manager;\r
+\r
                $templateid = intRequestVar('templateid');\r
-               \r
+\r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
-               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.addslashes(_EDITTEMPLATE_EMPTY).'");</script>';\r
+               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.sql_real_escape_string(_EDITTEMPLATE_EMPTY).'");</script>';\r
 \r
                $this->pagehead($extrahead);\r
-               \r
+\r
                $templatename = TEMPLATE::getNameFromId($templateid);\r
                $templatedescription = TEMPLATE::getDesc($templateid);\r
-               $template = TEMPLATE::read($templatename);\r
-               \r
+               $template =& $manager->getTemplate($templatename);\r
+\r
                ?>\r
                <p>\r
                <a href="index.php?action=templateoverview">(<?php echo _TEMPLATE_BACK?>)</a>\r
                </p>\r
 \r
-               <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo  $templatename; ?>'</h2>\r
-               \r
-               <?php                                   if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+               <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo  htmlspecialchars($templatename); ?>'</h2>\r
+\r
+               <?php                              if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
                ?>\r
-               \r
+\r
                <p><?php echo _TEMPLATE_EDIT_MSG?></p>\r
-               \r
+\r
                <form method="post" action="index.php">\r
                <div>\r
-               \r
+\r
                <input type="hidden" name="action" value="templateupdate" />\r
+               <?php $manager->addTicketHidden() ?>\r
                <input type="hidden" name="templateid" value="<?php echo  $templateid; ?>" />\r
-               \r
+\r
                <table><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_SETTINGS?></th>\r
                </tr><tr>\r
@@ -3284,125 +3825,153 @@ selector();
                        </td>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_ITEMS?> <?php help('templateitems'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_ITEMHEADER, 'ITEM_HEADER', '', 8);         \r
-       $this->_templateEditRow($template, _TEMPLATE_ITEMBODY, 'ITEM', '', 9, 1);               \r
-       $this->_templateEditRow($template, _TEMPLATE_ITEMFOOTER, 'ITEM_FOOTER', '', 10);                \r
-       $this->_templateEditRow($template, _TEMPLATE_MORELINK, 'MORELINK', 'morelink', 20);             \r
-       $this->_templateEditRow($template, _TEMPLATE_EDITLINK, 'EDITLINK', 'editlink', 25);                     \r
-       $this->_templateEditRow($template, _TEMPLATE_NEW, 'NEW', 'new', 30);            \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_ITEMHEADER, 'ITEM_HEADER', '', 8);\r
+       $this->_templateEditRow($template, _TEMPLATE_ITEMBODY, 'ITEM', '', 9, 1);\r
+       $this->_templateEditRow($template, _TEMPLATE_ITEMFOOTER, 'ITEM_FOOTER', '', 10);\r
+       $this->_templateEditRow($template, _TEMPLATE_MORELINK, 'MORELINK', 'morelink', 20);\r
+       $this->_templateEditRow($template, _TEMPLATE_EDITLINK, 'EDITLINK', 'editlink', 25);\r
+       $this->_templateEditRow($template, _TEMPLATE_NEW, 'NEW', 'new', 30);\r
 ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_COMMENTS_ANY?> <?php help('templatecomments'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_CHEADER, 'COMMENTS_HEADER', 'commentheaders', 40);         \r
-       $this->_templateEditRow($template, _TEMPLATE_CBODY, 'COMMENTS_BODY', 'commentbody', 50, 1);             \r
-       $this->_templateEditRow($template, _TEMPLATE_CFOOTER, 'COMMENTS_FOOTER', 'commentheaders', 60);         \r
-       $this->_templateEditRow($template, _TEMPLATE_CONE, 'COMMENTS_ONE', 'commentwords', 70);         \r
-       $this->_templateEditRow($template, _TEMPLATE_CMANY, 'COMMENTS_MANY', 'commentwords', 80);               \r
-       $this->_templateEditRow($template, _TEMPLATE_CMORE, 'COMMENTS_CONTINUED', 'commentcontinued', 90);              \r
