The current message confusingly mentions bad 'username' when username is not involved.  The
new message is the same as that introduced for an incorrect current password on the self
delete profile form (FS#2751)

The refshow configuration option wasn't used as described anymore
already in the latest release and after the introduction of the media
usage index the parameter is also no longer relevant for internal
optimization. The only place where it was still used is the no longer
used search_references()-function which is removed here, too.

This adds a new parameter to ft_backlinks() to ignore permissions which
is needed for invalidating the cache of linking pages with useheading
enabled. This also adds various test cases for ft_backlinks().

Added an explanation that what we do is like normal CBC but that we
additionally encrypt the IV which is actually suggested by the NIST for
non-random (but unique) IVs. In the decryption process it's not
necessary to decrypt the IV, this should save some time.

This replaces the deprecated and broken Blowfish implementation that has
previously been used and should provide a lot more security.

FS#2770 - prevent <file> and <code> syntax regex matching token names which start '<file' or '<code'

the _redirect function is not used in DokuWiki anyway

If you want better random initialization and more control over the
password strength install the passpolicy plugin.

This is needed to replace the password generator by a plugin
implementation. Related to PR #166 and FS#2147

No need for HMAC here because there's no length attack vector here. We
only care for the existance of the file and each reset request is
completely (random) independent from each other.