diff --git a/class_csrf.php b/class_csrf.php new file mode 100644 index 00000000..521c0d35 --- /dev/null +++ b/class_csrf.php @@ -0,0 +1,104 @@ +"; + } + + /** + * Returns true if user-submitted POST token is + * identical to the previously stored SESSION token. + * Returns false otherwise. + */ + public static function isValid() + { + if (isset($_POST['token'])) + { + $user_token = $_POST['token']; + $stored_token = $_SESSION['token']; + return hash_equals($_SESSION['token'], $_POST['token']); + } + else + { + return false; + } + } + + /** + * You can simply check the token validity and + * handle the failure yourself, or you can use + * this "stop-everything-on-failure" method. + */ + public static function exitOnFailure() + { + if (!self::isValid()) + { + exit('Invalid Security Token.'); + } + } + + /** + * This doesn't have to be used but it + * checks to see if the token is recent. + */ + public static function isRecent() + { + if (isset($_SESSION['token_time'])) + { + $stored_time = $_SESSION['token_time']; + return ($stored_time + self::$max_elapsed) >= time(); + } + else + { + self::destroyToken(); + return false; + } + } +} diff --git a/documentation/index.php b/documentation/index.php index ffa0a10c..126ba889 100644 --- a/documentation/index.php +++ b/documentation/index.php @@ -11,13 +11,16 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + include(TR_INCLUDE_PATH.'vitals.inc.php'); include(TR_INCLUDE_PATH.'handbook_pages.inc.php'); global $handbook_pages; if (isset($_GET['p'])) { - $p = htmlentities($_GET['p']); + // We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS + // for p parameter + $p = htmlspecialchars(trim(stripslashes(strip_tags($_GET['p'])))); } else { // go to first handbook page defined in $handbook_pages foreach ($handbook_pages as $page_key => $page_value) 
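Review bot: In `isValid()` the guard tests only `$_POST['token']`, so a request made before any token was stored passes an unset `$_SESSION['token']` to `hash_equals()`, and a `token[]=` parameter passes an array; depending on the PHP version that is a warning or a TypeError instead of a clean `false`. The condition should cover both sides and their type, e.g. `if (isset($_POST['token'], $_SESSION['token']) && is_string($_POST['token']) && is_string($_SESSION['token']))`. The locals `$user_token` and `$stored_token` are assigned and never read, so they can be removed. Neither `isValid()` nor `exitOnFailure()` calls `isRecent()`, so token age is enforced only when each caller checks it; the docblock should say so. The top of the class is not visible in this extract.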
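Review bot: The new chain for `$_GET['p']` calls `htmlspecialchars()` with default flags, which on PHP before 8.1 leaves single quotes unescaped, and the added `strip_tags()`/`stripslashes()` calls change the value without protecting attribute or script contexts. Passing the flags explicitly, `$p = htmlspecialchars(trim($_GET['p']), ENT_QUOTES, 'UTF-8');`, makes the encoding independent of the runtime version. A `p[]=` request also hands an array to `strip_tags()`, so an `is_string($_GET['p'])` test belongs in the `isset` condition. The `else` branch iterates `$handbook_pages` by key, so `$p` looks like a page key; if it is, rejecting values that are not a key of `$handbook_pages` would be a stronger control than encoding. The use of `$p` lies outside this hunk, so that needs confirming.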
diff --git a/file_manager/delete.php b/file_manager/delete.php index 1feea3d9..9b5af48f 100644 --- a/file_manager/delete.php +++ b/file_manager/delete.php 
@@ -1,172 +1,173 @@ -addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['submit_yes'])) { - /* delete files and directories */ - /* delete the file */ - $pathext = $_POST['pathext']; - if (isset($_POST['listoffiles'])) { - $checkbox = explode(',',$_POST['listoffiles']); - $count = count($checkbox); - $result=true; - for ($i=0; $i<$count; $i++) { - $filename=$checkbox[$i]; - - if (FileUtility::course_realpath($current_path . $pathext . $filename) == FALSE) { - $msg->addError('FILE_NOT_DELETED'); - $result=false; - break; - } else if (!(@unlink($current_path.$pathext.$filename))) { - $msg->addError('FILE_NOT_DELETED'); - $result=false; - break; - } - } - if ($result) - { - // delete according definition of primary resources and alternatives for adapted content - $filename = '../'.$pathext.$filename; - - // 1. delete secondary resources types - $secondaryResourcesTypesDAO = new SecondaryResourcesTypesDAO(); - $secondaryResourcesTypesDAO->DeleteByResourceName($filename); - - // 2. delete secondary resources - $secondaryResourcesDAO = new SecondaryResourcesDAO(); - $secondaryResourcesDAO->DeleteByResourceName($filename); - - // 3. delete primary resources types - $primaryResourcesTypesDAO = new PrimaryResourcesTypesDAO(); - $primaryResourcesTypesDAO->DeleteByResourceName($filename); - - // 4. 
delete primary resources - $primaryResourcesDAO = new PrimaryResourcesDAO(); - $primaryResourcesDAO->DeleteByResourceName($filename); - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - } - } - /* delete directory */ - if (isset($_POST['listofdirs'])) { - - $checkbox = explode(',',$_POST['listofdirs']); - $count = count($checkbox); - $result=true; - for ($i=0; $i<$count; $i++) { - $filename=$checkbox[$i]; - - if (strpos($filename, '..') !== false) { - $msg->addError('UNKNOWN'); - $result=false; - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } else if (!is_dir($current_path.$pathext.$filename)) { - $msg->addError(array('DIR_NOT_DELETED',$filename)); - $result=false; - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } else if (!($result = FileUtility::clr_dir($current_path.$pathext.$filename))) { - $msg->addError('DIR_NO_PERMISSION'); - $result=false; - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - } - if ($result) - $msg->addFeedback('DIR_DELETED'); - } - - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; -} - - require(TR_INCLUDE_PATH.'header.inc.php'); - // find the files and directories to be deleted - 
$total_list = explode(',', $_GET['list']); - $pathext = $_GET['pathext']; - $popup = $_GET['popup']; - $framed = $_GET['framed']; - $cp = $_GET['cp']; - $cid = $_GET['cid']; - $pid = $_GET['pid']; - $a_type = $_GET['a_type']; - - $count = count($total_list); - $countd = 0; - $countf = 0; - - foreach ($total_list as $list_item) { - if (is_dir($current_path.$pathext.$list_item)) { - $_dirs[$countd] = $list_item; - $countd++; - } else { - $_files[$countf] = $list_item; - $countf++; - } - } - - $hidden_vars['pathext'] = $pathext; - $hidden_vars['popup'] = $popup; - $hidden_vars['framed'] = $framed; - $hidden_vars['cp'] = $cp; - $hidden_vars['cid'] = $cid; - $hidden_vars['pid'] = $pid; - $hidden_vars['a_type'] = $a_type; - $hidden_vars['_course_id'] = $_course_id; - - if (isset($_files)) { - $list_of_files = implode(',', $_files); - $hidden_vars['listoffiles'] = $list_of_files; - - foreach ($_files as $file) { - $file_list_to_print .= '
  • '.$file.'
  • '; - } - $msg->addConfirm(array('FILE_DELETE', $file_list_to_print), $hidden_vars); - } - - if (isset($_dirs)) { - $list_of_dirs = implode(',', $_dirs); - $hidden_vars['listofdirs'] = $list_of_dirs; - - foreach ($_dirs as $dir) { - $dir_list_to_print .= '
  • '.$dir.'
  • '; - } - - $msg->addConfirm(array('DIR_DELETE',$dir_list_to_print), $hidden_vars); - } - - $msg->printConfirm(); - - require(TR_INCLUDE_PATH.'footer.inc.php'); -?> +addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['submit_yes'])) { + /* delete files and directories */ + /* delete the file */ + $pathext = $_POST['pathext']; + if (isset($_POST['listoffiles'])) { + $checkbox = explode(',',$_POST['listoffiles']); + $count = count($checkbox); + $result=true; + for ($i=0; $i<$count; $i++) { + $filename=$checkbox[$i]; + + if (FileUtility::course_realpath($current_path . $pathext . $filename) == FALSE) { + $msg->addError('FILE_NOT_DELETED'); + $result=false; + break; + } else if (!(@unlink($current_path.$pathext.$filename))) { + $msg->addError('FILE_NOT_DELETED'); + $result=false; + break; + } + } + if ($result) + { + // delete according definition of primary resources and alternatives for adapted content + $filename = '../'.$pathext.$filename; + + // 1. delete secondary resources types + $secondaryResourcesTypesDAO = new SecondaryResourcesTypesDAO(); + $secondaryResourcesTypesDAO->DeleteByResourceName($filename); + + // 2. delete secondary resources + $secondaryResourcesDAO = new SecondaryResourcesDAO(); + $secondaryResourcesDAO->DeleteByResourceName($filename); + + // 3. delete primary resources types + $primaryResourcesTypesDAO = new PrimaryResourcesTypesDAO(); + $primaryResourcesTypesDAO->DeleteByResourceName($filename); + + // 4. 
delete primary resources + $primaryResourcesDAO = new PrimaryResourcesDAO(); + $primaryResourcesDAO->DeleteByResourceName($filename); + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + } + } + /* delete directory */ + if (isset($_POST['listofdirs'])) { + + $checkbox = explode(',',$_POST['listofdirs']); + $count = count($checkbox); + $result=true; + for ($i=0; $i<$count; $i++) { + $filename=$checkbox[$i]; + + if (strpos($filename, '..') !== false) { + $msg->addError('UNKNOWN'); + $result=false; + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } else if (!is_dir($current_path.$pathext.$filename)) { + $msg->addError(array('DIR_NOT_DELETED',$filename)); + $result=false; + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } else if (!($result = FileUtility::clr_dir($current_path.$pathext.$filename))) { + $msg->addError('DIR_NO_PERMISSION'); + $result=false; + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + } + if ($result) + $msg->addFeedback('DIR_DELETED'); + } + + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; +} + + require(TR_INCLUDE_PATH.'header.inc.php'); + // find the files and directories to be deleted + 
$total_list = explode(',', $_GET['list']); + $pathext = $_GET['pathext']; + $popup = $_GET['popup']; + $framed = $_GET['framed']; + $cp = $_GET['cp']; + $cid = $_GET['cid']; + $pid = $_GET['pid']; + $a_type = $_GET['a_type']; + + $count = count($total_list); + $countd = 0; + $countf = 0; + + foreach ($total_list as $list_item) { + if (is_dir($current_path.$pathext.$list_item)) { + $_dirs[$countd] = $list_item; + $countd++; + } else { + $_files[$countf] = $list_item; + $countf++; + } + } + + $hidden_vars['pathext'] = $pathext; + $hidden_vars['popup'] = $popup; + $hidden_vars['framed'] = $framed; + $hidden_vars['cp'] = $cp; + $hidden_vars['cid'] = $cid; + $hidden_vars['pid'] = $pid; + $hidden_vars['a_type'] = $a_type; + $hidden_vars['_course_id'] = $_course_id; + + if (isset($_files)) { + $list_of_files = implode(',', $_files); + $hidden_vars['listoffiles'] = $list_of_files; + + foreach ($_files as $file) { + $file_list_to_print .= '
  • '.$file.'
  • '; + } + $msg->addConfirm(array('FILE_DELETE', $file_list_to_print), $hidden_vars); + } + + if (isset($_dirs)) { + $list_of_dirs = implode(',', $_dirs); + $hidden_vars['listofdirs'] = $list_of_dirs; + + foreach ($_dirs as $dir) { + $dir_list_to_print .= '
  • '.$dir.'
  • '; + } + + $msg->addConfirm(array('DIR_DELETE',$dir_list_to_print), $hidden_vars); + } + + $msg->printConfirm(); + + require(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/file_manager/edit.php b/file_manager/edit.php index 76cd9631..34f69201 100644 --- a/file_manager/edit.php +++ b/file_manager/edit.php @@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/FileUtility.class.php'); diff --git a/file_manager/index.php b/file_manager/index.php index d7fa0344..b43f3a3b 100644 --- a/file_manager/index.php +++ b/file_manager/index.php 
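Review bot: On the new side of file_manager/delete.php the `submit_yes` branch still goes straight from `isset($_POST['submit_yes'])` to `unlink()` and `FileUtility::clr_dir()` with no call to the token check this commit adds in class_csrf.php. The first lines of the file are missing from this extract, so a check may sit there; if it does not, call the class's `exitOnFailure()` as the first statement of the branch and add the token to `$hidden_vars` so the confirm form submits it. The `submit_yes` branches in file_manager/move.php (`rename()`) and file_manager/new.php (`fopen(..., 'w')`) show the same gap. Separately, `$file` and `$dir` come from `$_GET['list']` and are concatenated into `$file_list_to_print` and `$dir_list_to_print` as they are; unless `addConfirm()` escapes its arguments, wrap them as `htmlspecialchars($file, ENT_QUOTES, 'UTF-8')`.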
@@ -1,91 +1,92 @@ - - - -'; - } - - $fluid_dir = 'include/jscripts/infusion/'; - $framed = intval($_GET['framed']); - $popup = intval($_GET['popup']); - $current_path = TR_CONTENT_DIR.$_course_id.'/'; - - if ($_GET['pathext'] != '') { - $pathext = urldecode($_GET['pathext']); - } else if ($_POST['pathext'] != '') { - $pathext = $_POST['pathext']; - } - - if($_GET['back'] == 1) { - $pathext = substr($pathext, 0, -1); - $slashpos = strrpos($pathext, '/'); - if($slashpos == 0) { - $pathext = ''; - } else { - $pathext = substr($pathext, 0, ($slashpos+1)); - } - - } -} - -global $msg; -if (isset($_GET['msg'])) $msg->addFeedback($_GET['msg']); - -require('top.php'); -$_SESSION['done'] = 1; - -require(TR_INCLUDE_PATH.'../file_manager/filemanager_display.inc.php'); - -closedir($dir); - -?> - - + + + +'; + } + + $fluid_dir = 'include/jscripts/infusion/'; + $framed = intval($_GET['framed']); + $popup = intval($_GET['popup']); + $current_path = TR_CONTENT_DIR.$_course_id.'/'; + + if ($_GET['pathext'] != '') { + $pathext = urldecode($_GET['pathext']); + } else if ($_POST['pathext'] != '') { + $pathext = $_POST['pathext']; + } + + if($_GET['back'] == 1) { + $pathext = substr($pathext, 0, -1); + $slashpos = strrpos($pathext, '/'); + if($slashpos == 0) { + $pathext = ''; + } else { + $pathext = substr($pathext, 0, ($slashpos+1)); + } + + } +} + +global $msg; +if (isset($_GET['msg'])) $msg->addFeedback($_GET['msg']); + +require('top.php'); +$_SESSION['done'] = 1; + +require(TR_INCLUDE_PATH.'../file_manager/filemanager_display.inc.php'); + +closedir($dir); + +?> + + diff --git a/file_manager/move.php b/file_manager/move.php index 8ce3ca85..abdb499f 100644 --- a/file_manager/move.php +++ b/file_manager/move.php 
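Review bot: `$pathext = urldecode($_GET['pathext']);` decodes a value PHP has already URL-decoded, so a doubly encoded sequence only turns into path characters here, after any check made on the request value. Nothing visible in this hunk validates `$pathext` before `filemanager_display.inc.php` is included. Drop the extra decode (`$pathext = $_GET['pathext'];`) and reject traversal the way delete.php does for `$filename`, e.g. `if (strpos($pathext, '..') !== false) { $pathext = ''; }`. The include may validate the path itself, but that file is not part of this diff, so confirm. `$msg->addFeedback($_GET['msg'])` also passes a request-controlled message code and would be safer checked against the known codes.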
@@ -1,206 +1,207 @@ -addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_REQUEST['framed'].SEP.'popup='.$_REQUEST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['submit_yes'])) { - $dest = $_POST['dest'] .'/'; - $pathext = $_POST['pathext']; - - if (isset($_POST['listofdirs'])) { - - $_dirs = explode(',',$_POST['listofdirs']); - $count = count($_dirs); - - for ($i = 0; $i < $count; $i++) { - $source = $_dirs[$i]; - - if (FileUtility::course_realpath($current_path . $pathext . $source) == FALSE) { - // error: File does not exist - $msg->addError('DIR_NOT_EXIST'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - else if (FileUtility::course_realpath($current_path . 
$dest) == FALSE) { - // error: File does not exist - $msg->addError('UNKNOWN'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - else if (strpos($source, '..') !== false) { - $msg->addError('UNKNOWN'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - else { - @rename($current_path.$pathext.$source, $current_path.$dest.$source); - } - } - $msg->addFeedback('DIRS_MOVED'); - } - if (isset($_POST['listoffiles'])) { - - $_files = explode(',',$_POST['listoffiles']); - $count = count($_files); - - for ($i = 0; $i < $count; $i++) { - $source = $_files[$i]; - - if (FileUtility::course_realpath($current_path . $pathext . $source) == FALSE) { - // error: File does not exist - $msg->addError('FILE_NOT_EXIST'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - else if (FileUtility::course_realpath($current_path . 
$dest) == FALSE) { - // error: File does not exist - $msg->addError('UNKNOWN'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - else if (strpos($source, '..') !== false) { - $msg->addError('UNKNOWN'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - else { - @rename($current_path.$pathext.$source, $current_path.$dest.$source); - } - } - $msg->addFeedback('MOVED_FILES'); - } - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['dir_chosen'])) { - $hidden_vars['framed'] = $_REQUEST['framed']; - $hidden_vars['popup'] = $_REQUEST['popup']; - $hidden_vars['pathext'] = $_REQUEST['pathext']; - $hidden_vars['dest'] = $_REQUEST['dir_name']; - $hidden_vars['cp'] = $_REQUEST['cp']; - $hidden_vars['cid'] = $_REQUEST['cid']; - $hidden_vars['pid'] = $_REQUEST['pid']; - $hidden_vars['a_type'] = $_REQUEST['a_type']; - $hidden_vars['_course_id'] = $_course_id; - - if (isset($_POST['files'])) { - $list_of_files = implode(',', $_POST['files']); - $hidden_vars['listoffiles'] = $list_of_files; - $msg->addConfirm(array('FILE_MOVE', $list_of_files, $_POST['dir_name']), $hidden_vars); - } - if (isset($_POST['dirs'])) { - $list_of_dirs = implode(',', $_POST['dirs']); - $hidden_vars['listoffiles'] = $list_of_dirs; - $msg->addConfirm(array('DIR_MOVE', $list_of_dirs, $_POST['dir_name']), $hidden_vars); - } - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printConfirm(); - 
require(TR_INCLUDE_PATH.'footer.inc.php'); -} -else { - require(TR_INCLUDE_PATH.'header.inc.php'); - - $tree = TR_CONTENT_DIR.$_course_id.'/'; - $file = $_GET['file']; - $pathext = $_GET['pathext']; - $popup = $_GET['popup']; - $framed = $_GET['framed']; - $cp = $_GET['cp']; - $cid = $_GET['cid']; - $pid = $_GET['pid']; - $a_type = $_GET['a_type']; - - /* find the files and directories to be copied */ - $total_list = explode(',', $_GET['list']); - - $count = count($total_list); - $countd = 0; - $countf = 0; - for ($i=0; $i<$count; $i++) { - if (is_dir($current_path.$pathext.$total_list[$i])) { - $_dirs[$countd] = $total_list[$i]; - $hidden_dirs .= ''; - $countd++; - } else { - $_files[$countf] = $total_list[$i]; - $hidden_files .= ''; - $countf++; - } - } -?> - -
    -
    -
    -

    -
    - -
    -
      -
    • '; - - echo FileUtility::display_tree($current_path, '', $pathext); - ?>
    • -
    -
    - -
    - - -
    -
    - - - - - - - - - - -
    - - \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_REQUEST['framed'].SEP.'popup='.$_REQUEST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['submit_yes'])) { + $dest = $_POST['dest'] .'/'; + $pathext = $_POST['pathext']; + + if (isset($_POST['listofdirs'])) { + + $_dirs = explode(',',$_POST['listofdirs']); + $count = count($_dirs); + + for ($i = 0; $i < $count; $i++) { + $source = $_dirs[$i]; + + if (FileUtility::course_realpath($current_path . $pathext . $source) == FALSE) { + // error: File does not exist + $msg->addError('DIR_NOT_EXIST'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + else if (FileUtility::course_realpath($current_path . 
$dest) == FALSE) { + // error: File does not exist + $msg->addError('UNKNOWN'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + else if (strpos($source, '..') !== false) { + $msg->addError('UNKNOWN'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + else { + @rename($current_path.$pathext.$source, $current_path.$dest.$source); + } + } + $msg->addFeedback('DIRS_MOVED'); + } + if (isset($_POST['listoffiles'])) { + + $_files = explode(',',$_POST['listoffiles']); + $count = count($_files); + + for ($i = 0; $i < $count; $i++) { + $source = $_files[$i]; + + if (FileUtility::course_realpath($current_path . $pathext . $source) == FALSE) { + // error: File does not exist + $msg->addError('FILE_NOT_EXIST'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + else if (FileUtility::course_realpath($current_path . 
$dest) == FALSE) { + // error: File does not exist + $msg->addError('UNKNOWN'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + else if (strpos($source, '..') !== false) { + $msg->addError('UNKNOWN'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + else { + @rename($current_path.$pathext.$source, $current_path.$dest.$source); + } + } + $msg->addFeedback('MOVED_FILES'); + } + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['dir_chosen'])) { + $hidden_vars['framed'] = $_REQUEST['framed']; + $hidden_vars['popup'] = $_REQUEST['popup']; + $hidden_vars['pathext'] = $_REQUEST['pathext']; + $hidden_vars['dest'] = $_REQUEST['dir_name']; + $hidden_vars['cp'] = $_REQUEST['cp']; + $hidden_vars['cid'] = $_REQUEST['cid']; + $hidden_vars['pid'] = $_REQUEST['pid']; + $hidden_vars['a_type'] = $_REQUEST['a_type']; + $hidden_vars['_course_id'] = $_course_id; + + if (isset($_POST['files'])) { + $list_of_files = implode(',', $_POST['files']); + $hidden_vars['listoffiles'] = $list_of_files; + $msg->addConfirm(array('FILE_MOVE', $list_of_files, $_POST['dir_name']), $hidden_vars); + } + if (isset($_POST['dirs'])) { + $list_of_dirs = implode(',', $_POST['dirs']); + $hidden_vars['listoffiles'] = $list_of_dirs; + $msg->addConfirm(array('DIR_MOVE', $list_of_dirs, $_POST['dir_name']), $hidden_vars); + } + require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printConfirm(); + 
require(TR_INCLUDE_PATH.'footer.inc.php'); +} +else { + require(TR_INCLUDE_PATH.'header.inc.php'); + + $tree = TR_CONTENT_DIR.$_course_id.'/'; + $file = $_GET['file']; + $pathext = $_GET['pathext']; + $popup = $_GET['popup']; + $framed = $_GET['framed']; + $cp = $_GET['cp']; + $cid = $_GET['cid']; + $pid = $_GET['pid']; + $a_type = $_GET['a_type']; + + /* find the files and directories to be copied */ + $total_list = explode(',', $_GET['list']); + + $count = count($total_list); + $countd = 0; + $countf = 0; + for ($i=0; $i<$count; $i++) { + if (is_dir($current_path.$pathext.$total_list[$i])) { + $_dirs[$countd] = $total_list[$i]; + $hidden_dirs .= ''; + $countd++; + } else { + $_files[$countf] = $total_list[$i]; + $hidden_files .= ''; + $countf++; + } + } +?> + +
    +
    +
    +

    +
    + +
    +
      +
    • '; + + echo FileUtility::display_tree($current_path, '', $pathext); + ?>
    • +
    +
    + +
    + + +
    +
    + + + + + + + + + + +
    + + diff --git a/file_manager/new.php b/file_manager/new.php index 9051d0b5..b3297f2a 100644 --- a/file_manager/new.php +++ b/file_manager/new.php 
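Review bot: In the `dir_chosen` branch of file_manager/move.php the directory list is stored under the wrong key: `$hidden_vars['listoffiles'] = $list_of_dirs;` overwrites the file list, while the `submit_yes` branch reads directories from `$_POST['listofdirs']`, which this form never sends. It should be `$hidden_vars['listofdirs'] = $list_of_dirs;`. In the `submit_yes` branch the result of `@rename()` is discarded, so `DIRS_MOVED` or `MOVED_FILES` feedback is added even when a move failed; test the return value and call `$msg->addError(...)` instead. `$framed` and `$popup`, used in that branch's error redirects, are assigned only in the final `else` branch as far as the visible lines show; the top of the file is missing from this extract.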
@@ -1,201 +1,202 @@ -addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['submit_no'])) { - $msg->addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['submit_yes'])) { - $filename = preg_replace("{[^a-zA-Z0-9_]}","_", trim($_POST['filename'])); - $pathext = $_POST['pathext']; - - /* only html or txt extensions allowed */ - if ($_POST['extension'] == 'html') { - $extension = 'html'; - } else { - $extension = 'txt'; - } - - if (FileUtility::course_realpath($current_path . $pathext . $filename.'.'.$extension) == FALSE) { - $msg->addError('FILE_NOT_SAVED'); - /* take user to home page to avoid unspecified error warning */ - header('Location: index.php?pathext='.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); - exit; - } - - if (($f = @fopen($current_path.$pathext.$filename.'.'.$extension,'w')) && @fwrite($f, stripslashes($_POST['body_text'])) !== FALSE && @fclose($f)){ - $msg->addFeedback('FILE_OVERWRITE'); - } else { - $msg->addError('CANNOT_OVERWRITE_FILE'); - } - unset($_POST['newfile']); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['savenewfile'])) { - - if (isset($_POST['filename']) && ($_POST['filename'] != "")) { - $filename = preg_replace("{[^a-zA-Z0-9_]}","_", trim($_POST['filename'])); - $pathext = $_POST['pathext']; - $current_path = TR_CONTENT_DIR.$_course_id.'/'; - - /* only html or txt extensions allowed */ - if ($_POST['extension'] == 'html') { - $extension = 'html'; - $head_html = "\n\n".$_POST['filename']."\n\n"; - $foot_html ="\n\n"; - } else { - $extension = 'txt'; - } - - if 
(!@file_exists($current_path.$pathext.$filename.'.'.$extension)) { - $content = str_replace("\r\n", "\n", $head_html.$_POST['body_text'].$foot_html); - - if (FileUtility::course_realpath($current_path . $pathext . $filename.'.'.$extension) == FALSE) { - $msg->addError('FILE_NOT_SAVED'); - /* take user to home page to avoid unspecified error warning */ - header('Location: index.php?pathext='.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); - exit; - } - - if (($f = fopen($current_path.$pathext.$filename.'.'.$extension, 'w')) && (@fwrite($f, stripslashes($content)) !== false) && (@fclose($f))) { - $msg->addFeedback(array('FILE_SAVED', $filename.'.'.$extension)); - header('Location: index.php?pathext='.urlencode($_POST['pathext']).SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); - exit; - } else { - $msg->addError('FILE_NOT_SAVED'); - header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); - exit; - } - } - else { - require(TR_INCLUDE_PATH.'header.inc.php'); - $pathext = $_POST['pathext']; - $popup = $_POST['popup']; - - $_POST['newfile'] = "new"; - - $hidden_vars['pathext'] = $pathext; - $hidden_vars['filename'] = $filename; - $hidden_vars['extension'] = $extension; - $hidden_vars['_course_id'] = $_course_id; - $hidden_vars['body_text'] = $_POST['body_text']; - - $hidden_vars['popup'] = $popup; - $hidden_vars['framed'] = $framed; - - $msg->addConfirm(array('FILE_EXISTS', $filename.'.'.$extension), $hidden_vars); - $msg->printConfirm(); - - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - } else { - $msg->addError(array('EMPTY_FIELDS', _AT('file_name'))); - } -} - -$onload="on_load()"; - -require(TR_INCLUDE_PATH.'header.inc.php'); -require_once(TR_INCLUDE_PATH.'lib/tinymce.inc.php'); - -// set default body editor to tinymce editor -if (!isset($_POST['extension'])) $_POST['extension'] = 'html'; - -// load tinymce library -load_editor(true, false, "none"); - 
-$pathext = $_GET['pathext']; -$popup = $_GET['popup']; - -$msg->printAll(); - -?> -
    - - - -
    -
    -
    - *
    - /> -
    - -
    - *
    - onclick="trans.editor.switch_content_type(this.value);" /> - - - , onclick="trans.editor.switch_content_type(this.value);" /> - -
    - -
    -
    - -
    - -
    - - -
    -
    -
    -
    - - - - \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['submit_no'])) { + $msg->addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['submit_yes'])) { + $filename = preg_replace("{[^a-zA-Z0-9_]}","_", trim($_POST['filename'])); + $pathext = $_POST['pathext']; + + /* only html or txt extensions allowed */ + if ($_POST['extension'] == 'html') { + $extension = 'html'; + } else { + $extension = 'txt'; + } + + if (FileUtility::course_realpath($current_path . $pathext . $filename.'.'.$extension) == FALSE) { + $msg->addError('FILE_NOT_SAVED'); + /* take user to home page to avoid unspecified error warning */ + header('Location: index.php?pathext='.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); + exit; + } + + if (($f = @fopen($current_path.$pathext.$filename.'.'.$extension,'w')) && @fwrite($f, stripslashes($_POST['body_text'])) !== FALSE && @fclose($f)){ + $msg->addFeedback('FILE_OVERWRITE'); + } else { + $msg->addError('CANNOT_OVERWRITE_FILE'); + } + unset($_POST['newfile']); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['savenewfile'])) { + + if (isset($_POST['filename']) && ($_POST['filename'] != "")) { + $filename = preg_replace("{[^a-zA-Z0-9_]}","_", trim($_POST['filename'])); + $pathext = $_POST['pathext']; + $current_path = TR_CONTENT_DIR.$_course_id.'/'; + + /* only html or txt extensions allowed */ + if ($_POST['extension'] == 'html') { + $extension = 'html'; + $head_html = "\n\n".$_POST['filename']."\n\n"; + $foot_html ="\n\n"; + } else { + $extension = 'txt'; + } + + if 
(!@file_exists($current_path.$pathext.$filename.'.'.$extension)) { + $content = str_replace("\r\n", "\n", $head_html.$_POST['body_text'].$foot_html); + + if (FileUtility::course_realpath($current_path . $pathext . $filename.'.'.$extension) == FALSE) { + $msg->addError('FILE_NOT_SAVED'); + /* take user to home page to avoid unspecified error warning */ + header('Location: index.php?pathext='.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); + exit; + } + + if (($f = fopen($current_path.$pathext.$filename.'.'.$extension, 'w')) && (@fwrite($f, stripslashes($content)) !== false) && (@fclose($f))) { + $msg->addFeedback(array('FILE_SAVED', $filename.'.'.$extension)); + header('Location: index.php?pathext='.urlencode($_POST['pathext']).SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); + exit; + } else { + $msg->addError('FILE_NOT_SAVED'); + header('Location: index.php?pathext='.$pathext.SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'_course_id='.$_course_id); + exit; + } + } + else { + require(TR_INCLUDE_PATH.'header.inc.php'); + $pathext = $_POST['pathext']; + $popup = $_POST['popup']; + + $_POST['newfile'] = "new"; + + $hidden_vars['pathext'] = $pathext; + $hidden_vars['filename'] = $filename; + $hidden_vars['extension'] = $extension; + $hidden_vars['_course_id'] = $_course_id; + $hidden_vars['body_text'] = $_POST['body_text']; + + $hidden_vars['popup'] = $popup; + $hidden_vars['framed'] = $framed; + + $msg->addConfirm(array('FILE_EXISTS', $filename.'.'.$extension), $hidden_vars); + $msg->printConfirm(); + + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + } else { + $msg->addError(array('EMPTY_FIELDS', _AT('file_name'))); + } +} + +$onload="on_load()"; + +require(TR_INCLUDE_PATH.'header.inc.php'); +require_once(TR_INCLUDE_PATH.'lib/tinymce.inc.php'); + +// set default body editor to tinymce editor +if (!isset($_POST['extension'])) $_POST['extension'] = 'html'; + +// load tinymce library +load_editor(true, false, "none"); + 
+$pathext = $_GET['pathext']; +$popup = $_GET['popup']; + +$msg->printAll(); + +?> +
    + + + +
    +
    +
    + *
    + /> +
    + +
    + *
    + onclick="trans.editor.switch_content_type(this.value);" /> + + + , onclick="trans.editor.switch_content_type(this.value);" /> + +
    + +
    +
    + +
    + +
    + + +
    +
    +
    +
    + + + + diff --git a/file_manager/preview.php b/file_manager/preview.php index f85986f2..1363e2ac 100644 --- a/file_manager/preview.php +++ b/file_manager/preview.php @@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); global $_course_id; @@ -42,4 +43,4 @@ - \ No newline at end of file + diff --git a/file_manager/preview_top.php b/file_manager/preview_top.php index 1c586da0..f60aed3e 100644 --- a/file_manager/preview_top.php +++ b/file_manager/preview_top.php @@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); global $_course_id; @@ -40,4 +41,4 @@

    - \ No newline at end of file + diff --git a/file_manager/rename.php b/file_manager/rename.php index ae403b79..fe58f6fa 100644 --- a/file_manager/rename.php +++ b/file_manager/rename.php 
@@ -1,99 +1,100 @@ -addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; -} - -if (isset($_POST['rename_action'])) { - - $_POST['new_name'] = trim($_POST['new_name']); - $_POST['new_name'] = str_replace(' ', '_', $_POST['new_name']); - $_POST['new_name'] = str_replace(array(' ', '/', '\\', ':', '*', '?', '"', '<', '>', '|', '\''), '', $_POST['new_name']); - - $_POST['oldname'] = trim($_POST['oldname']); - $_POST['oldname'] = str_replace(' ', '_', $_POST['oldname']); - $_POST['oldname'] = str_replace(array(' ', '/', '\\', ':', '*', '?', '"', '<', '>', '|', '\''), '', $_POST['oldname']); - - $path_parts_new = pathinfo($_POST['new_name']); - $ext_new = $path_parts_new['extension']; - $pathext = $_POST['pathext']; - - /* check if this file extension is allowed: */ - /* $IllegalExtentions is defined in ./include/config.inc.php */ - if (in_array($ext_new, $IllegalExtentions)) { - $errors = array('FILE_ILLEGAL', $ext_new); - $msg->addError($errors); - } - else if ($current_path.$pathext.$_POST['new_name'] == $current_path.$pathext.$_POST['oldname']) { - //do nothing - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: index.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - - //make sure new file is inside content directory - else if (FileUtility::course_realpath($current_path . $pathext . $_POST['new_name']) == FALSE) { - $msg->addError('CANNOT_RENAME'); - } - else if (FileUtility::course_realpath($current_path . $pathext . 
$_POST['oldname']) == FALSE) { - $msg->addError('CANNOT_RENAME'); - } - else if (file_exists($current_path . $pathext . $_POST['new_name'])) { - $msg->addError('CANNOT_RENAME'); - } - else { - @rename($current_path.$pathext.$_POST['oldname'], $current_path.$pathext.$_POST['new_name']); - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: index.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); - exit; - } -} - -require(TR_INCLUDE_PATH.'header.inc.php'); -?> -
    - - - - - - -
    -
    - * -
    - -
    - -
    - - -
    -
    -
    - - \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; +} + +if (isset($_POST['rename_action'])) { + + $_POST['new_name'] = trim($_POST['new_name']); + $_POST['new_name'] = str_replace(' ', '_', $_POST['new_name']); + $_POST['new_name'] = str_replace(array(' ', '/', '\\', ':', '*', '?', '"', '<', '>', '|', '\''), '', $_POST['new_name']); + + $_POST['oldname'] = trim($_POST['oldname']); + $_POST['oldname'] = str_replace(' ', '_', $_POST['oldname']); + $_POST['oldname'] = str_replace(array(' ', '/', '\\', ':', '*', '?', '"', '<', '>', '|', '\''), '', $_POST['oldname']); + + $path_parts_new = pathinfo($_POST['new_name']); + $ext_new = $path_parts_new['extension']; + $pathext = $_POST['pathext']; + + /* check if this file extension is allowed: */ + /* $IllegalExtentions is defined in ./include/config.inc.php */ + if (in_array($ext_new, $IllegalExtentions)) { + $errors = array('FILE_ILLEGAL', $ext_new); + $msg->addError($errors); + } + else if ($current_path.$pathext.$_POST['new_name'] == $current_path.$pathext.$_POST['oldname']) { + //do nothing + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: index.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + + //make sure new file is inside content directory + else if (FileUtility::course_realpath($current_path . $pathext . $_POST['new_name']) == FALSE) { + $msg->addError('CANNOT_RENAME'); + } + else if (FileUtility::course_realpath($current_path . $pathext . 
$_POST['oldname']) == FALSE) { + $msg->addError('CANNOT_RENAME'); + } + else if (file_exists($current_path . $pathext . $_POST['new_name'])) { + $msg->addError('CANNOT_RENAME'); + } + else { + @rename($current_path.$pathext.$_POST['oldname'], $current_path.$pathext.$_POST['new_name']); + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: index.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'cp='.$_POST['cp'].SEP.'cid='.$_POST['cid'].SEP.'pid='.$_POST['pid'].SEP.'a_type='.$_POST['a_type'].SEP.'_course_id='.$_course_id); + exit; + } +} + +require(TR_INCLUDE_PATH.'header.inc.php'); +?> +
    + + + + + + +
    +
    + * +
    + +
    + +
    + + +
    +
    +
    + + diff --git a/file_manager/top.php b/file_manager/top.php index ff1e5859..4656347c 100644 --- a/file_manager/top.php +++ b/file_manager/top.php 
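Review bot: The extension check in the `rename_action` branch of file_manager/rename.php compares `$ext_new` with `$IllegalExtentions` exactly as typed, so it only works if the denylist contains every case variant of each blocked extension. The list lives in config.inc.php and is not visible here, so this needs confirming. `$path_parts_new['extension']` is also read without checking that it exists, which raises a notice for names without a dot. I would normalise before the lookup: `$ext_new = strtolower(isset($path_parts_new['extension']) ? $path_parts_new['extension'] : '');` followed by `in_array($ext_new, $IllegalExtentions, true)`. An allowlist of permitted extensions would be more robust than the denylist for a rename that can change a stored file's type. The top of the file is not legible in this rendering, so checks made before `rename_action` could not be reviewed.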
@@ -1,183 +1,184 @@ -addError('NO_ITEM_SELECTED'); - } else if (count($_POST['check']) < 1) { - // error: you must select one file/dir to rename - $msg->addError('NO_ITEM_SELECTED'); - } else if (count($_POST['check']) > 1) { - // error: you must select ONLY one file/dir to rename - $msg->addError('SELECT_ONE_ITEM'); - } else { - header('Location: rename.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'oldname='.urlencode($_POST['check'][0]).SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - exit; - } -} else if (isset($_POST['delete'])) { - - if (!is_array($_POST['check'])) { - $msg->addError('NO_ITEM_SELECTED'); - } else { - - $list = implode(',', $_POST['check']); - header('Location: delete.php?pathext=' . urlencode($_POST['pathext']) . SEP . 'framed=' . $framed . SEP . 'popup=' . $popup . SEP . 'list=' . urlencode($list).SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - exit; - } -} else if (isset($_POST['move'])) { - - if (!is_array($_POST['check'])) { - $msg->addError('NO_ITEM_SELECTED'); - } else { - - $list = implode(',', $_POST['check']); - header('Location: move.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'list='.urlencode($list).SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - exit; - } -} - -$MakeDirOn = true; - -/* get this courses MaxQuota and MaxFileSize: */ -$row = $coursesDAO->get($_course_id); -$my_MaxCourseSize = $row['max_quota']; -$my_MaxFileSize = $row['max_file_size']; - -if ($my_MaxCourseSize == TR_COURSESIZE_DEFAULT) { - $my_MaxCourseSize = $MaxCourseSize; -} -if ($my_MaxFileSize == TR_FILESIZE_DEFAULT) { - $my_MaxFileSize = $MaxFileSize; -} else if ($my_MaxFileSize == TR_FILESIZE_SYSTEM_MAX) { - 
$my_MaxFileSize = megabytes_to_bytes(substr(ini_get('upload_max_filesize'), 0, -1)); -} - -$MaxSubDirs = 5; -$MaxDirDepth = 10; - -if ($_GET['pathext'] != '') { - $pathext = urldecode($_GET['pathext']); -} else if ($_POST['pathext'] != '') { - $pathext = $_POST['pathext']; -} - -if (strpos($pathext, '..') !== false) { - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('UNKNOWN'); - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} -if($_GET['back'] == 1) { - $pathext = substr($pathext, 0, -1); - $slashpos = strrpos($pathext, '/'); - if($slashpos == 0) { - $pathext = ''; - } else { - $pathext = substr($pathext, 0, ($slashpos+1)); - } - -} - -$start_at = 2; -/* remove the forward or backwards slash from the path */ -$newpath = $current_path; -$depth = substr_count($pathext, '/'); - -if ($pathext != '') { - $bits = explode('/', $pathext); - foreach ($bits as $bit) { - if ($bit != '') { - $bit_path .= $bit; - - $_section[$start_at][0] = $bit; - $_section[$start_at][1] = '../file_manager/index.php?pathext=' . urlencode($bit_path) . SEP . 'popup=' . $popup . SEP . 'framed=' . 
$framed.SEP.'_course_id='.$_course_id; - - $start_at++; - } - } - $bit_path = ""; - $bit = ""; -} - -/* if upload successful, close the window */ -if ($f) { - $onload = 'closeWindow(\'progWin\');'; -} - -/* make new directory */ -if ($_POST['mkdir_value'] && ($depth < $MaxDirDepth) ) { - $_POST['dirname'] = trim($_POST['dirname']); - - /* anything else should be okay, since we're on *nix..hopefully */ - $_POST['dirname'] = preg_replace('/[^a-zA-Z0-9._]/', '', $_POST['dirname']); - - if ($_POST['dirname'] == '') { - $msg->addError(array('FOLDER_NOT_CREATED', $_POST['dirname'] )); - } - else if (strpos($_POST['dirname'], '..') !== false) { - $msg->addError('BAD_FOLDER_NAME'); - } - else { - $result = @mkdir($current_path.$pathext.$_POST['dirname'], 0700); - if($result == 0) { - $msg->addError(array('FOLDER_NOT_CREATED', $_POST['dirname'] )); - } - else { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - } - } -} - -$newpath = substr($current_path.$pathext, 0, -1); - -/* open the directory */ -if (!($dir = @opendir($newpath))) { - if (isset($_GET['create']) && ($newpath.'/' == $current_path)) { - @mkdir($newpath); - if (!($dir = @opendir($newpath))) { - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('CANNOT_CREATE_DIR'); - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } else { - $msg->addFeedback('CONTENT_DIR_CREATED'); - } - } else { - require(TR_INCLUDE_PATH.'header.inc.php'); - - $msg->printErrors('CANNOT_OPEN_DIR'); - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } -} - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); -} - -require(TR_INCLUDE_PATH.'header.inc.php'); -?> \ No newline at end of file +addError('NO_ITEM_SELECTED'); + } else if (count($_POST['check']) < 1) { + // error: you must select one file/dir to rename + $msg->addError('NO_ITEM_SELECTED'); + } else if (count($_POST['check']) > 1) { + // error: you must select ONLY one file/dir to rename + $msg->addError('SELECT_ONE_ITEM'); + } else { + 
header('Location: rename.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'oldname='.urlencode($_POST['check'][0]).SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + exit; + } +} else if (isset($_POST['delete'])) { + + if (!is_array($_POST['check'])) { + $msg->addError('NO_ITEM_SELECTED'); + } else { + + $list = implode(',', $_POST['check']); + header('Location: delete.php?pathext=' . urlencode($_POST['pathext']) . SEP . 'framed=' . $framed . SEP . 'popup=' . $popup . SEP . 'list=' . urlencode($list).SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + exit; + } +} else if (isset($_POST['move'])) { + + if (!is_array($_POST['check'])) { + $msg->addError('NO_ITEM_SELECTED'); + } else { + + $list = implode(',', $_POST['check']); + header('Location: move.php?pathext='.urlencode($_POST['pathext']).SEP.'framed='.$framed.SEP.'popup='.$popup.SEP.'list='.urlencode($list).SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + exit; + } +} + +$MakeDirOn = true; + +/* get this courses MaxQuota and MaxFileSize: */ +$row = $coursesDAO->get($_course_id); +$my_MaxCourseSize = $row['max_quota']; +$my_MaxFileSize = $row['max_file_size']; + +if ($my_MaxCourseSize == 'TR_COURSESIZE_DEFAULT') { + $my_MaxCourseSize = $MaxCourseSize; +} +if ($my_MaxFileSize == 'TR_FILESIZE_DEFAULT') { + $my_MaxFileSize = $MaxFileSize; +} else if ($my_MaxFileSize == 'TR_FILESIZE_SYSTEM_MAX') { + $my_MaxFileSize = megabytes_to_bytes(substr(ini_get('upload_max_filesize'), 0, -1)); +} + +$MaxSubDirs = 5; +$MaxDirDepth = 10; + +if ($_GET['pathext'] != '') { + $pathext = urldecode($_GET['pathext']); +} else if ($_POST['pathext'] != '') { + $pathext = $_POST['pathext']; +} + +if (strpos($pathext, '..') !== false) { + 
require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('UNKNOWN'); + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} +if($_GET['back'] == 1) { + $pathext = substr($pathext, 0, -1); + $slashpos = strrpos($pathext, '/'); + if($slashpos == 0) { + $pathext = ''; + } else { + $pathext = substr($pathext, 0, ($slashpos+1)); + } + +} + +$start_at = 2; +/* remove the forward or backwards slash from the path */ +$newpath = $current_path; +$depth = substr_count($pathext, '/'); + +if ($pathext != '') { + $bits = explode('/', $pathext); + foreach ($bits as $bit) { + if ($bit != '') { + $bit_path .= $bit; + + $_section[$start_at][0] = $bit; + $_section[$start_at][1] = '../file_manager/index.php?pathext=' . urlencode($bit_path) . SEP . 'popup=' . $popup . SEP . 'framed=' . $framed.SEP.'_course_id='.$_course_id; + + $start_at++; + } + } + $bit_path = ""; + $bit = ""; +} + +/* if upload successful, close the window */ +if ($f) { + $onload = 'closeWindow(\'progWin\');'; +} + +/* make new directory */ +if ($_POST['mkdir_value'] && ($depth < $MaxDirDepth) ) { + $_POST['dirname'] = trim($_POST['dirname']); + + /* anything else should be okay, since we're on *nix..hopefully */ + $_POST['dirname'] = preg_replace('/[^a-zA-Z0-9._]/', '', $_POST['dirname']); + + if ($_POST['dirname'] == '') { + $msg->addError(array('FOLDER_NOT_CREATED', $_POST['dirname'] )); + } + else if (strpos($_POST['dirname'], '..') !== false) { + $msg->addError('BAD_FOLDER_NAME'); + } + else { + $result = @mkdir($current_path.$pathext.$_POST['dirname'], 0700); + if($result == 0) { + $msg->addError(array('FOLDER_NOT_CREATED', $_POST['dirname'] )); + } + else { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + } + } +} + +$newpath = substr($current_path.$pathext, 0, -1); + +/* open the directory */ +if (!($dir = @opendir($newpath))) { + if (isset($_GET['create']) && ($newpath.'/' == $current_path)) { + @mkdir($newpath); + if (!($dir = @opendir($newpath))) { + 
require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('CANNOT_CREATE_DIR'); + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } else { + $msg->addFeedback('CONTENT_DIR_CREATED'); + } + } else { + require(TR_INCLUDE_PATH.'header.inc.php'); + + $msg->printErrors('CANNOT_OPEN_DIR'); + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } +} + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); +} + +require(TR_INCLUDE_PATH.'header.inc.php'); +?> diff --git a/file_manager/upload.php b/file_manager/upload.php index 2b44f689..c80bdd48 100644 --- a/file_manager/upload.php +++ b/file_manager/upload.php 
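Review bot: The three quota sentinels in file_manager/top.php are now compared as string literals (`'TR_COURSESIZE_DEFAULT'`, `'TR_FILESIZE_DEFAULT'`, `'TR_FILESIZE_SYSTEM_MAX'`) instead of constants. Unless `max_quota` and `max_file_size` literally hold those strings, the fallback to `$MaxCourseSize` / `$MaxFileSize` will no longer fire, and the raw sentinel value from the course row is used as the limit. If the quoting was meant to silence an undefined-constant warning, it would be better to define the constants next to `TR_COURSESIZE_UNLIMITED` (still used unquoted in upload.php) and keep `if ($my_MaxCourseSize == TR_COURSESIZE_DEFAULT) {`. The same branch calls `megabytes_to_bytes()` unqualified while upload.php uses `FileUtility::megabytes_to_bytes()`; the two should agree. Where the constants are defined is outside this hunk, so this needs checking against the constants file.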
@@ -1,176 +1,177 @@ -get($_course_id); -$my_MaxCourseSize = $row['max_quota']; -$my_MaxFileSize = $row['max_file_size']; - -if ($my_MaxCourseSize != TR_COURSESIZE_UNLIMITED) $my_MaxCourseSize = $MaxCourseSize; -$my_MaxFileSize = FileUtility::megabytes_to_bytes(substr(ini_get('upload_max_filesize'), 0, -1)); - -// if ($my_MaxCourseSize == TR_COURSESIZE_DEFAULT) { -// $my_MaxCourseSize = $MaxCourseSize; -// } -// if ($my_MaxFileSize == TR_FILESIZE_DEFAULT) { -// $my_MaxFileSize = $MaxFileSize; -// } else if ($my_MaxFileSize == TR_FILESIZE_SYSTEM_MAX) { -// $my_MaxFileSize = megabytes_to_bytes(substr(ini_get('upload_max_filesize'), 0, -1)); -// } - -$path = TR_CONTENT_DIR . $_course_id.'/'.$_POST['pathext']; - -if (isset($_POST['submit'])) { - if($_FILES['file']) { - $_FILES['uploadedfile'] = $_FILES['file']; - } - if($_FILES['uploadedfile']['name']) { - $_FILES['uploadedfile']['name'] = trim($_FILES['uploadedfile']['name']); - $_FILES['uploadedfile']['name'] = str_replace(' ', '_', $_FILES['uploadedfile']['name']); - - $path_parts = pathinfo($_FILES['uploadedfile']['name']); - $ext = $path_parts['extension']; - /* check if this file extension is allowed: */ - /* $IllegalExtentions is defined in ./include/config.inc.php */ - if (in_array($ext, $IllegalExtentions)) { - $errors = array('FILE_ILLEGAL', $ext); - $msg->addError($errors); - FileUtility::handleAjaxUpload(500); - header('Location: index.php?pathext='.$_POST['pathext'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - exit; - } - - /* also have to handle the 'application/x-zip-compressed' case */ - if ( ($_FILES['uploadedfile']['type'] == 'application/x-zip-compressed') - || ($_FILES['uploadedfile']['type'] == 'application/zip') - || ($_FILES['uploadedfile']['type'] == 'application/x-zip')){ - $is_zip = true; - } - - - /* anything else should be okay, since we're on *nix.. 
hopefully */ - $_FILES['uploadedfile']['name'] = str_replace(array(' ', '/', '\\', ':', '*', '?', '"', '<', '>', '|', '\''), '', $_FILES['uploadedfile']['name']); - - /* if the file size is within allowed limits */ - if( ($_FILES['uploadedfile']['size'] > 0) && ($_FILES['uploadedfile']['size'] <= $my_MaxFileSize) ) { - - /* if adding the file will not exceed the maximum allowed total */ - $course_total = FileUtility::dirsize($path); - - if ((($course_total + $_FILES['uploadedfile']['size']) <= $my_MaxCourseSize) || ($my_MaxCourseSize == TR_COURSESIZE_UNLIMITED)) { - - /* check if this file exists first */ - if (file_exists($path.$_FILES['uploadedfile']['name'])) { - /* this file already exists, so we want to prompt for override */ - - /* save it somewhere else, temporarily first */ - /* file_name.time ? */ - $_FILES['uploadedfile']['name'] = substr(time(), -4).'.'.$_FILES['uploadedfile']['name']; - - $f = array('FILE_EXISTS', - substr($_FILES['uploadedfile']['name'], 5), - $_FILES['uploadedfile']['name']); - $msg->addFeedback($f); - } - - /* copy the file in the directory */ - $result = move_uploaded_file( $_FILES['uploadedfile']['tmp_name'], $path.$_FILES['uploadedfile']['name'] ); - - if (!$result) { - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('FILE_NOT_SAVED'); - echo '' . _AT('back') . ''; - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } else { - if ($is_zip) { - $f = array('FILE_UPLOADED_ZIP', - urlencode($_POST['pathext']), - urlencode($_FILES['uploadedfile']['name']), - $_GET['popup'], - $_course_id, - SEP); - $msg->addFeedback($f); - FileUtility::handleAjaxUpload(200); - if ($alter) - header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); - else - header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 
'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - exit; - } /* else */ - - // uploading an alternative content object - if ($_GET['a_type'] > 0) { - header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'uploadfile='.urlencode($_FILES['uploadedfile']['name']).SEP.'_course_id='.$_course_id); - } - else { - $msg->addFeedback('FILE_UPLOADED'); - FileUtility::handleAjaxUpload(200); - - if ($alter) - header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); - else - header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - } - exit; - } - } else { - $msg->addError(array('MAX_STORAGE_EXCEEDED', get_human_size($my_MaxCourseSize))); - FileUtility::handleAjaxUpload(500); - if ($alter) - header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); - else - header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - - exit; - } - } else { - $msg->addError(array('FILE_TOO_BIG', get_human_size($my_MaxFileSize))); - FileUtility::handleAjaxUpload(500); - if ($alter) - header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 
'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); - else - header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - - exit; - } - } else { - $msg->addError('FILE_NOT_SELECTED'); - FileUtility::handleAjaxUpload(500); - if ($alter) - header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); - else - header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); - exit; - } -} - -?> \ No newline at end of file +get($_course_id); +$my_MaxCourseSize = $row['max_quota']; +$my_MaxFileSize = $row['max_file_size']; + +if ($my_MaxCourseSize != TR_COURSESIZE_UNLIMITED) $my_MaxCourseSize = $MaxCourseSize; +$my_MaxFileSize = FileUtility::megabytes_to_bytes(substr(ini_get('upload_max_filesize'), 0, -1)); + +// if ($my_MaxCourseSize == TR_COURSESIZE_DEFAULT) { +// $my_MaxCourseSize = $MaxCourseSize; +// } +// if ($my_MaxFileSize == TR_FILESIZE_DEFAULT) { +// $my_MaxFileSize = $MaxFileSize; +// } else if ($my_MaxFileSize == TR_FILESIZE_SYSTEM_MAX) { +// $my_MaxFileSize = megabytes_to_bytes(substr(ini_get('upload_max_filesize'), 0, -1)); +// } + +$path = TR_CONTENT_DIR . 
$_course_id.'/'.$_POST['pathext']; + +if (isset($_POST['submit'])) { + if($_FILES['file']) { + $_FILES['uploadedfile'] = $_FILES['file']; + } + if($_FILES['uploadedfile']['name']) { + $_FILES['uploadedfile']['name'] = trim($_FILES['uploadedfile']['name']); + $_FILES['uploadedfile']['name'] = str_replace(' ', '_', $_FILES['uploadedfile']['name']); + + $path_parts = pathinfo($_FILES['uploadedfile']['name']); + $ext = $path_parts['extension']; + /* check if this file extension is allowed: */ + /* $IllegalExtentions is defined in ./include/config.inc.php */ + if (in_array($ext, $IllegalExtentions)) { + $errors = array('FILE_ILLEGAL', $ext); + $msg->addError($errors); + FileUtility::handleAjaxUpload(500); + header('Location: index.php?pathext='.$_POST['pathext'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + exit; + } + + /* also have to handle the 'application/x-zip-compressed' case */ + if ( ($_FILES['uploadedfile']['type'] == 'application/x-zip-compressed') + || ($_FILES['uploadedfile']['type'] == 'application/zip') + || ($_FILES['uploadedfile']['type'] == 'application/x-zip')){ + $is_zip = true; + } + + + /* anything else should be okay, since we're on *nix.. 
hopefully */ + $_FILES['uploadedfile']['name'] = str_replace(array(' ', '/', '\\', ':', '*', '?', '"', '<', '>', '|', '\''), '', $_FILES['uploadedfile']['name']); + + /* if the file size is within allowed limits */ + if( ($_FILES['uploadedfile']['size'] > 0) && ($_FILES['uploadedfile']['size'] <= $my_MaxFileSize) ) { + + /* if adding the file will not exceed the maximum allowed total */ + $course_total = FileUtility::dirsize($path); + + if ((($course_total + $_FILES['uploadedfile']['size']) <= $my_MaxCourseSize) || ($my_MaxCourseSize == TR_COURSESIZE_UNLIMITED)) { + + /* check if this file exists first */ + if (file_exists($path.$_FILES['uploadedfile']['name'])) { + /* this file already exists, so we want to prompt for override */ + + /* save it somewhere else, temporarily first */ + /* file_name.time ? */ + $_FILES['uploadedfile']['name'] = substr(time(), -4).'.'.$_FILES['uploadedfile']['name']; + + $f = array('FILE_EXISTS', + substr($_FILES['uploadedfile']['name'], 5), + $_FILES['uploadedfile']['name']); + $msg->addFeedback($f); + } + + /* copy the file in the directory */ + $result = move_uploaded_file( $_FILES['uploadedfile']['tmp_name'], $path.$_FILES['uploadedfile']['name'] ); + + if (!$result) { + require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('FILE_NOT_SAVED'); + echo '' . _AT('back') . ''; + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } else { + if ($is_zip) { + $f = array('FILE_UPLOADED_ZIP', + urlencode($_POST['pathext']), + urlencode($_FILES['uploadedfile']['name']), + $_GET['popup'], + $_course_id, + SEP); + $msg->addFeedback($f); + FileUtility::handleAjaxUpload(200); + if ($alter) + header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); + else + header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 
'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + exit; + } /* else */ + + // uploading an alternative content object + if ($_GET['a_type'] > 0) { + header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'uploadfile='.urlencode($_FILES['uploadedfile']['name']).SEP.'_course_id='.$_course_id); + } + else { + $msg->addFeedback('FILE_UPLOADED'); + FileUtility::handleAjaxUpload(200); + + if ($alter) + header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); + else + header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + } + exit; + } + } else { + $msg->addError(array('MAX_STORAGE_EXCEEDED', get_human_size($my_MaxCourseSize))); + FileUtility::handleAjaxUpload(500); + if ($alter) + header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); + else + header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + + exit; + } + } else { + $msg->addError(array('FILE_TOO_BIG', get_human_size($my_MaxFileSize))); + FileUtility::handleAjaxUpload(500); + if ($alter) + header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 
'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); + else + header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + + exit; + } + } else { + $msg->addError('FILE_NOT_SELECTED'); + FileUtility::handleAjaxUpload(500); + if ($alter) + header('Location: '.$_base_href.'editor/edit_content.php?cid='.$_REQUEST['cid'].SEP . 'pathext='.$_POST['pathext'].SEP. 'popup='.$_GET['popup'].SEP. 'tab='.$_REQUEST['tab'].SEP.'_course_id='.$_course_id); + else + header('Location: index.php?pathext=' . $_POST['pathext'] . SEP . 'popup=' . $_GET['popup'].SEP. 'framed='.$framed.SEP.'cp='.$_GET['cp'].SEP.'pid='.$_GET['pid'].SEP.'cid='.$_GET['cid'].SEP.'a_type='.$_GET['a_type'].SEP.'_course_id='.$_course_id); + exit; + } +} + +?> diff --git a/file_manager/zip.php b/file_manager/zip.php index a4246543..26f29b11 100644 --- a/file_manager/zip.php +++ b/file_manager/zip.php 
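Review bot: The extension check in file_manager/upload.php runs before the filename is fully normalised. `pathinfo()` and `in_array($ext, $IllegalExtentions)` run first, and only afterwards does the `str_replace(array(' ', '/', '\\', ':', ...), '', ...)` line strip characters from the name, so the name passed to `move_uploaded_file()` can end in a different extension from the one that was checked. The `str_replace(array(...), '', $_FILES['uploadedfile']['name'])` line should move above `$path_parts = pathinfo(...)`, and the lookup should use a lower-cased value: `in_array(strtolower($ext), $IllegalExtentions, true)`. Separately, `$path` is built from `$_POST['pathext']`, and no `..` or `FileUtility::course_realpath()` check on it is visible in this hunk, unlike rename.php. One should be added before the move unless it already happens in the part of the file that is not legible here.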
@@ -1,290 +1,291 @@ -addFeedback('CANCELLED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'popup='.$_POST['popup'].SEP.'framed='.$_POST['framed'].SEP.'_course_id='.$_course_id); - exit; -} - - $path = TR_CONTENT_DIR . $_course_id.'/'; - - if ($_REQUEST['pathext'] != '') { - $pathext = $_REQUEST['pathext']; - } - if ($_REQUEST['file'] != '') { - $file = $_REQUEST['file']; - } - - if (strpos($file, '..') !== false) { - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('UNKNOWN'); - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - - $path_parts = pathinfo($pathext.$file); - - $temp_name = substr($file, 0, -strlen('.'.$path_parts['extension'])); - - $zip = new PclZip($path.$pathext.$file); - - if (($list = $zip->listContent()) == 0) { - die("Error : ".$zip->errorInfo(true)); - } - -/*****************************************************************/ - $totalBytes = 0; - $translated_file_names = array(); - - for ($i=0; $i'; - - $is_dir = true; - - } else if ($ext == 'zip') { - - $totalBytes += $list[$i]['size']; - $filename = $list[$i]['stored_filename']; - $fileicon = ''._AT('zip_archive').''; - - } else { - $totalBytes += $list[$i]['size']; - $filename = $list[$i]['stored_filename']; - $fileicon = ''._AT('file').''; - } - - if ($is_dir) { - $dirs[strtolower($filename)] .= ' - '.$filename.''; - - $dirs[strtolower($filename)] .= ''.FileUtility::get_human_size($list[$i]['size']).' 
'; - $dirs[strtolower($filename)] .= ' '; - - $dirs[strtolower($filename)] .= AT_date(_AT('filemanager_date_format'), $filedata[10], TR_DATE_UNIX_TIMESTAMP); - - $dirs[strtolower($filename)] .= ' '; - - $dirs[strtolower($filename)] .= ''; - } else { - - $files[strtolower($filename)] .= ' - '; - - if (in_array($ext, $IllegalExtentions)) { - $files[strtolower($filename)] .= ''.$filename.''; - } else { - $files[strtolower($filename)] .= $filename; - - $trans_name = str_replace(' ', '_', $path_parts['basename']); - $trans_name = preg_replace("/[^A-Za-z0-9._\-]/", '', $trans_name); - - if (in_array($path_parts['dirname'].$trans_name, $translated_file_names)) { - $trans_count = 2; - while (in_array($trans_name, $translated_file_names)) { - $part = substr($trans_name, 0, -strlen($ext)- 1 - (2*($trans_count-2))); - $trans_name = $part.'_'.$trans_count.'.'.$ext; - $trans_count++; - if ($trans_count>15){ - exit; // INF loop safety thing.. - } - } - } - - $translated_file_names[$list[$i]['index']] = $path_parts['dirname'].$trans_name; - - if ($path_parts['dirname'].$trans_name != $filename) { - $files[strtolower($filename)] .= ' => '.$trans_name; - } - - } - - $files[strtolower($filename)] .= ''; - - $files[strtolower($filename)] .= ''.FileUtility::get_human_size($list[$i]['size']).' 
'; - $files[strtolower($filename)] .= ' '; - - $files[strtolower($filename)] .= AT_date(_AT('filemanager_date_format'), $list[$i]['mtime'], TR_DATE_UNIX_TIMESTAMP); - - $files[strtolower($filename)] .= ''; - - $files[strtolower($filename)] .= ''; - } - } - - $row = $coursesDAO->get($_course_id); - $my_MaxCourseSize = $row['max_quota']; - $my_MaxFileSize = $row['max_file_size']; - - $course_total = FileUtility::dirsize($path); - if ($my_MaxCourseSize == TR_COURSESIZE_UNLIMITED) { - $total_after = 1; - } else { - $my_MaxCourseSize = $MaxCourseSize; - $total_after = FileUtility::get_human_size($my_MaxCourseSize-$course_total-$totalBytes); - } -// else{ -// $total_after = get_human_size($my_MaxCourseSize - $course_total - $totalBytes); -// } - - // if $total_after < 0: redirect with error msg - - if (isset($_POST['submit']) && ($total_after > 0)) { - $_POST['custom_path'] = trim($_POST['custom_path']); - $_POST['custom_path'] = str_replace(' ', '_', $_POST['custom_path']); - - /* anything else should be okay, since we're on *nix.. hopefully */ - $_POST['custom_path'] = preg_replace('/[^a-zA-Z0-9._\/]/', '', $_POST['custom_path']); - - if (strpos($_POST['pathext'].$_POST['custom_path'], '..') !== false) { - $msg->addError('UNKNOWN'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); - exit; - } else if ($zip->extract( PCLZIP_OPT_PATH, $path. $_POST['pathext'] . 
$_POST['custom_path'], - PCLZIP_CB_PRE_EXTRACT, 'preExtractCallBack') == 0) { - - echo ("Error : ".$zip->errorInfo(true)); - } else { - $msg->addFeedback('ARCHIVE_EXTRACTED'); - header('Location: index.php?pathext='.$_POST['pathext'].SEP.'popup='.$_POST['popup'].SEP.'framed='.$_POST['framed'].SEP.'_course_id='.$_course_id); - exit; - } - - header('Location: index.php'.SEP.'_course_id='.$_course_id); - exit; - } - - require(TR_INCLUDE_PATH.'header.inc.php'); - - if ($total_after <= 0) { - $msg->printErrors('NO_SPACE_LEFT'); - } else { -?> -
    - - - - - -
    -
    -

    -

    -
    - -
    - *
    - -
    - -
    - - -
    -
    -
    - - - - - - - - - - - - $y) { - echo $y; - } - } - - if (is_array($files)) { - foreach($files as $x => $y) { - echo $y; - } - } -?> - - - - - - - - - - - - - - - - - - - - - - - -
    : 
    : 
    : 
    :'; - echo $total_after; - echo ''; - } else { - echo $total_after; - } - } ?> 
    - - \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'popup='.$_POST['popup'].SEP.'framed='.$_POST['framed'].SEP.'_course_id='.$_course_id); + exit; +} + + $path = TR_CONTENT_DIR . $_course_id.'/'; + + if ($_REQUEST['pathext'] != '') { + $pathext = $_REQUEST['pathext']; + } + if ($_REQUEST['file'] != '') { + $file = $_REQUEST['file']; + } + + if (strpos($file, '..') !== false) { + require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('UNKNOWN'); + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + + $path_parts = pathinfo($pathext.$file); + + $temp_name = substr($file, 0, -strlen('.'.$path_parts['extension'])); + + $zip = new PclZip($path.$pathext.$file); + + if (($list = $zip->listContent()) == 0) { + die("Error : ".$zip->errorInfo(true)); + } + +/*****************************************************************/ + $totalBytes = 0; + $translated_file_names = array(); + + for ($i=0; $i'; + + $is_dir = true; + + } else if ($ext == 'zip') { + + $totalBytes += $list[$i]['size']; + $filename = $list[$i]['stored_filename']; + $fileicon = ''._AT('zip_archive').''; + + } else { + $totalBytes += $list[$i]['size']; + $filename = $list[$i]['stored_filename']; + $fileicon = ''._AT('file').''; + } + + if ($is_dir) { + $dirs[strtolower($filename)] .= ' + '.$filename.''; + + $dirs[strtolower($filename)] .= ''.FileUtility::get_human_size($list[$i]['size']).' 
'; + $dirs[strtolower($filename)] .= ' '; + + $dirs[strtolower($filename)] .= AT_date(_AT('filemanager_date_format'), $filedata[10], TR_DATE_UNIX_TIMESTAMP); + + $dirs[strtolower($filename)] .= ' '; + + $dirs[strtolower($filename)] .= ''; + } else { + + $files[strtolower($filename)] .= ' + '; + + if (in_array($ext, $IllegalExtentions)) { + $files[strtolower($filename)] .= ''.$filename.''; + } else { + $files[strtolower($filename)] .= $filename; + + $trans_name = str_replace(' ', '_', $path_parts['basename']); + $trans_name = preg_replace("/[^A-Za-z0-9._\-]/", '', $trans_name); + + if (in_array($path_parts['dirname'].$trans_name, $translated_file_names)) { + $trans_count = 2; + while (in_array($trans_name, $translated_file_names)) { + $part = substr($trans_name, 0, -strlen($ext)- 1 - (2*($trans_count-2))); + $trans_name = $part.'_'.$trans_count.'.'.$ext; + $trans_count++; + if ($trans_count>15){ + exit; // INF loop safety thing.. + } + } + } + + $translated_file_names[$list[$i]['index']] = $path_parts['dirname'].$trans_name; + + if ($path_parts['dirname'].$trans_name != $filename) { + $files[strtolower($filename)] .= ' => '.$trans_name; + } + + } + + $files[strtolower($filename)] .= ''; + + $files[strtolower($filename)] .= ''.FileUtility::get_human_size($list[$i]['size']).' 
'; + $files[strtolower($filename)] .= ' '; + + $files[strtolower($filename)] .= AT_date(_AT('filemanager_date_format'), $list[$i]['mtime'], TR_DATE_UNIX_TIMESTAMP); + + $files[strtolower($filename)] .= ''; + + $files[strtolower($filename)] .= ''; + } + } + + $row = $coursesDAO->get($_course_id); + $my_MaxCourseSize = $row['max_quota']; + $my_MaxFileSize = $row['max_file_size']; + + $course_total = FileUtility::dirsize($path); + if ($my_MaxCourseSize == TR_COURSESIZE_UNLIMITED) { + $total_after = 1; + } else { + $my_MaxCourseSize = $MaxCourseSize; + $total_after = FileUtility::get_human_size($my_MaxCourseSize-$course_total-$totalBytes); + } +// else{ +// $total_after = get_human_size($my_MaxCourseSize - $course_total - $totalBytes); +// } + + // if $total_after < 0: redirect with error msg + + if (isset($_POST['submit']) && ($total_after > 0)) { + $_POST['custom_path'] = trim($_POST['custom_path']); + $_POST['custom_path'] = str_replace(' ', '_', $_POST['custom_path']); + + /* anything else should be okay, since we're on *nix.. hopefully */ + $_POST['custom_path'] = preg_replace('/[^a-zA-Z0-9._\/]/', '', $_POST['custom_path']); + + if (strpos($_POST['pathext'].$_POST['custom_path'], '..') !== false) { + $msg->addError('UNKNOWN'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'framed='.$_POST['framed'].SEP.'popup='.$_POST['popup'].SEP.'_course_id='.$_course_id); + exit; + } else if ($zip->extract( PCLZIP_OPT_PATH, $path. $_POST['pathext'] . 
$_POST['custom_path'], + PCLZIP_CB_PRE_EXTRACT, 'preExtractCallBack') == 0) { + + echo ("Error : ".$zip->errorInfo(true)); + } else { + $msg->addFeedback('ARCHIVE_EXTRACTED'); + header('Location: index.php?pathext='.$_POST['pathext'].SEP.'popup='.$_POST['popup'].SEP.'framed='.$_POST['framed'].SEP.'_course_id='.$_course_id); + exit; + } + + header('Location: index.php'.SEP.'_course_id='.$_course_id); + exit; + } + + require(TR_INCLUDE_PATH.'header.inc.php'); + + if ($total_after <= 0) { + $msg->printErrors('NO_SPACE_LEFT'); + } else { +?> +
    + + + + + +
    +
    +

    +

    +
    + +
    + *
    + +
    + +
    + + +
    +
    +
    + + + + + + + + + + + + $y) { + echo $y; + } + } + + if (is_array($files)) { + foreach($files as $x => $y) { + echo $y; + } + } +?> + + + + + + + + + + + + + + + + + + + + + + + +
    : 
    : 
    : 
    :'; + echo $total_after; + echo ''; + } else { + echo $total_after; + } + } ?> 
    + + diff --git a/home/course/content.php b/home/course/content.php index 2887c628..a48c5dde 100644 --- a/home/course/content.php +++ b/home/course/content.php 
@@ -1,247 +1,248 @@ -getContentPage($cid); - -if (!$content_row || !isset($contentManager)) { - $_pages['home/course/content.php']['title_var'] = 'missing_content'; - $_pages['home/course/content.php']['parent'] = 'home/index.php'; - $_pages['home/course/content.php']['ignore'] = true; - - - require(TR_INCLUDE_PATH.'header.inc.php'); - - $msg->addError('MISSING_CONTENT'); - $msg->printAll(); - - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} /* else: */ - -if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { - $course_base_href = 'get.php/'; -} else { - $course_base_href = 'content/' . $_course_id . '/'; -} - -/* the "heading navigation": */ -$path = $contentManager->getContentPath($cid); - -if ($content_row['content_path']) { - $content_base_href = $content_row['content_path'].'/'; -} - -$parent_headings = ''; -$num_in_path = count($path); - -/* the page title: */ -$page_title = ''; -$page_title .= $content_row['title']; - -$parent = 0; - -foreach ($path as $i=>$page) { - // When login is a student, remove content folder from breadcrumb path as content folders are - // just toggles for students. Keep content folder in breadcrumb path for instructors as they - // can edit content folder title. - if ((!isset($_current_user) || (!$_current_user->isAuthor($_course_id)|| $_current_user->isAdmin())) && - $contentManager->_menu_info[$page['content_id']]['content_type'] == CONTENT_TYPE_FOLDER) { - unset($path[$i]); - continue; - } - - if ($contentManager->_menu_info[$page['content_id']]['content_type'] == CONTENT_TYPE_FOLDER) - $content_url = 'home/editor/edit_content_folder.php?_cid='.$page['content_id']; - else - $content_url = 'home/course/content.php?_cid='.$page['content_id']; - - if (!$parent) { - $_pages[$content_url]['title'] = $page['content_number'] . $page['title']; - $_pages[$content_url]['parent'] = 'home/index.php'; - } else { - $_pages[$content_url]['title'] = $page['content_number'] . 
$page['title']; - if (isset($_pages['home/editor/edit_content_folder.php?_cid='.$parent])) { - $_pages[$content_url]['parent'] = 'home/editor/edit_content_folder.php?_cid='.$parent; - } else { - $_pages[$content_url]['parent'] = 'home/course/content.php?_cid='.$parent; - } - } - - $_pages[$content_url]['ignore'] = true; - $parent = $page['content_id']; -} - -$last_page = array_pop($_pages); -$_pages['home/course/content.php'] = $last_page; - -reset($path); -$first_page = current($path); - -/* the tests associated with the content */ -$content_test_ids = array(); //the html -$content_test_rows = $contentManager->getContentTestsAssoc($cid); -if (is_array($content_test_rows)) -{ - foreach ($content_test_rows as $content_test_row){ - $content_test_ids[] = $content_test_row; - } -} - -/* the forums associated with the content */ -$contentForumsAssocDAO = new ContentForumsAssocDAO(); -$content_forum_ids = $contentForumsAssocDAO->getByContent($cid); -//$content_test_rows = $contentManager->getContentTestsAssoc($cid); -//if (is_array($content_test_rows)) -//{ -// foreach ($content_test_rows as $content_test_row){ -// $content_test_ids[] = $content_test_row; -// } -//} - -/*TODO***************BOLOGNA***************REMOVE ME**********/ -/* the content forums extension page*/ -//$content_forum_ids = array(); //the html -//$content_forum_rows = $contentManager->getContentForumsAssoc($cid); -//if (is_array($content_forum_rows)) -//{ -// foreach ($content_forum_rows as $content_forum_row){ -// $content_forum_ids[] = $content_forum_row; -// } -//} - -// use any styles that were part of the imported document -// $_custom_css = $_base_href.'headstuff.php?cid='.$cid.SEP.'path='.urlEncode($_base_href.$course_base_href.$content_base_href); - -if ($content_row['use_customized_head'] && strlen($content_row['head']) > 0) -{ - $_custom_head .= $content_row['head']; -} - -global $_custom_head; -$_custom_head .= ' - -'; - -if (isset($_SESSION['user_id'])) ContentUtility::saveLastCid($cid); 
- -if (isset($top_num) && $top_num != (int) $top_num) { - $top_num = substr($top_num, 0, strpos($top_num, '.')); -} - -$_tool_shortcuts = ContentUtility::getToolShortcuts($content_row); - -//if it has test and forum associated with it, still display it even if the content is empty -if ($content_row['text'] == '' && empty($content_test_ids)){ - $msg->addInfo('NO_PAGE_CONTENT'); - $savant->assign('body', ''); -} else { - // find whether the body has alternatives defined - list($has_text_alternative, $has_audio_alternative, $has_visual_alternative, $has_sign_lang_alternative) - = ContentUtility::applyAlternatives($cid, $content_row['text'], true); - - // apply alternatives - if (intval($_GET['alternative']) > 0) { - $content = ContentUtility::applyAlternatives($cid, $content_row['text'], false, intval($_GET['alternative'])); - } else { - - $content = ContentUtility::applyAlternatives($cid, $content_row['text']); - /* if($content == 'null') { - if(isset($_current_user) && $_current_user->isAuthor($course_id)) { - - //$coursesDAO = new CoursesDAO(); - $contentDAO = new ContentDAO(); - $row = $contentDAO->get($cid); - - if($row['structure']!='') - $content = ''; - - - - } else { - $content = ''; - $msg->addInfo('NO_PAGE_CONTENT'); - } - }*/ - - - - } - - $content = ContentUtility::formatContent($content, $content_row['formatting']); - $content_array = ContentUtility::getContentTable($content, $content_row['formatting']); - - $savant->assign('content_table', $content_array[0]); - $savant->assign('body', htmlspecialchars_decode($content_array[1])); - $savant->assign('has_text_alternative', $has_text_alternative); - $savant->assign('has_audio_alternative', $has_audio_alternative); - $savant->assign('has_visual_alternative', $has_visual_alternative); - $savant->assign('has_sign_lang_alternative', $has_sign_lang_alternative); - $savant->assign('cid', $cid); - - //assign test pages if there are tests associated with this content page - if (!empty($content_test_ids)){ - 
$savant->assign('test_message', $content_row['test_message']); - $savant->assign('test_ids', $content_test_ids); - } else { - $savant->assign('test_message', ''); - $savant->assign('test_ids', array()); - } - - if (is_array($content_forum_ids)){ - $savant->assign('forum_ids', $content_forum_ids); - } -} - - - -$savant->assign('content_info', _AT('page_info', AT_date(_AT('page_info_date_format'), $content_row['last_modified'], TR_DATE_MYSQL_DATETIME), $content_row['revision'], AT_date(_AT('inbox_date_format'), $content_row['release_date'], TR_DATE_MYSQL_DATETIME))); -$savant->assign('course_id', $_course_id); -if ($_current_user) { - $savant->assign('isAdmin', $_current_user->isAdmin()); -} - -require(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->display('home/course/content.tmpl.php'); - -//save last visit page. -$_SESSION['last_visited_page'] = $server_protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; - -require (TR_INCLUDE_PATH.'footer.inc.php'); -?> +getContentPage($cid); + +if (!$content_row || !isset($contentManager)) { + $_pages['home/course/content.php']['title_var'] = 'missing_content'; + $_pages['home/course/content.php']['parent'] = 'home/index.php'; + $_pages['home/course/content.php']['ignore'] = true; + + + require(TR_INCLUDE_PATH.'header.inc.php'); + + $msg->addError('MISSING_CONTENT'); + $msg->printAll(); + + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} /* else: */ + +if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { + $course_base_href = 'get.php/'; +} else { + $course_base_href = 'content/' . $_course_id . 
'/'; +} + +/* the "heading navigation": */ +$path = $contentManager->getContentPath($cid); + +if ($content_row['content_path']) { + $content_base_href = $content_row['content_path'].'/'; +} + +$parent_headings = ''; +$num_in_path = count($path); + +/* the page title: */ +$page_title = ''; +$page_title .= $content_row['title']; + +$parent = 0; + +foreach ($path as $i=>$page) { + // When login is a student, remove content folder from breadcrumb path as content folders are + // just toggles for students. Keep content folder in breadcrumb path for instructors as they + // can edit content folder title. + if ((!isset($_current_user) || (!$_current_user->isAuthor($_course_id)|| $_current_user->isAdmin())) && + $contentManager->_menu_info[$page['content_id']]['content_type'] == CONTENT_TYPE_FOLDER) { + unset($path[$i]); + continue; + } + + if ($contentManager->_menu_info[$page['content_id']]['content_type'] == CONTENT_TYPE_FOLDER) + $content_url = 'home/editor/edit_content_folder.php?_cid='.$page['content_id']; + else + $content_url = 'home/course/content.php?_cid='.$page['content_id']; + + if (!$parent) { + $_pages[$content_url]['title'] = $page['content_number'] . $page['title']; + $_pages[$content_url]['parent'] = 'home/index.php'; + } else { + $_pages[$content_url]['title'] = $page['content_number'] . 
$page['title']; + if (isset($_pages['home/editor/edit_content_folder.php?_cid='.$parent])) { + $_pages[$content_url]['parent'] = 'home/editor/edit_content_folder.php?_cid='.$parent; + } else { + $_pages[$content_url]['parent'] = 'home/course/content.php?_cid='.$parent; + } + } + + $_pages[$content_url]['ignore'] = true; + $parent = $page['content_id']; +} + +$last_page = array_pop($_pages); +$_pages['home/course/content.php'] = $last_page; + +reset($path); +$first_page = current($path); + +/* the tests associated with the content */ +$content_test_ids = array(); //the html +$content_test_rows = $contentManager->getContentTestsAssoc($cid); +if (is_array($content_test_rows)) +{ + foreach ($content_test_rows as $content_test_row){ + $content_test_ids[] = $content_test_row; + } +} + +/* the forums associated with the content */ +$contentForumsAssocDAO = new ContentForumsAssocDAO(); +$content_forum_ids = $contentForumsAssocDAO->getByContent($cid); +//$content_test_rows = $contentManager->getContentTestsAssoc($cid); +//if (is_array($content_test_rows)) +//{ +// foreach ($content_test_rows as $content_test_row){ +// $content_test_ids[] = $content_test_row; +// } +//} + +/*TODO***************BOLOGNA***************REMOVE ME**********/ +/* the content forums extension page*/ +//$content_forum_ids = array(); //the html +//$content_forum_rows = $contentManager->getContentForumsAssoc($cid); +//if (is_array($content_forum_rows)) +//{ +// foreach ($content_forum_rows as $content_forum_row){ +// $content_forum_ids[] = $content_forum_row; +// } +//} + +// use any styles that were part of the imported document +// $_custom_css = $_base_href.'headstuff.php?cid='.$cid.SEP.'path='.urlEncode($_base_href.$course_base_href.$content_base_href); + +if ($content_row['use_customized_head'] && strlen($content_row['head']) > 0) +{ + $_custom_head .= $content_row['head']; +} + +global $_custom_head; +$_custom_head .= ' + +'; + +if (isset($_SESSION['user_id'])) ContentUtility::saveLastCid($cid); 
+ +if (isset($top_num) && $top_num != (int) $top_num) { + $top_num = substr($top_num, 0, strpos($top_num, '.')); +} + +$_tool_shortcuts = ContentUtility::getToolShortcuts($content_row); + +//if it has test and forum associated with it, still display it even if the content is empty +if ($content_row['text'] == '' && empty($content_test_ids)){ + $msg->addInfo('NO_PAGE_CONTENT'); + $savant->assign('body', ''); +} else { + // find whether the body has alternatives defined + list($has_text_alternative, $has_audio_alternative, $has_visual_alternative, $has_sign_lang_alternative) + = ContentUtility::applyAlternatives($cid, $content_row['text'], true); + + // apply alternatives + if (intval($_GET['alternative']) > 0) { + $content = ContentUtility::applyAlternatives($cid, $content_row['text'], false, intval($_GET['alternative'])); + } else { + + $content = ContentUtility::applyAlternatives($cid, $content_row['text']); + /* if($content == 'null') { + if(isset($_current_user) && $_current_user->isAuthor($course_id)) { + + //$coursesDAO = new CoursesDAO(); + $contentDAO = new ContentDAO(); + $row = $contentDAO->get($cid); + + if($row['structure']!='') + $content = ''; + + + + } else { + $content = ''; + $msg->addInfo('NO_PAGE_CONTENT'); + } + }*/ + + + + } + + $content = ContentUtility::formatContent($content, $content_row['formatting']); + $content_array = ContentUtility::getContentTable($content, $content_row['formatting']); + + $savant->assign('content_table', $content_array[0]); + $savant->assign('body', htmlspecialchars(trim(stripslashes(strip_tags($content_array[1]))))); + $savant->assign('has_text_alternative', $has_text_alternative); + $savant->assign('has_audio_alternative', $has_audio_alternative); + $savant->assign('has_visual_alternative', $has_visual_alternative); + $savant->assign('has_sign_lang_alternative', $has_sign_lang_alternative); + $savant->assign('cid', $cid); + + //assign test pages if there are tests associated with this content page + if 
(!empty($content_test_ids)){ + $savant->assign('test_message', $content_row['test_message']); + $savant->assign('test_ids', $content_test_ids); + } else { + $savant->assign('test_message', ''); + $savant->assign('test_ids', array()); + } + + if (is_array($content_forum_ids)){ + $savant->assign('forum_ids', $content_forum_ids); + } +} + + + +$savant->assign('content_info', _AT('page_info', AT_date(_AT('page_info_date_format'), $content_row['last_modified'], TR_DATE_MYSQL_DATETIME), $content_row['revision'], AT_date(_AT('inbox_date_format'), $content_row['release_date'], TR_DATE_MYSQL_DATETIME))); +$savant->assign('course_id', $_course_id); +if ($_current_user) { + $savant->assign('isAdmin', $_current_user->isAdmin()); +} + +require(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->display('home/course/content.tmpl.php'); + +//save last visit page. +$_SESSION['last_visited_page'] = $server_protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; + +require (TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/home/course/content_nav_inline_editor_submit.php b/home/course/content_nav_inline_editor_submit.php index f3ce9e96..a1a26971 100644 --- a/home/course/content_nav_inline_editor_submit.php +++ b/home/course/content_nav_inline_editor_submit.php @@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); @@ -38,4 +39,4 @@ echo json_encode($rtn); } } -?> \ No newline at end of file +?> diff --git a/home/course/course_property.php b/home/course/course_property.php index feaf380d..bcfe79eb 100644 --- a/home/course/course_property.php +++ b/home/course/course_property.php 
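Review bot: The new `$savant->assign('body', htmlspecialchars(trim(stripslashes(strip_tags($content_array[1])))))` line strips and escapes the formatted page body, where the old line called `htmlspecialchars_decode`. If `ContentUtility::formatContent` returns HTML, as the `formatting` argument suggests, every content page will now render as flat text with its markup removed. `stripslashes` will also delete legitimate backslashes from the content. For a rich-text body the usual control is an allowlist HTML sanitizer applied when the content is saved, not a plain-text escape at display time. Note also that `$content_row['head']` is still appended to `$_custom_head` unfiltered earlier in this hunk, so this change does not cover that field.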
@@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/CoursesDAO.class.php'); @@ -22,6 +23,7 @@ require_once(TR_INCLUDE_PATH.'classes/DAO/TestsDAO.class.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/ContentTestsAssocDAO.class.php'); require_once(TR_INCLUDE_PATH.'lib/mysql_funcs.inc.php'); +require_once('../../class_csrf.php'); global $_course_id; @@ -40,17 +42,19 @@ exit; } else if($_POST['submit']){ + if (CSRF_Token::isValid() AND CSRF_Token::isRecent()) + { if (isset($_POST['hide_course'])) $access = 'private'; else $access = 'public'; - - if ($_course_id > 0) { // update an existing course - $coursesDAO->UpdateField($_course_id, 'title', $_POST['title']); + { + if ($_course_id > 0) { // update an existing course + $coursesDAO->UpdateField($_course_id, 'title', htmlspecialchars(trim(stripslashes(strip_tags($_POST['title']))))); $coursesDAO->UpdateField($_course_id, 'category_id', $_POST['category_id']); $coursesDAO->UpdateField($_course_id, 'primary_language', $_POST['pri_lang']); - $coursesDAO->UpdateField($_course_id, 'description', $_POST['description']); - $coursesDAO->UpdateField($_course_id, 'copyright', $_POST['copyright']); + $coursesDAO->UpdateField($_course_id, 'description', htmlspecialchars(trim(stripslashes(strip_tags($_POST['description']))))); + $coursesDAO->UpdateField($_course_id, 'copyright', htmlspecialchars(trim(stripslashes(strip_tags($_POST['copyright']))))); $coursesDAO->UpdateField($_course_id, 'access', $access); 
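Review bot: The `htmlspecialchars(trim(stripslashes(strip_tags($_POST['title']))))` arguments in the `UpdateField` calls encode for HTML at write time, so the database now holds entity-encoded text. del_course.php in this same commit runs the identical chain over `$course_info['title']` on output, which double-encodes it (`&` ends up as `&amp;amp;`). Storing the trimmed raw value and escaping once at output with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` avoids that, and it does not depend on the default flags, which leave single quotes unencoded before PHP 8.1. `category_id` and `pri_lang` still reach `UpdateField` unvalidated; assuming the column is numeric, `(int) $_POST['category_id']` would be a minimal check. The same pattern appears in the `$coursesDAO->Create(...)` call in the `@@ -61,8 +65,9 @@` hunk, and the enclosing `else if($_POST['submit'])` block starts and ends outside this hunk.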
@@ -61,8 +65,9 @@ } else { // create a new course - if ($course_id = $coursesDAO->Create($_POST['this_author'], $_POST['category_id'], 'top', $access, $_POST['title'], $_POST['description'], - null, null, null, $_POST['copyright'], $_POST['pri_lang'], null, null)) + + if ($course_id = $coursesDAO->Create($_POST['this_author'], $_POST['category_id'], 'top', $access, htmlspecialchars(trim(stripslashes(strip_tags($_POST['title'])))), htmlspecialchars(trim(stripslashes(strip_tags($_POST['description'])))), + null, null, null, htmlspecialchars(trim(stripslashes(strip_tags($_POST['copyright'])))), $_POST['pri_lang'], null, null)) { if(isset($_POST['_struct_name'])) { @@ -82,7 +87,13 @@ header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$course_id); exit; } + } + } + } else + { + $msg->addError('INVALID_TOKEN'); } + } // display @@ -107,8 +118,4 @@ require(TR_INCLUDE_PATH.'footer.inc.php'); - - - - ?> diff --git a/home/course/course_start.php b/home/course/course_start.php index c3fc3b64..82a7c241 100644 --- a/home/course/course_start.php +++ b/home/course/course_start.php 
@@ -1,122 +1,122 @@ -addError('MISSING_COURSE_ID'); - header('Location: '.TR_BASE_HREF.'home/index.php'); - exit; -} - - -if (isset($_current_user) && ($_current_user->isAuthor($_course_id) || $_current_user->isAdmin())) { - $savant->assign('isAdmin', $_current_user->isAdmin() ); - $savant->assign('course_id', $_course_id); - -} - - - -if(isset($_POST['struct']) && isset($_POST['create_struct'])) { - - - $_POST['struct'] = $content_row['title'] = $_POST['struct']; - - $ordering = count($contentManager->getContent(0)) + 1; - $pid = 0; - - $cid = $contentManager->addContent($_SESSION['course_id'], - $pid, - $ordering, - $_POST['struct'], - '', - '', - '', - 0, - '', - 0, - '', - 1, - CONTENT_TYPE_FOLDER); - - $struc_manag = new StructureManager($_POST['struct']); - $page_temp = $struc_manag->get_page_temp(); - - $struc_manag->createStruct($page_temp, $cid, $_course_id); - //$msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - - header('Location: '.TR_BASE_HREF.'home/index.php'); - //header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); - //exit; - //$msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - //header('Location: '.$_base_path.'home/editor/edit_content_folder.php?_cid='.$cid); - - exit; - -} else { - - $msg->printInfos('NO_CONTENT_IN_COURSE'); - - $current_tab = 0; - - $tabs = get_tabs(); - $num_tabs = count($tabs); - for ($i=0; $i < $num_tabs; $i++) { - if (isset($_POST['button_'.$i]) && ($_POST['button_'.$i] != -1)) { - $current_tab = $i; - $_POST['current_tab'] = $i; - break; - } - } - - if (isset($_POST['current_tab'])) { - $current_tab = intval($_POST['current_tab']); - } - - - - ?> -
    - -
    - -
    -
    - -
    - -
    - - - - - +addError('MISSING_COURSE_ID'); + header('Location: '.TR_BASE_HREF.'home/index.php'); + exit; +} + + +if (isset($_current_user) && ($_current_user->isAuthor($_course_id) || $_current_user->isAdmin())) { + $savant->assign('isAdmin', $_current_user->isAdmin() ); + $savant->assign('course_id', $_course_id); + +} + + + +if(isset($_POST['struct']) && isset($_POST['create_struct'])) { + + + $_POST['struct'] = $content_row['title'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['struct'])))); + + $ordering = count($contentManager->getContent(0)) + 1; + $pid = 0; + + $cid = $contentManager->addContent($_SESSION['course_id'], + $pid, + $ordering, + $_POST['struct'], + '', + '', + '', + 0, + '', + 0, + '', + 1, + CONTENT_TYPE_FOLDER); + + $struc_manag = new StructureManager($_POST['struct']); + $page_temp = $struc_manag->get_page_temp(); + + $struc_manag->createStruct($page_temp, $cid, $_course_id); + //$msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + + header('Location: '.TR_BASE_HREF.'home/index.php'); + //header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); + //exit; + //$msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + //header('Location: '.$_base_path.'home/editor/edit_content_folder.php?_cid='.$cid); + + exit; + +} else { + + $msg->printInfos('NO_CONTENT_IN_COURSE'); + + $current_tab = 0; + + $tabs = get_tabs(); + $num_tabs = count($tabs); + for ($i=0; $i < $num_tabs; $i++) { + if (isset($_POST['button_'.$i]) && ($_POST['button_'.$i] != -1)) { + $current_tab = $i; + $_POST['current_tab'] = $i; + break; + } + } + + if (isset($_POST['current_tab'])) { + $current_tab = intval($_POST['current_tab']); + } + + + + ?> +
    + +
    + +
    +
    + +
    + +
    + + + + + diff --git a/home/course/course_start_tabs.php b/home/course/course_start_tabs.php index 84d5050e..472fa603 100644 --- a/home/course/course_start_tabs.php +++ b/home/course/course_start_tabs.php @@ -1,80 +1,81 @@ -execute($sql); - if(is_array($result)) - { - foreach ($result as $support) { - if($support['value']==TR_STATUS_ENABLED) - $tabs[++$inc] = array('structure', 'structure.inc.php', 's'); - } - } - - //future feature - //$tabs[++$inc] = array('wizard', 'wizard.inc.php', 'w'); - - return $tabs; -} - -function output_tabs($current_tab) { - global $_base_path; - $tabs = get_tabs(); - $num_tabs = count($tabs); -?> - - - - - - - - - - - - -
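Review bot: The `create_struct` branch now sanitises `$_POST['struct']` but, as far as the visible lines show, never calls `CSRF_Token::isValid()`, although it creates a content folder and a structure through `addContent` and `createStruct`. course_property.php gets that check in this same commit, so I would guard this branch the same way with `if (CSRF_Token::isValid() AND CSRF_Token::isRecent())` and report `$msg->addError('INVALID_TOKEN')` otherwise. The `isAuthor`/`isAdmin` test just above only assigns template variables and does not gate the branch, so unless an included file already enforces authorship, the write path should check it too. The branch also passes `$_SESSION['course_id']` to `addContent` but `$_course_id` to `createStruct`; taking the course id from one source would stop the two from disagreeing.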
    - - -   - - - '; ?> -   
    - \ No newline at end of file +execute($sql); + if(is_array($result)) + { + foreach ($result as $support) { + if($support['value']==TR_STATUS_ENABLED) + $tabs[++$inc] = array('structure', 'structure.inc.php', 's'); + } + } + + //future feature + //$tabs[++$inc] = array('wizard', 'wizard.inc.php', 'w'); + + return $tabs; +} + +function output_tabs($current_tab) { + global $_base_path; + $tabs = get_tabs(); + $num_tabs = count($tabs); +?> + + + + + + + + + + + + +
    + + +   + + + '; ?> +   
    + diff --git a/home/course/del_course.php b/home/course/del_course.php index 5e85ce2f..e605056b 100644 --- a/home/course/del_course.php +++ b/home/course/del_course.php 
@@ -1,52 +1,53 @@ -get($_course_id); - -if (isset($_POST['submit_no'])) { - $msg->addFeedback('CANCELLED'); - header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); - exit; -} else if (isset($_POST['step']) && ($_POST['step'] == 2) && isset($_POST['submit_yes'])) { - $coursesDAO->Delete($_course_id); - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: '.TR_BASE_HREF.'home/index.php'); - exit; -} - -require(TR_INCLUDE_PATH.'header.inc.php'); - -if (!isset($_POST['step'])) { - $hidden_vars['step'] = 1; - $hidden_vars['_course_id'] = $_course_id; - $msg->addConfirm(array('DELETE_COURSE_1', $course_info['title']), $hidden_vars); - $msg->printConfirm(); -} else if ($_POST['step'] == 1) { - $hidden_vars['step'] = 2; - $hidden_vars['_course_id'] = $_course_id; - $msg->addConfirm(array('DELETE_COURSE_2', $course_info['title']), $hidden_vars); - $msg->printConfirm(); -} - -require(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +get($_course_id); + +if (isset($_POST['submit_no'])) { + $msg->addFeedback('CANCELLED'); + header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); + exit; +} else if (isset($_POST['step']) && ($_POST['step'] == 2) && isset($_POST['submit_yes'])) { + $coursesDAO->Delete($_course_id); + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: '.TR_BASE_HREF.'home/index.php'); + exit; +} + +require(TR_INCLUDE_PATH.'header.inc.php'); + +if (!isset($_POST['step'])) { + $hidden_vars['step'] = 1; + $hidden_vars['_course_id'] = $_course_id; + $msg->addConfirm(array('DELETE_COURSE_1', htmlspecialchars(trim(stripslashes(strip_tags($course_info['title']))))), $hidden_vars); + $msg->printConfirm(); +} else if ($_POST['step'] == 1) { + $hidden_vars['step'] = 2; + $hidden_vars['_course_id'] = $_course_id; + $msg->addConfirm(array('DELETE_COURSE_2', htmlspecialchars(trim(stripslashes(strip_tags($course_info['title']))))), $hidden_vars); + 
$msg->printConfirm(); +} + +require(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/home/course/index.php b/home/course/index.php index bc0bc0e8..649f20da 100644 --- a/home/course/index.php +++ b/home/course/index.php @@ -1,35 +1,36 @@ -addError('MISSING_COURSE_ID'); - header('Location: '.TR_BASE_HREF.'home/index.php'); - exit; -} - - -if (isset($_sequence_links['resume']['url'])) { - $url = $_sequence_links['resume']['url']; -} else if (isset($_sequence_links['first']['url'])) { - $url = $_sequence_links['first']['url']; -} else - $url = TR_BASE_HREF.'home/course/course_start.php?_course_id='.$_course_id; - -header('Location: '.$url); -?> \ No newline at end of file +addError('MISSING_COURSE_ID'); + header('Location: '.TR_BASE_HREF.'home/index.php'); + exit; +} + + +if (isset($_sequence_links['resume']['url'])) { + $url = $_sequence_links['resume']['url']; +} else if (isset($_sequence_links['first']['url'])) { + $url = $_sequence_links['first']['url']; +} else + $url = TR_BASE_HREF.'home/course/course_start.php?_course_id='.$_course_id; + +header('Location: '.$url); +?> diff --git a/home/course/outline.php b/home/course/outline.php index 24047329..5115deab 100644 --- a/home/course/outline.php +++ b/home/course/outline.php @@ -1,39 +1,40 @@ -addError('MISSING_COURSE_ID'); -// require(TR_INCLUDE_PATH.'header.inc.php'); -//} - -require(TR_INCLUDE_PATH.'header.inc.php'); - -if (isset($contentManager)) -{ - echo '
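Review bot: The branch that calls `$coursesDAO->Delete($_course_id)` still runs on `step == 2` plus `submit_yes` alone, with no `CSRF_Token` check, although this commit adds that check to arrange_content.php and edit_content_folder.php. A course deletion is the kind of state change the token is meant to protect, so I would extend the condition to `... && isset($_POST['submit_yes']) && CSRF_Token::isValid() && CSRF_Token::isRecent()) {`. The confirm form built from `$hidden_vars` would then need to carry the token field too. The top of the file is not readable in this view, so any permission check on `$_course_id` there should be confirmed separately.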

    '; - $contentManager->printSiteMapMenu(); - echo '

    '; -} -else -{ - $msg->addError('MISSING_COURSE_ID'); - $msg->printAll(); -} - -require(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +addError('MISSING_COURSE_ID'); +// require(TR_INCLUDE_PATH.'header.inc.php'); +//} + +require(TR_INCLUDE_PATH.'header.inc.php'); + +if (isset($contentManager)) +{ + echo '

    '; + $contentManager->printSiteMapMenu(); + echo '

    '; +} +else +{ + $msg->addError('MISSING_COURSE_ID'); + $msg->printAll(); +} + +require(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/home/course/refresh_content_nav.php b/home/course/refresh_content_nav.php index d0c7c21a..d818fae8 100644 --- a/home/course/refresh_content_nav.php +++ b/home/course/refresh_content_nav.php @@ -11,10 +11,11 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); global $contentManager; // save updated content navigation menu into cache echo $contentManager->printMainMenu(); -?> \ No newline at end of file +?> diff --git a/home/create_course.php b/home/create_course.php index 17183616..9b64492e 100644 --- a/home/create_course.php +++ b/home/create_course.php @@ -1,31 +1,32 @@ -isAdmin()){ - $sql = "SELECT user_id, login, first_name, last_name FROM ".TABLE_PREFIX."users WHERE is_author = '1'"; - $user_rows = $dao->execute($sql);; -} - -require(TR_INCLUDE_PATH.'header.inc.php'); -$savant->assign('isauthor', $user_rows); -$savant->display('home/create_course.tmpl.php'); -require(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +isAdmin()){ + $sql = "SELECT user_id, login, first_name, last_name FROM ".TABLE_PREFIX."users WHERE is_author = '1'"; + $user_rows = $dao->execute($sql);; +} + +require(TR_INCLUDE_PATH.'header.inc.php'); +$savant->assign('isauthor', $user_rows); +$savant->display('home/create_course.tmpl.php'); +require(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/home/editor/accessibility.php b/home/editor/accessibility.php index 2aee3c77..4f534381 100644 --- a/home/editor/accessibility.php +++ b/home/editor/accessibility.php 
@@ -1,125 +1,125 @@ -printInfos('NO_PAGE_CONTENT'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} - -if (isset($contentManager)) $content_row = $contentManager->getContentPage($cid); - -if (!$content_row || !isset($contentManager)) { - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('MISSING_CONTENT'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} - -$course_base_href = ''; -$content_base_href = ''; - -//make decisions -if ($_POST['make_decision']) -{ - //get list of decisions - $desc_query = ''; - if (is_array($_POST['d'])) { - foreach ($_POST['d'] as $sequenceID => $decision) { - $desc_query .= '&'.$sequenceID.'='.$decision; - } - } - - $checker_url = TR_ACHECKER_URL. 'decisions.php?' - .'uri='.urlencode($_POST['pg_url']).'&id='.TR_ACHECKER_WEB_SERVICE_ID - .'&session='.$_POST['sessionid'].'&output=html'.$desc_query; - - if (@file_get_contents($checker_url) === false) { - $msg->addInfo('DECISION_NOT_SAVED'); - } -} -else if (isset($_POST['reverse'])) -{ - $reverse_url = TR_ACHECKER_URL. 'decisions.php?' - .'uri='.urlencode($_POST['pg_url']).'&id='.TR_ACHECKER_WEB_SERVICE_ID - .'&session='.$_POST['sessionid'].'&output=html&reverse=true&'.key($_POST['reverse']).'=N'; - - if (@file_get_contents($reverse_url) === false) { - $msg->addInfo('DECISION_NOT_REVERSED'); - } else { - $msg->addInfo('DECISION_REVERSED'); - } -} - -$popup = intval($_GET['popup']); -require(TR_INCLUDE_PATH.'header.inc.php'); -?> -
    -
    -'; - echo ' '; - - if (!$cid) { - $msg->printInfos('SAVE_CONTENT'); - - echo '
    '; - - return; - } - -$msg->printInfos(); -if ($_POST['body_text'] != '') { - //save temp file - $_POST['content_path'] = $content_row['content_path']; - write_temp_file(); - - $pg_url = TR_BASE_HREF.'get_acheck.php/'.$cid . '.html'; - $checker_url = TR_ACHECKER_URL.'checkacc.php?uri='.urlencode($pg_url).'&id='.TR_ACHECKER_WEB_SERVICE_ID - . '&guide=WCAG2-L2&output=html'; - - $report = @file_get_contents($checker_url); - - if (stristr($report, '
    ')) { - $msg->printErrors('INVALID_URL'); - } else if ($report === false) { - $msg->printInfos('SERVICE_UNAVAILABLE'); - } else { - echo ' '; - echo $report; - - echo '

    '._AT('access_credit').'

    '; - } - //delete file - @unlink(TR_CONTENT_DIR . $cid . '.html'); - -} else { - $msg->printInfos('NO_PAGE_CONTENT'); -} -?> -
    -
    - \ No newline at end of file +printInfos('NO_PAGE_CONTENT'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} + +if (isset($contentManager)) $content_row = $contentManager->getContentPage($cid); + +if (!$content_row || !isset($contentManager)) { + require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('MISSING_CONTENT'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} + +$course_base_href = ''; +$content_base_href = ''; + +//make decisions +if ($_POST['make_decision']) +{ + //get list of decisions + $desc_query = ''; + if (is_array($_POST['d'])) { + foreach ($_POST['d'] as $sequenceID => $decision) { + $desc_query .= '&'.$sequenceID.'='.$decision; + } + } + + $checker_url = TR_ACHECKER_URL. 'decisions.php?' + .'uri='.urlencode($_POST['pg_url']).'&id='.TR_ACHECKER_WEB_SERVICE_ID + .'&session='.$_POST['sessionid'].'&output=html'.$desc_query; + + if (@file_get_contents($checker_url) === false) { + $msg->addInfo('DECISION_NOT_SAVED'); + } +} +else if (isset($_POST['reverse'])) +{ + $reverse_url = TR_ACHECKER_URL. 'decisions.php?' + .'uri='.urlencode($_POST['pg_url']).'&id='.TR_ACHECKER_WEB_SERVICE_ID + .'&session='.$_POST['sessionid'].'&output=html&reverse=true&'.key($_POST['reverse']).'=N'; + + if (@file_get_contents($reverse_url) === false) { + $msg->addInfo('DECISION_NOT_REVERSED'); + } else { + $msg->addInfo('DECISION_REVERSED'); + } +} + +$popup = intval($_GET['popup']); +require(TR_INCLUDE_PATH.'header.inc.php'); +?> +
    +
    +'; + echo ' '; + + if (!$cid) { + $msg->printInfos('SAVE_CONTENT'); + + echo '
    '; + + return; + } + +$msg->printInfos(); +if ($_POST['body_text'] != '') { + //save temp file + $_POST['content_path'] = $content_row['content_path']; + write_temp_file(); + + $pg_url = TR_BASE_HREF.'get_acheck.php/'.$cid . '.html'; + $checker_url = TR_ACHECKER_URL.'checkacc.php?uri='.urlencode($pg_url).'&id='.TR_ACHECKER_WEB_SERVICE_ID + . '&guide=WCAG2-L2&output=html'; + + $report = @file_get_contents($checker_url); + + if (stristr($report, '
    ')) { + $msg->printErrors('INVALID_URL'); + } else if ($report === false) { + $msg->printInfos('SERVICE_UNAVAILABLE'); + } else { + echo ' '; + echo $report; + + echo '

    '._AT('access_credit').'

    '; + } + //delete file + @unlink(TR_CONTENT_DIR . $cid . '.html'); + +} else { + $msg->printInfos('NO_PAGE_CONTENT'); +} +?> +
    +
    + diff --git a/home/editor/add_content.php b/home/editor/add_content.php index dd7e9721..74eafa4b 100644 --- a/home/editor/add_content.php +++ b/home/editor/add_content.php @@ -11,10 +11,11 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); global $_course_id; require('./edit_content.php?_course_id='.$_course_id); -?> \ No newline at end of file +?> diff --git a/home/editor/add_forum.php b/home/editor/add_forum.php index dde55b2f..e8660056 100644 --- a/home/editor/add_forum.php +++ b/home/editor/add_forum.php 
@@ -1,94 +1,94 @@ -Create($_POST['title'], $_POST['body']); - if($forum_id) { - - if($forum_content->Create($cid, $forum_id) & $forum_course->Create($forum_id, $crid)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - $msg->printFeedbacks(); - } - } else { - $msg->printErrors(); - } - -} else if(isset($_POST['save'])) { - $checks = $_POST['check']; - - $rows_forums_content = $forum_content->getByContent($cid); - - $forums_id = array(); - foreach ($rows_forums_content as $row_forum_content) { - $forums_id[] = $row_forum_content['forum_id']; - } - - $new_ass = array_diff($checks, $forums_id); - - if(count($checks) == 0) - $del_ass = $forums_id; - else - $del_ass = array_diff($forums_id, $checks); - - - - - - foreach ($new_ass as $new) { - if($forum_content->Create($cid, $new)) - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - - } - - - - foreach ($del_ass as $del) { - - if($forum_content->Delete($del, $cid)) - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - - } - - - $msg->printAll(); - - -} - -?> - - +Create($_POST['title'], $_POST['body']); + if($forum_id) { + + if($forum_content->Create($cid, $forum_id) & $forum_course->Create($forum_id, $crid)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + $msg->printFeedbacks(); + } + } else { + $msg->printErrors(); + } + +} else if(isset($_POST['save'])) { + $checks = $_POST['check']; + + $rows_forums_content = $forum_content->getByContent($cid); + + $forums_id = array(); + foreach ($rows_forums_content as $row_forum_content) { + $forums_id[] = $row_forum_content['forum_id']; + } + + $new_ass = array_diff($checks, $forums_id); + + if(count($checks) == 0) + $del_ass = $forums_id; + else + $del_ass = array_diff($forums_id, $checks); + + + + + + foreach ($new_ass as $new) { + if($forum_content->Create($cid, $new)) + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + + } + + + + foreach ($del_ass as $del) { + + if($forum_content->Delete($del, $cid)) + 
$msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + + } + + + $msg->printAll(); + + +} + +?> + + diff --git a/home/editor/arrange_content.php b/home/editor/arrange_content.php index f8fb3ff5..4d6d2685 100644 --- a/home/editor/arrange_content.php +++ b/home/editor/arrange_content.php @@ -1,37 +1,45 @@ -moveContent($_POST['moved_cid'], $new_pid, $new_ordering); - header('Location: '.TR_BASE_HREF.'home/editor/arrange_content.php?_course_id='.$_course_id); - exit; -} - -if (!defined('TR_INCLUDE_PATH')) { exit; } - -$savant->assign('languageManager', $languageManager); -$savant->assign('course_id', $_course_id); - -$savant->display('home/editor/arrange_content.tmpl.php'); - -?> +moveContent($_POST['moved_cid'], $new_pid, $new_ordering); + header('Location: '.TR_BASE_HREF.'home/editor/arrange_content.php?_course_id='.$_course_id); + exit; + } else + { + $msg->addError('INVALID_TOKEN'); + } +} + +if (!defined('TR_INCLUDE_PATH')) { exit; } + +$savant->assign('languageManager', $languageManager); +$savant->assign('course_id', $_course_id); + +$savant->display('home/editor/arrange_content.tmpl.php'); + +?> diff --git a/home/editor/delete_content.php b/home/editor/delete_content.php index 170db2d7..11b50ac8 100644 --- a/home/editor/delete_content.php +++ b/home/editor/delete_content.php 
@@ -1,70 +1,71 @@ -deleteContent($cid); - - $msg->addFeedback('CONTENT_DELETED'); - header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit_no'])) { - $msg->addFeedback('CANCELLED'); - $cid = intval($_POST['_cid']); - $row = $contentManager->getContentPage($cid); - if ($row['content_type'] == CONTENT_TYPE_FOLDER) { - header('Location: '.TR_BASE_HREF.'home/editor/edit_content_folder.php?_cid='.$cid); - } else { - header('Location: '.TR_BASE_HREF.'home/course/content.php?_cid='.$cid); - } - exit; -} - -$path = $contentManager->getContentPath($cid); -require(TR_INCLUDE_PATH.'header.inc.php'); - -if ($_GET['cid'] == 0) { - $msg->printErrors('ID_ZERO'); - require(TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} - -$children = $contentManager->getContent($_GET['cid']); - -$hidden_vars['_cid'] = $_GET['cid']; - -if (is_array($children) && (count($children)>0) ) { - $msg->addConfirm('SUB_CONTENT_DELETE', $hidden_vars); -// $msg->addConfirm('GLOSSARY_REMAINS', $hidden_vars); -//} else { -// $msg->addConfirm('GLOSSARY_REMAINS', $hidden_vars); -} - -$row = $contentManager->getContentPage($_GET['cid']); -$title = $row['title']; - -$msg->addConfirm(array('DELETE', $title), $hidden_vars); -$msg->printConfirm(); - -require(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +deleteContent($cid); + + $msg->addFeedback('CONTENT_DELETED'); + header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit_no'])) { + $msg->addFeedback('CANCELLED'); + $cid = intval($_POST['_cid']); + $row = $contentManager->getContentPage($cid); + if ($row['content_type'] == CONTENT_TYPE_FOLDER) { + header('Location: '.TR_BASE_HREF.'home/editor/edit_content_folder.php?_cid='.$cid); + } else { + header('Location: '.TR_BASE_HREF.'home/course/content.php?_cid='.$cid); + } + exit; +} + +$path = $contentManager->getContentPath($cid); 
+require(TR_INCLUDE_PATH.'header.inc.php'); + +if ($_GET['cid'] == 0) { + $msg->printErrors('ID_ZERO'); + require(TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} + +$children = $contentManager->getContent($_GET['cid']); + +$hidden_vars['_cid'] = $_GET['cid']; + +if (is_array($children) && (count($children)>0) ) { + $msg->addConfirm('SUB_CONTENT_DELETE', $hidden_vars); +// $msg->addConfirm('GLOSSARY_REMAINS', $hidden_vars); +//} else { +// $msg->addConfirm('GLOSSARY_REMAINS', $hidden_vars); +} + +$row = $contentManager->getContentPage($_GET['cid']); +$title = htmlspecialchars(trim(stripslashes(strip_tags($row['title'])))); + +$msg->addConfirm(array('DELETE', $title), $hidden_vars); +$msg->printConfirm(); + +require(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/home/editor/edit_content.php b/home/editor/edit_content.php index 95c32f75..7f5efca3 100644 --- a/home/editor/edit_content.php +++ b/home/editor/edit_content.php 
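Review bot: `$_GET['cid']` is still passed as submitted to `getContent()`, `getContentPage()` and `$hidden_vars['_cid']`, while only the title gets the new escaping. The loose `$_GET['cid'] == 0` test does not guarantee a numeric value, and whether `addConfirm()` escapes hidden values is not visible here. Casting it, as in `$hidden_vars['_cid'] = intval($_GET['cid']);` and likewise for the two `$contentManager` calls, would match the `intval($_POST['_cid'])` already used in the `submit_no` branch. The condition guarding `deleteContent($cid)` is cut off in this view, so it is worth confirming that it checks `CSRF_Token::isValid()` like the other handlers in this commit.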
@@ -1,329 +1,329 @@ -isAdmin()){ -$savant->assign('isAdmin', $_current_user->isAdmin()); -} -require(TR_INCLUDE_PATH.'../home/editor/editor_tab_functions.inc.php'); - -if ($_POST['close'] || $_GET['close']) { - if ($_GET['close']) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - } else { - $msg->addFeedback('CLOSED'); - if ($cid == 0) { - header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); - exit; - } - } - - if (!isset($_content_id) || $_content_id == 0) { - header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); - exit; - } - header('Location: '.TR_BASE_HREF.'home/course/content.php?_cid='.$_content_id); - exit; -} - -$tabs = get_tabs(); -$num_tabs = count($tabs); -for ($i=0; $i < $num_tabs; $i++) { - if (isset($_POST['button_'.$i]) && ($_POST['button_'.$i] != -1)) { - $current_tab = $i; - $_POST['current_tab'] = $i; - break; - } -} - -if (isset($_GET['tab'])) { - $current_tab = intval($_GET['tab']); -} -if (isset($_POST['current_tab'])) { - $current_tab = intval($_POST['current_tab']); -} - -if (isset($_POST['submit_file'])) { - paste_from_file(body_text); -} else if (isset($_POST['submit']) && ($_POST['submit'] != 'submit1')) { - /* we're saving. redirects if successful. */ - save_changes(true, $current_tab); -} - -if (isset($_POST['submit_file_alt'])) { - paste_from_file(body_text_alt); -} else if (isset($_POST['submit']) && ($_POST['submit'] != 'submit1')) { - /* we're saving. redirects if successful. */ - save_changes(true, $current_tab); -} - -if (isset($_POST['submit'])) { - /* we're saving. redirects if successful. 
*/ - save_changes(true, $current_tab); -} - -if (!isset($current_tab) && isset($_POST['button_1']) && ($_POST['button_1'] == -1) && !isset($_POST['submit'])) { - $current_tab = 1; -} else if (!isset($current_tab)) { - $current_tab = 0; -} - -if ($cid) { - $_section[0][0] = _AT('edit_content'); -} else { - $_section[0][0] = _AT('add_content'); -} - -if($current_tab == 0) { - $_custom_head .= ' - - - '; -} - -if ($cid) { - if (isset($contentManager)) $content_row = $contentManager->getContentPage($cid); - - if (!$content_row || !isset($contentManager)) { - require(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('MISSING_CONTENT'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - - $path = $contentManager->getContentPath($cid); - $content_tests = $contentManager->getContentTestsAssoc($cid); - - if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { - $course_base_href = 'get.php/'; - } else { - $course_base_href = 'content/' . $_SESSION['course_id'] . '/'; - } - - if ($content_row['content_path']) { - $content_base_href .= $content_row['content_path'].'/'; - } -} else { - if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { - $content_base_href = 'get.php/'; - } else { - $content_base_href = 'content/' . $_SESSION['course_id'] . '/'; - } -} - -/* TAB 0 --> Content *//* TAB 2 --> Page */ -if (($current_tab == 0) || ($current_tab == 2)) { - if ($_POST['formatting'] == null){ - // this is a fresh load from just logged in - if (isset($_SESSION['prefs']['PREF_CONTENT_EDITOR']) && $_SESSION['prefs']['PREF_CONTENT_EDITOR'] == 0) { - $_POST['formatting'] = 0; - } else { - $_POST['formatting'] = 1; - } - } -} - -require(TR_INCLUDE_PATH.'header.inc.php'); - -if ($current_tab == 0 || $current_tab == 2) -{ - $simple = true; - if ($_POST['complexeditor'] == '1') { - $simple = false; - } - load_editor($simple, false, "none"); -} - -$pid = intval($_REQUEST['pid']); -?> - -
    -getContent($pid))+1; - } else { - $_POST['pid'] = 0; - $_POST['ordering'] = count($contentManager->getContent(0))+1; - } - } - } - - echo ''; - echo ''; - echo ''; - if ($_REQUEST['sub'] == 1) - { - echo ''; - echo ''; - } - echo ''; - if (($current_tab != 0) && (($_current_tab != 2))) { - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - - - - } - - echo ''; - echo ''; - - echo ''; - - echo ''; - - echo ''; - - //content test association - echo ''; - - /* get glossary terms */ - - // adapted content - $sql = "SELECT pr.primary_resource_id, prt.type_id - FROM ".TABLE_PREFIX."primary_resources pr, ". - TABLE_PREFIX."primary_resources_types prt - WHERE pr.content_id = ? - AND pr.language_code = ? - AND pr.primary_resource_id = prt.primary_resource_id"; - $values = array($cid, $_SESSION['lang']); - $types = "is"; - $types = $dao->execute($sql, $values, $types); - - $i = 0; - if (is_array($types)) { - foreach ($types as $type) { - $row_alternatives['alt_'.$type['primary_resource_id'].'_'.$type['type_id']] = 1; - } - } - - if ($current_tab != 2 && isset($_POST['use_post_for_alt'])) - { - echo ''; - if (is_array($_POST)) { - foreach ($_POST as $alt_id => $alt_value) { - if (substr($alt_id, 0 ,4) == 'alt_'){ - echo ''; - } - } - } - } - - //tests - if ($current_tab != 5){ - // set content associated tests - if (isset($_POST['visited_tests'])) { - echo ''."\n"; - if (is_array($_POST['tid'])) { - foreach ($_POST['tid'] as $i=>$tid){ - echo ''; - } - } - } else { - $i = 0; - if (is_array($content_tests)) { - foreach ($content_tests as $content_test_row) { - echo ''; - } - } - } - } - - if ($do_check) { - $changes_made = check_for_changes($content_row, $row_alternatives); - } -?> - -
    - -
    - -
    - - -
    - - - /> - -
    - - -
    - /> -
    - - - - -
    -
    - - +isAdmin()){ +$savant->assign('isAdmin', $_current_user->isAdmin()); +} +require(TR_INCLUDE_PATH.'../home/editor/editor_tab_functions.inc.php'); + +if ($_POST['close'] || $_GET['close']) { + if ($_GET['close']) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + } else { + $msg->addFeedback('CLOSED'); + if ($cid == 0) { + header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); + exit; + } + } + + if (!isset($_content_id) || $_content_id == 0) { + header('Location: '.TR_BASE_HREF.'home/course/index.php?_course_id='.$_course_id); + exit; + } + header('Location: '.TR_BASE_HREF.'home/course/content.php?_cid='.$_content_id); + exit; +} + +$tabs = get_tabs(); +$num_tabs = count($tabs); +for ($i=0; $i < $num_tabs; $i++) { + if (isset($_POST['button_'.$i]) && ($_POST['button_'.$i] != -1)) { + $current_tab = $i; + $_POST['current_tab'] = $i; + break; + } +} + +if (isset($_GET['tab'])) { + $current_tab = intval($_GET['tab']); +} +if (isset($_POST['current_tab'])) { + $current_tab = intval($_POST['current_tab']); +} + +if (isset($_POST['submit_file'])) { + paste_from_file(body_text); +} else if (isset($_POST['submit']) && ($_POST['submit'] != 'submit1')) { + /* we're saving. redirects if successful. */ + save_changes(true, $current_tab); +} + +if (isset($_POST['submit_file_alt'])) { + paste_from_file(body_text_alt); +} else if (isset($_POST['submit']) && ($_POST['submit'] != 'submit1')) { + /* we're saving. redirects if successful. */ + save_changes(true, $current_tab); +} + +if (isset($_POST['submit'])) { + /* we're saving. redirects if successful. 
*/ + save_changes(true, $current_tab); +} + +if (!isset($current_tab) && isset($_POST['button_1']) && ($_POST['button_1'] == -1) && !isset($_POST['submit'])) { + $current_tab = 1; +} else if (!isset($current_tab)) { + $current_tab = 0; +} + +if ($cid) { + $_section[0][0] = _AT('edit_content'); +} else { + $_section[0][0] = _AT('add_content'); +} + +if($current_tab == 0) { + $_custom_head .= ' + + + '; +} + +if ($cid) { + if (isset($contentManager)) $content_row = $contentManager->getContentPage($cid); + + if (!$content_row || !isset($contentManager)) { + require(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('MISSING_CONTENT'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + + $path = $contentManager->getContentPath($cid); + $content_tests = $contentManager->getContentTestsAssoc($cid); + + if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { + $course_base_href = 'get.php/'; + } else { + $course_base_href = 'content/' . $_SESSION['course_id'] . '/'; + } + + if ($content_row['content_path']) { + $content_base_href .= $content_row['content_path'].'/'; + } +} else { + if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { + $content_base_href = 'get.php/'; + } else { + $content_base_href = 'content/' . $_SESSION['course_id'] . '/'; + } +} + +/* TAB 0 --> Content *//* TAB 2 --> Page */ +if (($current_tab == 0) || ($current_tab == 2)) { + if ($_POST['formatting'] == null){ + // this is a fresh load from just logged in + if (isset($_SESSION['prefs']['PREF_CONTENT_EDITOR']) && $_SESSION['prefs']['PREF_CONTENT_EDITOR'] == 0) { + $_POST['formatting'] = 0; + } else { + $_POST['formatting'] = 1; + } + } +} + +require(TR_INCLUDE_PATH.'header.inc.php'); + +if ($current_tab == 0 || $current_tab == 2) +{ + $simple = true; + if ($_POST['complexeditor'] == '1') { + $simple = false; + } + load_editor($simple, false, "none"); +} + +$pid = intval($_REQUEST['pid']); +?> + +
    +getContent($pid))+1; + } else { + $_POST['pid'] = 0; + $_POST['ordering'] = count($contentManager->getContent(0))+1; + } + } + } + + echo ''; + echo ''; + echo ''; + if ($_REQUEST['sub'] == 1) + { + echo ''; + echo ''; + } + echo ''; + if (($current_tab != 0) && (($_current_tab != 2))) { + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + + + + } + + echo ''; + echo ''; + + echo ''; + + echo ''; + + echo ''; + + //content test association + echo ''; + + /* get glossary terms */ + + // adapted content + $sql = "SELECT pr.primary_resource_id, prt.type_id + FROM ".TABLE_PREFIX."primary_resources pr, ". + TABLE_PREFIX."primary_resources_types prt + WHERE pr.content_id = ? + AND pr.language_code = ? + AND pr.primary_resource_id = prt.primary_resource_id"; + $values = array($cid, $_SESSION['lang']); + $types = "is"; + $types = $dao->execute($sql, $values, $types); + + $i = 0; + if (is_array($types)) { + foreach ($types as $type) { + $row_alternatives['alt_'.$type['primary_resource_id'].'_'.$type['type_id']] = 1; + } + } + + if ($current_tab != 2 && isset($_POST['use_post_for_alt'])) + { + echo ''; + if (is_array($_POST)) { + foreach ($_POST as $alt_id => $alt_value) { + if (substr($alt_id, 0 ,4) == 'alt_'){ + echo ''; + } + } + } + } + + //tests + if ($current_tab != 5){ + // set content associated tests + if (isset($_POST['visited_tests'])) { + echo ''."\n"; + if (is_array($_POST['tid'])) { + foreach ($_POST['tid'] as $i=>$tid){ + echo ''; + } + } + } else { + $i = 0; + if (is_array($content_tests)) { + foreach ($content_tests as $content_test_row) { + echo ''; + } + } + } + } + + if ($do_check) { + $changes_made = check_for_changes($content_row, $row_alternatives); + } +?> + +
    + +
    + +
    + + +
    + + + /> + +
    + + +
    + /> +
    + + + + +
    +
    + + diff --git a/home/editor/edit_content_folder.php b/home/editor/edit_content_folder.php index e32c9a13..ec2ce97b 100644 --- a/home/editor/edit_content_folder.php +++ b/home/editor/edit_content_folder.php 
@@ -1,179 +1,185 @@ - 0 && isset($contentManager)) { - $content_row = $contentManager->getContentPage($cid); -} - -// save changes -if ($_POST['submit']) -{ - if ($_POST['title'] == '') { - $msg->addError(array('EMPTY_FIELDS', _AT('title'))); - } - - if (!$msg->containsErrors()) - { - $_POST['title'] = $content_row['title'] = $_POST['title']; - - if ($cid > 0) - { // edit existing content - $err = $contentManager->editContent($cid, - $_POST['title'], - '', - '', - $content_row['formatting'], - '', - $content_row['use_customized_head'], - ''); - } - else - { // add new content - // find out ordering and content_parent_id - if ($pid) - { // insert sub content folder - $ordering = count($contentManager->getContent($pid))+1; - } - else - { // insert a top content folder - $ordering = count($contentManager->getContent(0)) + 1; - $pid = 0; - } - - $cid = $contentManager->addContent($_SESSION['course_id'], - $pid, - $ordering, - $_POST['title'], - '', - '', - '', - 0, - '', - 0, - '', - 1, - CONTENT_TYPE_FOLDER); - } - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: '.$_base_path.'home/editor/edit_content_folder.php?_cid='.$cid); - exit; - } -} - -if ($cid > 0) -{ // edit existing content folder - if (!$content_row || !isset($contentManager)) { - $_pages['home/editor/edit_content_folder.php']['title_var'] = 'missing_content'; - $_pages['home/editor/edit_content_folder.php']['parent'] = 'index.php'; - $_pages['home/editor/edit_content_folder.php']['ignore'] = true; - - require(TR_INCLUDE_PATH.'header.inc.php'); - - $msg->addError('MISSING_CONTENT'); - $msg->printAll(); - - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } /* else: */ - - /* the "heading navigation": */ - $path = $contentManager->getContentPath($cid); - - if ($content_row['content_path']) { - $content_base_href = $content_row['content_path'].'/'; - } - - $parent_headings = ''; - $num_in_path = count($path); - - /* the page title: */ - $page_title = ''; - $page_title .= 
$content_row['title']; - - for ($i=0; $i<$num_in_path; $i++) { - $content_info = $path[$i]; - if ($_SESSION['prefs']['PREF_NUMBERING']) { - if ($contentManager->_menu_info[$content_info['content_id']]['content_parent_id'] == 0) { - $top_num = $contentManager->_menu_info[$content_info['content_id']]['ordering']; - $parent_headings .= $top_num; - } else { - $top_num = $top_num.'.'.$contentManager->_menu_info[$content_info['content_id']]['ordering']; - $parent_headings .= $top_num; - } - if ($_SESSION['prefs']['PREF_NUMBERING']) { - $path[$i]['content_number'] = $top_num . ' '; - } - $parent_headings .= ' '; - } - } - - if ($_SESSION['prefs']['PREF_NUMBERING']) { - if ($top_num != '') { - $top_num = $top_num.'.'.$content_row['ordering']; - $page_title .= $top_num.' '; - } else { - $top_num = $content_row['ordering']; - $page_title .= $top_num.' '; - } - } - - $parent = 0; - - reset($path); - $first_page = current($path); - - ContentUtility::saveLastCid($cid); - - if (isset($top_num) && $top_num != (int) $top_num) { - $top_num = substr($top_num, 0, strpos($top_num, '.')); - } - $_tool_shortcuts = ContentUtility::getToolShortcuts($content_row); // used by header.tmpl.php - - // display pre-tests - $savant->assign('ftitle', $content_row['title']); - $savant->assign('cid', $cid); -} - -if ($pid > 0 || !isset($pid)) { - $savant->assign('pid', $pid); - $savant->assign('course_id', $_course_id); -} - -$onload = "document.form.title.focus();"; -require(TR_INCLUDE_PATH.'header.inc.php'); -$savant->display('home/editor/edit_content_folder.tmpl.php'); -require(TR_INCLUDE_PATH.'footer.inc.php'); - -//save last visit page. -$_SESSION['last_visited_page'] = $server_protocol . $_SERVER['HTTP_HOST'] . 
$_SERVER['REQUEST_URI']; -?> \ No newline at end of file + 0 && isset($contentManager)) { + $content_row = $contentManager->getContentPage($cid); +} + +// save changes +if ($_POST['submit']) +{ + if (CSRF_Token::isValid() AND CSRF_Token::isRecent()) + { + if ($_POST['title'] == '') { + $msg->addError(array('EMPTY_FIELDS', _AT('title'))); + } + + if (!$msg->containsErrors()) + { + $_POST['title'] = $content_row['title'] = $_POST['title']; + + if ($cid > 0) + { // edit existing content + $err = $contentManager->editContent($cid, + $_POST['title'], + '', + '', + $content_row['formatting'], + '', + $content_row['use_customized_head'], + ''); + } + else + { // add new content + // find out ordering and content_parent_id + if ($pid) + { // insert sub content folder + $ordering = count($contentManager->getContent($pid))+1; + } + else + { // insert a top content folder + $ordering = count($contentManager->getContent(0)) + 1; + $pid = 0; + } + + $cid = $contentManager->addContent($_SESSION['course_id'], + $pid, + $ordering, + $_POST['title'], + '', + '', + '', + 0, + '', + 0, + '', + 1, + CONTENT_TYPE_FOLDER); + } + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: '.$_base_path.'home/editor/edit_content_folder.php?_cid='.$cid); + exit; + } + } else + { + $msg->addError('INVALID_TOKEN'); + } +} + +if ($cid > 0) +{ // edit existing content folder + if (!$content_row || !isset($contentManager)) { + $_pages['home/editor/edit_content_folder.php']['title_var'] = 'missing_content'; + $_pages['home/editor/edit_content_folder.php']['parent'] = 'index.php'; + $_pages['home/editor/edit_content_folder.php']['ignore'] = true; + + require(TR_INCLUDE_PATH.'header.inc.php'); + + $msg->addError('MISSING_CONTENT'); + $msg->printAll(); + + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } /* else: */ + + /* the "heading navigation": */ + $path = $contentManager->getContentPath($cid); + + if ($content_row['content_path']) { + $content_base_href = 
$content_row['content_path'].'/'; + } + + $parent_headings = ''; + $num_in_path = count($path); + + /* the page title: */ + $page_title = ''; + $page_title .= $content_row['title']; + + for ($i=0; $i<$num_in_path; $i++) { + $content_info = $path[$i]; + if ($_SESSION['prefs']['PREF_NUMBERING']) { + if ($contentManager->_menu_info[$content_info['content_id']]['content_parent_id'] == 0) { + $top_num = $contentManager->_menu_info[$content_info['content_id']]['ordering']; + $parent_headings .= $top_num; + } else { + $top_num = $top_num.'.'.$contentManager->_menu_info[$content_info['content_id']]['ordering']; + $parent_headings .= $top_num; + } + if ($_SESSION['prefs']['PREF_NUMBERING']) { + $path[$i]['content_number'] = $top_num . ' '; + } + $parent_headings .= ' '; + } + } + + if ($_SESSION['prefs']['PREF_NUMBERING']) { + if ($top_num != '') { + $top_num = $top_num.'.'.$content_row['ordering']; + $page_title .= $top_num.' '; + } else { + $top_num = $content_row['ordering']; + $page_title .= $top_num.' '; + } + } + + $parent = 0; + + reset($path); + $first_page = current($path); + + ContentUtility::saveLastCid($cid); + + if (isset($top_num) && $top_num != (int) $top_num) { + $top_num = substr($top_num, 0, strpos($top_num, '.')); + } + $_tool_shortcuts = ContentUtility::getToolShortcuts($content_row); // used by header.tmpl.php + + // display pre-tests + $savant->assign('ftitle', $content_row['title']); + $savant->assign('cid', $cid); +} + +if ($pid > 0 || !isset($pid)) { + $savant->assign('pid', $pid); + $savant->assign('course_id', $_course_id); +} + +$onload = "document.form.title.focus();"; +require(TR_INCLUDE_PATH.'header.inc.php'); +$savant->display('home/editor/edit_content_folder.tmpl.php'); +require(TR_INCLUDE_PATH.'footer.inc.php'); + +//save last visit page. +$_SESSION['last_visited_page'] = $server_protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; +?> 
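Review bot: Inside the new token-checked branch the title is kept exactly as submitted (`$_POST['title'] = $content_row['title'] = $_POST['title'];` is a no-op), and it then reaches `$page_title` and `$savant->assign('ftitle', ...)` unescaped. Other files in this commit escape titles before display, so this path is inconsistent. Whether edit_content_folder.tmpl.php escapes `ftitle` is not visible here. Escaping at output, e.g. `$savant->assign('ftitle', htmlspecialchars($content_row['title'], ENT_QUOTES, 'UTF-8'));`, would close the gap without altering the stored value, and the no-op assignment can be dropped.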
diff --git a/home/editor/edit_content_struct.php b/home/editor/edit_content_struct.php
index f01ed62a..c08c4871 100644
--- a/home/editor/edit_content_struct.php
+++ b/home/editor/edit_content_struct.php
@@ -1,202 +1,211 @@ -'."\n"; - - -global $_content_id, $contentManager, $_course_id; -$cid = $_content_id; - -Utility::authenticate(TR_PRIV_ISAUTHOR); - -if (isset($_GET['pid'])) $pid = intval($_GET['pid']); -if (isset($_POST['_course_id'])) $_course_id = intval($_POST['_course_id']); - -if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { - $course_base_href = 'get.php/'; -} else { - $course_base_href = 'content/' . $_course_id . '/'; -} - - - -if ($cid > 0 && isset($contentManager)) { - $content_row = $contentManager->getContentPage($cid); -} - -// save changes -if ($_POST['submit']) -{ - if ($_POST['title'] == '') { - $msg->addError(array('EMPTY_FIELDS', _AT('title'))); - } - - if (!$msg->containsErrors()) - { - $_POST['title'] = $content_row['title'] = htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8'); - - if ($cid > 0) - { // edit existing content - $err = $contentManager->editContent($cid, - $_POST['title'], - '', - '', - $content_row['formatting'], - '', - $content_row['use_customized_head'], - ''); - } - else - { // add new content - // find out ordering and content_parent_id - if ($pid) - { // insert sub content folder - $ordering = count($contentManager->getContent($pid))+1; - } - else - { // insert a top content folder - $ordering = count($contentManager->getContent(0)) + 1; - $pid = 0; - } - - $cid = $contentManager->addContent($_SESSION['course_id'], - $pid, - $ordering, - $_POST['title'], - '', - '', - '', - 0, - '', - 0, - '', - 1, - CONTENT_TYPE_FOLDER); - - $struc_manag = new StructureManager($_POST['title']); - $page_temp = $struc_manag->get_page_temp(); - - $struc_manag->createStruct($page_temp, $cid, $_course_id); - - - } - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: '.$_base_path.'home/editor/edit_content_folder.php?_cid='.$cid); - exit; - } -} - -if ($cid > 0) -{ // edit existing content folder - - - if (!$content_row || !isset($contentManager)) { - 
$_pages['home/editor/edit_content_folder.php']['title_var'] = 'missing_content'; - $_pages['home/editor/edit_content_folder.php']['parent'] = 'index.php'; - $_pages['home/editor/edit_content_folder.php']['ignore'] = true; - - require(TR_INCLUDE_PATH.'header.inc.php'); - - $msg->addError('MISSING_CONTENT'); - $msg->printAll(); - - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } /* else: */ - - /* the "heading navigation": */ - $path = $contentManager->getContentPath($cid); - - if ($content_row['content_path']) { - $content_base_href = $content_row['content_path'].'/'; - } - - $parent_headings = ''; - $num_in_path = count($path); - - /* the page title: */ - $page_title = ''; - $page_title .= $content_row['title']; - - - for ($i=0; $i<$num_in_path; $i++) { - $content_info = $path[$i]; - if ($_SESSION['prefs']['PREF_NUMBERING']) { - if ($contentManager->_menu_info[$content_info['content_id']]['content_parent_id'] == 0) { - $top_num = $contentManager->_menu_info[$content_info['content_id']]['ordering']; - $parent_headings .= $top_num; - } else { - $top_num = $top_num.'.'.$contentManager->_menu_info[$content_info['content_id']]['ordering']; - $parent_headings .= $top_num; - } - if ($_SESSION['prefs']['PREF_NUMBERING']) { - $path[$i]['content_number'] = $top_num . ' '; - } - $parent_headings .= ' '; - } - } - - - - if ($_SESSION['prefs']['PREF_NUMBERING']) { - if ($top_num != '') { - $top_num = $top_num.'.'.$content_row['ordering']; - $page_title .= $top_num.' '; - } else { - $top_num = $content_row['ordering']; - $page_title .= $top_num.' 
'; - } - } - - - $parent = 0; - - reset($path); - $first_page = current($path); - - ContentUtility::saveLastCid($cid); - - if (isset($top_num) && $top_num != (int) $top_num) { - $top_num = substr($top_num, 0, strpos($top_num, '.')); - } - $_tool_shortcuts = ContentUtility::getToolShortcuts($content_row); // used by header.tmpl.php - - // display pre-tests - $savant->assign('ftitle', $content_row['title']); - $savant->assign('cid', $cid); -} - - -if ($pid > 0 || !isset($pid)) { - $savant->assign('pid', $pid); - $savant->assign('course_id', $_course_id); -} - -$onload = "document.form.title.focus();"; -require(TR_INCLUDE_PATH.'header.inc.php'); -$savant->display('home/editor/edit_content_struct.tmpl.php'); -require(TR_INCLUDE_PATH.'footer.inc.php'); - - - - -//save last visit page. -$_SESSION['last_visited_page'] = $server_protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; -?> - +'."\n"; + + +global $_content_id, $contentManager, $_course_id; +$cid = $_content_id; + +Utility::authenticate(TR_PRIV_ISAUTHOR); + +if (isset($_GET['pid'])) $pid = intval($_GET['pid']); +if (isset($_POST['_course_id'])) $_course_id = intval($_POST['_course_id']); + +if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { + $course_base_href = 'get.php/'; +} else { + $course_base_href = 'content/' . $_course_id . 
'/'; +} + + + +if ($cid > 0 && isset($contentManager)) { + $content_row = $contentManager->getContentPage($cid); +} + +// save changes +if ($_POST['submit']) +{ + if ($_POST['title'] == '') { + $msg->addError(array('EMPTY_FIELDS', _AT('title'))); + } + + if (!$msg->containsErrors()) + { + if (CSRF_Token::isValid() AND CSRF_Token::isRecent()) + { + $_POST['title'] = $content_row['title'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['title'], ENT_QUOTES, 'UTF-8')))); + + if ($cid > 0) + { // edit existing content + $err = $contentManager->editContent($cid, + $_POST['title'], + '', + '', + $content_row['formatting'], + '', + $content_row['use_customized_head'], + ''); + } + else + { // add new content + // find out ordering and content_parent_id + if ($pid) + { // insert sub content folder + $ordering = count($contentManager->getContent($pid))+1; + } + else + { // insert a top content folder + $ordering = count($contentManager->getContent(0)) + 1; + $pid = 0; + } + + $cid = $contentManager->addContent($_SESSION['course_id'], + $pid, + $ordering, + $_POST['title'], + '', + '', + '', + 0, + '', + 0, + '', + 1, + CONTENT_TYPE_FOLDER); + + $struc_manag = new StructureManager($_POST['title']); + $page_temp = $struc_manag->get_page_temp(); + + $struc_manag->createStruct($page_temp, $cid, $_course_id); + + + } + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: '.$_base_path.'home/editor/edit_content_folder.php?_cid='.$cid); + exit; + } else + { + $msg->addError('INVALID_TOKEN'); + } + } +} + +if ($cid > 0) +{ // edit existing content folder + + + if (!$content_row || !isset($contentManager)) { + $_pages['home/editor/edit_content_folder.php']['title_var'] = 'missing_content'; + $_pages['home/editor/edit_content_folder.php']['parent'] = 'index.php'; + $_pages['home/editor/edit_content_folder.php']['ignore'] = true; + + require(TR_INCLUDE_PATH.'header.inc.php'); + + $msg->addError('MISSING_CONTENT'); + $msg->printAll(); + + require 
(TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } /* else: */ + + /* the "heading navigation": */ + $path = $contentManager->getContentPath($cid); + + if ($content_row['content_path']) { + $content_base_href = $content_row['content_path'].'/'; + } + + $parent_headings = ''; + $num_in_path = count($path); + + /* the page title: */ + $page_title = ''; + $page_title .= $content_row['title']; + + + for ($i=0; $i<$num_in_path; $i++) { + $content_info = $path[$i]; + if ($_SESSION['prefs']['PREF_NUMBERING']) { + if ($contentManager->_menu_info[$content_info['content_id']]['content_parent_id'] == 0) { + $top_num = $contentManager->_menu_info[$content_info['content_id']]['ordering']; + $parent_headings .= $top_num; + } else { + $top_num = $top_num.'.'.$contentManager->_menu_info[$content_info['content_id']]['ordering']; + $parent_headings .= $top_num; + } + if ($_SESSION['prefs']['PREF_NUMBERING']) { + $path[$i]['content_number'] = $top_num . ' '; + } + $parent_headings .= ' '; + } + } + + + + if ($_SESSION['prefs']['PREF_NUMBERING']) { + if ($top_num != '') { + $top_num = $top_num.'.'.$content_row['ordering']; + $page_title .= $top_num.' '; + } else { + $top_num = $content_row['ordering']; + $page_title .= $top_num.' 
'; + } + } + + + $parent = 0; + + reset($path); + $first_page = current($path); + + ContentUtility::saveLastCid($cid); + + if (isset($top_num) && $top_num != (int) $top_num) { + $top_num = substr($top_num, 0, strpos($top_num, '.')); + } + $_tool_shortcuts = ContentUtility::getToolShortcuts($content_row); // used by header.tmpl.php + + // display pre-tests + $savant->assign('ftitle', $content_row['title']); + $savant->assign('cid', $cid); +} + + +if ($pid > 0 || !isset($pid)) { + $savant->assign('pid', $pid); + $savant->assign('course_id', $_course_id); +} + +$onload = "document.form.title.focus();"; +require(TR_INCLUDE_PATH.'header.inc.php'); +$savant->display('home/editor/edit_content_struct.tmpl.php'); +require(TR_INCLUDE_PATH.'footer.inc.php'); + + + + +//save last visit page. +$_SESSION['last_visited_page'] = $server_protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; +?> + diff --git a/home/editor/editor_tab_functions.inc.php b/home/editor/editor_tab_functions.inc.php index c5f73ff4..600faf1f 100644 --- a/home/editor/editor_tab_functions.inc.php +++ b/home/editor/editor_tab_functions.inc.php 
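Review bot: In the home/editor/edit_content_struct.php hunk, the new title-sanitising line inside the `CSRF_Token::isValid() AND CSRF_Token::isRecent()` branch closes its parentheses in the wrong place, so `ENT_QUOTES, 'UTF-8'` are passed to `strip_tags()` rather than to `htmlspecialchars()`. `strip_tags()` accepts at most two arguments, so this call fails (an `ArgumentCountError` on PHP 8; on older versions a warning and a null result, which would store an empty title), and `htmlspecialchars()` runs with its default flags instead of `ENT_QUOTES`. The line should read `$_POST['title'] = $content_row['title'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['title']))), ENT_QUOTES, 'UTF-8');`. The `$_POST['title'] == ''` check also runs before the tags are stripped, so a title made only of markup passes it and is saved empty; re-checking for an empty string after sanitising would close that gap.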
@@ -1,522 +1,522 @@ - $strValue) - { - if (strtoupper($strItem) == strtoupper($strValue)) - { - return $key; - } - } - return false; -} - - -function get_tabs() { -/* Check if the page template_layout and are enabled or disabled */ - include_once(TR_INCLUDE_PATH.'classes/DAO/DAO.class.php'); - $dao = new DAO(); - - $inc=0; - $tabs[$inc] = array('content', 'edit.inc.php', 'n'); - - $sql="SELECT value FROM ".TABLE_PREFIX."config WHERE name='enable_template_layout'"; - $result=$dao->execute($sql); - if(is_array($result)) - { - foreach ($result as $support) { - if($support['value']==TR_STATUS_ENABLED) - $tabs[++$inc] = array('layouts', 'layout.inc.php', 'l'); - } - } - $sql="SELECT value FROM ".TABLE_PREFIX."config WHERE name='enable_template_page'"; - $result=$dao->execute($sql); - if(is_array($result)) - { - foreach ($result as $support) { - if($support['value']==TR_STATUS_ENABLED) - $tabs[++$inc] = array('page_templates', 'page_template.inc.php', 'g'); - } - } - - $tabs[++$inc] = array('metadata', 'properties.inc.php', 'p'); - $tabs[++$inc] = array('alternative_content', 'alternatives.inc.php', 'a'); - $tabs[++$inc] = array('tests', 'tests.inc.php', 't'); - return $tabs; -} - - -function output_tabs($current_tab, $changes) { - global $_base_path; - $tabs = get_tabs(); - $num_tabs = count($tabs); -?> - - - - - - - - - - - - -
    - - <?php echo _AT('usaved_changes_made'); ?> - - -   - - <?php echo _AT('usaved_changes_made'); ?> - - - '; ?> -   
    - 1) return; - - include_once(TR_INCLUDE_PATH.'classes/A4a/A4a.class.php'); - include_once(TR_INCLUDE_PATH.'classes/XML/XML_HTMLSax/XML_HTMLSax.php'); /* for XML_HTMLSax */ - include_once(TR_INCLUDE_PATH.'classes/ContentOutputParser.class.php'); /* for parser */ - - // initialize content_base_href; used in format_content - if (!isset($content_base_href)) { - $content_row = $contentManager->getContentPage($cid); - // return if the cid is not found - if (!is_array($content_row)) { - return; - } - $content_base_href = $content_row["content_path"].'/'; - } - - $body = ContentUtility::formatContent($content, $formatting); - - $handler = new ContentOutputParser(); - $parser = new XML_HTMLSax(); - $parser->set_object($handler); - $parser->set_element_handler('openHandler','closeHandler'); - - $my_files = array(); - $parser->parse($body); - $my_files = array_unique($my_files); - - foreach ($my_files as $file) { - /* filter out full urls */ - $url_parts = @parse_url($file); - - // file should be relative to content - if ((substr($file, 0, 1) == '/')) { - continue; - } - - // The URL of the movie from youtube.com has been converted above in embed_media(). - // For example: http://www.youtube.com/watch?v=a0ryB0m0MiM is converted to - // http://www.youtube.com/v/a0ryB0m0MiM to make it playable. This creates the problem - // that the parsed-out url (http://www.youtube.com/v/a0ryB0m0MiM) does not match with - // the URL saved in content table (http://www.youtube.com/watch?v=a0ryB0m0MiM). - // The code below is to convert the URL back to original. - $file = ContentUtility::convertYoutubePlayURLToWatchURL($file); - - $resources[] = convertAmp($file); // converts & to & - } - - $a4a = new A4a($cid); - $db_primary_resources = $a4a->getPrimaryResources(); - - // clean up the removed resources - foreach ($db_primary_resources as $primary_rid=>$db_resource){ - //if this file from our table is not found in the $resource, then it's not used. 
- if(count($resources) == 0 || !in_array($db_resource['resource'], $resources)){ - // The following ends up deleting all original resourse type from the db - // Why is it here? - //$a4a->deletePrimaryResource($primary_rid); - } - } - - if (count($resources) == 0) return; - - // insert the new resources - foreach($resources as $primary_resource) - { - if (!$a4a->getPrimaryResourceByName($primary_resource)){ - $a4a->setPrimaryResource($cid, $primary_resource, $_SESSION['lang']); - } - } -} - -// save all changes to the DB -function save_changes($redir, $current_tab) { - global $contentManager, $msg, $_course_id, $_content_id; - - $_POST['pid'] = intval($_POST['pid']); - $_POST['_cid'] = intval($_POST['_cid']); - - - $_POST['alternatives'] = intval($_POST['alternatives']); - - $_POST['title'] = trim($_POST['title']); - $_POST['head'] = trim($_POST['head']); - $_POST['use_customized_head'] = isset($_POST['use_customized_head'])?$_POST['use_customized_head']:0; - $_POST['body_text'] = stripslashes(trim($_POST['body_text'])); - $_POST['weblink_text'] = trim($_POST['weblink_text']); - $_POST['formatting'] = intval($_POST['formatting']); - $_POST['keywords'] = stripslashes(trim($_POST['keywords'])); - $_POST['test_message'] = trim($_POST['test_message']); - - //if weblink is selected, use it - if ($_POST['formatting']==CONTENT_TYPE_WEBLINK) { - $url = $_POST['weblink_text']; - $validated_url = isValidURL($url); - if (!validated_url || $validated_url !== $url) { - $msg->addError(array('INVALID_INPUT', _AT('weblink'))); - } else { - $_POST['body_text'] = $url; - $content_type_pref = CONTENT_TYPE_WEBLINK; - } - } else { - $content_type_pref = CONTENT_TYPE_CONTENT; - } - - // add or edit content - if ($_POST['_cid']) { - /* editing an existing page */ - $err = $contentManager->editContent($_POST['_cid'], $_POST['title'], $_POST['body_text'], - $_POST['keywords'], $_POST['formatting'], - $_POST['head'], $_POST['use_customized_head'], - $_POST['test_message']); - - - $cid = 
$_POST['_cid']; - } else { - /* insert new */ - $cid = $contentManager->addContent($_course_id, - $_POST['pid'], - $_POST['ordering'], - $_POST['title'], - $_POST['body_text'], - $_POST['keywords'], - $_POST['related'], - $_POST['formatting'], - $_POST['head'], - $_POST['use_customized_head'], - $_POST['test_message'], - $content_type_pref); - - $_POST['_cid'] = $cid; - $_REQUEST['_cid'] = $cid; - } - - - - - if ($cid == 0) return; - - // re-populate a4a tables based on the new content - populate_a4a($cid, $orig_body_text, $_POST['formatting']); - - - if (isset($_GET['tab'])) { - $current_tab = intval($_GET['tab']); - } - if (isset($_POST['current_tab'])) { - $current_tab = intval($_POST['current_tab']); - } - - // adapted content: save primary content type - if (isset($_POST['use_post_for_alt'])) - { - include_once(TR_INCLUDE_PATH.'classes/DAO/PrimaryResourcesTypesDAO.class.php'); - $primaryResourcesTypesDAO = new PrimaryResourcesTypesDAO(); - - // 1. delete old primary content type - - $sql = "DELETE FROM ".TABLE_PREFIX."primary_resources_types - WHERE primary_resource_id in - (SELECT DISTINCT primary_resource_id - FROM ".TABLE_PREFIX."primary_resources - WHERE content_id=? - AND language_code=?)"; - $values=array($cid, $_SESSION['lang']); - $types = "ii"; - $primaryResourcesTypesDAO->execute($sql, $values, $types); - - // 2. insert the new primary content type - - $sql = "SELECT pr.primary_resource_id, rt.type_id - FROM ".TABLE_PREFIX."primary_resources pr, ". - TABLE_PREFIX."resource_types rt - WHERE pr.content_id = ? 
- AND pr.language_code = ?"; - $values = array($cid, $_SESSION['lang']); - $types = "is"; - $all_types_rows = $primaryResourcesTypesDAO->execute($sql, $values, $types); - - if (is_array($all_types_rows)) { - foreach ($all_types_rows as $type) { - if (isset($_POST['alt_'.$type['primary_resource_id'].'_'.$type['type_id']])) - { - $primaryResourcesTypesDAO->Create($type['primary_resource_id'], $type['type_id']); - } - } - } - } - - include_once(TR_INCLUDE_PATH.'classes/DAO/ContentTestsAssocDAO.class.php'); - $contentTestsAssocDAO = new ContentTestsAssocDAO(); - $test_rows = $contentTestsAssocDAO->getByContent($_POST['_cid']); - $db_test_array = array(); - if (is_array($test_rows)) { - foreach ($test_rows as $row) { - $db_test_array[] = $row['test_id']; - } - } - - if (is_array($_POST['tid']) && sizeof($_POST['tid']) > 0){ - $toBeDeleted = array_diff($db_test_array, $_POST['tid']); - $toBeAdded = array_diff($_POST['tid'], $db_test_array); - //Delete entries - if (!empty($toBeDeleted)){ - $num_of_ids = count($toBeDeleted); - $sql = 'DELETE FROM '. TABLE_PREFIX .'content_tests_assoc WHERE content_id=? AND test_id IN ('.substr(str_repeat("? , ", $num_of_ids), 0, -2).')'; - $values = $toBeDeleted; - $types = "i"; - $types .= str_pad("", $num_of_ids, "i"); - $contentTestsAssocDAO->execute($sql, $values, $types); - } - - //Add entries - if (!empty($toBeAdded)){ - foreach ($toBeAdded as $i => $tid){ - $tid = intval($tid); - - if ($contentTestsAssocDAO->Create($_POST['_cid'], $tid) === false){ - $msg->addError('DB_NOT_UPDATED'); - } - } - } - } else { - //All tests has been removed. 
- $contentTestsAssocDAO->DeleteByContentID($_POST['_cid']); - } - //End Add test - - if (!$msg->containsErrors() && $redir) { - $_SESSION['save_n_close'] = $_POST['save_n_close']; - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: '.basename($_SERVER['PHP_SELF']).'?_cid='.$cid.SEP.'close='.addslashes($_POST['save_n_close']).SEP.'tab='.addslashes($_POST['current_tab']).SEP.'displayhead='.addslashes($_POST['displayhead']).SEP.'alternatives='.addslashes($_POST['alternatives'])); - exit; - } else { - return; - } -} - -function check_for_changes($row, $row_alternatives) { - global $contentManager, $cid, $glossary, $glossary_ids_related; - - $changes = array(); - - if ($row && strcmp(trim(addslashes($_POST['title'])), addslashes($row['title']))) { - $changes[0] = true; - } else if (!$row && $_POST['title']) { - $changes[0] = true; - } - - if ($row && strcmp(addslashes(trim($_POST['head'])), trim(addslashes($row['head'])))) { - $changes[0] = true; - } else if (!$row && $_POST['head']) { - $changes[0] = true; - } - - if ($row && strcmp(addslashes(trim($_POST['body_text'])), trim(addslashes($row['text'])))) { - $changes[0] = true; - } else if (!$row && $_POST['body_text']) { - $changes[0] = true; - } - - if ($row && strcmp(addslashes(trim($_POST['weblink_text'])), trim(addslashes($row['text'])))) { - $changes[0] = true; - } else if (!$row && $_POST['weblink_text']) { - $changes[0] = true; - } - - /* use customized head: */ - if ($row && isset($_POST['use_customized_head']) && ($_POST['use_customized_head'] != $row['use_customized_head'])) { - $changes[0] = true; - } - - /* formatting: */ - if ($row && strcmp(trim($_POST['formatting']), $row['formatting'])) { - $changes[0] = true; - } else if (!$row && $_POST['formatting']) { - $changes[0] = true; - } - - /* keywords */ - if ($row && strcmp(trim($_POST['keywords']), $row['keywords'])) { - $changes[1] = true; - } else if (!$row && $_POST['keywords']) { - $changes[1] = true; - } - - /* adapted content 
*/ - if (isset($_POST['use_post_for_alt'])) - { - foreach ($_POST as $alt_id => $alt_value) { - if (substr($alt_id, 0 ,4) == 'alt_' && $alt_value != $row_alternatives[$alt_id]){ - $changes[2] = true; - break; - } - } - } - - /* test & survey */ - if ($row && isset($_POST['test_message']) && $_POST['test_message'] != $row['test_message']){ - $changes[3] = true; - } - - $content_tests = $contentManager->getContentTestsAssoc($cid); - - if (isset($_POST['visited_tests'])) { - if (!is_array($content_tests) && is_array($_POST['tid'])) { - $changes[3] = true; - } - if (is_array($content_tests)) { - for ($i = 0; $i < count($content_tests); $i++) { - if ($content_tests[$i]['test_id'] <> $_POST['tid'][$i]) { - $changes[3] = true; - break; - } - } - } - } - - return $changes; -} - -function paste_from_file() { - global $msg; - - include_once(TR_INCLUDE_PATH.'../home/classes/ContentUtility.class.php'); - if ($_FILES['uploadedfile_paste']['name'] == '') { - $msg->addError('FILE_NOT_SELECTED'); - return; - } - if ($_FILES['uploadedfile_paste']['name'] - && (($_FILES['uploadedfile_paste']['type'] == 'text/plain') - || ($_FILES['uploadedfile_paste']['type'] == 'text/html')) ) - { - - $path_parts = pathinfo($_FILES['uploadedfile_paste']['name']); - $ext = strtolower($path_parts['extension']); - - if (in_array($ext, array('html', 'htm'))) { - $_POST['body_text'] = file_get_contents($_FILES['uploadedfile_paste']['tmp_name']); - - /* get the of this page */ - - $start_pos = strpos(strtolower($_POST['body_text']), ''); - $end_pos = strpos(strtolower($_POST['body_text']), ''); - - if (($start_pos !== false) && ($end_pos !== false)) { - $start_pos += strlen(''); - $_POST['title'] = trim(substr($_POST['body_text'], $start_pos, $end_pos-$start_pos)); - } - unset($start_pos); - unset($end_pos); - - $_POST['head'] = ContentUtility::getHtmlHeadByTag($_POST['body_text'], array("link", "style", "script")); - if (strlen(trim($_POST['head'])) > 0) - $_POST['use_customized_head'] = 1; - else - 
$_POST['use_customized_head'] = 0; - - $_POST['body_text'] = ContentUtility::getHtmlBody($_POST['body_text']); - - $msg->addFeedback('FILE_PASTED'); - } else if ($ext == 'txt') { - $_POST['body_text'] = file_get_contents($_FILES['uploadedfile_paste']['tmp_name']); - //LAW - $msg->addFeedback('FILE_PASTED'); - - } - } else { - $msg->addError('BAD_FILE_TYPE'); - } - - return; -} - -//for accessibility checker -function write_temp_file() { - global $_POST, $msg; - - if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { - $content_base = 'get.php/'; - } else { - $content_base = 'content/' . $_SESSION['course_id'] . '/'; - } - - if ($_POST['content_path']) { - $content_base .= $_POST['content_path'] . '/'; - } - - $file_name = $_POST['_cid'].'.html'; - - if ($handle = fopen(TR_CONTENT_DIR . $file_name, 'wb+')) { - - if (!@fwrite($handle, stripslashes($_POST['body_text']))) { - $msg->addError('FILE_NOT_SAVED'); - } - } else { - $msg->addError('FILE_NOT_SAVED'); - } - $msg->printErrors(); -} -?> +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2013 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. 
*/ +/************************************************************************/ + +if (!defined('TR_INCLUDE_PATH')) { exit; } + +function in_array_cin($strItem, $arItems) +{ + foreach ($arItems as $key => $strValue) + { + if (strtoupper($strItem) == strtoupper($strValue)) + { + return $key; + } + } + return false; +} + + +function get_tabs() { +/* Check if the page template_layout and are enabled or disabled */ + include_once(TR_INCLUDE_PATH.'classes/DAO/DAO.class.php'); + $dao = new DAO(); + + $inc=0; + $tabs[$inc] = array('content', 'edit.inc.php', 'n'); + + $sql="SELECT value FROM ".TABLE_PREFIX."config WHERE name='enable_template_layout'"; + $result=$dao->execute($sql); + if(is_array($result)) + { + foreach ($result as $support) { + if($support['value']==TR_STATUS_ENABLED) + $tabs[++$inc] = array('layouts', 'layout.inc.php', 'l'); + } + } + $sql="SELECT value FROM ".TABLE_PREFIX."config WHERE name='enable_template_page'"; + $result=$dao->execute($sql); + if(is_array($result)) + { + foreach ($result as $support) { + if($support['value']==TR_STATUS_ENABLED) + $tabs[++$inc] = array('page_templates', 'page_template.inc.php', 'g'); + } + } + + $tabs[++$inc] = array('metadata', 'properties.inc.php', 'p'); + $tabs[++$inc] = array('alternative_content', 'alternatives.inc.php', 'a'); + $tabs[++$inc] = array('tests', 'tests.inc.php', 't'); + return $tabs; +} + + +function output_tabs($current_tab, $changes) { + global $_base_path; + $tabs = get_tabs(); + $num_tabs = count($tabs); +?> + <table class="etabbed-table"> + <tr> + <?php + for ($i=0; $i < $num_tabs; $i++): + if ($current_tab == $i):?> + <td class="editor_tab_selected"> + <?php if ($changes[$i]): ?> + <img src="<?php echo $_base_path; ?>images/changes_bullet.gif" alt="<?php echo _AT('usaved_changes_made'); ?>" height="12" width="15" /> + <?php endif; ?> + <?php echo _AT($tabs[$i][0]); ?> + </td> + <td class="tab-spacer"> </td> + <?php else: ?> + <td class="editor_tab"> + <?php if ($changes[$i]): ?> + <img 
src="<?php echo $_base_path; ?>images/changes_bullet.gif" alt="<?php echo _AT('usaved_changes_made'); ?>" height="12" width="15" /> + <?php endif; ?> + + <?php echo '<input type="submit" name="button_'.$i.'" value="'._AT($tabs[$i][0]).'" title="'._AT($tabs[$i][0]).' - alt '.$tabs[$i][2].'" class="editor_buttontab" accesskey="'.$tabs[$i][2].'" onmouseover="this.style.cursor=\'pointer\';" '.$clickEvent.' />'; ?> + </td> + <td class="tab-spacer"> </td> + <?php endif; ?> + <?php endfor; ?> + <td > </td> + </tr> + </table> +<?php } +/** + * Strips all tags and encodes special characters in the URL + * Returns false if the URL is invalid + * + * @param string $url + * @return mixed - returns a stripped and encoded URL or false if URL is invalid + */ +function isValidURL($url) { + if (substr($url,0,4) === 'http') { + return filter_var(filter_var($url, FILTER_SANITIZE_STRING), FILTER_VALIDATE_URL); + } + return false; +} + +/* + * Parse the primary resources out of the content and save into db. + * Clean up the removed primary resources from db. + * @param: $cid: content id + * @param: $content + * @return: none + */ +function populate_a4a($cid, $content, $formatting){ + global $my_files, $content_base_href, $contentManager; + + // Defining alternatives is only available for content type "html". + // But don't clean up the a4a tables at other content types in case the user needs them back at html. 
+ + + if ($formatting <> 1) return; + + include_once(TR_INCLUDE_PATH.'classes/A4a/A4a.class.php'); + include_once(TR_INCLUDE_PATH.'classes/XML/XML_HTMLSax/XML_HTMLSax.php'); /* for XML_HTMLSax */ + include_once(TR_INCLUDE_PATH.'classes/ContentOutputParser.class.php'); /* for parser */ + + // initialize content_base_href; used in format_content + if (!isset($content_base_href)) { + $content_row = $contentManager->getContentPage($cid); + // return if the cid is not found + if (!is_array($content_row)) { + return; + } + $content_base_href = $content_row["content_path"].'/'; + } + + $body = ContentUtility::formatContent($content, $formatting); + + $handler = new ContentOutputParser(); + $parser = new XML_HTMLSax(); + $parser->set_object($handler); + $parser->set_element_handler('openHandler','closeHandler'); + + $my_files = array(); + $parser->parse($body); + $my_files = array_unique($my_files); + + foreach ($my_files as $file) { + /* filter out full urls */ + $url_parts = @parse_url($file); + + // file should be relative to content + if ((substr($file, 0, 1) == '/')) { + continue; + } + + // The URL of the movie from youtube.com has been converted above in embed_media(). + // For example: http://www.youtube.com/watch?v=a0ryB0m0MiM is converted to + // http://www.youtube.com/v/a0ryB0m0MiM to make it playable. This creates the problem + // that the parsed-out url (http://www.youtube.com/v/a0ryB0m0MiM) does not match with + // the URL saved in content table (http://www.youtube.com/watch?v=a0ryB0m0MiM). + // The code below is to convert the URL back to original. + $file = ContentUtility::convertYoutubePlayURLToWatchURL($file); + + $resources[] = convertAmp($file); // converts & to & + } + + $a4a = new A4a($cid); + $db_primary_resources = $a4a->getPrimaryResources(); + + // clean up the removed resources + foreach ($db_primary_resources as $primary_rid=>$db_resource){ + //if this file from our table is not found in the $resource, then it's not used. 
+ if(count($resources) == 0 || !in_array($db_resource['resource'], $resources)){ + // The following ends up deleting all original resourse type from the db + // Why is it here? + //$a4a->deletePrimaryResource($primary_rid); + } + } + + if (count($resources) == 0) return; + + // insert the new resources + foreach($resources as $primary_resource) + { + if (!$a4a->getPrimaryResourceByName($primary_resource)){ + $a4a->setPrimaryResource($cid, $primary_resource, $_SESSION['lang']); + } + } +} + +// save all changes to the DB +function save_changes($redir, $current_tab) { + global $contentManager, $msg, $_course_id, $_content_id; + + $_POST['pid'] = intval($_POST['pid']); + $_POST['_cid'] = intval($_POST['_cid']); + + + $_POST['alternatives'] = intval($_POST['alternatives']); + + $_POST['title'] = trim($_POST['title']); + $_POST['head'] = trim($_POST['head']); + $_POST['use_customized_head'] = isset($_POST['use_customized_head'])?$_POST['use_customized_head']:0; + $_POST['body_text'] = stripslashes(trim($_POST['body_text'])); + $_POST['weblink_text'] = trim($_POST['weblink_text']); + $_POST['formatting'] = intval($_POST['formatting']); + $_POST['keywords'] = stripslashes(trim($_POST['keywords'])); + $_POST['test_message'] = trim($_POST['test_message']); + + //if weblink is selected, use it + if ($_POST['formatting']==CONTENT_TYPE_WEBLINK) { + $url = $_POST['weblink_text']; + $validated_url = isValidURL($url); + if (!validated_url || $validated_url !== $url) { + $msg->addError(array('INVALID_INPUT', _AT('weblink'))); + } else { + $_POST['body_text'] = $url; + $content_type_pref = CONTENT_TYPE_WEBLINK; + } + } else { + $content_type_pref = CONTENT_TYPE_CONTENT; + } + + // add or edit content + if ($_POST['_cid']) { + /* editing an existing page */ + $err = $contentManager->editContent($_POST['_cid'], $_POST['title'], $_POST['body_text'], + $_POST['keywords'], $_POST['formatting'], + $_POST['head'], $_POST['use_customized_head'], + $_POST['test_message']); + + + $cid = 
$_POST['_cid']; + } else { + /* insert new */ + $cid = $contentManager->addContent($_course_id, + $_POST['pid'], + $_POST['ordering'], + $_POST['title'], + $_POST['body_text'], + $_POST['keywords'], + $_POST['related'], + $_POST['formatting'], + $_POST['head'], + $_POST['use_customized_head'], + $_POST['test_message'], + $content_type_pref); + + $_POST['_cid'] = $cid; + $_REQUEST['_cid'] = $cid; + } + + + + + if ($cid == 0) return; + + // re-populate a4a tables based on the new content + populate_a4a($cid, $orig_body_text, $_POST['formatting']); + + + if (isset($_GET['tab'])) { + $current_tab = intval($_GET['tab']); + } + if (isset($_POST['current_tab'])) { + $current_tab = intval($_POST['current_tab']); + } + + // adapted content: save primary content type + if (isset($_POST['use_post_for_alt'])) + { + include_once(TR_INCLUDE_PATH.'classes/DAO/PrimaryResourcesTypesDAO.class.php'); + $primaryResourcesTypesDAO = new PrimaryResourcesTypesDAO(); + + // 1. delete old primary content type + + $sql = "DELETE FROM ".TABLE_PREFIX."primary_resources_types + WHERE primary_resource_id in + (SELECT DISTINCT primary_resource_id + FROM ".TABLE_PREFIX."primary_resources + WHERE content_id=? + AND language_code=?)"; + $values=array($cid, $_SESSION['lang']); + $types = "ii"; + $primaryResourcesTypesDAO->execute($sql, $values, $types); + + // 2. insert the new primary content type + + $sql = "SELECT pr.primary_resource_id, rt.type_id + FROM ".TABLE_PREFIX."primary_resources pr, ". + TABLE_PREFIX."resource_types rt + WHERE pr.content_id = ? 
+ AND pr.language_code = ?"; + $values = array($cid, $_SESSION['lang']); + $types = "is"; + $all_types_rows = $primaryResourcesTypesDAO->execute($sql, $values, $types); + + if (is_array($all_types_rows)) { + foreach ($all_types_rows as $type) { + if (isset($_POST['alt_'.$type['primary_resource_id'].'_'.$type['type_id']])) + { + $primaryResourcesTypesDAO->Create($type['primary_resource_id'], $type['type_id']); + } + } + } + } + + include_once(TR_INCLUDE_PATH.'classes/DAO/ContentTestsAssocDAO.class.php'); + $contentTestsAssocDAO = new ContentTestsAssocDAO(); + $test_rows = $contentTestsAssocDAO->getByContent($_POST['_cid']); + $db_test_array = array(); + if (is_array($test_rows)) { + foreach ($test_rows as $row) { + $db_test_array[] = $row['test_id']; + } + } + + if (is_array($_POST['tid']) && sizeof($_POST['tid']) > 0){ + $toBeDeleted = array_diff($db_test_array, $_POST['tid']); + $toBeAdded = array_diff($_POST['tid'], $db_test_array); + //Delete entries + if (!empty($toBeDeleted)){ + $num_of_ids = count($toBeDeleted); + $sql = 'DELETE FROM '. TABLE_PREFIX .'content_tests_assoc WHERE content_id=? AND test_id IN ('.substr(str_repeat("? , ", $num_of_ids), 0, -2).')'; + $values = $toBeDeleted; + $types = "i"; + $types .= str_pad("", $num_of_ids, "i"); + $contentTestsAssocDAO->execute($sql, $values, $types); + } + + //Add entries + if (!empty($toBeAdded)){ + foreach ($toBeAdded as $i => $tid){ + $tid = intval($tid); + + if ($contentTestsAssocDAO->Create($_POST['_cid'], $tid) === false){ + $msg->addError('DB_NOT_UPDATED'); + } + } + } + } else { + //All tests has been removed. 
+ $contentTestsAssocDAO->DeleteByContentID($_POST['_cid']); + } + //End Add test + + if (!$msg->containsErrors() && $redir) { + $_SESSION['save_n_close'] = $_POST['save_n_close']; + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: '.basename($_SERVER['PHP_SELF']).'?_cid='.$cid.SEP.'close='.addslashes($_POST['save_n_close']).SEP.'tab='.addslashes($_POST['current_tab']).SEP.'displayhead='.addslashes($_POST['displayhead']).SEP.'alternatives='.addslashes($_POST['alternatives'])); + exit; + } else { + return; + } +} + +function check_for_changes($row, $row_alternatives) { + global $contentManager, $cid, $glossary, $glossary_ids_related; + + $changes = array(); + + if ($row && strcmp(trim(addslashes($_POST['title'])), addslashes($row['title']))) { + $changes[0] = true; + } else if (!$row && $_POST['title']) { + $changes[0] = true; + } + + if ($row && strcmp(addslashes(trim($_POST['head'])), trim(addslashes($row['head'])))) { + $changes[0] = true; + } else if (!$row && $_POST['head']) { + $changes[0] = true; + } + + if ($row && strcmp(addslashes(trim($_POST['body_text'])), trim(addslashes($row['text'])))) { + $changes[0] = true; + } else if (!$row && $_POST['body_text']) { + $changes[0] = true; + } + + if ($row && strcmp(addslashes(trim($_POST['weblink_text'])), trim(addslashes($row['text'])))) { + $changes[0] = true; + } else if (!$row && $_POST['weblink_text']) { + $changes[0] = true; + } + + /* use customized head: */ + if ($row && isset($_POST['use_customized_head']) && ($_POST['use_customized_head'] != $row['use_customized_head'])) { + $changes[0] = true; + } + + /* formatting: */ + if ($row && strcmp(trim($_POST['formatting']), $row['formatting'])) { + $changes[0] = true; + } else if (!$row && $_POST['formatting']) { + $changes[0] = true; + } + + /* keywords */ + if ($row && strcmp(trim($_POST['keywords']), $row['keywords'])) { + $changes[1] = true; + } else if (!$row && $_POST['keywords']) { + $changes[1] = true; + } + + /* adapted content 
*/ + if (isset($_POST['use_post_for_alt'])) + { + foreach ($_POST as $alt_id => $alt_value) { + if (substr($alt_id, 0 ,4) == 'alt_' && $alt_value != $row_alternatives[$alt_id]){ + $changes[2] = true; + break; + } + } + } + + /* test & survey */ + if ($row && isset($_POST['test_message']) && $_POST['test_message'] != $row['test_message']){ + $changes[3] = true; + } + + $content_tests = $contentManager->getContentTestsAssoc($cid); + + if (isset($_POST['visited_tests'])) { + if (!is_array($content_tests) && is_array($_POST['tid'])) { + $changes[3] = true; + } + if (is_array($content_tests)) { + for ($i = 0; $i < count($content_tests); $i++) { + if ($content_tests[$i]['test_id'] <> $_POST['tid'][$i]) { + $changes[3] = true; + break; + } + } + } + } + + return $changes; +} + +function paste_from_file() { + global $msg; + + include_once(TR_INCLUDE_PATH.'../home/classes/ContentUtility.class.php'); + if ($_FILES['uploadedfile_paste']['name'] == '') { + $msg->addError('FILE_NOT_SELECTED'); + return; + } + if ($_FILES['uploadedfile_paste']['name'] + && (($_FILES['uploadedfile_paste']['type'] == 'text/plain') + || ($_FILES['uploadedfile_paste']['type'] == 'text/html')) ) + { + + $path_parts = pathinfo($_FILES['uploadedfile_paste']['name']); + $ext = strtolower($path_parts['extension']); + + if (in_array($ext, array('html', 'htm'))) { + $_POST['body_text'] = file_get_contents($_FILES['uploadedfile_paste']['tmp_name']); + + /* get the <title> of this page */ + + $start_pos = strpos(strtolower($_POST['body_text']), ''); + $end_pos = strpos(strtolower($_POST['body_text']), ''); + + if (($start_pos !== false) && ($end_pos !== false)) { + $start_pos += strlen(''); + $_POST['title'] = trim(substr($_POST['body_text'], $start_pos, $end_pos-$start_pos)); + } + unset($start_pos); + unset($end_pos); + + $_POST['head'] = ContentUtility::getHtmlHeadByTag($_POST['body_text'], array("link", "style", "script")); + if (strlen(trim($_POST['head'])) > 0) + $_POST['use_customized_head'] = 1; + 
else + $_POST['use_customized_head'] = 0; + + $_POST['body_text'] = ContentUtility::getHtmlBody($_POST['body_text']); + + $msg->addFeedback('FILE_PASTED'); + } else if ($ext == 'txt') { + $_POST['body_text'] = file_get_contents($_FILES['uploadedfile_paste']['tmp_name']); + //LAW + $msg->addFeedback('FILE_PASTED'); + + } + } else { + $msg->addError('BAD_FILE_TYPE'); + } + + return; +} + +//for accessibility checker +function write_temp_file() { + global $_POST, $msg; + + if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { + $content_base = 'get.php/'; + } else { + $content_base = 'content/' . $_SESSION['course_id'] . '/'; + } + + if ($_POST['content_path']) { + $content_base .= $_POST['content_path'] . '/'; + } + + $file_name = $_POST['_cid'].'.html'; + + if ($handle = fopen(TR_CONTENT_DIR . $file_name, 'wb+')) { + + if (!@fwrite($handle, stripslashes($_POST['body_text']))) { + $msg->addError('FILE_NOT_SAVED'); + } + } else { + $msg->addError('FILE_NOT_SAVED'); + } + $msg->printErrors(); +} +?> diff --git a/home/editor/forums_tool.php b/home/editor/forums_tool.php index 01a73f0b..44774a27 100644 --- a/home/editor/forums_tool.php +++ b/home/editor/forums_tool.php @@ -157,4 +157,4 @@ </table> </div> -</form> \ No newline at end of file +</form> diff --git a/home/editor/import_export_content.php b/home/editor/import_export_content.php index 51b9900f..a31c0a4f 100644 --- a/home/editor/import_export_content.php +++ b/home/editor/import_export_content.php 
@@ -1,193 +1,194 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', '../../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); - -global $_course_id, $_content_id; - -Utility::authenticate(TR_PRIV_ISAUTHOR); - -require(TR_INCLUDE_PATH.'header.inc.php'); -if (!isset($_main_menu)) { - $_main_menu = $contentManager->getContent(); -} - -// The length of the content/folder title to display. -// This is to fix the issue that, when any one of the content title is too long, -// the dropdown box for the export selection stretches out of the "export" fieldset border. -$len_of_title_to_display = 65; - -function print_menu_sections(&$menu, $only_print_content_folder = false, $parent_content_id = 0, $depth = 0, $ordering = '') { - global $len_of_title_to_display; - - $my_children = $menu[$parent_content_id]; - $cid = $_GET['cid']; - - if (!is_array($my_children)) { - return; - } - foreach ($my_children as $children) { - /* test content association, we don't want to display the test pages - * as part of the menu section. If test, skip it. - */ - if (isset($children['test_id'])){ - continue; - } - if ($only_print_content_folder && $children['content_type'] != CONTENT_TYPE_FOLDER) { - continue; - } - - echo '<option value="'.$children['content_id'].'"'; - if ($cid == $children['content_id']) { - echo ' selected="selected"'; - } - echo '>'; - echo str_pad('', $depth, '-') . 
' '; - if ($parent_content_id == 0) { - $new_ordering = $children['ordering']; - echo $children['ordering']; - } else { - $new_ordering = $ordering.'.'.$children['ordering']; - echo $ordering . '.'. $children['ordering']; - } - if (strlen($children['title']) > $len_of_title_to_display) { - $title = substr($children['title'], 0, $len_of_title_to_display).' ...'; - } else { - $title = $children['title']; - } - - echo ' '.$title.'</option>'; - - print_menu_sections($menu, $only_print_content_folder, $children['content_id'], $depth+1, $new_ordering); - } -} - -?> -<form name="exportForm" method="post" action="home/ims/ims_export.php"> -<div class="input-form"> - <input type="hidden" name="_course_id" value="<?php echo $_course_id; ?>" /> - <fieldset class="group_form"><legend class="group_form"><?php echo _AT('export_content'); ?></legend> - <div class="row"> - <p><?php echo _AT('export_content_info'); ?></p> - </div> - -<?php if ($_main_menu[0]): ?> - <div class="row"> - <label for="select_cid"><?php echo _AT('export_content_package_what'); ?></label><br /> - <select name="cid" id="select_cid"> - <option value="0"><?php echo _AT('export_entire_course_or_chap'); ?></option> - <option value="0"></option> - <?php - print_menu_sections($_main_menu); - ?> - </select> - </div> - - <div class="row"> - <input type="radio" name="export_as" id="to_cp" value="1" checked="checked" onclick="changeFormAction('cp');" /> - <label for="to_cp"><?php echo _AT('content_package'); ?></label> <br /> - <input type="radio" name="export_as" id="to_cc" value="1" onclick="changeFormAction('cc');" /> - <label for="to_cc"><?php echo _AT('common_cartridge'); ?> </label> - </div> - <div class="row"> - <input type="checkbox" name="to_a4a" id="to_a4a" value="1" /> - <label for="to_a4a"><?php echo _AT('a4a_export'); ?></label> - </div> - - <div class="row buttons"> - <input type="submit" name="submit" value="<?php echo _AT('export'); ?>" /> - <input type="submit" name="cancel" value="<?php echo 
_AT('cancel'); ?>" /> - </div> - </fieldset> -<?php else: ?> - <div class="row"> - <strong><?php echo _AT('none_found'); ?></strong> - </div> -<?php endif; ?> - -</div> -</form> - -<form name="form1" method="post" action="home/ims/ims_import.php" enctype="multipart/form-data" onsubmit="openWindow('<?php echo TR_BASE_HREF; ?>home/prog.php');"> -<div class="input-form"> - <input type="hidden" name="_course_id" value="<?php echo $_course_id; ?>" /> - <fieldset class="group_form"><legend class="group_form"><?php echo _AT('import_content'); ?></legend> - <div class="row"> - - <p><?php echo _AT('import_content_info'); ?></p> - </div> - - <div class="row"> - <label for="select_cid2"><?php echo _AT('import_content_package_where'); ?></label><br /> - <select name="cid" id="select_cid2"> - <option value="0"><?php echo _AT('import_content_package_bottom_subcontent'); ?></option> - <option value="0"></option> - <?php - print_menu_sections($_main_menu, true); - ?> - </select> - </div> - - <div class="row"> - <input type="checkbox" name="allow_test_import" id="allow_test_import" checked="checked" /> - <label for="allow_test_import"><?php echo _AT('test_import_package'); ?></label> <br /> - <input type="checkbox" name="allow_a4a_import" id="allow_a4a_import" checked="checked" /> - <label for="allow_a4a_import"><?php echo _AT('a4a_import_package'); ?></label><br /> - <input type="checkbox" name="ignore_validation" id="ignore_validation" value="1" /> - <label for="ignore_validation"><?php echo _AT('ignore_validation'); ?></label> <br /> - </div> - - <div class="row"> - <label for="to_file"><?php echo _AT('upload_content_package'); ?></label><br /> - <input type="file" name="file" id="to_file" /> - </div> - - <div class="row"> - <label for="to_url"><?php echo _AT('specify_url_to_content_package'); ?></label><br /> - <input type="text" name="url" value="http://" size="40" id="to_url" /> - </div> - - <div class="row buttons"> - <input type="submit" name="submit" 
onclick="setClickSource('submit');" value="<?php echo _AT('import'); ?>" /> - <input type="submit" name="cancel" onclick="document.form1.enctype='';setClickSource('cancel');" value="<?php echo _AT('cancel'); ?>" /> - </div> -</div> -</form> - -<script language="javascript" type="text/javascript"> - -var but_src; -function setClickSource(name) { - but_src = name; -} - -function openWindow(page) { - if (but_src != "cancel") { - newWindow = window.open(page, "progWin", "width=400,height=200,toolbar=no,location=no"); - newWindow.focus(); - } -} - -//Change form action -function changeFormAction(type){ - var obj = document.exportForm; - if (type=="cc"){ - obj.action = "home/imscc/ims_export.php"; - } else if (type=="cp"){ - obj.action = "home/ims/ims_export.php"; - } -} - -</script> - -<?php require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +define('TR_INCLUDE_PATH', '../../include/'); + +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); + +global $_course_id, $_content_id; + +Utility::authenticate(TR_PRIV_ISAUTHOR); + +require(TR_INCLUDE_PATH.'header.inc.php'); +if (!isset($_main_menu)) { + $_main_menu = $contentManager->getContent(); +} + +// The length of the content/folder title to display. +// This is to fix the issue that, when any one of the content title is too long, +// the dropdown box for the export selection stretches out of the "export" fieldset border. 
+$len_of_title_to_display = 65; + +function print_menu_sections(&$menu, $only_print_content_folder = false, $parent_content_id = 0, $depth = 0, $ordering = '') { + global $len_of_title_to_display; + + $my_children = $menu[$parent_content_id]; + $cid = $_GET['cid']; + + if (!is_array($my_children)) { + return; + } + foreach ($my_children as $children) { + /* test content association, we don't want to display the test pages + * as part of the menu section. If test, skip it. + */ + if (isset($children['test_id'])){ + continue; + } + if ($only_print_content_folder && $children['content_type'] != CONTENT_TYPE_FOLDER) { + continue; + } + + echo '<option value="'.$children['content_id'].'"'; + if ($cid == $children['content_id']) { + echo ' selected="selected"'; + } + echo '>'; + echo str_pad('', $depth, '-') . ' '; + if ($parent_content_id == 0) { + $new_ordering = $children['ordering']; + echo $children['ordering']; + } else { + $new_ordering = $ordering.'.'.$children['ordering']; + echo $ordering . '.'. $children['ordering']; + } + if (strlen($children['title']) > $len_of_title_to_display) { + $title = substr($children['title'], 0, $len_of_title_to_display).' 
...'; + } else { + $title = $children['title']; + } + + echo ' '.$title.'</option>'; + + print_menu_sections($menu, $only_print_content_folder, $children['content_id'], $depth+1, $new_ordering); + } +} + +?> +<form name="exportForm" method="post" action="home/ims/ims_export.php"> +<div class="input-form"> + <input type="hidden" name="_course_id" value="<?php echo $_course_id; ?>" /> + <fieldset class="group_form"><legend class="group_form"><?php echo _AT('export_content'); ?></legend> + <div class="row"> + <p><?php echo _AT('export_content_info'); ?></p> + </div> + +<?php if ($_main_menu[0]): ?> + <div class="row"> + <label for="select_cid"><?php echo _AT('export_content_package_what'); ?></label><br /> + <select name="cid" id="select_cid"> + <option value="0"><?php echo _AT('export_entire_course_or_chap'); ?></option> + <option value="0"></option> + <?php + print_menu_sections($_main_menu); + ?> + </select> + </div> + + <div class="row"> + <input type="radio" name="export_as" id="to_cp" value="1" checked="checked" onclick="changeFormAction('cp');" /> + <label for="to_cp"><?php echo _AT('content_package'); ?></label> <br /> + <input type="radio" name="export_as" id="to_cc" value="1" onclick="changeFormAction('cc');" /> + <label for="to_cc"><?php echo _AT('common_cartridge'); ?> </label> + </div> + <div class="row"> + <input type="checkbox" name="to_a4a" id="to_a4a" value="1" /> + <label for="to_a4a"><?php echo _AT('a4a_export'); ?></label> + </div> + + <div class="row buttons"> + <input type="submit" name="submit" value="<?php echo _AT('export'); ?>" /> + <input type="submit" name="cancel" value="<?php echo _AT('cancel'); ?>" /> + </div> + </fieldset> +<?php else: ?> + <div class="row"> + <strong><?php echo _AT('none_found'); ?></strong> + </div> +<?php endif; ?> + +</div> +</form> + +<form name="form1" method="post" action="home/ims/ims_import.php" enctype="multipart/form-data" onsubmit="openWindow('<?php echo TR_BASE_HREF; ?>home/prog.php');"> +<div 
class="input-form"> + <input type="hidden" name="_course_id" value="<?php echo $_course_id; ?>" /> + <fieldset class="group_form"><legend class="group_form"><?php echo _AT('import_content'); ?></legend> + <div class="row"> + + <p><?php echo _AT('import_content_info'); ?></p> + </div> + + <div class="row"> + <label for="select_cid2"><?php echo _AT('import_content_package_where'); ?></label><br /> + <select name="cid" id="select_cid2"> + <option value="0"><?php echo _AT('import_content_package_bottom_subcontent'); ?></option> + <option value="0"></option> + <?php + print_menu_sections($_main_menu, true); + ?> + </select> + </div> + + <div class="row"> + <input type="checkbox" name="allow_test_import" id="allow_test_import" checked="checked" /> + <label for="allow_test_import"><?php echo _AT('test_import_package'); ?></label> <br /> + <input type="checkbox" name="allow_a4a_import" id="allow_a4a_import" checked="checked" /> + <label for="allow_a4a_import"><?php echo _AT('a4a_import_package'); ?></label><br /> + <input type="checkbox" name="ignore_validation" id="ignore_validation" value="1" /> + <label for="ignore_validation"><?php echo _AT('ignore_validation'); ?></label> <br /> + </div> + + <div class="row"> + <label for="to_file"><?php echo _AT('upload_content_package'); ?></label><br /> + <input type="file" name="file" id="to_file" /> + </div> + + <div class="row"> + <label for="to_url"><?php echo _AT('specify_url_to_content_package'); ?></label><br /> + <input type="text" name="url" value="http://" size="40" id="to_url" /> + </div> + + <div class="row buttons"> + <input type="submit" name="submit" onclick="setClickSource('submit');" value="<?php echo _AT('import'); ?>" /> + <input type="submit" name="cancel" onclick="document.form1.enctype='';setClickSource('cancel');" value="<?php echo _AT('cancel'); ?>" /> + </div> +</div> +</form> + +<script language="javascript" type="text/javascript"> + +var but_src; +function setClickSource(name) { + but_src = name; +} + 
+function openWindow(page) { + if (but_src != "cancel") { + newWindow = window.open(page, "progWin", "width=400,height=200,toolbar=no,location=no"); + newWindow.focus(); + } +} + +//Change form action +function changeFormAction(type){ + var obj = document.exportForm; + if (type=="cc"){ + obj.action = "home/imscc/ims_export.php"; + } else if (type=="cp"){ + obj.action = "home/ims/ims_export.php"; + } +} + +</script> + +<?php require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/home/editor/index.php b/home/editor/index.php index 6f5a440c..590bf02d 100644 --- a/home/editor/index.php +++ b/home/editor/index.php 
@@ -1,28 +1,29 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-/** Commented by Cindy Li on Apr 27, 2010
- * Modified from ATutor home/editor/*, SVN revision 9807
- */
-
-define('TR_INCLUDE_PATH', '../../include/');
-require (TR_INCLUDE_PATH.'vitals.inc.php');
-
-$_section[0][0] = 'Blank Page';
-
-require (TR_INCLUDE_PATH.'header.inc.php');
-
-?>
-blank page
-<?php
-require (TR_INCLUDE_PATH.'footer.inc.php');
-?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+/** Commented by Cindy Li on Apr 27, 2010
+ * Modified from ATutor home/editor/*, SVN revision 9807
+ */
+
+define('TR_INCLUDE_PATH', '../../include/');
+
+require (TR_INCLUDE_PATH.'vitals.inc.php');
+
+$_section[0][0] = 'Blank Page';
+
+require (TR_INCLUDE_PATH.'header.inc.php');
+
+?>
+blank page
+<?php
+require (TR_INCLUDE_PATH.'footer.inc.php');
+?>
diff --git a/home/editor/preview.php b/home/editor/preview.php
index e45f296a..f43a8d3c 100644
--- a/home/editor/preview.php
+++ b/home/editor/preview.php
@@ -1,76 +1,76 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-define('TR_INCLUDE_PATH', '../../include/');
-
-require(TR_INCLUDE_PATH.'vitals.inc.php');
-require(TR_INCLUDE_PATH.'../home/editor/editor_tab_functions.inc.php');
-
-// commented out this require which was causing the a redeclare error #4846
-// delete the following line when its confirmed the require is not needed
-// require(TR_INCLUDE_PATH.'../home/classes/ContentUtility.class.php');
-
-global $_course_id, $_content_id, $contentManager;
-
-Utility::authenticate(TR_PRIV_ISAUTHOR);
-
-$cid = $_content_id;
-
-if ($cid == 0) {
- require(TR_INCLUDE_PATH.'header.inc.php');
- $msg->printInfos('NO_PAGE_CONTENT');
- require (TR_INCLUDE_PATH.'footer.inc.php');
- exit;
-}
-
-if (isset($contentManager)) $content_row = $contentManager->getContentPage($cid);
-
-if (!$content_row || !isset($contentManager)) {
- require(TR_INCLUDE_PATH.'header.inc.php');
- $msg->printErrors('MISSING_CONTENT');
- require (TR_INCLUDE_PATH.'footer.inc.php');
- exit;
-}
-
-if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) {
- $course_base_href = 'get.php/';
-} else {
- $course_base_href = 'content/' . $_course_id . '/';
-}
-
-if ($content_row['content_path']) {
- $content_base_href .= $content_row['content_path'].'/';
-}
-
-$popup = intval($_GET['popup']);
-require(TR_INCLUDE_PATH.'header.inc.php');
-?>
- <div class="row">
- <?php
- echo '<h2>'.AT_print(stripslashes($_POST['title']), 'content.title').'</h2>';
- if ($_POST['formatting'] == CONTENT_TYPE_WEBLINK) {
- $url = $_POST['weblink_text'];
- $validated_url = isValidURL($url);
- if (!validated_url || $validated_url !== $url) {
- $msg->addError(array('INVALID_INPUT', _AT('weblink')));
- $msg->printErrors();
- } else {
- echo ContentUtility::formatContent($url, $_POST['formatting']);
- }
- } else {
- echo ContentUtility::formatContent(stripslashes($_POST['body_text']), $_POST['formatting']);
- }
- ?>
- </div>
-<?php
-require(TR_INCLUDE_PATH.'footer.inc.php');
-?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+define('TR_INCLUDE_PATH', '../../include/');
+
+require(TR_INCLUDE_PATH.'vitals.inc.php');
+require(TR_INCLUDE_PATH.'../home/editor/editor_tab_functions.inc.php');
+
+// commented out this require which was causing the a redeclare error #4846
+// delete the following line when its confirmed the require is not needed
+// require(TR_INCLUDE_PATH.'../home/classes/ContentUtility.class.php');
+
+global $_course_id, $_content_id, $contentManager;
+
+Utility::authenticate(TR_PRIV_ISAUTHOR);
+
+$cid = $_content_id;
+
+if ($cid == 0) {
+ require(TR_INCLUDE_PATH.'header.inc.php');
+ $msg->printInfos('NO_PAGE_CONTENT');
+ require (TR_INCLUDE_PATH.'footer.inc.php');
+ exit;
+}
+
+if (isset($contentManager)) $content_row = $contentManager->getContentPage($cid);
+
+if (!$content_row || !isset($contentManager)) {
+ require(TR_INCLUDE_PATH.'header.inc.php');
+ $msg->printErrors('MISSING_CONTENT');
+ require (TR_INCLUDE_PATH.'footer.inc.php');
+ exit;
+}
+
+if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) {
+ $course_base_href = 'get.php/';
+} else {
+ $course_base_href = 'content/' . $_course_id . '/';
+}
+
+if ($content_row['content_path']) {
+ $content_base_href .= $content_row['content_path'].'/';
+}
+
+$popup = intval($_GET['popup']);
+require(TR_INCLUDE_PATH.'header.inc.php');
+?>
+ <div class="row">
+ <?php
+ echo '<h2>'.AT_print(htmlspecialchars(trim(stripslashes(strip_tags($_POST['title'])))), 'content.title').'</h2>';
+ if ($_POST['formatting'] == CONTENT_TYPE_WEBLINK) {
+ $url = $_POST['weblink_text'];
+ $validated_url = isValidURL($url);
+ if (!validated_url || $validated_url !== $url) {
+ $msg->addError(array('INVALID_INPUT', _AT('weblink')));
+ $msg->printErrors();
+ } else {
+ echo ContentUtility::formatContent($url, $_POST['formatting']);
+ }
+ } else {
+ echo ContentUtility::formatContent(htmlspecialchars(trim(stripslashes(strip_tags($_POST['body_text'])))), $_POST['formatting']);
+ }
+ ?>
+ </div>
+<?php
+require(TR_INCLUDE_PATH.'footer.inc.php');
+?>
diff --git a/home/editor/remove_alternative.php b/home/editor/remove_alternative.php
index 6ce4c0e5..0633796e 100644
--- a/home/editor/remove_alternative.php
+++ b/home/editor/remove_alternative.php
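Review bot: The weblink branch of the preview still tests `!validated_url` without the `$`, so the first operand is a bare constant name rather than the result of isValidURL(); on PHP 8 an undefined constant raises an Error, and on older versions it evaluates as a non-empty string, so the test silently reduces to the `!==` comparison. This is the only gate before `$url` is handed to ContentUtility::formatContent() without the escaping this commit adds to the title and body, so it should read `if (!$validated_url || $validated_url !== $url) {`. The new `htmlspecialchars(...)` calls also pass no flags, which means single quotes are escaped only on PHP 8.1 and later; passing `ENT_QUOTES, 'UTF-8'` explicitly would remove that version dependency. It is worth confirming that AT_print() and formatContent() do not encode again, since the title and body now arrive already entity-encoded.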
@@ -1,65 +1,66 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-/**
- * This script handles the ajax post submit from "content editor" =? "adpated content"
- * to remove selected alternative from database
- * @see home/editor/editor_tabs/alternatives.inc.php
- * @var $_POST values:
- * pid: primary resource id
- * a_type: alternative type, must be one of the values in resource_types.type_id
- */
-
-define('TR_INCLUDE_PATH', '../../include/');
-require (TR_INCLUDE_PATH.'vitals.inc.php');
-
-$pid = intval($_POST['pid']);
-$type_id = intval($_POST['a_type']);
-
-// check post vars
-if ($pid == 0 || $type_id == 0) exit;
-
-require_once(TR_INCLUDE_PATH.'classes/DAO/DAO.class.php');
-$dao = new DAO();
-
-// delete the existing alternative for this (pid, a_type)
-$sql = "SELECT sr.secondary_resource_id
- FROM ".TABLE_PREFIX."secondary_resources sr, ".TABLE_PREFIX."secondary_resources_types srt
- WHERE sr.secondary_resource_id = srt.secondary_resource_id
- AND sr.primary_resource_id = ?
- AND sr.language_code = ?
- AND srt.type_id=?";
-$values = array($pid, $_SESSION['lang'], $type_id);
-$types = "isi";
-$existing_secondary_rows = $dao->execute($sql, $values, $types);
-
-if (is_array($existing_secondary_rows)) {
- foreach ($existing_secondary_rows as $existing_secondary)
- {
-
- $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources
- WHERE secondary_resource_id = ?";
- $values = $existing_secondary['secondary_resource_id'];
- $dao->execute($sql, $values, $types);
-
- $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources_types
- WHERE secondary_resource_id = ?
- AND type_id=?";
- $values = array($existing_secondary['secondary_resource_id'], $type_id);
- $types = "ii";
- $dao->execute($sql, $values, $types);
- }
-}
-
-exit;
-
-?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+/**
+ * This script handles the ajax post submit from "content editor" =? "adpated content"
+ * to remove selected alternative from database
+ * @see home/editor/editor_tabs/alternatives.inc.php
+ * @var $_POST values:
+ * pid: primary resource id
+ * a_type: alternative type, must be one of the values in resource_types.type_id
+ */
+
+define('TR_INCLUDE_PATH', '../../include/');
+
+require (TR_INCLUDE_PATH.'vitals.inc.php');
+
+$pid = intval($_POST['pid']);
+$type_id = intval($_POST['a_type']);
+
+// check post vars
+if ($pid == 0 || $type_id == 0) exit;
+
+require_once(TR_INCLUDE_PATH.'classes/DAO/DAO.class.php');
+$dao = new DAO();
+
+// delete the existing alternative for this (pid, a_type)
+$sql = "SELECT sr.secondary_resource_id
+ FROM ".TABLE_PREFIX."secondary_resources sr, ".TABLE_PREFIX."secondary_resources_types srt
+ WHERE sr.secondary_resource_id = srt.secondary_resource_id
+ AND sr.primary_resource_id = ?
+ AND sr.language_code = ?
+ AND srt.type_id=?";
+$values = array($pid, $_SESSION['lang'], $type_id);
+$types = "isi";
+$existing_secondary_rows = $dao->execute($sql, $values, $types);
+
+if (is_array($existing_secondary_rows)) {
+ foreach ($existing_secondary_rows as $existing_secondary)
+ {
+
+ $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources
+ WHERE secondary_resource_id = ?";
+ $values = $existing_secondary['secondary_resource_id'];
+ $dao->execute($sql, $values, $types);
+
+ $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources_types
+ WHERE secondary_resource_id = ?
+ AND type_id=?";
+ $values = array($existing_secondary['secondary_resource_id'], $type_id);
+ $types = "ii";
+ $dao->execute($sql, $values, $types);
+ }
+}
+
+exit;
+
+?>
diff --git a/home/editor/save_alternative.php b/home/editor/save_alternative.php
index f54d2d86..61b28b1c 100644
--- a/home/editor/save_alternative.php
+++ b/home/editor/save_alternative.php
@@ -1,85 +1,86 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-/**
- * This script handles the ajax post submit from "content editor" =? "adpated content"
- * to save the selected alternative into database
- * @see file_manager/filemanager_display.inc.php
- * @var $_POST values:
- * pid: primary resource id
- * a_type: alternative type, must be one of the values in resource_types.type_id
- * alternative: the location and name of the selected alternative
- */
-
-define('TR_INCLUDE_PATH', '../../include/');
-require_once(TR_INCLUDE_PATH.'vitals.inc.php');
-
-$pid = intval($_POST['pid']);
-$type_id = intval($_POST['a_type']);
-$secondary_resource = trim($_POST['alternative']);
-
-// check post vars
-if ($pid == 0 || $type_id == 0 || $secondary_resource == '') exit;
-
-require_once(TR_INCLUDE_PATH.'classes/DAO/DAO.class.php');
-$dao = new DAO();
-
-// delete the existing alternative for this (pid, a_type)
-$sql = "SELECT sr.secondary_resource_id
- FROM ".TABLE_PREFIX."secondary_resources sr, ".TABLE_PREFIX."secondary_resources_types srt
- WHERE sr.secondary_resource_id = srt.secondary_resource_id
- AND sr.primary_resource_id = ?
- AND sr.language_code = ? 
- AND srt.type_id=?";
-$values = array($pid, $_SESSION['lang'], $type_id);
-$types = "iii";
-
-$existing_secondary_rows = $dao->execute($sql, $values, $types);
-
-if (is_array($existing_secondary_rows)) {
- foreach ($existing_secondary_rows as $existing_secondary)
- {
- /*$sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources
- WHERE secondary_resource_id = ".$existing_secondary['secondary_resource_id'];
- */
- $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources
- WHERE secondary_resource_id = ?";
- $values = $existing_secondary['secondary_resource_id'];
- $types = "i";
- $dao->execute($sql, $values, $types);
-
- $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources_types
- WHERE secondary_resource_id = ?
- AND type_id=?";
- $values = array($existing_secondary['secondary_resource_id'], $type_id);
- $dao->execute($sql, $values, $types);
- }
-}
-
-// insert new alternative
-$sql = "INSERT INTO ".TABLE_PREFIX."secondary_resources (primary_resource_id, secondary_resource, language_code)
- VALUES (?, ?, ?)";
-$values = array($pid, $secondary_resource, $_SESSION['lang']);
-$types = "iss";
-$dao->execute($sql, $values, $types);
-
-$secondary_resource_id = $dao->ac_insert_id();
-
-$sql = "INSERT INTO ".TABLE_PREFIX."secondary_resources_types (secondary_resource_id, type_id)
- VALUES (?, ?)";
-$values = array($secondary_resource_id, $type_id);
-$types = "ii";
-$dao->execute($sql, $values, $types);
-
-exit;
-
-?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. 
*/
+/************************************************************************/
+
+/**
+ * This script handles the ajax post submit from "content editor" =? "adpated content"
+ * to save the selected alternative into database
+ * @see file_manager/filemanager_display.inc.php
+ * @var $_POST values:
+ * pid: primary resource id
+ * a_type: alternative type, must be one of the values in resource_types.type_id
+ * alternative: the location and name of the selected alternative
+ */
+
+define('TR_INCLUDE_PATH', '../../include/');
+
+require_once(TR_INCLUDE_PATH.'vitals.inc.php');
+
+$pid = intval($_POST['pid']);
+$type_id = intval($_POST['a_type']);
+$secondary_resource = trim($_POST['alternative']);
+
+// check post vars
+if ($pid == 0 || $type_id == 0 || $secondary_resource == '') exit;
+
+require_once(TR_INCLUDE_PATH.'classes/DAO/DAO.class.php');
+$dao = new DAO();
+
+// delete the existing alternative for this (pid, a_type)
+$sql = "SELECT sr.secondary_resource_id
+ FROM ".TABLE_PREFIX."secondary_resources sr, ".TABLE_PREFIX."secondary_resources_types srt
+ WHERE sr.secondary_resource_id = srt.secondary_resource_id
+ AND sr.primary_resource_id = ?
+ AND sr.language_code = ?
+ AND srt.type_id=?";
+$values = array($pid, $_SESSION['lang'], $type_id);
+$types = "iii";
+
+$existing_secondary_rows = $dao->execute($sql, $values, $types);
+
+if (is_array($existing_secondary_rows)) {
+ foreach ($existing_secondary_rows as $existing_secondary)
+ {
+ /*$sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources
+ WHERE secondary_resource_id = ".$existing_secondary['secondary_resource_id'];
+ */
+ $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources
+ WHERE secondary_resource_id = ?";
+ $values = $existing_secondary['secondary_resource_id'];
+ $types = "i";
+ $dao->execute($sql, $values, $types);
+
+ $sql = "DELETE FROM ".TABLE_PREFIX."secondary_resources_types
+ WHERE secondary_resource_id = ? 
+ AND type_id=?";
+ $values = array($existing_secondary['secondary_resource_id'], $type_id);
+ $dao->execute($sql, $values, $types);
+ }
+}
+
+// insert new alternative
+$sql = "INSERT INTO ".TABLE_PREFIX."secondary_resources (primary_resource_id, secondary_resource, language_code)
+ VALUES (?, ?, ?)";
+$values = array($pid, $secondary_resource, $_SESSION['lang']);
+$types = "iss";
+$dao->execute($sql, $values, $types);
+
+$secondary_resource_id = $dao->ac_insert_id();
+
+$sql = "INSERT INTO ".TABLE_PREFIX."secondary_resources_types (secondary_resource_id, type_id)
+ VALUES (?, ?)";
+$values = array($secondary_resource_id, $type_id);
+$types = "ii";
+$dao->execute($sql, $values, $types);
+
+exit;
+
+?>
diff --git a/home/index.php b/home/index.php
index 84aa49e7..d68f75d8 100644
--- a/home/index.php
+++ b/home/index.php
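Review bot: The bind-type strings in the new save_alternative.php do not match the values passed with them: the SELECT binds `$_SESSION['lang']` under `$types = "iii"`, and the second DELETE in the loop passes two values while `$types` is still `"i"`. If `DAO::execute` hands `$types` to a mysqli-style bind (its body is not visible here), the language code would be cast to an integer, so the lookup may match rows for other languages, which the loop then deletes. I would set `$types = "isi";` before the SELECT and `$types = "ii";` before the second DELETE. The file section just before this one in the diff already uses `"isi"` for the same SELECT, but its first DELETE reuses whatever `$types` holds from the previous statement and should set `$types = "i";` itself.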
@@ -1,92 +1,93 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2013 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-define('TR_INCLUDE_PATH', '../include/');
-require(TR_INCLUDE_PATH.'vitals.inc.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/UserCoursesDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/CoursesDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/CourseCategoriesDAO.class.php');
-$_custom_head .= '<script type="text/javascript" src="home/js/misc.js"></script>';
-
-global $_current_user;
-
-// clean up the session vars from the previous course
-unset($_SESSION['course_id']);
-
-$userCoursesDAO = new UserCoursesDAO();
-$coursesDAO = new CoursesDAO();
-$courseCategoriesDAO = new CourseCategoriesDAO();
-
-$catid = $_GET['catid'];
-$name_struct = $_GET['stuid'];
-$session_user_id = $_SESSION['user_id'];
-$action = $_GET['action'];
-
-$catid = (isset($catid) && trim($catid) <> '') ? intval($catid) : NULL;
-
-if (isset($action, $_GET['cid']) && $session_user_id > 0) {
- $cid = intval($_GET['cid']);
-
- if ($action == 'remove') {
- $userCoursesDAO->Delete($session_user_id, $cid);
- } else if ($action == 'add') {
- $userCoursesDAO->Create($session_user_id, $cid, TR_USERROLE_VIEWER, 0);
- }
-
- $msg->addFeedback(ACTION_COMPLETED_SUCCESSFULLY);
-}
-
-unset($courses);
-$courses = isset($catid) && $catid != 0 ? 
$coursesDAO->getByCategory($catid) : $coursesDAO->getByMostRecent();
-
-// If the user is not an admin then we better filter out courses with empty content
-if (!$session_user_id || ($session_user_id && $_current_user->isAdmin($session_user_id) != 1) && !empty($courses)) {
- foreach ($courses as $i => $course) {
- $course_user_id = $course['user_id'];
- $course_id = $course['course_id'];
-
- $user_role = isset($session_user_id) ? $userCoursesDAO->get($session_user_id, $course_id) : NULL;
- $user_role = isset($user_role) ? $user_role['role'] : NULL;
-
- // If the user is not the owner of the course or owner but not an author
- if ($course_user_id != $session_user_id || ($course_user_id == $session_user_id && $user_role != TR_USERROLE_AUTHOR)) {
- // Do the check that course should not be empty
- if (!$userCoursesDAO->hasContent($course_id)) {
- // unset($courses[$i]);
- }
- }
- }
- $courses = array_values($courses);
-}
-
-// 22/11/2012
-if(isset($name_struct)){
- $courses = $coursesDAO->getByStructure($name_struct);
-}
-
-
-require(TR_INCLUDE_PATH.'header.inc.php');
-
-$curr_page_num = intval($_GET['p']);
-if (!$curr_page_num) {
- $curr_page_num = 1;
-}
-
-$savant->assign('courses', $courses);
-$savant->assign('categories', $courseCategoriesDAO->getAll());
-$savant->assign('curr_page_num', $curr_page_num);
-$savant->assign('title', isset($catid) ? _AT('search_results') : _AT('most_recent_courses'));
-
-$savant->display('home/index_course.tmpl.php');
-//debug(MYSQLI_ENABLED);
-require(TR_INCLUDE_PATH.'footer.inc.php');
-?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2013 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. 
You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+define('TR_INCLUDE_PATH', '../include/');
+
+require(TR_INCLUDE_PATH.'vitals.inc.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/UserCoursesDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/CoursesDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/CourseCategoriesDAO.class.php');
+$_custom_head .= '<script type="text/javascript" src="home/js/misc.js"></script>';
+
+global $_current_user;
+
+// clean up the session vars from the previous course
+unset($_SESSION['course_id']);
+
+$userCoursesDAO = new UserCoursesDAO();
+$coursesDAO = new CoursesDAO();
+$courseCategoriesDAO = new CourseCategoriesDAO();
+
+$catid = $_GET['catid'];
+$name_struct = $_GET['stuid'];
+$session_user_id = $_SESSION['user_id'];
+$action = $_GET['action'];
+
+$catid = (isset($catid) && trim($catid) <> '') ? intval($catid) : NULL;
+
+if (isset($action, $_GET['cid']) && $session_user_id > 0) {
+ $cid = intval($_GET['cid']);
+
+ if ($action == 'remove') {
+ $userCoursesDAO->Delete($session_user_id, $cid);
+ } else if ($action == 'add') {
+ $userCoursesDAO->Create($session_user_id, $cid, TR_USERROLE_VIEWER, 0);
+ }
+
+ $msg->addFeedback(ACTION_COMPLETED_SUCCESSFULLY);
+}
+
+unset($courses);
+$courses = isset($catid) && $catid != 0 ? $coursesDAO->getByCategory($catid) : $coursesDAO->getByMostRecent();
+
+// If the user is not an admin then we better filter out courses with empty content
+if (!$session_user_id || ($session_user_id && $_current_user->isAdmin($session_user_id) != 1) && !empty($courses)) {
+ foreach ($courses as $i => $course) {
+ $course_user_id = $course['user_id'];
+ $course_id = $course['course_id'];
+
+ $user_role = isset($session_user_id) ? 
$userCoursesDAO->get($session_user_id, $course_id) : NULL; + $user_role = isset($user_role) ? $user_role['role'] : NULL; + + // If the user is not the owner of the course or owner but not an author + if ($course_user_id != $session_user_id || ($course_user_id == $session_user_id && $user_role != TR_USERROLE_AUTHOR)) { + // Do the check that course should not be empty + if (!$userCoursesDAO->hasContent($course_id)) { + // unset($courses[$i]); + } + } + } + $courses = array_values($courses); +} + +// 22/11/2012 +if(isset($name_struct)){ + $courses = $coursesDAO->getByStructure($name_struct); +} + + +require(TR_INCLUDE_PATH.'header.inc.php'); + +$curr_page_num = intval($_GET['p']); +if (!$curr_page_num) { + $curr_page_num = 1; +} + +$savant->assign('courses', $courses); +$savant->assign('categories', $courseCategoriesDAO->getAll()); +$savant->assign('curr_page_num', $curr_page_num); +$savant->assign('title', isset($catid) ? _AT('search_results') : _AT('most_recent_courses')); + +$savant->display('home/index_course.tmpl.php'); +//debug(MYSQLI_ENABLED); +require(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/include/classes/DAO/TestsQuestionsDAO.class.php b/include/classes/DAO/TestsQuestionsDAO.class.php index dbd82755..717b413a 100644 --- a/include/classes/DAO/TestsQuestionsDAO.class.php +++ b/include/classes/DAO/TestsQuestionsDAO.class.php @@ -69,7 +69,9 @@ public function Delete($questionID) public function get($questionID) { - $sql = "SELECT * FROM AC_tests_questions + // We use TABLE_PREFIX to prevent error: Table ac_tests_questions doesn't exist + // when editing or deleting created tests + $sql = "SELECT * FROM ".TABLE_PREFIX."tests_questions WHERE question_id=?"; $values = $questionID; $types = "i"; diff --git a/include/lib/output.inc.php b/include/lib/output.inc.php index 6ecf7e81..8a3bd751 100644 --- a/include/lib/output.inc.php +++ b/include/lib/output.inc.php 
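Review bot: The enrol/unenrol branch in home/index.php changes state on a plain GET: `action` and `cid` come from `$_GET` and go straight to `$userCoursesDAO->Delete()` / `Create()` with no request token, so a cross-site request that carries the user's session can trigger it. The token check this commit adds in class_csrf.php reads `$_POST['token']`, so it cannot cover this path as written; the action should move to a POST form and run that check before the DAO calls. Separately, `$_GET['stuid']` is passed unmodified to `getByStructure()`, whose query is not visible in this hunk, so confirm it binds the value as a parameter.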
@@ -1,537 +1,537 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -if (!defined('TR_INCLUDE_PATH')) { exit; } -require_once(TR_INCLUDE_PATH . 'classes/DAO/LanguageTextDAO.class.php'); -require_once(TR_INCLUDE_PATH . '../home/classes/ContentUtility.class.php'); - -/**********************************************************************************/ -/* Output functions found in this file, in order: -/* -/* - AC(term) -/* -/**********************************************************************************/ - -/** -* Converts language code to actual language message, caches them according to page url -* @access public -* @param args unlimited number of arguments allowed but first arg MUST be name of the language variable/term -* i.e $args[0] = the term to the format string $_template[term] -* $args[1..x] = optional arguments to the formatting string -* @return string|array full resulting message -* @see $db in include/vitals.inc.php -* @see cache() in include/phpCache/phpCache.inc.php -* @see cache_variable() in include/phpCache/phpCache.inc.php -* @author Joel Kronenberg -*/ -function _AT() { - global $_cache_template, $lang_et, $_rel_url; - static $_template; - - $args = func_get_args(); - - if ($args[0] == "") return ""; - - $languageTextDAO = new LanguageTextDAO(); - - // a feedback msg - if (!is_array($args[0])) { - /** - * Added functionality for translating language code String (TR_ERROR|TR_INFOS|TR_WARNING|TR_FEEDBACK).* - * to its text and returning the result. No caching needed. 
- * @author Jacek Materna - */ - - // Check for specific language prefix, extendible as needed - // 0002767: a substring+in_array test should be faster than a preg_match test. - // replaced the preg_match with a test of the substring. - $sub_arg = substr($args[0], 0, 7); // 7 is the shortest type of msg (TR_INFO) - if (in_array($sub_arg, array('TR_ERRO','TR_INFO','TR_WARN','TR_FEED','TR_CONF'))) { - global $_base_path; - - /* get $_msgs_new from the DB */ - $rows = $languageTextDAO->getMsgByTermAndLang($args[0], $_SESSION['lang']); - $msgs = ''; - - if (is_array($rows)) - { - $row = $rows[0]; - // do not cache key as a digit (no contstant(), use string) - $msgs = str_replace('SITE_URL/', $_base_path, $row['text']); - if (defined('TR_DEVEL') && TR_DEVEL) { - $msgs .= ' <small><small>('. $args[0] .')</small></small>'; - } - } - - return $msgs; - } - } - - // a template variable - if (!isset($_template)) { - $url_parts = parse_url(TR_BASE_HREF); - $name = substr($_SERVER['PHP_SELF'], strlen($url_parts['path'])-1); - - if ( !($lang_et = cache(120, 'lang', $_SESSION['lang'].'_'.$name)) ) { - /* get $_template from the DB */ - $rows = $languageTextDAO->getAllTemplateByLang($_SESSION['lang']); - - if (is_array($rows)) - { - foreach ($rows as $id => $row) - { - //Do not overwrite the variable that existed in the cache_template already. 
- //The edited terms (_c_template) will always be at the top of the resultset - //0003279 - if (isset($_cache_template[$row['term']])){ - continue; - } - - // saves us from doing an ORDER BY - if ($row['language_code'] == $_SESSION['lang']) { - $_cache_template[$row['term']] = stripslashes($row['text']); - } else if (!isset($_cache_template[$row['term']])) { - $_cache_template[$row['term']] = stripslashes($row['text']); - } - } - } - - cache_variable('_cache_template'); - endcache(true, false); - } - $_template = $_cache_template; - } - - $num_args = func_num_args(); - - if (is_array($args[0])) { - $args = $args[0]; - $num_args = count($args); - } - - $format = array_shift($args); - if (isset($_template[$format]) && $num_args > 0) { - $outString = @vsprintf($_template[$format], $args); - $str = ob_get_contents(); - } else { - $outString = ''; - } - - if ($outString === false) { - return ('[Error parsing language. Variable: <code>'.$format.'</code>. Language: <code>'.$_SESSION['lang'].'</code> ]'); - } - - if (empty($outString)) { - - $rows = $languageTextDAO->getByTermAndLang($format, $_SESSION['lang']); - if (is_array($rows)) - { - $row = $rows[0]; - $_template[$row['term']] = stripslashes($row['text']); - $outString = $_template[$row['term']]; - } - - if (empty($outString)) { - return ('[ '.$format.' ]'); - } - } - - return $outString; -} - -/* - The following options were added as language dependant: - %D: A textual representation of a week, three letters Mon through Sun - %F: A full textual representation of a month, such as January or March January through December - %l (lowercase 'L'): A full textual representation of the day of the week Sunday through Saturday - %M: A short textual representation of a month, three letters Jan through Dec - - Support for the following maybe added later: - ?? %S: English ordinal suffix for the day of the month, 2 characters st, nd, rd or th. Works well with j - ?? %a: Lowercase Ante meridiem and Post meridiem am or pm - ?? 
%A: Uppercase Ante meridiem and Post meridiem AM or PM - - valid formTR_types: - TR_DATE_MYSQL_DATETIME: YYYY-MM-DD HH:MM:SS - TR_DATE_MYSQL_TIMESTAMP_14: YYYYMMDDHHMMSS - TR_DATE_UNIX_TIMESTAMP: seconds since epoch - TR_DATE_INDEX_VALUE: 0-x, index into a date array -*/ -function AT_date($format='%Y-%M-%d', $timestamp = '', $format_type=TR_DATE_MYSQL_DATETIME) { - static $day_name_ext, $day_name_con, $month_name_ext, $month_name_con; - global $_config; - - if (!isset($day_name_ext)) { - $day_name_ext = array( 'date_sunday', - 'date_monday', - 'date_tuesday', - 'date_wednesday', - 'date_thursday', - 'date_friday', - 'date_saturday'); - - $day_name_con = array( 'date_sun', - 'date_mon', - 'date_tue', - 'date_wed', - 'date_thu', - 'date_fri', - 'date_sat'); - - $month_name_ext = array('date_january', - 'date_february', - 'date_march', - 'date_april', - 'date_may', - 'date_june', - 'date_july', - 'date_august', - 'date_september', - 'date_october', - 'date_november', - 'date_december'); - - $month_name_con = array('date_jan', - 'date_feb', - 'date_mar', - 'date_apr', - 'date_may_short', - 'date_jun', - 'date_jul', - 'date_aug', - 'date_sep', - 'date_oct', - 'date_nov', - 'date_dec'); - } - - if ($format_type == TR_DATE_INDEX_VALUE) { - // apply timezone offset - apply_timezone($timestamp); - - if ($format == '%D') { - return _AT($day_name_con[$timestamp-1]); - } else if ($format == '%l') { - return _AT($day_name_ext[$timestamp-1]); - } else if ($format == '%F') { - return _AT($month_name_ext[$timestamp-1]); - } else if ($format == '%M') { - return _AT($month_name_con[$timestamp-1]); - } - } - - if ($timestamp == '') { - $timestamp = time(); - $format_type = TR_DATE_UNIX_TIMESTAMP; - } - - /* convert the date to a Unix timestamp before we do anything with it */ - if ($format_type == TR_DATE_MYSQL_DATETIME) { - $year = substr($timestamp,0,4); - $month = substr($timestamp,5,2); - $day = substr($timestamp,8,2); - $hour = substr($timestamp,11,2); - $min = 
substr($timestamp,14,2); - $sec = substr($timestamp,17,2); - $timestamp = mktime($hour, $min, $sec, $month, $day, $year); - - } else if ($format_type == TR_DATE_MYSQL_TIMESTAMP_14) { - $year = substr($timestamp,0,4); - $month = substr($timestamp,4,2); - $day = substr($timestamp,6,2); - $hour = substr($timestamp,8,2); - $minute = substr($timestamp,10,2); - $second = substr($timestamp,12,2); - $timestamp = mktime($hour, $minute, $second, $month, $day, $year); - } - - // apply timezone offset - apply_timezone($timestamp); - - /* pull out all the %X items from $format */ - $first_token = strpos($format, '%'); - if ($first_token === false) { - /* no tokens found */ - return $timestamp; - } else { - $tokened_format = substr($format, $first_token); - } - $tokens = explode('%', $tokened_format); - array_shift($tokens); - $num_tokens = count($tokens); - - $output = $format; - - for ($i=0; $i<$num_tokens; $i++) { - $tokens[$i] = substr($tokens[$i],0,1); - - if ($tokens[$i] == 'D') { - $output = str_replace('%D', _AT($day_name_con[date('w', $timestamp)]),$output); - - } else if ($tokens[$i] == 'l') { - $output = str_replace('%l', _AT($day_name_ext[date('w', $timestamp)]),$output); - - } else if ($tokens[$i] == 'F') { - $output = str_replace('%F', _AT($month_name_ext[date('n', $timestamp)-1]),$output); - - } else if ($tokens[$i] == 'M') { - $output = str_replace('%M', _AT($month_name_con[date('n', $timestamp)-1]),$output); - - } else { - /* this token doesn't need translating */ - $value = date($tokens[$i], $timestamp); - if ($value != $tokens[$i]) { - $output = str_replace('%'.$tokens[$i], $value, $output); - } /* else: this token isn't valid. so don't replace it. Eg. try %q */ - } - } - - return $output; -} - -/**********************************************************************************************************/ - /** - * Transforms text based on formatting preferences. Original $input is also changed (passed by reference). 
- * Can be called as: - * 1) $output = AT_print($input, $name); - * echo $output; - * - * 2) echo AT_print($input, $name); // prefered method - * - * @access public - * @param string $input text being transformed - * @param string $name the unique name of this field (convension: table_name.field_name) - * @param boolean $runtime_html forcefully disables html formatting for $input (only used by fields that - * have the 'formatting' option - * @return string transformed $input - * @see TR_FORMAT constants in include/lib/constants.inc.php - * @see query_bit() in include/vitals.inc.php - * @author Joel Kronenberg - */ - function AT_print($input, $name, $runtime_html = true) { - global $_field_formatting; - - if (!isset($_field_formatting[$name])) { - /* field not set, check if there's a global setting */ - $parts = explode('.', $name); - - /* check if wildcard is set: */ - if (isset($_field_formatting[$parts[0].'.*'])) { - $name = $parts[0].'.*'; - } else { - /* field not set, and there's no global setting */ - /* same as TR_FORMAT_NONE */ - return $input; - } - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_QUOTES)) { - $input = str_replace('"', '"', $input); - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_CONTENT_DIR)) { - $input = str_replace('CONTENT_DIR/', '', $input); - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_HTML) && $runtime_html) { - /* what special things do we have to do if this is HTML ? remove unwanted HTML? validate? */ - } else { - $input = str_replace('<', '<', $input); - $input = nl2br($input); - } - - /* this has to be here, only because TR_FORMTR_HTML is the only check that has an else-block */ - if ($_field_formatting[$name] === TR_FORMAT_NONE) { - return $input; - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_EMOTICONS)) { - $input = smile_replace($input); - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_ATCODES)) { - $input = trim(ContentUtility::myCodes(' ' . $input . 
' ')); - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_LINKS)) { - $input = trim(ContentUtility::makeClickable(' ' . $input . ' ')); - } - - if (query_bit($_field_formatting[$name], TR_FORMAT_IMAGES)) { - $input = trim(ContentUtility::imageReplace(' ' . $input . ' ')); - } - if (query_bit($_field_formatting[$name], TR_FORMAT_DECODE)) { - $input = htmlspecialchars_decode($input, ENT_QUOTES); - } - - return $input; - } - -/********************************************************************************************/ -// Global variables for emoticons - -global $smile_pics; -global $smile_codes; -if (!isset($smile_pics)) { - $smile_pics[0] = $_base_path.'images/forum/smile.gif'; - $smile_pics[1] = $_base_path.'images/forum/wink.gif'; - $smile_pics[2] = $_base_path.'images/forum/frown.gif'; - $smile_pics[3] = $_base_path.'images/forum/ohwell.gif'; - $smile_pics[4] = $_base_path.'images/forum/tongue.gif'; - $smile_pics[5] = $_base_path.'images/forum/51.gif'; - $smile_pics[6] = $_base_path.'images/forum/52.gif'; - $smile_pics[7] = $_base_path.'images/forum/54.gif'; - $smile_pics[8] = $_base_path.'images/forum/27.gif'; - $smile_pics[9] = $_base_path.'images/forum/19.gif'; - $smile_pics[10] = $_base_path.'images/forum/3.gif'; - $smile_pics[11] = $_base_path.'images/forum/56.gif'; -} - -if (!isset($smile_codes)) { - $smile_codes[0] = ':)'; - $smile_codes[1] = ';)'; - $smile_codes[2] = ':('; - $smile_codes[3] = '::ohwell::'; - $smile_codes[4] = ':P'; - $smile_codes[5] = '::evil::'; - $smile_codes[6] = '::angry::'; - $smile_codes[7] = '::lol::'; - $smile_codes[8] = '::crazy::'; - $smile_codes[9] = '::tired::'; - $smile_codes[10] = '::confused::'; - $smile_codes[11] = '::muah::'; -} - -/** -* Replaces smile-code text into smilie image. 
-* @access public -* @param string $text smile text to be transformed -* @return string transformed $text -* @see $smile_pics in include/lib/output.inc.php (above) -* @see $smile_codes in include/lib/output.inc.php (above) -* @author Joel Kronenberg -*/ -function smile_replace($text) { - global $smile_pics; - global $smile_codes; - static $smiles; - - $smiles[0] = '<img src="'.$smile_pics[0].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_smile').'" />'; - $smiles[1] = '<img src="'.$smile_pics[1].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_wink').'" />'; - $smiles[2] = '<img src="'.$smile_pics[2].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_frown').'" />'; - $smiles[3]= '<img src="'.$smile_pics[3].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_oh_well').'" />'; - $smiles[4]= '<img src="'.$smile_pics[4].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_tongue').'" />'; - $smiles[5]= '<img src="'.$smile_pics[5].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_evil').'" />'; - $smiles[6]= '<img src="'.$smile_pics[6].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_angry').'" />'; - $smiles[7]= '<img src="'.$smile_pics[7].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_lol').'" />'; - $smiles[8]= '<img src="'.$smile_pics[8].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_crazy').'" />'; - $smiles[9]= '<img src="'.$smile_pics[9].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_tired').'" />'; - $smiles[10]= '<img src="'.$smile_pics[10].'" border="0" height="17" width="19" align="bottom" alt="'._AT('smile_confused').'" />'; - $smiles[11]= '<img src="'.$smile_pics[11].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_muah').'" />'; - - $text = str_replace($smile_codes[0],$smiles[0],$text); - $text = 
str_replace($smile_codes[1],$smiles[1],$text); - $text = str_replace($smile_codes[2],$smiles[2],$text); - $text = str_replace($smile_codes[3],$smiles[3],$text); - $text = str_replace($smile_codes[4],$smiles[4],$text); - $text = str_replace($smile_codes[5],$smiles[5],$text); - $text = str_replace($smile_codes[6],$smiles[6],$text); - $text = str_replace($smile_codes[7],$smiles[7],$text); - $text = str_replace($smile_codes[8],$smiles[8],$text); - $text = str_replace($smile_codes[9],$smiles[9],$text); - $text = str_replace($smile_codes[10],$smiles[10],$text); - $text = str_replace($smile_codes[11],$smiles[11],$text); - - return $text; -} - -function html_get_list($array) { - $list = ''; - foreach ($array as $value) { - $list .= '<li>'.$value.'</li>'; - } - return $list; -} - -/** - * print_paginator - * - * print out list of page links - */ -function print_paginator($current_page, $num_rows, $request_args, $rows_per_page = 50, $window = 5, $skippager='0') { - $num_pages = ceil($num_rows / $rows_per_page); - $request_args = '?'.$request_args; - - if ($num_pages == 1) return; - if ($num_rows) { - echo '<div><a href="'.$_SERVER['PHP_SELF'].'#skippager'.$skippager.'" class="hide_focus">'._AT('skip_pager').'</a></div>'; - echo '<div class="paging">'; - echo '<ul>'; - - $i=max($current_page-$window - max($window-$num_pages+$current_page,0), 1); - - if ($current_page > 1) - echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.($current_page-1).'">'._AT('prev').'</a>   </li>'; - - if ($i > 1) { - echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p=1">1</a></li>'; - if ($i > 2) { - echo '<li>…</li>'; - } - } - - for ($i; $i<= min($current_page+$window -min($current_page-$window,0),$num_pages); $i++) { - if ($current_page == $i) { - echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.$i.'" class="current"><em>'.$current_page.'</em></a></li>'; - } else { - echo '<li><a 
href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.$i.'">'.$i.'</a></li>'; - } - } - if ($i <= $num_pages) { - if ($i < $num_pages) { - echo '<li>…</li>'; - } - echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.$num_pages.'">'.$num_pages.'</a></li>'; - } - - if ($current_page < $num_pages) - echo '<li>   <a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.($current_page+1).'">'._AT('next').'</a></li>'; - - echo '</ul>'; - echo '</div><a name="skippager'.$skippager.'"></a>'; - } -} - -/** -* apply_timezone -* converts a unix timestamp into another UNIX timestamp with timezone offset added up. -* Adds the user's timezone offset, then converts back to a MYSQL timestamp -* Available both as a system config option, and a user preference, if both are set -* they are added together -* @param date MYSQL timestamp. -* @return date MYSQL timestamp plus user's and/or system's timezone offset. -* @author Greg Gay . -*/ -function apply_timezone($timestamp){ - global $_config; - - if($_config['time_zone']){ - $timestamp = ($timestamp + ($_config['time_zone']*3600)); - } - - if(isset($_SESSION['prefs']['PREF_TIMEZONE'])){ - $timestamp = ($timestamp + ($_SESSION['prefs']['PREF_TIMEZONE']*3600)); - } - - return $timestamp; -} -?> +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +if (!defined('TR_INCLUDE_PATH')) { exit; } +require_once(TR_INCLUDE_PATH . 'classes/DAO/LanguageTextDAO.class.php'); +require_once(TR_INCLUDE_PATH . 
'../home/classes/ContentUtility.class.php'); + +/**********************************************************************************/ +/* Output functions found in this file, in order: +/* +/* - AC(term) +/* +/**********************************************************************************/ + +/** +* Converts language code to actual language message, caches them according to page url +* @access public +* @param args unlimited number of arguments allowed but first arg MUST be name of the language variable/term +* i.e $args[0] = the term to the format string $_template[term] +* $args[1..x] = optional arguments to the formatting string +* @return string|array full resulting message +* @see $db in include/vitals.inc.php +* @see cache() in include/phpCache/phpCache.inc.php +* @see cache_variable() in include/phpCache/phpCache.inc.php +* @author Joel Kronenberg +*/ +function _AT() { + global $_cache_template, $lang_et, $_rel_url; + static $_template; + + $args = func_get_args(); + + if ($args[0] == "") return ""; + + $languageTextDAO = new LanguageTextDAO(); + + // a feedback msg + if (!is_array($args[0])) { + /** + * Added functionality for translating language code String (TR_ERROR|TR_INFOS|TR_WARNING|TR_FEEDBACK).* + * to its text and returning the result. No caching needed. + * @author Jacek Materna + */ + + // Check for specific language prefix, extendible as needed + // 0002767: a substring+in_array test should be faster than a preg_match test. + // replaced the preg_match with a test of the substring. 
+ $sub_arg = substr($args[0], 0, 7); // 7 is the shortest type of msg (TR_INFO) + if (in_array($sub_arg, array('TR_ERRO','TR_INFO','TR_WARN','TR_FEED','TR_CONF'))) { + global $_base_path; + + /* get $_msgs_new from the DB */ + $rows = $languageTextDAO->getMsgByTermAndLang($args[0], $_SESSION['lang']); + $msgs = ''; + + if (is_array($rows)) + { + $row = $rows[0]; + // do not cache key as a digit (no contstant(), use string) + $msgs = str_replace('SITE_URL/', $_base_path, $row['text']); + if (defined('TR_DEVEL') && TR_DEVEL) { + $msgs .= ' <small><small>('. $args[0] .')</small></small>'; + } + } + + return $msgs; + } + } + + // a template variable + if (!isset($_template)) { + $url_parts = parse_url(TR_BASE_HREF); + $name = substr($_SERVER['PHP_SELF'], strlen($url_parts['path'])-1); + + if ( !($lang_et = cache(120, 'lang', $_SESSION['lang'].'_'.$name)) ) { + /* get $_template from the DB */ + $rows = $languageTextDAO->getAllTemplateByLang($_SESSION['lang']); + + if (is_array($rows)) + { + foreach ($rows as $id => $row) + { + //Do not overwrite the variable that existed in the cache_template already. 
+ //The edited terms (_c_template) will always be at the top of the resultset + //0003279 + if (isset($_cache_template[$row['term']])){ + continue; + } + + // saves us from doing an ORDER BY + if ($row['language_code'] == $_SESSION['lang']) { + $_cache_template[$row['term']] = stripslashes($row['text']); + } else if (!isset($_cache_template[$row['term']])) { + $_cache_template[$row['term']] = stripslashes($row['text']); + } + } + } + + cache_variable('_cache_template'); + endcache(true, false); + } + $_template = $_cache_template; + } + + $num_args = func_num_args(); + + if (is_array($args[0])) { + $args = $args[0]; + $num_args = count($args); + } + + $format = array_shift($args); + if (isset($_template[$format]) && $num_args > 0) { + $outString = @vsprintf($_template[$format], $args); + $str = ob_get_contents(); + } else { + $outString = ''; + } + + if ($outString === false) { + return ('[Error parsing language. Variable: <code>'.$format.'</code>. Language: <code>'.$_SESSION['lang'].'</code> ]'); + } + + if (empty($outString)) { + + $rows = $languageTextDAO->getByTermAndLang($format, $_SESSION['lang']); + if (is_array($rows)) + { + $row = $rows[0]; + $_template[$row['term']] = stripslashes($row['text']); + $outString = $_template[$row['term']]; + } + + if (empty($outString)) { + return ('[ '.$format.' ]'); + } + } + + return $outString; +} + +/* + The following options were added as language dependant: + %D: A textual representation of a week, three letters Mon through Sun + %F: A full textual representation of a month, such as January or March January through December + %l (lowercase 'L'): A full textual representation of the day of the week Sunday through Saturday + %M: A short textual representation of a month, three letters Jan through Dec + + Support for the following maybe added later: + ?? %S: English ordinal suffix for the day of the month, 2 characters st, nd, rd or th. Works well with j + ?? %a: Lowercase Ante meridiem and Post meridiem am or pm + ?? 
%A: Uppercase Ante meridiem and Post meridiem AM or PM + + valid formTR_types: + TR_DATE_MYSQL_DATETIME: YYYY-MM-DD HH:MM:SS + TR_DATE_MYSQL_TIMESTAMP_14: YYYYMMDDHHMMSS + TR_DATE_UNIX_TIMESTAMP: seconds since epoch + TR_DATE_INDEX_VALUE: 0-x, index into a date array +*/ +function AT_date($format='%Y-%M-%d', $timestamp = '', $format_type=TR_DATE_MYSQL_DATETIME) { + static $day_name_ext, $day_name_con, $month_name_ext, $month_name_con; + global $_config; + + if (!isset($day_name_ext)) { + $day_name_ext = array( 'date_sunday', + 'date_monday', + 'date_tuesday', + 'date_wednesday', + 'date_thursday', + 'date_friday', + 'date_saturday'); + + $day_name_con = array( 'date_sun', + 'date_mon', + 'date_tue', + 'date_wed', + 'date_thu', + 'date_fri', + 'date_sat'); + + $month_name_ext = array('date_january', + 'date_february', + 'date_march', + 'date_april', + 'date_may', + 'date_june', + 'date_july', + 'date_august', + 'date_september', + 'date_october', + 'date_november', + 'date_december'); + + $month_name_con = array('date_jan', + 'date_feb', + 'date_mar', + 'date_apr', + 'date_may_short', + 'date_jun', + 'date_jul', + 'date_aug', + 'date_sep', + 'date_oct', + 'date_nov', + 'date_dec'); + } + + if ($format_type == TR_DATE_INDEX_VALUE) { + // apply timezone offset + apply_timezone($timestamp); + + if ($format == '%D') { + return _AT($day_name_con[$timestamp-1]); + } else if ($format == '%l') { + return _AT($day_name_ext[$timestamp-1]); + } else if ($format == '%F') { + return _AT($month_name_ext[$timestamp-1]); + } else if ($format == '%M') { + return _AT($month_name_con[$timestamp-1]); + } + } + + if ($timestamp == '') { + $timestamp = time(); + $format_type = TR_DATE_UNIX_TIMESTAMP; + } + + /* convert the date to a Unix timestamp before we do anything with it */ + if ($format_type == TR_DATE_MYSQL_DATETIME) { + $year = substr($timestamp,0,4); + $month = substr($timestamp,5,2); + $day = substr($timestamp,8,2); + $hour = substr($timestamp,11,2); + $min = 
substr($timestamp,14,2); + $sec = substr($timestamp,17,2); + $timestamp = mktime($hour, $min, $sec, $month, $day, $year); + + } else if ($format_type == TR_DATE_MYSQL_TIMESTAMP_14) { + $year = substr($timestamp,0,4); + $month = substr($timestamp,4,2); + $day = substr($timestamp,6,2); + $hour = substr($timestamp,8,2); + $minute = substr($timestamp,10,2); + $second = substr($timestamp,12,2); + $timestamp = mktime($hour, $minute, $second, $month, $day, $year); + } + + // apply timezone offset + apply_timezone($timestamp); + + /* pull out all the %X items from $format */ + $first_token = strpos($format, '%'); + if ($first_token === false) { + /* no tokens found */ + return $timestamp; + } else { + $tokened_format = substr($format, $first_token); + } + $tokens = explode('%', $tokened_format); + array_shift($tokens); + $num_tokens = count($tokens); + + $output = $format; + + for ($i=0; $i<$num_tokens; $i++) { + $tokens[$i] = substr($tokens[$i],0,1); + + if ($tokens[$i] == 'D') { + $output = str_replace('%D', _AT($day_name_con[date('w', $timestamp)]),$output); + + } else if ($tokens[$i] == 'l') { + $output = str_replace('%l', _AT($day_name_ext[date('w', $timestamp)]),$output); + + } else if ($tokens[$i] == 'F') { + $output = str_replace('%F', _AT($month_name_ext[date('n', $timestamp)-1]),$output); + + } else if ($tokens[$i] == 'M') { + $output = str_replace('%M', _AT($month_name_con[date('n', $timestamp)-1]),$output); + + } else { + /* this token doesn't need translating */ + $value = date($tokens[$i], $timestamp); + if ($value != $tokens[$i]) { + $output = str_replace('%'.$tokens[$i], $value, $output); + } /* else: this token isn't valid. so don't replace it. Eg. try %q */ + } + } + + return $output; +} + +/**********************************************************************************************************/ + /** + * Transforms text based on formatting preferences. Original $input is also changed (passed by reference). 
+ * Can be called as: + * 1) $output = AT_print($input, $name); + * echo $output; + * + * 2) echo AT_print($input, $name); // prefered method + * + * @access public + * @param string $input text being transformed + * @param string $name the unique name of this field (convension: table_name.field_name) + * @param boolean $runtime_html forcefully disables html formatting for $input (only used by fields that + * have the 'formatting' option + * @return string transformed $input + * @see TR_FORMAT constants in include/lib/constants.inc.php + * @see query_bit() in include/vitals.inc.php + * @author Joel Kronenberg + */ + function AT_print($input, $name, $runtime_html = true) { + global $_field_formatting; + + if (!isset($_field_formatting[$name])) { + /* field not set, check if there's a global setting */ + $parts = explode('.', $name); + + /* check if wildcard is set: */ + if (isset($_field_formatting[$parts[0].'.*'])) { + $name = $parts[0].'.*'; + } else { + /* field not set, and there's no global setting */ + /* same as TR_FORMAT_NONE */ + return $input; + } + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_QUOTES')) { + $input = str_replace('"', '"', $input); + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_CONTENT_DIR')) { + $input = str_replace('CONTENT_DIR/', '', $input); + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_HTML') && $runtime_html) { + /* what special things do we have to do if this is HTML ? remove unwanted HTML? validate? */ + } else { + $input = str_replace('<', '<', $input); + $input = nl2br($input); + } + + /* this has to be here, only because TR_FORMTR_HTML is the only check that has an else-block */ + if ($_field_formatting[$name] === 'TR_FORMAT_NONE') { + return $input; + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_EMOTICONS')) { + $input = smile_replace($input); + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_ATCODES')) { + $input = trim(ContentUtility::myCodes(' ' . $input . 
' ')); + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_LINKS')) { + $input = trim(ContentUtility::makeClickable(' ' . $input . ' ')); + } + + if (query_bit($_field_formatting[$name], 'TR_FORMAT_IMAGES')) { + $input = trim(ContentUtility::imageReplace(' ' . $input . ' ')); + } + if (query_bit($_field_formatting[$name], 'TR_FORMAT_DECODE')) { + $input = htmlspecialchars_decode($input, ENT_QUOTES); + } + + return $input; + } + +/********************************************************************************************/ +// Global variables for emoticons + +global $smile_pics; +global $smile_codes; +if (!isset($smile_pics)) { + $smile_pics[0] = $_base_path.'images/forum/smile.gif'; + $smile_pics[1] = $_base_path.'images/forum/wink.gif'; + $smile_pics[2] = $_base_path.'images/forum/frown.gif'; + $smile_pics[3] = $_base_path.'images/forum/ohwell.gif'; + $smile_pics[4] = $_base_path.'images/forum/tongue.gif'; + $smile_pics[5] = $_base_path.'images/forum/51.gif'; + $smile_pics[6] = $_base_path.'images/forum/52.gif'; + $smile_pics[7] = $_base_path.'images/forum/54.gif'; + $smile_pics[8] = $_base_path.'images/forum/27.gif'; + $smile_pics[9] = $_base_path.'images/forum/19.gif'; + $smile_pics[10] = $_base_path.'images/forum/3.gif'; + $smile_pics[11] = $_base_path.'images/forum/56.gif'; +} + +if (!isset($smile_codes)) { + $smile_codes[0] = ':)'; + $smile_codes[1] = ';)'; + $smile_codes[2] = ':('; + $smile_codes[3] = '::ohwell::'; + $smile_codes[4] = ':P'; + $smile_codes[5] = '::evil::'; + $smile_codes[6] = '::angry::'; + $smile_codes[7] = '::lol::'; + $smile_codes[8] = '::crazy::'; + $smile_codes[9] = '::tired::'; + $smile_codes[10] = '::confused::'; + $smile_codes[11] = '::muah::'; +} + +/** +* Replaces smile-code text into smilie image. 
+* @access public +* @param string $text smile text to be transformed +* @return string transformed $text +* @see $smile_pics in include/lib/output.inc.php (above) +* @see $smile_codes in include/lib/output.inc.php (above) +* @author Joel Kronenberg +*/ +function smile_replace($text) { + global $smile_pics; + global $smile_codes; + static $smiles; + + $smiles[0] = '<img src="'.$smile_pics[0].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_smile').'" />'; + $smiles[1] = '<img src="'.$smile_pics[1].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_wink').'" />'; + $smiles[2] = '<img src="'.$smile_pics[2].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_frown').'" />'; + $smiles[3]= '<img src="'.$smile_pics[3].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_oh_well').'" />'; + $smiles[4]= '<img src="'.$smile_pics[4].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_tongue').'" />'; + $smiles[5]= '<img src="'.$smile_pics[5].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_evil').'" />'; + $smiles[6]= '<img src="'.$smile_pics[6].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_angry').'" />'; + $smiles[7]= '<img src="'.$smile_pics[7].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_lol').'" />'; + $smiles[8]= '<img src="'.$smile_pics[8].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_crazy').'" />'; + $smiles[9]= '<img src="'.$smile_pics[9].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_tired').'" />'; + $smiles[10]= '<img src="'.$smile_pics[10].'" border="0" height="17" width="19" align="bottom" alt="'._AT('smile_confused').'" />'; + $smiles[11]= '<img src="'.$smile_pics[11].'" border="0" height="15" width="15" align="bottom" alt="'._AT('smile_muah').'" />'; + + $text = str_replace($smile_codes[0],$smiles[0],$text); + $text = 
str_replace($smile_codes[1],$smiles[1],$text); + $text = str_replace($smile_codes[2],$smiles[2],$text); + $text = str_replace($smile_codes[3],$smiles[3],$text); + $text = str_replace($smile_codes[4],$smiles[4],$text); + $text = str_replace($smile_codes[5],$smiles[5],$text); + $text = str_replace($smile_codes[6],$smiles[6],$text); + $text = str_replace($smile_codes[7],$smiles[7],$text); + $text = str_replace($smile_codes[8],$smiles[8],$text); + $text = str_replace($smile_codes[9],$smiles[9],$text); + $text = str_replace($smile_codes[10],$smiles[10],$text); + $text = str_replace($smile_codes[11],$smiles[11],$text); + + return $text; +} + +function html_get_list($array) { + $list = ''; + foreach ($array as $value) { + $list .= '<li>'.$value.'</li>'; + } + return $list; +} + +/** + * print_paginator + * + * print out list of page links + */ +function print_paginator($current_page, $num_rows, $request_args, $rows_per_page = 50, $window = 5, $skippager='0') { + $num_pages = ceil($num_rows / $rows_per_page); + $request_args = '?'.$request_args; + + if ($num_pages == 1) return; + if ($num_rows) { + echo '<div><a href="'.$_SERVER['PHP_SELF'].'#skippager'.$skippager.'" class="hide_focus">'._AT('skip_pager').'</a></div>'; + echo '<div class="paging">'; + echo '<ul>'; + + $i=max($current_page-$window - max($window-$num_pages+$current_page,0), 1); + + if ($current_page > 1) + echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.($current_page-1).'">'._AT('prev').'</a>   </li>'; + + if ($i > 1) { + echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p=1">1</a></li>'; + if ($i > 2) { + echo '<li>…</li>'; + } + } + + for ($i; $i<= min($current_page+$window -min($current_page-$window,0),$num_pages); $i++) { + if ($current_page == $i) { + echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.$i.'" class="current"><em>'.$current_page.'</em></a></li>'; + } else { + echo '<li><a 
href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.$i.'">'.$i.'</a></li>'; + } + } + if ($i <= $num_pages) { + if ($i < $num_pages) { + echo '<li>…</li>'; + } + echo '<li><a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.$num_pages.'">'.$num_pages.'</a></li>'; + } + + if ($current_page < $num_pages) + echo '<li>   <a href="'.$_SERVER['PHP_SELF'].$request_args.htmlspecialchars(SEP).'p='.($current_page+1).'">'._AT('next').'</a></li>'; + + echo '</ul>'; + echo '</div><a name="skippager'.$skippager.'"></a>'; + } +} + +/** +* apply_timezone +* converts a unix timestamp into another UNIX timestamp with timezone offset added up. +* Adds the user's timezone offset, then converts back to a MYSQL timestamp +* Available both as a system config option, and a user preference, if both are set +* they are added together +* @param date MYSQL timestamp. +* @return date MYSQL timestamp plus user's and/or system's timezone offset. +* @author Greg Gay . +*/ +function apply_timezone($timestamp){ + global $_config; + + if($_config['time_zone']){ + $timestamp = ($timestamp + ($_config['time_zone']*3600)); + } + + if(isset($_SESSION['prefs']['PREF_TIMEZONE'])){ + $timestamp = ($timestamp + ($_SESSION['prefs']['PREF_TIMEZONE']*3600)); + } + + return $timestamp; +} +?> diff --git a/include/sidemenus/my_courses.inc.php b/include/sidemenus/my_courses.inc.php index d6b4ba87..d1c27ac1 100644 --- a/include/sidemenus/my_courses.inc.php +++ b/include/sidemenus/my_courses.inc.php 
@@ -1,79 +1,80 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -if (!defined('TR_INCLUDE_PATH')) { exit; } -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/UserCoursesDAO.class.php'); - -// can only be used by login user -if (!isset($_SESSION['user_id']) || $_SESSION['user_id'] == 0) return; - -global $savant, $_course_id; - -$userCoursesDAO = new UserCoursesDAO(); -$output = ''; - -// The main page can be home/index.php or home/search.php -// Find out the caller URL and direct the page back to the caller -// after adding/removing the course from "My Courses" -list($caller_url, $url_param) = Utility::getRefererURLAndParams(); - -// retrieve data to display -if ($_SESSION['user_id'] > 0) { - $my_courses = $userCoursesDAO->getByUserID($_SESSION['user_id']); -} - -if (!is_array($my_courses)) { - $num_of_courses = 0; - $output = _AT('none_found'); -} else { - $num_of_courses = count($my_courses); - - $output .= '<ol class="remove-margin-left">'."\n"; - - foreach ($my_courses as $row) { - // only display the first 200 character of course description - - if ($row['role'] == TR_USERROLE_AUTHOR) { - $output .= ' <li class="mine" title="'. _AT('my_authoring_course').': '. $row['title'].'"> '."\n"; - } else { - $output .= ' <li class="theirs" title="'. _AT('others_course').': '. $row['title'].'">'."\n"; - } - $output .= ' <a href="'. TR_BASE_HREF.'home/course/index.php?_course_id='. $row['course_id'].'"'.(($_course_id == $row['course_id']) ? 
' class="selected-sidemenu"' : '').'>'.$row['title'].'</a>'."\n"; - if ($row['role'] == TR_USERROLE_VIEWER) { - $output .= ' <a href="'. TR_BASE_HREF.'home/'. $caller_url.'action=remove'.SEP.'cid='. $row['course_id'].'">'."\n"; - $output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/bookmark_remove.png" alt="'. htmlspecialchars(_AT('remove_from_list')).'" title="'. htmlspecialchars(_AT('remove_from_list')).'" border="0" class="shortcut_icon"/>'."\n"; - $output .= ' </a>'."\n"; - } - if ($row['role'] == NULL && $_SESSION['user_id']>0) { - $output .= ' <a href="'. TR_BASE_HREF.'home/'. $caller_url.'action=add'.SEP.'cid='. $row['course_id'].'">'."\n"; - $output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/bookmark_add.png" alt="'. htmlspecialchars(_AT('add_into_list')).'" title="'. htmlspecialchars(_AT('add_into_list')).'" border="0" class="shortcut_icon"/>'."\n"; - $output .= ' </a>'."\n"; - } - //$output .= ' <a href="'. TR_BASE_HREF.'home/ims/ims_export.php?course_id='. $row['course_id'].'">'."\n"; - //$output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/export.png" alt="'. _AT('download_content_package').'" title="'. _AT('download_content_package').'" border="0" />'."\n"; - //$output .= ' </a>'."\n"; - //if ($row['role'] == TR_USERROLE_AUTHOR) { - //$output .= ' <a href="'. TR_BASE_HREF.'home/imscc/ims_export.php?course_id='. $row['course_id'].'">'."\n"; - //$output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/export_cc.png" alt="'. _AT('download_common_cartridge').'" title="'. _AT('download_common_cartridge').'" border="0" />'."\n"; - //$output .= ' </a>'."\n"; - //} - $output .= ' </li>'."\n"; - } // end of foreach; - $output .= '</ol>'."\n"; -} -$savant->assign('title', _AT('my_courses').' 
'.'('.$num_of_courses.')'); -$savant->assign('dropdown_contents', $output); -//$savant->assign('default_status', "hide"); - -$savant->display('include/box.tmpl.php'); -?> +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +if (!defined('TR_INCLUDE_PATH')) { exit; } + +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/UserCoursesDAO.class.php'); + +// can only be used by login user +if (!isset($_SESSION['user_id']) || $_SESSION['user_id'] == 0) return; + +global $savant, $_course_id; + +$userCoursesDAO = new UserCoursesDAO(); +$output = ''; + +// The main page can be home/index.php or home/search.php +// Find out the caller URL and direct the page back to the caller +// after adding/removing the course from "My Courses" +list($caller_url, $url_param) = Utility::getRefererURLAndParams(); + +// retrieve data to display +if ($_SESSION['user_id'] > 0) { + $my_courses = $userCoursesDAO->getByUserID($_SESSION['user_id']); +} + +if (!is_array($my_courses)) { + $num_of_courses = 0; + $output = _AT('none_found'); +} else { + $num_of_courses = count($my_courses); + + $output .= '<ol class="remove-margin-left">'."\n"; + + foreach ($my_courses as $row) { + // only display the first 200 character of course description + + if ($row['role'] == TR_USERROLE_AUTHOR) { + $output .= ' <li class="mine" title="'. _AT('my_authoring_course').': '. htmlspecialchars(trim(stripslashes(strip_tags($row['title'])))).'"> '."\n"; + } else { + $output .= ' <li class="theirs" title="'. 
_AT('others_course').': '. htmlspecialchars(trim(stripslashes(strip_tags($row['title'])))).'">'."\n"; + } + $output .= ' <a href="'. TR_BASE_HREF.'home/course/index.php?_course_id='. $row['course_id'].'"'.(($_course_id == $row['course_id']) ? ' class="selected-sidemenu"' : '').'>'.htmlspecialchars(trim(stripslashes(strip_tags($row['title'])))).'</a>'."\n"; + if ($row['role'] == TR_USERROLE_VIEWER) { + $output .= ' <a href="'. TR_BASE_HREF.'home/'. $caller_url.'action=remove'.SEP.'cid='. $row['course_id'].'">'."\n"; + $output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/bookmark_remove.png" alt="'. htmlspecialchars(_AT('remove_from_list')).'" title="'. htmlspecialchars(_AT('remove_from_list')).'" border="0" class="shortcut_icon"/>'."\n"; + $output .= ' </a>'."\n"; + } + if ($row['role'] == NULL && $_SESSION['user_id']>0) { + $output .= ' <a href="'. TR_BASE_HREF.'home/'. $caller_url.'action=add'.SEP.'cid='. $row['course_id'].'">'."\n"; + $output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/bookmark_add.png" alt="'. htmlspecialchars(_AT('add_into_list')).'" title="'. htmlspecialchars(_AT('add_into_list')).'" border="0" class="shortcut_icon"/>'."\n"; + $output .= ' </a>'."\n"; + } + //$output .= ' <a href="'. TR_BASE_HREF.'home/ims/ims_export.php?course_id='. $row['course_id'].'">'."\n"; + //$output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/export.png" alt="'. _AT('download_content_package').'" title="'. _AT('download_content_package').'" border="0" />'."\n"; + //$output .= ' </a>'."\n"; + //if ($row['role'] == TR_USERROLE_AUTHOR) { + //$output .= ' <a href="'. TR_BASE_HREF.'home/imscc/ims_export.php?course_id='. $row['course_id'].'">'."\n"; + //$output .= ' <img src="'. TR_BASE_HREF.'themes/'. $_SESSION['prefs']['PREF_THEME'].'/images/export_cc.png" alt="'. _AT('download_common_cartridge').'" title="'. 
_AT('download_common_cartridge').'" border="0" />'."\n"; + //$output .= ' </a>'."\n"; + //} + $output .= ' </li>'."\n"; + } // end of foreach; + $output .= '</ol>'."\n"; +} +$savant->assign('title', _AT('my_courses').' '.'('.$num_of_courses.')'); +$savant->assign('dropdown_contents', $output); +//$savant->assign('default_status', "hide"); + +$savant->display('include/box.tmpl.php'); +?> diff --git a/login.php b/login.php index 12c69642..c47896b2 100644 --- a/login.php +++ b/login.php 
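Review bot: `$caller_url` still goes into the `action=remove` and `action=add` hrefs unescaped, while the new lines in this hunk escape only `$row['title']`. The value comes from `Utility::getRefererURLAndParams()`, which is not shown here; if it is built from the Referer header it is request-controlled and should be written as `htmlspecialchars($caller_url, ENT_QUOTES, 'UTF-8')` at the point of output. For the title, `htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')` alone is sufficient in both the attribute and the link text, whereas the added `strip_tags` and `stripslashes` calls silently alter legitimate titles containing `<` or backslashes. The two bookmark links also appear to change state through GET, without the token check this commit adds to the profile forms.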
@@ -1,71 +1,72 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', 'include/'); -require (TR_INCLUDE_PATH.'vitals.inc.php'); - -require_once(TR_INCLUDE_PATH. 'classes/DAO/UsersDAO.class.php'); - -$usersDAO = new UsersDAO(); - -// For security reasons the token has to be generated anew before each login attempt. -// The entropy of SHA-1 input should be comparable to that of its output; in other words, the more randomness you feed it the better. -/*** -* Remove comments below and add comments to the 2 lines in the following block to enable a remote login form. -*/ -//if (isset($_POST['token'])) -//{ -// $_SESSION['token'] = $_POST['token']; -//} -//else -//{ -// if (!isset($_SESSION['token'])) -// $_SESSION['token'] = sha1(mt_rand() . microtime(TRUE)); -//} - -/*** -* Add comments 2 lines below to enable a remote login form. -*/ -if (!isset($_SESSION['token'])) - $_SESSION['token'] = sha1(mt_rand() . 
microtime(TRUE)); - -if (isset($_POST['submit'])) -{ - $user_id = $usersDAO->Validate($_POST['form_login'], $_POST['form_password_hidden']); - if (!$user_id) - { - $msg->addError('INVALID_LOGIN'); - } - else - { - if ($usersDAO->getStatus($user_id) == TR_STATUS_DISABLED) - { - $msg->addError('ACCOUNT_DISABLED'); - } - else - { - $usersDAO->setLastLogin($user_id); - $_SESSION['user_id'] = $user_id; - $msg->addFeedback('LOGIN_SUCCESS'); - header('Location: index.php'); - exit; - } - } - -} - -global $onload; -$onload = 'document.form.form_login.focus();'; - -//header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'); -$savant->display('login.tmpl.php'); -?> +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +define('TR_INCLUDE_PATH', 'include/'); + +require (TR_INCLUDE_PATH.'vitals.inc.php'); + +require_once(TR_INCLUDE_PATH. 'classes/DAO/UsersDAO.class.php'); + +$usersDAO = new UsersDAO(); + +// For security reasons the token has to be generated anew before each login attempt. +// The entropy of SHA-1 input should be comparable to that of its output; in other words, the more randomness you feed it the better. +/*** +* Remove comments below and add comments to the 2 lines in the following block to enable a remote login form. +*/ +//if (isset($_POST['token'])) +//{ +// $_SESSION['token'] = $_POST['token']; +//} +//else +//{ +// if (!isset($_SESSION['token'])) +// $_SESSION['token'] = sha1(mt_rand() . microtime(TRUE)); +//} + +/*** +* Add comments 2 lines below to enable a remote login form. 
+*/ +if (!isset($_SESSION['token'])) + $_SESSION['token'] = sha1(mt_rand() . microtime(TRUE)); + +if (isset($_POST['submit'])) +{ + $user_id = $usersDAO->Validate($_POST['form_login'], $_POST['form_password_hidden']); + if (!$user_id) + { + $msg->addError('INVALID_LOGIN'); + } + else + { + if ($usersDAO->getStatus($user_id) == TR_STATUS_DISABLED) + { + $msg->addError('ACCOUNT_DISABLED'); + } + else + { + $usersDAO->setLastLogin($user_id); + $_SESSION['user_id'] = $user_id; + $msg->addFeedback('LOGIN_SUCCESS'); + header('Location: index.php'); + exit; + } + } + +} + +global $onload; +$onload = 'document.form.form_login.focus();'; + +//header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'); +$savant->display('login.tmpl.php'); +?> diff --git a/profile/change_email.php b/profile/change_email.php index 497308e2..af699850 100644 --- a/profile/change_email.php +++ b/profile/change_email.php @@ -11,8 +11,10 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/UsersDAO.class.php'); +require_once('../class_csrf.php'); global $_current_user; @@ -31,10 +33,12 @@ exit; } -if (isset($_POST['submit'])) +if (isset($_POST['submit'])) { - $this_password = $_POST['form_password_hidden']; - + if (CSRF_Token::isValid() AND CSRF_Token::isRecent()) + { + $this_password = $_POST['form_password_hidden']; + // password check if (!empty($this_password)) { @@ -55,7 +59,7 @@ header('Location: change_email.php'); exit; } - + // email check if ($_POST['email'] == '') { @@ -78,6 +82,7 @@ if (!$msg->containsErrors()) { + if (defined('TR_EMAIL_CONFIRMATION') && TR_EMAIL_CONFIRMATION) { //send confirmation email @@ -110,6 +115,10 @@ $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); } } + } else + { + $msg->addError('INVALID_TOKEN'); + } } $row = $_current_user->getInfo(); 
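Review bot: The guard added in the `@@ -31,10 +33,12 @@` hunk of profile/change_email.php relies on `CSRF_Token::isValid()`, which reads `$_SESSION['token']`, the same session key that login.php fills with `sha1(mt_rand() . microtime(TRUE))` for the login form. Token generation in class_csrf.php is outside this view; if it keeps an already-set value, the CSRF token inherits that predictable construction, so a dedicated key filled from the CSPRNG would be safer, for example `$_SESSION['csrf_token'] = bin2hex(random_bytes(32));`. `isValid()` also passes `$_SESSION['token']` and `$_POST['token']` to `hash_equals()` without checking that both are set and are strings, so a missing session token or an array-valued `token` field raises a type error or warning instead of returning false. The same guard is repeated in profile/change_password.php and profile/index.php, and the enclosing `if (isset($_POST['submit']))` block runs beyond these hunks.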
@@ -122,4 +131,4 @@ $savant->assign('row', $row); $savant->display('profile/change_email.tmpl.php'); -?> \ No newline at end of file +?> diff --git a/profile/change_password.php b/profile/change_password.php index 0f5ac868..6968fabe 100644 --- a/profile/change_password.php +++ b/profile/change_password.php @@ -11,7 +11,9 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once('../class_csrf.php'); global $_current_user; @@ -29,12 +31,14 @@ } if (isset($_POST['submit'])) { - if (!empty($_POST['form_old_password_hidden'])) + if (CSRF_Token::isValid() AND CSRF_Token::isRecent()) + { + if (!empty($_POST['form_old_password_hidden'])) { //check if old password entered is correct if ($row = $_current_user->getInfo()) { - if ($row['password'] != $_POST['form_old_password_hidden']) + if ($row['password'] != htmlspecialchars(trim(stripslashes(strip_tags($_POST['form_old_password_hidden']))))) { $msg->addError('WRONG_PASSWORD'); Header('Location: change_password.php'); @@ -64,8 +68,9 @@ } if (!$msg->containsErrors()) { + // insert into the db. - $password = $_POST['form_password_hidden']; + $password = htmlspecialchars(trim(stripslashes(strip_tags($_POST['form_password_hidden'])))); if (!$_current_user->setPassword($password)) { @@ -77,9 +82,13 @@ $msg->addFeedback('PASSWORD_CHANGED'); } + } else + { + $msg->addError('INVALID_TOKEN'); + } } /* template starts here */ $savant->display('profile/change_password.tmpl.php'); -?> \ No newline at end of file +?> diff --git a/profile/index.php b/profile/index.php index c5808a44..67bc069b 100644 --- a/profile/index.php +++ b/profile/index.php 
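Review bot: The old-password check in the `@@ -29,12 +31,14 @@` hunk of profile/change_password.php still compares with `!=`, and it now runs the submitted value through `htmlspecialchars(trim(stripslashes(strip_tags(...))))` first. Loose comparison can treat two different numeric-looking strings as equal, and HTML sanitizers alter a credential rather than validate it; `if (!hash_equals((string) $row['password'], (string) $_POST['form_old_password_hidden']))` compares the raw values exactly and in constant time. The `@@ -64,8 +68,9 @@` hunk applies the same chain to `$_POST['form_password_hidden']` before `setPassword()`, which would store an altered secret for any value containing `<`, `&`, quotes or backslashes. The field name suggests a client-side hash (to be confirmed), in which case checking the expected length and character set is the appropriate validation.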
@@ -11,8 +11,10 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/UsersDAO.class.php'); +require_once('../class_csrf.php'); unset($_SESSION['course_id']); global $_current_user; @@ -32,13 +34,15 @@ } if (isset($_POST['submit'])) { - if (isset($_POST['is_author'])) $is_author = 1; - else $is_author = 0; + if (CSRF_Token::isValid() AND CSRF_Token::isRecent()) + { + if (isset($_POST['is_author'])) $is_author = 1; + else $is_author = 0; - $usersDAO = new UsersDAO(); - $user_row = $usersDAO->getUserByID($_SESSION['user_id']); + $usersDAO = new UsersDAO(); + $user_row = $usersDAO->getUserByID($_SESSION['user_id']); - if ($usersDAO->Update($_SESSION['user_id'], + if ($usersDAO->Update($_SESSION['user_id'], $user_row['user_group_id'], $user_row['login'], $user_row['email'], @@ -54,8 +58,12 @@ $_POST['postal_code'], $_POST['status'])) + { + $msg->addFeedback('PROFILE_UPDATED'); + } + } else { - $msg->addFeedback('PROFILE_UPDATED'); + $msg->addError('INVALID_TOKEN'); } } @@ -72,4 +80,4 @@ $onload = 'document.form.first_name.focus();'; $savant->display('profile/index.tmpl.php'); -?> \ No newline at end of file +?> diff --git a/templates/system/Layout.class.php b/templates/system/Layout.class.php index 9b889e07..451aadf8 100755 --- a/templates/system/Layout.class.php +++ b/templates/system/Layout.class.php 
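Review bot: `$_POST['status']` is still passed straight into `$usersDAO->Update()` in the `@@ -54,8 +58,12 @@` hunk of profile/index.php, while `user_group_id`, `login` and `email` are taken from the stored `$user_row`. The token check added in the previous hunk stops forged cross-site requests, but it does not stop the logged-in user from submitting a `status` value of their own choosing. Unless the profile form is meant to let users change their own account status (not visible here), the argument should come from the stored row, presumably `$user_row['status']`. The `Update()` argument list starts in the `@@ -32,13 +34,15 @@` hunk and its middle lies outside both hunks.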
@@ -1,464 +1,464 @@ -<?php -global $lay; - -if (!defined('TR_INCLUDE_PATH')) exit; - -class Layout{ - /** - * Update an existing course record - * @access public - * @param courseID: course ID - * fieldName: the name of the table field to update - * fieldValue: the value to update - * @return true if successful - * error message array if failed; false if update db failed - * @author Mauro Donadio - */ - - /* - * Variables declarations / definitions - * - * */ - private $mod_path = array(); - private $config = array(); - private $content_id = ''; - private $course_id = ''; - private $uniq = 'templates'; - - // folders and documents to be excluded from the list of the layout - private $except = array('.', '..', '.DS_Store', 'desktop.ini', 'Thumbs.db'); - - - - /** - * Constructor: sets the main variables used (paths, ..) - * @access public - * @param mod_path: associative array containing the paths list - * @return none - * @author Mauro Donadio - */ - - public function __construct($mod_path){ - global $_course_id, $_content_id; - - /* content id of an optional chapter */ - $this->content_id = (isset($_REQUEST['cid']) ? intval($_REQUEST['cid']) : $_content_id); - $this->course_id = (isset($_REQUEST['course_id']) ? 
intval($_REQUEST['course_id']) : $_course_id); - - if(isset($_POST['apply_layout_to_course'])) - $this->applyLayoutToCourse(); - elseif(isset($_POST['apply_layout_to_content'])) - $this->applyLayoutToContent(); - - $this->mod_path = $mod_path; - - if($this->mod_path != '') - $this->config = parse_ini_file($this->mod_path['syspath'].'config.ini'); - - return; - } - - /* - * Open the configuration file reading the parameters - * input: none - * output: none - * - * */ - - public function getConfig(){ - return $this->config; - } - - /* - * Read loaded layout creating a list of available layout - * input: none - * output: none - * - * */ - - public function getLayoutList(){ - - $layout_list = array(); - $dir = array(); - - // read the list of available layout - $dir = scandir($this->mod_path['layout_dir_int']); - - // subtract files to be excluded from the list of available layout - $dir = array_diff($dir, $this->except); - // call the function that validates the available layout - $layout_list = $this->validated_layout($dir); - - return $layout_list; - } - - /* - * The following function reads from the filesystem existing layout and validates them - * according to pre-set criteria (eg comparison between version of the layout and core) - * and returns an array of available and valid layout. 
- * input: $dir[] list of available layout - * output: list of available layout skimmed according to the compatibility of each layout - * - * */ - - private function validated_layout($dir = array()){ - - // scan all existing layout - $layouts = array(); - - foreach($dir as $item){ - - $isdir = $this->mod_path['layout_dir_int'].$item; - - // checking if the element is a directory - if(is_dir($isdir)){ - - // check if exists the .info file and parse it - - $xml_file = $isdir.'/layouts.xml'; - if(is_file($xml_file)) { - $xml = simplexml_load_file($xml_file); - - foreach($xml->children() as $child) { - $name = $child->getName(); - if($name == "release") { - $info['core'] = $child->version; - - } - $info[$name] = $child; - } - - // if you did not specify a name, use the folder name - if(!$info['name']) - $info['name'] = $item; - - // check the "core" - if(!$info['core']) - continue; - else { - - $vfile = explode('.', $info['core']); - $vcore = explode('.', VERSION); - - // cursory check for version compatibility - // stopping the cycle to the first incompatibility found - if($vfile[0] < $vcore[0]) - // not compatible! - continue; - elseif(strtolower($vfile[1]) != 'x' and $vfile[1] < $vcore[1]) - // not compatible! - continue; - } - - // put the info of the current layout into an array - $layouts[$item] = $info; - - } - } - } - - return $layouts; - } - - /* - * The following function provides for the generation of a form - * to graphically show the user the list of available layout. - * The form is returned by the function and, then, - * integrated the output of this module. 
- * input: $layout_list[] list of available layout - * output: none - * */ - - public function createUI($layout_list,$_content_id){ - $IDcontent=$_content_id; - - $ui = ''; - $ui .= '<form action="'.$_SERVER['REQUEST_URI'].'" id="templates" method="post" style="display: none">'; - - // select - $ui .= '<div style="margin: 5px;">'; - - // NUOVA POSIZIONE DEI PULSANTI - $ui .= '<input type="submit" style="width:250px;" value="'._AT('layout_content_apply').'" id="apply_layout_to_content" name="apply_layout_to_content" />'; - - // Spacing of the buttons - //$ui .='<div style="padding:5px;"></div>'; - $ui .= '<input type="submit" style="width:250px; margin-left:15px;" value="'._AT('layout_course_apply').'" id="apply_layout_to_course" name="apply_layout_to_course" />'; - - $ui .= '<div style="margin: 10px;">'; - $ui .= '<table class="data" rules="cols" summary="">'; - $ui .= '<thead> - <tr> - <th scope="col"> </th> - <th scope="col">'._AT('name').'</th> - <th scope="col">'._AT('description').'</th> - <th scope="col">'._AT('thumbnail').'</th> - </tr> - </thead>'; - - $ui .= '<tbody>'; - $ui .= '<tr onclick="preview(\'nothing\');">'; - $ui .= '<td id="radio_nothing" name="'.$_content_id.'" title="'._AT('nothing').'"><input id="radio-nothing" mouseseup="this.checked=!this.checked" type="radio" name="radio_layout" value="nothing"></td>'; - $ui .= '<td><label for="radio-nothing" style="cursor:pointer;">'._AT('nothing').'</label></td>'; - $ui .= '<td>'._AT('nothing_description').'</td>'; - - $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/system/nolayout.png" src="" desc="Nothing Screenshot" title="'._AT('img_layout_icon','nothing').'" /></td></div>'; - $ui .= '</tr>'; - $ui .= '</tr>'; - - foreach($layout_list as $tname => $tval){ - $ui .= '<tr onclick="preview(\''.$tname.'\');">'; - - $ui .= '<td id="radio_'.$tname.'" name="'.$_content_id.'" title="'.$tname.'"> -<input id="radio-'.$tname.'" mouseseup="this.checked=!this.checked" type="radio" 
name="radio_layout" value="'.$tname.'"> -</td>'; - - $ui .= '<td><label style="cursor:pointer;" for="radio-'.$tname.'">'.$tval['name'].'</label></td>'; - $ui .= '<td>'.$tval['description'].'</td>'; - - if($tname!='seti' && $tname!='windows'&& $tname!='unibo') { - $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/layouts/'.$tname.'/screenshot-'.$tname.'.png" alt="'._AT('img_layout_icon',$tname).'" title="'._AT('img_layout_icon',$tname).'" /></td></div>'; - $ui .= '</tr>'; - } elseif($tname != unibo) { - $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/layouts/'.$tname.'/screenshot-'.$tname.'.png" alt="'._AT('img_layout_icon',$tname).'" title="'._AT('img_layout_icon',$tname).'" /></td></div>'; - $ui .= '</tr>'; - } else { - $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/layouts/'.$tname.'/screenshot-'.$tname.'.png" alt="'._AT('img_layout_icon',$tname).'" title="'._AT('img_layout_icon',$tname).'" /></td></div>'; - $ui .= '</tr>'; - } - } - - $ui .= '</tbody>'; - $ui .= '</table>'; - //$ui .= '</select>'; - $ui .= '</div>'; - // end select - - $ui .= '<div id="content">'; - $ui .= '</div>'; - - //POSIZIONE VECCHIA DEI PULSANTI SOTTO LA TABELLA - $ui .= '</form>'; - - $ui .= '<noscript><div>'._AT('no_js').'</div></noscript>'. "\n"; - - // Define language variables needed by javascript file - $ui .= '<script language="javascript" type="text/javascript">'. "\n"; - $ui .= '//<!--'. "\n"; - $ui .= ' var trans = trans || {};'. "\n"; - $ui .= ' trans.templates = trans.templates || {};'. "\n"; - $ui .= ' trans.templates.preview = "' . htmlentities_utf8(_AT('preview')) . '";'. "\n"; - $ui .= ' trans.templates.title = "' . htmlentities_utf8(_AT('title')) . '";'. "\n"; - $ui .= ' trans.templates.document_body = "' . htmlentities_utf8(_AT('document_body')) . '";'. "\n"; - $ui .= ' trans.templates.devoid_content = "' . htmlentities_utf8(_AT('devoid_content')) . '";'. "\n"; - $ui .= '//-->'. 
"\n"; - $ui .= '</script>'. "\n"; - - $ui .='<script type="text/javascript" src="'.TR_BASE_HREF.'templates/system/Layout.js"></script>'. "\n"; - - return $ui; - } - - private function applyLayoutToCourse(){ - global $msg; - - require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); - - $contentDAO = new ContentDAO(); - - $content = $contentDAO->getContentByCourseID($this->course_id); - - // for each lesson with that code of course, set / override the style of lessons - - for($i = 0; $i < count($content); $i++){ - - $cid = $content[$i]['content_id']; - $text = $this->textFixPHP($content[$i]['text']); - - $text = strrev($text); - - for($j=0; $j<$count; $j++) - $text = str_replace('>vid/<','',$text); - - $text = strrev($text); - - //$text = '<div id="content">'.$text.'</div>'; - - // clean up the text from <div id="dnd" and add it: - // it does not mean that all classes have the tag, - // then, take it off to all the add it again (more safe even if most "expensive") - - // clean up the text from the tag - $text = $this->clearContent($text); - - // insert the value entered by the user in the radio button to choose - $layout_name=$_POST['radio_layout']; - - // write on db - $contentDAO->UpdateField($cid, 'layout', $layout_name); - } - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - // page redirect - echo '<script type="text/javascript">'; - echo 'window.location = "'.$_SERVER['REQUEST_URI'].'";'; - echo '</script>'; - - } - - /* - * - */ - - private function applyLayoutToContent(){ - global $msg; - - require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); - - $selected_layout = (isset($_POST['layout_list']) ? 
htmlentities($_POST['layout_list']) : '-'); - - $contentDAO = new ContentDAO(); - - $content = $contentDAO->get($this->content_id); - - $text = $this->textFixPHP($content['text']); - - $text = strrev($text); - - for($i=0; $i<$count; $i++) - $text = str_replace('>vid/<','',$text); - - $text = strrev($text); - - //$text = '<div id="content">'.$text.'</div>'; - - // clean up the text from <div id="dnd" and add it: - // it does not mean that all classes have the tag, - // then, take it off to all the add it again (more safe even if most "expensive") - - // clean up the text from the tag - $text = $this->clearContent($text); - - // insert the value entered by the user in the radio button to choose - $layout_name= $_POST['radio_layout']; - - // write on db - $contentDAO->UpdateField($this->content_id, 'layout', $layout_name); - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - - // page redirect - echo '<script type="text/javascript">'; - echo 'window.location = "'.$_SERVER['REQUEST_URI'].'";'; - echo '</script>'; - } - - /* - * Function that cleans the content passed as a parameter. - * Cleaning is the removal of the block <div id="dnd"> <div id="anteprima-footer"> </ div> built by layout - */ - - private function clearContent($content = ''){ - - // delete the div - $content = str_replace('<div id="'.$this->uniq.'">','', $content); - - // completely delete the footer from the text - $content = preg_replace('/<div id="anteprima-footer">(.*)<\/div><\/div>/Uis', '', $content); - - return $content; - } - - /* - * exaggeration - * TinyMCE is not precise with the carriage return, then, I try to repair - * the display differences between TinyMCE and AContent preview. 
- * text = text to clean up - */ - - private function textFixPHP($text = ''){ - - // JUMP - return $text; - } - - public function content_text($cid){ - require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); - - $contentDAO = new ContentDAO(); - - $sql="SELECT text FROM ".TABLE_PREFIX."content WHERE content_id=?"; - $values = $cid; - $types = "i"; - $result=$contentDAO->execute($sql, $values, $types); - if(is_array($result)) - { - foreach ($result as $support) { - $text=$support['text']; - break; - } - } - - return $text; - } - - public function appendStyle($rows, $zipfile, $_content_id = ''){ - - // $_content_id determinates if packing the lesson or the entire course - // $row complete lessons list for a specific course - - $styles = array(); - $stylesheet = ''; - - - - for($i=0; $i < count($rows); $i++){ - - if($rows[$i]['layout'] != '' && $this->exist_layout($rows[$i]['layout'])){ - // In another version, AContent requires 'commoncartridge' as folder - $rows[$i]['head'] = '<link rel="stylesheet" href="commoncartridge/'.$rows[$i]['layout'].'.css" type="text/css" />'.$rows[$i]['head']; - //$rows[$i]['head'] = '<link rel="stylesheet" href="'.$rows[$i]['layout'].'.css" type="text/css" />'.$rows[$i]['head']; - $rows[$i]['use_customized_head'] = '1'; - - // create image folder - // if it's a new style to add - if(($_content_id != '' AND $_content_id == $rows[$i]['content_id']) OR $_content_id == ''){ - - - $styles[] = $rows[$i]['layout']; - - if(in_array($rows[$i]['layout'], $styles)){ - - - if($stylesheet = file_get_contents('../../templates/layouts/'.$rows[$i]['layout'].'/'.$rows[$i]['layout'].'.css')){ - - $stylesheet = str_replace('#'.$this->uniq, 'body', $stylesheet); - $zipfile->add_file($stylesheet, 'resources/commoncartridge/'.$rows[$i]['layout'].'.css'); - - // add images folder - $src = '../../templates/layouts/'.$rows[$i]['layout'].'/'.$rows[$i]['layout'].'/'; - $dst = 'resources/commoncartridge/'.$rows[$i]['layout'].'/'; - - 
$zipfile->create_dir('resources/commoncartridge/'.$rows[$i]['layout'].'/'); - $zipfile->add_dir($src, $dst); - } - } - } - } - } - - - return $rows; - } - - public function exist_layout($layout) { - - if(is_dir('../../templates/layouts/'.$layout)) - return true; - else - return false; - } - - - -} -?> +<?php +global $lay; + +if (!defined('TR_INCLUDE_PATH')) exit; + +class Layout{ + /** + * Update an existing course record + * @access public + * @param courseID: course ID + * fieldName: the name of the table field to update + * fieldValue: the value to update + * @return true if successful + * error message array if failed; false if update db failed + * @author Mauro Donadio + */ + + /* + * Variables declarations / definitions + * + * */ + private $mod_path = array(); + private $config = array(); + private $content_id = ''; + private $course_id = ''; + private $uniq = 'templates'; + + // folders and documents to be excluded from the list of the layout + private $except = array('.', '..', '.DS_Store', 'desktop.ini', 'Thumbs.db'); + + + + /** + * Constructor: sets the main variables used (paths, ..) + * @access public + * @param mod_path: associative array containing the paths list + * @return none + * @author Mauro Donadio + */ + + public function __construct($mod_path){ + global $_course_id, $_content_id; + + /* content id of an optional chapter */ + $this->content_id = (isset($_REQUEST['cid']) ? intval($_REQUEST['cid']) : $_content_id); + $this->course_id = (isset($_REQUEST['course_id']) ? 
intval($_REQUEST['course_id']) : $_course_id); + + if(isset($_POST['apply_layout_to_course'])) + $this->applyLayoutToCourse(); + elseif(isset($_POST['apply_layout_to_content'])) + $this->applyLayoutToContent(); + + $this->mod_path = $mod_path; + + if($this->mod_path != '') + $this->config = parse_ini_file($this->mod_path['syspath'].'config.ini'); + + return; + } + + /* + * Open the configuration file reading the parameters + * input: none + * output: none + * + * */ + + public function getConfig(){ + return $this->config; + } + + /* + * Read loaded layout creating a list of available layout + * input: none + * output: none + * + * */ + + public function getLayoutList(){ + + $layout_list = array(); + $dir = array(); + + // read the list of available layout + $dir = scandir($this->mod_path['layout_dir_int']); + + // subtract files to be excluded from the list of available layout + $dir = array_diff($dir, $this->except); + // call the function that validates the available layout + $layout_list = $this->validated_layout($dir); + + return $layout_list; + } + + /* + * The following function reads from the filesystem existing layout and validates them + * according to pre-set criteria (eg comparison between version of the layout and core) + * and returns an array of available and valid layout. 
+ * input: $dir[] list of available layout + * output: list of available layout skimmed according to the compatibility of each layout + * + * */ + + private function validated_layout($dir = array()){ + + // scan all existing layout + $layouts = array(); + + foreach($dir as $item){ + + $isdir = $this->mod_path['layout_dir_int'].$item; + + // checking if the element is a directory + if(is_dir($isdir)){ + + // check if exists the .info file and parse it + + $xml_file = $isdir.'/layouts.xml'; + if(is_file($xml_file)) { + $xml = simplexml_load_file($xml_file); + + foreach($xml->children() as $child) { + $name = $child->getName(); + if($name == "release") { + $info['core'] = $child->version; + + } + $info[$name] = $child; + } + + // if you did not specify a name, use the folder name + if(!$info['name']) + $info['name'] = $item; + + // check the "core" + if(!$info['core']) + continue; + else { + + $vfile = explode('.', $info['core']); + $vcore = explode('.', VERSION); + + // cursory check for version compatibility + // stopping the cycle to the first incompatibility found + if($vfile[0] < $vcore[0]) + // not compatible! + continue; + elseif(strtolower($vfile[1]) != 'x' and $vfile[1] < $vcore[1]) + // not compatible! + continue; + } + + // put the info of the current layout into an array + $layouts[$item] = $info; + + } + } + } + + return $layouts; + } + + /* + * The following function provides for the generation of a form + * to graphically show the user the list of available layout. + * The form is returned by the function and, then, + * integrated the output of this module. 
+ * input: $layout_list[] list of available layout + * output: none + * */ + + public function createUI($layout_list,$_content_id){ + $IDcontent=$_content_id; + + $ui = ''; + $ui .= '<form action="'.$_SERVER['REQUEST_URI'].'" id="templates" method="post" style="display: none">'; + + // select + $ui .= '<div style="margin: 5px;">'; + + // NUOVA POSIZIONE DEI PULSANTI + $ui .= '<input type="submit" style="width:250px;" value="'._AT('layout_content_apply').'" id="apply_layout_to_content" name="apply_layout_to_content" />'; + + // Spacing of the buttons + //$ui .='<div style="padding:5px;"></div>'; + $ui .= '<input type="submit" style="width:250px; margin-left:15px;" value="'._AT('layout_course_apply').'" id="apply_layout_to_course" name="apply_layout_to_course" />'; + + $ui .= '<div style="margin: 10px;">'; + $ui .= '<table class="data" rules="cols" summary="">'; + $ui .= '<thead> + <tr> + <th scope="col"> </th> + <th scope="col">'._AT('name').'</th> + <th scope="col">'._AT('description').'</th> + <th scope="col">'._AT('thumbnail').'</th> + </tr> + </thead>'; + + $ui .= '<tbody>'; + $ui .= '<tr onclick="preview(\'nothing\');">'; + $ui .= '<td id="radio_nothing" name="'.$_content_id.'" title="'._AT('nothing').'"><input id="radio-nothing" mouseseup="this.checked=!this.checked" type="radio" name="radio_layout" value="nothing"></td>'; + $ui .= '<td><label for="radio-nothing" style="cursor:pointer;">'._AT('nothing').'</label></td>'; + $ui .= '<td>'._AT('nothing_description').'</td>'; + + $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/system/nolayout.png" src="" desc="Nothing Screenshot" title="'._AT('img_layout_icon','nothing').'" /></td></div>'; + $ui .= '</tr>'; + $ui .= '</tr>'; + + foreach($layout_list as $tname => $tval){ + $ui .= '<tr onclick="preview(\''.$tname.'\');">'; + + $ui .= '<td id="radio_'.$tname.'" name="'.$_content_id.'" title="'.$tname.'"> +<input id="radio-'.$tname.'" mouseseup="this.checked=!this.checked" type="radio" 
name="radio_layout" value="'.$tname.'"> +</td>'; + + $ui .= '<td><label style="cursor:pointer;" for="radio-'.$tname.'">'.$tval['name'].'</label></td>'; + $ui .= '<td>'.$tval['description'].'</td>'; + + if($tname!='seti' && $tname!='windows'&& $tname!='unibo') { + $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/layouts/'.$tname.'/screenshot-'.$tname.'.png" alt="'._AT('img_layout_icon',$tname).'" title="'._AT('img_layout_icon',$tname).'" /></td></div>'; + $ui .= '</tr>'; + } elseif($tname != 'unibo') { + $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/layouts/'.$tname.'/screenshot-'.$tname.'.png" alt="'._AT('img_layout_icon',$tname).'" title="'._AT('img_layout_icon',$tname).'" /></td></div>'; + $ui .= '</tr>'; + } else { + $ui .= '<td><div><img class="layout_img_small" src="'.TR_BASE_HREF.'/templates/layouts/'.$tname.'/screenshot-'.$tname.'.png" alt="'._AT('img_layout_icon',$tname).'" title="'._AT('img_layout_icon',$tname).'" /></td></div>'; + $ui .= '</tr>'; + } + } + + $ui .= '</tbody>'; + $ui .= '</table>'; + //$ui .= '</select>'; + $ui .= '</div>'; + // end select + + $ui .= '<div id="content">'; + $ui .= '</div>'; + + //POSIZIONE VECCHIA DEI PULSANTI SOTTO LA TABELLA + $ui .= '</form>'; + + $ui .= '<noscript><div>'._AT('no_js').'</div></noscript>'. "\n"; + + // Define language variables needed by javascript file + $ui .= '<script language="javascript" type="text/javascript">'. "\n"; + $ui .= '//<!--'. "\n"; + $ui .= ' var trans = trans || {};'. "\n"; + $ui .= ' trans.templates = trans.templates || {};'. "\n"; + $ui .= ' trans.templates.preview = "' . htmlentities_utf8(_AT('preview')) . '";'. "\n"; + $ui .= ' trans.templates.title = "' . htmlentities_utf8(_AT('title')) . '";'. "\n"; + $ui .= ' trans.templates.document_body = "' . htmlentities_utf8(_AT('document_body')) . '";'. "\n"; + $ui .= ' trans.templates.devoid_content = "' . htmlentities_utf8(_AT('devoid_content')) . '";'. "\n"; + $ui .= '//-->'. 
"\n"; + $ui .= '</script>'. "\n"; + + $ui .='<script type="text/javascript" src="'.TR_BASE_HREF.'templates/system/Layout.js"></script>'. "\n"; + + return $ui; + } + + private function applyLayoutToCourse(){ + global $msg; + + require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); + + $contentDAO = new ContentDAO(); + + $content = $contentDAO->getContentByCourseID($this->course_id); + + // for each lesson with that code of course, set / override the style of lessons + + for($i = 0; $i < count($content); $i++){ + + $cid = $content[$i]['content_id']; + $text = $this->textFixPHP($content[$i]['text']); + + $text = strrev($text); + + for($j=0; $j<$count; $j++) + $text = str_replace('>vid/<','',$text); + + $text = strrev($text); + + //$text = '<div id="content">'.$text.'</div>'; + + // clean up the text from <div id="dnd" and add it: + // it does not mean that all classes have the tag, + // then, take it off to all the add it again (more safe even if most "expensive") + + // clean up the text from the tag + $text = $this->clearContent($text); + + // insert the value entered by the user in the radio button to choose + $layout_name=$_POST['radio_layout']; + + // write on db + $contentDAO->UpdateField($cid, 'layout', $layout_name); + } + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + // page redirect + echo '<script type="text/javascript">'; + echo 'window.location = "'.$_SERVER['REQUEST_URI'].'";'; + echo '</script>'; + + } + + /* + * + */ + + private function applyLayoutToContent(){ + global $msg; + + require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); + + $selected_layout = (isset($_POST['layout_list']) ? 
htmlentities($_POST['layout_list']) : '-'); + + $contentDAO = new ContentDAO(); + + $content = $contentDAO->get($this->content_id); + + $text = $this->textFixPHP($content['text']); + + $text = strrev($text); + + for($i=0; $i<$count; $i++) + $text = str_replace('>vid/<','',$text); + + $text = strrev($text); + + //$text = '<div id="content">'.$text.'</div>'; + + // clean up the text from <div id="dnd" and add it: + // it does not mean that all classes have the tag, + // then, take it off to all the add it again (more safe even if most "expensive") + + // clean up the text from the tag + $text = $this->clearContent($text); + + // insert the value entered by the user in the radio button to choose + $layout_name= $_POST['radio_layout']; + + // write on db + $contentDAO->UpdateField($this->content_id, 'layout', $layout_name); + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + + // page redirect + echo '<script type="text/javascript">'; + echo 'window.location = "'.$_SERVER['REQUEST_URI'].'";'; + echo '</script>'; + } + + /* + * Function that cleans the content passed as a parameter. + * Cleaning is the removal of the block <div id="dnd"> <div id="anteprima-footer"> </ div> built by layout + */ + + private function clearContent($content = ''){ + + // delete the div + $content = str_replace('<div id="'.$this->uniq.'">','', $content); + + // completely delete the footer from the text + $content = preg_replace('/<div id="anteprima-footer">(.*)<\/div><\/div>/Uis', '', $content); + + return $content; + } + + /* + * exaggeration + * TinyMCE is not precise with the carriage return, then, I try to repair + * the display differences between TinyMCE and AContent preview. 
+ * text = text to clean up + */ + + private function textFixPHP($text = ''){ + + // JUMP + return $text; + } + + public function content_text($cid){ + require_once(TR_INCLUDE_PATH.'classes/DAO/ContentDAO.class.php'); + + $contentDAO = new ContentDAO(); + + $sql="SELECT text FROM ".TABLE_PREFIX."content WHERE content_id=?"; + $values = $cid; + $types = "i"; + $result=$contentDAO->execute($sql, $values, $types); + if(is_array($result)) + { + foreach ($result as $support) { + $text=$support['text']; + break; + } + } + + return $text; + } + + public function appendStyle($rows, $zipfile, $_content_id = ''){ + + // $_content_id determinates if packing the lesson or the entire course + // $row complete lessons list for a specific course + + $styles = array(); + $stylesheet = ''; + + + + for($i=0; $i < count($rows); $i++){ + + if($rows[$i]['layout'] != '' && $this->exist_layout($rows[$i]['layout'])){ + // In another version, AContent requires 'commoncartridge' as folder + $rows[$i]['head'] = '<link rel="stylesheet" href="commoncartridge/'.$rows[$i]['layout'].'.css" type="text/css" />'.$rows[$i]['head']; + //$rows[$i]['head'] = '<link rel="stylesheet" href="'.$rows[$i]['layout'].'.css" type="text/css" />'.$rows[$i]['head']; + $rows[$i]['use_customized_head'] = '1'; + + // create image folder + // if it's a new style to add + if(($_content_id != '' AND $_content_id == $rows[$i]['content_id']) OR $_content_id == ''){ + + + $styles[] = $rows[$i]['layout']; + + if(in_array($rows[$i]['layout'], $styles)){ + + + if($stylesheet = file_get_contents('../../templates/layouts/'.$rows[$i]['layout'].'/'.$rows[$i]['layout'].'.css')){ + + $stylesheet = str_replace('#'.$this->uniq, 'body', $stylesheet); + $zipfile->add_file($stylesheet, 'resources/commoncartridge/'.$rows[$i]['layout'].'.css'); + + // add images folder + $src = '../../templates/layouts/'.$rows[$i]['layout'].'/'.$rows[$i]['layout'].'/'; + $dst = 'resources/commoncartridge/'.$rows[$i]['layout'].'/'; + + 
$zipfile->create_dir('resources/commoncartridge/'.$rows[$i]['layout'].'/'); + $zipfile->add_dir($src, $dst); + } + } + } + } + } + + + return $rows; + } + + public function exist_layout($layout) { + + if(is_dir('../../templates/layouts/'.$layout)) + return true; + else + return false; + } + + + +} +?> diff --git a/tests/add_test_questions.php b/tests/add_test_questions.php index 75ff109d..59c1fa5f 100644 --- a/tests/add_test_questions.php +++ b/tests/add_test_questions.php @@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/testQuestions.class.php'); require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); @@ -56,4 +57,4 @@ </div> <?php require_once(TR_INCLUDE_PATH.'../tests/html/tests_questions.inc.php'); ?> -<?php require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +<?php require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/add_test_questions_confirm.php b/tests/add_test_questions_confirm.php index be994638..7c64fe9b 100644 --- a/tests/add_test_questions_confirm.php +++ b/tests/add_test_questions_confirm.php 
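Review bot: `createUI()` in templates/system/Layout.class.php writes `$_SERVER['REQUEST_URI']` unescaped into the form `action` attribute, and `applyLayoutToCourse()` and `applyLayoutToContent()` echo it into an inline script as `window.location = "..."`, so request-controlled text reaches HTML and JavaScript contexts without encoding. The attribute should use `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8')` and the script value `json_encode($_SERVER['REQUEST_URI'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, or the redirect can be sent with `header('Location: ...')` instead. The constructor also runs both apply methods on any POST carrying `apply_layout_to_course` or `apply_layout_to_content` without a `CSRF_Token` check, and the form built in `createUI()` emits no token field, unlike the profile pages changed in this commit. Apart from quoting `'unibo'`, the hunk appears to re-add the file unchanged, so these lines predate the commit but remain unaddressed on the new side.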
@@ -1,103 +1,104 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -$page = 'tests'; -define('TR_INCLUDE_PATH', '../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsAssocDAO.class.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); - -global $_course_id; -Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); -$testsQuestionsDAO = new TestsQuestionsDAO(); -$testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); - -$tid = intval($_POST['tid']); - -$_pages['tests/questions.php?tid='.$tid.'&_course_id='.$_course_id]['title_var'] = 'questions'; -$_pages['tests/questions.php?tid='.$tid.'&_course_id='.$_course_id]['parent'] = 'tests/index.php'; -$_pages['tests/questions.php?tid='.$tid.'&_course_id='.$_course_id]['children'] = array('tests/add_test_questions.php'); - -$_pages['tests/add_test_questions.php']['title_var'] = 'add_questions'; -$_pages['tests/add_test_questions.php']['parent'] = 'tests/questions.php?tid='.$tid.'&_course_id='.$_course_id; - -$_pages['tests/add_test_questions_confirm.php']['title_var'] = 'add_questions'; -$_pages['tests/add_test_questions_confirm.php']['parent'] = 'tests/questions.php?tid='.$tid.'&_course_id='.$_course_id; - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: questions.php?tid='.$tid.'&_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit_yes'])) { - //get order - 
$order = $testsQuestionsAssocDAO->getMaxOrderByTestID($tid); - - $sql = "REPLACE INTO ".TABLE_PREFIX."tests_questions_assoc VALUES "; - $values = array(); - foreach ($_POST['questions'] as $question) { - $order++; - $question = intval($question); - //$sql .= '('.$tid.', '.$question.', 0, '.$order.'),'; - $sql .= '(?, ?, 0, ?),'; - $values = array_merge($values, array($tid, $question, $order)); - $types .= "iii"; - } - $sql = substr($sql, 0, -1); - - if ($testsQuestionsAssocDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: questions.php?tid='.$tid.'&_course_id='.$_course_id); - exit; - } - else { - $msg->addError('DB_NOT_UPDATED'); - } -} else if (isset($_POST['submit_no'])) { - $msg->addFeedback('CANCELLED'); - header('Location: add_test_questions.php?tid='.$tid.'&_course_id='.$_course_id); - exit; -} - -if (!is_array($_POST['questions']) || !count($_POST['questions'])) { - $msg->addError('NO_QUESTIONS_SELECTED'); - header('Location: add_test_questions.php?tid='.$tid.'&_course_id='.$_course_id); - require_once(TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -foreach ($_POST['questions'] as $id => $cat_array) { - foreach ($cat_array as $idx => $q) { - $_POST['questions'][$id][$idx] = intval($q); - $questions[] = intval($q); - } -} - -$rows = $testsQuestionsDAO->getByQuestionIDs($questions); - -$questions = ''; -if (is_array($rows)) { - foreach ($rows as $row) { - $questions .= '<li>'.htmlspecialchars($row['question']).'</li>'; - $questions_array['questions['.$row['question_id'].']'] = $row['question_id']; - } -} -$questions_array['tid'] = $_POST['tid']; -$questions_array['_course_id'] = $_course_id; -$msg->addConfirm(array('ADD_TEST_QUESTIONS', $questions), $questions_array); - -$msg->printConfirm(); -?> - -<?php require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> +<?php +/************************************************************************/ +/* 
AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +$page = 'tests'; +define('TR_INCLUDE_PATH', '../include/'); + +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsAssocDAO.class.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); + +global $_course_id; +Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); +$testsQuestionsDAO = new TestsQuestionsDAO(); +$testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); + +$tid = intval($_POST['tid']); + +$_pages['tests/questions.php?tid='.$tid.'&_course_id='.$_course_id]['title_var'] = 'questions'; +$_pages['tests/questions.php?tid='.$tid.'&_course_id='.$_course_id]['parent'] = 'tests/index.php'; +$_pages['tests/questions.php?tid='.$tid.'&_course_id='.$_course_id]['children'] = array('tests/add_test_questions.php'); + +$_pages['tests/add_test_questions.php']['title_var'] = 'add_questions'; +$_pages['tests/add_test_questions.php']['parent'] = 'tests/questions.php?tid='.$tid.'&_course_id='.$_course_id; + +$_pages['tests/add_test_questions_confirm.php']['title_var'] = 'add_questions'; +$_pages['tests/add_test_questions_confirm.php']['parent'] = 'tests/questions.php?tid='.$tid.'&_course_id='.$_course_id; + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: questions.php?tid='.$tid.'&_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit_yes'])) { + //get order + $order = $testsQuestionsAssocDAO->getMaxOrderByTestID($tid); + + $sql = "REPLACE INTO 
".TABLE_PREFIX."tests_questions_assoc VALUES "; + $values = array(); + foreach ($_POST['questions'] as $question) { + $order++; + $question = intval($question); + //$sql .= '('.$tid.', '.$question.', 0, '.$order.'),'; + $sql .= '(?, ?, 0, ?),'; + $values = array_merge($values, array($tid, $question, $order)); + $types .= "iii"; + } + $sql = substr($sql, 0, -1); + + if ($testsQuestionsAssocDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: questions.php?tid='.$tid.'&_course_id='.$_course_id); + exit; + } + else { + $msg->addError('DB_NOT_UPDATED'); + } +} else if (isset($_POST['submit_no'])) { + $msg->addFeedback('CANCELLED'); + header('Location: add_test_questions.php?tid='.$tid.'&_course_id='.$_course_id); + exit; +} + +if (!is_array($_POST['questions']) || !count($_POST['questions'])) { + $msg->addError('NO_QUESTIONS_SELECTED'); + header('Location: add_test_questions.php?tid='.$tid.'&_course_id='.$_course_id); + require_once(TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +foreach ($_POST['questions'] as $id => $cat_array) { + foreach ($cat_array as $idx => $q) { + $_POST['questions'][$id][$idx] = intval($q); + $questions[] = intval($q); + } +} + +$rows = $testsQuestionsDAO->getByQuestionIDs($questions); + +$questions = ''; +if (is_array($rows)) { + foreach ($rows as $row) { + $questions .= '<li>'.htmlspecialchars($row['question']).'</li>'; + $questions_array['questions['.$row['question_id'].']'] = $row['question_id']; + } +} +$questions_array['tid'] = $_POST['tid']; +$questions_array['_course_id'] = $_course_id; +$msg->addConfirm(array('ADD_TEST_QUESTIONS', $questions), $questions_array); + +$msg->printConfirm(); +?> + +<?php require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/create_question_likert.php b/tests/create_question_likert.php index fc9e6f14..99924e06 100644 --- a/tests/create_question_likert.php 
+++ b/tests/create_question_likert.php 
@@ -1,123 +1,126 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', '../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'../tests/lib/likert_presets.inc.php'); -require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); -require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); - -global $_course_id; -Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); - -$testsQuestionsDAO = new TestsQuestionsDAO(); - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit'])) { - $_POST['question'] = trim($_POST['question']); - $_POST['category_id'] = intval($_POST['category_id']); - - $empty_fields = array(); - if ($_POST['question'] == ''){ - $empty_fields[] = _AT('question'); - } - if ($_POST['choice'][0] == '') { - $empty_fields[] = _AT('choice').' 1'; - } - - if ($_POST['choice'][1] == '') { - $empty_fields[] = _AT('choice').' 
2'; - } - - if (!empty($empty_fields)) { - $msg->addError(array('EMPTY_FIELDS', implode(', ', $empty_fields))); - } - - if (!$msg->containsErrors()) { - $_POST['feedback'] = ''; - $_POST['question'] = htmlspecialchars($_POST['question'], ENT_QUOTES); - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = trim(htmlspecialchars($_POST['choice'][$i], ENT_QUOTES)); - $_POST['answer'][$i] = intval($_POST['answer'][$i]); - - if ($_POST['choice'][$i] == '') { - /* an empty option can't be correct */ - $_POST['answer'][$i] = 0; - } - } - $values= array($_POST['category_id'], - $_course_id, - $_POST['feedback'], - $_POST['question'], - $_POST['choice'][0], - $_POST['choice'][1], - $_POST['choice'][2], - $_POST['choice'][3], - $_POST['choice'][4], - $_POST['choice'][5], - $_POST['choice'][6], - $_POST['choice'][7], - $_POST['choice'][8], - $_POST['choice'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9]); - $types = "iissssssssssssiiiiiiiiii"; - $sql = TR_SQL_QUESTION_LIKERT; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } - else { - $msg->addError('DB_NOT_UPDATED'); - } - } -} else if (isset($_POST['preset'])) { - // load preset - $_POST['preset_num'] = intval($_POST['preset_num']); - - if (isset($_likert_preset[$_POST['preset_num']])) { - $_POST['choice'] = $_likert_preset[$_POST['preset_num']]; - } else if ($_POST['preset_num']) { - $row = $testsQuestionsDAO->get($_POST[preset_num]); - if (isset($row)) { - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = $row['choice_' . 
$i]; - } - } - } -} - -global $onload; -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('likert_preset', $_likert_preset); -$savant->assign('testsQuestionsDAO', $testsQuestionsDAO); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_likert.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +define('TR_INCLUDE_PATH', '../include/'); + +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once(TR_INCLUDE_PATH.'../tests/lib/likert_presets.inc.php'); +require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); +require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); + +global $_course_id; +Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); + +$testsQuestionsDAO = new TestsQuestionsDAO(); + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit'])) { + + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['category_id'] = intval($_POST['category_id']); + + $empty_fields = array(); + if ($_POST['question'] == ''){ + $empty_fields[] = _AT('question'); + } + if ($_POST['choice'][0] == '') { + $empty_fields[] = _AT('choice').' 
1'; + } + + if ($_POST['choice'][1] == '') { + $empty_fields[] = _AT('choice').' 2'; + } + + if (!empty($empty_fields)) { + $msg->addError(array('EMPTY_FIELDS', implode(', ', $empty_fields))); + } + + if (!$msg->containsErrors()) { + $_POST['feedback'] = ''; + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i])))); + $_POST['answer'][$i] = intval($_POST['answer'][$i]); + + if ($_POST['choice'][$i] == '') { + /* an empty option can't be correct */ + $_POST['answer'][$i] = 0; + } + } + $values= array($_POST['category_id'], + $_course_id, + $_POST['feedback'], + $_POST['question'], + $_POST['choice'][0], + $_POST['choice'][1], + $_POST['choice'][2], + $_POST['choice'][3], + $_POST['choice'][4], + $_POST['choice'][5], + $_POST['choice'][6], + $_POST['choice'][7], + $_POST['choice'][8], + $_POST['choice'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9]); + $types = "iissssssssssssiiiiiiiiii"; + $sql = TR_SQL_QUESTION_LIKERT; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; + } + else { + $msg->addError('DB_NOT_UPDATED'); + } + } + +} else if (isset($_POST['preset'])) { + // load preset + $_POST['preset_num'] = intval($_POST['preset_num']); + + if (isset($_likert_preset[$_POST['preset_num']])) { + $_POST['choice'] = $_likert_preset[$_POST['preset_num']]; + } else if ($_POST['preset_num']) { + $row = $testsQuestionsDAO->get($_POST[preset_num]); + if (isset($row)) { + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = $row['choice_' . 
$i]; + } + } + } +} + +global $onload; +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('likert_preset', $_likert_preset); +$savant->assign('testsQuestionsDAO', $testsQuestionsDAO); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_likert.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/create_question_long.php b/tests/create_question_long.php index cd94c078..13d17f4b 100644 --- a/tests/create_question_long.php +++ b/tests/create_question_long.php 
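Review bot: `$_POST['question']` goes through `htmlspecialchars(trim(stripslashes(strip_tags(...))))` twice, once right after the `submit` check and again inside `if (!$msg->containsErrors())`, so an ampersand typed in a question is stored as `&amp;amp;`; the second assignment should be dropped. The new chain also calls `htmlspecialchars()` without the `ENT_QUOTES` flag the removed lines passed, which on PHP before 8.1 leaves single quotes unencoded, and `stripslashes()` removes backslashes an author typed on purpose. The values appear to reach the database through bound parameters already, so I would store the trimmed text as entered and encode it where it is printed, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` in the template. The same chain is added in the create_question_long.php, create_question_matching.php and create_question_matchingdd.php hunks.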
@@ -1,67 +1,70 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', '../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); -require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); - -Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); -$testsQuestionsDAO = new TestsQuestionsDAO(); - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} else if ($_POST['submit']) { - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['question'] = trim($_POST['question']); - $_POST['category_id'] = intval($_POST['category_id']); - $_POST['properties'] = intval($_POST['properties']); - - if ($_POST['question'] == ''){ - $msg->addError(array('EMPTY_FIELDS', _AT('question'))); - } - - if (!$msg->containsErrors()) { - - $values = array($_POST['category_id'], - $_course_id, - $_POST['feedback'], - $_POST['question'], - $_POST['properties']); - $types = "iissi"; - $sql = TR_SQL_QUESTION_LONG; - - if ($testsQuestionsDAO->execute($sql, $values, $types)) - { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } - } -} - -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -if (!isset($_POST['properties'])) { - $_POST['properties'] = 1; -} - 
-$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_long.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. */ +/************************************************************************/ + +define('TR_INCLUDE_PATH', '../include/'); +; +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); +require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); + +Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); +$testsQuestionsDAO = new TestsQuestionsDAO(); + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} else if ($_POST['submit']) { + + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['category_id'] = intval($_POST['category_id']); + $_POST['properties'] = intval($_POST['properties']); + + if ($_POST['question'] == ''){ + $msg->addError(array('EMPTY_FIELDS', _AT('question'))); + } + + if (!$msg->containsErrors()) { + + $values = array($_POST['category_id'], + $_course_id, + $_POST['feedback'], + $_POST['question'], + $_POST['properties']); + $types = "iissi"; + $sql = TR_SQL_QUESTION_LONG; + + if ($testsQuestionsDAO->execute($sql, $values, $types)) + { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); 
+ header('Location: question_db.php?_course_id='.$_course_id); + exit; + } + } + +} + +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +if (!isset($_POST['properties'])) { + $_POST['properties'] = 1; +} + +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_long.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/create_question_matching.php b/tests/create_question_matching.php index 0f40b0ca..14e9b042 100644 --- a/tests/create_question_matching.php +++ b/tests/create_question_matching.php 
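Review bot: The added line holding only `;` after `define('TR_INCLUDE_PATH', '../include/');` is an empty statement that looks like a typo and should be deleted. In the same hunk `else if ($_POST['submit'])` reads the key without `isset()`, unlike the `isset($_POST['cancel'])` test just above it, so a plain GET of the page raises an undefined-index notice (a warning on PHP 8). Writing it as `else if (isset($_POST['submit']))` matches the create_question_likert.php handler.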
@@ -1,105 +1,108 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', '../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); -require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); - -global $_course_id; - -Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); -$testsQuestionsDAO = new TestsQuestionsDAO(); - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: question_db.php'); - exit; -} else if ($_POST['submit']) { - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['instructions'] = trim($_POST['instructions']); - $_POST['category_id'] = intval($_POST['category_id']); - - for ($i = 0 ; $i < 10; $i++) { - $_POST['question'][$i] = trim($_POST['question'][$i]); - $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; - $_POST['answer'][$i] = trim($_POST['answer'][$i]); - } - - if (!$_POST['question'][0] - || !$_POST['question'][1] - || !$_POST['answer'][0] - || !$_POST['answer'][1]) { - - $msg->addError('QUESTION_EMPTY'); - } - - - if (!$msg->containsErrors()) { - $values = array($_POST['category_id'], - $_course_id, - $_POST['feedback'], - $_POST['instructions'], - $_POST['question'][0], - $_POST['question'][1], - $_POST['question'][2], - $_POST['question'][3], - $_POST['question'][4], - $_POST['question'][5], - $_POST['question'][6], - $_POST['question'][7], - 
$_POST['question'][8], - $_POST['question'][9], - $_POST['question_answer'][0], - $_POST['question_answer'][1], - $_POST['question_answer'][2], - $_POST['question_answer'][3], - $_POST['question_answer'][4], - $_POST['question_answer'][5], - $_POST['question_answer'][6], - $_POST['question_answer'][7], - $_POST['question_answer'][8], - $_POST['question_answer'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9] - ); - $types = "iissssssssssssiiiiiiiiiissssssssss"; - $sql = TR_SQL_QUESTION_MATCHING; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } - } -} - -// for matching test questions -$_letters = array(_AT('a'), _AT('b'), _AT('c'), _AT('d'), _AT('e'), _AT('f'), _AT('g'), _AT('h'), _AT('i'), _AT('j')); - -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('letters', $_letters); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_matching.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. 
*/ +/************************************************************************/ + +define('TR_INCLUDE_PATH', '../include/'); + +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); +require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); + +global $_course_id; + +Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); +$testsQuestionsDAO = new TestsQuestionsDAO(); + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: question_db.php'); + exit; +} else if ($_POST['submit']) { + + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['instructions'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['instructions'])))); + $_POST['category_id'] = intval($_POST['category_id']); + + for ($i = 0 ; $i < 10; $i++) { + $_POST['question'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'][$i])))); + $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; + $_POST['answer'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['answer'][$i])))); + } + + if (!$_POST['question'][0] + || !$_POST['question'][1] + || !$_POST['answer'][0] + || !$_POST['answer'][1]) { + + $msg->addError('QUESTION_EMPTY'); + } + + + if (!$msg->containsErrors()) { + $values = array($_POST['category_id'], + $_course_id, + $_POST['feedback'], + $_POST['instructions'], + $_POST['question'][0], + $_POST['question'][1], + $_POST['question'][2], + $_POST['question'][3], + $_POST['question'][4], + $_POST['question'][5], + $_POST['question'][6], + $_POST['question'][7], + $_POST['question'][8], + $_POST['question'][9], + $_POST['question_answer'][0], + $_POST['question_answer'][1], + $_POST['question_answer'][2], + $_POST['question_answer'][3], + $_POST['question_answer'][4], + $_POST['question_answer'][5], + $_POST['question_answer'][6], + 
$_POST['question_answer'][7], + $_POST['question_answer'][8], + $_POST['question_answer'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9] + ); + $types = "iissssssssssssiiiiiiiiiissssssssss"; + $sql = TR_SQL_QUESTION_MATCHING; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; + } + } + +} + +// for matching test questions +$_letters = array(_AT('a'), _AT('b'), _AT('c'), _AT('d'), _AT('e'), _AT('f'), _AT('g'), _AT('h'), _AT('i'), _AT('j')); + +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('letters', $_letters); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_matching.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/create_question_matchingdd.php b/tests/create_question_matchingdd.php index 91727a1a..3ba8636c 100644 --- a/tests/create_question_matchingdd.php +++ b/tests/create_question_matchingdd.php 
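Review bot: The loop `for ($i = 0 ; $i < 10; $i++)` hands `$_POST['question'][$i]` and `$_POST['answer'][$i]` straight to `strip_tags()` without checking that each one exists and is a string. A request that omits an index passes null, and one that sends an array for an element makes `strip_tags()` raise a TypeError on PHP 8, so the handler fails before the `QUESTION_EMPTY` validation runs. A guard such as `isset($_POST['question'][$i]) && is_string($_POST['question'][$i])`, with `''` as the fallback, keeps the normal error path. Separately, the cancel branch redirects to `question_db.php` without `?_course_id=`, unlike the other create_question_* handlers in this diff.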
@@ -1,107 +1,110 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', '../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); -require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); - -global $_course_id; - -Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); -$testsQuestionsDAO = new TestsQuestionsDAO(); - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} else if ($_POST['submit']) { - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['instructions'] = trim($_POST['instructions']); - $_POST['category_id'] = intval($_POST['category_id']); - - for ($i = 0 ; $i < 10; $i++) { - $_POST['question'][$i] = trim($_POST['question'][$i]); - $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; - $_POST['answer'][$i] = trim($_POST['answer'][$i]); - } - - if (!$_POST['question'][0] - || !$_POST['question'][1] - || !$_POST['answer'][0] - || !$_POST['answer'][1]) { - - $msg->addError('QUESTION_EMPTY'); - } - - - if (!$msg->containsErrors()) { - - $values = array($_POST['category_id'], - $_course_id, - $_POST['feedback'], - $_POST['instructions'], - $_POST['question'][0], - $_POST['question'][1], - $_POST['question'][2], - $_POST['question'][3], - $_POST['question'][4], - $_POST['question'][5], - $_POST['question'][6], - 
$_POST['question'][7], - $_POST['question'][8], - $_POST['question'][9], - $_POST['question_answer'][0], - $_POST['question_answer'][1], - $_POST['question_answer'][2], - $_POST['question_answer'][3], - $_POST['question_answer'][4], - $_POST['question_answer'][5], - $_POST['question_answer'][6], - $_POST['question_answer'][7], - $_POST['question_answer'][8], - $_POST['question_answer'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9] - ); - $types = "iissssssssssssiiiiiiiiiissssssssss"; - $sql = TR_SQL_QUESTION_MATCHINGDD; - - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } - } -} - -// for matching test questions -$_letters = array(_AT('a'), _AT('b'), _AT('c'), _AT('d'), _AT('e'), _AT('f'), _AT('g'), _AT('h'), _AT('i'), _AT('j')); - -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('letters', $_letters); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_matchingdd.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +<?php +/************************************************************************/ +/* AContent */ +/************************************************************************/ +/* Copyright (c) 2010 */ +/* Inclusive Design Institute */ +/* */ +/* This program is free software. You can redistribute it and/or */ +/* modify it under the terms of the GNU General Public License */ +/* as published by the Free Software Foundation. 
*/ +/************************************************************************/ + +define('TR_INCLUDE_PATH', '../include/'); + +require_once(TR_INCLUDE_PATH.'vitals.inc.php'); +require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php'); +require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); +require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); + +global $_course_id; + +Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE); +$testsQuestionsDAO = new TestsQuestionsDAO(); + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} else if ($_POST['submit']) { + + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['instructions'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['instructions'])))); + $_POST['category_id'] = intval($_POST['category_id']); + + for ($i = 0 ; $i < 10; $i++) { + $_POST['question'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'][$i])))); + $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; + $_POST['answer'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['answer'][$i])))); + } + + if (!$_POST['question'][0] + || !$_POST['question'][1] + || !$_POST['answer'][0] + || !$_POST['answer'][1]) { + + $msg->addError('QUESTION_EMPTY'); + } + + + if (!$msg->containsErrors()) { + + $values = array($_POST['category_id'], + $_course_id, + $_POST['feedback'], + $_POST['instructions'], + $_POST['question'][0], + $_POST['question'][1], + $_POST['question'][2], + $_POST['question'][3], + $_POST['question'][4], + $_POST['question'][5], + $_POST['question'][6], + $_POST['question'][7], + $_POST['question'][8], + $_POST['question'][9], + $_POST['question_answer'][0], + $_POST['question_answer'][1], + $_POST['question_answer'][2], + $_POST['question_answer'][3], + $_POST['question_answer'][4], + $_POST['question_answer'][5], + 
$_POST['question_answer'][6], + $_POST['question_answer'][7], + $_POST['question_answer'][8], + $_POST['question_answer'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9] + ); + $types = "iissssssssssssiiiiiiiiiissssssssss"; + $sql = TR_SQL_QUESTION_MATCHINGDD; + + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; + } + } + +} + +// for matching test questions +$_letters = array(_AT('a'), _AT('b'), _AT('c'), _AT('d'), _AT('e'), _AT('f'), _AT('g'), _AT('h'), _AT('i'), _AT('j')); + +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('letters', $_letters); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_matchingdd.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/create_question_multianswer.php b/tests/create_question_multianswer.php index 887a6de4..68eb603d 100644 --- a/tests/create_question_multianswer.php +++ b/tests/create_question_multianswer.php 
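Review bot: Nothing in this hunk checks the request token before the `$_POST['submit']` branch writes to the database, although the same commit adds class_csrf.php with `isValid()` and `exitOnFailure()`. Unless vitals.inc.php performs that check (it is not visible here), the branch should call `exitOnFailure()` before `$testsQuestionsDAO->execute($sql, $values, $types)`, and the form template has to submit the `token` field. The create_question_likert.php, create_question_long.php and create_question_matching.php hunks are in the same position.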
@@ -1,130 +1,133 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-define('TR_INCLUDE_PATH', '../include/');
-require_once(TR_INCLUDE_PATH.'vitals.inc.php');
-require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
-
-global $_course_id;
-
-Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
-$testsQuestionsDAO = new TestsQuestionsDAO();
-
-if (isset($_POST['cancel']) || isset($_POST['submit_no'])) {
- $msg->addFeedback('CANCELLED');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
-} else if ($_POST['submit'] || $_POST['submit_yes']) {
- $_POST['required'] = intval($_POST['required']);
- $_POST['feedback'] = trim(htmlspecialchars($_POST['feedback'], ENT_QUOTES));
- $_POST['question'] = trim(htmlspecialchars($_POST['question'], ENT_QUOTES));
- $_POST['category_id'] = intval($_POST['category_id']);
-
- if ($_POST['question'] == ''){
- $msg->addError(array('EMPTY_FIELDS', _AT('question')));
- }
-
- if (!$msg->containsErrors()) {
- $choice_new = array(); // stores the non-blank choices
- $answer_new = array(); // stores the associated "answer" for the choices
- for ($i=0; $i<10; $i++) {
- /**
- * Db defined it to be 255 length, chop strings off it it's less than that
- * @harris
- */
- $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255);
- $_POST['choice'][$i] = trim(htmlspecialchars($_POST['choice'][$i], ENT_QUOTES));
- $_POST['answer'][$i] = intval($_POST['answer'][$i]);
-
- if ($_POST['choice'][$i] == '') {
- /* an empty option can't be correct */
- $_POST['answer'][$i] = 0;
- } else {
- /* filter out empty choices/ remove gaps */
- $choice_new[] = $_POST['choice'][$i];
- $answer_new[] = $_POST['answer'][$i];
-
- if ($_POST['answer'][$i] != 0)
- $has_answer = TRUE;
- }
- }
-
- if ($has_answer != TRUE && !$_POST['submit_yes']) {
-
- $hidden_vars['required'] = htmlspecialchars($_POST['required'], ENT_QUOTES);
- $hidden_vars['feedback'] = htmlspecialchars($_POST['feedback'], ENT_QUOTES);
- $hidden_vars['question'] = htmlspecialchars($_POST['question'], ENT_QUOTES);
- $hidden_vars['category_id'] = intval($_POST['category_id']);
- $hidden_vars['_course_id'] = $_course_id;
-
- for ($i = 0; $i < count($choice_new); $i++) {
- $hidden_vars['answer['.$i.']'] = htmlspecialchars($answer_new[$i], ENT_QUOTES);
- $hidden_vars['choice['.$i.']'] = htmlspecialchars($choice_new[$i], ENT_QUOTES);
- }
-
- $msg->addConfirm('NO_ANSWER', $hidden_vars);
- } else {
-
- $_POST['answer'] = $answer_new;
- $_POST['choice'] = $choice_new;
- $_POST['answer'] = array_pad($_POST['answer'], 10, 0);
- $_POST['choice'] = array_pad($_POST['choice'], 10, '');
-
- $values = array( $_POST['category_id'],
- $_course_id,
- $_POST['feedback'],
- $_POST['question'],
- $_POST['choice'][0],
- $_POST['choice'][1],
- $_POST['choice'][2],
- $_POST['choice'][3],
- $_POST['choice'][4],
- $_POST['choice'][5],
- $_POST['choice'][6],
- $_POST['choice'][7],
- $_POST['choice'][8],
- $_POST['choice'][9],
- $_POST['answer'][0],
- $_POST['answer'][1],
- $_POST['answer'][2],
- $_POST['answer'][3],
- $_POST['answer'][4],
- $_POST['answer'][5],
- $_POST['answer'][6],
- $_POST['answer'][7],
- $_POST['answer'][8],
- $_POST['answer'][9]);
- $types = "iissssssssssssiiiiiiiiii";
- $sql = TR_SQL_QUESTION_MULTIANSWER;
- if ($testsQuestionsDAO->execute($sql, $values, $types)) {
- $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
- }
- }
- }
-}
-
-$onload = 'document.form.category_id.focus();';
-
-require_once(TR_INCLUDE_PATH.'header.inc.php');
-
-$msg->printConfirm();
-
-$savant->assign('qid', $qid);
-$savant->assign('tid', $_REQUEST['tid']);
-$savant->assign('course_id', $_course_id);
-$savant->display('tests/create_edit_question_multianswer.tmpl.php');
-
-require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+define('TR_INCLUDE_PATH', '../include/');
+
+require_once(TR_INCLUDE_PATH.'vitals.inc.php');
+require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
+
+global $_course_id;
+
+Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
+$testsQuestionsDAO = new TestsQuestionsDAO();
+
+if (isset($_POST['cancel']) || isset($_POST['submit_no'])) {
+ $msg->addFeedback('CANCELLED');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+} else if ($_POST['submit'] || $_POST['submit_yes']) {
+
+ $_POST['required'] = intval($_POST['required']);
+ $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback']))));
+ $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question']))));
+ $_POST['category_id'] = intval($_POST['category_id']);
+
+ if ($_POST['question'] == ''){
+ $msg->addError(array('EMPTY_FIELDS', _AT('question')));
+ }
+
+ if (!$msg->containsErrors()) {
+ $choice_new = array(); // stores the non-blank choices
+ $answer_new = array(); // stores the associated "answer" for the choices
+ for ($i=0; $i<10; $i++) {
+ /**
+ * Db defined it to be 255 length, chop strings off it it's less than that
+ * @harris
+ */
+ $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255);
+ $_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));
+ $_POST['answer'][$i] = intval($_POST['answer'][$i]);
+
+ if ($_POST['choice'][$i] == '') {
+ /* an empty option can't be correct */
+ $_POST['answer'][$i] = 0;
+ } else {
+ /* filter out empty choices/ remove gaps */
+ $choice_new[] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));
+ $answer_new[] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['answer'][$i]))));
+
+ if ($_POST['answer'][$i] != 0)
+ $has_answer = TRUE;
+ }
+ }
+
+ if ($has_answer != TRUE && !$_POST['submit_yes']) {
+
+ $hidden_vars['required'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['required']))));
+ $hidden_vars['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback']))));
+ $hidden_vars['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question']))));
+ $hidden_vars['category_id'] = intval($_POST['category_id']);
+ $hidden_vars['_course_id'] = $_course_id;
+
+ for ($i = 0; $i < count($choice_new); $i++) {
+ $hidden_vars['answer['.$i.']'] = htmlspecialchars(trim(stripslashes(strip_tags($answer_new[$i]))));
+ $hidden_vars['choice['.$i.']'] = htmlspecialchars(trim(stripslashes(strip_tags($choice_new[$i]))));
+ }
+
+ $msg->addConfirm('NO_ANSWER', $hidden_vars);
+ } else {
+
+ $_POST['answer'] = $answer_new;
+ $_POST['choice'] = $choice_new;
+ $_POST['answer'] = array_pad($_POST['answer'], 10, 0);
+ $_POST['choice'] = array_pad($_POST['choice'], 10, '');
+
+ $values = array( $_POST['category_id'],
+ $_course_id,
+ $_POST['feedback'],
+ $_POST['question'],
+ $_POST['choice'][0],
+ $_POST['choice'][1],
+ $_POST['choice'][2],
+ $_POST['choice'][3],
+ $_POST['choice'][4],
+ $_POST['choice'][5],
+ $_POST['choice'][6],
+ $_POST['choice'][7],
+ $_POST['choice'][8],
+ $_POST['choice'][9],
+ $_POST['answer'][0],
+ $_POST['answer'][1],
+ $_POST['answer'][2],
+ $_POST['answer'][3],
+ $_POST['answer'][4],
+ $_POST['answer'][5],
+ $_POST['answer'][6],
+ $_POST['answer'][7],
+ $_POST['answer'][8],
+ $_POST['answer'][9]);
+ $types = "iissssssssssssiiiiiiiiii";
+ $sql = TR_SQL_QUESTION_MULTIANSWER;
+ if ($testsQuestionsDAO->execute($sql, $values, $types)) {
+ $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+ }
+ }
+ }
+
+}
+
+$onload = 'document.form.category_id.focus();';
+
+require_once(TR_INCLUDE_PATH.'header.inc.php');
+
+$msg->printConfirm();
+
+$savant->assign('qid', $qid);
+$savant->assign('tid', $_REQUEST['tid']);
+$savant->assign('course_id', $_course_id);
+$savant->display('tests/create_edit_question_multianswer.tmpl.php');
+
+require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
diff --git a/tests/create_question_multichoice.php b/tests/create_question_multichoice.php
index 9a6673b2..bdbba9f1 100644
--- a/tests/create_question_multichoice.php
+++ b/tests/create_question_multichoice.php
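Review bot: `$choice_new[] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));` encodes a value that the same chain already processed two lines earlier, and the `$hidden_vars` assignments then encode `$choice_new[$i]`, `feedback` and `question` once more, so an `&` typed by the author is saved as `&amp;amp;` and gains a further layer in the confirm form. Keep one encoding step per value, e.g. `$choice_new[] = $_POST['choice'][$i];` and `$answer_new[] = $_POST['answer'][$i];` (the answer is already an `intval()` result and is bound with type `i`). The same repeated call on `$choice_new[]` is in the create_question_ordering.php hunk. `Utility::validateLength(..., 255)` also runs before the encoding, so the encoded string can exceed the 255 characters the comment gives for the column.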
@@ -1,91 +1,94 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-define('TR_INCLUDE_PATH', '../include/');
-require_once(TR_INCLUDE_PATH.'vitals.inc.php');
-require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
-
-global $_course_id;
-
-Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
-$testsQuestionsDAO = new TestsQuestionsDAO();
-
-if (isset($_POST['cancel']) || isset($_POST['submit_no'])) {
- $msg->addFeedback('CANCELLED');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
-} else if (isset($_POST['submit'])) {
- $_POST['required'] = intval($_POST['required']);
- $_POST['feedback'] = trim(htmlspecialchars($_POST['feedback'], ENT_QUOTES));
- $_POST['question'] = trim(htmlspecialchars($_POST['question'], ENT_QUOTES));
- $_POST['category_id'] = intval($_POST['category_id']);
- $_POST['answer'] = intval($_POST['answer']);
-
- if ($_POST['question'] == ''){
- $msg->addError(array('EMPTY_FIELDS', _AT('question')));
- }
-
- if (!$msg->containsErrors()) {
- for ($i=0; $i<10; $i++) {
- $_POST['choice'][$i] = trim(htmlspecialchars($_POST['choice'][$i], ENT_QUOTES));
- }
-
- $answers = array_fill(0, 10, 0);
- $answers[$_POST['answer']] = 1;
- $values = array($_POST['category_id'],
- $_course_id,
- $_POST['feedback'],
- $_POST['question'],
- $_POST['choice'][0],
- $_POST['choice'][1],
- $_POST['choice'][2],
- $_POST['choice'][3],
- $_POST['choice'][4],
- $_POST['choice'][5],
- $_POST['choice'][6],
- $_POST['choice'][7],
- $_POST['choice'][8],
- $_POST['choice'][9],
- $answers[0],
- $answers[1],
- $answers[2],
- $answers[3],
- $answers[4],
- $answers[5],
- $answers[6],
- $answers[7],
- $answers[8],
- $answers[9]);
- $types = "iissssssssssssiiiiiiiiii";
- $sql = TR_SQL_QUESTION_MULTI;
- if ($testsQuestionsDAO->execute($sql, $values, $types)) {
- $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
- }
- }
-} else {
- $_POST['answer'] = 0;
-}
-
-$onload = 'document.form.category_id.focus();';
-
-require_once(TR_INCLUDE_PATH.'header.inc.php');
-
-$msg->printConfirm();
-
-$savant->assign('course_id', $_course_id);
-$savant->display('tests/create_edit_question_multichoice.tmpl.php');
-
-require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+define('TR_INCLUDE_PATH', '../include/');
+
+require_once(TR_INCLUDE_PATH.'vitals.inc.php');
+require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
+
+global $_course_id;
+
+Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
+$testsQuestionsDAO = new TestsQuestionsDAO();
+
+if (isset($_POST['cancel']) || isset($_POST['submit_no'])) {
+ $msg->addFeedback('CANCELLED');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+} else if (isset($_POST['submit'])) {
+
+ $_POST['required'] = intval($_POST['required']);
+ $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback']))));
+ $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question']))));
+ $_POST['category_id'] = intval($_POST['category_id']);
+ $_POST['answer'] = intval($_POST['answer']);
+
+ if ($_POST['question'] == ''){
+ $msg->addError(array('EMPTY_FIELDS', _AT('question')));
+ }
+
+ if (!$msg->containsErrors()) {
+ for ($i=0; $i<10; $i++) {
+ $_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));
+ }
+
+ $answers = array_fill(0, 10, 0);
+ $answers[$_POST['answer']] = 1;
+ $values = array($_POST['category_id'],
+ $_course_id,
+ $_POST['feedback'],
+ $_POST['question'],
+ $_POST['choice'][0],
+ $_POST['choice'][1],
+ $_POST['choice'][2],
+ $_POST['choice'][3],
+ $_POST['choice'][4],
+ $_POST['choice'][5],
+ $_POST['choice'][6],
+ $_POST['choice'][7],
+ $_POST['choice'][8],
+ $_POST['choice'][9],
+ $answers[0],
+ $answers[1],
+ $answers[2],
+ $answers[3],
+ $answers[4],
+ $answers[5],
+ $answers[6],
+ $answers[7],
+ $answers[8],
+ $answers[9]);
+ $types = "iissssssssssssiiiiiiiiii";
+ $sql = TR_SQL_QUESTION_MULTI;
+ if ($testsQuestionsDAO->execute($sql, $values, $types)) {
+ $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+ }
+ }
+
+} else {
+ $_POST['answer'] = 0;
+}
+
+$onload = 'document.form.category_id.focus();';
+
+require_once(TR_INCLUDE_PATH.'header.inc.php');
+
+$msg->printConfirm();
+
+$savant->assign('course_id', $_course_id);
+$savant->display('tests/create_edit_question_multichoice.tmpl.php');
+
+require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
diff --git a/tests/create_question_ordering.php b/tests/create_question_ordering.php
index 2d78211d..61ca1497 100644
--- a/tests/create_question_ordering.php
+++ b/tests/create_question_ordering.php
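Review bot: The rewritten `htmlspecialchars(trim(stripslashes(strip_tags(...))))` calls drop the `ENT_QUOTES` flag that the removed lines passed, here for `feedback`, `question` and `choice[$i]`, and likewise in the create_question_multianswer.php hunk. On PHP versions before 8.1 the default flags leave single quotes unencoded, so a value later echoed inside a single-quoted attribute would no longer be neutralised; whether the templates do that is not visible in this diff. Pass the flags explicitly, e.g. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`, ideally through one shared helper so every question form applies the same encoding. `stripslashes()` and `strip_tags()` also change legitimate question text (backslashes, a literal `<`), which encoding only at output time would avoid.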
@@ -1,116 +1,120 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-define('TR_INCLUDE_PATH', '../include/');
-require_once(TR_INCLUDE_PATH.'vitals.inc.php');
-require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
-
-global $_course_id;
-
-Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
-$testsQuestionsDAO = new TestsQuestionsDAO();
-
-if (isset($_POST['cancel'])) {
- $msg->addFeedback('CANCELLED');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
-} else if ($_POST['submit']) {
- $missing_fields = array();
-
- $_POST['feedback'] = trim($_POST['feedback']);
- $_POST['question'] = trim($_POST['question']);
- $_POST['category_id'] = intval($_POST['category_id']);
-
- if ($_POST['question'] == ''){
- $missing_fields[] = _AT('question');
- }
-
- if (trim($_POST['choice'][0]) == '') {
- $missing_fields[] = _AT('item').' 1';
- }
- if (trim($_POST['choice'][1]) == '') {
- $missing_fields[] = _AT('item').' 2';
- }
-
- if ($missing_fields) {
- $missing_fields = implode(', ', $missing_fields);
- $msg->addError(array('EMPTY_FIELDS', $missing_fields));
- }
-
- if (!$msg->containsErrors()) {
- $choice_new = array(); // stores the non-blank choices
- $answer_new = array(); // stores the non-blank answers
- $order = 0; // order count
- for ($i=0; $i<10; $i++) {
- /**
- * Db defined it to be 255 length, chop strings off it it's less than that
- * @harris
- */
- $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255);
- $_POST['choice'][$i] = trim($_POST['choice'][$i]);
-
- if ($_POST['choice'][$i] != '') {
- /* filter out empty choices/ remove gaps */
- $choice_new[] = $_POST['choice'][$i];
- $answer_new[] = $order++;
- }
- }
-
- $_POST['choice'] = array_pad($choice_new, 10, '');
- $answer_new = array_pad($answer_new, 10, 0);
-
- $values = array($_POST['category_id'],
- $_course_id,
- $_POST['feedback'],
- $_POST['question'],
- $_POST['choice'][0],
- $_POST['choice'][1],
- $_POST['choice'][2],
- $_POST['choice'][3],
- $_POST['choice'][4],
- $_POST['choice'][5],
- $_POST['choice'][6],
- $_POST['choice'][7],
- $_POST['choice'][8],
- $_POST['choice'][9],
- $answer_new[0],
- $answer_new[1],
- $answer_new[2],
- $answer_new[3],
- $answer_new[4],
- $answer_new[5],
- $answer_new[6],
- $answer_new[7],
- $answer_new[8],
- $answer_new[9]);
- $types = "iissssssssssssiiiiiiiiii";
- $sql = TR_SQL_QUESTION_ORDERING;
- if ($testsQuestionsDAO->execute($sql, $values, $types)) {
- $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
- }
- else
- $msg->addError('DB_NOT_UPDATED');
- }
-}
-
-$onload = 'document.form.category_id.focus();';
-
-require_once(TR_INCLUDE_PATH.'header.inc.php');
-
-$savant->assign('course_id', $_course_id);
-$savant->display('tests/create_edit_question_ordering.tmpl.php');
-
-require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+define('TR_INCLUDE_PATH', '../include/');
+
+require_once(TR_INCLUDE_PATH.'vitals.inc.php');
+require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
+
+global $_course_id;
+
+Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
+$testsQuestionsDAO = new TestsQuestionsDAO();
+
+if (isset($_POST['cancel'])) {
+ $msg->addFeedback('CANCELLED');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+} else if ($_POST['submit']) {
+
+ $missing_fields = array();
+
+ $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback']))));
+ $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question']))));
+ $_POST['category_id'] = intval($_POST['category_id']);
+
+ if ($_POST['question'] == ''){
+ $missing_fields[] = _AT('question');
+ }
+
+ if (trim($_POST['choice'][0]) == '') {
+ $missing_fields[] = _AT('item').' 1';
+ }
+ if (trim($_POST['choice'][1]) == '') {
+ $missing_fields[] = _AT('item').' 2';
+ }
+
+ if ($missing_fields) {
+ $missing_fields = implode(', ', $missing_fields);
+ $msg->addError(array('EMPTY_FIELDS', $missing_fields));
+ }
+
+ if (!$msg->containsErrors()) {
+ $choice_new = array(); // stores the non-blank choices
+ $answer_new = array(); // stores the non-blank answers
+ $order = 0; // order count
+ for ($i=0; $i<10; $i++) {
+ /**
+ * Db defined it to be 255 length, chop strings off it it's less than that
+
+ * @harris
+ */
+ $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255);
+ $_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));
+
+ if ($_POST['choice'][$i] != '') {
+ /* filter out empty choices/ remove gaps */
+ $choice_new[] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));
+ $answer_new[] = $order++;
+ }
+ }
+
+ $_POST['choice'] = array_pad($choice_new, 10, '');
+ $answer_new = array_pad($answer_new, 10, 0);
+
+ $values = array($_POST['category_id'],
+ $_course_id,
+ $_POST['feedback'],
+ $_POST['question'],
+ $_POST['choice'][0],
+ $_POST['choice'][1],
+ $_POST['choice'][2],
+ $_POST['choice'][3],
+ $_POST['choice'][4],
+ $_POST['choice'][5],
+ $_POST['choice'][6],
+ $_POST['choice'][7],
+ $_POST['choice'][8],
+ $_POST['choice'][9],
+ $answer_new[0],
+ $answer_new[1],
+ $answer_new[2],
+ $answer_new[3],
+ $answer_new[4],
+ $answer_new[5],
+ $answer_new[6],
+ $answer_new[7],
+ $answer_new[8],
+ $answer_new[9]);
+ $types = "iissssssssssssiiiiiiiiii";
+ $sql = TR_SQL_QUESTION_ORDERING;
+ if ($testsQuestionsDAO->execute($sql, $values, $types)) {
+ $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+ }
+ else
+ $msg->addError('DB_NOT_UPDATED');
+ }
+
+}
+
+$onload = 'document.form.category_id.focus();';
+
+require_once(TR_INCLUDE_PATH.'header.inc.php');
+
+$savant->assign('course_id', $_course_id);
+$savant->display('tests/create_edit_question_ordering.tmpl.php');
+
+require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
diff --git a/tests/create_question_truefalse.php b/tests/create_question_truefalse.php
index 776d9278..924e416a 100644
--- a/tests/create_question_truefalse.php
+++ b/tests/create_question_truefalse.php
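Review bot: The required-item checks `trim($_POST['choice'][0]) == ''` and `trim($_POST['choice'][1]) == ''` still run on the raw input, before the loop applies `strip_tags()`. An item that consists only of markup therefore passes the check, becomes an empty string in the loop and is filtered out, so a question can be saved with fewer than the two items the form requires. Apply the sanitising chain to `choice[0]` and `choice[1]` before these checks, or move the whole sanitising loop above the validation block so the checks see the values that will be stored.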
@@ -1,62 +1,65 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-define('TR_INCLUDE_PATH', '../include/');
-require_once(TR_INCLUDE_PATH.'vitals.inc.php');
-require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
-
-global $_course_id;
-
-Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
-$testsQuestionsDAO = new TestsQuestionsDAO();
-
-if (isset($_POST['cancel'])) {
- $msg->addFeedback('CANCELLED');
- header('Location: question_db.php?_course_id='.$_course_id);
- exit;
-} else if ($_POST['submit']) {
- $_POST['required'] = 1; //intval($_POST['required']);
- $_POST['feedback'] = trim($_POST['feedback']);
- $_POST['question'] = trim($_POST['question']);
- $_POST['category_id'] = intval($_POST['category_id']);
- $_POST['answer'] = intval($_POST['answer']);
-
- if ($_POST['question'] == ''){
- $msg->addError(array('EMPTY_FIELDS', _AT('statement')));
- }
-
- if (!$msg->containsErrors()) {
- $sql = TR_SQL_QUESTION_TRUEFALSE;
- $values = array($_POST['category_id'],
- $_course_id,
- $_POST['feedback'],
- $_POST['question'],
- $_POST['answer']);
- $types = "iisss";
- if ($testsQuestionsDAO->execute($sql, $values, $types)) {
- $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
- header('Location: question_db.php?_course_id='.$_course_id);
- }
- else
- $msg->addError('DB_NOT_UPDATED');
- }
-}
-
-$onload = 'document.form.category_id.focus();';
-require_once(TR_INCLUDE_PATH.'header.inc.php');
-
-$savant->assign('course_id', $_course_id);
-$savant->display('tests/create_edit_question_truefalse.tmpl.php');
-
-require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+define('TR_INCLUDE_PATH', '../include/');
+
+require_once(TR_INCLUDE_PATH.'vitals.inc.php');
+require_once(TR_INCLUDE_PATH.'lib/test_question_queries.inc.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
+
+global $_course_id;
+
+Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
+$testsQuestionsDAO = new TestsQuestionsDAO();
+
+if (isset($_POST['cancel'])) {
+ $msg->addFeedback('CANCELLED');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ exit;
+} else if ($_POST['submit']) {
+
+ $_POST['required'] = 1; //intval($_POST['required']);
+ $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback']))));
+ $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question']))));
+ $_POST['category_id'] = intval($_POST['category_id']);
+ $_POST['answer'] = intval($_POST['answer']);
+
+ if ($_POST['question'] == ''){
+ $msg->addError(array('EMPTY_FIELDS', _AT('statement')));
+ }
+
+ if (!$msg->containsErrors()) {
+ $sql = TR_SQL_QUESTION_TRUEFALSE;
+ $values = array($_POST['category_id'],
+ $_course_id,
+ $_POST['feedback'],
+ $_POST['question'],
+ $_POST['answer']);
+ $types = "iisss";
+ if ($testsQuestionsDAO->execute($sql, $values, $types)) {
+ $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
+ header('Location: question_db.php?_course_id='.$_course_id);
+ }
+ else
+ $msg->addError('DB_NOT_UPDATED');
+ }
+
+}
+
+$onload = 'document.form.category_id.focus();';
+require_once(TR_INCLUDE_PATH.'header.inc.php');
+
+$savant->assign('course_id', $_course_id);
+$savant->display('tests/create_edit_question_truefalse.tmpl.php');
+
+require (TR_INCLUDE_PATH.'footer.inc.php'); ?>
diff --git a/tests/create_test.php b/tests/create_test.php
index fcb70175..52c4abc1 100644
--- a/tests/create_test.php
+++ b/tests/create_test.php
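Review bot: The success branch sends `header('Location: question_db.php?_course_id='.$_course_id);` with no `exit;` after it, unlike the other question forms in this commit, so after a successful insert the script carries on to include the header and render the form. Add `exit;` directly after the `header()` call inside the braces. Separately, `$types = "iisss"` binds `$_POST['answer']` as a string although it has just been through `intval()`; `"iissi"` would match the value, assuming the DAO treats these letters as bind types.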
@@ -1,51 +1,54 @@
-<?php
-/************************************************************************/
-/* AContent */
-/************************************************************************/
-/* Copyright (c) 2010 */
-/* Inclusive Design Institute */
-/* */
-/* This program is free software. You can redistribute it and/or */
-/* modify it under the terms of the GNU General Public License */
-/* as published by the Free Software Foundation. */
-/************************************************************************/
-
-//$page = 'tests';
-define('TR_INCLUDE_PATH', '../include/');
-require_once(TR_INCLUDE_PATH.'vitals.inc.php');
-require_once(TR_INCLUDE_PATH.'classes/DAO/TestsDAO.class.php');
-require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
-
-global $_course_id;
-
-Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
-
-$test_type = 'normal';
-
-if (isset($_POST['cancel'])) {
- $msg->addFeedback('CANCELLED');
- header('Location: index.php?_course_id='.$_course_id);
- exit;
-} else if (isset($_POST['submit'])) {
- $testsDAO = new TestsDAO();
-
- if ($testsDAO->Create($_course_id, $_POST['title'], $_POST['description']))
- {
- $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
- header('Location: index.php?_course_id='.$_course_id);
- exit;
- }
-}
-
-$onload = 'document.form.title.focus();';
-
-$savant->assign('course_id', $_course_id);
-
-require_once(TR_INCLUDE_PATH.'header.inc.php');
-$msg->printErrors();
-
-$savant->display('tests/create_edit_test.tmpl.php');
-
-require (TR_INCLUDE_PATH.'footer.inc.php');
-
-?>
\ No newline at end of file
+<?php
+/************************************************************************/
+/* AContent */
+/************************************************************************/
+/* Copyright (c) 2010 */
+/* Inclusive Design Institute */
+/* */
+/* This program is free software. You can redistribute it and/or */
+/* modify it under the terms of the GNU General Public License */
+/* as published by the Free Software Foundation. */
+/************************************************************************/
+
+//$page = 'tests';
+define('TR_INCLUDE_PATH', '../include/');
+
+require_once(TR_INCLUDE_PATH.'vitals.inc.php');
+require_once(TR_INCLUDE_PATH.'classes/DAO/TestsDAO.class.php');
+require_once(TR_INCLUDE_PATH.'classes/Utility.class.php');
+
+global $_course_id;
+
+Utility::authenticate(TR_PRIV_ISAUTHOR_OF_CURRENT_COURSE);
+
+$test_type = 'normal';
+
+if (isset($_POST['cancel'])) {
+ $msg->addFeedback('CANCELLED');
+ header('Location: index.php?_course_id='.$_course_id);
+ exit;
+} else if (isset($_POST['submit'])) {
+
+ $testsDAO = new TestsDAO();
+
+ if ($testsDAO->Create($_course_id, htmlspecialchars(trim(stripslashes(strip_tags($_POST['title'])))), htmlspecialchars(trim(stripslashes(strip_tags($_POST['description']))))));
+ {
+ $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
+ header('Location: index.php?_course_id='.$_course_id);
+ exit;
+ }
+
+}
+
+$onload = 'document.form.title.focus();';
+
+$savant->assign('course_id', $_course_id);
+
+require_once(TR_INCLUDE_PATH.'header.inc.php');
+$msg->printErrors();
+
+$savant->display('tests/create_edit_test.tmpl.php');
+
+require (TR_INCLUDE_PATH.'footer.inc.php');
+
+?>
diff --git a/tests/dd.php b/tests/dd.php
index a48ae8a9..eca5bdf7 100644
--- a/tests/dd.php
+++ b/tests/dd.php
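Review bot: The rewritten condition `if ($testsDAO->Create(...));` ends in a semicolon, so the `if` controls an empty statement and the braced block on the next line always runs. The success feedback is added and the redirect to `index.php` is sent even when `Create()` returns false, which hides failed inserts from the author. Remove the `;` after the closing parenthesis. Assigning the two sanitised values to `$title` and `$description` first would keep the condition short enough for a slip like this to be seen in review.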
@@ -1,222 +1,223 @@ -<?php -/************************************************************************/ -/* AContent */ -/************************************************************************/ -/* Copyright (c) 2010 */ -/* Inclusive Design Institute */ -/* */ -/* This program is free software. You can redistribute it and/or */ -/* modify it under the terms of the GNU General Public License */ -/* as published by the Free Software Foundation. */ -/************************************************************************/ - -define('TR_INCLUDE_PATH', '../include/'); -require_once(TR_INCLUDE_PATH.'vitals.inc.php'); -require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); - -global $_course_id; - -if (defined('TR_FORCE_GET_FILE') && TR_FORCE_GET_FILE) { - $content_base_href = 'get.php/'; -} else { - $content_base_href = 'content/' . $_course_id . '/'; -} -// Verify that we may access this question -if (!isset($_SESSION['dd_question_ids']) || !is_array($_SESSION['dd_question_ids']) || !isset($_SESSION['dd_question_ids'][$_GET['qid']])) { - // Just exit as we're in an IFRAME - exit; -} -// Clean up tidily -unset($_SESSION['dd_question_ids'][$_GET['qid']]); -if (count($_SESSION['dd_question_ids']) == 0) { - unset($_SESSION['dd_question_ids']); -} -session_write_close(); -$_GET['qid'] = intval($_GET['qid']); - -$testQuestionsDAO = new TestsQuestionsDAO(); -$row = $testQuestionsDAO->get($_GET['qid']); - -$_letters = array(_AT('A'), _AT('B'), _AT('C'), _AT('D'), _AT('E'), _AT('F'), _AT('G'), _AT('H'), _AT('I'), _AT('J')); -$_colours = array('#FF9900', '#00FF00', '#0000FF', '#F23AA3', '#9999CC', '#990026', '#0099CC', '#22C921', '#007D48', '#00248F'); - -$num_options = 0; -for ($i=0; $i < 10; $i++) { - if ($row['option_'. 
$i] != '') { - $num_options++; - } -} -?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html lang="<?php echo $_SESSION['lang']; ?>"> -<head> - <title><?php echo SITE_NAME; ?> : <?php echo AT_print($row['question'], 'tests_questions.question'); ?> - - - - - - - - - - - - - - - -
    - - - -
    -
      - - -
    • - - -
    • - - -
    - -
      - - -
    1. .
    2. - - -
    -
    - - - \ No newline at end of file +get($_GET['qid']); + +$_letters = array(_AT('A'), _AT('B'), _AT('C'), _AT('D'), _AT('E'), _AT('F'), _AT('G'), _AT('H'), _AT('I'), _AT('J')); +$_colours = array('#FF9900', '#00FF00', '#0000FF', '#F23AA3', '#9999CC', '#990026', '#0099CC', '#22C921', '#007D48', '#00248F'); + +$num_options = 0; +for ($i=0; $i < 10; $i++) { + if ($row['option_'. $i] != '') { + $num_options++; + } +} +?> + + + + <?php echo SITE_NAME; ?> : <?php echo AT_print($row['question'], 'tests_questions.question'); ?> + + + + + + + + + + + + + + + +
    + + + +
    +
      + + +
    • + + +
    • + + +
    + +
      + + +
    1. .
    2. + + +
    +
    + + + diff --git a/tests/delete_question.php b/tests/delete_question.php index f7353149..9f2f9a22 100644 --- a/tests/delete_question.php +++ b/tests/delete_question.php @@ -1,62 +1,63 @@ -addFeedback('CANCELLED'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit_yes'])) { - $_POST['qid'] = explode(',', $_POST['qid']); - - foreach ($_POST['qid'] as $id) { - $id = intval($id); - - if ($testsQuestionsDAO->Delete($id)) $testsQuestionsAssocDAO->DeleteByQuestionID($id); - } - - $msg->addFeedback('QUESTION_DELETED'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} /* else: */ - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$these_questions= explode(",", $_REQUEST['qid']); - -foreach($these_questions as $this_question){ - $this_question = intval($this_question); - $row = $testsQuestionsDAO->get($this_question); - $confirm .= "
  • ".$row['question']."
  • "; -} - -$confirm = array('DELETE', $confirm); -$hidden_vars['qid'] = $_REQUEST['qid']; -$hidden_vars['_course_id'] = $_course_id; - -$msg->addConfirm($confirm, $hidden_vars); -$msg->printConfirm(); - -require_once(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit_yes'])) { + $_POST['qid'] = explode(',', $_POST['qid']); + + foreach ($_POST['qid'] as $id) { + $id = intval($id); + + if ($testsQuestionsDAO->Delete($id)) $testsQuestionsAssocDAO->DeleteByQuestionID($id); + } + + $msg->addFeedback('QUESTION_DELETED'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} /* else: */ + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$these_questions= explode(",", $_REQUEST['qid']); + +foreach($these_questions as $this_question){ + $this_question = intval($this_question); + $row = $testsQuestionsDAO->get($this_question); + $confirm .= "
  • ".$row['question']."
  • "; +} + +$confirm = array('DELETE', $confirm); +$hidden_vars['qid'] = $_REQUEST['qid']; +$hidden_vars['_course_id'] = $_course_id; + +$msg->addConfirm($confirm, $hidden_vars); +$msg->printConfirm(); + +require_once(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/delete_test.php b/tests/delete_test.php index 49a49fcc..76251553 100644 --- a/tests/delete_test.php +++ b/tests/delete_test.php 
@@ -1,64 +1,65 @@ -addFeedback('CANCELLED'); - header('Location: index.php?_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit_yes'])) { - - $tid = intval($_POST['tid']); - - if ($testsDAO->Delete($tid)) { - $testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); - $testsQuestionsAssocDAO->DeleteByTestID($tid); - - //delete test content association as well - $contentTestsAssocDAO = new ContentTestsAssocDAO(); - $contentTestsAssocDAO->DeleteByTestID($tid); - } - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: '.TR_BASE_HREF.'tests/index.php?_course_id='.$_course_id); - exit; - -} /* else: */ - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$_GET['tid'] = intval($_GET['tid']); - -$row = $testsDAO->get($_GET['tid']); - -unset($hidden_vars); -$hidden_vars['tid'] = $_GET['tid']; -$hidden_vars['_course_id'] = $_course_id; - -$msg->addConfirm(array('DELETE_TEST', $row['title']), $hidden_vars); -$msg->printConfirm(); - -require_once(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: index.php?_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit_yes'])) { + + $tid = intval($_POST['tid']); + + if ($testsDAO->Delete($tid)) { + $testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); + $testsQuestionsAssocDAO->DeleteByTestID($tid); + + //delete test content association as well + $contentTestsAssocDAO = new ContentTestsAssocDAO(); + $contentTestsAssocDAO->DeleteByTestID($tid); + } + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: '.TR_BASE_HREF.'tests/index.php?_course_id='.$_course_id); + exit; + +} /* else: */ + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$_GET['tid'] = intval($_GET['tid']); + +$row = $testsDAO->get($_GET['tid']); + +unset($hidden_vars); +$hidden_vars['tid'] = $_GET['tid']; +$hidden_vars['_course_id'] = $_course_id; + +$msg->addConfirm(array('DELETE_TEST', $row['title']), $hidden_vars); 
+$msg->printConfirm(); + +require_once(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/edit_question_likert.php b/tests/edit_question_likert.php index dfc57086..25c76d0d 100644 --- a/tests/edit_question_likert.php +++ b/tests/edit_question_likert.php 
@@ -1,170 +1,173 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $_POST['question'] = trim($_POST['question']); - $_POST['category_id'] = intval($_POST['category_id']); - $_POST['alignment'] = intval($_POST['alignment']); - - $empty_fields = array(); - if ($_POST['question'] == ''){ - $empty_fields[] = _AT('question'); - } - if ($_POST['choice'][0] == '') { - $empty_fields[] = _AT('choice').' 1'; - } - - if ($_POST['choice'][1] == '') { - $empty_fields[] = _AT('choice').' 2'; - } - - if (!empty($empty_fields)) { - $msg->addError(array('EMPTY_FIELDS', implode(', ', $empty_fields))); - } - - if (!$msg->containsErrors()) { - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = trim($_POST['choice'][$i]); - $_POST['answer'][$i] = intval($_POST['answer'][$i]); - - if ($_POST['choice'][$i] == '') { - /* an empty option can't be correct */ - $_POST['answer'][$i] = 0; - } - } - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET - category_id=?, - feedback=?, - question=?, - choice_0=?, - choice_1=?, - choice_2=?, - choice_3=?, - choice_4=?, - choice_5=?, - choice_6=?, - choice_7=?, - choice_8=?, - choice_9=?, - answer_0=?, - answer_1=?, - answer_2=?, - answer_3=?, - answer_4=?, - answer_5=?, - answer_6=?, - answer_7=?, - answer_8=?, - answer_9=? 
- WHERE question_id=?"; - $values= array($_POST['category_id'], - $_POST['feedback'], - $_POST['question'], - $_POST['choice'][0], - $_POST['choice'][1], - $_POST['choice'][2], - $_POST['choice'][3], - $_POST['choice'][4], - $_POST['choice'][5], - $_POST['choice'][6], - $_POST['choice'][7], - $_POST['choice'][8], - $_POST['choice'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9], - $_POST['qid']); - $types = "issssssssssssiiiiiiiiiii"; - $testsQuestionsDAO->execute($sql, $values, $types); - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } -} else if (isset($_POST['preset'])) { - // load preset - $_POST['preset_num'] = intval($_POST['preset_num']); - - if (isset($_likert_preset[$_POST['preset_num']])) { - $_POST['choice'] = $_likert_preset[$_POST['preset_num']]; - } else if ($_POST['preset_num']) { - if ($row = $testsQuestionsDAO->get($_POST['preset_num'])){ - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = $row['choice_' . 
$i]; - } - } - } -} else { - if (!($row = $testsQuestionsDAO->get($qid))){ - require_once(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - - $_POST['question'] = $row['question']; - $_POST['category_id'] = $row['category_id']; - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = $row['choice_'.$i]; - } -} - -global $onload; -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); -$savant->assign('likert_preset', $_likert_preset); -$savant->assign('testsQuestionsDAO', $testsQuestionsDAO); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_likert.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if (isset($_POST['submit'])) { + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['category_id'] = intval($_POST['category_id']); + $_POST['alignment'] = intval($_POST['alignment']); + + $empty_fields = array(); + if ($_POST['question'] == ''){ + $empty_fields[] = _AT('question'); + } + if ($_POST['choice'][0] == '') { + $empty_fields[] = _AT('choice').' 1'; + } + + if ($_POST['choice'][1] == '') { + $empty_fields[] = _AT('choice').' 
2'; + } + + if (!empty($empty_fields)) { + $msg->addError(array('EMPTY_FIELDS', implode(', ', $empty_fields))); + } + + if (!$msg->containsErrors()) { + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i])))); + $_POST['answer'][$i] = intval($_POST['answer'][$i]); + + if ($_POST['choice'][$i] == '') { + /* an empty option can't be correct */ + $_POST['answer'][$i] = 0; + } + } + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET + category_id=?, + feedback=?, + question=?, + choice_0=?, + choice_1=?, + choice_2=?, + choice_3=?, + choice_4=?, + choice_5=?, + choice_6=?, + choice_7=?, + choice_8=?, + choice_9=?, + answer_0=?, + answer_1=?, + answer_2=?, + answer_3=?, + + answer_4=?, + answer_5=?, + answer_6=?, + answer_7=?, + answer_8=?, + answer_9=? + WHERE question_id=?"; + $values= array($_POST['category_id'], + $_POST['feedback'], + $_POST['question'], + $_POST['choice'][0], + $_POST['choice'][1], + $_POST['choice'][2], + $_POST['choice'][3], + $_POST['choice'][4], + $_POST['choice'][5], + $_POST['choice'][6], + $_POST['choice'][7], + $_POST['choice'][8], + $_POST['choice'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9], + $_POST['qid']); + $types = "issssssssssssiiiiiiiiiii"; + $testsQuestionsDAO->execute($sql, $values, $types); + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + + } +} else if (isset($_POST['preset'])) { + // load preset + $_POST['preset_num'] = intval($_POST['preset_num']); + + if (isset($_likert_preset[$_POST['preset_num']])) { + $_POST['choice'] = $_likert_preset[$_POST['preset_num']]; + } else if 
($_POST['preset_num']) { + if ($row = $testsQuestionsDAO->get($_POST['preset_num'])){ + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = $row['choice_' . $i]; + } + } + } +} else { + if (!($row = $testsQuestionsDAO->get($qid))){ + require_once(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + + $_POST['question'] = $row['question']; + $_POST['category_id'] = $row['category_id']; + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = $row['choice_'.$i]; + } +} + +global $onload; +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); +$savant->assign('likert_preset', $_likert_preset); +$savant->assign('testsQuestionsDAO', $testsQuestionsDAO); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_likert.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/edit_question_long.php b/tests/edit_question_long.php index c575fe16..e6c16811 100644 --- a/tests/edit_question_long.php +++ b/tests/edit_question_long.php 
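Review bot: `$_POST['feedback']` is still placed in `$values` unfiltered in the submit branch, while `question` and every `choice` now go through the `strip_tags`/`htmlspecialchars` chain, and the edit_question_long, edit_question_matching and edit_question_matchingdd hunks of this commit do filter `feedback`. If the field is meant to be covered, add `$_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback']))));` beside the `question` assignment. `htmlspecialchars` is also called with default flags here and in the other hunks; before PHP 8.1 the default leaves single quotes unencoded, so passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly avoids depending on the runtime version.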
@@ -1,97 +1,100 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['question'] = trim($_POST['question']); - $_POST['category_id'] = intval($_POST['category_id']); - $_POST['properties'] = intval($_POST['properties']); - - if ($_POST['question'] == ''){ - $msg->addError(array('EMPTY_FIELDS', _AT('question'))); - } - - if (!$msg->containsErrors()) { - $_POST['question'] = addslashes($_POST['question']); - $_POST['feedback'] = addslashes($_POST['feedback']); -/* - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=$_POST[category_id], - feedback='$_POST[feedback]', - question='$_POST[question]', - properties=$_POST[properties] - WHERE question_id=$_POST[qid]"; */ - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=?, - feedback=?, - question=?, - properties=? 
- WHERE question_id=?"; - $values = array($_POST['category_id'], - $_POST['feedback'], - $_POST['question'], - $_POST['properties'], - $_POST['qid'] ); - $types = "issii"; - $testsQuestionsDAO->execute($sql, $values, $types); - - $msg->addFeedback('QUESTION_UPDATED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } -} - -if (!isset($_POST['submit'])) { - if (!($row = $testsQuestionsDAO->get($qid))){ - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - - $_POST = $row; -} - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$msg->printErrors(); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_long.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if (isset($_POST['submit'])) { + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['category_id'] = intval($_POST['category_id']); + $_POST['properties'] = intval($_POST['properties']); + + if ($_POST['question'] == ''){ + $msg->addError(array('EMPTY_FIELDS', _AT('question'))); + } + + if (!$msg->containsErrors()) { + + $_POST['question'] = addslashes($_POST['question']); + $_POST['feedback'] = addslashes($_POST['feedback']); +/* + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=$_POST[category_id], + feedback='$_POST[feedback]', + question='$_POST[question]', + properties=$_POST[properties] + WHERE 
question_id=$_POST[qid]"; */ + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=?, + feedback=?, + question=?, + properties=? + WHERE question_id=?"; + $values = array($_POST['category_id'], + $_POST['feedback'], + $_POST['question'], + $_POST['properties'], + $_POST['qid'] ); + $types = "issii"; + $testsQuestionsDAO->execute($sql, $values, $types); + + $msg->addFeedback('QUESTION_UPDATED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + + } +} + +if (!isset($_POST['submit'])) { + if (!($row = $testsQuestionsDAO->get($qid))){ + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + + $_POST = $row; +} + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$msg->printErrors(); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_long.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/edit_question_matching.php b/tests/edit_question_matching.php index a6e278f8..3fa9776c 100644 --- a/tests/edit_question_matching.php +++ b/tests/edit_question_matching.php 
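Review bot: The two `addslashes()` calls on `question` and `feedback` run just before the values are handed to `execute()` with `?` placeholders, so, assuming `execute()` binds them as parameters (its body is not in this hunk), the backslashes are stored as literal data rather than consumed as SQL escaping. Any quote that survives the new filter is therefore saved with a backslash in front of it, and the `stripslashes` this commit adds on input removes backslashes the author typed on purpose. Dropping both lines, `$_POST['question'] = addslashes($_POST['question']);` and `$_POST['feedback'] = addslashes($_POST['feedback']);`, leaves the placeholders to do the escaping. The loop in the edit_question_matching hunk wraps `question[$i]` and `answer[$i]` in `addslashes` the same way.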
@@ -1,170 +1,176 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $_POST['tid'] = intval($_POST['tid']); - $_POST['qid'] = intval($_POST['qid']); - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['instructions'] = trim($_POST['instructions']); - $_POST['category_id'] = intval($_POST['category_id']); - - for ($i = 0 ; $i < 10; $i++) { - $_POST['question'][$i] = addslashes(trim($_POST['question'][$i])); - $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; - $_POST['answer'][$i] = addslashes(trim($_POST['answer'][$i])); - } - - if (!$_POST['question'][0] - || !$_POST['question'][1] - || !$_POST['answer'][0] - || !$_POST['answer'][1]) { - - $msg->addError('QUESTION_EMPTY'); - } - - if (!$msg->containsErrors()) { - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET - category_id=?, - feedback=?, - question=?, - choice_0=?, - choice_1=?, - choice_2=?, - choice_3=?, - choice_4=?, - choice_5=?, - choice_6=?, - choice_7=?, - choice_8=?, - choice_9=?, - answer_0=?, - answer_1=?, - answer_2=?, - answer_3=?, - answer_4=?, - answer_5=?, - answer_6=?, - answer_7=?, - answer_8=?, - answer_9=?, - option_0=?, - option_1=?, - option_2=?, - option_3=?, - option_4=?, - option_5=?, - option_6=?, - option_7=?, - option_8=?, - option_9=? 
- WHERE question_id=?"; - $values = array($_POST['category_id'], - $_POST['feedback'], - $_POST['instructions'], - $_POST['question'][0], - $_POST['question'][1], - $_POST['question'][2], - $_POST['question'][3], - $_POST['question'][4], - $_POST['question'][5], - $_POST['question'][6], - $_POST['question'][7], - $_POST['question'][8], - $_POST['question'][9], - $_POST['question_answer'][0], - $_POST['question_answer'][1], - $_POST['question_answer'][2], - $_POST['question_answer'][3], - $_POST['question_answer'][4], - $_POST['question_answer'][5], - $_POST['question_answer'][6], - $_POST['question_answer'][7], - $_POST['question_answer'][8], - $_POST['question_answer'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9], - $_POST['qid'] - ); - $types = "issssssssssssiiiiiiiiiissssssssssi"; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } - } -} else { - if (!($row = $testsQuestionsDAO->get($qid))){ - require_once(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - $_POST['feedback'] = $row['feedback']; - $_POST['instructions'] = $row['question']; - $_POST['category_id'] = $row['category_id']; - - for ($i=0; $i<10; $i++) { - $_POST['question'][$i] = $row['choice_'.$i]; - $_POST['question_answer'][$i] = $row['answer_'.$i]; - $_POST['answer'][$i] = $row['option_'.$i]; - } -} - -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); 
-$savant->assign('letters', $_letters); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_matching.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if (isset($_POST['submit'])) { + $_POST['tid'] = intval($_POST['tid']); + $_POST['qid'] = intval($_POST['qid']); + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['instructions'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['instructions'])))); + $_POST['category_id'] = intval($_POST['category_id']); + + for ($i = 0 ; $i < 10; $i++) { + $_POST['question'][$i] = addslashes(trim($_POST['question'][$i])); + $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; + $_POST['answer'][$i] = addslashes(trim($_POST['answer'][$i])); + } + + if (!$_POST['question'][0] + || !$_POST['question'][1] + || !$_POST['answer'][0] + || !$_POST['answer'][1]) { + + $msg->addError('QUESTION_EMPTY'); + } + + if (!$msg->containsErrors()) { + + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET + category_id=?, + feedback=?, + question=?, + choice_0=?, + choice_1=?, + choice_2=?, + choice_3=?, + choice_4=?, + choice_5=?, + choice_6=?, + choice_7=?, + choice_8=?, + choice_9=?, + answer_0=?, + answer_1=?, + answer_2=?, + answer_3=?, + answer_4=?, + answer_5=?, + answer_6=?, + answer_7=?, + answer_8=?, + answer_9=?, + option_0=?, + option_1=?, + + option_2=?, + option_3=?, + option_4=?, + option_5=?, + + option_6=?, + option_7=?, + option_8=?, + option_9=? 
+ + WHERE question_id=?"; + $values = array($_POST['category_id'], + $_POST['feedback'], + $_POST['instructions'], + $_POST['question'][0], + $_POST['question'][1], + $_POST['question'][2], + $_POST['question'][3], + $_POST['question'][4], + $_POST['question'][5], + $_POST['question'][6], + $_POST['question'][7], + $_POST['question'][8], + $_POST['question'][9], + $_POST['question_answer'][0], + $_POST['question_answer'][1], + $_POST['question_answer'][2], + $_POST['question_answer'][3], + $_POST['question_answer'][4], + $_POST['question_answer'][5], + $_POST['question_answer'][6], + $_POST['question_answer'][7], + $_POST['question_answer'][8], + $_POST['question_answer'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9], + $_POST['qid'] + ); + $types = "issssssssssssiiiiiiiiiissssssssssi"; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + } + + } +} else { + if (!($row = $testsQuestionsDAO->get($qid))){ + require_once(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + $_POST['feedback'] = $row['feedback']; + $_POST['instructions'] = $row['question']; + $_POST['category_id'] = $row['category_id']; + + for ($i=0; $i<10; $i++) { + $_POST['question'][$i] = $row['choice_'.$i]; + $_POST['question_answer'][$i] = $row['answer_'.$i]; + $_POST['answer'][$i] = $row['option_'.$i]; + } +} + +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); 
+$savant->assign('letters', $_letters); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_matching.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/edit_question_matchingdd.php b/tests/edit_question_matchingdd.php index be369f7c..ef74e0a8 100644 --- a/tests/edit_question_matchingdd.php +++ b/tests/edit_question_matchingdd.php 
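Review bot: The loop over the ten pairs still assigns `question[$i]` and `answer[$i]` with `addslashes(trim(...))`, so the per-row text bypasses the filter this hunk adds for `feedback` and `instructions`. The edit_question_matchingdd hunk in the same commit does filter both arrays; for parity the two lines would read `$_POST['question'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'][$i]))));` and `$_POST['answer'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['answer'][$i]))));`. Whether the template escapes these fields on output is not visible here, so they should be treated as unfiltered until that is confirmed.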
@@ -1,171 +1,174 @@ -addFeedback('CANCELLED'); - if (isset($_POST['tid'])) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $_POST['tid'] = intval($_POST['tid']); - $_POST['qid'] = intval($_POST['qid']); - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['instructions'] = trim($_POST['instructions']); - $_POST['category_id'] = intval($_POST['category_id']); - - for ($i = 0 ; $i < 10; $i++) { - $_POST['question'][$i] = trim($_POST['question'][$i]); - $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; - $_POST['answer'][$i] = trim($_POST['answer'][$i]); - } - - if (!$_POST['question'][0] - || !$_POST['question'][1] - || !$_POST['answer'][0] - || !$_POST['answer'][1]) { - - $msg->addError('QUESTION_EMPTY'); - } - - if (!$msg->containsErrors()) { - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET - category_id=?, - feedback=?, - question=?, - choice_0=?, - choice_1=?, - choice_2=?, - choice_3=?, - choice_4=?, - choice_5=?, - choice_6=?, - choice_7=?, - choice_8=?, - choice_9=?, - answer_0=?, - answer_1=?, - answer_2=?, - answer_3=?, - answer_4=?, - answer_5=?, - answer_6=?, - answer_7=?, - answer_8=?, - answer_9=?, - option_0=?, - option_1=?, - option_2=?, - option_3=?, - option_4=?, - option_5=?, - option_6=?, - option_7=?, - option_8=?, - option_9=? 
- WHERE question_id=?"; - $values = array($_POST['category_id'], - $_POST['feedback'], - $_POST['instructions'], - $_POST['question'][0], - $_POST['question'][1], - $_POST['question'][2], - $_POST['question'][3], - $_POST['question'][4], - $_POST['question'][5], - $_POST['question'][6], - $_POST['question'][7], - $_POST['question'][8], - $_POST['question'][9], - $_POST['question_answer'][0], - $_POST['question_answer'][1], - $_POST['question_answer'][2], - $_POST['question_answer'][3], - $_POST['question_answer'][4], - $_POST['question_answer'][5], - $_POST['question_answer'][6], - $_POST['question_answer'][7], - $_POST['question_answer'][8], - $_POST['question_answer'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9], - $_POST['qid'] - ); - $types = "issssssssssssiiiiiiiiiissssssssssi"; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } - } -} else { - if (!($row = $testsQuestionsDAO->get($qid))){ - require_once(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - $_POST['feedback'] = $row['feedback']; - $_POST['instructions'] = $row['question']; - $_POST['category_id'] = $row['category_id']; - - for ($i=0; $i<10; $i++) { - $_POST['question'][$i] = $row['choice_'.$i]; - $_POST['question_answer'][$i] = $row['answer_'.$i]; - $_POST['answer'][$i] = $row['option_'.$i]; - } - -} -$onload = 'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); 
-$savant->assign('letters', $_letters); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_matchingdd.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addFeedback('CANCELLED'); + if (isset($_POST['tid'])) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if (isset($_POST['submit'])) { + $_POST['tid'] = intval($_POST['tid']); + $_POST['qid'] = intval($_POST['qid']); + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['instructions'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['instructions'])))); + $_POST['category_id'] = intval($_POST['category_id']); + + for ($i = 0 ; $i < 10; $i++) { + $_POST['question'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'][$i])))); + $_POST['question_answer'][$i] = (int) $_POST['question_answer'][$i]; + $_POST['answer'][$i] = htmlspecialchars(trim(stripslashes(strip_tags(trim($_POST['answer'][$i]))))); + } + + if (!$_POST['question'][0] + || !$_POST['question'][1] + || !$_POST['answer'][0] + || !$_POST['answer'][1]) { + + $msg->addError('QUESTION_EMPTY'); + } + + if (!$msg->containsErrors()) { + + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET + category_id=?, + feedback=?, + question=?, + choice_0=?, + choice_1=?, + choice_2=?, + choice_3=?, + choice_4=?, + choice_5=?, + choice_6=?, + choice_7=?, + choice_8=?, + choice_9=?, + answer_0=?, + answer_1=?, + answer_2=?, + answer_3=?, + answer_4=?, + answer_5=?, + answer_6=?, + answer_7=?, + answer_8=?, + answer_9=?, + option_0=?, + option_1=?, + option_2=?, + option_3=?, + option_4=?, + option_5=?, + option_6=?, + option_7=?, + option_8=?, + option_9=? 
+ WHERE question_id=?"; + $values = array($_POST['category_id'], + $_POST['feedback'], + $_POST['instructions'], + $_POST['question'][0], + $_POST['question'][1], + $_POST['question'][2], + $_POST['question'][3], + $_POST['question'][4], + $_POST['question'][5], + $_POST['question'][6], + $_POST['question'][7], + $_POST['question'][8], + $_POST['question'][9], + $_POST['question_answer'][0], + $_POST['question_answer'][1], + $_POST['question_answer'][2], + $_POST['question_answer'][3], + $_POST['question_answer'][4], + $_POST['question_answer'][5], + $_POST['question_answer'][6], + $_POST['question_answer'][7], + $_POST['question_answer'][8], + $_POST['question_answer'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9], + $_POST['qid'] + ); + $types = "issssssssssssiiiiiiiiiissssssssssi"; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + } + + } +} else { + if (!($row = $testsQuestionsDAO->get($qid))){ + require_once(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + $_POST['feedback'] = $row['feedback']; + $_POST['instructions'] = $row['question']; + $_POST['category_id'] = $row['category_id']; + + for ($i=0; $i<10; $i++) { + $_POST['question'][$i] = $row['choice_'.$i]; + $_POST['question_answer'][$i] = $row['answer_'.$i]; + $_POST['answer'][$i] = $row['option_'.$i]; + } + +} +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); 
+$savant->assign('letters', $_letters); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_matchingdd.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/edit_question_multianswer.php b/tests/edit_question_multianswer.php index ab4ae0a0..00745f46 100644 --- a/tests/edit_question_multianswer.php +++ b/tests/edit_question_multianswer.php 
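Review bot: The `answer` assignment in the loop calls `trim` twice, `htmlspecialchars(trim(stripslashes(strip_tags(trim($_POST['answer'][$i])))))`, while the `question` line directly above uses the chain once; the inner `trim` is redundant and makes the two lines look as if they do different things. Writing it as `$_POST['answer'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['answer'][$i]))));` keeps them parallel. Since the same four-call chain is now repeated in several files of this commit, a single helper in a shared include would keep the filter from drifting between call sites.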
@@ -1,169 +1,177 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['question'] = trim($_POST['question']); - $_POST['tid'] = intval($_POST['tid']); - $_POST['qid'] = intval($_POST['qid']); - $_POST['weight'] = intval($_POST['weight']); - - if ($_POST['question'] == ''){ - $msg->addError(array('EMPTY_FIELDS', _AT('question'))); - } - - if (!$msg->containsErrors()) { - $choice_new = array(); // stores the non-blank choices - $answer_new = array(); // stores the associated "answer" for the choices - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = addslashes(trim($_POST['choice'][$i])); - /** - * Db defined it to be 255 length, chop strings off it it's less than that - * @harris - */ - $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255); - $_POST['answer'][$i] = intval($_POST['answer'][$i]); - - if ($_POST['choice'][$i] == '') { - /* an empty option can't be correct */ - $_POST['answer'][$i] = 0; - } else { - /* filter out empty choices/ remove gaps */ - $choice_new[] = $_POST['choice'][$i]; - $answer_new[] = $_POST['answer'][$i]; - } - } - - $_POST['answer'] = $answer_new; - $_POST['choice'] = $choice_new; - $_POST['answer'] = array_pad($_POST['answer'], 10, 0); - $_POST['choice'] = array_pad($_POST['choice'], 10, ''); - - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET - category_id=?, - feedback=?, - question=?, - choice_0=?, - choice_1=?, - choice_2=?, - choice_3=?, - choice_4=?, - choice_5=?, - choice_6=?, - choice_7=?, - choice_8=?, - choice_9=?, - answer_0=?, - answer_1=?, - answer_2=?, - answer_3=?, - answer_4=?, - answer_5=?, - answer_6=?, - answer_7=?, - answer_8=?, - answer_9=? 
- WHERE question_id=?"; - - $values = array($_POST['category_id'], - $_POST['feedback'], - $_POST['question'], - $_POST['choice'][0], - $_POST['choice'][1], - $_POST['choice'][2], - $_POST['choice'][3], - $_POST['choice'][4], - $_POST['choice'][5], - $_POST['choice'][6], - $_POST['choice'][7], - $_POST['choice'][8], - $_POST['choice'][9], - $_POST['answer'][0], - $_POST['answer'][1], - $_POST['answer'][2], - $_POST['answer'][3], - $_POST['answer'][4], - $_POST['answer'][5], - $_POST['answer'][6], - $_POST['answer'][7], - $_POST['answer'][8], - $_POST['answer'][9], - $_POST['qid']); - $types = "issssssssssssiiiiiiiiiii"; - - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('QUESTION_UPDATED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } - else - { - $msg->addError('DB_NOT_UPDATED'); - } - } -} - -if (!isset($_POST['submit'])) { - if (!($row = $testsQuestionsDAO->get($qid))){ - require_once(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - $_POST['category_id'] = $row['category_id']; - $_POST['feedback'] = $row['feedback']; - $_POST['weight'] = $row['weight']; - $_POST['question'] = $row['question']; - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = $row['choice_'.$i]; - $_POST['answer'][$i] = $row['answer_'.$i]; - } -} - -$onload = 'document.form.category_id.focus();'; -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_multianswer.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: 
questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if (isset($_POST['submit'])) { + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['tid'] = intval($_POST['tid']); + $_POST['qid'] = intval($_POST['qid']); + $_POST['weight'] = intval($_POST['weight']); + + if ($_POST['question'] == ''){ + $msg->addError(array('EMPTY_FIELDS', _AT('question'))); + } + + if (!$msg->containsErrors()) { + + $choice_new = array(); // stores the non-blank choices + $answer_new = array(); // stores the associated "answer" for the choices + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = addslashes(trim($_POST['choice'][$i])); + /** + * Db defined it to be 255 length, chop strings off it it's less than that + * @harris + */ + $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255); + $_POST['answer'][$i] = intval($_POST['answer'][$i]); + + if ($_POST['choice'][$i] == '') { + /* an empty option can't be correct */ + $_POST['answer'][$i] = 0; + } else { + /* filter out empty choices/ remove gaps */ + $choice_new[] = $_POST['choice'][$i]; + $answer_new[] = $_POST['answer'][$i]; + } + } + + $_POST['answer'] = $answer_new; + $_POST['choice'] = $choice_new; + $_POST['answer'] = array_pad($_POST['answer'], 10, 0); + $_POST['choice'] = array_pad($_POST['choice'], 10, ''); + + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET + category_id=?, + feedback=?, + question=?, + choice_0=?, + choice_1=?, + choice_2=?, + choice_3=?, + choice_4=?, + choice_5=?, + choice_6=?, + + choice_7=?, + choice_8=?, + choice_9=?, + + answer_0=?, + answer_1=?, + + answer_2=?, + answer_3=?, + answer_4=?, + + answer_5=?, + answer_6=?, + answer_7=?, + answer_8=?, + + answer_9=? 
+ WHERE question_id=?"; + + $values = array($_POST['category_id'], + $_POST['feedback'], + $_POST['question'], + $_POST['choice'][0], + $_POST['choice'][1], + $_POST['choice'][2], + $_POST['choice'][3], + $_POST['choice'][4], + $_POST['choice'][5], + $_POST['choice'][6], + $_POST['choice'][7], + $_POST['choice'][8], + $_POST['choice'][9], + $_POST['answer'][0], + $_POST['answer'][1], + $_POST['answer'][2], + $_POST['answer'][3], + $_POST['answer'][4], + $_POST['answer'][5], + $_POST['answer'][6], + $_POST['answer'][7], + $_POST['answer'][8], + $_POST['answer'][9], + $_POST['qid']); + $types = "issssssssssssiiiiiiiiiii"; + + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('QUESTION_UPDATED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + } + else + { + $msg->addError('DB_NOT_UPDATED'); + } + + } +} + +if (!isset($_POST['submit'])) { + if (!($row = $testsQuestionsDAO->get($qid))){ + require_once(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + $_POST['category_id'] = $row['category_id']; + $_POST['feedback'] = $row['feedback']; + $_POST['weight'] = $row['weight']; + $_POST['question'] = $row['question']; + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = $row['choice_'.$i]; + $_POST['answer'][$i] = $row['answer_'.$i]; + } +} + +$onload = 'document.form.category_id.focus();'; +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_multianswer.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/edit_question_multichoice.php b/tests/edit_question_multichoice.php index 491d33f9..79ae0a10 100644 
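Review bot: The choice loop in the submit branch still runs `addslashes(trim($_POST['choice'][$i]))`, so the ten choice fields skip the `strip_tags`/`htmlspecialchars` chain this commit applies to `feedback` and `question`, and any markup in a choice is stored unchanged. The values are passed with `?` placeholders and a `$types` string, so the DAO presumably binds them, in which case `addslashes` only adds literal backslashes to the stored text. To match edit_question_multichoice.php in this same commit, the line could read `$_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i]))));`, with `Utility::validateLength(..., 255)` applied after it. `category_id` is bound as `i` but, unlike `tid`, `qid` and `weight`, is never passed through `intval()`.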
--- a/tests/edit_question_multichoice.php +++ b/tests/edit_question_multichoice.php 
@@ -1,146 +1,154 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['question'] = trim($_POST['question']); - $_POST['tid'] = intval($_POST['tid']); - $_POST['qid'] = intval($_POST['qid']); - $_POST['weight'] = intval($_POST['weight']); - $_POST['answer'] = intval($_POST['answer']); - - if ($_POST['question'] == ''){ - $msg->addError(array('EMPTY_FIELDS', _AT('question'))); - } - - if (!$msg->containsErrors()) { - $answers = array_fill(0, 10, 0); - $answers[$_POST['answer']] = 1; - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = trim($_POST['choice'][$i]); - } - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET - category_id=?, - feedback=?, - question=?, - choice_0=?, - choice_1=?, - choice_2=?, - choice_3=?, - choice_4=?, - choice_5=?, - choice_6=?, - choice_7=?, - choice_8=?, - choice_9=?, - answer_0=?, - answer_1=?, - answer_2=?, - answer_3=?, - answer_4=?, - answer_5=?, - answer_6=?, - answer_7=?, - answer_8=?, - answer_9=? 
- WHERE question_id=?"; - $values= array($_POST['category_id'], - $_POST['feedback'], - $_POST['question'], - $_POST['choice'][0], - $_POST['choice'][1], - $_POST['choice'][2], - $_POST['choice'][3], - $_POST['choice'][4], - $_POST['choice'][5], - $_POST['choice'][6], - $_POST['choice'][7], - $_POST['choice'][8], - $_POST['choice'][9], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $answers[0], - $_POST['qid']); - $types = "issssssssssssiiiiiiiiiii"; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('QUESTION_UPDATED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } - else - $msg->addError('DB_NOT_UPDATED'); - } -} - -if (!isset($_POST['submit'])) { - if (!($row = $testsQuestionsDAO->get($qid))){ - require_once(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - $_POST['category_id'] = $row['category_id']; - $_POST['feedback'] = $row['feedback']; - $_POST['weight'] = $row['weight']; - $_POST['question'] = $row['question']; - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = $row['choice_'.$i]; - $_POST['answer'][$i] = $row['answer_'.$i]; - } -} - -$onload = 'document.form.category_id.focus();'; -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_multichoice.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + 
exit; +} else if (isset($_POST['submit'])) { + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['tid'] = intval($_POST['tid']); + $_POST['qid'] = intval($_POST['qid']); + $_POST['weight'] = intval($_POST['weight']); + $_POST['answer'] = intval($_POST['answer']); + + if ($_POST['question'] == ''){ + $msg->addError(array('EMPTY_FIELDS', _AT('question'))); + } + + if (!$msg->containsErrors()) { + + $answers = array_fill(0, 10, 0); + $answers[$_POST['answer']] = 1; + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] =htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i])))); + } + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET + category_id=?, + feedback=?, + question=?, + choice_0=?, + choice_1=?, + + choice_2=?, + choice_3=?, + choice_4=?, + choice_5=?, + choice_6=?, + + choice_7=?, + choice_8=?, + choice_9=?, + answer_0=?, + answer_1=?, + + answer_2=?, + answer_3=?, + answer_4=?, + answer_5=?, + answer_6=?, + + answer_7=?, + answer_8=?, + answer_9=? 
+ + WHERE question_id=?"; + $values= array($_POST['category_id'], + $_POST['feedback'], + $_POST['question'], + $_POST['choice'][0], + $_POST['choice'][1], + $_POST['choice'][2], + $_POST['choice'][3], + $_POST['choice'][4], + $_POST['choice'][5], + $_POST['choice'][6], + $_POST['choice'][7], + $_POST['choice'][8], + $_POST['choice'][9], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $answers[0], + $_POST['qid']); + $types = "issssssssssssiiiiiiiiiii"; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('QUESTION_UPDATED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + } else { + $msg->addError('DB_NOT_UPDATED'); + } + + } +} + +if (!isset($_POST['submit'])) { + if (!($row = $testsQuestionsDAO->get($qid))){ + require_once(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + $_POST['category_id'] = $row['category_id']; + $_POST['feedback'] = $row['feedback']; + $_POST['weight'] = $row['weight']; + $_POST['question'] = $row['question']; + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = $row['choice_'.$i]; + $_POST['answer'][$i] = $row['answer_'.$i]; + } +} + +$onload = 'document.form.category_id.focus();'; +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_multichoice.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/edit_question_ordering.php b/tests/edit_question_ordering.php index cce2c4ef..bd1cfe5c 100644 --- a/tests/edit_question_ordering.php +++ b/tests/edit_question_ordering.php 
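Review bot: The `$values` array binds `$answers[0]` ten times for `answer_0` through `answer_9`, so the flag set by `$answers[$_POST['answer']] = 1` is only saved when the correct choice is index 0; for any other index all ten answer columns are written as 0. `$_POST['answer']` is passed through `intval()` but not range-checked, so a value outside 0–9 adds an eleventh key to `$answers` instead of being rejected. The fence below binds each index and guards the assignment; the opening of the file is not visible in this hunk.

```php
$answers = array_fill(0, 10, 0);
// only accept an index that exists in the 10-slot answer array
if (isset($answers[$_POST['answer']])) {
    $answers[$_POST['answer']] = 1;
}
// … unchanged: choice clean-up loop and $sql …
$values= array($_POST['category_id'],
    // … unchanged: feedback, question, choice[0] to choice[9] …
    $answers[0],
    $answers[1],
    $answers[2],
    $answers[3],
    $answers[4],
    $answers[5],
    $answers[6],
    $answers[7],
    $answers[8],
    $answers[9],
    $_POST['qid']);
```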
@@ -1,168 +1,180 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - $missing_fields = array(); - - $_POST['feedback'] = trim($_POST['feedback']); - $_POST['question'] = trim($_POST['question']); - $_POST['category_id'] = intval($_POST['category_id']); - - if ($_POST['question'] == ''){ - $missing_fields[] = _AT('question'); - } - - if (trim($_POST['choice'][0]) == '') { - $missing_fields[] = _AT('item').' 1'; - } - if (trim($_POST['choice'][1]) == '') { - $missing_fields[] = _AT('item').' 2'; - } - - if ($missing_fields) { - $missing_fields = implode(', ', $missing_fields); - $msg->addError(array('EMPTY_FIELDS', $missing_fields)); - } - if (!$msg->containsErrors()) { - $choice_new = array(); // stores the non-blank choices - $answer_new = array(); // stores the non-blank answers - $order = 0; // order count - for ($i=0; $i<10; $i++) { - /** - * Db defined it to be 255 length, chop strings off it it's less than that - * @harris - */ - $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255); - $_POST['choice'][$i] = trim($_POST['choice'][$i]); - - if ($_POST['choice'][$i] != '') { - /* filter out empty choices/ remove gaps */ - $choice_new[] = $_POST['choice'][$i]; - $answer_new[] = $order++; - } - } - - $_POST['choice'] = array_pad($choice_new, 10, ''); - $answer_new = array_pad($answer_new, 10, 0); - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET - category_id=?, - feedback=?, - question=?, - choice_0=?, - choice_1=?, - choice_2=?, - choice_3=?, - choice_4=?, - choice_5=?, - choice_6=?, - choice_7=?, - choice_8=?, - choice_9=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=?, - answer_0=? 
- WHERE question_id=?"; - - $values = array($_POST['category_id'], - $_POST['feedback'], - $_POST['question'], - $_POST['choice'][0], - $_POST['choice'][1], - $_POST['choice'][2], - $_POST['choice'][3], - $_POST['choice'][4], - $_POST['choice'][5], - $_POST['choice'][6], - $_POST['choice'][7], - $_POST['choice'][8], - $_POST['choice'][9], - $answer_new[0], - $answer_new[1], - $answer_new[2], - $answer_new[3], - $answer_new[4], - $answer_new[5], - $answer_new[6], - $answer_new[7], - $answer_new[8], - $answer_new[9], - $_POST['qid']); - $types = "issssssssssssiiiiiiiiiii"; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } - else - $msg->addError('DB_NOT_UPDATED'); - } -} else { - if (!($row = $testsQuestionsDAO->get($qid))){ - require_once(TR_INCLUDE_PATH.'header.inc.php'); - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - - $_POST['required'] = $row['required']; - $_POST['question'] = $row['question']; - $_POST['category_id'] = $row['category_id']; - $_POST['feedback'] = $row['feedback']; - - for ($i=0; $i<10; $i++) { - $_POST['choice'][$i] = $row['choice_'.$i]; - } -} - -$onload = 'document.form.category_id.focus();'; -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_ordering.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if 
(isset($_POST['submit'])) { + $missing_fields = array(); + + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + $_POST['category_id'] = intval($_POST['category_id']); + + if ($_POST['question'] == ''){ + $missing_fields[] = _AT('question'); + } + + if (trim($_POST['choice'][0]) == '') { + $missing_fields[] = _AT('item').' 1'; + } + if (trim($_POST['choice'][1]) == '') { + $missing_fields[] = _AT('item').' 2'; + } + + if ($missing_fields) { + $missing_fields = implode(', ', $missing_fields); + $msg->addError(array('EMPTY_FIELDS', $missing_fields)); + } + if (!$msg->containsErrors()) { + + $choice_new = array(); // stores the non-blank choices + $answer_new = array(); // stores the non-blank answers + $order = 0; // order count + for ($i=0; $i<10; $i++) { + /** + * Db defined it to be 255 length, chop strings off it it's less than that + * @harris + */ + $_POST['choice'][$i] = Utility::validateLength($_POST['choice'][$i], 255); + $_POST['choice'][$i] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['choice'][$i])))); + + if ($_POST['choice'][$i] != '') { + /* filter out empty choices/ remove gaps */ + $choice_new[] = $_POST['choice'][$i]; + $answer_new[] = $order++; + } + } + + $_POST['choice'] = array_pad($choice_new, 10, ''); + $answer_new = array_pad($answer_new, 10, 0); + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET + category_id=?, + feedback=?, + + question=?, + choice_0=?, + + choice_1=?, + choice_2=?, + choice_3=?, + + choice_4=?, + choice_5=?, + choice_6=?, + + choice_7=?, + choice_8=?, + choice_9=?, + + answer_0=?, + answer_0=?, + answer_0=?, + + answer_0=?, + answer_0=?, + answer_0=?, + + answer_0=?, + answer_0=?, + answer_0=?, + + answer_0=? 
+ WHERE question_id=?"; + + $values = array($_POST['category_id'], + $_POST['feedback'], + $_POST['question'], + $_POST['choice'][0], + $_POST['choice'][1], + $_POST['choice'][2], + $_POST['choice'][3], + $_POST['choice'][4], + $_POST['choice'][5], + $_POST['choice'][6], + $_POST['choice'][7], + $_POST['choice'][8], + $_POST['choice'][9], + $answer_new[0], + $answer_new[1], + $answer_new[2], + $answer_new[3], + $answer_new[4], + $answer_new[5], + $answer_new[6], + $answer_new[7], + $answer_new[8], + $answer_new[9], + $_POST['qid']); + $types = "issssssssssssiiiiiiiiiii"; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + } + else { + $msg->addError('DB_NOT_UPDATED'); + } + + } +} else { + if (!($row = $testsQuestionsDAO->get($qid))){ + require_once(TR_INCLUDE_PATH.'header.inc.php'); + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + + $_POST['required'] = $row['required']; + $_POST['question'] = $row['question']; + $_POST['category_id'] = $row['category_id']; + $_POST['feedback'] = $row['feedback']; + + for ($i=0; $i<10; $i++) { + $_POST['choice'][$i] = $row['choice_'.$i]; + } +} + +$onload = 'document.form.category_id.focus();'; +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_ordering.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/edit_question_truefalse.php b/tests/edit_question_truefalse.php index 59e4b80d..cd8625b4 100644 --- a/tests/edit_question_truefalse.php +++ b/tests/edit_question_truefalse.php 
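Review bot: The UPDATE statement lists `answer_0=?` ten times, so `$answer_new[1]` to `$answer_new[9]` are all bound to the same column and `answer_1` through `answer_9` are never updated. The placeholders should read `answer_0=?, answer_1=?, … answer_9=?` as in edit_question_multianswer.php. In the choice loop, `Utility::validateLength($_POST['choice'][$i], 255)` runs before the `htmlspecialchars(...)` call, and entity encoding can lengthen the string again, so the 255-character limit mentioned in the comment is no longer guaranteed; swapping the two lines restores it. `$_POST['qid']` and `$_POST['tid']` are not passed through `intval()` here, although the sibling edit pages do this and `tid` is concatenated into the `Location` header.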
@@ -1,111 +1,115 @@ -addFeedback('CANCELLED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; -} else if (isset($_POST['submit'])) { - - $_POST['question'] = trim($_POST['question']); - - if ($_POST['question'] == ''){ - $msg->addError(array('EMPTY_FIELDS', _AT('statement'))); - } - - if (!$msg->containsErrors()) { - $_POST['feedback'] = trim($_POST['feedback']); - $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=$_POST[category_id], - feedback='$_POST[feedback]', - question='$_POST[question]', - answer_0={$_POST[answer]} - WHERE question_id=$_POST[qid]"; - $values = array($_POST['category_id'], $_POST['feedback'], $_POST['question'], $_POST['answer'], $_POST['qid']); - $types = "isssi"; - if ($testsQuestionsDAO->execute($sql, $values, $types)) { - $msg->addFeedback('QUESTION_UPDATED'); - if ($_POST['tid']) { - header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); - } else { - header('Location: question_db.php?_course_id='.$_course_id); - } - exit; - } - else - $msg->addError('DB_NOT_UPDATED'); - } -} - -if (!$_POST['submit']) { - if (!($row = $testsQuestionsDAO->get($qid))){ - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; - } - - $_POST = $row; -} - -if ($_POST['answer'] == '') { - if ($_POST['answer_0'] == 1) { - $ans_yes = ' checked="checked"'; - } else if ($_POST['answer_0'] == 2){ - $ans_no = ' checked="checked"'; - } else if ($_POST['answer_0'] == 3) { - $ans_yes1 = ' checked="checked"'; - } else { - $ans_no1 = ' checked="checked"'; - } -} else { - if ($_POST['answer'] == 1) { - $ans_yes = ' checked="checked"'; - } else if($_POST['answer'] == 2){ - $ans_no = ' checked="checked"'; - } else if ($_POST['answer'] == 3) { - $ans_yes1 = ' checked="checked"'; - } else { - $ans_no1 = ' checked="checked"'; - } -} - -$onload = 
'document.form.category_id.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('qid', $qid); -$savant->assign('tid', $_REQUEST['tid']); -$savant->assign('ans_yes', $ans_yes); -$savant->assign('ans_no', $ans_no); -$savant->assign('course_id', $_course_id); -$savant->display('tests/create_edit_question_truefalse.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addFeedback('CANCELLED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; +} else if (isset($_POST['submit'])) { + + $_POST['question'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['question'])))); + + if ($_POST['question'] == ''){ + $msg->addError(array('EMPTY_FIELDS', _AT('statement'))); + } + + if (!$msg->containsErrors()) { + + $_POST['feedback'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['feedback'])))); + $sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=$_POST[category_id], + feedback='$_POST[feedback]', + question='$_POST[question]', + answer_0={$_POST[answer]} + WHERE question_id=$_POST[qid]"; + $values = array($_POST['category_id'], $_POST['feedback'], $_POST['question'], $_POST['answer'], $_POST['qid']); + $types = "isssi"; + if ($testsQuestionsDAO->execute($sql, $values, $types)) { + $msg->addFeedback('QUESTION_UPDATED'); + if ($_POST['tid']) { + header('Location: questions.php?tid='.$_POST['tid'].'&_course_id='.$_course_id); + } else { + header('Location: question_db.php?_course_id='.$_course_id); + } + exit; + } + else { + $msg->addError('DB_NOT_UPDATED'); + } + + } +} + +if (!$_POST['submit']) { + if (!($row = $testsQuestionsDAO->get($qid))){ + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; + } + + $_POST = $row; +} + +if ($_POST['answer'] == '') { + if ($_POST['answer_0'] == 1) { + $ans_yes = ' 
checked="checked"'; + } else if ($_POST['answer_0'] == 2){ + $ans_no = ' checked="checked"'; + } else if ($_POST['answer_0'] == 3) { + $ans_yes1 = ' checked="checked"'; + } else { + $ans_no1 = ' checked="checked"'; + } +} else { + if ($_POST['answer'] == 1) { + $ans_yes = ' checked="checked"'; + } else if($_POST['answer'] == 2){ + $ans_no = ' checked="checked"'; + } else if ($_POST['answer'] == 3) { + $ans_yes1 = ' checked="checked"'; + } else { + $ans_no1 = ' checked="checked"'; + } +} + +$onload = 'document.form.category_id.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('qid', $qid); +$savant->assign('tid', $_REQUEST['tid']); +$savant->assign('ans_yes', $ans_yes); +$savant->assign('ans_no', $ans_no); +$savant->assign('course_id', $_course_id); +$savant->display('tests/create_edit_question_truefalse.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/edit_test.php b/tests/edit_test.php index f1c07050..42dcfcc4 100644 --- a/tests/edit_test.php +++ b/tests/edit_test.php 
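Review bot: The `$sql` string in the submit branch interpolates `$_POST[category_id]`, `$_POST[feedback]`, `$_POST[question]`, `$_POST[answer]` and `$_POST[qid]` directly into the UPDATE statement, so the `$values`/`$types` arguments passed to `execute()` have no placeholders to bind to. `category_id`, `answer` and `qid` sit in unquoted numeric positions and are never passed through `intval()`, and `htmlspecialchars()` is an HTML encoder rather than SQL escaping, so the added filter chain does not make this statement safe. The statement should use `?` placeholders like the other edit_question_* pages in this commit, as in the fence below. The `$ans_yes1` and `$ans_no1` values set further down are never passed to `$savant->assign()`.

```php
$sql = "UPDATE ".TABLE_PREFIX."tests_questions SET category_id=?,
    feedback=?,
    question=?,
    answer_0=?
    WHERE question_id=?";
// … unchanged: $values, $types and the execute() call …
```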
@@ -1,52 +1,55 @@ -get($tid); - -if (isset($_POST['cancel'])) { - $msg->addFeedback('CANCELLED'); - header('Location: index.php?_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit'])) { - if ($testsDAO->Update($_POST['tid'], $_POST['title'], $_POST['description'])) - { - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: index.php?_course_id='.$_course_id); - exit; - } -} - -$onload = 'document.form.title.focus();'; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); -$msg->printErrors(); - -$savant->assign('course_id', $_course_id); -$savant->assign('tid', $tid); -$savant->assign('row', $row); - -$savant->display('tests/create_edit_test.tmpl.php'); - -require (TR_INCLUDE_PATH.'footer.inc.php'); - -?> \ No newline at end of file +get($tid); + +if (isset($_POST['cancel'])) { + $msg->addFeedback('CANCELLED'); + header('Location: index.php?_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit'])) { + + if ($testsDAO->Update($_POST['tid'], htmlspecialchars(trim(stripslashes(strip_tags($_POST['title'])))), htmlspecialchars(trim(stripslashes(strip_tags($_POST['description'])))))); + { + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: index.php?_course_id='.$_course_id); + exit; + } + +} + +$onload = 'document.form.title.focus();'; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); +$msg->printErrors(); + +$savant->assign('course_id', $_course_id); +$savant->assign('tid', $tid); +$savant->assign('row', $row); + +$savant->display('tests/create_edit_test.tmpl.php'); + +require (TR_INCLUDE_PATH.'footer.inc.php'); + +?> diff --git a/tests/export_test.php b/tests/export_test.php index 96837ea7..c720211c 100644 --- a/tests/export_test.php +++ b/tests/export_test.php 
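Review bot: The rewritten `if ($testsDAO->Update(...));` line ends with a semicolon after the closing parenthesis, which makes the `if` body an empty statement. The `{ ... }` block that follows therefore runs unconditionally, so `ACTION_COMPLETED_SUCCESSFULLY` is reported and the redirect is sent even when `Update()` fails. The trailing `;` should be dropped so that the line ends in `...strip_tags($_POST['description'])))))` and the brace block is the body of the condition again. Assigning the two cleaned values to local variables first would keep the parentheses readable, and `$_POST['tid']` is passed to `Update()` without an `intval()`.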
@@ -1,38 +1,39 @@ -get($tid))) { - $msg->addError('ITEM_NOT_FOUND'); - header('Location: index.php?_course_id='.$_course_id); - exit; -} - -//export -if (!test_qti_export($tid, $test_row['title'])) { - $msg->addInfo('TEST_NO_QUESTION'); - header('Location: index.php?_course_id='.$_course_id); - exit; -} -?> \ No newline at end of file +get($tid))) { + $msg->addError('ITEM_NOT_FOUND'); + header('Location: index.php?_course_id='.$_course_id); + exit; +} + +//export +if (!test_qti_export($tid, $test_row['title'])) { + $msg->addInfo('TEST_NO_QUESTION'); + header('Location: index.php?_course_id='.$_course_id); + exit; +} +?> diff --git a/tests/form_editor.php b/tests/form_editor.php index 803de959..bad7dcaa 100644 --- a/tests/form_editor.php +++ b/tests/form_editor.php @@ -12,6 +12,7 @@ $page = 'form_editor'; define('TR_INCLUDE_PATH', '../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'lib/tinymce.inc.php'); require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); @@ -117,4 +118,4 @@ function insertTo(field) { - \ No newline at end of file + diff --git a/tests/html/tests_questions.inc.php b/tests/html/tests_questions.inc.php index fb48903d..fa5fc33f 100644 --- a/tests/html/tests_questions.inc.php +++ b/tests/html/tests_questions.inc.php @@ -30,7 +30,7 @@ $cats = array(); if ($_GET['category_id'] >= 0) { - $category_row = $testsQuestionsCategoriesDAO->get($_GET[category_id]); + $category_row = $testsQuestionsCategoriesDAO->get($_GET['category_id']); } else { $category_rows = $testsQuestionsCategoriesDAO->getByCourseID($_course_id); } diff --git a/tests/import_test.php b/tests/import_test.php index 7a439c22..50cafb5e 100644 --- a/tests/import_test.php +++ b/tests/import_test.php 
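Review bot: In tests/html/tests_questions.inc.php the corrected call still passes the raw request value to the DAO, `$testsQuestionsCategoriesDAO->get($_GET['category_id'])`, and the guard above it compares an unvalidated string with `>= 0`. If `get()` does not cast its argument (not visible here), the value should be normalised first, for example `$category_id = isset($_GET['category_id']) ? intval($_GET['category_id']) : -1;`, and that variable used in both places. The surrounding code starts and ends outside this hunk.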
@@ -1,342 +1,343 @@ -addFeedback('IMPORT_CANCELLED'); - header('Location: index.php?_course_id='.$_course_id); - exit; -} - -/* functions */ -/* called at the start of en element */ -/* builds the $path array which is the path from the root to the current element */ -function startElement($parser, $name, $attrs) { - global $attributes, $element_path, $resource_num; - //save attributes. - switch($name) { - case 'resource': - $attributes[$name.$resource_num]['identifier'] = $attrs['identifier']; - $attributes[$name.$resource_num]['href'] = $attrs['href']; - $attributes[$name.$resource_num]['type'] = $attrs['type']; - $resource_num++; - break; - case 'file': - if(in_array('resource', $element_path)){ - $attributes['resource'.($resource_num-1)]['file'][] = $attrs['href']; - } - break; - case 'dependency': - if(in_array('resource', $element_path)){ - $attributes['resource'.($resource_num-1)]['dependency'][] = $attrs['identifierref']; - } - break; - - } - array_push($element_path, $name); -} - -/* called when an element ends */ -/* removed the current element from the $path */ -function endElement($parser, $name) { - global $element_path, $test_title, $character_data; - switch($name) { - case 'title': - if (in_array('organization', $element_path)){ - $test_title = $character_data; - } - } - $character_data = ''; - array_pop($element_path); -} - -/* called when there is character data within elements */ -/* constructs the $items array using the last entry in $path as the parent element */ -function characterData($parser, $data){ - global $character_data; - if (trim($data)!=''){ - $character_data .= preg_replace('/[\t\0\x0B]*/', '', $data); - } -} - -//If overwrite hasn't been set to true, then the file has not been exported and still in the cache. -//otherwise, the zip file is extracted but has not been deleted (due to the confirmation). 
-if (!$overwrite){ - if (!isset($_POST['submit_import'])) { - /* just a catch all */ - - $errors = array('FILE_MAX_SIZE', ini_get('post_max_size')); - $msg->addError($errors); - - header('Location: index.php?_course_id='.$_course_id); - exit; - } - - - //Handles import - /* - if (isset($_POST['url']) && ($_POST['url'] != 'http://') ) { - if ($content = @file_get_contents($_POST['url'])) { - - // save file to /content/ - $filename = substr(time(), -6). '.zip'; - $full_filename = TR_CONTENT_DIR . $filename; - - if (!$fp = fopen($full_filename, 'w+b')) { - echo "Cannot open file ($filename)"; - exit; - } - - if (fwrite($fp, $content, strlen($content) ) === FALSE) { - echo "Cannot write to file ($filename)"; - exit; - } - fclose($fp); - } - $_FILES['file']['name'] = $filename; - $_FILES['file']['tmp_name'] = $full_filename; - $_FILES['file']['size'] = strlen($content); - unset($content); - $url_parts = pathinfo($_POST['url']); - $package_base_name_url = $url_parts['basename']; - } - */ - $ext = pathinfo($_FILES['file']['name']); - $ext = $ext['extension']; - - if ($ext != 'zip') { - $msg->addError('IMPORTDIR_IMS_NOTVALID'); - } else if ($_FILES['file']['error'] == 1) { - $errors = array('FILE_MAX_SIZE', ini_get('upload_max_filesize')); - $msg->addError($errors); - } else if ( !$_FILES['file']['name'] || (!is_uploaded_file($_FILES['file']['tmp_name']) && !$_POST['url'])) { - $msg->addError('FILE_NOT_SELECTED'); - } else if ($_FILES['file']['size'] == 0) { - $msg->addError('IMPORTFILE_EMPTY'); - } -} - -if ($msg->containsErrors()) { -// if (isset($_GET['tile'])) { -// header('Location: '.$_base_path.'tile/index.php'); -// } else { - header('Location: index.php?_course_id='.$_course_id); -// } - exit; -} - -/* check if ../content/import/ exists */ -$import_path = TR_CONTENT_DIR . 
'import/'; -$content_path = TR_CONTENT_DIR; - -if (!is_dir($import_path)) { - if (!@mkdir($import_path, 0700)) { - $msg->addError('IMPORTDIR_FAILED'); - } -} - -$import_path .= $_course_id.'/'; -if (!$overwrite){ - if (is_dir($import_path)) { - FileUtility::clr_dir($import_path); - } - - if (!@mkdir($import_path, 0700)) { - $msg->addError('IMPORTDIR_FAILED'); - } - - /* extract the entire archive into TR_COURSE_CONTENT . import/$course using the call back function to filter out php files */ - error_reporting(0); - $archive = new PclZip($_FILES['file']['tmp_name']); - if ($archive->extract( PCLZIP_OPT_PATH, $import_path, - PCLZIP_CB_PRE_EXTRACT, 'preImportCallBack') == 0) { - $msg->addError('IMPORT_FAILED'); - echo 'Error : '.$archive->errorInfo(true); - FileUtility::clr_dir($import_path); - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } - error_reporting(TR_ERROR_REPORTING); -} -/* get the course's max_quota */ -$coursesDAO = new CoursesDAO(); -$q_row = $coursesDAO->get($_course_id); - -if ($q_row['max_quota'] != TR_COURSESIZE_UNLIMITED) { - $zip_size_limit = $MaxCourseSize; - - $totalBytes = FileUtility::dirsize($import_path); - - $total_after = $zip_size_limit - $totalBytes; - - if (is_dir(TR_CONTENT_DIR . $_course_id.'/')) - { - $course_total = FileUtility::dirsize(TR_CONTENT_DIR . $_course_id.'/'); - $total_after -= $course_total; - } - - if ($total_after < 0) { - /* remove the content dir, since there's no space for it */ - $errors = array('NO_CONTENT_SPACE', number_format(-1*($total_after/TR_KBYTE_SIZE), 2 ) ); - $msg->addError($errors); - - // Clean up import path and inserted course row - FileUtility::clr_dir($import_path); - - header('Location: index.php?_course_id='.$_course_id); - exit; - } -} - -$ims_manifest_xml = @file_get_contents($import_path.'imsmanifest.xml'); - -if ($ims_manifest_xml === false) { - $msg->addError('NO_IMSMANIFEST'); - - if (file_exists($import_path . 
'atutor_backup_version')) { - $msg->addError('NO_IMS_BACKUP'); - } - - FileUtility::clr_dir($import_path); - -// if (isset($_GET['tile'])) { -// header('Location: '.$_base_path.'tile/index.php'); -// } else { - header('Location: index.php?_course_id='.$_course_id); -// } - exit; -} - -$xml_parser = xml_parser_create(); - -xml_parser_set_option($xml_parser, XML_OPTION_CASE_FOLDING, false); /* conform to W3C specs */ -xml_set_element_handler($xml_parser, 'startElement', 'endElement'); -xml_set_character_data_handler($xml_parser, 'characterData'); - -if (!xml_parse($xml_parser, $ims_manifest_xml, true)) { - die(sprintf("XML error: %s at line %d", - xml_error_string(xml_get_error_code($xml_parser)), - xml_get_current_line_number($xml_parser))); -} - -xml_parser_free($xml_parser); - -//assign folder names -//if (!$package_base_name){ -// $package_base_name = substr($_FILES['file']['name'], 0, -4); -//} - -//$package_base_name = strtolower($package_base_name); -//$package_base_name = str_replace(array('\'', '"', ' ', '|', '\\', '/', '<', '>', ':'), '_' , $package_base_name); -//$package_base_name = preg_replace("/[^A-Za-z0-9._\-]/", '', $package_base_name); - -//if (is_dir(TR_CONTENT_DIR . $_SESSION['course_id'].'/'.$package_base_name)) { -// echo 'Already exist: Quitting. (Need better msg here)'; -// exit; -// $package_base_name .= '_'.date('ymdHis'); -//} - -if ($package_base_path) { - $package_base_path = implode('/', $package_base_path); -} - - -//Dependency handling -//$media_items = array(); -$xml_items = array(); -//foreach($attributes as $resource=>$attrs){ -// if ($attrs['type'] != 'webcontent'){ -// $media_items[$attrs['identifier']] = $attrs['file']; -// } -//} - -//Check if the files exist, if so, warn the user. -$existing_files = isQTIFileExist($attributes); - -if (!$overwrite && !empty($existing_files)){ - $existing_files = implode('
    ', $existing_files); - require_once(TR_INCLUDE_PATH.'header.inc.php'); -// $msg->addConfirm(array('MEDIA_FILE_EXISTED', $existing_files)); -// $msg->printConfirm(); - echo '
    '; - echo '
    '; - echo '
    '; - $msg->printInfos(array('MEDIA_FILE_EXISTED', $existing_files)); - echo '
    '; - echo '
    '; - echo ''; - echo ''; - echo ''; - ECHO ''; - echo '
    '; - echo '
    '; - require (TR_INCLUDE_PATH.'footer.inc.php'); - - exit; -} - -//Get the XML file out and start importing them into our database. -//TODO: See question_import.php 287-289. -$qti_import = new QTIImport($import_path); -$qids = $qti_import->importQuestions($attributes); - -//import test -$tid = $qti_import->importTest(); - -//associate question and tests -foreach ($qids as $order=>$qid){ - if (isset($qti_import->weights[$order])){ - $weight = round($qti_import->weights[$order]); - } else { - $weight = 0; - } - $new_order = $order + 1; - - $testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); - $testsQuestionsAssocDAO->Create($tid, $qid, $weight, $new_order); -} - -if (!$msg->containsErrors()) { - $msg->addFeedback('IMPORT_SUCCEEDED'); -} - -//clear directory -FileUtility::clr_dir(TR_CONTENT_DIR . 'import/'.$_course_id); - -header('Location: index.php?_course_id='.$_course_id); -exit; -?> \ No newline at end of file +addFeedback('IMPORT_CANCELLED'); + header('Location: index.php?_course_id='.$_course_id); + exit; +} + +/* functions */ +/* called at the start of en element */ +/* builds the $path array which is the path from the root to the current element */ +function startElement($parser, $name, $attrs) { + global $attributes, $element_path, $resource_num; + //save attributes. 
+ switch($name) { + case 'resource': + $attributes[$name.$resource_num]['identifier'] = $attrs['identifier']; + $attributes[$name.$resource_num]['href'] = $attrs['href']; + $attributes[$name.$resource_num]['type'] = $attrs['type']; + $resource_num++; + break; + case 'file': + if(in_array('resource', $element_path)){ + $attributes['resource'.($resource_num-1)]['file'][] = $attrs['href']; + } + break; + case 'dependency': + if(in_array('resource', $element_path)){ + $attributes['resource'.($resource_num-1)]['dependency'][] = $attrs['identifierref']; + } + break; + + } + array_push($element_path, $name); +} + +/* called when an element ends */ +/* removed the current element from the $path */ +function endElement($parser, $name) { + global $element_path, $test_title, $character_data; + switch($name) { + case 'title': + if (in_array('organization', $element_path)){ + $test_title = $character_data; + } + } + $character_data = ''; + array_pop($element_path); +} + +/* called when there is character data within elements */ +/* constructs the $items array using the last entry in $path as the parent element */ +function characterData($parser, $data){ + global $character_data; + if (trim($data)!=''){ + $character_data .= preg_replace('/[\t\0\x0B]*/', '', $data); + } +} + +//If overwrite hasn't been set to true, then the file has not been exported and still in the cache. +//otherwise, the zip file is extracted but has not been deleted (due to the confirmation). +if (!$overwrite){ + if (!isset($_POST['submit_import'])) { + /* just a catch all */ + + $errors = array('FILE_MAX_SIZE', ini_get('post_max_size')); + $msg->addError($errors); + + header('Location: index.php?_course_id='.$_course_id); + exit; + } + + + //Handles import + /* + if (isset($_POST['url']) && ($_POST['url'] != 'http://') ) { + if ($content = @file_get_contents($_POST['url'])) { + + // save file to /content/ + $filename = substr(time(), -6). '.zip'; + $full_filename = TR_CONTENT_DIR . 
$filename; + + if (!$fp = fopen($full_filename, 'w+b')) { + echo "Cannot open file ($filename)"; + exit; + } + + if (fwrite($fp, $content, strlen($content) ) === FALSE) { + echo "Cannot write to file ($filename)"; + exit; + } + fclose($fp); + } + $_FILES['file']['name'] = $filename; + $_FILES['file']['tmp_name'] = $full_filename; + $_FILES['file']['size'] = strlen($content); + unset($content); + $url_parts = pathinfo($_POST['url']); + $package_base_name_url = $url_parts['basename']; + } + */ + $ext = pathinfo($_FILES['file']['name']); + $ext = $ext['extension']; + + if ($ext != 'zip') { + $msg->addError('IMPORTDIR_IMS_NOTVALID'); + } else if ($_FILES['file']['error'] == 1) { + $errors = array('FILE_MAX_SIZE', ini_get('upload_max_filesize')); + $msg->addError($errors); + } else if ( !$_FILES['file']['name'] || (!is_uploaded_file($_FILES['file']['tmp_name']) && !$_POST['url'])) { + $msg->addError('FILE_NOT_SELECTED'); + } else if ($_FILES['file']['size'] == 0) { + $msg->addError('IMPORTFILE_EMPTY'); + } +} + +if ($msg->containsErrors()) { +// if (isset($_GET['tile'])) { +// header('Location: '.$_base_path.'tile/index.php'); +// } else { + header('Location: index.php?_course_id='.$_course_id); +// } + exit; +} + +/* check if ../content/import/ exists */ +$import_path = TR_CONTENT_DIR . 'import/'; +$content_path = TR_CONTENT_DIR; + +if (!is_dir($import_path)) { + if (!@mkdir($import_path, 0700)) { + $msg->addError('IMPORTDIR_FAILED'); + } +} + +$import_path .= $_course_id.'/'; +if (!$overwrite){ + if (is_dir($import_path)) { + FileUtility::clr_dir($import_path); + } + + if (!@mkdir($import_path, 0700)) { + $msg->addError('IMPORTDIR_FAILED'); + } + + /* extract the entire archive into TR_COURSE_CONTENT . 
import/$course using the call back function to filter out php files */ + error_reporting(0); + $archive = new PclZip($_FILES['file']['tmp_name']); + if ($archive->extract( PCLZIP_OPT_PATH, $import_path, + PCLZIP_CB_PRE_EXTRACT, 'preImportCallBack') == 0) { + $msg->addError('IMPORT_FAILED'); + echo 'Error : '.$archive->errorInfo(true); + FileUtility::clr_dir($import_path); + header('Location: question_db.php?_course_id='.$_course_id); + exit; + } + error_reporting(TR_ERROR_REPORTING); +} +/* get the course's max_quota */ +$coursesDAO = new CoursesDAO(); +$q_row = $coursesDAO->get($_course_id); + +if ($q_row['max_quota'] != TR_COURSESIZE_UNLIMITED) { + $zip_size_limit = $MaxCourseSize; + + $totalBytes = FileUtility::dirsize($import_path); + + $total_after = $zip_size_limit - $totalBytes; + + if (is_dir(TR_CONTENT_DIR . $_course_id.'/')) + { + $course_total = FileUtility::dirsize(TR_CONTENT_DIR . $_course_id.'/'); + $total_after -= $course_total; + } + + if ($total_after < 0) { + /* remove the content dir, since there's no space for it */ + $errors = array('NO_CONTENT_SPACE', number_format(-1*($total_after/TR_KBYTE_SIZE), 2 ) ); + $msg->addError($errors); + + // Clean up import path and inserted course row + FileUtility::clr_dir($import_path); + + header('Location: index.php?_course_id='.$_course_id); + exit; + } +} + +$ims_manifest_xml = @file_get_contents($import_path.'imsmanifest.xml'); + +if ($ims_manifest_xml === false) { + $msg->addError('NO_IMSMANIFEST'); + + if (file_exists($import_path . 
'atutor_backup_version')) { + $msg->addError('NO_IMS_BACKUP'); + } + + FileUtility::clr_dir($import_path); + +// if (isset($_GET['tile'])) { +// header('Location: '.$_base_path.'tile/index.php'); +// } else { + header('Location: index.php?_course_id='.$_course_id); +// } + exit; +} + +$xml_parser = xml_parser_create(); + +xml_parser_set_option($xml_parser, XML_OPTION_CASE_FOLDING, false); /* conform to W3C specs */ +xml_set_element_handler($xml_parser, 'startElement', 'endElement'); +xml_set_character_data_handler($xml_parser, 'characterData'); + +if (!xml_parse($xml_parser, $ims_manifest_xml, true)) { + die(sprintf("XML error: %s at line %d", + xml_error_string(xml_get_error_code($xml_parser)), + xml_get_current_line_number($xml_parser))); +} + +xml_parser_free($xml_parser); + +//assign folder names +//if (!$package_base_name){ +// $package_base_name = substr($_FILES['file']['name'], 0, -4); +//} + +//$package_base_name = strtolower($package_base_name); +//$package_base_name = str_replace(array('\'', '"', ' ', '|', '\\', '/', '<', '>', ':'), '_' , $package_base_name); +//$package_base_name = preg_replace("/[^A-Za-z0-9._\-]/", '', $package_base_name); + +//if (is_dir(TR_CONTENT_DIR . $_SESSION['course_id'].'/'.$package_base_name)) { +// echo 'Already exist: Quitting. (Need better msg here)'; +// exit; +// $package_base_name .= '_'.date('ymdHis'); +//} + +if ($package_base_path) { + $package_base_path = implode('/', $package_base_path); +} + + +//Dependency handling +//$media_items = array(); +$xml_items = array(); +//foreach($attributes as $resource=>$attrs){ +// if ($attrs['type'] != 'webcontent'){ +// $media_items[$attrs['identifier']] = $attrs['file']; +// } +//} + +//Check if the files exist, if so, warn the user. +$existing_files = isQTIFileExist($attributes); + +if (!$overwrite && !empty($existing_files)){ + $existing_files = implode('
    ', $existing_files); + require_once(TR_INCLUDE_PATH.'header.inc.php'); +// $msg->addConfirm(array('MEDIA_FILE_EXISTED', $existing_files)); +// $msg->printConfirm(); + echo '
    '; + echo '
    '; + echo '
    '; + $msg->printInfos(array('MEDIA_FILE_EXISTED', $existing_files)); + echo '
    '; + echo '
    '; + echo ''; + echo ''; + echo ''; + ECHO ''; + echo '
    '; + echo '
    '; + require (TR_INCLUDE_PATH.'footer.inc.php'); + + exit; +} + +//Get the XML file out and start importing them into our database. +//TODO: See question_import.php 287-289. +$qti_import = new QTIImport($import_path); +$qids = $qti_import->importQuestions($attributes); + +//import test +$tid = $qti_import->importTest(); + +//associate question and tests +foreach ($qids as $order=>$qid){ + if (isset($qti_import->weights[$order])){ + $weight = round($qti_import->weights[$order]); + } else { + $weight = 0; + } + $new_order = $order + 1; + + $testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); + $testsQuestionsAssocDAO->Create($tid, $qid, $weight, $new_order); +} + +if (!$msg->containsErrors()) { + $msg->addFeedback('IMPORT_SUCCEEDED'); +} + +//clear directory +FileUtility::clr_dir(TR_CONTENT_DIR . 'import/'.$_course_id); + +header('Location: index.php?_course_id='.$_course_id); +exit; +?> diff --git a/tests/index.php b/tests/index.php index 2793a57c..c96b23d9 100644 --- a/tests/index.php +++ b/tests/index.php @@ -1,56 +1,57 @@ -addError('NO_ITEM_SELECTED'); -} - -$testsDAO = new TestsDAO(); -/* get a list of all the tests we have, and links to create, edit, delete, preview */ -$rows = $testsDAO->getByCourseID($_course_id); - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('course_id', $_course_id); -$savant->assign('rows', $rows); - -$savant->display('tests/index.tmpl.php'); - -require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +addError('NO_ITEM_SELECTED'); +} + +$testsDAO = new TestsDAO(); +/* get a list of all the tests we have, and links to create, edit, delete, preview */ +$rows = $testsDAO->getByCourseID($_course_id); + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('course_id', $_course_id); +$savant->assign('rows', $rows); + +$savant->display('tests/index.tmpl.php'); + +require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> 
diff --git a/tests/preview.php b/tests/preview.php index bc0b3cbd..7a7d9d01 100644 --- a/tests/preview.php +++ b/tests/preview.php @@ -1,94 +1,95 @@ -get($tid))) { - $msg->printErrors('ITEM_NOT_FOUND'); - require (TR_INCLUDE_PATH.'footer.inc.php'); - exit; -} - -$rows = $testsQuestionsAssocDAO->getByTestID($tid); -$count = 1; -?> -
    - - -
    -

    - - - -
    - -
    -
    - - - display($row); - } - - // "back" button only appears when the request is from index page of "tests" module - if (stripos($_SERVER['HTTP_REFERER'], 'tests/index.php')) { ?> -
    - -
    - -
    -
    - -printErrors('NO_QUESTIONS'); -} - - -require_once(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +get($tid))) { + $msg->printErrors('ITEM_NOT_FOUND'); + require (TR_INCLUDE_PATH.'footer.inc.php'); + exit; +} + +$rows = $testsQuestionsAssocDAO->getByTestID($tid); +$count = 1; +?> +
    + + +
    +

    + + + +
    + +
    +
    + + + display($row); + } + + // "back" button only appears when the request is from index page of "tests" module + if (stripos($_SERVER['HTTP_REFERER'], 'tests/index.php')) { ?> +
    + +
    + +
    +
    + +printErrors('NO_QUESTIONS'); +} + + +require_once(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/preview_question.php b/tests/preview_question.php index 29dd71e3..7c4e173f 100644 --- a/tests/preview_question.php +++ b/tests/preview_question.php @@ -11,6 +11,7 @@ /************************************************************************/ define('TR_INCLUDE_PATH', '../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/testQuestions.class.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); @@ -60,4 +61,4 @@ function iframeSetHeight(id, height) { } //--> - \ No newline at end of file + diff --git a/tests/question_cats.php b/tests/question_cats.php index 95f99041..801c0b4e 100644 --- a/tests/question_cats.php +++ b/tests/question_cats.php @@ -12,6 +12,7 @@ $page = 'tests'; define('TR_INCLUDE_PATH', '../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsCategoriesDAO.class.php'); require_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); @@ -42,4 +43,4 @@ $savant->display('tests/question_cats.tmpl.php'); -require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> \ No newline at end of file +require_once(TR_INCLUDE_PATH.'footer.inc.php'); ?> diff --git a/tests/question_cats_delete.php b/tests/question_cats_delete.php index dea9e756..7d4f7b64 100644 --- a/tests/question_cats_delete.php +++ b/tests/question_cats_delete.php @@ -12,6 +12,7 @@ $page = 'tests'; define('TR_INCLUDE_PATH', '../include/'); + require_once(TR_INCLUDE_PATH.'vitals.inc.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsCategoriesDAO.class.php'); require_once(TR_INCLUDE_PATH.'classes/DAO/TestsQuestionsDAO.class.php'); @@ -62,4 +63,4 @@ $msg->printConfirm(); require_once(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +?> 
diff --git a/tests/question_cats_manage.php b/tests/question_cats_manage.php index cc92364f..9b5332c4 100644 --- a/tests/question_cats_manage.php +++ b/tests/question_cats_manage.php @@ -28,7 +28,7 @@ exit; } else if (isset($_POST['submit'])) { - $_POST['title'] = trim($_POST['title']); + $_POST['title'] = htmlspecialchars(trim(stripslashes(strip_tags($_POST['title'])))); if (!empty($_POST['title']) && !isset($_POST['catid'])) { if ($testsQuestionsCategoriesDAO->Create($_course_id, $_POST['title'])) @@ -73,4 +73,4 @@ require_once(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +?> diff --git a/tests/question_db.php b/tests/question_db.php index 0cec69da..e3e08ac4 100644 --- a/tests/question_db.php +++ b/tests/question_db.php 
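Review bot: The new assignment to `$_POST['title']` HTML-encodes the value before it is stored, using `htmlspecialchars()` with default flags and an unconditional `stripslashes()`. Default flags leave single quotes unescaped on PHP versions before 8.1, so the stored title is still unsafe inside a single-quoted attribute, and `stripslashes()` removes backslashes the user actually typed unless magic quotes are enabled. Storing entities also means any template that escapes on output will display `&amp;` literally. Consider `htmlspecialchars(trim(strip_tags($_POST['title'])), ENT_QUOTES, 'UTF-8')`, or keep only `trim()` here and escape where the title is printed; the templates are not visible in this hunk. The same chain wraps `title` and `description` in the test-update hunk earlier in this diff.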
@@ -1,106 +1,107 @@ -addError('NO_ITEM_SELECTED'); -} else if (isset($_GET['submit_create'], $_GET['question_type'])) { - header('Location: '.TR_BASE_HREF.'tests/create_question_'.addslashes($_GET['question_type']).'.php?_course_id='.$_course_id); - exit; -} else if (isset($_GET['edit'])) { - $id = current($_GET['questions']); - $num_selected = count($id); - - if ($num_selected == 1) { - $ids = explode('|', $id[0], 2); - $o = TestQuestions::getQuestion($ids[1]); - if ($name = $o->getPrefix()) { - header('Location: '.TR_BASE_HREF.'tests/edit_question_'.$name.'.php?qid='.intval($ids[0]).'&_course_id='.$_course_id); - exit; - } else { - header('Location: '.TR_BASE_HREF.'tests/index.php?_course_id='.$_course_id); - exit; - } - } else { - $msg->addError('SELECT_ONE_ITEM'); - } - -} else if (isset($_GET['delete'])) { - $id = current($_GET['questions']); - $ids = array(); - foreach ($_GET['questions'] as $category_questions) { - $ids = array_merge($ids, $category_questions); - } - - array_walk($ids, 'intval_array'); - $ids = implode(',',$ids); - - header('Location: '.TR_BASE_HREF.'tests/delete_question.php?qid='.$ids.'&_course_id='.$_course_id); - exit; -} else if (isset($_GET['preview'])) { - $ids = array(); - foreach ($_GET['questions'] as $category_questions) { - $ids = array_merge($ids, $category_questions); - } - - array_walk($ids, 'intval_array'); - $ids = implode(',',$ids); - - header('Location: '.TR_BASE_HREF.'tests/preview_question.php?qid='.$ids.'&_course_id='.$_course_id); - exit; -} else if (isset($_GET['add'])) { - $id = current($_GET['questions']); - $ids = explode('|', $id[0], 2); -} else if (isset($_GET['export'])) { - $ids = array(); - foreach ($_GET['questions'] as $category_questions) { - $ids = array_merge($ids, $category_questions); - } - - array_walk($ids, 'intval_array'); - - if ($_GET['qti_export_version']=='2.1'){ - test_question_qti_export_v2p1($ids); - } else { - test_question_qti_export($ids); - } - - exit; -} - 
-require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$savant->assign('course_id', $_course_id); -$savant->assign('tid', $tid); -$savant->assign('questions', TestQuestions::getQuestionPrefixNames()); - -$savant->display('tests/question_db_top.tmpl.php'); - -$tid = 0; - -require_once(TR_INCLUDE_PATH.'../tests/html/tests_questions.inc.php'); -?> -
    - - - \ No newline at end of file +addError('NO_ITEM_SELECTED'); +} else if (isset($_GET['submit_create'], $_GET['question_type'])) { + header('Location: '.TR_BASE_HREF.'tests/create_question_'.addslashes($_GET['question_type']).'.php?_course_id='.$_course_id); + exit; +} else if (isset($_GET['edit'])) { + $id = current($_GET['questions']); + $num_selected = count($id); + + if ($num_selected == 1) { + $ids = explode('|', $id[0], 2); + $o = TestQuestions::getQuestion($ids[1]); + if ($name = $o->getPrefix()) { + header('Location: '.TR_BASE_HREF.'tests/edit_question_'.$name.'.php?qid='.intval($ids[0]).'&_course_id='.$_course_id); + exit; + } else { + header('Location: '.TR_BASE_HREF.'tests/index.php?_course_id='.$_course_id); + exit; + } + } else { + $msg->addError('SELECT_ONE_ITEM'); + } + +} else if (isset($_GET['delete'])) { + $id = current($_GET['questions']); + $ids = array(); + foreach ($_GET['questions'] as $category_questions) { + $ids = array_merge($ids, $category_questions); + } + + array_walk($ids, 'intval_array'); + $ids = implode(',',$ids); + + header('Location: '.TR_BASE_HREF.'tests/delete_question.php?qid='.$ids.'&_course_id='.$_course_id); + exit; +} else if (isset($_GET['preview'])) { + $ids = array(); + foreach ($_GET['questions'] as $category_questions) { + $ids = array_merge($ids, $category_questions); + } + + array_walk($ids, 'intval_array'); + $ids = implode(',',$ids); + + header('Location: '.TR_BASE_HREF.'tests/preview_question.php?qid='.$ids.'&_course_id='.$_course_id); + exit; +} else if (isset($_GET['add'])) { + $id = current($_GET['questions']); + $ids = explode('|', $id[0], 2); +} else if (isset($_GET['export'])) { + $ids = array(); + foreach ($_GET['questions'] as $category_questions) { + $ids = array_merge($ids, $category_questions); + } + + array_walk($ids, 'intval_array'); + + if ($_GET['qti_export_version']=='2.1'){ + test_question_qti_export_v2p1($ids); + } else { + test_question_qti_export($ids); + } + + exit; +} + 
+require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$savant->assign('course_id', $_course_id); +$savant->assign('tid', $tid); +$savant->assign('questions', TestQuestions::getQuestionPrefixNames()); + +$savant->display('tests/question_db_top.tmpl.php'); + +$tid = 0; + +require_once(TR_INCLUDE_PATH.'../tests/html/tests_questions.inc.php'); +?> +
    + + + diff --git a/tests/question_import.php b/tests/question_import.php index ff559e88..9b2208fa 100644 --- a/tests/question_import.php +++ b/tests/question_import.php 
@@ -1,303 +1,304 @@ -addFeedback('IMPORT_CANCELLED'); - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} - -/* functions */ -/* called at the start of en element */ -/* builds the $path array which is the path from the root to the current element */ -function startElement($parser, $name, $attrs) { - global $attributes, $element_path, $resource_num; - //save attributes. - switch($name) { - case 'resource': - $attributes[$name.$resource_num]['identifier'] = $attrs['identifier']; - $attributes[$name.$resource_num]['href'] = $attrs['href']; - $attributes[$name.$resource_num]['type'] = $attrs['type']; - $resource_num++; - break; - case 'file': - if(in_array('resource', $element_path)){ - $attributes['resource'.($resource_num-1)]['file'][] = $attrs['href']; - } - break; - case 'dependency': - if(in_array('resource', $element_path)){ - $attributes['resource'.($resource_num-1)]['dependency'][] = $attrs['identifierref']; - } - break; - - } - array_push($element_path, $name); -} - -/* called when an element ends */ -/* removed the current element from the $path */ -function endElement($parser, $name) { - global $element_path; - array_pop($element_path); -} - -/* called when there is character data within elements */ -/* constructs the $items array using the last entry in $path as the parent element */ -function characterData($parser, $data){ - global $character_data; - if (trim($data)!=''){ - $character_data .= preg_replace('/[\t\0\x0B]*/', '', $data); - } -} - -//If overwrite hasn't been set to true, then the file has not been exported and still in the cache. -//otherwise, the zip file is extracted but has not been deleted (due to the confirmation). 
-if (!$overwrite){ - if (!isset($_POST['submit_import'])) { - /* just a catch all */ - - $errors = array('FILE_MAX_SIZE', ini_get('post_max_size')); - $msg->addError($errors); - - header('Location: ./question_db.php?_course_id='.$_course_id); - exit; - } - - - //Handles import - /* - if (isset($_POST['url']) && ($_POST['url'] != 'http://') ) { - if ($content = @file_get_contents($_POST['url'])) { - - // save file to /content/ - $filename = substr(time(), -6). '.zip'; - $full_filename = TR_CONTENT_DIR . $filename; - - if (!$fp = fopen($full_filename, 'w+b')) { - echo "Cannot open file ($filename)"; - exit; - } - - if (fwrite($fp, $content, strlen($content) ) === FALSE) { - echo "Cannot write to file ($filename)"; - exit; - } - fclose($fp); - } - $_FILES['file']['name'] = $filename; - $_FILES['file']['tmp_name'] = $full_filename; - $_FILES['file']['size'] = strlen($content); - unset($content); - $url_parts = pathinfo($_POST['url']); - $package_base_name_url = $url_parts['basename']; - } - */ - $ext = pathinfo($_FILES['file']['name']); - $ext = $ext['extension']; - - if ($ext != 'zip') { - $msg->addError('IMPORTDIR_IMS_NOTVALID'); - } else if ($_FILES['file']['error'] == 1) { - $errors = array('FILE_MAX_SIZE', ini_get('upload_max_filesize')); - $msg->addError($errors); - } else if ( !$_FILES['file']['name'] || (!is_uploaded_file($_FILES['file']['tmp_name']) && !$_POST['url'])) { - $msg->addError('FILE_NOT_SELECTED'); - } else if ($_FILES['file']['size'] == 0) { - $msg->addError('IMPORTFILE_EMPTY'); - } -} - -if ($msg->containsErrors()) { - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} - -/* check if ../content/import/ exists */ -$import_path = TR_CONTENT_DIR . 
'import/'; -$content_path = TR_CONTENT_DIR; - -if (!is_dir($import_path)) { - if (!@mkdir($import_path, 0700)) { - $msg->addError('IMPORTDIR_FAILED'); - } -} - -$import_path .= $_course_id.'/'; -if (!$overwrite){ - if (is_dir($import_path)) { - FileUtility::clr_dir($import_path); - } - - if (!@mkdir($import_path, 0700)) { - $msg->addError('IMPORTDIR_FAILED'); - } - - /* extract the entire archive into TR_COURSE_CONTENT . import/$course using the call back function to filter out php files */ - error_reporting(0); - $archive = new PclZip($_FILES['file']['tmp_name']); - if ($archive->extract( PCLZIP_OPT_PATH, $import_path, - PCLZIP_CB_PRE_EXTRACT, 'preImportCallBack') == 0) { - $msg->addError('IMPORT_FAILED'); - echo 'Error : '.$archive->errorInfo(true); - FileUtility::clr_dir($import_path); - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } - error_reporting(TR_ERROR_REPORTING); -} - -/* get the course's max_quota */ -$coursesDAO = new CoursesDAO(); -$q_row = $coursesDAO->get($_course_id); - -if ($q_row['max_quota'] != TR_COURSESIZE_UNLIMITED) { - $zip_size_limit = $MaxCourseSize; - - $totalBytes = FileUtility::dirsize($import_path); - - $total_after = $zip_size_limit - $totalBytes; - - if (is_dir(TR_CONTENT_DIR . $_course_id.'/')) - { - $course_total = FileUtility::dirsize(TR_CONTENT_DIR . $_course_id.'/'); - $total_after -= $course_total; - } - - if ($total_after < 0) { - /* remove the content dir, since there's no space for it */ - $errors = array('NO_CONTENT_SPACE', number_format(-1*($total_after/TR_KBYTE_SIZE), 2 ) ); - $msg->addError($errors); - - // Clean up import path and inserted course row - FileUtility::clr_dir($import_path); - - header('Location: question_db.php?_course_id='.$_course_id); - exit; - } -} - -$ims_manifest_xml = @file_get_contents($import_path.'imsmanifest.xml'); - -if ($ims_manifest_xml === false) { - $msg->addError('NO_IMSMANIFEST'); - - if (file_exists($import_path . 
'atutor_backup_version')) { - $msg->addError('NO_IMS_BACKUP'); - } - - FileUtility::clr_dir($import_path); - - header('Location: question_db.php?_course_id='.$_course_id); - exit; -} - -$xml_parser = xml_parser_create(); - -xml_parser_set_option($xml_parser, XML_OPTION_CASE_FOLDING, false); /* conform to W3C specs */ -xml_set_element_handler($xml_parser, 'startElement', 'endElement'); -xml_set_character_data_handler($xml_parser, 'characterData'); - -if (!xml_parse($xml_parser, $ims_manifest_xml, true)) { - die(sprintf("XML error: %s at line %d", - xml_error_string(xml_get_error_code($xml_parser)), - xml_get_current_line_number($xml_parser))); -} - -xml_parser_free($xml_parser); - -//assign folder names -//if (!$package_base_name){ -// $package_base_name = substr($_FILES['file']['name'], 0, -4); -//} - -//$package_base_name = strtolower($package_base_name); -//$package_base_name = str_replace(array('\'', '"', ' ', '|', '\\', '/', '<', '>', ':'), '_' , $package_base_name); -//$package_base_name = preg_replace("/[^A-Za-z0-9._\-]/", '', $package_base_name); - -//if (is_dir(TR_CONTENT_DIR . $_SESSION['course_id'].'/'.$package_base_name)) { -// echo 'Already exist: Quitting. (Need better msg here)'; -// exit; -// $package_base_name .= '_'.date('ymdHis'); -//} - -if ($package_base_path) { - $package_base_path = implode('/', $package_base_path); -} - -//Dependency handling -//$media_items = array(); -$xml_items = array(); - - -//Check if the files exist, if so, warn the user. -$existing_files = isQTIFileExist($attributes); - -if (!$overwrite && !empty($existing_files)){ - $existing_files = implode('
    ', $existing_files); - require_once(TR_INCLUDE_PATH.'header.inc.php'); - echo '
    '; - echo '
    '; - echo '
    '; - $msg->printInfos(array('MEDIA_FILE_EXISTED', $existing_files)); - echo '
    '; - echo '
    '; - echo ''; - echo ''; - echo ''; - echo ''; - echo '
    '; - echo '
    '; - require (TR_INCLUDE_PATH.'footer.inc.php'); - - exit; -} - - -//Get the XML file out and start importing them into our database. -//TODO: import_test.php shares approx. the same code as below, just that import_test.php has -// an extra line of code that uses a stack to remember the question #. Might want to -// create a function for this. -$qti_import = new QTIImport($import_path); -$qti_import->importQuestions($attributes); - -FileUtility::clr_dir(TR_CONTENT_DIR . 'import/'.$_course_id); -if (!$msg->containsErrors()) { - $msg->addFeedback('IMPORT_SUCCEEDED'); -} - -header('Location: question_db.php?_course_id='.$_course_id); -exit; -?> \ No newline at end of file +addFeedback('IMPORT_CANCELLED'); + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} + +/* functions */ +/* called at the start of en element */ +/* builds the $path array which is the path from the root to the current element */ +function startElement($parser, $name, $attrs) { + global $attributes, $element_path, $resource_num; + //save attributes. 
+ switch($name) { + case 'resource': + $attributes[$name.$resource_num]['identifier'] = $attrs['identifier']; + $attributes[$name.$resource_num]['href'] = $attrs['href']; + $attributes[$name.$resource_num]['type'] = $attrs['type']; + $resource_num++; + break; + case 'file': + if(in_array('resource', $element_path)){ + $attributes['resource'.($resource_num-1)]['file'][] = $attrs['href']; + } + break; + case 'dependency': + if(in_array('resource', $element_path)){ + $attributes['resource'.($resource_num-1)]['dependency'][] = $attrs['identifierref']; + } + break; + + } + array_push($element_path, $name); +} + +/* called when an element ends */ +/* removed the current element from the $path */ +function endElement($parser, $name) { + global $element_path; + array_pop($element_path); +} + +/* called when there is character data within elements */ +/* constructs the $items array using the last entry in $path as the parent element */ +function characterData($parser, $data){ + global $character_data; + if (trim($data)!=''){ + $character_data .= preg_replace('/[\t\0\x0B]*/', '', $data); + } +} + +//If overwrite hasn't been set to true, then the file has not been exported and still in the cache. +//otherwise, the zip file is extracted but has not been deleted (due to the confirmation). +if (!$overwrite){ + if (!isset($_POST['submit_import'])) { + /* just a catch all */ + + $errors = array('FILE_MAX_SIZE', ini_get('post_max_size')); + $msg->addError($errors); + + header('Location: ./question_db.php?_course_id='.$_course_id); + exit; + } + + + //Handles import + /* + if (isset($_POST['url']) && ($_POST['url'] != 'http://') ) { + if ($content = @file_get_contents($_POST['url'])) { + + // save file to /content/ + $filename = substr(time(), -6). '.zip'; + $full_filename = TR_CONTENT_DIR . 
$filename; + + if (!$fp = fopen($full_filename, 'w+b')) { + echo "Cannot open file ($filename)"; + exit; + } + + if (fwrite($fp, $content, strlen($content) ) === FALSE) { + echo "Cannot write to file ($filename)"; + exit; + } + fclose($fp); + } + $_FILES['file']['name'] = $filename; + $_FILES['file']['tmp_name'] = $full_filename; + $_FILES['file']['size'] = strlen($content); + unset($content); + $url_parts = pathinfo($_POST['url']); + $package_base_name_url = $url_parts['basename']; + } + */ + $ext = pathinfo($_FILES['file']['name']); + $ext = $ext['extension']; + + if ($ext != 'zip') { + $msg->addError('IMPORTDIR_IMS_NOTVALID'); + } else if ($_FILES['file']['error'] == 1) { + $errors = array('FILE_MAX_SIZE', ini_get('upload_max_filesize')); + $msg->addError($errors); + } else if ( !$_FILES['file']['name'] || (!is_uploaded_file($_FILES['file']['tmp_name']) && !$_POST['url'])) { + $msg->addError('FILE_NOT_SELECTED'); + } else if ($_FILES['file']['size'] == 0) { + $msg->addError('IMPORTFILE_EMPTY'); + } +} + +if ($msg->containsErrors()) { + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} + +/* check if ../content/import/ exists */ +$import_path = TR_CONTENT_DIR . 'import/'; +$content_path = TR_CONTENT_DIR; + +if (!is_dir($import_path)) { + if (!@mkdir($import_path, 0700)) { + $msg->addError('IMPORTDIR_FAILED'); + } +} + +$import_path .= $_course_id.'/'; +if (!$overwrite){ + if (is_dir($import_path)) { + FileUtility::clr_dir($import_path); + } + + if (!@mkdir($import_path, 0700)) { + $msg->addError('IMPORTDIR_FAILED'); + } + + /* extract the entire archive into TR_COURSE_CONTENT . 
import/$course using the call back function to filter out php files */ + error_reporting(0); + $archive = new PclZip($_FILES['file']['tmp_name']); + if ($archive->extract( PCLZIP_OPT_PATH, $import_path, + PCLZIP_CB_PRE_EXTRACT, 'preImportCallBack') == 0) { + $msg->addError('IMPORT_FAILED'); + echo 'Error : '.$archive->errorInfo(true); + FileUtility::clr_dir($import_path); + header('Location: question_db.php?_course_id='.$_course_id); + exit; + } + error_reporting(TR_ERROR_REPORTING); +} + +/* get the course's max_quota */ +$coursesDAO = new CoursesDAO(); +$q_row = $coursesDAO->get($_course_id); + +if ($q_row['max_quota'] != TR_COURSESIZE_UNLIMITED) { + $zip_size_limit = $MaxCourseSize; + + $totalBytes = FileUtility::dirsize($import_path); + + $total_after = $zip_size_limit - $totalBytes; + + if (is_dir(TR_CONTENT_DIR . $_course_id.'/')) + { + $course_total = FileUtility::dirsize(TR_CONTENT_DIR . $_course_id.'/'); + $total_after -= $course_total; + } + + if ($total_after < 0) { + /* remove the content dir, since there's no space for it */ + $errors = array('NO_CONTENT_SPACE', number_format(-1*($total_after/TR_KBYTE_SIZE), 2 ) ); + $msg->addError($errors); + + // Clean up import path and inserted course row + FileUtility::clr_dir($import_path); + + header('Location: question_db.php?_course_id='.$_course_id); + exit; + } +} + +$ims_manifest_xml = @file_get_contents($import_path.'imsmanifest.xml'); + +if ($ims_manifest_xml === false) { + $msg->addError('NO_IMSMANIFEST'); + + if (file_exists($import_path . 
'atutor_backup_version')) { + $msg->addError('NO_IMS_BACKUP'); + } + + FileUtility::clr_dir($import_path); + + header('Location: question_db.php?_course_id='.$_course_id); + exit; +} + +$xml_parser = xml_parser_create(); + +xml_parser_set_option($xml_parser, XML_OPTION_CASE_FOLDING, false); /* conform to W3C specs */ +xml_set_element_handler($xml_parser, 'startElement', 'endElement'); +xml_set_character_data_handler($xml_parser, 'characterData'); + +if (!xml_parse($xml_parser, $ims_manifest_xml, true)) { + die(sprintf("XML error: %s at line %d", + xml_error_string(xml_get_error_code($xml_parser)), + xml_get_current_line_number($xml_parser))); +} + +xml_parser_free($xml_parser); + +//assign folder names +//if (!$package_base_name){ +// $package_base_name = substr($_FILES['file']['name'], 0, -4); +//} + +//$package_base_name = strtolower($package_base_name); +//$package_base_name = str_replace(array('\'', '"', ' ', '|', '\\', '/', '<', '>', ':'), '_' , $package_base_name); +//$package_base_name = preg_replace("/[^A-Za-z0-9._\-]/", '', $package_base_name); + +//if (is_dir(TR_CONTENT_DIR . $_SESSION['course_id'].'/'.$package_base_name)) { +// echo 'Already exist: Quitting. (Need better msg here)'; +// exit; +// $package_base_name .= '_'.date('ymdHis'); +//} + +if ($package_base_path) { + $package_base_path = implode('/', $package_base_path); +} + +//Dependency handling +//$media_items = array(); +$xml_items = array(); + + +//Check if the files exist, if so, warn the user. +$existing_files = isQTIFileExist($attributes); + +if (!$overwrite && !empty($existing_files)){ + $existing_files = implode('
    ', $existing_files); + require_once(TR_INCLUDE_PATH.'header.inc.php'); + echo '
    '; + echo '
    '; + echo '
    '; + $msg->printInfos(array('MEDIA_FILE_EXISTED', $existing_files)); + echo '
    '; + echo '
    '; + echo ''; + echo ''; + echo ''; + echo ''; + echo '
    '; + echo '
    '; + require (TR_INCLUDE_PATH.'footer.inc.php'); + + exit; +} + + +//Get the XML file out and start importing them into our database. +//TODO: import_test.php shares approx. the same code as below, just that import_test.php has +// an extra line of code that uses a stack to remember the question #. Might want to +// create a function for this. +$qti_import = new QTIImport($import_path); +$qti_import->importQuestions($attributes); + +FileUtility::clr_dir(TR_CONTENT_DIR . 'import/'.$_course_id); +if (!$msg->containsErrors()) { + $msg->addFeedback('IMPORT_SUCCEEDED'); +} + +header('Location: question_db.php?_course_id='.$_course_id); +exit; +?> diff --git a/tests/question_remove.php b/tests/question_remove.php index d374d853..d1dd65b0 100644 --- a/tests/question_remove.php +++ b/tests/question_remove.php 
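Review bot: The XML-error branch after `xml_parse()` ends in `die(sprintf("XML error: %s at line %d", ...))` without clearing the extracted upload, so the archive contents stay under `$import_path` whenever the manifest is malformed. Every other failure branch in this file calls `FileUtility::clr_dir($import_path)` first. Adding `FileUtility::clr_dir($import_path);` before the `die()` makes that path consistent. Separately, `$ext['extension']` comes from the client-supplied `$_FILES['file']['name']` and is unset when the name has no dot; `pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION)` with a case-insensitive compare avoids the notice. What is actually extracted still depends on `preImportCallBack`, which is not visible in this hunk.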
@@ -1,59 +1,60 @@ -addFeedback('CANCELLED'); - header('Location: questions.php?tid=' . $tid.SEP.'_course_id='.$_course_id); - exit; -} else if (isset($_POST['submit_yes'])) { - $testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); - $testsQuestionsAssocDAO->Delete($tid, $qid); - $msg->addFeedback('QUESTION_REMOVED'); - header('Location: questions.php?tid=' . $tid.SEP.'_course_id='.$_course_id); - exit; - -} /* else: */ - -$_pages['tests/questions.php?tid='.$_GET['tid']]['title_var'] = 'questions'; -$_pages['tests/questions.php?tid='.$_GET['tid']]['parent'] = 'tests/index.php'; -$_pages['tests/questions.php?tid='.$_GET['tid']]['children'] = array('tests/add_test_questions.php?tid='.$_GET['tid']); - -$_pages['tests/add_test_questions.php?tid='.$_GET['tid']]['title_var'] = 'add_questions'; -$_pages['tests/add_test_questions.php?tid='.$_GET['tid']]['parent'] = 'tests/questions.php?tid='.$_GET['tid']; - -$_pages['tests/question_remove.php']['title_var'] = 'remove_question'; -$_pages['tests/question_remove.php']['parent'] = 'tests/questions.php?tid='.$_GET['tid']; - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -unset($hidden_vars); -$hidden_vars['qid'] = $_GET['qid']; -$hidden_vars['tid'] = $_GET['tid']; -$hidden_vars['_course_id'] = $_course_id; -$msg->addConfirm('REMOVE_TEST_QUESTION', $hidden_vars); - -$msg->printConfirm(); - -require_once(TR_INCLUDE_PATH.'footer.inc.php'); -?> \ No newline at end of file +addFeedback('CANCELLED'); + header('Location: questions.php?tid=' . $tid.SEP.'_course_id='.$_course_id); + exit; +} else if (isset($_POST['submit_yes'])) { + $testsQuestionsAssocDAO = new TestsQuestionsAssocDAO(); + $testsQuestionsAssocDAO->Delete($tid, $qid); + $msg->addFeedback('QUESTION_REMOVED'); + header('Location: questions.php?tid=' . 
$tid.SEP.'_course_id='.$_course_id); + exit; + +} /* else: */ + +$_pages['tests/questions.php?tid='.$_GET['tid']]['title_var'] = 'questions'; +$_pages['tests/questions.php?tid='.$_GET['tid']]['parent'] = 'tests/index.php'; +$_pages['tests/questions.php?tid='.$_GET['tid']]['children'] = array('tests/add_test_questions.php?tid='.$_GET['tid']); + +$_pages['tests/add_test_questions.php?tid='.$_GET['tid']]['title_var'] = 'add_questions'; +$_pages['tests/add_test_questions.php?tid='.$_GET['tid']]['parent'] = 'tests/questions.php?tid='.$_GET['tid']; + +$_pages['tests/question_remove.php']['title_var'] = 'remove_question'; +$_pages['tests/question_remove.php']['parent'] = 'tests/questions.php?tid='.$_GET['tid']; + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +unset($hidden_vars); +$hidden_vars['qid'] = $_GET['qid']; +$hidden_vars['tid'] = $_GET['tid']; +$hidden_vars['_course_id'] = $_course_id; +$msg->addConfirm('REMOVE_TEST_QUESTION', $hidden_vars); + +$msg->printConfirm(); + +require_once(TR_INCLUDE_PATH.'footer.inc.php'); +?> diff --git a/tests/questions.php b/tests/questions.php index 58b674b1..df68beec 100644 --- a/tests/questions.php +++ b/tests/questions.php 
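Review bot: `$hidden_vars['qid'] = $_GET['qid'];` and `$hidden_vars['tid'] = $_GET['tid'];` pass raw request values into the confirmation form, although `$qid` and `$tid` are already in scope for the `Delete($tid, $qid)` call. Using `$hidden_vars['qid'] = $qid;` and `$hidden_vars['tid'] = $tid;` would reuse them, assuming they are cast to integers in the top of the file, which is not legible in this hunk. The same raw `$_GET['tid']` is concatenated into the `$_pages` keys. Whether `addConfirm()` encodes hidden values cannot be told from here, so the cast is the cheaper guarantee. The `submit_yes` branch deletes on POST, and no call to the `CSRF_Token` class introduced by this commit is visible before it, so it is worth confirming that the check exists.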
@@ -1,94 +1,95 @@ - $weight) { - $qid = intval($qid); - $weight = intval($weight); - - $orders = $_POST['ordering']; - asort($orders); - $orders = array_keys($orders); - - foreach ($orders as $k => $id) - $orders[$k] = intval($id); - - $orders = array_flip($orders); - - $testsQuestionsAssocDAO->Update($tid, $qid, $weight, $orders[$qid]+1); - $count++; - } - - $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); - header('Location: '.$_SERVER['PHP_SELF'] .'?tid='.$tid.'&_course_id='.$_course_id); - exit; -} - -$cats = array(); -$cats[0] = _AT('cats_uncategorized'); -$cat_rows = $testsQuestionsCategoriesDAO->getByCourseID($_course_id); -if (is_array($cat_rows)) { - foreach ($cat_rows as $cat_row) { - $cats[$cat_row['category_id']] = $cat_row['title']; - } -} - -require_once(TR_INCLUDE_PATH.'header.inc.php'); - -$row = $testsDAO->get($tid); -echo '
    '; -echo '

    '._AT('questions_for').' '.AT_print($row['title'], 'tests.title').'

    '; - -$rows = $testsQuestionsAssocDAO->getZeroWeightRowsByTestID($tid); -if (is_array($rows)) { - $msg->printWarnings('QUESTION_WEIGHT'); -} - -$msg->printAll(); - -$rows = $testsQuestionsAssocDAO->getByTestID($tid); - -$savant->assign('cats', $cats); -$savant->assign('rows', $rows); -$savant->assign('tid', $tid); -$savant->assign('course_id', $_course_id); -$savant->display('tests/questions.tmpl.php'); -echo '
    '; -require_once(TR_INCLUDE_PATH.'footer.inc.php');?> + $weight) { + $qid = intval($qid); + $weight = intval($weight); + + $orders = $_POST['ordering']; + asort($orders); + $orders = array_keys($orders); + + foreach ($orders as $k => $id) + $orders[$k] = intval($id); + + $orders = array_flip($orders); + + $testsQuestionsAssocDAO->Update($tid, $qid, $weight, $orders[$qid]+1); + $count++; + } + + $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); + header('Location: '.$_SERVER['PHP_SELF'] .'?tid='.$tid.'&_course_id='.$_course_id); + exit; +} + +$cats = array(); +$cats[0] = _AT('cats_uncategorized'); +$cat_rows = $testsQuestionsCategoriesDAO->getByCourseID($_course_id); +if (is_array($cat_rows)) { + foreach ($cat_rows as $cat_row) { + $cats[$cat_row['category_id']] = $cat_row['title']; + } +} + +require_once(TR_INCLUDE_PATH.'header.inc.php'); + +$row = $testsDAO->get($tid); +echo '
    '; +echo '

    '._AT('questions_for').' '.AT_print($row['title'], 'tests.title').'

    '; + +$rows = $testsQuestionsAssocDAO->getZeroWeightRowsByTestID($tid); +if (is_array($rows)) { + $msg->printWarnings('QUESTION_WEIGHT'); +} + +$msg->printAll(); + +$rows = $testsQuestionsAssocDAO->getByTestID($tid); + +$savant->assign('cats', $cats); +$savant->assign('rows', $rows); +$savant->assign('tid', $tid); +$savant->assign('course_id', $_course_id); +$savant->display('tests/questions.tmpl.php'); +echo '
    '; +require_once(TR_INCLUDE_PATH.'footer.inc.php');?> diff --git a/themes/default/home/course/course_property.tmpl.php b/themes/default/home/course/course_property.tmpl.php index 73268eee..82669d79 100644 --- a/themes/default/home/course/course_property.tmpl.php +++ b/themes/default/home/course/course_property.tmpl.php @@ -9,13 +9,18 @@ /* modify it under the terms of the GNU General Public License */ /* as published by the Free Software Foundation. */ /************************************************************************/ + +session_start(); + global $_current_user; global $languageManager; require_once(TR_INCLUDE_PATH.'classes/CoursesUtility.class.php'); +require_once('../../class_csrf.php'); + ?> -
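Review bot: The redirect after the weight update builds its target from `$_SERVER['PHP_SELF']`, which reflects the requested path including any trailing path info, so part of the Location value is client-controlled. A fixed target, as question_remove.php uses, avoids that: `header('Location: questions.php?tid='.$tid.'&_course_id='.$_course_id);`. In the same loop, `$orders` is rebuilt from `$_POST['ordering']` on every iteration, and `$orders[$qid]+1` assumes every weighted question also has an ordering entry. Computing `$orders` once before the `foreach` and skipping ids with no entry would make the handler tolerate partial posts.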
    + * : - + @@ -77,7 +82,7 @@ - + @@ -85,7 +90,7 @@ - + @@ -93,7 +98,7 @@ - course_row['access'] == 'private') echo "checked"; ?> /> + course_row['access'] == 'private' AND CSRF_Token::isValid() AND CSRF_Token::isRecent()) echo "checked"; else $this->course_row['access']?> /> @@ -109,6 +114,7 @@
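Review bot: `session_start();` and `require_once('../../class_csrf.php');` are added at the top of a template, where both are fragile. A path beginning with `../` resolves against the working directory of the running script, not this template's location, and a second `session_start()` raises a notice if the entry script has already opened the session (not visible from this hunk). Loading the class once from the bootstrap, or with `require_once(TR_INCLUDE_PATH.'../class_csrf.php');`, would be more robust. The same two lines are added in edit_content_folder.tmpl.php, change_email.tmpl.php and change_password.tmpl.php; in edit_content_folder.tmpl.php `session_start()` also runs before the `TR_INCLUDE_PATH` guard.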
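Review bot: The `checked` test in the `@@ -93,7 +98,7 @@` hunk now reads `... == 'private' AND CSRF_Token::isValid() AND CSRF_Token::isRecent()`, which ties form rendering to token validity instead of protecting the request. On a plain GET there is no `$_POST['token']`, so `isValid()` returns false and a private course is no longer shown as selected; an author could then save it with a different access level without noticing. The added `else $this->course_row['access']` is an expression with no effect. The condition should go back to `if ($this->course_row['access'] == 'private') echo "checked";`, and the `CSRF_Token::isValid()` / `CSRF_Token::isRecent()` calls belong in the script that processes the submitted form, before any change is saved.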

    +
    diff --git a/themes/default/home/editor/arrange_content.tmpl.php b/themes/default/home/editor/arrange_content.tmpl.php index 0f60af3f..87908b49 100644 --- a/themes/default/home/editor/arrange_content.tmpl.php +++ b/themes/default/home/editor/arrange_content.tmpl.php @@ -1,50 +1,54 @@ - -

    - - -getNumSections() > (1 - (bool)(!$cid))) { - echo '

    ' - , _AT('editor_properties_instructions', - ''._AT('after_topic', '').'', - ''._AT('before_topic', '').'', - ''._AT('child_of', '').'') - , '

    '; - - } - - ?>
    - - - - - - - - - -printActionMenu($contentManager->_menu, 0, 0, '', array(), "movable"); - -?> -
     
    - -
    - \ No newline at end of file + +
    +
    +
    + +getNumSections() > (1 - (bool)(!$cid))) { + echo '

    ' + , _AT('editor_properties_instructions', + ''._AT('after_topic', '').'', + ''._AT('before_topic', '').'', + ''._AT('child_of', '').'') + , '

    '; + + } + + ?>
    + + + + + + + + + +printActionMenu($contentManager->_menu, 0, 0, '', array(), "movable"); + +?> +
     
    +
    +
    + diff --git a/themes/default/home/editor/edit_content_folder.tmpl.php b/themes/default/home/editor/edit_content_folder.tmpl.php index bbac5857..6ee53864 100644 --- a/themes/default/home/editor/edit_content_folder.tmpl.php +++ b/themes/default/home/editor/edit_content_folder.tmpl.php @@ -10,12 +10,16 @@ /* as published by the Free Software Foundation. */ /************************************************************************/ +session_start(); + if (!defined('TR_INCLUDE_PATH')) { exit; } global $onload, $contentManager; $onload = 'document.form.title.focus();'; + +require_once('../../class_csrf.php'); ?> -
    +
    -
    -
    *
    - - getStructsList(); - if (!is_array($structsList)) { - $num_of_structs = 0; - $output = _AT('none_found'); - } else { - - echo '
    '; - - echo '
      '; - foreach ($structsList as $struct) { - echo "
    1. "; - - echo ''; - echo ''; - $value = ""; - - - - foreach ($structsList as $val) { - if(isset($_POST['struct']) && $_POST['struct'] == $val['short_name']) - $check = true; - else - $check = false; - - if($val['name'] == $struct['name']){ - ?> -
      - - - - - - - -
      - -
      -
      -
      - printPreview(false, $struct['short_name']); - ?> -
      -
      -
      - -
      -
      - - '; - } - - echo '
    '; - - } - - ?> - - - -
    - -
    - -
    -
    -
    + +
    +
    + +
    +
    *
    + + getStructsList(); + if (!is_array($structsList)) { + $num_of_structs = 0; + $output = _AT('none_found'); + } else { + + echo '
    '; + + echo '
      '; + foreach ($structsList as $struct) { + echo "
    1. "; + + echo ''; + echo ''; + $value = ""; + + + + foreach ($structsList as $val) { + if(isset($_POST['struct']) && $_POST['struct'] == $val['short_name']) + $check = true; + else + $check = false; + + if($val['name'] == $struct['name']){ + ?> +
      + + + + + + + +
      + +
      +
      +
      + printPreview(false, $struct['short_name']); + ?> +
      +
      +
      + +
      +
      + + '; + } + + echo '
    '; + + } + + ?> + + + +
    + +
    +
    + +
    +
    +
    diff --git a/themes/default/include/header.tmpl.php b/themes/default/include/header.tmpl.php index f7806c15..8bfb60d9 100644 --- a/themes/default/include/header.tmpl.php +++ b/themes/default/include/header.tmpl.php 
@@ -1,409 +1,411 @@ -lang_code the ISO language code - * SITE_NAME the site name from the config file - * $this->page_title the name of this page to use in the - * top_level_pages array(array('url', 'title')) the top level pages. AContent default creates tabs. - * current_top_level_page string full url to the current top level page in "top_leve_pages" - * path array(array('url', 'title')) the breadcrumb path to the current page. - * sub_menus array(array('url', 'title')) the sub level menus. - * current_page string full url to the current sub level page in the "sub_level_pages" - * section_title string the name of the current section. either name of the course, administration, my start page, etc. - * page_title string the title of the current page. - * user_name string name of login user - * $this->lang_charset the ISO language character set - * $this->base_path the absolute path to this AContent installation - * $this->theme the directory name of the current theme - * $this->custom_head the custom head script used in <head> section - * $this->$onload the html body onload event - * $this->shortcuts array of editor tools available title:url:icon - * $this->content_base_href the <base href> to use for this page - * $this->rtl_css if set, the path to the RTL style sheet - * $this->icon the path to a course icon - * $this->banner_style -deprecated- - * $this->base_href the full url to this AContent installation - * $this->onload javascript onload() calls - * $this->img the absolute path to this theme's images/ directory - * $this->sequence_links associative array of 'previous', 'next', and/or 'resume' links - * $this->path associative array of path to this page: aka bread crumbs - * $this->rel_url the relative url from the installation root to this page - * $this->nav_courses associative array of this user's enrolled courses - * $this->section_title the title of this section (course, public, admin, my start page) - * $this->top_level_pages associative array of the top 
level navigation - * $this->current_top_level_page the full path to the current top level page with file name - * $this->sub_level_pages associate array of sub level navigation - * $this->back_to_page if set, the path and file name to the part of this page (if parent is not a top level nav) - * $this->current_sub_level_page the full path to the current sub level page with file name - * $this->guide the full path and file name to the guide page - * $this->user_name string, the name of the current login user - * $this->isAuthor boolean, whether the current login user is the author of the selected course. Only passed in when there is login user and selected course - * ====================================== - * back_to_page array('url', 'title') the link back to the part of the current page, if needed. - */ -include_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); -$lang_charset = "UTF-8"; -//Timer -//$mtime = microtime(); -//$mtime = explode(' ', $mtime); -//$mtime = $mtime[1] + $mtime[0]; -//$starttime = $mtime; -//Timer Ends -?><!DOCTYPE html> -<html lang="<?php echo DEFAULT_LANGUAGE_CODE; ?>"> -<head> - <title><?php echo SITE_NAME; ?> : <?php echo $this->page_title; ?> - - - - - - - - - - - -rtl_css; ?> - - - - - -custom_head; ?> - - - - - -
    -
    - - - - - - - - - guide)) { ?> - - - - tool_shortcuts) ||isset($this->course_id) && $this->course_id > 0){ ?> - -
    - -
    - - - - - -
    - course_id) && $this->course_id > 0)): ?> -
    - - -
    -
    course_id) && $this->course_id <= 0): ?> - style="margin-left:0.5em;width:99%;" - > - - course_id) && $this->course_id > 0): ?> - - - - - - isAdmin()){ - echo '
    '._AT('course_owner').':'.$this->course_owner['first_name'].' '.$this->course_owner['last_name'].' ('.$this->course_owner['login'].')'; - } - ?>
    -
    -

    page_title; ?>

    -
    - printAll(); ?> -
    - - -sub_menus) && count($this->sub_menus) > 0): ?> - - +lang_code the ISO language code + * SITE_NAME the site name from the config file + * $this->page_title the name of this page to use in the + * top_level_pages array(array('url', 'title')) the top level pages. AContent default creates tabs. + * current_top_level_page string full url to the current top level page in "top_leve_pages" + * path array(array('url', 'title')) the breadcrumb path to the current page. + * sub_menus array(array('url', 'title')) the sub level menus. + * current_page string full url to the current sub level page in the "sub_level_pages" + * section_title string the name of the current section. either name of the course, administration, my start page, etc. + * page_title string the title of the current page. + * user_name string name of login user + * $this->lang_charset the ISO language character set + * $this->base_path the absolute path to this AContent installation + * $this->theme the directory name of the current theme + * $this->custom_head the custom head script used in <head> section + * $this->$onload the html body onload event + * $this->shortcuts array of editor tools available title:url:icon + * $this->content_base_href the <base href> to use for this page + * $this->rtl_css if set, the path to the RTL style sheet + * $this->icon the path to a course icon + * $this->banner_style -deprecated- + * $this->base_href the full url to this AContent installation + * $this->onload javascript onload() calls + * $this->img the absolute path to this theme's images/ directory + * $this->sequence_links associative array of 'previous', 'next', and/or 'resume' links + * $this->path associative array of path to this page: aka bread crumbs + * $this->rel_url the relative url from the installation root to this page + * $this->nav_courses associative array of this user's enrolled courses + * $this->section_title the title of this section (course, public, admin, my start page) + * 
$this->top_level_pages associative array of the top level navigation + * $this->current_top_level_page the full path to the current top level page with file name + * $this->sub_level_pages associate array of sub level navigation + * $this->back_to_page if set, the path and file name to the part of this page (if parent is not a top level nav) + * $this->current_sub_level_page the full path to the current sub level page with file name + * $this->guide the full path and file name to the guide page + * $this->user_name string, the name of the current login user + * $this->isAuthor boolean, whether the current login user is the author of the selected course. Only passed in when there is login user and selected course + * ====================================== + * back_to_page array('url', 'title') the link back to the part of the current page, if needed. + */ +include_once(TR_INCLUDE_PATH.'classes/Utility.class.php'); + +$lang_charset = "UTF-8"; +//Timer +//$mtime = microtime(); +//$mtime = explode(' ', $mtime); +//$mtime = $mtime[1] + $mtime[0]; +//$starttime = $mtime; +//Timer Ends +?><!DOCTYPE html> +<html lang="<?php echo DEFAULT_LANGUAGE_CODE; ?>"> +<head> + <title><?php echo SITE_NAME; ?> : <?php echo $this->page_title; ?> + + + + + + + + + + + +rtl_css; ?> + + + + + +custom_head; ?> + + + + + +
    +
    + + + + + + + + + guide)) { ?> + + + + tool_shortcuts) ||isset($this->course_id) && $this->course_id > 0){ ?> + +
    + +
    + + + + + +
    + course_id) && $this->course_id > 0)): ?> +
    + + +
    +
    course_id) && $this->course_id <= 0): ?> + style="margin-left:0.5em;width:99%;" + > + + course_id) && $this->course_id > 0): ?> + + + + + + isAdmin()){ + echo '
    '._AT('course_owner').':'.$this->course_owner['first_name'].' '.$this->course_owner['last_name'].' ('.$this->course_owner['login'].')'; + } + ?>
    +
    +

    page_title; ?>

    +
    + printAll(); ?> +
    + + +sub_menus) && count($this->sub_menus) > 0): ?> + + diff --git a/themes/default/profile/change_email.tmpl.php b/themes/default/profile/change_email.tmpl.php index acb4bce6..9fd7f49a 100644 --- a/themes/default/profile/change_email.tmpl.php +++ b/themes/default/profile/change_email.tmpl.php @@ -10,9 +10,13 @@ /* as published by the Free Software Foundation. */ /************************************************************************/ +session_start(); + global $onload; $onload = 'document.form.form_password.focus();'; -require(TR_INCLUDE_PATH.'header.inc.php'); +require(TR_INCLUDE_PATH.'header.inc.php'); + +require_once('../class_csrf.php'); ?> @@ -29,7 +33,7 @@ function encrypt_password()
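Review bot: The added `require_once('../class_csrf.php');` in the `@@ -10,9 +10,13 @@` hunk is resolved against the working directory and include_path, not against this template's directory, so it only loads when the page is entered from a script exactly one level below the install root. Building the path from the constant the file already uses, e.g. `require_once(TR_INCLUDE_PATH.'../class_csrf.php');`, removes that dependency. The unconditional `session_start();` will raise a notice if the bootstrap include has already opened the session (not visible here), so `if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }` is safer. These lines only make the token available to the form; the script that receives this form's POST still has to verify the token before it changes the e-mail address, and that check is not shown in this hunk. The same two additions appear in the change_password.tmpl.php hunk that follows.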
    -
    + @@ -48,14 +52,15 @@ function encrypt_password() * -
    - + +

    +

    @@ -67,4 +72,4 @@ function encrypt_password() - \ No newline at end of file + diff --git a/themes/default/profile/change_password.tmpl.php b/themes/default/profile/change_password.tmpl.php index 913c1c14..94ae2c9c 100644 --- a/themes/default/profile/change_password.tmpl.php +++ b/themes/default/profile/change_password.tmpl.php @@ -10,10 +10,14 @@ /* as published by the Free Software Foundation. */ /************************************************************************/ +session_start(); + global $onload; $onload = 'document.form.old_password.focus();'; require(TR_INCLUDE_PATH.'header.inc.php'); +require_once('../class_csrf.php'); + ?>