-       $this->_templateEditRow($template, _TEMPLATE_CMEXTRA, 'COMMENTS_AUTH', 'memberextra', 100);             \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_CHEADER, 'COMMENTS_HEADER', 'commentheaders', 40);\r
+       $this->_templateEditRow($template, _TEMPLATE_CBODY, 'COMMENTS_BODY', 'commentbody', 50, 1);\r
+       $this->_templateEditRow($template, _TEMPLATE_CFOOTER, 'COMMENTS_FOOTER', 'commentheaders', 60);\r
+       $this->_templateEditRow($template, _TEMPLATE_CONE, 'COMMENTS_ONE', 'commentwords', 70);\r
+       $this->_templateEditRow($template, _TEMPLATE_CMANY, 'COMMENTS_MANY', 'commentwords', 80);\r
+       $this->_templateEditRow($template, _TEMPLATE_CMORE, 'COMMENTS_CONTINUED', 'commentcontinued', 90);\r
+       $this->_templateEditRow($template, _TEMPLATE_CMEXTRA, 'COMMENTS_AUTH', 'memberextra', 100);\r
 ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_COMMENTS_NONE?> <?php help('templatecomments'); ?></th>\r
 <?php\r
-       $this->_templateEditRow($template, _TEMPLATE_CNONE, 'COMMENTS_NONE', '', 110);          \r
+       $this->_templateEditRow($template, _TEMPLATE_CNONE, 'COMMENTS_NONE', '', 110);\r
 ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_COMMENTS_TOOMUCH?> <?php help('templatecomments'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_CTOOMUCH, 'COMMENTS_TOOMUCH', '', 120);            \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_CTOOMUCH, 'COMMENTS_TOOMUCH', '', 120);\r
 ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_ARCHIVELIST?> <?php help('templatearchivelists'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_AHEADER, 'ARCHIVELIST_HEADER', '', 130);           \r
-       $this->_templateEditRow($template, _TEMPLATE_AITEM, 'ARCHIVELIST_LISTITEM', '', 140);                   \r
-       $this->_templateEditRow($template, _TEMPLATE_AFOOTER, 'ARCHIVELIST_FOOTER', '', 150);           \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_AHEADER, 'ARCHIVELIST_HEADER', '', 130);\r
+       $this->_templateEditRow($template, _TEMPLATE_AITEM, 'ARCHIVELIST_LISTITEM', '', 140);\r
+       $this->_templateEditRow($template, _TEMPLATE_AFOOTER, 'ARCHIVELIST_FOOTER', '', 150);\r
 ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
+                       <th colspan="2"><?php echo _TEMPLATE_BLOGLIST?> <?php help('templatebloglists'); ?></th>\r
+<?php  $this->_templateEditRow($template, _TEMPLATE_BLOGHEADER, 'BLOGLIST_HEADER', '', 160);\r
+       $this->_templateEditRow($template, _TEMPLATE_BLOGITEM, 'BLOGLIST_LISTITEM', '', 170);\r
+       $this->_templateEditRow($template, _TEMPLATE_BLOGFOOTER, 'BLOGLIST_FOOTER', '', 180);\r
+?>\r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_CATEGORYLIST?> <?php help('templatecategorylists'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_CATHEADER, 'CATLIST_HEADER', '', 160);             \r
-       $this->_templateEditRow($template, _TEMPLATE_CATITEM, 'CATLIST_LISTITEM', '', 170);                     \r
-       $this->_templateEditRow($template, _TEMPLATE_CATFOOTER, 'CATLIST_FOOTER', '', 180);             \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_CATHEADER, 'CATLIST_HEADER', '', 190);\r
+       $this->_templateEditRow($template, _TEMPLATE_CATITEM, 'CATLIST_LISTITEM', '', 200);\r
+       $this->_templateEditRow($template, _TEMPLATE_CATFOOTER, 'CATLIST_FOOTER', '', 210);\r
 ?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_DATETIME?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_DHEADER, 'DATE_HEADER', 'dateheads', 190);         \r
-       $this->_templateEditRow($template, _TEMPLATE_DFOOTER, 'DATE_FOOTER', 'dateheads', 200);                 \r
-       $this->_templateEditRow($template, _TEMPLATE_DFORMAT, 'FORMAT_DATE', 'datetime', 210);          \r
-       $this->_templateEditRow($template, _TEMPLATE_TFORMAT, 'FORMAT_TIME', 'datetime', 220);                  \r
-       $this->_templateEditRow($template, _TEMPLATE_LOCALE, 'LOCALE', 'locale', 230);          \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_DHEADER, 'DATE_HEADER', 'dateheads', 220);\r
+       $this->_templateEditRow($template, _TEMPLATE_DFOOTER, 'DATE_FOOTER', 'dateheads', 230);\r
+       $this->_templateEditRow($template, _TEMPLATE_DFORMAT, 'FORMAT_DATE', 'datetime', 240);\r
