This does not fix FS#2677, it only adds support for fixing it later.

This time the test case was correct and actually showed a bug in the tar
library. The error occured only on the first build (directory build/0/)
where the zero was stripped from the path name.

I added unit tests to the cleanPath function and discovered another bug
with handling relative directories. I rewrote the cleanPath() function
and now it should finally work.

Unit tests FTW!

This is another go at what pull request #227 tried to do. This removes
support for a style.local.ini in the template file in preference of a
style.ini in the conf folder

- %GROUP% & %USER% can now both be used in the same rule, e.g.

%GROUP%:%USER%    2

- rules with tokens will be skipped when the user is not logged in
  previously %USER% was attempted

/ fix several typos / Fixes FS#2821

Fixed some issues which occur whenever RTL and LTR languages could
potentially be mixed, using the HTML5 `<bdi>` element.
This element is currently only supported by Chrome and Firefox.

The old and only partially working fix for tpl_breadcrumbs() was removed in
favour of this solution.

This reverts commit d6d85509.

I guess it was a bit too early to think straight :-/

and no automatic sitemap.xml is being generated.

this ensures nested POST data is correctly encoded

The check if the plugin is enabled is done later in the plugin
controller anyway.

In response to FS#2766
- make namespace links in the browser sitemap nofollow
- remove nofollow from browser sitemap link on the wiki start page
  when sitemap.xml generation is disabled

The current message confusingly mentions bad 'username' when username is not involved.  The
new message is the same as that introduced for an incorrect current password on the self
delete profile form (FS#2751)

The refshow configuration option wasn't used as described anymore
already in the latest release and after the introduction of the media
usage index the parameter is also no longer relevant for internal
optimization. The only place where it was still used is the no longer
used search_references()-function which is removed here, too.

This adds a new parameter to ft_backlinks() to ignore permissions which
is needed for invalidating the cache of linking pages with useheading
enabled. This also adds various test cases for ft_backlinks().

Added an explanation that what we do is like normal CBC but that we
additionally encrypt the IV which is actually suggested by the NIST for
non-random (but unique) IVs. In the decryption process it's not
necessary to decrypt the IV, this should save some time.

This replaces the deprecated and broken Blowfish implementation that has
previously been used and should provide a lot more security.