The error message when a non-existant editor was tried to load wasn't
escaped correctly, allowing to introduce arbitrary JavaScript to the
output, leading to a XSS vulnerability.

Note: the reported second XCRF vulnerability is the same bug, the xploit
code simply uses JavaScript to extract a valid CSRF token from the site

Attention: Template authors need to adjust their CSS!

Original structure:
div.search_result >
  a.wikilink1 > span.search_cnt
  br
  div.search_snippet

New structure:
dl.search_results >
  dt > a.wikilink1
  dd

Attention: Template authors need to adjust their CSS!

Original structure:
div.toc >
  div#toc__header.tocheader.toctoggle > span#toc__toggle.toc_close|toc_open > span
  div#toc__inside > ul.toc > li.level1 > div.li > span.li > a.toc

New structure:
div#dw__toc.open|close >
  h3 > strong > span
  ul.toc > li.toc > div.li > a

When autopasswd is disabled, the resend password option now asks for a
new password instead of autogenerating a new one and sending it by mail.

Note to translators: the wording for btn_resendpwd and resendpwd changed
to be more universal. English and German language files where updated -
other languages need to be adjusted.

Conflicts:

	inc/lang/en/lang.php

  * Fix selector in subtree loading callback
  * Remove HTML inconsistencies between AJAX and plain PHP lists
  * Unify icon and CSS class switching in dw_tree and dw_mediamanager

don't use form_makeTag() for blank.gif as empty attributes are not passed on (which resulted in a missing alt attribute)