+       $this->_templateEditRow($template, _TEMPLATE_TFORMAT, 'FORMAT_TIME', 'datetime', 250);\r
+       $this->_templateEditRow($template, _TEMPLATE_LOCALE, 'LOCALE', 'locale', 260);\r
 ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_IMAGE?> <?php help('templatepopups'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_PCODE, 'POPUP_CODE', '', 240);             \r
-       $this->_templateEditRow($template, _TEMPLATE_ICODE, 'IMAGE_CODE', '', 250);                     \r
-       $this->_templateEditRow($template, _TEMPLATE_MCODE, 'MEDIA_CODE', '', 260);             \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_PCODE, 'POPUP_CODE', '', 270);\r
+       $this->_templateEditRow($template, _TEMPLATE_ICODE, 'IMAGE_CODE', '', 280);\r
+       $this->_templateEditRow($template, _TEMPLATE_MCODE, 'MEDIA_CODE', '', 290);\r
 ?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_SEARCH?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_SHIGHLIGHT, 'SEARCH_HIGHLIGHT', 'highlight',270);          \r
-       $this->_templateEditRow($template, _TEMPLATE_SNOTFOUND, 'SEARCH_NOTHINGFOUND', 'nothingfound',280);             \r
-?>                     \r
+<?php  $this->_templateEditRow($template, _TEMPLATE_SHIGHLIGHT, 'SEARCH_HIGHLIGHT', 'highlight',300);\r
+       $this->_templateEditRow($template, _TEMPLATE_SNOTFOUND, 'SEARCH_NOTHINGFOUND', 'nothingfound',310);\r
+?>\r
+               </tr><tr>\r
+                       <th colspan="2"><?php echo _TEMPLATE_PLUGIN_FIELDS?></th>\r
+<?php\r
+               $tab = 600;\r
+               $pluginfields = array();\r
+               $manager->notify('TemplateExtraFields',array('fields'=>&$pluginfields));\r
+\r
+               foreach ($pluginfields as $pfkey=>$pfvalue) {\r
+                       echo "</tr><tr>\n";\r
+                       echo '<th colspan="2">'.htmlentities($pfkey)."</th>\n";\r
+                       foreach ($pfvalue as $pffield=>$pfdesc) {\r
+                               $this->_templateEditRow($template, $pfdesc, $pffield, '',++$tab,0);\r
+                       }\r
+               }\r
+?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_UPDATE?></th>\r
                </tr><tr>\r
                        <td><?php echo _TEMPLATE_UPDATE?></td>\r
                        <td>\r
-                               <input type="submit" tabindex="290" value="<?php echo _TEMPLATE_UPDATE_BTN?>" onclick="return checkSubmit();" />\r
-                               <input type="reset" tabindex="300" value="<?php echo _TEMPLATE_RESET_BTN?>" />\r
+                               <input type="submit" tabindex="800" value="<?php echo _TEMPLATE_UPDATE_BTN?>" onclick="return checkSubmit();" />\r
+                               <input type="reset" tabindex="810" value="<?php echo _TEMPLATE_RESET_BTN?>" />\r
                        </td>\r
                </tr></table>\r
-               \r
+\r
                </div>\r
                </form>\r
-               <?php   \r
+               <?php\r
                $this->pagefoot();\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function _templateEditRow(&$template, $description, $name, $help = '', $tabindex = 0, $big = 0) {\r
                static $count = 1;\r
+               if (!isset($template[$name])) $template[$name] = '';\r
        ?>\r
-               </tr><tr>       \r
+               </tr><tr>\r
                        <td><?php echo $description?> <?php if ($help) help('template'.$help); ?></td>\r
                        <td id="td<?php echo $count?>"><textarea class="templateedit" name="<?php echo $name?>" tabindex="<?php echo $tabindex?>" cols="50" rows="<?php echo $big?10:5?>" id="textarea<?php echo $count?>"><?php echo  htmlspecialchars($template[$name]); ?></textarea></td>\r
-       <?php           $count++;\r
+       <?php      $count++;\r
        }\r
-       \r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateupdate() {\r
-               global $member;\r
-               \r
-               $templateid = intRequestVar('templateid');              \r
+               global $member, $manager;\r
+\r
+               $templateid = intRequestVar('templateid');\r
 \r
                $member->isAdmin() or $this->disallow();\r
-               \r
+\r
                $name = postVar('tname');\r
                $desc = postVar('tdesc');\r
-               \r
+\r
                if (!isValidTemplateName($name))\r
                        $this->error(_ERROR_BADTEMPLATENAME);\r
-               \r
+\r
                if ((TEMPLATE::getNameFromId($templateid) != $name) && TEMPLATE::exists($name))\r
                        $this->error(_ERROR_DUPTEMPLATENAME);\r
-                               \r
 \r
-               $name = addslashes($name);\r
-               $desc = addslashes($desc);\r
-               \r
+\r
+               $name = sql_real_escape_string($name);\r
+               $desc = sql_real_escape_string($desc);\r
+\r
                // 1. Remove all template parts\r
                $query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
                sql_query($query);\r
-               \r
+\r
                // 2. Update description\r
                $query =  'UPDATE '.sql_table('template_desc').' SET'\r
-                      . " tdname='" . $name . "',"\r
-                      . " tddesc='" . $desc . "'"\r
-                      . " WHERE tdnumber=" . $templateid;\r
+                          . " tdname='" . $name . "',"\r
+                          . " tddesc='" . $desc . "'"\r
+                          . " WHERE tdnumber=" . $templateid;\r
                sql_query($query);\r
-               \r
+\r
                // 3. Add non-empty template parts\r
                $this->addToTemplate($templateid, 'ITEM_HEADER', postVar('ITEM_HEADER'));\r
                $this->addToTemplate($templateid, 'ITEM', postVar('ITEM'));\r
                $this->addToTemplate($templateid, 'ITEM_FOOTER', postVar('ITEM_FOOTER'));\r
                $this->addToTemplate($templateid, 'MORELINK', postVar('MORELINK'));\r
-               $this->addToTemplate($templateid, 'EDITLINK', postVar('EDITLINK'));             \r
+               $this->addToTemplate($templateid, 'EDITLINK', postVar('EDITLINK'));\r
                $this->addToTemplate($templateid, 'NEW', postVar('NEW'));\r
                $this->addToTemplate($templateid, 'COMMENTS_HEADER', postVar('COMMENTS_HEADER'));\r
                $this->addToTemplate($templateid, 'COMMENTS_BODY', postVar('COMMENTS_BODY'));\r
@@ -3416,6 +3985,9 @@ selector();
                $this->addToTemplate($templateid, 'ARCHIVELIST_HEADER', postVar('ARCHIVELIST_HEADER'));\r
                $this->addToTemplate($templateid, 'ARCHIVELIST_LISTITEM', postVar('ARCHIVELIST_LISTITEM'));\r
                $this->addToTemplate($templateid, 'ARCHIVELIST_FOOTER', postVar('ARCHIVELIST_FOOTER'));\r
+               $this->addToTemplate($templateid, 'BLOGLIST_HEADER', postVar('BLOGLIST_HEADER'));\r
+               $this->addToTemplate($templateid, 'BLOGLIST_LISTITEM', postVar('BLOGLIST_LISTITEM'));\r
+               $this->addToTemplate($templateid, 'BLOGLIST_FOOTER', postVar('BLOGLIST_FOOTER'));\r
                $this->addToTemplate($templateid, 'CATLIST_HEADER', postVar('CATLIST_HEADER'));\r
                $this->addToTemplate($templateid, 'CATLIST_LISTITEM', postVar('CATLIST_LISTITEM'));\r
                $this->addToTemplate($templateid, 'CATLIST_FOOTER', postVar('CATLIST_FOOTER'));\r
@@ -3429,155 +4001,182 @@ selector();
                $this->addToTemplate($templateid, 'POPUP_CODE', postVar('POPUP_CODE'));\r
                $this->addToTemplate($templateid, 'MEDIA_CODE', postVar('MEDIA_CODE'));\r
                $this->addToTemplate($templateid, 'IMAGE_CODE', postVar('IMAGE_CODE'));\r
-               \r
-               \r
+\r
+               $pluginfields = array();\r
+               $manager->notify('TemplateExtraFields',array('fields'=>&$pluginfields));\r
+               foreach ($pluginfields as $pfkey=>$pfvalue) {\r
+                       foreach ($pfvalue as $pffield=>$pfdesc) {\r
+                               $this->addToTemplate($templateid, $pffield, postVar($pffield));\r
+                       }\r
+               }\r
+\r
                // jump back to template edit\r
                $this->action_templateedit(_TEMPLATE_UPDATED);\r
-       \r
-       }       \r
 \r
+       }